3.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'

Information

This policy setting controls whether the Print Spooler service will accept client connections.

The recommended state for this setting is: Disabled

Note: The Print Spooler service must be restarted for changes to this policy to take effect.

Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (

CVE-2021-34527

) and other remote Print Spooler attacks. However, this recommendation

does not

mitigate against local attacks on the Print Spooler service.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Disabled

Administrative Templates\Printers\Allow Print Spooler to accept client connections

Impact:

Provided that the Print Spooler service is not disabled, users will continue to be able to print

from their workstation

. However, the workstation's Print Spooler service will not accept client connections or allow users to share printers. Note that all printers that were already shared will continue to be shared.

See Also

https://workbench.cisecurity.org/benchmarks/16852

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10

Plugin: Windows

Control ID: 20b75ffdadf62e6642e8c9a8936d8b48c254fad3b62b0f73448ceb3636e91cb6