
PrintNightmare: Kicking users from Pre-Windows 2000 legacy group may thwart domain controller exploitation
2021-07-01 23:34

Another potential mitigation has emerged for the PrintNightmare zero-day vulnerability, which lets low-privileged users execute code as SYSTEM on Windows domain controllers: remove those users from a backwards-compatibility group.

While the patch for CVE-2021-1675 also protects against PrintNightmare on most Windows devices, it didn't do so for domain controllers, which caused some puzzlement among security researchers.

The Pre-Windows 2000 Compatible Access Group exists for backwards compatibility with Windows NT boxes and appears to be populated with authenticated users by default in new Windows Server deployments.

As Windows Server blogger Dion Mosley explained: "Members of this group have Read access for viewing all users and groups within the domain. Depending on the security settings chosen during the installation of Active Directory, the Everyone group might be a member of this group."

Mimikatz maintainer Benjamin Delpy confirmed Zhang's findings to The Register, saying: "I can confirm that if we remove 'authenticated users' from this group, it stops the exploit." In short, membership of that group is an ingredient of the PrintNightmare exploit mechanism, and knowing that could at least help infosec and sysadmin folks better understand the underlying software bug.

The US government's Cybersecurity and Infrastructure Agency recommends disabling the Windows Print spooler service in domain controllers and hosts that do not print.
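The two mitigations above can be checked from a domain-joined host. The following PowerShell audit script is an added example, not code from the article, The Register or Microsoft; it assumes the RSAT ActiveDirectory module is installed and the account running it can read the domain and query local services.

```powershell
# Added audit script: reports whether Authenticated Users or Everyone are direct
# members of "Pre-Windows 2000 Compatible Access" and whether the Print Spooler
# is running on this host. Assumes RSAT ActiveDirectory and domain read access.
Import-Module ActiveDirectory

# Well-known SIDs for the two broad principals the article discusses.
$WatchList = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-1'  = 'Everyone'
}

# The built-in group, resolved by its well-known SID rather than display name.
$Group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member

$Findings = foreach ($Dn in $Group.member) {
    # Members may be foreign security principals, so read objectSid directly
    # instead of relying on Get-ADGroupMember, which can fail on such entries.
    $Obj = Get-ADObject -Identity $Dn -Properties objectSid
    $Sid = $Obj.objectSid.Value
    if ($WatchList.ContainsKey($Sid)) {
        [pscustomobject]@{ Principal = $WatchList[$Sid]; SID = $Sid; DN = $Dn }
    }
}

if ($Findings) {
    Write-Warning "Broad principals present in '$($Group.Name)':"
    $Findings | Format-Table -AutoSize
    # Remediation the article describes. Uncomment only after confirming no
    # legacy application or trust still depends on this membership.
    # foreach ($F in $Findings) {
    #     Remove-ADGroupMember -Identity $Group -Members $F.DN -Confirm:$false
    # }
} else {
    Write-Output "'$($Group.Name)' contains neither Authenticated Users nor Everyone."
}

# CISA's recommendation: no Print Spooler on domain controllers or hosts that do not print.
$Spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($Spooler -and $Spooler.Status -eq 'Running') {
    Write-Warning "Print Spooler is running (StartType: $($Spooler.StartType))."
    # Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled
} else {
    Write-Output 'Print Spooler is not running.'
}
```

Only direct membership is checked; a principal nested through another group would need a recursive walk of the member attribute.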


News URL

https://go.theregister.com/feed/www.theregister.com/2021/07/01/printnightmare_windows_fix/

Related Vulnerability

DATE         CVE             VULNERABILITY TITLE                                            RISK
2021-06-08   CVE-2021-1675   Unspecified vulnerability in Microsoft products                0.0
                             (Windows Print Spooler Remote Code Execution Vulnerability)