Information
This policy setting controls whether the Print Spooler service will accept client connections.
The recommended state for this setting is: Disabled.
Note: The Print Spooler service must be restarted for changes to this policy to take effect.
Warning: An exception to this recommendation must be made for print servers in order for them to function properly. Users will not be able to print to the server when client connections are disabled.
Rationale:
Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. However, this recommendation does not mitigate against local attacks on the Print Spooler service.
Impact:
Provided that the Print Spooler service is not disabled, applications on and users logged in to servers will continue to be able to print from the server. However, the Print Spooler service will not accept client connections or allow users to share printers. Note that all printers that were already shared will continue to be shared.
Warning: An exception to this recommendation must be made for print servers in order for them to function properly. Users will not be able to print to the server when client connections are disabled.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Printers:Allow Print Spooler to accept client connections
Note: This Group Policy path is provided by the Group Policy template Printing2.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Default Value:
Enabled. (The Print Spooler will always accept client connections.)