PrintNightmare Vulnerability Audit
Find Domain Controllers and Workstations Vulnerable to PrintNightmare
Microsoft accidentally released details of a critical unpatched vulnerability. CVE-2021-1675, which affects the Print Spooler service, was supposed to be fixed in the last Patch Tuesday, but Microsoft recently updated the vulnerability, researchers found additional methods to exploit it, and no patch is available yet. It is therefore critical that you act as soon as possible and disable the Print Spooler service on all domain controllers while we all wait for a patch release from Microsoft.
The PrintNightmare vulnerability allows attackers to obtain full SYSTEM privileges by using a normal domain user account. It can also lead to remote code execution with the highest privileges. You can read more about the vulnerability in our PrintNightmare blog post.
The report below provides an overview of all your devices, servers and workstations, and their patch status. It also shows the status of the Windows Print Spooler service, the start mode of the service, and the current status. Lastly, it shows whether either of the registry keys that make a device vulnerable exists or is enabled. You can find more info on the fix on Microsoft’s official page.
Update July 7: Updates for Windows 10 versions added.
Update July 8: Updates for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012 have been added.
Update July 13: PointAndPrint registry keys check added. Patch Tuesday July 2021 updates added.
The following registry key must be added to your custom registry scanning configuration to get accurate results in your report:
Regpath: SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Regvalue 1: NoWarningNoElevationOnInstall
Regvalue 2: UpdatePromptSettings
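
To spot-check a single machine against the same data points the report collects (Print Spooler state and start mode, plus the two PointAndPrint values), the following PowerShell can be run locally. It is an added example, not the report's own query; the function names are hypothetical, treating a value that exists and is nonzero as the risky setting is an assumption, and patch status is not checked because the relevant update numbers are not listed on this page.

```powershell
# Added example, not the report's own query. It only reads service and
# registry state on the local machine and changes nothing.
$regPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueNames = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (the default state).
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrintNightmareExposure {
    $spooler = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $role    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    $row = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        # DomainRole 4 and 5 are backup and primary domain controller.
        IsDomainController = $role -in 4, 5
        SpoolerState       = if ($spooler) { $spooler.State } else { 'NotInstalled' }
        SpoolerStartMode   = if ($spooler) { $spooler.StartMode } else { 'NotInstalled' }
    }

    # Record each policy value as found; $null means "not configured".
    foreach ($name in $valueNames) {
        $row[$name] = Get-PolicyValue -Path $regPath -Name $name
    }

    # The spooler counts as available if it is running or could still be started.
    $row['SpoolerAvailable'] = [bool]($spooler -and
        ($spooler.State -eq 'Running' -or $spooler.StartMode -ne 'Disabled'))

    # Assumption: a value that exists and is nonzero is the risky setting.
    $risky = @($valueNames | Where-Object { $row[$_] })
    $row['PointAndPrintRisk'] = $risky.Count -gt 0

    # Domain controllers with an available spooler are the priority to fix.
    $row['NeedsAttention'] = $row['PointAndPrintRisk'] -or
        ($row['IsDomainController'] -and $row['SpoolerAvailable'])

    [pscustomobject]$row
}

Get-PrintNightmareExposure | Format-List
```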