Windows Hardening - Disabling the Print Spooler

Aug 06, 2022   
active-directory windows 


Introduction

The Print Spooler is the Microsoft Windows service that manages print jobs. Its executable is spoolsv.exe, and the service is enabled by default on most Microsoft Windows systems.

It has been affected by a large number of vulnerabilities over the years, and was used as a propagation vector by the Stuxnet virus.

Recently, two new critical vulnerabilities were published: CVE-2021-1675 (also called PrintNightmare) and CVE-2021-34527.

To protect against these vulnerabilities, it is generally recommended to disable the Print Spooler service on Windows servers that do not require it. The following sections present 3 methods to disable this service.

Detection of print spooler by attackers

During the reconnaissance phase of a pentest, or simply when attacking a company's internal network, attackers scan the machines. These scans detect the services running on the machines of the network and their versions. Because the Print Spooler is an RPC service, an attacker can check whether it is active with the following rpcdump.py command:

# rpcdump.py 192.168.1.21 | grep MS-RPRN -A6

If the service is active, it appears in the list of RPC services and is matched by grep MS-RPRN -A6.

Disabling the Print Spooler service via the graphical interface

To disable the Print Spooler service via the graphical interface, open the Windows Services Manager. Select the Print Spooler service in the list of services and click Properties. Stop the service, then disable it from the Startup type drop-down menu.

Disabling the Print Spooler service through a GPO

It is also possible to disable the service on multiple machines in the domain using a Group Policy Object (GPO). To do this, you need to go into the Group Policy Management Console

Disabling the Print Spooler service via PowerShell

To disable the Print Spooler service via PowerShell, we first check the status of the service with the Get-Service command:

Get-Service -DisplayName "Print Spooler"

If the Status of the service is Running, the service is enabled and running, so it must be stopped before it is disabled. To stop it, we use Get-Service to select the service and Stop-Service to stop it:

Get-Service -DisplayName "Print Spooler" | Stop-Service

You must then disable the service by setting the StartupType to the value disabled, like this:

Get-Service -DisplayName "Print Spooler" | Set-Service -Status stopped -StartupType disabled

We can also check in the service management console that the Print Spooler is disabled.

In summary

To disable the Windows Print Spooler service, type the following PowerShell commands:

Get-Service -DisplayName "Print Spooler"
Get-Service -DisplayName "Print Spooler" | Stop-Service
Get-Service -DisplayName "Print Spooler" | Set-Service -Status stopped -StartupType disabled
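
The same three steps as a function that can be run repeatedly, supports a dry run, and re-reads the service state to confirm the result. This is an added example, not code from the original post; the function name Disable-PrintSpooler and the names of its output properties are hypothetical. It assumes an elevated PowerShell session.

```powershell
# Added example: audit and disable the Print Spooler, then verify the result.
# Disable-PrintSpooler and its output properties are hypothetical names.
function Disable-PrintSpooler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # "Spooler" is the service name behind the "Print Spooler" display name.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Nothing to disable on this host: report it as compliant.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Present = $false; Before = $null
            StatusAfter = $null; StartModeAfter = $null; Compliant = $true
        }
    }

    # Win32_Service reports both the running state and the start mode.
    $before = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        if ($svc.Status -ne 'Stopped') {
            # -Force also stops services that depend on the spooler.
            Stop-Service -InputObject $svc -Force -ErrorAction Stop
        }
        # Disabled prevents the service from being started again.
        Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
    }

    # Re-read the state instead of trusting that the commands succeeded.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Present        = $true
        Before         = "$($before.State)/$($before.StartMode)"
        StatusAfter    = $after.State
        StartModeAfter = $after.StartMode
        Compliant      = ($after.State -eq 'Stopped' -and $after.StartMode -eq 'Disabled')
    }
}

# Dry run first (reports the current state without changing it), then apply.
Disable-PrintSpooler -WhatIf
Disable-PrintSpooler
```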

References