Summary
A security bypass vulnerability exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. The Windows update addresses this vulnerability by increasing the RPC authentication level and introducing a new policy and registry key to allow customers to disable or enable Enforcement mode on the server-side to increase the authentication level.
To learn more about the vulnerability, see CVE-2021-1678 | Windows Print Spooler Spoofing Vulnerability.
Take Action
To protect your environment and prevent outages, you must do the following:
Timing of updates
These Windows updates will be released in two phases:
- The initial deployment phase for Windows updates released on or after January 12, 2021.
- The enforcement phase for Windows updates released at some future date.
January 12, 2021: Initial Deployment Phase
The initial deployment phase starts with the Windows update released on January 12, 2021 by providing the ability for server customers to enable this increased security level on their own based on their environment's readiness.
This release:
- Addresses CVE-2021-1678 (in Deployment mode set to Off by default).
- Adds support for the RpcAuthnLevelPrivacyEnabled registry value to enable the increase of the authentication level for printer IRemoteWinspool protection.
Mitigation consists of the installation of the Windows updates on all client and server-level devices.
September 14, 2021: Enforcement Phase
The release transitions into the enforcement phase on September 14, 2021. The enforcement phase enforces the changes that address CVE-2021-1678 by increasing the authentication level without requiring the registry value to be set.
Installation guidance
Before installing this update
You must have the following required updates installed before you apply this update. If you use Windows Update, these required updates will be offered automatically as needed.
- You must have the SHA-2 update (KB4474419) that is dated September 23, 2019 or a later SHA-2 update installed and then restart your device before you apply this update. For more information about SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
- For Windows Server 2008 R2 SP1, you must have installed the servicing stack update (SSU) (KB4490628) that is dated March 12, 2019. After update KB4490628 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU update, see ADV990001 | Latest Servicing Stack Updates.
- For Windows Server 2008 SP2, you must have installed the servicing stack update (SSU) (KB4493730) that is dated April 9, 2019. After update KB4493730 is installed, we recommend that you install the latest SSU update. For more information about the latest SSU updates, see ADV990001 | Latest Servicing Stack Updates.
- Customers are required to purchase the Extended Security Update (ESU) for on-premises versions of Windows Server 2008 SP2 or Windows Server 2008 R2 SP1 after extended support ended on January 14, 2020. Customers who have purchased the ESU must follow the procedures in KB4522133 to continue receiving security updates. For more information on ESU and which editions are supported, see KB4497181.
Important: You must restart your device after you install these required updates.
Install the update
To resolve the security vulnerability, install the Windows updates and enable Enforcement mode by following these steps:
- Deploy the January 12, 2021 update to all client and server devices.
- After all client and server devices have been updated, full protection can be enabled by setting the registry value to 1.
Step 1: Install the Windows update
Install the January 12, 2021 Windows update or a later Windows update to all client and server devices.
Windows Server product | KB # | Type of update
Windows Server, version 20H2 (Server Core Installation) | | Security Update
Windows Server, version 2004 (Server Core installation) | | Security Update
Windows Server, version 1909 (Server Core installation) | | Security Update
Windows Server, version 1903 (Server Core installation) | | Security Update
Windows Server 2019 (Server Core installation) | | Security Update
Windows Server 2019 | | Security Update
Windows Server 2016 (Server Core installation) | | Security Update
Windows Server 2016 | | Security Update
Windows Server 2012 R2 (Server Core installation) | | Monthly Rollup
Windows Server 2012 R2 (Server Core installation) | | Security Only
Windows Server 2012 R2 | | Monthly Rollup
Windows Server 2012 R2 | | Security Only
Windows Server 2012 (Server Core installation) | | Monthly Rollup
Windows Server 2012 (Server Core installation) | | Security Only
Windows Server 2012 | | Monthly Rollup
Windows Server 2012 | | Security Only
Windows Server 2008 R2 Service Pack 1 | | Monthly Rollup
Windows Server 2008 R2 Service Pack 1 | | Security Only
Windows Server 2008 Service Pack 2 | | Monthly Rollup
Windows Server 2008 Service Pack 2 | | Security Only
Step 2: Enable Enforcement mode
Important: This section, method, or task contains steps that tell you how to change the registry. However, serious problems might occur if you change the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you change it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.
After all client and server devices have been updated, you can enable full protection by deploying Enforcement mode. To do this, follow these steps:
- Right-click Start, click Run, type cmd in the Run box, and then press Ctrl+Shift+Enter.
- At the Administrator command prompt, type regedit and then press Enter.
- Locate the following registry subkey:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print
- Right-click Print, choose New, and then click DWORD (32-bit) Value.
- Type RpcAuthnLevelPrivacyEnabled and then press Enter.
- Right-click RpcAuthnLevelPrivacyEnabled and then click Modify.
- In the Value data box, type 1 and then click OK.
Note: This update introduces support for the RpcAuthnLevelPrivacyEnabled registry value to increase the authentication level for printer IRemoteWinspool.
Registry subkey | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print
Value | RpcAuthnLevelPrivacyEnabled
Data type | REG_DWORD
Data | 1: Enables Enforcement mode. Before you enable Enforcement mode on the server side, make sure all client devices have installed the Windows update released on January 12, 2021 or a later Windows update. This fix increases the authentication level for the printer IRemoteWinspool RPC interface and adds a new policy and registry value on the server side that forces the client to use the new authentication level when Enforcement mode is applied. If the client device does not have the January 12, 2021 security update or a later Windows update applied, printing will break when the client connects to the server through the IRemoteWinspool interface. 0: Not recommended. Disables the increased authentication level for printer IRemoteWinspool, and your devices are not protected.
Default | Default behavior after installing updates when registry key is not set:
Is a Restart required? | Yes, a device restart or a restart of the spooler service is required.
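The Step 2 registry change can also be audited and applied from an elevated PowerShell session on the print server. The script below is an added example, not part of the original article or Microsoft's own code; the function name Get-SpoolerPrivacyState and the -Enforce switch are hypothetical names chosen for this example.

```powershell
# Added example: audit (and optionally set) RpcAuthnLevelPrivacyEnabled.
# Run elevated on the print server. -Enforce is a hypothetical switch name.
param(
    [switch]$Enforce   # when present, write the value and restart the spooler
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$name = 'RpcAuthnLevelPrivacyEnabled'

function Get-SpoolerPrivacyState {
    # Maps the registry value to 'NotSet', 'Disabled' (0) or 'Enforced' (1).
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotSet' }
    switch ([int]$prop.$name) {
        1       { 'Enforced' }
        0       { 'Disabled' }
        default { "Unexpected($($prop.$name))" }
    }
}

$before = Get-SpoolerPrivacyState
Write-Output "Current state of ${name}: $before"

if ($Enforce -and $before -ne 'Enforced') {
    # REG_DWORD 1 enables Enforcement mode. Only do this once every client
    # has the January 12, 2021 update or later, or printing will break.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force |
        Out-Null

    # The new value takes effect after a spooler (or device) restart.
    Restart-Service -Name Spooler -Force
    Write-Output "New state of ${name}: $(Get-SpoolerPrivacyState)"
}
elseif ($before -eq 'NotSet') {
    # With no value present, behaviour depends on which update phase is installed.
    Write-Output 'Value not set: behaviour follows the installed update phase.'
}
elseif ($before -eq 'Disabled') {
    Write-Output 'Increased authentication level is disabled; server is not protected.'
}
```

Run without arguments to report the current state only; add -Enforce after all clients are patched.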