Introduction
In the ever-evolving technology landscape, printer manufacturers are striving to ensure the security and reliability of their products. With the release of Windows 10 21H2, Microsoft has introduced significant changes in its approach to printer drivers[1], prompting concern among printer manufacturers about the implications for SMB printing. In this article we will look into these changes and explore how Visuality Systems’ SMB protocol solutions play a crucial role in ensuring that SMB printing remains secure and unaffected.
The Evolution of Windows Printing
Windows 10 21H2 brings a significant shift in the world of printer drivers. With its release, Microsoft offers inbox support for Mopria compliant printer devices via the Microsoft IPP Class Driver, eliminating the need for printer manufacturers to provide their own installers, drivers, and utilities. This innovation improves reliability and performance by moving customization from the traditional Win32 framework to the Universal Windows Platform (UWP). Furthermore, printer manufacturers can enjoy the ease of supporting their solutions across all Windows versions and editions without the need for constant rebuilding. However, this shift also marks the end of servicing for the legacy v3 and v4 Windows printer drivers, to be phased out over several years.
Security Concerns and PrintNightmare
In the realm of printer security, CVE-2021-34527[2], known as PrintNightmare, has been a significant concern. This vulnerability enabled remote code execution when the Windows Print Spooler service performed privileged file operations improperly. The potential exploits could lead to an attacker running code with SYSTEM privileges, installing programs, altering or deleting data, and creating accounts with full user rights.
Microsoft’s Response and Visuality Systems’ Bond
In response to the PrintNightmare vulnerability, Microsoft has introduced stringent security measures[3]. For example, printing over an RPC Spools encrypted channel is subject to additional authentication. This security enhancement is supported by Visuality Systems since YNQ version 1.8.4. With the release of Windows 11 version 22H2 Microsoft provided a substantial layer of protection for SMB printing, ensuring that vulnerabilities like PrintNightmare do not compromise the security of printing operations.
Modifications in how Windows machines communicate during print-related tasks to improve the overall security include:
- Default Usage: For client-server print-related communications, RPC over TCP is now the default method. RPC over Named Pipes is available but disabled by default.
- Control Options: Administrators can control RPC over TCP, and RPC over Named Pipes, via Group Policy or registry settings.
- Port Configuration: When using RPC over TCP, it is possible to configure a specific port for communication instead of relying on dynamic ports.
- Kerberos Enforcement: Environments where computers are domain-joined can enforce Kerberos authentication, if supported, adding an additional layer of security.
Conclusion
The recent changes introduced by Microsoft regarding printer drivers and their impact on SMB printing have been a subject of concern for printer manufacturers. However these changes are primarily focused on enhancing the overall security of printing operations, especially in light of vulnerabilities like PrintNightmare. Visuality Systems’ SMB protocol solutions, with their continuous updates and support for enhanced security measures, are instrumental in ensuring that printing via SMB protocol remains a reliable and secure process. By partnering with Visuality Systems, printer manufacturers can rest assured that their SMB printing solutions are not only compliant with the latest Windows updates but also well-protected from vulnerabilities.
[1] End of servicing plan for third-party printer drivers on Windows
[2] Windows Print Spooler Remote Code Execution Vulnerability
