Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464)

Summary

A security bypass vulnerability exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. The Windows update addresses this vulnerability by increasing the RPC authentication level and introducing a new policy and registry key to allow customers to disable or enable Enforcement mode on the server-side to increase the authentication level.   

To learn more about the vulnerability, see CVE-2021-1678 | NTLM Security Feature Bypass Vulnerability.

Take Action

To protect your environment and prevent outages, you must do the following:

  1. Update all client and server devices by installing the January 12, 2021 Windows update or a later Windows update. Be aware that installing the Windows update does not fully mitigate the security vulnerability and might impact your current print setup. You must perform Step 2.

  2. Enable Enforcement mode on the print server. Enforcement mode will be enabled on all Windows devices at some future date.

Timing of updates

These Windows updates will be released in two phases:

  • The initial deployment phase for Windows updates released on or after January 12, 2021.

  • The enforcement phase for Windows updates released at some future date.

January 12, 2021: Initial Deployment Phase

The initial deployment phase starts with the Windows update released on January 12, 2021, which gives server customers the ability to enable this increased security level on their own, based on their environment's readiness.

This release:

  • Addresses CVE-2021-1678 (Enforcement mode is set to Off by default).

  • Adds support for the RpcAuthnLevelPrivacyEnabled registry value, which raises the authentication level for the printer IRemoteWinspool interface.

Mitigation consists of the installation of the Windows updates on all client and server-level devices.

Enforcement Phase

The release transitions into the enforcement phase at some future date. In the enforcement phase, the changes that address CVE-2021-1678 are enforced by increasing the authentication level, with no need to set the registry value.

Installation guidance

Before installing this update

You must have the following required updates installed before you apply this update. If you use Windows Update, these required updates will be offered automatically as needed.

  • You must have the SHA-2 update (KB4474419) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. For more information about SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

  • For Windows Server 2008 R2 SP1, you must have installed the servicing stack update (SSU) (KB4490628) that is dated March 12, 2019. After update KB4490628 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU update, see ADV990001 | Latest Servicing Stack Updates.

  • For Windows Server 2008 SP2, you must have installed the servicing stack update (SSU) (KB4493730) that is dated April 9, 2019. After update KB4493730 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.

  • Customers are required to purchase the Extended Security Update (ESU) for on-premises versions of Windows Server 2008 SP2 or Windows Server 2008 R2 SP1 after extended support ended on January 14, 2020. Customers who have purchased the ESU must follow the procedures in KB4522133 to continue receiving security updates. For more information on ESU and which editions are supported, see KB4497181.

Important You must restart your device after you install these required updates.

Install the update

To resolve the security vulnerability, install the Windows updates and enable Enforcement mode by following these steps:

  1. Deploy the January 12, 2021 update to all client and server devices.

  2. After all client and server devices have been updated, full protection can be enabled by setting the registry value to 1.


Step 1: Install the Windows update

Install the January 12, 2021 Windows update or a later Windows update to all client and server devices.

Windows Server product                                     KB #       Type of update
-----------------------------------------------------------------------------------------
Windows Server, version 20H2 (Server Core Installation)    4598242    Security Update
Windows Server, version 2004 (Server Core installation)    4598242    Security Update
Windows Server, version 1909 (Server Core installation)    4598229    Security Update
Windows Server, version 1903 (Server Core installation)    4598229    Security Update
Windows Server 2019 (Server Core installation)             4598230    Security Update
Windows Server 2019                                        4598230    Security Update
Windows Server 2016 (Server Core installation)             4598243    Security Update
Windows Server 2016                                        4598243    Security Update
Windows Server 2012 R2 (Server Core installation)          4598285    Monthly Rollup
                                                           4598275    Security Only
Windows Server 2012 R2                                     4598285    Monthly Rollup
                                                           4598275    Security Only
Windows Server 2012 (Server Core installation)             4598278    Monthly Rollup
                                                           4598297    Security Only
Windows Server 2012                                        4598278    Monthly Rollup
                                                           4598297    Security Only
Windows Server 2008 R2 Service Pack 1                      4598279    Monthly Rollup
                                                           4598289    Security Only
Windows Server 2008 Service Pack 2                         4598288    Monthly Rollup
                                                           4598287    Security Only

Step 2: Enable Enforcement mode

Important This section, method, or task contains steps that tell you how to change the registry. However, serious problems might occur if you change the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you change it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

After all client and server devices have been updated, you can enable full protection by deploying Enforcement mode. To do this, follow these steps:

  1. Right-click Start, click Run, type cmd in the Run box, and then press Ctrl+Shift+Enter.

  2. At the Administrator command prompt, type regedit and then press Enter.

  3. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print

  4. Right-click Print, choose New, and then click DWORD (32-bit) Value.

  5. Type RpcAuthnLevelPrivacyEnabled and then press Enter.

  6. Right-click RpcAuthnLevelPrivacyEnabled and then click Modify.

  7. In the Value data box, type 1 and then click OK.

Note This update introduces support for the RpcAuthnLevelPrivacyEnabled registry value to increase the authentication level for the printer IRemoteWinspool interface.

Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print

Value: RpcAuthnLevelPrivacyEnabled

Data type: REG_DWORD

Data:

  1: Enables Enforcement mode. Before you enable Enforcement mode on the server side, make sure all client devices have installed the Windows update released on January 12, 2021 or a later Windows update. This fix raises the authentication level for the printer IRemoteWinspool RPC interface and adds a new policy and registry value on the server side that, when Enforcement mode is applied, requires clients to use the new authentication level. If a client device does not have the January 12, 2021 security update or a later Windows update applied, printing will break when that client connects to the server through the IRemoteWinspool interface.

  0: Not recommended. Disables the increased authentication level for printer IRemoteWinspool; your devices are not protected.

Default: 0 (when the registry value is not set)

Is a restart required? Yes, a device restart or a restart of the Print Spooler service is required.
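The following PowerShell script is an added example, not Microsoft's own code: run in an elevated session on a print server, it checks for the January 12, 2021 KBs listed in Step 1, reports the current RpcAuthnLevelPrivacyEnabled state, and with -Enable performs Step 2 (sets the value to 1 and restarts the spooler). The KB list and registry path come from this article; the -Enable switch and the script's behaviour are assumptions of the example.

```powershell
# Added example (not Microsoft's code): audit and optionally enable
# Enforcement mode for CVE-2021-1678 on a print server.
# Assumes an elevated PowerShell session on the server itself.
param(
    [switch]$Enable   # pass -Enable to set RpcAuthnLevelPrivacyEnabled = 1
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$valueName = 'RpcAuthnLevelPrivacyEnabled'

# KB numbers from the Step 1 table (January 12, 2021 release).
$januaryKbs = @('KB4598242','KB4598229','KB4598230','KB4598243',
                'KB4598285','KB4598275','KB4598278','KB4598297',
                'KB4598279','KB4598289','KB4598288','KB4598287')

# Step 1 check: is one of the January 2021 KBs installed?
# Later cumulative updates supersede these KBs, so an empty result means
# "verify manually", not "unpatched".
$installed = Get-HotFix | Where-Object { $januaryKbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "January 12, 2021 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'None of the listed January 12, 2021 KBs found; confirm a later cumulative update is installed before enabling Enforcement mode.'
}

# Current state of the value. A missing value behaves as 0 (Enforcement off).
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 0 }
$state = if ($current -eq 1) { 'Enforcement mode ON' } else { 'Enforcement mode OFF - not protected' }
Write-Output ("{0} = {1} ({2})" -f $valueName, $current, $state)

if ($Enable -and $current -ne 1) {
    # Step 2: create or overwrite the REG_DWORD, then restart the spooler
    # so the new authentication level takes effect.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Restart-Service -Name Spooler
    Write-Output 'Enforcement mode enabled and Print Spooler restarted.'
}
```

Run it without -Enable first on every print server to inventory the current state; only pass -Enable once all clients are confirmed updated, as the Data description above requires.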
