Intune: Disable Print Spooler Client Connections (PrintNightmare Fix)

💼 Management Summary

Disabling Print Spooler remote (client) connections is a PrintNightmare (CVE-2021-34527) mitigation: it prevents remote code execution via the print spooler.

Recommendation: IMPLEMENT IMMEDIATELY
Risk without implementation: Critical
Risk Score: 10/10
Implementation effort: 4h (technical: 2h)
Applies to: ✓ Windows 10, ✓ Windows 11

PrintNightmare is a CRITICAL vulnerability (2021):
  - Print Spooler: Windows service that manages print jobs.
  - Vulnerability: remote attackers can install malicious print drivers → SYSTEM-level code execution.
  - Exploitation: unauthenticated remote code execution (RCE).
  - Active attacks: widespread exploitation (ransomware gangs).
  - Patch: Microsoft patches are available, but as defense-in-depth the remote spooler should be disabled as well.
Attack chain: attacker → network → malicious print driver install request → Print Spooler executes it → SYSTEM compromise.

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

Disable the remote spooler:
  - Policy: Allow Print Spooler to accept client connections: Disabled.
  - Effect: the Print Spooler cannot accept remote connections (local printing ONLY).
  - Printers: network printing via a print server (not directly from workstations).
  - Workstations: NO direct network printing from workstation-hosted queues (security > convenience).

Requirements

  1. Intune subscription
  2. Windows 10/11
  3. Print infrastructure: Dedicated print servers (not workstation direct printing)

Implementation

Intune Settings Catalog: Printers → Allow Print Spooler to accept client connections: Disabled. Effect: workstations can no longer act as print servers. Printing: via dedicated print servers.
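Because the setting makes a workstation stop serving its printers to other machines, it is worth knowing what a device currently shares before the policy lands. The following pre-remediation impact check is an added example and not part of the baseline's own script; it reads the same registry value the baseline script uses and assumes the built-in PrintManagement module (Get-Printer) is available, which it is on Windows 10/11. The exit code convention (2 = blocked by shared printers) is a constructed one.

```powershell
#Requires -Version 5.1
# Added example: report the spooler exposure of this host before disabling
# "Allow Print Spooler to accept client connections". Not the baseline's own code.

$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
$RegName = "RegisterSpoolerRemoteRpcEndPoint"

function Get-SpoolerExposureReport {
    [CmdletBinding()]
    param()

    # 1. Policy state: 2 = client connections disabled, 1 = enabled,
    #    value absent = not configured (OS default: client connections allowed).
    $policy = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    $policyState = if ($policy -eq 2) { 'Disabled' }
                   elseif ($policy -eq 1) { 'Enabled' }
                   else { 'NotConfigured' }

    # 2. Service state: the policy only matters while the spooler runs, and a
    #    registry change is picked up after the service restarts.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # 3. Shared printers: these are the queues that other machines can no longer
    #    reach once remote connections are refused, so they must move to a print server first.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        PolicyState     = $policyState
        SpoolerStatus   = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SharedPrinters  = $shared.Name
        SharedCount     = $shared.Count
        SafeToRemediate = ($shared.Count -eq 0)
        Note            = if ($shared.Count -gt 0) {
                              'Move shared queues to a dedicated print server before disabling client connections'
                          } else {
                              'No shared printers: disabling client connections has no print-serving impact'
                          }
    }
}

$report = Get-SpoolerExposureReport
$report | Format-List
# Constructed convention: exit 2 when remediation would break a print share on this host.
if (-not $report.SafeToRemediate) { exit 2 }
```

Run it as a detection-only step (for example from a Proactive Remediation) on the pilot ring first; devices that exit 2 are the ones whose shared queues still need migrating to a dedicated print server.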

Compliance

Microsoft Security Advisory (PrintNightmare), CIS Windows Benchmark, BIO 12.06.

Monitoring

Use the PowerShell script allow-print-spooler-to-accept-client-connections-is-set-to-disabled.ps1 (function Invoke-Monitoring) to check the setting.

Remediation

Use the PowerShell script allow-print-spooler-to-accept-client-connections-is-set-to-disabled.ps1 (function Invoke-Remediation) to fix the setting.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Security Options: Print Spooler Client Connections Disabled
.DESCRIPTION
    CIS - Print Spooler remote connections disabled (PrintNightmare mitigation).
.NOTES
    Filename: print-spooler-remote.ps1
    Author:   Nederlandse Baseline voor Veilige Cloud
    Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint
    Expected: 2 (Disabled)
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
$RegPath       = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
$RegName       = "RegisterSpoolerRemoteRpcEndPoint"
$ExpectedValue = 2   # 2 = client connections disabled, 1 = enabled

# Returns $true when the script runs elevated; writing under HKLM\SOFTWARE\Policies requires it.
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reads the policy value and reports whether it matches the expected (Disabled) state.
function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "print-spooler-remote.ps1"
        PolicyName    = "Print Spooler Remote"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "Disabled"
        Details       = @()
    }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            $r.CurrentValue = $v.$RegName
            if ($v -and $v.$RegName -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += "Spooler remote disabled"
            } else {
                $r.Details += "Spooler remote: $($v.$RegName)"
            }
        } else {
            $r.Details += "Niet geconfigureerd"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

# Creates the policy key if needed and sets the value to Disabled (2).
function Invoke-Remediation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "Print Spooler remote connections disabled" -ForegroundColor Green
}

# Prints the compliance state and returns the result object for the caller.
function Invoke-Monitoring {
    $r = Test-Compliance
    $state = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    Write-Host "`n$($r.PolicyName): $state" -ForegroundColor $(if ($r.IsCompliant) { 'Green' } else { 'Red' })
    return $r
}

# Removes the policy value so the OS default (client connections allowed) applies again.
function Invoke-Revert {
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

Critical: PrintNightmare = remote SYSTEM compromise (active exploitation).

Management Summary

Disable Print Spooler remote connections. PrintNightmare (CVE-2021-34527) mitigation. Workstations: no direct network printing. Implementation: 2-4 hours.