Print Servers and CVE-2021-34481

Created by Andrew Schott, Modified on Wed, Sep 1, 2021 at 5:06 PM by Andrew Schott

CVE-2021-34481 enables local privilege escalation to the SYSTEM level. To compromise a system, a threat actor would need physical access, or the system would need to be already compromised. To mitigate this, Microsoft decided to completely kill the ability for non-admin users to install print drivers hosted by a print server. The following GPO settings disable that new behavior, lock down the Point and Print settings so that connections are allowed only to a trusted server, and then silence the admin prompts as usual.


Computer Configuration (Enabled)

Policies

 - Windows Settings

 -- Security Settings

 --- Local Policies/Security Options

 ---- Devices

 ---- Policy Setting 

 ---- Devices: Prevent users from installing printer drivers Disabled 


 - Administrative Templates

 - Policy definitions (ADMX files) retrieved from the central store.

 -- Printers

 --- Package Point and print - Approved servers Enabled  

 ---- Enter fully qualified server names 

 ---- print.domain.local 

  

 --- Point and Print Restrictions Enabled  

 ---- Users can only point and print to these servers: Enabled 

 ----- Enter fully qualified server names separated by semicolons print.domain.local 

 ---- Users can only point and print to machines in their forest Disabled 

 ---- Security Prompts: 

 ----- When installing drivers for a new connection: Do not show warning or elevation prompt 

 ----- When updating drivers for an existing connection: Do not show warning or elevation prompt


 -- System/Driver Installation

 ---  Allow non-administrators to install drivers for these device setup classes Enabled  

 ----  Allow Users to install device drivers for these classes: 

 ----- {4658ee7e-f050-11d1-b6bd-00c04fa372a7} (Printer)

 ----- {4d36e979-e325-11ce-bfc1-08002be10318} (PNPPrinter)


Preferences

 - Windows Settings

 -- Registry

 --- RestrictDriverInstallationToAdministrators (Order: 1)

 ---- General

 ----- Action: Update

 ---- Properties

 ----- Hive: HKEY_LOCAL_MACHINE

 ----- Key path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

 ----- Value name: RestrictDriverInstallationToAdministrators

 ----- Value type: REG_DWORD

 ----- Value data: 0x0 (0)



User Configuration (Enabled)

 - Policies

 -- Administrative Templates

 -- Policy definitions (ADMX files) retrieved from the central store.

 --- Control Panel/Printers

 ---- Package Point and print - Approved servers Enabled

 ----- Enter fully qualified server names 

 ----- print.domain.local


 ---- Point and Print Restrictions Disabled
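
To confirm on a client that the Computer Configuration settings above have applied, the following read-only PowerShell check (an added example, not part of the original article) reads the PointAndPrint policy key. The value names other than RestrictDriverInstallationToAdministrators are the ones the Point and Print Restrictions template (printing.admx) writes; print.domain.local is the article's placeholder server name.

```powershell
# Added example: audit the Point and Print policy values on a client (read-only).
$key            = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$expectedServer = 'print.domain.local'   # the article's placeholder; use your print server FQDN

# Expected values for the Computer Configuration settings listed above.
$expected = [ordered]@{
    RestrictDriverInstallationToAdministrators = 0  # registry preference item
    Restricted                                 = 1  # Point and Print Restrictions: Enabled
    TrustedServers                             = 1  # "Users can only point and print to these servers"
    InForest                                   = 0  # "...machines in their forest": Disabled
    NoWarningNoElevationOnInstall              = 1  # new connection: no warning or elevation prompt
    UpdatePromptSettings                       = 2  # existing connection: no warning or elevation prompt
}

# $actual is $null when the policy key does not exist (GPO not applied).
$actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$findings = foreach ($name in $expected.Keys) {
    $value = if ($actual) { $actual.$name } else { $null }
    [pscustomobject]@{
        Value    = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $value) { '<not set>' } else { $value }
        Match    = ($null -ne $value -and $value -eq $expected[$name])
    }
}

# ServerList is a single semicolon-separated string of trusted print servers.
$servers = @()
if ($actual -and $actual.ServerList) {
    $servers = @($actual.ServerList -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$findings | Format-Table -AutoSize
"ServerList: " + ($servers -join ', ')

# Relaxing the driver-install restriction is only acceptable while the
# trusted-server lock is in place, so flag the combination that lacks it.
$relaxed = $actual -and $actual.RestrictDriverInstallationToAdministrators -eq 0
$locked  = $actual -and $actual.Restricted -eq 1 -and $actual.TrustedServers -eq 1 -and
           $servers -contains $expectedServer
if ($relaxed -and -not $locked) {
    Write-Warning "Non-admin driver installs are allowed but Point and Print is not restricted to $expectedServer."
}
```

Run it after `gpupdate /force` on a test client; any row with Match = False, or the warning, means the GPO has not applied as listed.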
