Microsoft To Require Admin Rights Before Using Windows Point and Print Feature

Microsoft has released today a security update that will change the default behavior of the "Point and Print" feature to mitigate a severe security issue disclosed last month. From a report: First added in Windows 2000, the Point and Print feature works by connecting to a print server to download and install necessary print drivers every time a user creates a connection to a remote printer without providing installation media. Earlier this year, Jacob Baines, a reverse engineer for Dark Wolf Solutions, found that threat actors inside a company's network could abuse the Point and Print feature to run a malicious print server and force Windows systems to download and install malicious drivers.

Since Point and Print ran with SYSTEM privileges, the feature effectively provided threat actors with an easy way to gain admin rights inside any large corporate or government network. Microsoft initially tried to patch the issue -- tracked as CVE-2021-34481 -- last month, but the patches were deemed incomplete. Today, the company took another approach. Since the vulnerability is exploiting a design flaw, Microsoft chose today to change the default behavior of the Point and Print feature.

only admin users will be able to add a printer

[Vomitgod]

as per the article - "only admin users will be able to add or update a printer with drivers from a remote print server"

what's the problem?

certainly better then what was in place.

Re:

[oldgraybeard]

And the end users will always use the admin account for everything because it just works. Anyone that uses Microsoft products are just chum in the shark infested waters of the internet.

Re:

[thegarbz]

This is a threat to corporate networks from inside the network. If your users have admin privileges then you should fire your IT admins, they clearly aren't needed.

Re:

[GoTeam]

Very true. If you feel everyone needs admin access, find a different job. If the company you are working for says everyone should (or at least they ask for a lot of people to) have admin access, find a different job.

Re:

[raymorris]

That's what I keep saying over and over in my company.

In fact, I'm pushing to eliminate the concept of "admin" wherever possible. A user might need permission to write to a certain file. Maybe somebody needs to update a certain database column or table. That's fine.

Every time I get a ticket asking me to approve "admin access", I send it back basically saying:

Fill in the blanks
They need access to __ _ (read/write/execute) the specific file or data located at ___ __ .

Also, hello North Texas neighbor.

Why a kernal mode printer driver in the fist place

[aberglas]

That, surely is the design flaw. That a computer would need to download and install any code just to print to a new type of printer.

These should be standard, and printers should print something like PDF directly.

Re:

[raymorris]

> These should be standard, and printers should print something like PDF directly.

As you may know, PDF was created by starting with Postscript (the printer language), removing some things, and zipping the file. So printers DID "print something like PDF directly". That "something like pdf" was Postscript. It's not only "like pdf", it was a superset of pdf.

Let us consider the general case of what the kernel is for, what the kernel *does". Suppose a program could directly write to disk block #93629. We don

Re:

[Bert64]

Postscript is extremely flexible and extensible, i doubt there would be many features that would be useful and either aren't supported already or couldn't be supported by a future revision of the postscript spec.

Postscript already has the concept of printer definitions (PPDs) which describe the capabilities and limitations a printer has - eg does it have a duplex unit, what paper sizes and margins can it support etc. These are simple descriptions, not executable code, so it's safe to install them.

Postscript

Re:

[aberglas]

Indeed. And it is not just about security. I do not want to destabilize my computer just because some random printer driver has a bug.

The reason this is not done is because long, long ago printers were driven off a parallel port. There was no (expensive) CPU on the printer, the computer drove the dot matrix pins directly. So you needed a per printer driver. Dumb reason today though.

Re:

[Bert64]

Well even then, Epson were quite big in dot matrix printers so a lot of other printers were epson-compatible.

Re:

[Ol Olsoc]

That, surely is the design flaw. That a computer would need to download and install any code just to print to a new type of printer.

These should be standard, and printers should print something like PDF directly.

I know it won't be popular here, but perhaps Microsoft could follow Apple and write their own printer drivers?

Re:

[benjymouse]

That, surely is the design flaw. That a computer would need to download and install any code just to print to a new type of printer.

These should be standard, and printers should print something like PDF directly.

Yeah. I am so happy that they extended PDF so that my browser can discover collation capabilities, grayscale conversions, ink/toner levels, number of trays and paper sizes in them.

Re:

[CaptQuark]

If that happened, every printer would just be a clone of every other printer. What about the special features that differentiate one enterprise-level printer from another?

What if the printer has additional features like the ability to pull paper from multiple drawers - 24lb cover and back pagers, first page letterhead pages, automatic collation output, multiple copy caching, special eco-mode printing, page scaling, two-pages per side printing, multiple-color inkjet printing (4-, 8-, 12-color), photo-realis

Re:

[GoTeam]

And hello to you too fellow metroplexian!

Re:

[flink]

How do you run a development shop where your devs don't have local admin? They tried that twice in my career. The first time they rolled it back within weeks because it was a productivity killing nightmare. The second time I quit because it was a productivity killing nightmare.

Re:

[quonset]

How do you run a development shop where your devs don't have local admin?

There is a clear and distinct difference between developers needing admin rights to install/upgrade their tools, and Bob the pencil pusher who thinks they need admin rights just because.

As I mentioned above, we only give admin rights in extremely limited cases. Developers are one of two such cases.

Re:

[PPH]

developers needing admin rights to install/upgrade their tools

What kind of shit show development shop do you work in where you don't have a standard suite of tools?

Re:

[Trenjeska]

Attaching a debugger still seems to require admin privileges last I checked.
Something to do with cross process interaction into code segments not being allowed as a simple user.

Re:

[PPH]

I wouldn't know about that on Windows. On Linux, no. I can debug across multiple processes by starting each one I need to inspect in my user space under its own debugger. Inspecting the kernel side of system calls? Not really needed in Linux unless I'm developing a device driver (and then there's some user space driver tricks one can use). But the OS is stable enough that I don't need to chase down bugs on that side of the fence.

I've developed a lot of client-server stuff where even the server end doesn't

Re:

[bernywork]

Selective escalation via white listing.

Re:

[flink]

Selective escalation via white listing.

What if the thing I need whitelisted is a debugger to attach to arbitrary processes? You've just effectively given me root with extra steps.

What if I'm building a tool that needs to perform a privileged action and I need to test it locally? (e.g. a new USB driver). Am I going to have to call you to whitelist every new build every 5 minutes so you can whitelist the new exe hash? Or are you going to whitelist by exe name? If the latter, then I can just rename whatever I want to the whitelisted name and ag

Re:

[bernywork]

In windows land, sign the binary and whitelist the signer, or the CA if you have multiple signers.

CI/CD pipelines can be setup to automatically sign binaries if coming out of the right build process.

I appreciate, yes, I've given you root with extra steps, and that's fine if that's your use case. You can continue to do your job while I've now stopped admin / root access on the rest of the machines. My risk now for the entire environment is down to what it needs to be and not giving out admin access to everyo

Re:

[Ol Olsoc]

How do you run a development shop where your devs don't have local admin? They tried that twice in my career. The first time they rolled it back within weeks because it was a productivity killing nightmare. The second time I quit because it was a productivity killing nightmare.

Yup, I wasn't an IT guy, but I ended up doing a lot of computer support for the suits (mainly because I was in the meetings, and also because the IT people tended to piss themselves around the suits.

A fight occurred because the IT folks tried to deny me admin rights. It was almost impossible to work with basic user privileges. But I was told absolutely not - you will never get admin privileges.

So the director called down every time there was an issue, and told the IT people that an admin was needed imm

Re:

[thegarbz]

How do you run a development shop where your devs don't have local admin?

Implying that developers just as dumb at this computer stuff as the receptionist or Karen from accounting?

Re:

[scdeimos]

Unless you're a software developer, of course. For example, Microsoft's Visual Studio complains every time you run it without Administrator-level privileges because it needs those for software debugging.

Re:

[thegarbz]

Yeah. I'm sure software developers don't know how to use computers like everyone else in the corporate world.

Hint: ${edgecase} does in no way disqualify ${preceding_statement} Some users have legitimate reasons to be admins on their machines, and IT has as their job requirement to manage those users and part of that management is judging whether they are an internal threat to your network.

Re:

[iggymanz]

except now everyone who wants to print something on a different printer than normal will need admin privileges or need to bother an admin. What a dumpster fire. Microsoft can't architect anything.

Re:

[thegarbz]

Only if your IT group is useless enough not to have a method to roll out drivers for company used equipment in advance.

Seriously your "problems" are IT admin 101 kind of stuff. I expect better from a Slashdot veteran.

Re:

[iggymanz]

right, because people never buy new printers, or need to print somewhere not inside the corporation.

you're a theory boy with no real world experience.

Re:

[thegarbz]

If people buy a new printer they can install the drivers themselves. This change installing network printers doesn't affect them. Seriously do you spend all day posting about things you know nothing about?

That was rhetorical. We've all seen your post history.

If this changes anything for a company then the company IT people need to be fired. And you sound like one of those people.

Re:

[ghoul]

Thats like saying you should fire your drivers because you can drive. Duh. I can but I have more important things to do and can afford to pay someone to do it for me. IT needs to get their head out of their asses. Most users nowadays are just as coputer savvy. Admins have a job for the same reason Uber drivers have a job.

Re:

[thegarbz]

It's a great example when you apply it in the context of a corporation. I once worked for a company that did not allow employees to drive to site due to the state of the roads. They deemed it too risky. They paid for drivers to collect us from the city and drive us to plant. The drivers slept during the day, we worked, they drove us back to the city in the evening.

The government built a phenomenal highway out to the plant as they wanted to turn the surrounding area into a full on industrial park, and the co

Re:

[quonset]

And the end users will always use the admin account for everything because it just works. Anyone that uses Microsoft products are just chum in the shark infested waters of the internet.

What admin account? No responsible IT person would ever given out admin account information to end users unless it was a one-time use.

We do not give admin rights to end users except in extremely limited cases. They have to justify their supposed need, sign off on an acceptable use policy form, and have all of this documented so if they screw up, they're on the hook.

Re:

[ShanghaiBill]

what's the problem?

In a well-run organization, where users are knowledgable and admins are responsive, it isn't a problem.

In the real world, more users, especially managers, will demand admin privileges so they can "get stuff done" and then use those privileges inappropriately.

There is no good solution. Windows was not designed for security and has so much legacy baggage that every fix breaks something else.

Re: only admin users will be able to add a printer

[sixminuteabs]

The 1990s called and want their tired argument back Bill. I am sure you can produce a 10 paragraph screed on why your own personal secure by design OS would be secure by design and it will be filled with platitudes and bullshit. Meanwhile people who do not go out of their way to expose themselves to malware will continue to be just fine on Windows. Next time try contributing something to the discussion instead of getting high on cheap mod points.

Re:

[ArhcAngel]

Novell NetWare was more feature rich, and secure in the 90's than Windows Server has ever been.

Re:

[LostMyAccount]

It was a vastly superior directory service in addition to having much saner default behavior with regard to some file rights.

You can fuck around with advanced NTFS permissions and get something like Netware's default file traversal rights, but it takes a bunch of added effort.

Nothing you can do will make Active Directory work as well as NDS.

The thing that killed Netware, though, was that it was never a general purpose operating system. A few companies tried (Novell included, with Groupwise) to produce on-s

Re:

[vbdasc]

The main problem is that auto downloading the drivers from the print server when opening an icon of a printer on that server is an incredibly convenient feature.which saves lots of time.

Re:

[Ol Olsoc]

as per the article - "only admin users will be able to add or update a printer with drivers from a remote print server"

what's the problem?

certainly better then what was in place.

The problem is that Windows has so many security holes that I'm surprised that hackers haven't broken into systems that are supposed to be secure. Ohhh, wait... never mind.

So here we are in 2021, and Microsoft just patched a gaping flaw that's only existed for over 20 years.

A few weeks back they did an out of band update to patch a HP printer driver problem that is near as old.

That's why every time I hear https://www.infoworld.com/arti... [infoworld.com] That W10 is the most bestest secure Windows evah, which we he

That would be fun for corporate IT support.

[Z00L00K]

They will either have to grant admin right to every user or they will get flooded with support issues from users that want to install a printer.

That kind of support issues aren't even remotely fun.

Re:

[Rhipf]

Or the IT department could just install the printer driver on the non-admin account and not rely on point and print.

Is there an GPO way to enable install from X

[Joe_Dragon]

Is there an GPO way to enable install from X server without admin?
WSUS?

Need to use an 3rd party tool that let's people request and install software without admin?

Re:

[bhcompy]

If the issue is the software, just install the software on each PC with GPO. Then when the user adds the specific printer, it shouldn't need to install any new software.

Some registry magic, a third-party patch

[raymorris]

There is some registry magic you can do to allow certain listed print servers. There is a third party patch available that does those registry entries.

However, I don't yet know how that method is affected by today's patch from Microsoft.

The solution to prevent IT staff overload

[Teun]

Just make sure there are only a handful of types of printers in the company and have their drivers pre-installed on all systems.

Why is a print driver needed ...

[Alain Williams]

for a remote printer ? I can understand needing a driver installed for a direct connected printer (eg by USB), but why needed for a remote printer ? The remote printer user should generate a device agnostic file that is sent over the network to the machine that hosts the printer. The remote machine need to know a few things, eg: size, resolution, what colours, ... These could be queried and used to build the device agnostic file - postscript would be a good start.

Dumb network attached printers should be banned.

Many years ago printers would directly print a PDF, another popular standard was PCL5 (if memory serves), then printer vendors realised that they could make printers cheaper if they off loaded rendering to the operating system - which generally had a lot of resources. We need to go back to more competent printers - it would not add much to the cost.

tray config and other per printer settings?

[Joe_Dragon]

tray config and other per printer settings?

Re:

[PsychoSlashDot]

for a remote printer ?

That's exactly how printing over Remote Desktop has worked since Win7, so it's not like they haven't thought of it. It's just that Point & Print hasn't been redesigned since its inception a decade earlier. Maybe now that someone's realized it's got a design flaw it'll get some attention in Win11.

Re:

[freeze128]

Programs like MSWord use the printer drivers to determine what your page size/orientation should be. In the past, Word has been so dumb that it saves the printer name/path in the document file. This can be a problem if you mail the document to someone else, and they try to print it, and it complains that you don't have a printer by that name/path.

Printing under windows really needs to be re-thought, and engineered correctly.

Pretty sure this is already in effect.

[alanshot]

I help run a 1200 node network. Our users dont have admin rights by default. Because of that we have to deploy printers via GPO, or use a MDM to temporarily elevate privileges remotely so they can install the printer.

So I wonder what has actually changed, or if we over-tweaked our policies? Because we haven't been able to install printers without admin rights for over a year.

Re:

[Rhipf]

It sounds like you weren't using "Point and Print" which is the service that allowed installing print drivers without admin access. If you aren't using "Point and Print" then print drivers would install like all other drivers (i.e. they would need admin privileges).