A remote code execution vulnerability exists when the Windows® Print Spooler
service improperly performs privileged file operations. An attacker who
successfully exploits this vulnerability could run arbitrary code with
system privileges and perform the following actions:
- Install programs.
- View, change, or delete data.
- Create new accounts with full user rights.
For more information, see the Microsoft complete guidance for
For customers who use Rackspace Managed Patching, the required update is
available with the release of July 2021 patches.
Customers who want to remediate this before the July 2021 patching window
should use the following steps:
Install the applicable out-of-band update in
These updates require a reboot.
After installing the update, perform the following steps:
Open the Registry Editor for the server on which you want to install the
update by clicking Start Menu > Run. Type
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
and look for the following registry keys:
Set the the registry keys to
0to disable Point and Print. If the registry
keys are missing, the features are disabled. Ensure that disabling this feature doesn't
affect necessary business operations on the server.
Note: To enable Point and Print in the future, set the registry keys to
After patching, Microsoft also recommends that you complete the steps in
KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.
If you can't install patches at this time, review the following workarounds
to protect servers until you can install the patches:
Disable the Print Spooler service on servers that are not serving in any
printing capacity by using the following commands:
Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled
Disable inbound remote printing through Group Policy by using the following
In the Group Policy Editor, navigate to
Computer Configuration > Administrative Templates > Printers.
Disable the Allow Print Spooler to accept client connections policy to
block remote attacks.
Restart the Print Spooler service.
If you need more information or further assistance regarding this
vulnerability, open a Support ticket in the Customer Portal, or contact your
Rackspace Support team.
Updated 2 months ago