After you deploy the Windows updates from Microsoft for the CVE-2021-34527 or “PrintNightmare” vulnerability, you are still vulnerable if you have applied a very specific Group Policy setting. “Point and Print” security is enabled by default, which means you are protected by default, but it’s probably worth verifying the state of this feature in your environment.
How to remediate CVE-2021-34527 according to Microsoft:
Deploy the July 2021 Monthly Rollups, or the July 2021 Security-only updates to all of your Windows endpoints.
“In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  - NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.”
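A read-only check of these two values on the local machine, as an added example (not Microsoft's script and not part of the original post). The function name Get-PointAndPrintState is hypothetical, and the session is assumed to be able to read HKLM.

```powershell
# Added example: audit the Point and Print values named in Microsoft's guidance.
# Read-only: it reports state and changes nothing in the registry.
$keyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueNames = 'NoWarningNoElevationOnInstall', 'NoWarningNoElevationOnUpdate'

# Hypothetical helper name; returns one object per value checked.
function Get-PointAndPrintState {
    param([string]$Path = $keyPath, [string[]]$Names = $valueNames)

    # The key does not exist by default; a missing key is the secure state.
    $props = $null
    if (Test-Path -LiteralPath $Path) {
        $props = Get-ItemProperty -LiteralPath $Path
    }

    foreach ($name in $Names) {
        $defined = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains $name)
        $value   = if ($defined) { $props.$name } else { $null }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $name
            Value    = if ($defined) { $value } else { 'not defined' }
            # Secure only when the value is absent or exactly 0.
            Secure   = (-not $defined) -or ($value -eq 0)
        }
    }
}

$results = Get-PointAndPrintState
$results | Format-Table -AutoSize

if ($results.Secure -contains $false) {
    Write-Warning 'A Point and Print value is non-zero: find and correct the GPO that sets it.'
} else {
    Write-Output 'Point and Print elevation prompts are at the secure setting.'
}
```

A non-zero result here reflects policy applied to that machine, so the fix belongs in the GPO rather than in the local registry.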
How to change the setting in the Group Policy Management Console (GPMC):
These settings are typically controlled from the Group Policy Management Console (GPMC). To change these settings:
- Find any Group Policy Object (GPO) that is applying this setting.
- In the Group Policy Management Editor window, click Computer Configuration, click Policies, click Administrative Templates, and then click Printers.
- Right-click Point and Print Restrictions, and then click Edit.
- Ensure the elevation prompts are enabled.
If you are affected by CVE-2021-34527, rather than using Aiden to deploy a remediation script, we recommend you update any affected GPO, because Group Policy will override any change we make the next time a full policy evaluation is performed.
To quickly find the applicable GPOs:
- Log on to a computer which has the PointAndPrint policy applied, as described by Microsoft above.
- Open an elevated command prompt.
- Run the following command: gpresult /scope computer /r /z
- Press Ctrl-F to search the results for: PointAndPrint
- The name of the GPO will be displayed as “GPO: <Name of GPO>”
More from Microsoft: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
Have any questions on how to remediate the Microsoft CVE-2021-34527 vulnerability? Please contact us and we’d be happy to help!