October 18, 2023
News

CVE-2021-1675: Active Directory Hardening

Defense First Mindset

Active Directory (AD) hardening is of utmost importance in the ever-changing digital landscape, as companies expand and build new infrastructure. Our commitment to your organization's security goes beyond mere information dissemination; it is about empowering you with the latest knowledge and strategies needed to defend against the relentless adversaries lurking in the digital shadows. This article presents best practices for keeping your organization safe and the most common attacks that threat actors are still actively seeking out in the wild.

About CVE-2021-1675 (PrintNightmare)

CVE-2021-1675, also known as PrintNightmare, came to light on June 30, 2021. To understand this vulnerability, we must first be familiar with the Windows Print Spooler, a background service responsible for managing print jobs: it queues print jobs and communicates with printers.

The vulnerability lies in this service: it lets threat actors execute arbitrary code with SYSTEM-level privileges on an unpatched Windows system. In simpler terms, it grants an attacker full control over the compromised system, a nightmare scenario for security professionals. Once the flaw is exploited, an attacker can install malicious software, steal data, modify configurations, or take other malicious actions with the highest privileges; essentially, they can do almost anything they want on the compromised system. The vulnerability is rated high severity because of its potential for widespread damage and the ease with which it can be exploited. It is a serious concern for organizations and requires immediate action to mitigate the risk.

What Versions of Windows are Vulnerable?

Any version of Windows that has not been patched as of July 6, 2021, is vulnerable.

Many may still wonder if this is a relevant vulnerability. Our Threat Intelligence research shows this is still actively being exploited. Despite the urgency and severity of the threat, some organizations have yet to apply these critical security updates, whether because of resource constraints, lack of awareness, or the mistaken belief that they're immune to attack.

Mitigating Threat Actors' Attempts to Exploit This Vulnerability

On July 6, 2021, Microsoft responded by releasing emergency patches to thwart attackers' attempts at exploiting this vulnerability.

Mitigation steps are as follows:

  • Install the July 2021 out-of-band updates, or any later updates that supersede them.

Verify whether both of the following conditions hold:

  1. Registry settings: under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint,
     • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
     • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
  2. Group Policy: you have not configured the Point and Print Restrictions Group Policy.

If both conditions are true, you're not vulnerable to CVE-2021-34527, and no further action is needed. If either condition is not true, you are vulnerable. Follow the steps below to change the Point and Print Restrictions Group Policy to a secure configuration.
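As an added example (not code from the original post), the PowerShell audit below performs both checks on the local machine and also reports the Print Spooler state. It assumes, since the post does not say, that an enabled Point and Print Restrictions policy writes a DWORD named Restricted under the same key and that an absent key means the policy is not configured.

```powershell
# Added audit example (not from the ThreatLocker post). Reports the two conditions
# listed above for the local machine, plus the Print Spooler service state.
# Assumption: an enabled Point and Print Restrictions policy writes a DWORD
# named "Restricted" under the same key, and an absent key means "not configured".

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when either the key or the value is absent (the default state).
    $item = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-PointAndPrintHardening {
    $noWarn     = Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall'
    $updPrompt  = Get-PointAndPrintValue -Name 'UpdatePromptSettings'
    $restricted = Get-PointAndPrintValue -Name 'Restricted'   # assumed policy marker

    # Condition 1: both values are 0 or undefined. A value of 1 suppresses the
    # elevation prompt that keeps non-admins from installing printer drivers.
    $registrySecure = (($null -eq $noWarn) -or ($noWarn -eq 0)) -and
                      (($null -eq $updPrompt) -or ($updPrompt -eq 0))

    # Condition 2: the Point and Print Restrictions policy is not configured.
    # Once the policy is applied with "warning and elevation prompt" (the Group
    # Policy steps in this article), this is $true but both values are 0, so the
    # registry check is what decides exposure.
    $policyConfigured = ($null -ne $restricted)

    # The Spooler state matters because disabling the service is the other mitigation.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerStatus = 'NotInstalled'
    if ($null -ne $spooler) { $spoolerStatus = [string]$spooler.Status }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        NoWarningNoElevationOnInstall = $noWarn
        UpdatePromptSettings          = $updPrompt
        PointAndPrintPolicyConfigured = $policyConfigured
        SpoolerStatus                 = $spoolerStatus
        RegistryValuesSecure          = $registrySecure
        Vulnerable                    = -not $registrySecure
    }
}

Test-PointAndPrintHardening | Format-List
```

Run it on a sample of domain members before and after the Group Policy change; a Vulnerable value of True means one of the two values has been set to 1 and the elevation prompt is bypassed.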

  1. Launch the Group Policy editor utility and navigate to Computer Configuration > Administrative Templates > Printers.
  2. Configure the Point and Print Restrictions Group Policy setting as follows:
     • Enable the Group Policy for Point and Print Restrictions.
     • "When setting up drivers for a fresh connection": "Display alert and elevation prompt".
     • "When updating drivers for an existing connection": "Show warning and elevation prompt".

How Can ThreatLocker Mitigate CVE-2021-1675?

Our Team at ThreatLocker has automated the mitigation of CVE-2021-1675 through Configuration Manager. We have created a Configuration Manager policy titled “Disable Print Spool Service (Print Nightmare)”. If you wish to apply it to your environment, follow these steps:

  1. Select Modules
  2. Select Config Manager
  3. Select New Policy
  4. Set the Policy Level for your organization
  5. Select the dropdown for configuration
  6. Under AD Hardening Policies, Select “Disable Print Spool Service (PrintNightmare)”
  7. Select Create Policy