18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'

Information

This policy setting manages how queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client that connects to the print server.

The recommended state for this setting is: Enabled: Limit Queue-specific files to Color profiles

A Windows Print Spooler Remote Code Execution Vulnerability (

CVE-2021-36958

) exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Limit Queue-specific files to Color profiles :

Computer Configuration\Policies\Administrative Templates\Printers\Manage processing of Queue-specific files

Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).

Impact:

None - this is default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/17689

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16

Plugin: Windows

Control ID: c2daedf0d421ba1d28680f8b6a12c07fd9759bd809f08fa223583e73a265eeb2