PrintNightmare: secure print configuration

In this “little” tutorial, I will show you how to set up a “secure” configuration.

Since the publication of the PrintNightmare flaw, Microsoft has released several updates to fix it and has taken the opportunity to change the behavior of Windows in order to harden the configuration.

In this tutorial, we will see which settings to use to get a better configuration in your company.

The main change is to declare, by GPO, the print servers from which clients are allowed to download drivers.

Before going into production, I advise you to test this solution in a lab and then apply it gradually, OU by OU.

Open the Group Policy Management console.

Go to the Group Policy Objects container (1), right-click it and click New (2).

Name the group policy (1) and click OK (2).

Go to the following location: Computer Configuration / Policies / Administrative Templates / Printers.

Open the Point and Print Restrictions setting (1).

This setting lets us disable the elevation prompt for driver installation.

Select Enabled (1), then choose Do not show warning or elevation prompt (2) (twice), then click Apply (3) and OK (4).

Back in the list of settings, open Package Point and Print - Approved servers (1).

Enable (1) the setting, then click the Show button (2).

Enter the print servers (1), one per line, then click OK (2).

Once the servers have been added, click Apply (1) and OK (2) to validate the configuration.

The first Group Policy is ready:

Now create a second group policy, in which we will allow non-administrator users to install drivers. I have already covered this topic here: KB5005033: Allow non-administrators to install printer drivers. Follow only the registry key part of that tutorial.

Once the two group policies are ready, we will link them to the Organizational Unit (OU).

Right-click the OU (1) and click Link an Existing GPO (2).

Select the group policy (1) and click OK (2).

Repeat the operation for the second Group Policy.

The two group policies are linked to the OU:

Applying these settings should let you get through the spooler-related Windows security updates without trouble.
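
To confirm on a client that both group policies have applied, the registry values they write can be read back. The PowerShell below is an added example, not part of the original tutorial: the server name is a placeholder, and it assumes the second GPO sets RestrictDriverInstallationToAdministrators to 0, as the KB5005033 registry key does.

```powershell
# Added example: read back the policy values on a client after gpupdate /force.
# Assumption: placeholder server name; replace with the servers entered in the GPO.
$ExpectedServers = @('printsrv01.example.local')
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied).
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name }
}

function Get-ApprovedServers {
    # The approved-servers list is stored as one registry value per server.
    $k = Get-Item -Path "$Base\PackagePointAndPrint\ListofServers" -ErrorAction SilentlyContinue
    if ($null -eq $k) { return @() }
    @($k.GetValueNames() | ForEach-Object { [string]$k.GetValue($_) })
}

$checks = @(
    @{ Path = "$Base\PointAndPrint"; Name = 'NoWarningNoElevationOnInstall'; Want = 1 }
    @{ Path = "$Base\PointAndPrint"; Name = 'UpdatePromptSettings'; Want = 2 }
    @{ Path = "$Base\PackagePointAndPrint"; Name = 'PackagePointAndPrintServerList'; Want = 1 }
    # Assumption: value written by the second GPO (KB5005033 registry key).
    @{ Path = "$Base\PointAndPrint"; Name = 'RestrictDriverInstallationToAdministrators'; Want = 0 }
)

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Name
    [pscustomobject]@{
        Value = $c.Name; Expected = $c.Want; Actual = $actual
        OK = ($null -ne $actual -and $actual -eq $c.Want)
    }
}
$report | Format-Table -AutoSize

$approved = @(Get-ApprovedServers)
$missing  = @($ExpectedServers | Where-Object { $approved -notcontains $_ })
$extra    = @($approved | Where-Object { $ExpectedServers -notcontains $_ })
if ($missing) { Write-Warning "Expected servers not in approved list: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Unexpected servers in approved list: $($extra -join ', ')" }

# Prompts suppressed with no approved-server list means the restriction half is missing.
$noPrompt = (Get-PolicyValue "$Base\PointAndPrint" 'NoWarningNoElevationOnInstall') -eq 1
if ($noPrompt -and $approved.Count -eq 0) {
    Write-Warning 'Elevation prompt is disabled but no approved print servers are configured.'
}
```

A row with an empty Actual column means that value was never written, which usually points to the GPO not being linked to the computer's OU.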

Complement: mimikatz/ at master · gentilkiwi/mimikatz · GitHub
