PrintNightmare Playbook

Patches alone are not enough: additional configuration changes (to block the trivial UNC-path bypass of the fix) are required to mitigate this RCE. Fun.

  1. Identify the list of vulnerable systems. You’ll need to provide a domain user (not administrator) account username and password; an ordinary authenticated domain user is all an attacker needs, so that is the account to test with.
    (grab code from https://github.com/byt3bl33d3r/ItWasAllADream, build the image, then scan the subnet)
    docker run -it itwasalladream -u user -p password -d domain 192.168.5.0/24
    

    You’ll get output like the following. A host is reported when it tries to fetch a driver DLL from the share the scanner supplies, which is exactly the behaviour the exploit relies on; a host listed under either MS-PAR or MS-RPRN counts as vulnerable:

    [itwasalladream] INFO - 192.168.5.7 is vulnerable over MS-PAR. Reason: Host attempted to grab DLL from supplied share
    [itwasalladream] INFO - 192.168.5.7 is vulnerable over MS-RPRN. Reason: Host attempted to grab DLL from supplied share
    
  2. Apply all patches on all systems. Reboot.
    1. If the patches cause machines to misbehave, do not roll them back: panic, then apply the mitigations below anyway.
  3. Push Group Policy to restrict Point and Print (an empty allow-list means no server is trusted, and the prompts stop a non-admin user from silently installing a driver):
    1. In the Group Policy Management Editor window, click Computer Configuration, click Policies, click Administrative Templates, and then click Printers.
    2. Right-click Point and Print Restrictions, and then click Edit.
    3. In the Point and Print Restrictions dialog box, click Enabled.
    4. (enabled) Users can only point and print to these servers: (blank)
    5. Security Prompts: “Show warning and elevation prompt” for both the “When installing drivers for a new connection” and the “When updating drivers for an existing connection” settings.
  4. On standalone servers/workstations (not domain-joined, so the GPO above never reaches them), set the same policy key directly. Microsoft documents this value as only being honored once the July 2021 updates are installed, so step 2 has to come first:
    (from elevated command prompt)
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
    
  5. Verify the list of vulnerable computers is empty by re-running the same scan. Any host still reported either missed the patch, has not picked up the policy yet (reboot or gpupdate), or was never in the GPO scope in the first place.
    docker run -it itwasalladream -u user -p password -d domain 192.168.5.0/24
    
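The scanner in steps 1 and 5 tells you whether a host is still exploitable, but it does not tell you why. The script below, added here as an example and not part of the original playbook or of ItWasAllADream, audits a single host for the three Point and Print values that steps 3 and 4 are meant to produce and, with the script's own -Enforce switch, sets them to the hardened values. The registry key and value names are the ones Microsoft documents under the PointAndPrint policy key; the expected values (1, 0, 0) correspond to "administrators only" plus "show warning and elevation prompt" for both install and update. It assumes an elevated PowerShell session on Windows.

```powershell
# Added example (not from the original playbook): audit, and optionally enforce,
# the Point and Print hardening values on one host. Run from an elevated prompt.
# The -Enforce switch is this script's own; the key and value names are Microsoft's.
param([switch]$Enforce)

$key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Hardened state this playbook aims for:
#   RestrictDriverInstallationToAdministrators = 1  -> only admins may install print drivers
#   NoWarningNoElevationOnInstall              = 0  -> warning + elevation prompt on new connection
#   UpdatePromptSettings                       = 0  -> warning + elevation prompt on driver update
$expected = @{
    RestrictDriverInstallationToAdministrators = 1
    NoWarningNoElevationOnInstall              = 0
    UpdatePromptSettings                       = 0
}

if (-not (Test-Path $key)) {
    if ($Enforce) {
        New-Item -Path $key -Force | Out-Null
    } else {
        Write-Warning "$key does not exist: no Point and Print policy has been applied to this host"
    }
}

$compliant = $true
foreach ($name in $expected.Keys) {
    # A missing value reads back as $null, which is reported as a mismatch below.
    $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -eq $expected[$name]) {
        Write-Host ("OK       {0} = {1}" -f $name, $actual)
        continue
    }
    $compliant = $false
    $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
    Write-Host ("MISMATCH {0} = {1} (expected {2})" -f $name, $shown, $expected[$name])
    if ($Enforce) {
        # Same effect as: reg add "<key>" /v <name> /t REG_DWORD /d <value> /f
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $expected[$name] -Force | Out-Null
        Write-Host ("FIXED    {0} = {1}" -f $name, $expected[$name])
    }
}

# The Spooler service is what performs the driver install; show its state so a host
# where the service has simply been disabled is distinguishable from a hardened one.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    Write-Host ("Spooler service: {0} (StartType {1})" -f $spooler.Status, $spooler.StartType)
}

if ($compliant) { 'Point and Print hardening: compliant' } else { 'Point and Print hardening: NOT compliant' }
```

Run it without arguments on a domain-joined machine after a gpupdate to confirm the GPO from step 3 actually landed, and with -Enforce on standalone machines as the scripted form of step 4. A host that reads compliant here but is still reported by the scanner in step 5 is one that is missing the patch itself, since the registry values only take effect on an updated system.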

See also: