2021-07-05

Disable Remote Print Spooler connections with CI

I suddenly felt the need to disable remote connections to client print spooler, and here is how I did it.




This is an action to the PrintNightmare incident in July 2021.

Since the service needs to be restarted after the register value has been applied, I thought that a CI was the better choice compared to a GPO. 


A discovery script containing:

$Status = Get-ItemProperty -Path "HKLM:\\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "RegisterSpoolerRemoteRpcEndPoint" -ErrorAction SilentlyContinue

IF ($Status.RegisterSpoolerRemoteRpcEndPoint -eq 2) {
    Return $true
} Else {
    Return $False
}


The Discovery script will return $true/$false where true is that the policy has been applied.



and a remediation script:

Get-Service Spooler | Stop-Service -Force
New-ItemProperty -Path "HKLM:\\SOFTWARE\Policies\Microsoft\Windows NT\Printers" -Name "RegisterSpoolerRemoteRpcEndPoint" -PropertyType Dword -Value 2
Get-Service Spooler | Start-Service -Force


No comments:

Post a Comment