What’s the proper way to deploy printers post-PrintNightmare?
It’s the million-dollar question on almost every IT-filled social feed.
Following PrintNightmare and the endless flow of patch releases that ensued, everything in traditional print environments felt broken. Deployments via GPOs became a chore. You received error messages when trying to install printer drivers, despite the drivers already existing on your system. Even if you didn’t run into issues like these, you were at least stuck getting the proper mitigations in place so users could print.
In short, PrintNightmare spooked everyone.
And when Microsoft released patch KB5005625 back in September 2021, everything was done and dusted.
At least, that’s what most of us thought.
Why are we still talking about PrintNightmare?
Because patches are still being released to stop attackers from gaining SYSTEM privileges.
To be more exact, recently, Microsoft released patches for 68 vulnerabilities. One of the most notable vulnerabilities, CVE-2022-41073, affected the Print Spooler service. A month before that, a separate spooler vulnerability, CVE-2022-38028, caused admins to install more patches to keep threats out.
Sound familiar?
It’s not like this wasn’t predictable. Since July 2021, over 65,000 attacks have targeted print servers, and around 31,000 of those happened in 2022. Print servers continue to be a popular attack vector. As Satnam Narang, a senior staff research engineer at Tenable, points out, PrintNightmare may have just opened up the floodgates to more potential threats:
We’ve long warned that once Pandora’s box was open with PrintNightmare, that flaws within Windows Print Spooler would come back to haunt organizations, and based on the success ransomware groups and other threat actors have had with PrintNightmare, a continued focus on the ubiquitous nature of Windows Print Spooler makes it one of the most attractive targets for privilege escalation and remote code execution.
Achieving a vulnerability-free traditional print environment seems highly unlikely, given the constant updates required to stop threats. Each blurb in the news about print spooler vulnerabilities is further evidence to cybercriminals that print servers are, in fact, the “Swiss cheese” of legacy systems—they just have too many holes.
Tired of rolling the dice on security? We have a few quick ways to help you deploy printers without jumping through endless loopholes.
Here are the best ways to deploy printers post-PrintNightmare…
Step 1: Get rid of your print servers.
If legacy systems like print servers and spoolers are already deemed the root of the problem, doesn’t it make sense to eliminate them? You’d get rid of the patch installations, maintenance costs, and the single point of failure. Plus, you don’t have to find workarounds to allow your users to print securely.
Serverless, cloud-based print management solutions simplify driver management across your entire print environment. Instead of managing multiple driver repositories or outdated print drivers, you can store and manage printers, drivers, and profiles from any manufacturer from a single driver repository. You can even print to a universal driver instead of wrestling with individual manufacturer drivers—without worrying about incompatibilities.
You’re probably thinking about the stress of finding a new solution. Potential printer downtime when migrating to a new platform. Problems with learning how to maneuver new software or hardware. All are valid reasons to hesitate.
However, the risk of leaving yourself vulnerable isn’t worth the cost of an average print-related data breach.
Don’t just take it from us.
Here are a few answers from Reddit users on how to deploy printers post-PrintNightmare:
The best method I’ve seen is getting rid of print servers and use PrinterLogic to deploy direct IP printing.
-Reddit User jmp242
PrinterLogic completely took printers off my list. It just works, and I hardly think about it until our rep emails me asking how things are going.
-Reddit User mortalwombat
Step 2: Eliminate scripts and GPOs.
Getting rid of print servers already means that deployments are easier since you don’t have to try various workarounds that may sacrifice security. Similar to print servers, deploying printers via scripts and GPOs is unreliable and old-school. GPO printer deployments offer a long list of limitations and potential failure points, often leading to calls to the helpdesk to solve the issue. This also results in high costs and more aggravation on your end.
Take it from this admin, who got tired of deployment issues and removed GPOs and scripts completely:
We had so many problems with deploying printers via GPO and scripts that we eventually went to PrinterLogic.
-Reddit User randomguy3
Migrating to a centrally managed, serverless printing platform eliminates scripts and GPOs for good and gives you granular control over which users get which printer. Deploy printers individually or en masse, one-time or automated—all by ticking a few boxes.
PrinterLogic is the bomb. It has saved us thousands of dollars in color printing costs by being able to reset printer preferences after every job. And deploying printers is sooooooo simple.
-Reddit User bla4free (IT Manager)
Step 3: Try Serverless Printing (for free)
If we made eliminating print servers, scripting, and GPOs sound easy, that’s because it really is.
Another vote for PrinterLogic. We did a 2-week trial with them and immediately signed the contract after the first week. They helped get us fully up and running in about 2 hours.
-Reddit User Randalldeflagg
PrinterLogic offers a quick, painless way to go serverless and move to our centrally managed direct IP printing platform. Experience almost no printer downtime during the migration process. Get optimized security and accurate deployments without worrying about compromising your organization’s data security.
And be the problem-solver to all IT professionals searching through Google for “How to deploy printers post-PrintNightmare.”
Try PrinterLogic free for 30 days to get a glimpse of stress-free print management.