Zero Day Vulnerability Mitigation

ITS is making an emergency change on July 1, 2021 at 5:00 pm on Windows workstations and servers in the UConn Active Directory.

This change is in response to the security threat, PrintNightmare, which allows an attacker to exploit a vulnerability in the Windows Print Spooler service and potentially compromise Windows workstations and servers. Because of the potential for widespread institutional impact, we are doing the following:

  • We are implementing a group policy change for the Windows workstations that will disallow client connections for the print spooler. This change will effectively limit access to the local machine, preventing the remote exploitation of the vulnerability. A repercussion of this change is that customers will no longer be able to access printers shared from a workstation. Please assist customers with printers that need to be accessed from multiple computers. They should be configured via a print server and not from a workstation.
  • Windows servers will have the print spooler service disabled by a new group policy. However, the ITS print servers will be excluded from this policy and will instead be mitigated by modifying the ACLs to deny SYSTEM access to “C:\Windows\System32\spool\drivers” on our print servers.

If you have a print server in the UConn domain, please contact us to have it added to the exclusion group. You should also modify the ACLs to deny SYSTEM access to “C:\Windows\System32\spool\drivers” on your print server(s).
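One way to apply, verify and later roll back the ACL change described above on a print server. This is an added example, not a script from ITS. It assumes Windows PowerShell 5.1 in an elevated session and assumes that denying the Modify right is sufficient (the notice does not say which rights to deny); the function names are hypothetical.

```powershell
# Added example (not ITS's script). Run elevated in Windows PowerShell 5.1.
$Path      = 'C:\Windows\System32\spool\drivers'   # path given in the notice
$SystemSid = 'S-1-5-18'                            # well-known SID of NT AUTHORITY\SYSTEM
$Modify    = [System.Security.AccessControl.FileSystemRights]::Modify

function New-SpoolDenyRule {
    # Assumption: deny Modify, inherited by subfolders and files.
    $id = New-Object System.Security.Principal.SecurityIdentifier($SystemSid)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $Modify, 'ContainerInherit, ObjectInherit', 'None', 'Deny')
}

function Test-SpoolDenyRule {
    # True when an explicit (non-inherited) deny entry for SYSTEM is present.
    $acl   = (Get-Item $Path).GetAccessControl('Access')
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $SystemSid -and
        $_.FileSystemRights.HasFlag($Modify)
    })
}

function Add-SpoolDenyRule {
    if (Test-SpoolDenyRule) { return }             # already mitigated, nothing to do
    # Read only the access section so Set-Acl does not try to rewrite the owner.
    $acl = (Get-Item $Path).GetAccessControl('Access')
    $acl.AddAccessRule((New-SpoolDenyRule))
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-SpoolDenyRule {
    # Rollback, for use when the deny entry is no longer wanted.
    $acl = (Get-Item $Path).GetAccessControl('Access')
    [void]$acl.RemoveAccessRule((New-SpoolDenyRule))
    Set-Acl -Path $Path -AclObject $acl
}

Add-SpoolDenyRule
[pscustomobject]@{
    Server         = $env:COMPUTERNAME
    DenyRuleActive = Test-SpoolDenyRule
    SpoolerStatus  = (Get-Service -Name Spooler).Status
}
```

While the deny entry is in place the spooler cannot add or update printer drivers on that server, so plan driver changes around it and call Remove-SpoolDenyRule before making them.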

Resource Links:

Change request: https://jira.uconn.edu/browse/CHANGEMGMT-1526

Vulnerability Explanation: https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/

How to mitigate a print server: https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/