18.7.9 Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'

Information

This policy setting manages how queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server.

The recommended state for this setting is: Enabled: Limit Queue-specific files to Color profiles

A Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-36958) exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Limit Queue-specific files to Color profiles:

Computer Configuration\Policies\Administrative Templates\Printers\Manage processing of Queue-specific files

Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).

Impact:

None - this is default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16

Plugin: Windows

Control ID: c98d97ac8b484fd5d080d824485f0840db4b45e23ea70efbbd5f51052eab8293