Group Policy for assigning Printer Shares

Problem:

Linking printers as an unprivileged user (without administrator rights) does not work anymore since Microsoft updates in summer 2021. This is due to changes related to CVE-2021-1675, commonly known as Printer Nightmare.

Solution:

The behavior of Click and Print in Windows has changed. Therefore, linking printer shares is no longer a straightforward option. An adjustment of the group policy is therefore necessary.

Background

Administrator rights are normally required to install drivers. In order to enable unprivileged users to link printers, Windows made an exception here. When linking printers from print servers, a driver installation was performed in the background. When the CVE-2021-1675 vulnerability was discovered, it was determined that this behavior can be used to install malicious drivers. The check whether a driver is a regular printer driver or a malicious driver that can be used to compromise was insufficient. As a result, Microsoft has made several attempts to improve this behavior. The first approach was that only signed printer drivers could be used. However, it didn't take long to find a workaround. The number of signed printer drivers in Windows is huge and to compromise it is enough to find a security hole in an existing printer driver. Corresponding gaps were quickly found and Microsoft was forced to completely change the behavior.

New behavior since summer 2021

The automatic installation of drives when linking now requires administrative rights by default. If you want to change this behavior, you have to create a corresponding group policy.

The following has proven to be a feasible path between convenience (printer assignment for normal users) and security:

  • The driver installation is prevented by default
  • A list of trustworthy print servers is defined

How to set up a secure environment

Group Policy global disable spooler

It is good practice disabling the Print Spooler by default on all servers that do not require a printer.

Disable Spooler GPO

This GPO should be assigned to everybody (whole domain + domain controllers). Via Delegation you have to remove your print servers from this GPO.

Disable Spooler deny server list

Disable Spooler deny server list

Group Policy allow non admins to install print drivers

This GPO contains following Policies for Computers

  1. Devices: Prevent users from installing printer drivers -> Disable
  2. Windows Registry key: HKEY_LOCAL_MACHINE" key="SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" name="RestrictDriverInstallationToAdministrators" type="REG_DWORD" value="00000000">
  3. Package Point and print - Approved servers
    • Add your Print Servers to the List
  4. Point and Print Restrictions
    • Users can only point and print to these servers
    • Do not show warning or elevation prompt
    • Do not show warning or elevation prompt
1. Devices: Prevent users from installing printer drivers -> Disable

Point and Print Policy 1

2. Windows Registry key: HKEY_LOCAL_MACHINE" key="SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators"

Point and Print Policy 4

3. Package Point and print - Approved servers, 4. Point and Print Restrictions

Point and Print Policy 2

NOTE: If you forget to add your print servers to both policies (Allowed Servers and Restrictions), the default behavior - any server - will be applied. All security is therefore switched off!

NOTE: The value 0 in the registry key RestrictDriverInstallationToAdministrators enables the Point and Print feature. The default value for the key (= if the key doesn't exist) is 1 which means disable the whole feature.