Mapping a printer with and without Admin By Request
Hit print, have privs?
Being in the Privilege Access Management (PAM) business, every now and then I come across someone I like to refer to as the ‘Anti-PAM’er’. This person will oversee network security and take a rather dim view of any solution that enables the lowly employee from running any administrative task at all.
From a security perspective, this is of course a valid approach, but we would say, one very much at the expense of productivity. An overly controlling security policy like this is also going to require a very busy, thick skinned IT helpdesk, and company issue paper bags for hyperventilating employees trying to get simple things to ‘just work’ in a hurry.
To the Anti-PAM’er’, the best type of admin rights for users, are no admin rights at all. Only Admin people should ever do admin things. Users need to write their documents, send their emails, and print.
I mean, who ever heard of needing admin rights to print something?
Your worst PrintNightmare
The PrintNightmare nightmare started back in June 2021 when the ancient Windows Printer Spooler service went from venerable to vulnerable overnight. Originally thought to be a vulnerability which only impacted domain controllers running Windows Print Services, it soon became apparent that the problem was far more serious, soon graduating from Local Privilege Escalation (LPE) to full blown Remote Code Execution (RCE).
Nightmare CVEs, come in threes!
What makes PrintNightMare super interesting is that the discovery and reporting of it (or should I say, THEM), well, it was all a bit Laurel & Hardy (Dick und Doof for our German readers!) It was not surprising the result was ‘another fine mess’.
Two different reports of Remote Code Execution (RCE) vulnerabilities in the Windows Spooler service came wobbling into shot at virtually at the same time, and in the fashion of a classic farce, they were immediately assumed to be one and the same. A patch was issued for the first Windows spooler vulnerability (CVE-2021-1675) along with full publication of the proof-of-concept exploit code. This left a different vulnerability (also confusingly christened PrintNightmare) in the other report unfixed, wide open and without a patch. Microsoft later clarified the confusion by getting a new CVE assigned to PrintNightmare: CVE-2021-34527.
Like all good comedies, just when you think it’s over there was more to come! A further discovery in August delivered a zinger of a punchline. It was quickly realized that the patch to resolve CVE-2021-34527 was not effective for organizations that used a widely adopted Windows Server printing feature called ‘Point And Print’.
The PrintNightmare Point And Print exploit can be leveraged by an attacker modifying an existing driver package and associating a payload .dll that the user (and local print spooler service) will unwittingly run with full system rights. After that the attacker can run whatever they like as SYSTEM, and once finished, would surely not resist the irony of printing their own ransom notes.
The patch for Point And Print (KB5005652) was released in time for August 2021 patch Tuesday fix under CVE-2021-34481.
As the curtain came down on the first act of the PrintNightmare patch fiasco, there would be no applause from the audience, but groans. Act two would be no laughing matter.
Et Tu, Brother! How the lowly printer betrayed its privilege
The really unfortunate / clever / evil genius thing about the PrintNightmare CVE-2021-34481 vulnerability is that it fundamentally exploits two long standing assumptions:
- That printer drivers would only ever be written by cuddly printer manufacturers, solely for the purpose of printing stuff out.
- That the task of adding / installing print drivers, unlike other system drivers, can be performed without any security implication to the user, because, well hey we love printers, right?!
And so, with Windows 10, and O/S versions before, the ability to allow non privileged users to install network print drivers has always been by default allowed. You simply point at a printer, click on it, and print. Thus the marketing gurus at Microsoft thought very hard and after a flash of imagination decided to call this functionality ‘Point And Print’.
So long, PrintNightmare. Welcome to Helpdesk hell!
Microsofts KB5005652 remediation for PrintNightware was bold and brutal. It involved changing the default behavior from enabling users to install network print drivers, to give the user a prompt instead, first ‘Do you trust this printer?’ and after this, a UAC prompt with a requirement for Local Admin rights.
As print drivers need to be installed on initial printer setup AND for simply printing something out if the print driver requires an update, if you are in the unfortunate position of using Point And Print plus are following security best practice by not giving users permanent Local Admin rights, you’re looking at an A0 poster sized printing problem with KB5005652.
At this point in the blog, I have either filled you with dread, or you have realized that you might have stumbled upon a good article that will stop your boss screaming ‘no one can print’ at you. You’ve diligently hung in there, so it’s high time we went go through the options, and then show you how our Admin By Request solution can help you with your newly acquired Point And Print Privilege Problem!
Option 1: Do nothing
Of course, doing nothing is always an option, however the impact will be difficult to control because it will be wholly dependent on the state of each Windows 10 endpoint under your management:
Windows 10 PCs that have not received KB5005652 will continue to run as normal but would be totally exploitable by PrintNightmare when they add / update printer drivers.
Windows 10 PCs that have KB5005652 but also have the print driver installed (from previous install) will initially appear fine and work problem free. However, when the print driver gets updated, these users will get a nasty surprise: a UAC prompt when they go to print something out.
Windows 10 PCs that have KB5005652 but do not have the print driver – perhaps connecting to a new printer, the user will not be able to set this printer up. They will also hit UAC and need to put in a call the helpdesk.
The problems therefore with Option 1 are:
- Real potential for significant unplanned disruption, which since endpoints might be in different states and situations, will be difficult to control.
- Issues with helpdesk users filling in UAC prompts for users, if for example they happen to be using MS Teams for remote support.
- More users will need to use Local Admin credentials more often. Never a good thing if those details themselves are compromised.
Option 2: Revert & Remediate
Microsoft generally provide you with the ability to revert a change in default behavior and the KB5005652 is no exception. As mentioned here KB5005652—KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481) (microsoft.com) you can revert to the ‘pre KB5005652’ setting by locating the registry key:
Then set a value of
RestrictDriverInstallationToAdministrators with ValueData of ‘0’.
There are a couple of additional remediations mentioned in the above article which basically allow you to restrict end user installs of specific Print Servers and Package Points. You just need to hope your existing print servers are sufficiently protected and difficult to compromise.
Yes, option 2 will extract you from HelpDesk hell and make all your users love you again. However, by doing this you are essentially making your entire organisation PrintNightMare vulnerable. You crawled out of a short-term printing hole, whilst immediately falling into a bigger security one!
Option 3: Deploy All Printers to the Computer not User, via GPO
By using GPO to deploy printers to computers, not users, this operation is performed without user intervention and occurs at system level. Thus, it completely does away with the issue of users needing admin rights for adding printers / hitting problems with driver updates.
The problem with this approach is that sometimes you want printers to ‘follow’ users depending on where they are sitting, and well, this option isn’t going to work in a hot desking environment.
There is also a higher reliance on complex GPO management, and hardware refreshes could be a pain.
How Admin By Request Can Help
Options 1 > 3 are either disruptive, potentially dangerous or involve much GPO drudgery. With Admin By Request we can give you three more options all of which are quick to deploy, easy to manage and simple to use!
Note: All three of our options could be put in place in the same organisation but to meet different use cases and security requirements. This is simple to achieve by assigning different settings to different groups of users or computers (sub settings).
Option 4: Use Admin By Request to achieve password-less approval system for adding printers
Because Admin By Request is a solution that enables users to be granted ‘Just In Time’ privileged user access, the task of adding a printer or updating its driver can be done without the UAC box showing up.
By enabling our approval feature, users hitting KB5005652 when adding / using a printer will be automatically routed to a workflow where the IT team can then approve or request further information. Once approved (via the portal or our mobile app), the user can carry on their merry way to complete the printer setup, and the whole operation is fully audit logged.
Option 5: Allow ‘Auto Approval’ / Tray Tools for the adding of printers
Quite frankly, I will be straight with you. This is not too different from option 2) ‘Revert & Remediate’ above, because you are essentially allowing a non-privileged user to add a printer without any form of check. Unlike the second option, it’s worth bearing in mind that all Admin By Request operations are audit logged, and so at least you will have a easy way to see exactly who is doing exactly what.
It’s also possible to give this right to senior IT staff that might find it useful when used with our ‘Support Assistance’ feature. A remote session could still be performed to help the printer-less damsel in distress, completed safely by IT, however no UAC would show up, just our confirmation prompt, so no requirement to enter any usernames or passwords. Again, everything is logged.
Option 6: Blacklist the ability to add network printers, but provide a PIN code override
It may seem odd to write a blog about how Admin By Request can help you with your PrintNightMare Point And Print predicament, only for us to suggest an option which prevent users from adding / updating their own printer drivers!
As it is not possible for us to ascertain the ‘sanity’ of any printer driver / package, there is surely a good argument for preventing user print driver management completely. With Admin By Request this can be done globally, instantly, and on systems across different domains, without the need for any GPO config. Whether this is done immediately or after an alternative printer management solution was rolled out, this would be down to you.
This approach might be needed, as Admin By Request enables users to launch applications / create administrative sessions and without additional configuration, it would therefore be possible for a user with a KB5005652 patched system, to potentially add a maliciously tampered printer / driver / package without knowing it.
Because of this, if you are worried about the potential impacts of PrintNightmare, we would recommend using Admin By Request to specifically blacklist (block) the ability of users to add printers, whilst still enabling them to use Admin By Request for safely elevating the tools and applications they need to use day in day out.
As with all blacklist operations in Admin By Request, there is always the option of the PIN code override, in case a special situation arises which requires manual intervention to perform the printer elevation operation.
Admin By Request – awake from your PrintNightmare!
Although it’s still early days in terms of fallout from Microsofts recent PrintNightmare patch, it’s clear to us that different customers will use Admin By Request differently in order to solve the PrintNightmare woes.
Some have chosen to roll out auto approval, enabling users to elevate, add printers and audit log simply because it’s not possible for them to implement a GPO based solution quickly enough.
Others are using Admin By Requests blacklist feature to provide a more intuitive method to prevent users from managing their own printers, rather than simply show them a UAC prompt. At the same time, different Admin By Request settings are applied to the IT Helpdesk team, giving them the ability to jump on computers, fix printers, all without hitting UAC and needing to re-enter usernames and passwords.
We have made the tools, and in true FastTrack Software style, we made them easy to deploy, manage and run.
Customers may decide to use our tools differently, but from the feedback we have had so far, the positive outcomes are all such perfect copies….Xerox would be proud!
Finally, we understand that no two scenarios are the same. If after reading this blog you would like some further guidance from us to help you painlessly navigate your own PrintNightmare, please to get in touch or create a support ticket to discuss options with us.