Thursday, July 1, 2021

PrintNightmare - Solution Until Microsoft Releases a Patch

Microsoft recently released a patch for CVE-2021-1675 to address a vulnerability in the Windows Print Spooler service, but it turned out that the patch didn't fully work. Initially the bug was thought to be only a local privilege escalation, but it turns out to allow full remote code execution. That means an attacker can gain full domain privileges by executing code as a standard user. There are many ways a malicious actor could trigger this exploit. The vulnerability has been dubbed PrintNightmare.

Microsoft will probably release a new patch soon, but until then the only thing you can do is disable the Print Spooler service on domain controllers and on any server where it is not needed. Here is what you can do.

Step 1:
Open PowerShell ISE as Administrator and enter the script below:

# Stop the Print Spooler service if it is running
Stop-Service -Name Spooler
# Prevent it from starting again at boot
Set-Service -StartupType Disabled -Name Spooler

Save the script as a .ps1 file.

Step 2:
Deploy the script using your remote monitoring and management (RMM) system. You will basically need to create a filter that pulls all the domain controllers and file servers, then create a scheduled task to run the script on all the machines matched by that filter.

Step 3:
The RMM should tell you whether the task executed successfully or not, but you can also sign in to a few randomly chosen machines to verify that the Spooler service has been stopped and disabled.
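If you would rather check every domain controller at once instead of spot-checking, the script below (an added example, not part of the original post) pulls the domain controller list from Active Directory, queries the Spooler state on each over WinRM, and reports which machines are still not stopped and disabled. It assumes the ActiveDirectory RSAT module is installed, WinRM is enabled on the targets, and the extra server names are placeholders you replace with your own.

```powershell
# Added verification script (not from the original post).
# Assumes: ActiveDirectory module available, WinRM reachable on targets.
Import-Module ActiveDirectory

# Constructed placeholder list of additional file servers; replace with yours.
$extraServers = @('FILESRV01', 'FILESRV02')

# Every domain controller in the current domain, plus the extra servers
$targets = (Get-ADDomainController -Filter *).HostName + $extraServers

$results = foreach ($computer in $targets) {
    try {
        # Query service state remotely; StartType requires PowerShell 5.0+
        $svc = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-Service -Name Spooler | Select-Object Status, StartType
        }
        [pscustomobject]@{
            Computer  = $computer
            Status    = [string]$svc.Status
            StartType = [string]$svc.StartType
            Compliant = ([string]$svc.Status -eq 'Stopped' -and [string]$svc.StartType -eq 'Disabled')
            Error     = $null
        }
    } catch {
        # Unreachable hosts are reported separately so they are not mistaken for compliant
        [pscustomobject]@{
            Computer  = $computer
            Status    = 'Unreachable'
            StartType = 'Unknown'
            Compliant = $false
            Error     = $_.Exception.Message
        }
    }
}

# Non-compliant and unreachable machines sort to the top of the report
$results | Sort-Object Compliant, Computer | Format-Table -AutoSize

# Remediate reachable machines where the Spooler is still running or enabled,
# using the same two commands as the Step 1 script
$results | Where-Object { -not $_.Compliant -and $_.Status -ne 'Unreachable' } | ForEach-Object {
    Invoke-Command -ComputerName $_.Computer -ScriptBlock {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    }
}
```

Run it from a management workstation with Domain Admin rights; re-run it after the RMM task completes to confirm nothing was missed by the filter.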
