Click to select the Users can only point and print to these servers check box if it's not already selected.
In the text box, type the fully qualified server names to which you want to allow users to connect. Separate each name by using a semicolon (;).
In the When installing drivers for a new connection box, select Do not show warning or elevation prompt.
In the When updating drivers for an existing connection box, select Show warning only.
Click OK.
Best,
Sean
Doing what you outlined will leave the computers vulnerable to the PrintNightmare problems! I assume that the OP's reason for asking is because he wants to prevent the exploit.
The article you linked is how to ENABLE Point and Print, not how to disable it!
Doing what you stated ("In the When installing drivers for a new connection box, select Do not show warning or elevation prompt") sets the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint "NoWarningNoElevationOnInstall" DWORD value to 1, which means the exploit can run. The "NoWarningNoElevationOnInstall" value should be zero, which is what choosing "Show warning and elevation prompt" does in the GPO. Both security prompts should be set to "Show warning and elevation prompt" to prevent the exploit.
Microsoft’s knowledge base article, KB5005652, details a change made with Windows updates released August 10, 2021 and later regarding the point and print technology’s default driver installation behavior. Previously, when using point and print, users that do not have local administrator privilege could install printer drivers, which would be automatically downloaded from the print server and installed on the user’s computer.
To mitigate the PrintNightmare vulnerabilities, the new default behavior is to deny users that do not have administrator privilege the ability to install printer drivers via point and print. This change causes a support problem in departments where print queues are mapped via Group Policy or made available for users to connect to from a share on the print server since IT administrators would have to implement a way to ensure the necessary drivers are installed on the computers they support.
Please note that this change has no effect on users that have local administrator privilege.
Limit users to point and print only to trusted servers
If your department needs to permit users to install printer drivers via point and print, it is strongly recommended that the Point and Print Restrictions group policy setting be configured to specify the servers that they are allowed to point and print to.
- In the Group Policy Management Console, create a new Group Policy Object or edit an appropriate, existing GPO.
- Navigate to Computer Configuration > Administrative Templates > Printers.
- Double-click the Point and Print Restrictions setting.
- Click the Enabled radio button.
- Click the Users can only point and print to these servers checkbox.
- Enter the FQDNs for your print servers, separated by a semicolon.
- Change both security prompts options to Show warning and elevation prompt.
- Click OK.
Allowing users without administrator privilege to use point and print to install and update printer drivers
A new DWORD value, RestrictDriverInstallationToAdministrators, located at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint, requires administrative privilege to install a printer driver via Point and Print when it is set to 1, blank, or not present.
To allow users that do not have administrative privileges to install and update printer drivers, create a Group Policy Object, linked to an appropriate OU, that adds the RestrictDriverInstallationToAdministrators DWORD to the PointAndPrint registry key and sets its value to 0.
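The GPO steps and the registry value above describe one target state: policy enabled, a trusted server list, both prompts set to "Show warning and elevation prompt", and a deliberate choice for RestrictDriverInstallationToAdministrators. The following audit script is an added example, not code from the knowledge base article; the function name Get-PointAndPrintAudit and the PASS/FAIL/WARN expectations are this example's own, derived from the text above, and the prompt value meanings (0 = show warning and elevation prompt, 1 = show warning only, 2 = no warning or elevation prompt) are those of the Point and Print Restrictions policy.

```powershell
# Added example: audit the effective Point and Print policy values on this machine
# against the hardened configuration described in the text. Not the article's code.
$PointAndPrintPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintAudit {
    [CmdletBinding()]
    param([string]$Path = $PointAndPrintPath)

    $props = if (Test-Path -Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    # Read one policy value; $null when the key or the value does not exist
    function Get-PolicyValue([string]$Name) {
        if ($null -eq $props) { return $null }
        $p = $props.PSObject.Properties[$Name]
        if ($p) { $p.Value } else { $null }
    }

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Setting, $Value, [string]$Expected, [string]$Status, [string]$Note) {
        $results.Add([pscustomobject]@{
            Setting = $Setting; Value = $Value; Expected = $Expected; Status = $Status; Note = $Note
        })
    }

    # Prompt values: 0 = show warning and elevation prompt, 1 = show warning only,
    # 2 = do not show warning or elevation prompt
    $promptText = @{ 0 = 'Show warning and elevation prompt'; 1 = 'Show warning only'; 2 = 'No warning or elevation prompt' }

    $restricted = Get-PolicyValue 'Restricted'
    Add-Result 'Restricted' $restricted '1' $(if ($restricted -eq 1) { 'PASS' } else { 'FAIL' }) 'Point and Print Restrictions policy enabled'

    $trusted = Get-PolicyValue 'TrustedServers'
    $list    = Get-PolicyValue 'ServerList'
    $listOk  = ($trusted -eq 1) -and -not [string]::IsNullOrWhiteSpace($list)
    Add-Result 'TrustedServers/ServerList' "$trusted / $list" '1 / <FQDN list>' $(if ($listOk) { 'PASS' } else { 'FAIL' }) 'Users can only point and print to the listed servers'

    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-PolicyValue $name
        $desc = if ($null -ne $v -and $promptText.ContainsKey([int]$v)) { $promptText[[int]$v] } else { 'not configured' }
        Add-Result $name "$v ($desc)" '0 (Show warning and elevation prompt)' $(if ($v -eq 0) { 'PASS' } else { 'FAIL' }) 'Both prompts should be shown'
    }

    # After KB5005652, absent or 1 means only administrators can install drivers
    $rdia = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'
    if ($null -eq $rdia -or $rdia -eq 1) {
        Add-Result 'RestrictDriverInstallationToAdministrators' $rdia '1 or absent' 'PASS' 'Post-KB5005652 default: only administrators install drivers'
    } else {
        Add-Result 'RestrictDriverInstallationToAdministrators' $rdia '1 or absent' 'WARN' 'Non-admins may install drivers; acceptable only with a trusted server list and both prompts enabled'
    }

    return $results
}

Get-PointAndPrintAudit | Format-Table -AutoSize
```

Reading the policy key needs no elevation, so the script can run as a logged-on user or from an inventory tool. A FAIL on the prompt rows is exactly the configuration the forum reply above warns about; a WARN on the last row is the decision the knowledge base article leaves to each department.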
UPDATE: Part II here: //www.anthonyfontanez.com/index.php/2021/08/16/printnightmare-point-and-print-part-ii/
UPDATE 2: Added additional information about Package Point and Print
UPDATE 3: The Security Baseline for Windows 11 includes an updated SecGuide.admx template that can natively control the new registry item.
Printers suck. We all know it. PrintNightmare has been through a few evolutions as of late. Now, as part of the 2021-08 Cumulative Update for Windows 10 (KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)), unless you go and create/set a specific registry item, Point and Print will now be locked down and require administrative rights to install drivers from any print server. My assumption is that this is to catch all of the Point and Print misconfigurations out there once and for all. While the vulnerabilities are still present on the system, this may help mitigate compromise; however, you may find yourself with many Help Desk tickets for printer installations. In this post, I’m going to go over a “proper” Point and Print configuration that will allow you to continue to let users without admin rights install printers, along with some additional “best practices” that I would consider putting in place if not already.
Point and Print Configuration
Point and Print allows users to install shared printers and drivers easily by downloading the driver from the print server. These settings can be found in Group Policy under “Computer Configuration\Policies\Administrative Templates\Printers”.
The above shows how I have Point and Print configured in my lab.
- Users can only point and print to “print.ad.ajf8729.com”
- Elevation prompts are bypassed for driver installations/updates
Seeing the values set in the registry via PowerShell:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\'
Restricted : 1
TrustedServers : 1
ServerList : print.ad.ajf8729.com
InForest : 0
NoWarningNoElevationOnInstall : 1
UpdatePromptSettings : 2
RestrictDriverInstallationToAdministrators : 0
This is typically seen as an insecure configuration, due to bypassing the UAC prompts. But since the trusted server list is configured, this will block any attempts to point and print to printers shared on an untrusted server with the following message, regardless of local admin privileges:
Enter the 2021-08 Cumulative Update…
After installing the 2021-08 Cumulative Update for Windows 10, the above policy will get thrown out the window, due to the introduction of a new registry item. If this item is not created, set to 1, or undefined, the Point and Print policy is essentially ignored, and admin rights will be required to install any print drivers. In order to counter this, the new item must be created, and set to 0.
# Create the PointAndPrint policy key if it does not exist yet
if (-not (Test-Path -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint')) {
    New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -Force
}
# 0 = users without admin rights may install drivers via Point and Print (subject to the trusted server list)
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -Name 'RestrictDriverInstallationToAdministrators' -PropertyType DWORD -Value 0 -Force
This item can easily be configured via Group Policy Preferences, ConfigMgr Configuration Item, or Intune Proactive Remediation:
Intune Proactive Remediation: please see //github.com/windows-admins/Intune/tree/main/Proactive%20Remediations/PrintNightmare for sample scripts.
UPDATE: The Security Baseline for Windows 11 includes an updated SecGuide.admx that has a native setting to control this new registry item. It is located under “Computer Configuration\Administrative Templates\MS Security Guide”.
Any of these configurations will allow the previously configured Point and Print policy to continue to function as expected after the 2021-08 Cumulative Update is installed.
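Intune Proactive Remediations work as a pair of scripts: a detection script that exits 0 when the device is compliant and 1 when it is not, and a remediation script that runs only after a non-zero detection. The block below is an added example of that contract for the new registry item; it is neither this post's script nor the windows-admins repository's scripts. The function names Test-DriverInstallPolicy and Repair-DriverInstallPolicy and the $Mode switch are this example's own, and the desired value of 0 is the post's choice, which only makes sense together with the trusted server list configured earlier.

```powershell
# Added example: detection/remediation pattern for RestrictDriverInstallationToAdministrators.
# $Mode is an assumption of this example: keep 'Detect' in the detection script and set it
# to 'Remediate' in the remediation script (Proactive Remediations take no parameters).
$Mode = 'Detect'
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Name = 'RestrictDriverInstallationToAdministrators'
$Want = 0   # 0 = non-admins may install drivers from the trusted servers

function Test-DriverInstallPolicy {
    # $true only when the value exists and equals $Want. Absent and 1 both mean
    # administrators-only after KB5005652, so both are treated as non-compliant here.
    if (-not (Test-Path -Path $Path)) { return $false }
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($null -ne $current -and [int]$current -eq $Want)
}

function Repair-DriverInstallPolicy {
    # Creates the key if needed and writes the DWORD; requires SYSTEM or local admin
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Want -Force | Out-Null
}

if ($Mode -eq 'Remediate') {
    Repair-DriverInstallPolicy
    if (Test-DriverInstallPolicy) { Write-Output "Remediated: $Name = $Want"; exit 0 }
    Write-Output "Remediation failed: $Name still not $Want"
    exit 1
}

# Detection: exit code drives whether Intune runs the remediation script
if (Test-DriverInstallPolicy) {
    Write-Output "Compliant: $Name = $Want"
    exit 0
}
Write-Output "Non-compliant: $Name missing or not $Want"
exit 1
```

The Write-Output lines are what Intune shows as pre- and post-remediation output, which is useful when reconciling devices that keep flipping back because a conflicting GPO or baseline writes the value to 1.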
Package Point and Print
After some additional troubleshooting with Johannes in the WinAdmins Community, we discovered that he did not have Package Point and Print settings configured, where I did (mentioned in the next section). While I was not 100% sure how that setting worked initially, I had configured it in tandem with the regular Point and Print settings. After doing some more research (Point and Print with Packages & Package-Aware Print Drivers), it seems like it comes down to a setting in the INF file. You can see which drivers are package-aware in the Print Management console, under Drivers -> “Packaged” column:
Combining the normal Point and Print settings with the Package Point and Print settings is simple; it’s a single GPO setting to enable it and configure the trusted servers:
Configuring this setting is highly recommended if you have configured regular Point and Print as I described earlier.
Additional “Best Practices”
Along with the above configuration, there are a few other settings I would include in your overall printer configuration policies as a baseline.
Harden your trusted print servers
If you go the route of not requiring elevation to install printers from trusted servers, the print server itself becomes the sensitive target. Hardening the server becomes critical to protect your infrastructure.
- Review who has administrative rights to these servers, how their firewalls are configured, and what is installed on them.
- Enable print driver isolation on every driver possible to help prevent bad drivers from taking down the entire system.
- Ensure the servers are as up to date as possible.
- Utilize the PrintBrm utility to back up your print server configurations, and to move to a new operating system if necessary.
- “Allow Print Spooler to accept client connections”
- This should be set to Disabled on all endpoints that are not print servers, to ensure that clients cannot connect to printers shared from them. Ideally, inbound File/Print sharing firewall rules are blocked/disabled/restricted on endpoints; but if not, this is an easy stopgap until endpoint firewall rules are better configured.
- “Package Point and print – Approved Servers”
- This is similar to the standard Point and Print setting, but for “packaged” drivers. Configure this to the same trusted server(s) as the standard Point and Print trusted server(s). See the Package Point and Print section above for further details.
The Print Spooler service should ideally be disabled on all servers that do not require it. Disabling it on Domain Controllers will stop automatic pruning of stale printers published to the directory, so be prepared to do this manually or via script if necessary. Disabling the service can easily be done via Group Policy Preferences:
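Both of the spooler recommendations above (refusing client connections on endpoints, and disabling the service on servers that do not print) need a per-machine check first, because disabling the spooler on a real print server or on a domain controller has the side effects the text describes. The script below is an added example rather than the post's Group Policy Preference; the function names Get-SpoolerExposure and Set-SpoolerHardening are this example's own. It assumes that “Allow Print Spooler to accept client connections” corresponds to the RegisterSpoolerRemoteRpcEndPoint DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with 2 meaning disabled.

```powershell
# Added example: decide per machine whether the Print Spooler can be disabled outright
# or, failing that, stopped from accepting client connections. Not the post's own code.
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-SpoolerExposure {
    # Facts the decision depends on: domain controller role, shared printers, service state
    $role   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    $svc    = Get-Service -Name Spooler
    $rpc    = (Get-ItemProperty -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    [pscustomobject]@{
        IsDomainController   = ($role -ge 4)
        SharedPrinters       = @($shared | ForEach-Object { $_.Name })
        SpoolerStatus        = $svc.Status
        SpoolerStartType     = $svc.StartType
        AcceptsClientConnect = ($rpc -ne 2)   # policy value 2 = "Allow Print Spooler to accept client connections" disabled
    }
}

function Set-SpoolerHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $state = Get-SpoolerExposure
    if ($state.SharedPrinters.Count -gt 0) {
        Write-Warning "Shared printers present ($($state.SharedPrinters -join ', ')); this looks like a print server, leaving Spooler alone"
        return $state
    }
    if ($state.IsDomainController) {
        Write-Warning 'Domain controller: disabling Spooler stops automatic pruning of stale published printers'
    }

    if ($PSCmdlet.ShouldProcess('Print Spooler', 'Block client connections and disable the service')) {
        # First line of defence: refuse remote clients even if the service is later re-enabled
        if (-not (Test-Path -Path $PrintersPolicy)) { New-Item -Path $PrintersPolicy -Force | Out-Null }
        Set-ItemProperty -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord

        # Second line: nothing here is shared, so stop and disable the service itself
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
    return Get-SpoolerExposure
}

# Dry run first, then apply: Set-SpoolerHardening -WhatIf ; Set-SpoolerHardening
Get-SpoolerExposure
```

Because the function is ShouldProcess-aware, it can be rolled through a fleet with -WhatIf to produce the list of machines that would be touched, and the warnings give you the print servers and domain controllers to handle separately.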
In the long term, endpoint firewall rules should be configured to prevent File/Print Sharing where necessary. While I intend to go into much more depth about firewall configurations in a later post, here is a quick glance at a bare-bones basic endpoint firewall policy for a client machine:
The above policy only allows SMB access from one host, and RDP from a single subnet. Local firewall rules configured on the system itself are not applied, meaning everything must be configured in policy. This is a very secure configuration, and can take a bit of work to get to. Be on the lookout for a future post going into greater detail about this.
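The policy shown in the screenshot can be expressed with the NetSecurity cmdlets so it can be reviewed in text or reproduced on a lab client. The following is an added example, not the post's GPO; the management host, the RDP subnet, the rule names prefixed Baseline- and the function names Set-BaselineInboundPolicy and Get-BaselineInboundPolicy are placeholders and assumptions of this example. It writes to the local policy store; for a domain GPO the same cmdlets accept -PolicyStore with the GPO's domain\name.

```powershell
# Added example: bare-bones inbound policy (SMB from one host, RDP from one subnet,
# local rules ignored) using the NetSecurity module. Not the post's own configuration.
$MgmtHost  = '10.0.0.10'     # placeholder: the only host allowed to reach SMB on this client
$RdpSubnet = '10.0.1.0/24'   # placeholder: the only subnet allowed to reach RDP

function Set-BaselineInboundPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SmbFrom = $MgmtHost,
        [string]$RdpFrom = $RdpSubnet
    )

    if (-not $PSCmdlet.ShouldProcess('Windows Firewall', 'Apply baseline inbound policy')) { return }

    # Default-deny inbound on every profile and ignore rules configured on the box itself,
    # so the policy is the single source of truth, as the post describes
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -AllowLocalFirewallRules False -AllowLocalIPsecRules False

    # Remove any earlier copy of our rules so the function is idempotent
    Get-NetFirewallRule -DisplayName 'Baseline-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName 'Baseline-SMB-In' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 445 -RemoteAddress $SmbFrom -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName 'Baseline-RDP-In' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $RdpFrom -Profile Domain | Out-Null
}

function Get-BaselineInboundPolicy {
    # Review helper: every enabled inbound allow rule with its port and remote scope,
    # which is the view you want before trusting that "only one host can reach SMB"
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            $port = ($_ | Get-NetFirewallPortFilter).LocalPort
            [pscustomobject]@{
                Rule          = $_.DisplayName
                LocalPort     = ($port -join ',')
                RemoteAddress = ($addr -join ',')
            }
        }
}

# Review the current state; apply with Set-BaselineInboundPolicy (or -WhatIf to preview)
Get-BaselineInboundPolicy | Format-Table -AutoSize
```

Run Get-BaselineInboundPolicy before and after applying the policy: any inbound allow rule whose RemoteAddress is "Any" on port 445 is the File/Print Sharing exposure the post is trying to close, and since local rules are no longer honoured, anything an application added locally will disappear from the effective set.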