
The Windows print nightmare continues for the enterprise


Okay, Microsoft, we have to talk. Or rather, we have to print. We really do. We aren't all paperless out here in the business world — many of us still need to click the Print button inside our business applications and print things out on an actual sheet of paper, or send something to a PDF printer. But over the last several months you've made it nearly impossible to stay fully patched and keep printing.

Case in point: the August security updates.

Microsoft changed how Group Policy-deployed printers are handled when it changed the default Point and Print behavior to address the "PrintNightmare" vulnerabilities affecting the Windows Print Spooler service. As noted in KB5005652, "by default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:
Install new printers using drivers on a remote computer or server
Update existing printer drivers using drivers from remote computer or server"
However, what we're seeing over on the PatchManagement.org list is that anyone with a V3 version of a print driver is having their users prompted to reinstall drivers or install new drivers. More precisely, when the print server is a Server 2016 server, the printers are pushed out via Group Policy, and the printer driver from the vendor is a V3 driver, the update triggers a reinstallation of print drivers. We're also seeing that when the patch is on the workstation and not on the server, it triggers a reinstallation of the print drivers.

Given that businesses are likely to keep users without administrator rights to limit lateral movement (and quite frankly because Microsoft has told us over the years that running with administrator rights was a bad thing), we now have to decide whether to give users local administrator rights, make a registry key adjustment that weakens security, or roll back the patch until Microsoft figures out what went wrong.

Those who do want to make the registry change can open a Command Prompt window with elevated permissions and enter the following:

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

Setting the value to 0 restores the pre-August behavior, in which non-administrators can install printer drivers from a remote server. But doing so exposes you to publicly known vulnerabilities, and neither Microsoft nor I recommend it.

Getting to the heart of the print problem

Microsoft has privately acknowledged in a support case that "the admin/install prompt for already-installed drivers and already-installed printers is unexpected behavior." It went on to say, "We have received new reports that this is also affecting customers where the drivers/printers, etc. are already installed and it is already under investigation, we do not have an estimated time of fix yet, but we are working on it." But while the company may be privately acknowledging that there's a problem with printing, it isn't showing it on the Windows release health dashboard.

Anthony J. Fontanez has blogged here and here with some great discussion of what's going on. As he points out, one of the solutions is to ensure you have V4 printer drivers deployed on your network. But therein lies a problem — it's often extremely hard to determine whether drivers are V3 or V4. In the case of Hewlett Packard printers, PCL 6 denotes V3, while PCL-6 (note the hyphen) denotes V4. You may need to deploy the drivers on a test virtual machine in order to determine exactly which printer driver you have.

If your printer vendor doesn't have a V4 version of the printer driver, make sure you reach out to the vendor — especially if the printers are under active leases — and demand a revised driver. As Fontanez wrote, "V4 drivers use a model-specific driver on the print server side. When clients connect to a printer on a server using a V4 driver, they do not download any driver. Instead they use a generic preloaded driver named 'Microsoft enhanced Point and Print.'" However, some network admins have indicated that the V4 drivers aren't the solution either.

But even if you could get the August updates installed across your network, that doesn't mean you are fully protected from print spooler vulnerabilities. There is yet another CVE (CVE-2021-36958) for which we have no patch, and the only workaround is to disable the print spooler. All we officially know right now is that "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The workaround for this vulnerability is stopping and disabling the Print Spooler service."

If you're a consumer, the situation isn't quite as bleak. I've yet to see a home or consumer user have issues with printing or scanning after the August updates were installed. That said, we're still vulnerable to the unpatched CVE-2021-36958. If you already have the August updates installed and you aren't having any side effects with printing or scanning, leave the August security updates installed.

So what can you do right now if you run a business and you have to print?

Review which servers and computers absolutely need to print. Clearly the foundational security issues with the print spooler code have yet to be fixed, and it doesn't appear they will be fixed soon.
Consider making printing a special right that you grant only to those on your network who really need it, instead of having the Print Spooler service automatically enabled throughout your network.
Disable the service on all domain controllers and keep it that way until further notice.
Limit the servers on your network that have the print server role.
Keep that set of servers as small as you can, so you can monitor and restrict traffic to those machines.
Disable the Print Spooler service on workstations unless they need to print.
Reevaluate your workflows and processes and see if there are ways to move such business flows to web-based processes or something else that won't depend on paper, toner, and printers.
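The registry check discussed above and the hardening list just given can be combined into a single audit script. The PowerShell below is an added example, not code from the original article and not anything Microsoft ships; it assumes an elevated PowerShell 5.1 session on Windows 10 / Server 2016 or later with the built-in PrintManagement module, and the -DisableSpooler switch name is my own. It reads the KB5005652 RestrictDriverInstallationToAdministrators value, lists installed printer drivers by the MajorVersion that Get-PrinterDriver reports (3 = V3, 4 = V4, which is a quicker check than guessing from the driver name), reports the Print Spooler state and whether the host is a domain controller, and only stops and disables the spooler when explicitly asked.

```powershell
# Added example (not from the original article): audit Point and Print hardening,
# inventory printer drivers by model version, and optionally disable the Print
# Spooler on hosts that do not need it. Run from an elevated PowerShell prompt.
# Assumptions: PowerShell 5.1, PrintManagement module present (Windows 10 / Server 2016+).
[CmdletBinding()]
param(
    [switch]$DisableSpooler   # hypothetical switch: opt in to the remediation step
)

$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$name = 'RestrictDriverInstallationToAdministrators'

# 1. KB5005652 setting. Absent or 1 = hardened default (administrators only);
#    0 = the weakening registry tweak described in the article.
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $value -or $value -eq 1) {
    Write-Output "PointAndPrint: driver installation restricted to administrators (secure default)."
} else {
    Write-Warning "PointAndPrint: $name = $value. Non-admins can install remote drivers; known vulnerabilities are exposed."
}

# 2. Driver inventory. Get-PrinterDriver reports MajorVersion 3 (V3) or 4 (V4).
$drivers = Get-PrinterDriver | Select-Object Name, Manufacturer, MajorVersion, DriverVersion
$v3 = @($drivers | Where-Object MajorVersion -eq 3)
$v4 = @($drivers | Where-Object MajorVersion -eq 4)
Write-Output ("Printer drivers installed: {0} V3, {1} V4" -f $v3.Count, $v4.Count)
if ($v3.Count -gt 0) {
    Write-Warning "V3 drivers present (these are the ones reported to trigger the reinstall prompt):"
    $v3 | Format-Table -AutoSize | Out-String | Write-Output
}

# 3. Spooler state and host role. Win32_ComputerSystem.DomainRole 4 or 5 = domain controller.
$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4
Write-Output ("Print Spooler: state={0} startmode={1}; domain controller={2}" -f $svc.State, $svc.StartMode, $isDC)
if ($isDC -and $svc.StartMode -ne 'Disabled') {
    Write-Warning "Print Spooler is enabled on a domain controller; the article recommends disabling it there."
}

# 4. Optional remediation: stop and disable the service, the only workaround
#    Microsoft lists for CVE-2021-36958. Off by default so the audit is read-only.
if ($DisableSpooler) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and set to Disabled."
}
```

Save it under a name of your choosing (for instance Audit-PrintSpooler.ps1, my own name) and run it without arguments on print servers, domain controllers and a sample of workstations to see where V3 drivers and running spoolers remain; add -DisableSpooler only on hosts you have decided do not need to print.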
A final word to Microsoft

Microsoft, you need to do better than you are doing now. Because we do still print. And over the last year you've broken printing too many times. I realize that you may be paperless and moving to digital everything, but be a bit more aware that your business customers aren't quite there yet.

Your customers shouldn't have to make the painful choice of removing the update in order to function in their business, or worse yet have to perform a registry tweak that allows the business to print but exposes the firm to vulnerabilities as a result.

I've been patching systems for more than 20 years, and if the best thing we can tell a business right now is to "uninstall the update in order to continue to be in business," we have not fixed a thing in 20 years of updating. Businesses still can't immediately patch like you urge us to do. We still have to wait to see if there are side effects and deal with the after-effects.

So, Microsoft? If you want us to patch immediately, you need to realize that many of us still need to print.

Copyright © 2021 IDG Communications, Inc.