Introduction
In June 2021 a vulnerability was discovered relating to the Windows Print Spooler service.
Issue
This Microsoft article CVE-2021-34527 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability describes the problem and offers two methods to protect against it.
Resolution
UPDATE: 7th July 2021 - Microsoft have released an out of band patch for this issue, please see July 6, 2021—KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band (microsoft.com).
and
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004945
Workaround
As of 6th July 2021, Microsoft are working on an update to fix this vulnerability. In the meantime they have provided two workarounds:
Option 1 - Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -ForceSet-Service -Name Spooler -StartupType Disabled
Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 - Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
Impact on Spindle Document Distribution
Draycir have established that Option 1 will prevent Spindle Document Distribution from processing documents, as the Spindle Pro Printer Agent service has a dependency on the Print Spooler service.
Option 2, however allows printing to continue to a locally connected printer (such as Spindle Pro Auto), which is how we would expect Spindle Document Distribution to be configured in the vast majority of cases.
Knowledge Base Article Details
| Related Product | Spindle Document Management, Spindle Document Distribution, Spindle Professional |
| Reference Number | KBA-01-03-035 |
| Document Date | 06/07/2021 |
| Original Author | Vince Hodgson |
| Document Version | 1.1 |
| Last Updated | 07/07/2021 |
| Update Author | Vince Hodgson |
| Keywords |