Printer Point and Print restriction GPO not working

As a fix for the Print Nightmare, I've disabled the need for administrator privileges to install print drivers (this is working). This is effectively the same as exposing oneself to the Print Nightmare exploit, which is why I want to "whitelist" certain print servers, in order to partly mitigate the exploit.

To do this, I have tried enabling the GPO:
"Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions".

This GPO is configured as such:

  • Users can only point and print to these servers: Enabled

  • Enter fully qualified server names separated by semicolons: test.[DOMAIN].int

  • Users can only point and print to machines in their forest: Disabled

  • Security Prompts:

    • When installing drivers for a new connection: Do not show warning or elevation prompt
    • When updating drivers for an existing connection: Do not show warning or elevation prompt

But the problem is that my clients are still able to print to our print server, although it does not have the FQDN test.[DOMAIN].int. So I'm not convinced that the way I've set up the test-GPO is actually whitelisting anything, thereby leaving us exposed to the Print Nightmare exploit.

I also tried enabling the GPO "Package Point and Print - Approved server" with test.[DOMAIN].int, to no avail.

I need help with understanding what I need to do differently in order to get whitelisting to work. I've been following this MS article on the subject: KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)
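A first thing to verify on an affected client is whether the policy values actually landed in the registry and whether the server list contains the server being tested. The following PowerShell is an added example (not from the question or from Microsoft's article); it reads the values that the Point and Print Restrictions policy writes under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint` and reports how a given print server FQDN is treated. It only checks that the policy is present and configured as intended; it does not exercise the spooler itself.

```powershell
# Added example: inspect the Point and Print Restrictions policy on a client and check
# whether a given print server FQDN appears in the "Users can only point and print to
# these servers" list. Run after 'gpupdate /force' on the client being tested.
function Test-PointAndPrintPolicy {
    param(
        [Parameter(Mandatory)] [string] $PrintServerFqdn
    )

    # Key written by the "Point and Print Restrictions" policy (Computer Configuration).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    if (-not $p) {
        # No key at all: the GPO has not applied to this machine (wrong OU, filtering, replication).
        return [pscustomobject]@{ PolicyPresent = $false; PrintServer = $PrintServerFqdn }
    }

    # ServerList is a single semicolon-separated REG_SZ; compare names case-insensitively.
    $allowed = @()
    if ($p.ServerList) {
        $allowed = @($p.ServerList -split ';' |
                     ForEach-Object { $_.Trim().ToLowerInvariant() } |
                     Where-Object { $_ })
    }

    [pscustomobject]@{
        PolicyPresent           = $true
        PrintServer             = $PrintServerFqdn
        # Restricted = 1 means the policy is Enabled; TrustedServers = 1 means the
        # "only these servers" checkbox is ticked. Both are needed for the list to matter.
        Restricted              = ($p.Restricted -eq 1)
        TrustedServersOnly      = ($p.TrustedServers -eq 1)
        AllowedServers          = $allowed
        ServerOnList            = ($allowed -contains $PrintServerFqdn.ToLowerInvariant())
        InForestOnly            = ($p.InForest -eq 1)
        # 1 = "Do not show warning or elevation prompt" for new connections.
        InstallPromptDisabled   = ($p.NoWarningNoElevationOnInstall -eq 1)
        UpdatePromptSetting     = $p.UpdatePromptSettings
        # Value added by KB5005652; absent means the post-update default (admins only).
        AdminRequiredForDrivers = ($p.RestrictDriverInstallationToAdministrators -ne 0)
    }
}

# Usage (the FQDN below is a placeholder for the real print server):
Test-PointAndPrintPolicy -PrintServerFqdn 'printserver.[DOMAIN].int' | Format-List
```

If `PolicyPresent` is `$false` or `TrustedServersOnly` is `$false` the restriction is not in effect on that client regardless of what the GPO editor shows, so that is where to look first; if `ServerOnList` is `$true` for a server that should be blocked, the list contents are the problem.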