Microsoft have released information regarding a critical server vulnerability in the Print Spooler service. As yet there is no patch available, and working exploit code is known to be circulating in the wild.
If exploited, a remote user could gain full control of a domain controller and the customer's network, causing untold havoc and financial damage.
There are a few ways to mitigate this vulnerability, which we have already put in place for our clients.
First, if your server does not need to be running the Print Spooler service, then disable it immediately! This can be done via services.msc.
Second, lock down the C:\Windows\System32\spool\drivers folder and its subfolders. This will prevent a remote user from exploiting this vulnerability. Here is the PowerShell code to do this:
$Path = "C:\Windows\System32\spool\drivers"
$Acl = (Get-Item $Path).GetAccessControl('Access')
# Deny SYSTEM the Modify right on the folder; ContainerInherit/ObjectInherit makes the rule apply to subfolders and files too
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)   # the rule must be added to the ACL before it is written back
Set-Acl $Path $Acl
This code adds a DENY entry for SYSTEM (Modify) on the C:\Windows\System32\spool\drivers folder and its subfolders.
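To confirm that both mitigations actually took effect on a server, here is a PowerShell check script. It is an added example, not code from the original post; it assumes the same folder path as above and that the service is registered under its standard name, Spooler.

```powershell
# Verify the two Print Spooler mitigations described above (assumes PowerShell 5.1 or later).
$Path = "C:\Windows\System32\spool\drivers"

function Test-SpoolerDisabled {
    # $true only if the Spooler service is stopped AND cannot start again (StartType Disabled).
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return $true }   # service not present at all counts as disabled
    return ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
}

function Test-SpoolDriversDenyAce {
    param([string]$FolderPath)
    # Look for an explicit (not inherited) Deny ACE for SYSTEM that covers the Modify right
    # and propagates to both subfolders (ContainerInherit) and files (ObjectInherit).
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $oi = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in $acl.Access) {
        $isSystem  = $ace.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM'
        $isDeny    = $ace.AccessControlType -eq 'Deny'
        $hasModify = ($ace.FileSystemRights -band $modify) -eq $modify
        $inherits  = (($ace.InheritanceFlags -band $ci) -eq $ci) -and (($ace.InheritanceFlags -band $oi) -eq $oi)
        if ($isSystem -and $isDeny -and $hasModify -and $inherits -and -not $ace.IsInherited) {
            return $true
        }
    }
    return $false
}

function Get-SpoolerMitigationReport {
    param([string]$FolderPath = $Path)
    # One object per host, suitable for piping into Export-Csv when checking a fleet.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerDisabled    = Test-SpoolerDisabled
        DriverFolderDenied = Test-SpoolDriversDenyAce -FolderPath $FolderPath
    }
}

Get-SpoolerMitigationReport
```

A host that reports $false for either column still needs the corresponding step applied. Bear in mind that the Deny entry also blocks legitimate printer driver installation on that server, so remove it again once a patch is in place and printing is needed.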