PrintNightmare Discover Print Servers
Find all servers, with printer published to users in AD, by looking for printerqueue objects.
CVE-2021-1675 aka PrintNightmare
Lots of interest in figuring out which servers offer network printing services due to CVE-2021-1675 aka PrintNightmare. Ideally your org has a well managed print service with DNS aliases to your regional print servers. Or maybe a managed print service over internet? If your print servers are less easy to find try hunting in Active Directory.
Defenders - find your print servers
IT opererations teams publish printer records in Active Directory to help users find printers near them. They appear in “add printer - find a printer in the directory” dialog on Windows machines. You can query this information to:
- figure out which servers offer print services
- build a secruity group for an AD Group Policy to enable the spooler service on only these machines
- and disable spooler in your server security baseline group policy. The code below assumes you’re on a machine with ActiveDirectoy PowerShell module from the Microsoft Remote Server Admin Tools (RSAT), which is a useful Windows OS feature to enable.
Also Attackers - find their print servers
IT opererations teams publish printer records in Active Directory to help users find printers near them. They appear in “add printer - find a printer in the directory” dialog on Windows machines. You can query this information to figure out which servers are still running the spooler service, because it’s their role, before trying CVE-2021-1675. Do an ADSI/LDAP query for printerqueue objects.
Note: this PowerShell script only finds printers (and their servers) if they’ve be published in AD. To find all shared printers (where you have to know print server name/alias) you’d have to query every Windows Server. get-printer -computername
fun fact: Spooler actually has a purpose on Domain controllers. “responsible for performing print pruning – removing the stale print queue objects from the Active Directory. " Microsoft guidelines for disabling system services in windows server