Alex:
Hello, everyone. We're back with Dem in 20, episode five. Good to see you all. This is the Digital Experience Show by 1E where we solve your digital experience management issues in 20 minutes or less, or your money back, terms and conditions may apply. Today, I'm your host, Alex. I'm with Michael. How you doing?
Michael:
Hey, I'm doing well. Thanks so much, everyone, for joining us. That's correct, Dem in 20. We're back at it and we're on demand now. We've created something special where you can just find everything in one place, this episode and all existing episodes. You can come back to this window. You can bookmark it if you like. You can always pick up right where you left off. We're really excited that you joined us for episode five.
Michael:
Today, we're going to be talking about printers, the exciting world of printers, and whether printing audits will continue to exist or printers themselves, with us going back to the offices, whether that even happens. Do you need a printer? Are we going eco-friendly? Do we need to keep printing in general? Lots of things to consider. What do you think about printers? Are they going to come back?
Alex:
I've been having nightmares about printers, Michael. I don't know about you. Dream bad, bad dreams about the printers. It couldn't be more topical to have this topic this week, the coming weeks. I know that everyone in IT has been really rushing to solve this issue. Can't wait to introduce our guest in just a minute, but I think printers in the office, yeah, they're going to come back. That's normal, but I think where it's really interesting is printers at home. Those who do have those, how do you manage those? How do you audit those? I don't know, so let's introduce our guest. Gary, welcome to the show. How are you doing?
Gary Edwards:
Hello, folks, My name is Gary Edwards. I'm the Senior Solutions Architect or Engineer from 1E. I've been in the industry since, gosh, let's just say 30 years or so, so long time. Happy to be here.
Alex:
It's good to have you.
Michael:
And your expertise, especially as we talk about printers and how awesome they are.
Gary Edwards:
Absolutely. If most of you follow the news, the last few weeks have been a rush of activity with Microsoft getting their new CVE bulletin out with printers and enterprises are struggling to figure out how are they going to manage their printer environment? How are they going to audit what's going on in their printer environment? Then by all means, how are they going to stop these security holes that have come out in the last couple of months?
Alex:
Yeah, precisely. I think everyone's really interested to hear about your perspective on this and will audits exist in the future? Run us through, high-level, what you're going to be showing us today.
Gary Edwards:
Sure. We'll be talking about today, obviously making sure all your enterprise workstations are patched, so main thing. Microsoft releases a patch. You've got to have it patched and then are there any other loopholes, are any type of security flaws in those patches? Then if they are, how do you fix them? How do you make your environment secure? We'll take a look at this little thing called the spooler, which has been around forever. You talked about printing auditing. Yeah, if you're going to print there's this little service that runs in the background on Windows. Has been for years, called a print spooler service. It's always on. Comes on when you start your machine up. There's really no user interactions. There's nothing in the task bar that you can say, "Oh, yeah, I need to maybe turn that off," or that type thing. It sits there waiting for a user like yourself to click something to print and then it clicks in.
Gary Edwards:
Two months ago, the Microsoft Security Response Center started getting some word that some cybersecurity researchers found a hole or a bug, if you will, around the print spooler. The bug was severe enough, the security flaw, that bad guys could exploit it and literally be able to go view data on a machine remotely, be able to add applications to the machine, delete data, even create additional administrator accounts. Now they have full access to your machine. So let's talk for a minute.
Gary Edwards:
I'm going to share a screen and we'll talk about what Microsoft released. So, Microsoft came out... The cybersecurity researchers heard about this and that people had the ability to target the print spooler. It was severe enough that Microsoft released a CVE, which is common vulnerabilities and exposures classification. At CVE-2021-34527, and you see it here on my screen, and it came out July 1st. Now Microsoft said, "We're aware this bug's been found. This flaw has been found. How do we solve it?" Their developers did a bunch of work. If you scroll down, what they do is, "Oh, here's some registry settings that we can apply. We can change these registry settings, meaning audit your computers, audit your printers and make sure HKEY local machine software, your print settings are configured correctly." It sounds all well and good. They released the CVE. Patches went out. Microsoft's print nightmare wasn't over yet.
Gary Edwards:
In other words, then we start getting these type articles. This is from The Guardian. This was from The Guardian updated a week after Microsoft released that CVE print, says, "Hey, hang on. This emergency update happened. It's not enough just to change the registry settings." There's a lot of articles out there like this. In effect, if I scroll down, this is what they're saying. In short, disable the vulnerability of the print spooler service on your Windows system to prevent exploitation. Meaning that's the one-two punch. Not only do we have to change the registry, we've got to make sure these settings are secure. They're saying disable printing. What's that going to do to your environment? What's that going to do to your enterprise environment? What's that going to do to your home users? Are we now all going to disable our print spoolers? Even furthermore, how do you go about doing that in an enterprise that may have 80,000 endpoints or more? Let's talk about some of the different capabilities of our platform, the Tachyon platform and how we can solve and remediate these issues.
Michael:
Because that's no simple ask. Just turn it all off. Stop printing. Shut it down.
Gary Edwards:
Stop printing. Sorry. You got to print out your, I don't know your trip summary or your trip itinerary. You can't print that. Just put it on your phone. No, we all still will need to print. This isn't going away of checks and a checkbook. Most of us can get around checks for right now. You still once in a while have to print out something. You've got to be able to enable your users, still some print functionality, but the caveat is how do you secure your network? Let's take a look at how Tachyon, our platform, gives you the options to not only quickly remediate this, but find out what's going on in your environment. We'll talk a couple of different ways.
Gary Edwards:
We're going on into Tachyon Explorer, which allows us the ability to immediately ask queries in real time against our end points. In this case, I want to be able to go out and ask what registry settings do we have? I'm typing in registry and one of the keys under the registry key is sub key. Let's type in this environment, ask this question. Now, as you can see right away, I get a return, my responses coming back in, and I already got a response from 23,000 people. 23,000 endpoints. It shows me what's going on on the device and that the registry values are not set. That's critical. That's the first part of Microsoft's CVE solution is set these registry keys. Let's go out and then I'll show you the ability within Tachyon Explorer again, I can go out and actually set a registry value and go set the key, HKEY local machine, software, all the way down the path and set it to the value that they recommend. That gives us the ability for the first part of the remediation for Microsoft. Does that make sense?
Alex:
Yeah, that makes a ton of sense. I have a question. Obviously, we're using the power of Explorer here to manipulate many machines' registries all at once. How would you go about manipulating an entire estate's worth of registry keys without this tool?
Gary Edwards:
It would be really difficult. A couple of different ways. You'd have to create a group policy and push it out that way. You could create a PowerShell script or some VB script to be able to push it out because you're talking as my largest customer is 600,000 endpoints. That's huge. Now I've got to go out and be able to manipulate and change those settings and then reinforce those settings. That's a critical piece. Does that make sense, Alex?
Alex:
Yeah, that's a great answer. Thank you.
Gary Edwards:
Absolutely. The next thing we want to take a look at is Microsoft said then, "You need to be able to stop this print spooler service." In our environment, and I came back to my lab, this is my Azure Instance, for printer auditing, we need to be able to take a look at things like the spooler service. Notice I've shifted over to one of my Azure instances, which is PC0004, and the spooler service is running. Well, according to Microsoft, we need to stop that and we need to disable that. I'm going to minimize this screen for a sec and let's go out and take a look at printers.
Gary Edwards:
First, for auditing capability, I need to be able to audit what's going on in my environment. I'm simply querying my Azure lab environment to see what printers we actually have in the environment. Then notice there's a desktop-Edwards machine. That's my home machine. I actually have it connected to my Azure lab. If we scroll down, I've got HP Office Jet, a 6960, an 8710. I've got a couple of different printers. I'm definitely vulnerable, if you will, to this print nightmare.
Gary Edwards:
Now, for us to change, according to Microsoft's documentation, I need to be able to change service name. Remember, we had the print spooler running. I am going to change the spooler service. Spooler service, its start-up type to disabled and I'm going to stop it. We already saw it was running. Now, in my environment, Tachyon, we built a solution to have approval workflows throughout. If a user, even an admin like in my lab, is trying to do something like delete a registry key, change a registry key, to stop a service, delete files, we need to be able to approve those. I'm confirming my credentials and I'm opening a second window that is a different user in my lab. I will approve this spooler startup query for instruction. I approve that. I go back over to my initial window and notice, I've stopped the spooler service on all my machines, my desktop, my PC004, my002, my 1E01, which is my server.
Gary Edwards:
Now, how can I confirm that? Let's go back over to PC004. Here's where we were. I can now refresh that screen and notice boom, it's disabled and the start-up service is set to stop. That's one way to stop it in your environment, but how do I do that consistently? How do I keep people from coming in here and modifying the spooler service maybe and going automatic, click apply and start it back up? Now, boom, I've got a vulnerability again.
Michael:
Yeah, because there's lots of people that, like myself, would probably just go on Google and try to maybe troubleshoot based off of tips and tricks.
Gary Edwards:
Absolutely. How do I start my printer? Absolutely. Within Tachyon, one of our other modules is called Guaranteed State. What Guaranteed State does is it reinforces rules and policies on our endpoints to keep them compliant. How does that fit into printer auditing and this print nightmare? Because somebody started a print spooler service, stop it. I can see with our dashboard right away, my compliance in my environment and my non-compliance in my environment. I've also gone out and created a rule in Guaranteed State. I'm going to do a quick search for that rule and it contains print nightmare since that was the relevant topic for this. Here's my rule. Print spooler service state and start-up values. The rule is, and notice it's a fixed rule, meaning it has the ability to continually fix or take action on the end points that this is applied to, ensure the print spooler service has the correct state and the startup type and #printnightmare. That will allow me-
Michael:
Does that mean ...
Gary Edwards:
Yeah, go ahead.
Michael:
Sorry to interrupt. Say we know Microsoft published the CVE at the start of the month. Then a couple of weeks later, there's a bit of news around there's still vulnerabilities. The threat actor comes up and finds another loophole. It's not really going to matter technically because if they breach it or find that, typically anytime this detects that it's been switched back on, it's going to switch it off.
Gary Edwards:
It's going to switch it back off. Absolutely. You can set this trigger for a certain amount of time. In other words, I could say, if we find it, leave it on for five minutes because users may be printing or we say, stop it immediately. Now what does that do in our environment? All of a sudden, nobody can print in my network. Notice my lab, when I did that, all my machines, my desktop, my PC03, my 04, everybody had the print spooler service stopped. Well, with our tight integration with our partner, ServiceNow, we have the ability to go out and enable self-service. Let's say Alex, or you Michael, needs to print something, yet we stopped the print spooler service. That's our security requirement. Boom, no print spooler service because security hole. Let's be able to enable it and start it on demand and then shut it back off.
Gary Edwards:
Since we've partnered with ServiceNow we have the ability to go out in things like our service catalog and run Tachyon instructions directly from ServiceNow. In this environment, when we take a look at our integration with Chat Bot, I can go out and say things like print and go I want to check printers, so printer and see if I can find something on printers. Here's our office printer. Now, what this allows us to do is behind the scenes, Tachyon instructions would be taking over and clicking off the print spooler service, enabling it and then we have a rule, once again, Guaranteed State, would shut it back down the next time it's triggered.
Gary Edwards:
We have the same thing, you could allow this within the ServiceNow catalog. With the catalog, we could go out, end these type services or software, whatever. This gives your users, then, self-service capability to be able to go out. I need to print a document. Boom, go into the service catalog, print it, and then Guaranteed State will stop the print spooler service. That stops the print nightmare. Does that make sense? Questions?
Michael:
I'm just trying to think here. Does this impact, I get that we're back in the office and we want to make sure that we have control over the office printers, but my wife has started to resell old baby clothes, and she has to print shipping labels on our printer. Is this something that I need to...
Gary Edwards:
In your home environment, it's something you need to worry about. Make sure you, at least you're up-to-date with the security patches that Microsoft's released. Now, with your home computer, do you want to stop the print spooler? To be totally secure, yes, you should stop your print spooler service. Maybe create a shortcut on your desktop to the Services applet, so you can go out any time you want to print, go start the print spooler and then turn it off. Until Microsoft releases another patch to truly fix this security flaw, that's what we're relegated to is stopping the service that runs in the background.
Alex:
I guess that's where my question leads into is I think this really shows, to me at least, and correct me if I'm wrong, the flexibility of this tool. Let's say Microsoft has fixed this issue. They've patched it out and print spooler is now safe, so you can just disable that rule whilst not deleting it. Is that right?
Gary Edwards:
Absolutely. Yes, absolutely, Alex. Great observation.
Alex:
Super interesting. Obviously, this would work for any other service. Let's say another service starts behaving badly. Same device rules etc.
Gary Edwards:
Same type. We have, within the Tachyon platform and [inaudible 00:19:01] within Guaranteed State, the ability to fix all your CM health issues, all your Windows client health issues. Meaning if WMI repository is not consistent, fix it, if it gets corrupted. If the Windows configuration manager, or MECM manager client gets corrupted, re-install it, fix it. That's one of the beautiful things about the Tachyon platform and specifically the Guaranteed State is keep your machines consistent while connected to the network and fix any security vulnerabilities.
Michael:
Nice. Just one extra way to augment Microsoft's modern management when it comes to Tachyon.
Gary Edwards:
Absolutely. Absolutely. Hopefully, this was helpful.
Michael:
Yeah, very helpful.
Alex:
Thank you so much for coming on Gary. I think our audience really, really appreciate it. Not only the way that you segmented the topics. I found it as a sort of a novice, very easy to understand. I'm already thinking about the possibilities outside of printers and hopefully, my nightmares will be solved. How are we doing for time, Michael?
Michael:
Yeah, we're wrapping it up. We've got a minute. Just under a minute to go.
Alex:
Great. We're going to use this time to let you know that episode six is coming on the 11th of August. You should view that. What are we talking about?
Michael:
It's about devices and whether they're compliant and if they're not compliant, are they considered dangerous? Technically, what we talked about there around the spooler, if that was not compliant, then it could be dangerous if it was on automatically. We're going to dig down to that to a bit more detail. Definitely join us in two weeks' time or just the 11th if you're watching this on demand and you've bookmarked our page.
Gary Edwards:
Sounds like a good one.
Alex:
Thank you so much for watching, everyone. This has been Dem in 20. This has been 20 minutes. Thank you. See you next time.
Michael:
Appreciate it. Thanks, Gary.
Gary Edwards:
Thanks, folks. Bye.