18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'

Information

This policy setting manages how queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server.

The recommended state for this setting is: Enabled: Limit Queue-specific files to Color profiles

A Windows Print Spooler Remote Code Execution Vulnerability (

CVE-2021-36958

) exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Limit Queue-specific files to Color profiles :

Computer Configuration\Policies\Administrative Templates\Printers\Manage processing of Queue-specific files

Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).

Impact:

None - this is default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/17603

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: 8cb5a0f30dd3e0e72239a58bacef22b747d437120374a133be1156eaf2e52d72