MDM & GP Tips Blog

Jul 05, 2022

4 Group Policy Settings That Can Help Prevent Ransomware

We all know how serious the ransomware threat is today and that, unfortunately, there is no one magical solution to stop it. Protecting against ransomware requires a multilayer cybersecurity strategy, also referred to as defense in depth. This includes steps such as ensuring that all systems are up to date on patching, enforcing MFA for email access, and not allowing local admin rights for standard users. There are also some Group Policy settings that you can incorporate into your strategy. Below are four that can help in different ways.

1. Enabling Network Protection

Network protection is a Windows feature that helps prevent users from inadvertently using an application to access dangerous domains that may host phishing scams, exploits, ransomware payloads and other malicious content. It is a component of Microsoft Defender for Endpoint and requires Windows 10 or 11 (Pro and Enterprise) or Windows Server 2019 and later. The list of domains is supplied by Microsoft. Network protection blocks all HTTP and HTTPS traffic that attempts to connect to these domains. Think of it as web protection for non-browser applications.

To enable this feature, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection. There are two policies for you to configure. The first step is to enable “This setting controls whether Network Protection is allowed to be configured into block or audit mode” as shown below.

You then need to choose between Block and Audit. Block is self-explanatory in that users will not be able to access the domains in question. Audit mode allows users to still connect to the flagged domains but records the event in a log. This lets you get a read on what sites your users are using before blocking them entirely. The screenshot below shows how to select between the two options.

2. Enable Controlled Folder Access

Controlled folder access was made available in Windows 10 and is supported in Windows 11 as well as Server 2019 and 2022. It’s a component of Windows Defender Exploit Guard that prevents the data hosted in designated folders from being altered. In other words, if malware attempts to modify (encrypt) the files in these protected folders without authorization, the attempt is blocked and an alert is generated. By default, certain system folders are protected, such as a user’s Documents, Pictures and Desktop folders, but you can add folders as well. Note that the controlled folder access feature does not function if a third-party antivirus application is installed on the targeted system.

To configure Controlled folder access, create a GPO and go to Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access. Start by enabling “Configure controlled folder access” as shown below. You can then choose to disable it, block, or use Audit mode; Block and Audit behave the same way as they do for Network Protection. You can also choose to only block or audit disk modifications, which cover writes to disk sectors by untrusted apps.

You can add additional folders to the list by clicking “Configure Protected Folders” and adding the folders you want protected.

The end result will look like the example below. Note that you can also choose “Configure allowed application” to specify applications that are allowed to alter the data contained in the protected folders.


3. Disable Remote Desktop

Once a ransomware variant takes hold in your network, it then works to spread laterally across your IT estate. One of the ways it does this is through remote desktop connections. That’s one of the reasons why Windows 11 has an account lockout policy enabled that only allows for 10 failed sign-in attempts over a 10-minute period. This helps block RDP brute-force attacks. Because some ransomware variants utilize RDP connections to spread, it’s a good idea to disable RDP unless it is required.

Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host and disable “Allow users to connect remotely by using Remote Desktop Services” as shown in the screenshot below.


4. Show Hidden File Extensions

Cybercriminals use multiple nefarious tactics to get users to click on a malicious file. One of these methods includes the use of double file extensions. An example may be “letter.doc.exe” in which a user mistakes the file for a Word document if the executable extension is hidden. To ensure that file extensions are visible you can create a GPO and go to User Configuration > Group Policy Preferences > Control Panel Settings > Folder Options and make sure that “Hide extensions for known file types” is unchecked as shown in the screenshot below.

We’ve only touched the surface here. There are many other group policy settings available that can aid in preventing ransomware from bringing down your systems and we will cover more in the future.
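As an added example (not from the original post), the following PowerShell reports the state of these four controls on the local machine: it reads the two Defender settings through Get-MpPreference and the RDP and hidden-extensions options from their documented registry locations. The folder D:\Finance is a constructed sample value.

```powershell
# Added example, not from the original post. Audits the four ransomware-related
# controls described above on the local machine. Run from an elevated PowerShell
# prompt on Windows 10/11 with Microsoft Defender Antivirus active.

function Get-RegValueOrNull {
    # Returns a registry value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RansomwareHardeningStatus {
    param(
        # Folders beyond the Windows defaults that you expect Controlled Folder
        # Access to protect. 'D:\Finance' is a constructed sample value.
        [string[]]$ExpectedProtectedFolders = @('D:\Finance')
    )

    $pref    = Get-MpPreference
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Network Protection (Get-MpPreference codes: 0 = Disabled, 1 = Block, 2 = Audit)
    $npNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
    $np = [int]$pref.EnableNetworkProtection
    $results.Add([pscustomobject]@{
        Control = 'Network Protection'
        State   = $(if ($npNames.ContainsKey($np)) { $npNames[$np] } else { "Unknown ($np)" })
        Ok      = ($np -eq 1)
        Note    = 'Audit only logs; switch to Block once the audit events look acceptable.'
    })

    # 2. Controlled Folder Access (0 = Disabled, 1 = Block, 2 = Audit,
    #    3 = Block disk modification only, 4 = Audit disk modification only)
    $cfaNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'
                   3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }
    $cfa       = [int]$pref.EnableControlledFolderAccess
    $protected = @($pref.ControlledFolderAccessProtectedFolders)   # user-added folders only
    $missing   = @($ExpectedProtectedFolders | Where-Object { $protected -notcontains $_ })
    $results.Add([pscustomobject]@{
        Control = 'Controlled Folder Access'
        State   = $(if ($cfaNames.ContainsKey($cfa)) { $cfaNames[$cfa] } else { "Unknown ($cfa)" })
        Ok      = ($cfa -eq 1 -and $missing.Count -eq 0)
        Note    = $(if ($missing.Count -gt 0) { "Not in protected list: $($missing -join ', ')" }
                    else { "Allowed apps: $(@($pref.ControlledFolderAccessAllowedApplications).Count)" })
    })

    # 3. Remote Desktop. The GPO writes the Policies key; the second key is the
    #    machine's own setting. fDenyTSConnections = 1 means RDP is disabled.
    $policyDeny = Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fDenyTSConnections'
    $localDeny  = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $effective  = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }
    $results.Add([pscustomobject]@{
        Control = 'Remote Desktop'
        State   = $(if ($effective -eq 1) { 'Disabled' } elseif ($null -eq $effective) { 'Not set' } else { 'Enabled' })
        Ok      = ($effective -eq 1)
        Note    = $(if ($null -ne $policyDeny) { 'Set by policy' } else { 'Local setting only' })
    })

    # 4. Hidden extensions for the current user. HideFileExt = 0 shows extensions
    #    (the value the Folder Options preference writes); 1 or missing = hidden (Windows default).
    $hide = Get-RegValueOrNull 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    $results.Add([pscustomobject]@{
        Control = 'Show file extensions'
        State   = $(if ($hide -eq 0) { 'Extensions shown' } else { 'Extensions hidden' })
        Ok      = ($hide -eq 0)
        Note    = 'Per-user setting; run under the account the GPO targets.'
    })

    return $results
}

Get-RansomwareHardeningStatus | Format-Table Control, State, Ok, Note -AutoSize -Wrap
```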


Jun 29, 2022

Managing Removable Disks and Devices Using Group Policy and MEM

Your organization can invest in an entire portfolio of cybersecurity tools including email and web filtering, next generation firewall appliances and endpoint security solutions to protect your Windows computing devices. But deploying all those tools can still leave your machines vulnerable to zero-day attacks and malware infestations. That’s because all the filtering and firewall policies in the world won’t stop malicious code from being transferred from an insertable USB stick. The USB port remains a viable attack avenue for hackers and their malicious code creations to infiltrate computers thanks to users sharing USB drives. Fortunately, there are easy ways to manage removable storage access for your fleet of enterprise Windows devices.

Using Group Policy


Let’s start with Group Policy. You can manage removable storage settings on the Computer or User side. A Computer policy would prevent IT personnel with admin privileges from using USB sticks, thus preventing them from performing some of their everyday tasks. The purpose of this policy is to prevent standard users from transferring malicious code, so a User Configuration policy makes the most sense. Create a GPO and go to User Configuration > Administrative Templates > System > Removable Storage Access as shown below.

Let’s clear up any confusion concerning the various removable storage options listed. If you are younger than age 30 you probably don’t know what a floppy disk is and that’s a good thing. For most modern computers today, you need only worry about Removable Disks (USB sticks and external drives) and Windows Portable Devices which include things such as smart phones, cameras, etc. An example would be transferring pictures from a smart phone to a laptop. In the screenshot above I have enabled settings to deny read and write access to removable disks and denied write access to WPD devices.

Another option is to prevent users from installing removable devices onto their machines. You can only do this on the Computer side but there is a setting called “Prevent installation of devices not described by other policy settings” that is perfect for this situation. You can find it by going to Computer Configuration > Administrative Templates > System > Device Installation Restrictions. The enabled policy is shown below.

Using MEM


You can also configure removable storage policies using Microsoft Endpoint Manager. There are a couple of ways to do it. The first is to go to Devices > Configuration profiles and create a profile. Select “Windows 10 and later” as the platform and Templates as the profile type, then choose Administrative Templates from the list of available templates. Name the policy and then drill down to System. Here you will find both groups of desired settings as shown below.

Drilling down into Device Installation we can enable the “Prevent installation of devices not described by other policy settings” policy for MDM enrolled devices.

You can then go up one level and scroll over to the Removable Storage Access settings. Below I have enabled the “Removable Disks: Deny execute access” setting.

You can also configure these settings using the Settings picker.  Rather than choosing Templates as the profile type, select Settings. Then use the Settings picker to search for “Removable Storage” and select the correct category. Then choose the desired settings in the section below and configure them as shown in the screenshot below. You can do the same then for Device Installation settings.

May 02, 2022

How to Prevent Users from Resetting Windows 10 Devices with Applocker and MEM

Anyone who has been a Windows device admin for a school system that implements a student laptop program is aware of the constant battle to keep students in check when it comes to their devices.  A common ploy by the students is to reset their devices to factory default to bypass enforced security policies.  Even if students can’t get to system settings, they can always hold down the shift key while they use the mouse to select the Restart option from the Windows Start button.  This gets them to the Advanced Startup screen where they can then reset the device.  This of course starts the computer with a clean slate, giving students time to make local accounts on their device.  It also gives them access to the command prompt screen and other things.  For computers that are managed by Group Policy, students that reset their devices off premise will enjoy a newfound freedom until the computer returns to campus and receives its assigned policies once again.  What’s more, a PC tech may have to manually deploy a package file to install the required applications, consuming precious time from both the student and the technician.  For those computers managed by an MDM provider, policies and applications will be deployed once the computer connects to the Internet, making any acquired freedom brief, but perhaps meaningful enough to be worth the effort to the student.

Even if you don’t work for a school system, you still might want to stop your users from resetting their devices.  Fortunately, there is an easy way to do it using AppLocker to create a policy that can be deployed using Group Policy or your preferred MDM solution that will prevent standard users from implementing a factory reset. 

Create an AppLocker Executable Rule

Using Windows Group Policy Management Editor, create a GPO and go to Computer Configuration > Security Settings > Application Control Policies > AppLocker > Executable Rules.  Right-click and select Create New Rule as shown in the screenshot below.

Using the wizard, choose Deny as the action.  You can target a specific group or just go with the default Everyone group as shown below.

In the next screen choose “Path” as the primary condition.  There are two executables we need to block, and each requires its own rule.  For this rule let’s choose:

C:\Windows\system32\systemreset.exe

as shown in the following screenshot.

Continue with the Wizard.  Name the rule and click Create.  Now create another executable rule using the same process.  This time we will use an environment variable for the file path: %SYSTEM32%\ReAgentc.exe.  Now you will have two rules as shown below.

Now assign the GPO to the targeted computers.  But what about Windows 10 devices that are managed by Microsoft Endpoint Manager or similar MDM provider?  In that instance, you can export the AppLocker rules by right-clicking on AppLocker and exporting the policy as shown below.

Name the policy and save it as an XML file.

Now import that XML file into MEM by going to Devices > Configuration profiles > Create policy > Windows 10 and later > Templates and choose Custom and click the Create button.

Now open the saved XML file with a text editor and highlight and copy all the content within the AppLocker tags as shown in the screenshot below.

Using the wizard, name the policy and go to configuration settings.  Here you will need to add the OMA-URI settings.  In the OMA-URI textbox you will input the following path:

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy

Choose String as the Data type and then paste the XML code you copied into the Value box as shown below.  Then click next until you finish out the wizard and create the policy.

You will then assign the policy to your targeted users.  The next time a student or user attempts a factory reset, they will receive a message informing them that the action is not allowed for their organization. 
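Here is an added PowerShell example (not from the original post) that writes the two deny rules from the walkthrough as AppLocker XML, checks the result with Test-AppLockerPolicy, and extracts the Exe rule collection that goes into the OMA-URI Value box. It also includes the three default allow rules the wizard offers to create, because an enforced Exe collection without any allow rules blocks every executable not explicitly allowed; the rule GUIDs and the output path are constructed placeholders.

```powershell
# Added example, not from the original post. Produces and verifies the AppLocker
# policy described above. Run on a Windows 10/11 machine with the AppLocker module
# (present by default). GUIDs below are placeholders; any unique GUIDs work.

$policyPath = Join-Path $env:TEMP 'BlockFactoryReset.xml'   # constructed output path

# S-1-1-0 = Everyone, S-1-5-32-544 = Administrators. %SYSTEM32% is AppLocker's path
# variable for C:\Windows\System32, so it covers the literal path used in the first rule.
# The three "(Default Rule)" entries are the standard allow rules; Deny always wins over Allow.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="(Default Rule) Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="(Default Rule) All files for Administrators"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000101" Name="Block systemreset.exe"
                  Description="Prevents factory reset from Settings or Advanced Startup" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\systemreset.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000102" Name="Block ReAgentc.exe"
                  Description="Prevents Windows Recovery Environment configuration" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\ReAgentc.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Evaluate the policy as Everyone against the two blocked executables plus a
# control file that the default Windows-folder rule should still allow.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:SystemRoot\System32\systemreset.exe",
    "$env:SystemRoot\System32\ReAgentc.exe",
    "$env:SystemRoot\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# The MEM custom profile takes the rule collection only, not the outer
# <AppLockerPolicy> element. Pull out the Exe collection for the OMA-URI Value box.
[xml]$doc = Get-Content -Path $policyPath -Raw
$exeCollection = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeCollection.OuterXml
```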


Nov 10, 2021

New Microsoft v95 Security Baseline for Group Policy

Microsoft recently released the Chromium-based Microsoft Edge 95 version to Stable channel for Windows and Mac, which coincides with a new security baseline for it as well.  Some of the new features of the new Edge version include the following:


  • A new efficiency mode that becomes active when a laptop enters battery saver mode so that the two work in tandem to extend the battery life of the machine.
  • The ability to pick up where you left off on PDF documents and resume your review of the documents.
  • The ability to update your passwords with fewer clicks as the browser will navigate a user to the Change Password page for a given website assuming that the website supports that feature.  The browser will also suggest a strong, unique new password. 
  • Supports free form text boxes within PDF documents that allows users to use them to fill out a form. 


Because the browser today is the most frequently used application, it is critically important to keep your security baselines up to date to ensure you are running best practice.  MDM administrators that utilize Microsoft Endpoint Manager (Intune) are familiar with the concept of Security Baselines.  A security baseline is a collection of Microsoft recommended configuration settings that help secure and protect enterprise users and devices.  Security baselines are an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that will address fundamental security and compliance issues.  The Security Baselines for Group Policy are designed around the same principle as the MEM Security Baselines.  You can download the new security baseline package here by selecting the Microsoft Edge v95 Security Baseline.zip file.

The Benefits of Using Security Baselines

While it is perfectly ok to configure your own MDM profile or GPO to select and configure available settings, baselines are a quick and easy way to enforce a default baseline that prevents users from making changes that will result in an insecure state.  There are several benefits of using security baselines offered by Microsoft.

  • They are already configured by Microsoft security experts
  • They enforce settings that mitigates contemporary security threats.
  • Baseline settings have been pretested to ensure that they do not cause operational issues that are worse than the risks they mitigate
  • They ensure that users and device configuration settings are compliant with the baseline

Installing the Microsoft Edge v95 Security Baseline

Once downloaded, you will see that the package contains multiple folder directories as is shown below.  Note that unlike other packages, this one doesn’t include a Template folder as this package does not include the ADMX/ADM template files.  You can download the template files directly from the Microsoft website for any of the current Edge versions.  You must have the required template files in your central store for the package to work.

The next step is to import the new security baselines.  You can import these policies either locally or into AD using the enclosed scripts.  I am choosing to import them into my AD environment using the appropriate scripts as shown below.

Then choose the location where you want to link the new policy and browse for the new MSFT Edge 95 – Computer.

In my case, I chose the East Sales OU to link it.  Note that this is a computer side GPO, so it needs to be linked to an OU that contains computer objects.  The screenshot shows the enclosed settings below.

There are two new security baseline settings.  The first is “Enable browser legacy extension point blocking” which blocks code injection from third-party applications into the new Edge browser.  The setting is enabled by default as is shown below.

The other new enforced setting is “Specifies whether the display-capture permissions-policy is checked or skipped”.  It allows web applications using the getDisplayMedia() API to bypass a permission policy check required by the API specification.  This setting is only temporary and will be deprecated after Microsoft Edge 100.  It is intended for Enterprise users whose applications are not spec compliant.  The setting is enabled by default as is shown below.

All in all there was 1 new computer setting and 1 new user setting for Microsoft Edge version 95, with 3 settings being removed.  You can learn more about these settings here.


Nov 05, 2021

How to Use Security Baseline Releases for Windows 11

Microsoft has a new operating system, which means we need a new security baseline.  Microsoft released the new package on October 5 which features two new settings and some recommended setting changes.  The Security Baselines for Group Policy are designed around the same principle as the MEM Security Baselines.  They provide an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that addresses fundamental security and compliance issues.  The baseline settings are preconfigured by Microsoft security specialists and have been tested for proven compatibility.

Installing the Windows 11 Security Baselines

Once you download the package you will see that it contains multiple folder directories as is shown below.

If you don’t have the Windows 11 ADMX/ADML templates, you can copy them from the Template folder and paste them into your central store.  The templates are shown below.

The real purpose of the package is to import the new security baselines.  You can import these policies either locally or into AD using the enclosed scripts.  I am choosing to import them into my AD environment using the appropriate scripts as shown below.

Domain Security GPO


Let’s look at some of the settings included in the package.  The package includes a GPO called MSFT Windows 11 – Domain Security.  A big change here is the recommended password length.  While a 14-character password has been supported on multiple Windows 10 versions, Security Baselines have continued to enforce only an 8-character minimum password length, which remains a standard in the industry.  The Windows 11 baseline has now increased the minimum password length to 14 characters as shown in the screenshot below.  Advanced password cracking applications powered by readily available CPU power have made 8-character passwords far too vulnerable, as they can potentially be cracked in mere hours.

It is highly recommended that you confirm that all your systems and applications are compatible with a password of this length before you enact this policy.  It’s a good idea to first enable the ‘MinimumPasswordLengthAudit’ Group Policy setting, which is located at Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password length audit.  Enabling this setting will provide insights into the potential impact of increasing your password length.

Restrict Printer Driver Installations


In July of 2021, Microsoft released a patch for CVE-2021-34527, a remote code execution vulnerability in the Windows Print Spooler service.  Essentially, it prevents non-admin users from installing a print driver, which caused a great deal of havoc early on as enterprises that freely allowed standard users to install print drivers were inundated with calls to the helpdesk.  I wrote a blog back in August called the Ultimate Guide to PrintNightmare that lists the options you now have as a result of the update.  Note that Microsoft has added this setting to the Windows 11 Security Baseline as is shown in the screenshot below.

Microsoft Legacy Edge is No More

As Microsoft Edge Legacy reached EOL earlier this year, it is not a part of Windows 11.  That means that all its supported settings have been removed from the baseline.  Only Chromium Edge is now supported.

Script Scanning

According to Microsoft, script scanning was a parity gap between Group Policy and MDM.  As the gap has now been closed, Microsoft is enforcing the enablement of script scanning in this baseline.  Enabling script scanning means that scripts are scanned before being executed to determine their threat status. 

One thing lacking in the Group Policy version of the Windows 11 Security Baseline is the ability to enable Microsoft Defender for Endpoint's tamper protection feature, which is available using Microsoft Endpoint Manager.  Microsoft does, however, encourage you to enable it using other means.  More information here.


Oct 28, 2021

New Microsoft v93 Security Baselines for Group Policy

Last month, Microsoft released a security baseline for Microsoft Edge version 93.  While there isn’t a whole lot new here, it’s important to keep your security baselines up to date in order to ensure you are running best practice.  You can download the latest security baseline packages here by selecting the Microsoft Edge v93 Security Baseline.zip file.  The Security Baselines for Group Policy are designed around the same principle as the MEM Security Baselines.  They provide an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that addresses fundamental security and compliance issues.  The baseline settings are preconfigured by Microsoft security specialists and have been tested for compatibility.

Installing the Microsoft Edge v93 Security Baseline


Once downloaded, you will see that the package contains multiple folder directories as is shown below.  Note that unlike other packages, this one doesn’t include a Template folder as this package does not include the ADMX/ADM template files.  You can download the template files directly from the Microsoft website for any of the current Edge versions.  You must have the required template files in your central store for the package to work.

The next step is to import the new security baselines.  You can import these policies either locally or into AD using the enclosed scripts.  I am choosing to import them into my AD environment using the appropriate scripts as shown below.

In my case, I chose the East Sales OU, and I linked the MSFT Edge Version 93 – Computer GPO.  Note that this is a computer side GPO, so it needs to be linked to an OU that contains computer objects.  Now let’s look at the preconfigured settings below.


There is only one newly enforced setting and that is the disabling of 3DES, which is outlined in the screenshot above.  In Microsoft Edge version 95, the 3DES encryption cipher is completely removed and will no longer function, so this is a way to prepare you for its inevitable deprecation. The upcoming baseline security release will have the 3DES setting completely removed.

The other thing new is an addition by subtraction setting.  Since Adobe Flash support has now ended and been removed from Microsoft Edge completely, there is no need to enforce the setting that disabled Flash. 

All in all there were 31 new computer settings and 26 new user settings for Microsoft Edge version 93, which you can learn more about here.


Aug 24, 2021

The Ultimate Guide to PrintNightmare (and overcoming it)

Background and Timelines

Printing is something that most admins don’t want to think about. This tweet (which is a single picture) sums up most admins’ perspective about printers:

https://twitter.com/nixcraft/status/1428786599479988227 

That being said, the original gory details of WHAT the vulnerability is, which include a privilege escalation and remote code execution can be found here: https://www.csoonline.com/article/3623760/printnightmare-vulnerability-explained-exploits-patches-and-workarounds.html

You can be forgiven for not wanting to go too deep here. But the gist is: If the bad guys convinced your users to click on a thing, that would automatically install an “evil driver” which would then give the bad guy full admin access. I’m summarizing a little bit, but that’s the gist.

Essentially: you are / were open to attack and have to fix it. 

Okay. Got it. So what does fixing it look like? 

There are three dates we have to take into consideration for the discussion:

  • Anything before July 6th.

  • Between July 6th and Aug 10.

  • Anything after Aug 10.

Let’s break down each date and method here.


Before July 6: How would you mitigate Printnightmare WITHOUT any patches

Microsoft’s recommendations which would at least “Shut the door” on possible attacks (BEFORE the July and Aug patches.)

Tip: These are / were PREVIOUS recommendations (applicable if you don’t have patches everywhere):

  1. Completely disable the Print Spooler Service:

    1. DCs because they’re important

    2. Everywhere else because they’re important too.

  2. Use the “Allow Print Spooler to accept client connections” and set to DISABLE. This will keep the print spooler service running, but prevent REMOTE connections to the Print Spooler Service. And, moreover, it still works LOCALLY from the machine for local print jobs. It just prevents sharing printers with OTHER machines. This setting is actually a good mitigation on workstations, which in most cases do not need to share their printers with anyone else.  Note that after this setting is deployed it requires a reboot of the system or at least a restart of the spooler service.  (Thanks to Haemish Edgerton for the clarity adjustment here.)

  3. You can use GPPrefs SERVICES or Powershell scripts or whatever to also do the same thing. 

Now the print spooler services are stopped dead. Printing has now stopped. 

Now what?


Dateline: July 6th - The Patch Arrives

The July 6th patch seemed like it would get the problem solved. From the July patch notes: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 

After putting the July 6th patch everywhere, Microsoft ALSO suggested that you use “Point and print Restrictions” policy setting to force “Show warning and elevation prompt” as follows:

Result:

 

Setting the value to 0, or leaving the value undefined, allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings. This is the default value. Consequently, the Point and Print Restrictions Group Policy setting can override this to allow non-administrators to be able to install signed and unsigned print drivers to a print server.

 

But one day later, this was overcome with some example code. Here’s the original tweet and video: https://twitter.com/gentilkiwi/status/1412771368534528001 

Ack ! Back to Printnightmare and re-shut down all print servers ! OMG.. run for the hills !

Now the print spooler services are stopped dead. Printing has now stopped. 

Now what?

 

Dateline: Aug 10 - Patch 2 is released (Aka Slam the door shut / no more non-admin access for Print Drivers.)

That’s it, no more Mr. Nice Guy. Microsoft decides to go nuclear on this problem. They release another patch for Aug 10.

From: https://support.microsoft.com/en-us/topic/august-10-2021-kb5005031-os-build-18363-1734-8af726da-a39b-417d-a5fb-670c42d69e78 

 

Changes the default privilege requirement for installing drivers when using Point and Print. After installing this update, you must have administrative privileges to install drivers.

 

Net results: 

  1. You need to be a local admin to do anything Printer-y. Technically this was already true; as standard users could never install, say, local print drivers from some unusual source.

  2. Users who are used to finding printers by the Click to Print method are simply blocked at showtime.

Now, there’s a little SIDE NOTE here (Tip of the Hat to Hasain Alshakarti from TRUESEC security @Alshakarti). The door MAY NOT EVEN BE COMPLETELY SHUT. MS released CVE-2021-36958 on Aug 11, 2021, which describes the LPE/RCE Windows Print Spooler Remote Code Execution Vulnerability.  Depending on the version of the driver, the elevation prompt is not triggering, as shown by Benjamin Delpy here: https://twitter.com/gentilkiwi/status/1425154484167188480


Here’s what it looks like (in pictures, not a video) when a user attempts to click to print on a printer (where the drivers have never been installed).

Step 1: Find the printer and get initial prompt

Step 2: Final prompt requiring local admin access to proceed

So, the August 10th patch really did close the door for the good guys.

Now what? How do we let them back in?


Now that the door is shut, how do we open it for SOME people?

So first things first. If the spooler is stopped by ANY of those original methods above, then nothing else is ever going to work. You’ll have to back out any change which killed the print spooler.

Then, after that I’ve rounded up a few POSSIBLE workarounds. Some anecdotally and others from Microsoft’s guidance here (https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) which we’ll review in a bit.

Additionally, I want to show how there’s also a slew of other workarounds if you happen to be a PolicyPak Customer. I’ll field these at the end.


Tip 1: Just keep using Group Policy Preferences to deliver printers to those who need it. (Maybe. Will likely work.)

So this whole Printnightmare is basically trying to solve the problem of a user making a choice where to print (and that vector being insecure.) 

But there isn’t any problem with real admins making choices to deliver printers via Group Policy Preferences (even after the patches are in place.) That still works. Sure, I realize this is a little “Apples and Oranges.” Because GP Preferences is not “Click to Print”.

But if you could use Group Policy Preferences to mass-deliver printers like this to your domain-joined machines, you could still be a-ok. Here’s an example.

Note there still can be problems. If the server is 2016 (or OLDER, like 2012, 2012R2)... and the drivers are “v3” drivers, then… users are still prompted to re-install them as admins. Gah ! The workaround is to upgrade your server’s print drivers to v4 drivers if they are available (which, there may not be.) 

Tip: If you want to see what version of the drivers you're using, on a target machine run the Print Manager utility (again, this is on the endpoint where you already use the printers.) Then, see this column to determine driver type.

The details are documented here by MVP Susan Bradley (@susanbradley): https://www.computerworld.com/article/3630629/windows-print-nightmare-continues-enterprise.html 

I’ll update this space if there’s more on this story.


Tip 2 (which didn’t work for me): Use Point and Print Restrictions to specify the GOOD servers

I mention this tip because it really looks like it SHOULD work, but just.. doesn’t.  Read through it anyway, because we’ll make some lemonade out of lemons here in a minute.

Maybe this worked AFTER the July patch but stopped working AFTER the August patch but I didn’t expressly test that.

The idea would be to simply specify the GOOD servers, so the user wouldn’t be able to print to any BAD servers. Example configuration below (again, it doesn’t work), which would specify the servers but also NOT prompt for elevation.

Microsoft’s text says:

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  2. NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  3. UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

The result on endpoints would be something like this:

Again: this proposed workaround did not work for me; your experience might be different.

If I were asked how to solve this problem within Microsoft engineering, this is how I would have proposed to do it: specify ONLY the good servers and make it so Standard Users couldn’t make changes to that list.

Mayyyybe Microsoft will fix the problem (again) this way, but no signs yet.

Tip 3 (From Microsoft): “Just screw it” and let Standard Users do whatever they want anyway (NOT RECOMMENDED)

So, of course, it sounds like (and would be) a terrible idea to just turn off the new August 10th protection, even after you’re patched. If you wanted to do that, the advantage of course is that Standard Users could click to print on whatever servers they wanted. Which, of course, would also be bad if the bad guys used this against you.

This tested out a-ok, as you can see here.

Again, not a great idea, but it does work, even if the August patch is on the machine.

Tip 4: Combine (non-working) Tip 2 and (working) Tip 3 to attempt to make something (reasonably) secure

So Tip 2, where we specified the GOOD server, didn’t work. And Tip 3, where we specified that non-admins could overcome this driver thing… that worked.

I’m trying here to specify a SPECIFIC server that’s good, and therefore everything else is bad.

I’m then using the special bypass registry key to let non-admins install the drivers.

This should work, right ?

Let’s break it down.

Well, this works 100% when it’s by itself. If I attempt to connect to some rogue server, I do get blocked. Yay.

But then when I add the bypass registry item… it doesn’t work. YET!

So far, this is just as bad as letting non-admins install their own drivers.

The secret to making this work is a SECOND setting, which expresses where the “Package Point and print - Approved servers” are.

Then, I get the basic / final / good result I want:

  • Non-Admins can point to good “specified” servers 

  • Non-Admins cannot point to rogue servers

Even though I showed how to do this, Microsoft does go out of their way to say: “Important: There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.”

I don’t know exactly what the differences are between the super-secure admin-only method and the “open the doggie door to the right people” method I just stepped through, and maybe Microsoft doesn’t want us to know. :-)

Okay: Really, what are some OTHER SECURE workarounds?

First of all, the method I showed above is only “OK” because Microsoft has stated that you aren’t really in a totally secure state. The second problem with the method I showed is that you have to keep on top of your print servers all the time and update the TWO policy settings to accommodate them. Maybe this is fine in a small or static environment. Or maybe this could get out of hand quickly.
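Because you have to keep those two policy settings in step with your print servers, it helps to be able to read back what a given machine actually ended up with. As an added example (not code from the original post), here is a PowerShell audit that reads the Point and Print policy state and reports which of the postures discussed above a machine is in: admin-only, “specified servers plus the approved-server list,” or fully open. The registry value names and the PackagePointAndPrint\ListofServers location are my reading of the Point and Print Restrictions and “Package Point and print - Approved servers” ADMX policies, not something the post documents, so verify them against your own policy store.

```powershell
# Added example, not code from the original post. Classifies a machine's Point
# and Print policy state into the postures discussed in the tips above.
# ASSUMPTION: value names follow the Point and Print Restrictions and "Package
# Point and print - Approved servers" ADMX policies as I know them; verify locally.
$PnP = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Pkg = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means "not defined", so the in-box default applies
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PointAndPrintPosture {
    $restrict = Get-PolicyValue $PnP 'RestrictDriverInstallationToAdministrators'
    $noElev   = Get-PolicyValue $PnP 'NoWarningNoElevationOnInstall'
    $update   = Get-PolicyValue $PnP 'UpdatePromptSettings'
    $trusted  = Get-PolicyValue $PnP 'TrustedServers'   # 1 = only listed servers
    $servers  = Get-PolicyValue $PnP 'ServerList'       # semicolon-separated names
    $pkgList  = @(if (Test-Path "$Pkg\ListofServers") {
                    (Get-Item "$Pkg\ListofServers").GetValueNames() })

    # Since the August 2021 update, "not defined" behaves like 1 (admins only).
    $adminOnly = ($null -eq $restrict) -or ($restrict -eq 1)
    $posture = if ($adminOnly) {
        'Admin-only: standard users cannot install drivers (Microsoft recommended)'
    } elseif ($trusted -eq 1 -and $servers -and $pkgList.Count -gt 0) {
        'Restricted: non-admins install only from listed servers (the two-setting combination above; Microsoft says NOT equivalent to admin-only)'
    } else {
        'Open: non-admins install drivers from ANY server (bypass alone, NOT RECOMMENDED)'
    }

    $warnings = @()
    if ($noElev -eq 1) { $warnings += 'NoWarningNoElevationOnInstall = 1 (Microsoft: vulnerable by design)' }
    if ($update -and $update -ne 0) { $warnings += "UpdatePromptSettings = $update (guidance expects 0 or not defined)" }
    if (-not $adminOnly -and $trusted -eq 1 -and $pkgList.Count -eq 0) {
        $warnings += 'Point and Print server list set, but no Package Point and print approved servers: the post found this no better than fully open'
    }

    [pscustomobject]@{
        Posture                = $posture
        TrustedServerList      = $servers
        PackageApprovedServers = ($pkgList -join ';')
        Warnings               = $warnings
    }
}

Get-PointAndPrintPosture | Format-List
```

Run it on an endpoint after a gpupdate to confirm both lists made it down; an empty PackageApprovedServers with a populated TrustedServerList is the half-configured state described above.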


Solid Workaround 1: Using PolicyPak Least Privilege Manager + Printer Helper Tool

I’m going to jump RIGHT TO THE END and tell you what I think is the ideal solution to the problem, and, sorry to say, this is not a free solution. And I’m the founder and CTO of the solution, so maybe I’m a little biased.

But in short, here’s a video where you can use PolicyPak Least Privilege Manager to elevate the installation of printers on any server, while the person is a standard user. 

Overcome Print Nightmare Standard User UAC Prompts

Why is this the best method? 

  • First, you don’t have to enable this for all users; just the users who need to do this from time to time. 

  • Second, you don’t need to really be opening up admin rights everywhere; it’s just for this key case. 

  • Third, it quacks like the native tool, but does require one click to get it started, instead of “Click to Print.” 

  • And lastly, this technique also works for installing LOCAL printers, which might also come in handy.

This also dovetails nicely into the whole “Zero Trust” model. Let only the users who need this technique get this technique. Remove local admin rights and reduce your attack surface.


Solid Workaround 2: Pre-install the drivers to the machine (somehow)

If you are able to magically pre-install the drivers into the machine’s local cache then you get a hall pass here.

You can do this in your image, or, if you already have 10,000 machines out there, you can script your way to glory.

Tip of the hat to my friends at PDQ for the inspiration for this tip. You can find their lashup here: https://www.pdq.com/blog/using-powershell-to-install-printers/

The idea, which I tested manually, worked awesome, as you can see here. The gist is to use PnPUtil to get the drivers pre-installed as an admin. Then the user can click on the network printer and they’re done. No prompts. It just works.
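As an added example (not the PDQ script and not code from the original post), here is that PnPUtil pre-staging done in PowerShell as an admin, finishing with the Get-PrinterDriver check that shows the v3/v4 driver type Tip 1 asks you to look at in Print Management. The staging path and driver name are placeholders for your own environment.

```powershell
# Added example, not the PDQ script and not code from the original post. Stages
# printer drivers into the local driver store as an admin, so a standard user
# who later connects to the network printer gets no elevation prompt.
# ASSUMPTION: $InfRoot and $DriverNames are placeholders for your environment.
#Requires -RunAsAdministrator
param(
    [string]$InfRoot       = 'C:\Staging\PrinterDrivers',       # placeholder path
    [string[]]$DriverNames = @('HP Universal Printing PCL 6')   # placeholder INF driver name
)

# 1. Put every INF under $InfRoot (recursively) into the driver store.
#    pnputil.exe is in-box; exit code 3010 is success with a reboot pending.
$output = & pnputil.exe /add-driver "$InfRoot\*.inf" /subdirs
if ($LASTEXITCODE -notin 0, 3010) {
    throw "pnputil failed with exit code $LASTEXITCODE`n$($output -join "`n")"
}

# 2. Register each staged driver with the local spooler. Once the spooler has
#    the driver, connecting to a server printer that uses it installs nothing,
#    so the standard user sees no UAC prompt.
foreach ($name in $DriverNames) {
    if (Get-PrinterDriver -Name $name -ErrorAction SilentlyContinue) {
        Write-Host "Already present: $name"
        continue
    }
    Add-PrinterDriver -Name $name   # resolved from the driver store staged above
    Write-Host "Installed: $name"
}

# 3. Verify, and show the driver type Tip 1 asks you to check in Print
#    Management: MajorVersion 4 = v4 driver, 3 = v3 driver.
Get-PrinterDriver |
    Where-Object { $DriverNames -contains $_.Name } |
    Select-Object Name, MajorVersion, PrinterEnvironment, InfPath |
    Format-Table -AutoSize
```

Get-PrinterDriver and Add-PrinterDriver come from the in-box PrintManagement module (Windows 8 / Server 2012 and later), so nothing extra needs installing on the endpoint.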



There’s another method that I found, which involves getting a machine prepped with all your drivers, backing up the driver store and preparing it as a “package.” Printbrm.exe and PrintbrmUI.exe are the in-box utilities that do this. A good write-up if you want to do this is here (https://lakeforestconsulting.com/adminprintnightmare/). You can then deploy the package using SCCM, Intune, PolicyPak or another method of your choice.


Solid Workaround 3: Use the same printer driver as many times as you can

I found this one here: https://community.spiceworks.com/topic/2328739-best-way-to-deploy-printnightmare-proof-printers-to-non-admin-users?page=1#entry-9250842 (courtesy of https://community.spiceworks.com/people/ethanharris). I’ll just quote him to make this easier for everyone:

“We get around it by using the same universal HP driver on our print server for all black & white printing. Since they already have the print driver installed they get no admin prompt when they add other printers.

For each color printer we create two printers on the print server, "PrinterName" and "PrinterName-Color" with the actual driver for that printer model used on the -Color version. It is understood by staff that anyone can add a printer to print in B&W but IT needs to enter the admin password if they need to add a printer to print in color. This also helps to cut down on printing costs as color printing costs 10x as much as B&W on our printing contract.”


Are there Workarounds if I’m not domain joined?

Yes. Here are the others I’ve been able to come up with. If you have more to add, let me know and I’ll add them here and give you credit.


Using an MDM Service + PowerShell

If you use an MDM service like Intune, then you could use the script method from the PDQ guys (see above). That’s a little more than I want to get into here, but it should get you near the goal. 


Using PolicyPak + Least Privilege Manager

I already mentioned the Least Privilege Manager and the Helper Tool; here's a link to an alternate video which shows a few more magic tricks of the Helper Tools.

https://kb.policypak.com/kb/article/889-overcome-network-card-printer-and-remove-programs-uac-prompts/ 


Using PolicyPak + Remote Work Delivery Manager

We’ve had this KB around for a while, but it works great to overcome PrintNightmare. The gist is that you copy install files from, say, Dropbox, Amazon S3 or Azure storage, then script the install.

https://kb.policypak.com/kb/article/1103-how-to-deploy-a-tcp-ip-printer-using-policypak-remote-work-delivery-manager/


Using PP Scripts to Deploy Printers for Users (so they don’t have to)

This method is similar to the PP + Remote Work Delivery Manager method, but could be useful if you only have PP Scripts and Triggers and not Remote Work Delivery Manager.


Using PolicyPak Cloud + GPPRefs TCPIP Printers 

This could help some people, so I’m adding it here.

https://kb.policypak.com/kb/article/788-how-to-deploy-a-tcpip-printer-using-group-policy-preferences-in-policypak-cloud/


Final thoughts about PrintNightmare

The world is heading toward Zero Trust, which means every piece of the network needs (or should have) explicit allow rules.

We believe in this idea at PolicyPak, and can do blocking by default for regular downloads, Windows Store downloads, and even block stuff on USB sticks.

With the PrintNightmare patch, Microsoft is basically saying the same thing: trust no one but your admins. But if you give someone local admin rights on the box, you’re shooting yourself in the foot.

Remove local admin rights and get to Least Privilege land (using PolicyPak Least Privilege Manager). And then give back what you need to with rules to open up specific admin-like-things to your end-users (like adding printers) as needed.

Hope this guide helps you out.

Special thanks to my two Technical Reviewers: Viktor Hedberg and Hasain Alshakarti for help with the article.

Jun 2020
09

Establishing Edge v83 Security Baselines with Group Policy

MDM administrators who utilize Microsoft Endpoint Manager (Intune) are familiar with the concept of Security Baselines. A security baseline is a collection of Microsoft-recommended configuration settings that help secure and protect enterprise users and devices. For instance, MEM offers security baselines for Windows 10, Microsoft Defender ATP and Edge. Security baselines are an easy and effective way for admins to ensure that they are consistently enforcing a minimum security level that addresses fundamental security and compliance issues. Some admins may be surprised that security baselines are available for Group Policy as well.

The Benefits of Using Security Baselines

While it is perfectly OK to configure your own MDM profile or GPO to select and configure available settings, baselines are a quick and easy way to enforce a default that prevents users from making changes that would result in an insecure state. There are a number of benefits to using the security baselines offered by Microsoft:

  • They are already configured by Microsoft security experts.
  • They enforce settings that mitigate contemporary security threats.
  • Baseline settings have been pre-tested to ensure that they do not cause operational issues that are worse than the risks they mitigate.
  • They ensure that user and device configuration settings are compliant with the baseline.

Security Baselines are not just for MDM

Microsoft has been releasing security baselines since the Windows XP days. Because Group Policy offers far more settings than MDM, the simplification that baselines offer for AD environments is even more of a benefit. For instance, there are more than 200 Microsoft Edge Group Policy settings for Windows, but only some of these are security related. By implementing the Microsoft Edge baseline, you can rest assured that you are deploying the most up-to-date security settings for Microsoft Edge in your GPO environment.

Security Baseline for Microsoft Edge v83

Microsoft recently announced the release of version 83 of Microsoft Edge. Microsoft continues to release new versions and settings for the new Chromium-based Edge browser. Version 83 includes 19 new computer- and user-based settings. The accumulated total of Edge settings currently stands at 311 Computer policy settings and 286 User configuration policy settings. The current baseline involves 12 of these settings, which are identical to the v80 security baseline.

To obtain the security baseline for Microsoft Edge, you need to download the Security Compliance Toolkit. The toolkit contains the following:

  • Importable GPOs
  • A script to apply the GPOs to local policy
  • A script to import the GPOs into Active Directory Group Policy
  • A spreadsheet documenting all recommended settings
  • Policy Analyzer rules
  • GP Reports
  • Documentation

Implementing the Baseline into your AD Environment

Keep in mind that you must have the Edge v83 ADMX files in your Central Store as a prerequisite. Once you download the toolkit, open the Scripts folder and run either the local policy script or the AD import script, as shown below.

In this example we are using the Baseline-ADimport script. The script will then import a GPO called MSFT Edge version 80 – Computer that involves the following Administrative Templates.

Some of the configured settings include the following:

The toolkit includes a GP Reports Folder that contains an HTML report of GPO templates available in the baseline.

It is recommended that you stay current with the latest security baselines for Edge and Windows 10. You can keep abreast of future baselines as they become available through the Microsoft website.

You can learn about the newest policy settings available with Edge v83 on the Microsoft website.

Oct 2016
04

Next Group Policy Training: Atlanta. (And some security stuff that scared my pants off !)

Next GP Class Stop: Atlanta. (And some security stuff that scared my pants off !)

Hey Team! Just got back from Atlanta, where last week I was at Ignite.

Quick Ignite report: Nothing blew my face off, but it was nice to physically be back in touch with friends, customers and students.
The human connection CANNOT be underrated!

Check this picture out of a dinner on Wednesday night. Can you name all the people in this photo: http://screencast.com/t/daL5kTOFfU ?

And, guess what? I’m coming back to Atlanta… TWICE MORE this year.
First: Techstravaganza 2016 Nov 18th !

What is it? This is the annual Atlanta IT Pro user group meetup, and it’s awesome. And I’m giving two speeches and one is the keynote ! Come hear me speak about:
– “Top Windows Server 2016 and Windows 10 Gotchas”
– “Why Group Policy isn’t dead, still matters, and what’s new in Group Policy for Windows 10”

When is it? Nov 18th, 2016.. One Day only !

How do you sign up? Sign up and get tickets here: https://www.eventbrite.com/e/atlanta-techstravaganza-2016-tickets-27792984565
Second: My next Group Policy Class : Dec 12 – 15 (Four Days)

We have two seats remaining in my class next week in Chicago, and see you all who are coming NEXT MONDAY!!
And it’s really been like forever since I’ve had GP class in Atlanta.
So.. Guess where I’m going next!? Atlanta ! Dec 12 -15.
We’ve got a great location, great room rate, it’s just going to be a super awesome amazeballs class.. I know it.
And you can join aboard… How do you do that I hear you cry? http://dev.gpanswers.com/training
Price: $2500 for the four days.
Results?: Priceless.
So what scared the heck out of me? Well, check this out. There’s a video you have to see. It will freak you out!
Stealing login credentials from a locked PC or Mac just got easier
http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-locked-pc-or-mac-just-got-easier/

Some possible remediations could be:
– Block the USB\Class_02 device using a Device Installation Restrictions GPO as a countermeasure, based on the following info:
https://isc.sans.edu/diary/Collecting%2BUsers%2BCredentials%2Bfrom%2BLocked%2BDevices/21461

Another proposed protection was:
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

These are both UN-tested and were suggested by two fellow MVPs (not me).

You’ll learn about Device Installation Restrictions in my Group Policy class. And a billion other security tips and tricks.

So.. what are you waiting for?
Dec 12 – 15 in Atlanta… !

Get Training

See you there !!