carbonbase

Is there a way I can disable the print spooler on multiple servers?

Hi, I've just received details of this Microsoft vulnerability:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Just wondering what's the best way to stop & disable the print spooler on multiple servers. I would like to do this without rebooting the servers, so I don't think GPO would work. Can this be done in PowerShell or Config Manager?

Thanks.
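The PowerShell route the question asks about, as an added example that is not from the thread or from any of its participants: a function that stops and disables the Spooler over PowerShell remoting on whatever list of servers you pass it, without a reboot or a GPO, and returns one result object per server so the failures are visible instead of scrolling past. It assumes Windows PowerShell 5.1 on the admin workstation, WinRM/PowerShell remoting enabled on the targets, an account with local administrator rights on each of them, and the server names `SRV01`..`SRV03` are placeholders.

```powershell
# Added example (not from the thread): stop and disable the Print Spooler on a
# list of servers from one admin workstation and report the outcome per server.
# Assumptions: Windows PowerShell 5.1, WinRM enabled on the targets, and an
# account that is a local administrator on each target. Server names below are
# placeholders.

function Disable-PrintSpoolerRemote {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($computer in $ComputerName) {
            # -WhatIf lists the targets without touching them.
            if (-not $PSCmdlet.ShouldProcess($computer, 'Stop and disable Spooler')) { continue }
            try {
                # Everything runs on the target itself, so no reboot is needed.
                Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                    $svc = Get-Service -Name Spooler
                    $before = $svc.Status
                    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
                    # Disabled startup type keeps it from coming back at next boot.
                    Set-Service -Name Spooler -StartupType Disabled
                    $svc = Get-Service -Name Spooler
                    [pscustomobject]@{
                        ComputerName = $env:COMPUTERNAME
                        StatusBefore = $before
                        Status       = $svc.Status
                        StartType    = $svc.StartType
                        Succeeded    = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
                        Error        = $null
                    }
                }
            }
            catch {
                # Unreachable host, access denied, remoting not enabled, etc.
                [pscustomobject]@{
                    ComputerName = $computer
                    StatusBefore = $null
                    Status       = $null
                    StartType    = $null
                    Succeeded    = $false
                    Error        = $_.Exception.Message
                }
            }
        }
    }
}

# Usage (placeholder names). Servers that still need attention are the ones
# with Succeeded = False; those are the ones to go back and look at.
$servers = 'SRV01', 'SRV02', 'SRV03'
$results = Disable-PrintSpoolerRemote -ComputerName $servers
$results | Format-Table ComputerName, StatusBefore, Status, StartType, Succeeded, Error -AutoSize
$results | Where-Object { -not $_.Succeeded }
```

The function disables the service unconditionally on every name it is given, so build the list yourself and leave out servers that actually have to print (a print server needs the Spooler running), rather than pointing it at every machine in the domain.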

Last comment: Philip Elder, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
James Rankin

carbonbase

ASKER
Thanks. If it's a computer policy, wouldn't I need to reboot the server to pick up the new policy? Or forcing a policy refresh at the command line, which often prompts for a reboot anyway, would involve logging into each server.
James Rankin

No. Running gpupdate will refresh the policy and apply it. You can do a refresh from GPMC for all machines in an OU. Just right-click the OU and choose "Group Policy Update".
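The GPMC "Group Policy Update" described above can also be scripted, which matters when there are many OUs or you want a record of what happened afterwards. The following is an added example, not code from the thread or from James Rankin: it triggers the same remote refresh for every computer in one OU with `Invoke-GPUpdate`, then checks the Spooler on each machine. It assumes the RSAT GroupPolicy and ActiveDirectory modules on the admin workstation, WinRM on the targets, and a computer GPO that already sets the Spooler service to Disabled; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the thread): script the GPMC "Group Policy Update"
# for every computer in an OU, then verify the Print Spooler afterwards.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules, WinRM on the targets,
# and a computer GPO that sets the Spooler service to Disabled. The OU DN is a
# placeholder.

Import-Module GroupPolicy, ActiveDirectory

$ou = 'OU=Servers,DC=example,DC=com'   # placeholder
$computers = Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName

# Same mechanism as right-clicking the OU in GPMC: schedules gpupdate /force on
# each machine. RandomDelayInMinutes 0 runs it immediately instead of staggering.
foreach ($c in $computers) {
    try {
        Invoke-GPUpdate -Computer $c -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
    }
    catch {
        Write-Warning "$c : $($_.Exception.Message)"
    }
}

# A Disabled startup type set by policy does not stop a service that is already
# running; it only prevents the next start. Verify both values and stop leftovers.
$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    $svc = Get-Service -Name Spooler
    if ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
        $svc.Refresh()
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        StartType = $svc.StartType
        Status    = $svc.Status
    }
}

$report | Sort-Object Computer | Format-Table -AutoSize

# Hosts that could not be reached for the verification step.
foreach ($e in $remoteErrors) { Write-Warning $e.Exception.Message }
```

Anything that shows StartType other than Disabled after the refresh either did not get the policy (check the warnings from the refresh loop and `gpresult /r /scope:computer` on the box) or is outside the GPO's scope.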
carbonbase

ASKER
Thanks for your advice!
Philip Elder

Here's some PowerShell for you. The first checks, the second disables, and the third modifies the ACLs on the directory the rogue .DLL gets dropped on:
# Detection by Bronson M.
# Query the Spooler service on every domain controller. Get-Service -ComputerName
# needs Windows PowerShell 5.1 (the parameter was removed in PowerShell 7).
Get-ADDomain | ForEach-Object ReplicaDirectoryServers | ForEach-Object {
    Get-Service -Name Spooler -ComputerName $_ -ErrorAction SilentlyContinue |
        Select-Object MachineName, Status, StartType
}

# Mitigation Option 1: kill the service on DCs
# Stops the Spooler and sets it to Disabled so it does not come back at next boot.
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($DC in $DCs) {
    Invoke-Command -ComputerName $DC -ScriptBlock {
        Stop-Service -Name Spooler
        Set-Service -Name Spooler -StartupType Disabled
    }
}

# Mitigation Option 2 (run locally on each server)
# Step 2a: Set Permissions
# Deny SYSTEM the Modify right on the print drivers folder, inherited by its
# subfolders and files, so the spooler cannot write a new driver DLL there.
# Note: this also blocks legitimate driver installation until step 2b reverts it.
$Path = "C:\Windows\System32\spool\drivers"
$Acl = Get-Acl $Path
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)
Set-Acl $Path $Acl

# Step 2b: Remove the Above
# Rebuild the identical rule and remove it to restore the original ACL.
$Path = "C:\Windows\System32\spool\drivers"
$Acl = Get-Acl $Path
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.RemoveAccessRule($Ar)
Set-Acl $Path $Acl
