Windows Hardening - Disabling the Print Spooler
Introduction
The Microsoft Windows operating system Print Spooler is a service for managing print jobs. The executable for this service is spoolsv.exe and this service is enabled by default on most Microsoft Windows systems.
It has been affected by a large number of vulnerabilities over the years, and was used as a propagation vector by the Stuxnet virus.
Recently, two new critical vulnerabilities were disclosed: CVE-2021-1675 (also called PrintNightmare) and CVE-2021-34527.
To mitigate these vulnerabilities, it is generally recommended to disable the Print Spooler service on Windows servers that do not require it. In the following sections, we will see 3 methods to disable this service.
Detection of print spooler by attackers
During the reconnaissance phase of a pentest, or simply when attacking the internal network of a company, attackers scan the machines. These scans detect the services running on the machines of the network and their versions. Because the print spooler is an RPC service, an attacker can check whether it is active with the following rpcdump.py command:
# rpcdump.py 192.168.1.21 | grep MS-RPRN -A6
If the service is active, it appears in the list of RPC services and is matched by grep MS-RPRN -A6.
Disabling the Print Spooler service via the graphical interface
To disable the Print Spooler service via the graphical interface, open the Windows Services Manager. Select the Print Spooler service from the list of services and click on Properties. Stop the service, then disable it from the StartupType drop-down menu.
Disabling the Print Spooler service through a GPO
It is also possible to disable the service on multiple machines in the domain using a Group Policy Object (GPO). To do this, you need to go into the Group Policy Management Console
Disabling the Print Spooler service via PowerShell
To disable the Print Spooler service via PowerShell, we first check the status of the service using the Get-Service command:
Get-Service -DisplayName "Print Spooler"
In this example, the output shows that the Status of the service is Running, which means it is enabled and running. We therefore need to stop it before disabling it. To stop it, we use Get-Service to select the service and Stop-Service to stop it:
Get-Service -DisplayName "Print Spooler" | Stop-Service
You must then disable the service by setting the StartupType to the value disabled, like this:
Get-Service -DisplayName "Print Spooler" | Set-Service -Status stopped -StartupType disabled
We can also check in the service management console that the print spooler is disabled.
In summary
To disable the Windows Print Spooler service, type the following PowerShell commands:
Get-Service -DisplayName "Print Spooler"
Get-Service -DisplayName "Print Spooler" | Stop-Service
Get-Service -DisplayName "Print Spooler" | Set-Service -Status stopped -StartupType disabled
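The three commands above can be wrapped in a single function that first checks whether the machine actually needs the spooler, then reads the result back. This is an added example, not part of the original article. The function name Disable-PrintSpooler and the "shared printers" check are assumptions chosen for illustration; Spooler is the short service name of the Print Spooler.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): stop and disable the
# Print Spooler only if this host shares no printers, then verify the result.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Disable even if this host shares printers (acts as a print server).
        [switch]$Force
    )

    # Fails early if the service does not exist on this machine.
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Shared printers mean other machines depend on this spooler.
    # The query can fail when the spooler is already stopped, hence SilentlyContinue.
    $shared = @(Get-CimInstance -ClassName Win32_Printer -Filter "Shared=TRUE" `
                    -ErrorAction SilentlyContinue)
    if ($shared.Count -gt 0 -and -not $Force) {
        Write-Warning "$($shared.Count) shared printer(s) found; not disabling. Use -Force to override."
        return
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        if ($svc.Status -ne 'Stopped') {
            # -Force also stops services that depend on the spooler.
            Stop-Service -Name Spooler -Force -ErrorAction Stop
        }
        Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
    }

    # Read the state back from WMI rather than trusting the commands above.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        State     = $after.State        # e.g. Running, Stopped
        StartMode = $after.StartMode    # e.g. Auto, Manual, Disabled
        Hardened  = ($after.State -eq 'Stopped' -and $after.StartMode -eq 'Disabled')
    }
}

# Dry run: reports what would be changed without touching the service.
Disable-PrintSpooler -WhatIf
```

Run without -WhatIf to apply the change; the Hardened field is True only when the service is both stopped and disabled.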