18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'

Information

This policy setting manages how queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server.

The recommended state for this setting is: Enabled: Limit Queue-specific files to Color profiles

A Windows Print Spooler Remote Code Execution Vulnerability (

CVE-2021-36958

) exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Limit Queue-specific files to Color profiles :

Computer Configuration\Policies\Administrative Templates\Printers\Manage processing of Queue-specific files

Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).

Impact:

None - this is default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/17096

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16

Plugin: Windows

Control ID: 32a818d4b54b7d360e042cd1ea52b86ade3c7f44797bbfbf947d516b8164af1e