The Windows print nightmare continues for the enterprise

Okay, Microsoft, we need to talk. Or rather, we need to print. We really do. We aren’t all paperless out here in the business world — many of us still need to click the Print button inside our business applications and print things out on an actual sheet of paper, or send something to a PDF printer. But over the last several months you’ve made it near impossible to stay fully patched and keep printing.

Case in point: the August security updates.

Microsoft made a change in how Group Policy printers are handled when it changed the default Point and Print behavior to address “PrintNightmare” vulnerabilities affecting the Windows Print Spooler service. As noted in KB5005652, “by default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

• Install new printers using drivers on a remote computer or server
• Update existing printer drivers using drivers from remote computer or server”

IDG

However, what we’re seeing over on the PatchManagement.org list is that anyone with a V3 style of print driver is having their users be prompted to reinstall drivers or install new drivers. More precisely, when the print server is on a Server 2016 server, the printers are pushed out via Group Policy, and the printer driver from the vendor is a V3 driver, it is triggering the reinstallation of print drivers. We’re also seeing that when the patch is on the workstation and not on the server, it’s triggering a reinstallation of the print drivers.

Given that firms are likely to keep users without administrator rights to limit lateral movement (and quite frankly because Microsoft has told us over the years that running with administrator rights was a bad thing), we’re now having to decide to give users local administrator rights, make a registry key adjustment that weakens security, or roll back the patch until Microsoft figures out what went wrong.

Those who do want to make the registry change can open a Command Prompt window with elevated permissions and enter the following:

reg add "HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindows NTPrintersPointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

But doing so exposes you to publicly known vulnerabilities, and neither Microsoft nor I recommend it.

Getting to the heart of the print problem

Microsoft has privately acknowledged in a support case that “the admin/install prompt for already-installed drivers and already-installed printers is unexpected behavior.” It went on to say, “We have received new reports that this is also affecting customers where the drivers/printers, etc. are already installed and it is already under investigation, we do not have an estimated time of fix yet, but we are working on it.” But while the company may be privately acknowledging that there is a problem with printing, it isn’t showcasing it on the Windows health release dashboard.

Anthony J. Fontanez has blogged here and here with some great discussion of what is going on. As he points out, one of the solutions is to ensure you have V4 printer drivers deployed in your network. But therein lies a problem — it’s often extremely hard to determine if drivers are V3 or V4. In the case of Hewlett Packard printers, PCL 6 denotes V3, whereas PCL-6 (note the hyphen) denotes V4. You may have to deploy the drivers on a test virtual machine in order to determine exactly what printer driver you have.

If your printer vendor doesn’t have a V4 version of the printer driver, ensure that you reach out to your vendor — especially if they are under active leases — and demand that they come out with a revised driver. As Fontanez wrote, “V4 drivers use a model-specific driver on the print server side. When clients connect to a printer on a server using a V4 driver, they do not download any driver. Instead they use a generic preloaded driver named ‘Microsoft enhanced Point and Print.’” However, some network admins have indicated that the V4 drivers aren’t the solution either.

But even if you could get the August updates installed in your network, that doesn’t mean you are fully protected from print spooler vulnerabilities. There is yet another CVE (CVE-2021-36958) for which we have no patch, and the only workaround is to disable the print spooler. All we officially know at this time is that “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  The workaround for this vulnerability is stopping and disabling the Print Spooler service.”

If you are a consumer, the issue isn’t quite as bleak. I’ve yet to see a home or consumer user have issues with printing or scanning after the August updates were installed. That said, we are still vulnerable to the unpatched CVE-2021-36958. If you already have the August updates installed and you are not having any side effects with printing or scanning, leave the August security updates installed.

So what can you do at this time if you run a business and you have to print?

• Review what servers and computers absolutely have to print. Clearly the foundational security issues with the print server code have yet to be fixed, and it doesn’t appear they will be fixed soon.
• Consider printing a specific right that you grant only to those in your network who truly need that right, instead of having the print spooler service automatically enabled throughout your network.
• Disable the service on all domain controllers and keep it that way until further notice.
• Limit the servers in your network that have print server roles.
• Try to limit the servers as best as you can so you can monitor and limit traffic to these machines.
• Disable the print server role on workstations unless they have to print.
• Reevaluate your workflow and processes and see if there are ways to move such business flows to web-based processes or something that won’t depend on paper, toner, and printers.

A final word to Microsoft

Microsoft, you need to do better than you are doing now. Because we do still print. And over the last year you’ve broken printing too many times. I realize that you may be paperless and moving to electronic everything, but be a bit more aware that your enterprise customers aren’t quite there yet.

Your customers shouldn’t have to make the painful choice to remove the update in order to function in their business, or worse yet have to perform a registry tweak, which allows the business to print but exposes the firm to vulnerabilities as a result.

I’ve been patching systems for more than 20 years, and if the best thing we can tell a business at this time is to “uninstall the update in order to continue to be in business,” we have not fixed a thing in 20 years of updating. Businesses still can’t immediately patch like you urge us to do. We still have to wait to see if there are side effects and deal with the after effects.

So, Microsoft? If you want us to immediately patch, you need to realize that many of us still need to print.