The Future of Print Management in Higher Education 

In recent years, shifting print trends have forced universities to rethink their approach to print management. 

Although print volumes have declined, print is still a basic necessity for students and staff. However, managing print creates conflicting priorities for IT. On one hand, it’s often an afterthought, excluded from robust security protocols. On the other hand, it consumes significant resources and requires ongoing maintenance to function smoothly. 

What can universities do to make sure students can easily print when they need to? How can campuses keep the system running securely 24/7 without bogging down IT? 

The answer, as with many IT challenges today, lies in the cloud. 

Delivering a Seamless Student Experience  

Given the challenges around attracting and retaining students today, providing them with the best experience possible has become a core focus for universities. From a print perspective, this means creating an environment where printing is simple and solves students’ biggest challenges around printing. 

Moving print infrastructure to the cloud provides 24/7 reliability of print services, allowing students to: 

  • Easily connect to the nearest printer from anywhere on campus with any device, without having to download new drivers 
  • Avoid sending jobs to devices needing support, which the system automatically takes offline 
  • Access self-serve support for tasks like changing passcodes and connecting to printers without having to submit a help desk ticket 

Reducing the IT Print Burden 

Print continues to be a persistent challenge for IT departments, requiring significant resources for server maintenance, driver management, and resolving individual printer issues. 

A cloud-based printing solution designed specifically for higher education can cut the time IT departments spend on print in half and deliver significant cost savings from: 

  • Eliminating print servers, saving an average of $7,500 annually per server 
  • Reducing labor hours spent on driver management, server upgrades, and IT help desk tickets 
  • Automatically scanning the network for error codes to find devices that need toner, color or servicing, taking them offline and sending jobs to other nearby printers 

As institutions’ network models evolve towards decentralization or software-based networking, print historically either doesn’t work in those scenarios or has to be the exception case. That’s no longer true with cloud-based printing, as tools like end-to-end encryption bring print in line with security frameworks such as zero-trust. 

Analytics-Driven Efficiency 

Print in higher education is undergoing a shift towards greater efficiency, where IT will have complete visibility into printer performance and status – irrespective of device manufacturer – via web dashboards without having to visit individual devices. All of this will be driven by robust analytics that enable IT teams to: 

  • Get detailed data for drilling down and finding patterns of waste among different devices, users, and groups 
  • Improve device utilization and load balancing, for example by identifying underutilized printers that might be more useful elsewhere 
  • Identify which printers are likely to fail and should be flagged for service or replacement 

Making the Mindset Shift Around Cost Recovery 

Cloud print management is forcing a mindset shift around the traditional cost recovery model in universities. For decades, universities have treated upfront billing for print costs as a revenue stream. 

When they run the numbers, however, they often make an eye-opening discovery: 

The amount they spend on labor, IT and accounting resources to manage the process of reconciling student print accounts far surpasses the costs they recover. 

With the cloud, universities can automatically collect data from print jobs and send it directly to the accounting or bursar’s office. This allows them to recover costs based on what students actually use—which universities need to track regardless—and charge print jobs to specific departments or grants. 

The Future is Here 

As IT infrastructure continues its shift to the cloud, print management in higher education is ripe for transformation. A robust PrintOps platform like Pharos Cloud Education Edition provides the tools universities need to: 

  • Deliver a seamless student experience that makes print easy 
  • Eliminate onsite print infrastructure and server management 
  • Manage fewer drivers by deploying the IPP Everywhere driver 
  • Reduce printing costs through quotas, chargeback, and secure release, plus advanced analytics to find cost-saving opportunities 
  • Create a print environment that supports zero-trust security principles 

Much of how universities used to think about print is starting to go by the wayside. Addressing the challenges of users, administrators, and IT demands a new way of thinking, and print infrastructure aligned with the university’s overall migration strategy. 

The Print Security Landscape, 2023 Report by Quocirca

The Print Security Landscape, 2023 report by Quocirca

Quocirca’s Global Print Security Landscape 2023 report highlights continuous security challenges for organisations, with 61% experiencing at least one print-related data breach in the past year. By delving into this report, readers can gain comprehensive insights into the evolving landscape of print security, including understanding the discrepancies between key stakeholders’ perspectives, which is instrumental in developing effective strategies to strengthen their own organization’s print security and mitigate potential risks.

Access the Report

PrintNightmare: Securing Your Print Infrastructure

Introduction

Since 2021, the “PrintNightmare” issue has become a topic of concern. This class of vulnerabilities affects Windows-based devices, including servers, desktops, and laptops. The vulnerabilities are found in the print spooler service, which is enabled by default and responsible for managing printers and printing documents. This article aims to explore the PrintNightmare problem, its implications, and long-term solutions to secure your print infrastructure.

The Print Nightmare Story

Understanding the Problem

In June of 2021, a vulnerability in Microsoft’s print spooler software, known as CVE-2021-34527 or “PrintNightmare,” was identified. This vulnerability allows remote network access to exploit the system, gaining privileged access rights and executing malicious code. It poses a significant risk as attackers can remotely control the affected system, potentially stealing sensitive data or disrupting operations.

Print Spooler Service: A Brief Overview

The print spooler service is responsible for managing printer connections and operations on Windows-based devices. It facilitates communication between the device and printers, ensuring compatibility by downloading and installing the required printer drivers. Additionally, it handles print jobs by organizing queues, prioritizing tasks, and buffering data into the printer’s memory.

Domain controllers also utilize the print spooler service for managing printers on a network. However, this introduces a security vulnerability, as any authenticated user can remotely connect to the print spooler service of a domain controller, compromising network security controls.

The print spooler service also allows Windows devices to act as print clients or print servers. While this ease of use is convenient, it grants privileged access to the print spooler service across the entire network, bypassing security controls and automatically updating printer drivers.

The Risk with PrintNightmare

The PrintNightmare vulnerability enables attackers external to the network to upload malicious code disguised as a Dynamic-link Library (DLL). This code can be executed with administrator privileges across the network, providing an entry point for further attacks and potential data exfiltration. The presence of proof-of-concept code circulating in the hacker community further exacerbates this risk.

Continuing Challenges

Although efforts have been made to patch the PrintNightmare vulnerability, new flaws in the Windows print spooler service continue to be identified. These vulnerabilities, such as CVE-2021-34481, pose critical risks, including local privilege escalation and potential Remote Code Execution (RCE) exploits. To mitigate these risks, it is recommended to temporarily stop and disable the print spooler service until all security patches are applied.

Long-Term Protective Measures Against PrintNightmare

Option 1: Patching and Praying

Keeping up with security patches for printer spooler service vulnerabilities provides a level of protection. However, the existence of well-resourced hackers who exploit vulnerabilities before patches are released poses a significant risk. Organizations must consider the potential consequences of falling victim to attacks targeting their intellectual property or sensitive information.

Option 2: Moving Print Services to a Secure Cloud-Based Solution

To effectively address the vulnerabilities introduced by Windows-based print servers, a long-term solution should eliminate the inherent weaknesses. Migrating print services to a secure cloud-based print management solution offers several advantages:

  1. Elimination of Printer Driver Management: Legacy communication protocols used by printer drivers often introduce security vulnerabilities. A cloud-based solution that eliminates the reliance on manufacturer drivers ensures secure connectivity by default.
  2. Improved Security Controls: By using a cloud-based service, the need for network-wide access and exceptions for print services is eliminated. This simplifies configuration and enhances overall security.
  3. Mitigation of Legacy Protocol Risks: Older operating systems rely on legacy print protocols that can be exploited. Cloud-based secure printing solutions enforce secure protocols, minimizing the risks associated with legacy support.
  4. Isolation of Print Functions: Dedicated print servers separate print functions from multi-use servers, reducing vulnerabilities and potential misconfigurations.
  5. Enhanced Encryption: Cloud-based secure printing solutions encrypt all print file transmission and storage, protecting against eavesdropping and unauthorized access.

Pharos Cloud: A Secure Solution

Pharos Cloud offers a serverless printing infrastructure that ensures secure and direct-to-printer workflows for businesses. By replacing Windows-based print servers with Pharos Cloud’s cloud-based print management solution, organizations can eliminate print spooler services, printer drivers, and associated vulnerabilities.

The benefits of adopting Pharos Cloud include:

  1. Reduced Attack Surface: Centralized cloud print management minimizes security risks by eliminating the need for print spooler services on every Windows-based device, including domain controllers.
  2. Simplified Security Configuration: Security software no longer needs to include print services in allow lists and exceptions, closing potential security holes.
  3. Robust Encryption: Pharos Cloud employs strong encryption algorithms to protect print job communications and data at rest, ensuring maximum security.
  4. Compatibility and Ease of Use: Pharos Cloud seamlessly integrates with existing infrastructure and does not require workstation or printer fleet upgrades. It simplifies administration tasks and improves the overall printing experience.

By adopting Pharos Cloud’s cloud-based serverless secure printing service, organizations can mitigate the risks associated with the PrintNightmare vulnerability and future vulnerabilities yet to be discovered. This solution offers compatibility, enhanced security, and reduced administrative workload, ensuring a win-win situation for businesses while thwarting potential hackers.

Conclusion

Securing your print infrastructure is crucial in the face of vulnerabilities like PrintNightmare. Organizations must consider long-term solutions that address the weaknesses of Windows-based print servers. Migrating to a cloud-based print management solution, such as Pharos Cloud, offers enhanced security, reduced attack surfaces, simplified administration, and robust encryption. By proactively adopting these measures, businesses can wake up from the PrintNightmare without sacrificing their printing capabilities and ensure a more secure future.

Now available: Uniprint 9.2 release enhances user experience!

Pharos is happy to announce the release of Uniprint 9.2! Uniprint continues to be the premier print management solution trusted by higher education institutions and libraries looking to control and recover printing costs while providing students and staff with intuitive and efficient printing options. The new release includes updates that enhance the user experience and security.   

Common User Interface 

Uniprint 9.2 sets the groundwork for a consistent UI and user experience across all multifunction printers—regardless of manufacturer—with the introduction of Pharos Sentry Print, our next-generation embedded platform for supported MFP models.  The embedded Sentry Print application operates as a layered interface above the printer manufacturer’s interface to provide print release and copy services. A consistent look-and-feel and user experience across all devices helps institutions with multi-vendor printer fleets reduce the onboarding and training required for staff—and particularly new incoming students every year—as well as service tickets for IT. In addition, the UI can be customized to match the look and feel of your institution with logo and school colors.  

At this time, the common UI is supported on Canon, HP, Konica Minolta, and Ricoh devices. Pharos is working closely with other leading print device manufacturers to expand support of the Common UI onto their MFPs.   

Touchless printing via Proximity Card 

Service Pack 3 of Uniprint 9.1 introduced touchless printing with QR code release from Pharos MobilePrint™. Uniprint 9.2, introduces another way administrators can provide touchless workflows for students and staff who prefer not to touch printer control panels to reduce their exposure to shared surfaces. On Canon, HP, Konica Minolta, and Ricoh devices, Users can now simply tap or swipe their supported proximity card at their preferred printer, and all documents in their queue will begin printing.  

IPPS/IPP release for secure jobs 

IPPS (Internet Printing Protocol, Secured) has been added as a method of delivering print jobs from Uniprint servers to printers. To further enhance the security of print jobs, Uniprint utilizes IPPS to encrypt print jobs and protect the “last mile,” helping keep print jobs safe from threats, such as sniffer software. 

Chrome printing 

Service Pack 3 of Uniprint 9.1 also introduced Chromebook support for customers looking to transition from the since-retired, Google Print Cloud. Uniprint 9.2 makes it easy to natively print securely from a Chrome OS device or Chrome browser without requiring Pharos MobilePrint to render the jobs.  

To learn more about the full capabilities of the Uniprint 9.2 release, read the brochure and release documentation

Preview: What’s New with Uniprint 9.2

Preview: What’s New with Uniprint 9.2

Join Product Manager Swati Agarwal as she previews the upcoming release of Pharos’ Uniprint 9.2 release. We encourage you to attend this session to learn about new enhancements that will help organizations:

  • Reduce training requirements with a consistent look-and-feel
  • Simplify administrative burden of managing printers
  • Enhance the security of print jobs
  • Support Chrome printing
  • And more!

Optimize Print with Pharos

Learn more about how to simplify print security, increase IT productivity, and cut waste with Pharos Cloud. Schedule a meeting with us today.

Request More Information
Screenshots of Pharos Cloud on mobile and desktop devices.

Hope and Resilience: A New Years Message from our CEO

I wish a very Happy New Year to all of our partners, customers and friends on this first month of 2022!

As one year welcomes the next, millions of people are taking this time to reflect on the past year to assess what was and to envision the year ahead to make choices on what can be. So, I take this moment to share some of my thoughts with you.

Most anyone would describe 2021 as anything but a normal year. I heard one commentator referring to this past year as a ‘lost year’, but I believe 2021 challenged us to be more alive and more aware than most years. With so many unknowns between the pandemic, the impact of social distancing on work and life, the challenges of global supply shortages, the impacts of fires and natural disasters, unprecedented cybersecurity threats, and so much more sent our way, it is easy to feel lost and destabilized. However, the challenge to each of us has not changed. Each and every year, and each and every minute, our challenges are the same – to grow in resilience as individuals and a society. That is, to accept whatever life presents us and expand our ability to respond in the healthiest way possible.

I believe this is what it means to be human, to live a good and meaningful life. Any living being, individual, organization or society measures its health by its ability to adapt. Witness the adaptation of the virus to find ever new ways to accelerate its growth. We are no different, needing to assess the world as it is and choose actions that accelerate growth. This is why 2021 presented us so many opportunities to be more alive and more human than most years. It asked us to become more alert to changes around us and more adept at choosing healthy responses.

This is true for Pharos as well and how we serve in the world. While our customers’ fundamental needs changed little this past year – they still needed to create environments in which employees can work effectively and efficiently from wherever they may be, optimize the use of assets (the most valuable of which is time), and ensure a secure and safe work environment for their employees and customers they serve – the way those needs present themselves changed considerably.

The new hybrid workforce (working from home, the coffee shop and elsewhere) has become a longer-term reality, not the blip we once anticipated. This accelerated digital and cloud transformation from a vision of the future to today’s reality. Zero infrastructure and zero trust networks are becoming widespread – even mandatory in the Federal Government. There is more pressure than ever to act and adapt quickly and decisively.

In 2021, Pharos worked to support our customers facing these challenges. We significantly increased our investment in our safe, zero trust, global cloud printing infrastructure, enabling our customers to serve their end users better while reducing the time and cost burden on IT to manage the growing complexities of the new hybrid reality. We welcomed more clients to our cloud printing platform than in any other year, improving their employee experience and saving them time and money. We adapted our technologies to be zero touch so that employees can feel safe in shared workspaces. In short, we listened to the new problems that our clients are experiencing, and we adapted our services and technologies to meet them.

In a time of significant reductions in office printing, we experienced a strong year of growth serving our current clients. Printing may have declined, but as one client put it, printing remained a ‘dial-tone’ service that must be supplied to workers – even if in ever new ways.

Even as the omicron variant of COVID threatens renewed closures and worker shortages as we begin 2022, it also may usher in a final, and less severe, wave of infection. We will adapt – because that is what healthy species do. I look into the coming days with great optimism – because I look at the people around me, my Pharos colleagues, and those of you we serve and I see the hills we have climbed together. I know that there is no mountain too high for those committed to climb it.

Thank you for the faith you show in Pharos, and the choices you have made to make us part of your journey. We will, in 2022, strive every day to earn the great honor you do us by being a part of our journey.

We wish you health, happiness, faith, and resilience in this New Year!

Printing Trends to Monitor in 2022

2020 and 2021 changed the way people work around the globe and across industries, and printing is no exception. How much companies print—and why and from where—became very different, and the need for improved print workflow and flexibility became apparent.

2022 promises to be different yet again, but it’s unlikely that things will ever go back to pre-pandemic status. For one, hybrid and remote work are here to stay, and digitalization of processes has sped up dramatically in response to COVID-19.

While some offices are opening up and bringing employees back in, many are not, and most employees expect a hybrid remote/in-office situation in 2022. In fact, only 10% of American workers expect to be in the office full-time next year.

While increased numbers of remote employees have impacted the print industry, they haven’t eliminated it by any stretch of the imagination. In fact, it’s likely that by December 2022, on-site print volumes won’t be far off from pre-pandemic levels. Meanwhile, the new landscape could present an exciting opportunity for organizations adopting cloud printingsince providers are well positioned to help streamline offices as they move into the future.

Trends to Monitor in 2022

A majority of workers who work from home now expect to be going back to the office in 2022—but only part-time. 56% of U.S. and 58% of European employees expect to be in a hybrid work situation by January 2022, which means an increase in on-site printing needs. Not to mention, print still plays an important role in workers’ at-home lives, both for work and personal reasons.

Much of what happens in 2022 will be determined by what happens with new COVID-19 variants, so companies need to be prepared for a shifting landscape. Security should be top of mind, and smart IT departments are investing in shoring up vulnerabilities in print equipment and networks. Meanwhile, managed print services are still maintaining traction.

With this in mind, consider some key trends, stats, and predictions to get a picture of what 2022 might look like:

1. Yes, 2020 and 2021 Saw Less Printing Overall, but It Is On the Rebound

It’s worth acknowledging that printing overall saw a drop in 2020 and 2021. Yale University released stats on its own printing needs in 2020 and found that from March to April 2020, there was a 90% decrease in costs associated with paper purchase and a 96% decrease in printing costs. However, office print volumes are expected to recover to 80% of pre-COVID output by December 2022. Meanwhile, home printing is expected to increase by 25% over pre-pandemic levels in that time.

2. Printing Is Still Preferred

55% of respondents in a print-from-home study conducted by Pharos said they’re more productive and retain information better when working with paper. Less than 20% preferred digital documents. This means printing is still important, and in general, printed materials are unlikely to go away anytime soon.

3. Business Printing Is Going Nowhere

According to Quocirca’s 2020 report on printer security, 77% of IT Decision Makers (ITDMs) in the U.S. and Europe believed printing would still be very important to their enterprise in 2021, even though COVID-19 radically changed the face of business interaction and set some employees on the path to permanent remote work. That 77% includes a significant group (29%) who considered printing as “critical” to their business’ success.

4. Demand for Cloud Services (Including Print) Will Continue to Rise

Companies continue to embrace cloud computing for a variety of IT services, and 34% of all organizations use the cloud for all their IT needs, with 70% of them planning to increase their budgets in the future. In fact, the cloud computing sector expects a CAGR of 17.5% between 2020 and 2025, bringing that market to $832 billion. Cloud-based print management stands to be a big part of that uptick.

In a study of 219 organizations conducted in January 2021, over 75% said they expect to adopt cloud print management by 2025, and 45% say cloud print management is a key consideration when choosing a managed print service provider.

At the same time, there’s room for growth here. According to Quocirca’s 2021 market landscape report, 21% of respondents are using cloud print services to manage more than 50% of the workload. This stands to increase in 2022.

5. Security Is Top of Mind

42% of respondents from a global survey say they’re already in the process of adopting a zero trust strategy. In total, 72% have either already adopted zero trust and security principles or plan to in the future. Security concerns were top priority even before the pandemic, but with so many workers working from home now, zero trust principles need to be top of mind, especially in printing, where security vulnerabilities are common.

In fact, 64% of IT Decision Makers in the above-referenced Quocirca report on printer security suffered print-related data loss in 2020, costing them an average of $1 million just from printer security failures. These losses were due to a conglomeration of factors, from malware to cyberattacks to improper disposal of printed material. Given the increased need for remote-ready operations, including the security risks this entails and losses already incurred, 78% of those same ITDMs surveyed planned to increase security spending in 2021. 2022 can be expected to look very similar in this regard.

6. Health Remains a Concern

Concerns over touching shared surfaces are likely here to stay. Perhaps because of these concerns, the gesture recognition and touchless sensing market is expected to grow by 22.6% to $37 billion by 2026. So touchless print release will remain an important innovation. Even academic institutions are getting in on touchless printing, with MIT announcing in February that touchless print release would be available for students returning to campus.

7. Print Analytics Will Be a Major Contributor to Success

As organizations look to keep up with the constantly changing post-pandemic landscape, robust analytics like Pharos’s Beacon Analytics help them understand how the pandemic has impacted their print office printing environment and adjust accordingly. Organizations will leverage actionable insights to identify outliers and cost savings opportunities. Businesses that take advantage of this data to optimize their print environment can remain efficient and ensure employees have the tools needed to stay productive.

9. Companies Are Embracing Managed Print Services

63% of the ITDMs surveyed in the print security report by Quocirca use managed print services, and according to the report, “a managed print service is fundamental to ensuring that an organization operates a secure and cost-efficient print infrastructure.”

Meanwhile, the managed print services market is expected to grow to over $50 billion by 2023 (up from $28 billion in 2016), with a CAGR of 8.5% between 2017 and 2023. Plenty believe this sector is primed for a comeback in 2022.

Specifically, managed service providers (MSPs) who are tailored to hybrid work environments, offering in-office solutions with robust security, stand to have the advantage in this new work paradigm.

Flexibility and Agility Will Define Printing in 2022

2022 promises to be an exciting year for business in general. Although the lingering COVID-19 pandemic isn’t showing signs of disappearing soon, companies and employees have learned a great deal about how to stay productive despite changing circumstances.

Printing, like all other industries, took a hit in 2020, scrambled to adjust in 2021, and now finds itself poised to enter a new era in 2022. The need for improved security, more ways to print regardless of location, and top-notch MSPs to help manage printing in a holistic fashion is clear.

So companies, employees, and print management providers will all have to remain flexible, agile, and innovative as 2022 plays out. Those players that can do this stand to come out ahead not only over the next year but also in the years to come.

Pharos is well positioned to help organizations be at the forefront of this new era. If you’re ready to find out how Pharos can help you adapt to the changing environment and become more resilient, contact us now for a demo of Beacon, Pharos’s innovative cloud-based print management solution.

Pharos Products and Log4j Exploit

December 15th Update: This blog post has been updated with new information as we learn more. For the latest information on Log4j impact on Pharos products and how we’re mitigating the risk of this exploit, please visit our Community Page

Background

Recently, a new zero-day vulnerability in the popular Java library Apache Log4j (CVE-2021-44228) was uncovered. This vulnerability allows attackers to inject arbitrary code in Log4j versions 2.0-2.14.1. This Java library is widely used by multiple closed and open source projects. 

This vulnerability is rated critical (CVSS severity level 10 out of 10), with immediate patching or mitigation recommended if affected, because it allows a possible Remote Code Execution when an attacker sends a malicious code string that gets logged by Log4j. That string allows the attacker to load Java onto a server and therefore take control. 

Impact of Apache Log4j Exploit on Pharos Products

After initial review, Pharos believes that Pharos customers are not impacted by the Log4j JNDI exploit.  

A non-customer facing cloud component used by Pharos was potentially susceptible to log4shell – specifically ElasticSearch, which is used by Pharos to log events across our infrastructure. We have applied patches to all production environments. In addition, Pharos has scanned all our logs and confirmed that no attempts were made to exploit this vulnerability.  

Pharos uses Java in our embedded solutions for some devices; however, the vulnerable library version is not used. 

For more detail and up-to-date information, please visit our technical page on this topic on our community site. If you have further questions, please reach out pharossecurityteam@pharos.com.

PrintNightmare: Securing Your Print Infrastructure

You have no doubt heard about the “PrintNightmare” problem in the news. It’s a class of vulnerabilities in just about every Windows-based device, including servers, desktops, and laptops. The problem is present in the print spooler service that is enabled by default and provides facilities for managing printers and printing documents.

This particular story started on June 8th when Microsoft’s weekly set of patches included a fix for CVE-2021-1675, a flaw in the print spooler service that allowed an attacker to exploit a local privilege escalation (LPE) vulnerability and execute malicious code using the print spooler service.

This is not the first time such a vulnerability has been identified and patched. There’s a long history of attackers using the print spooler service as an entry point to compromise systems. For example, the infamous Stuxnet malware that affected the Iranian nuclear facilities in 2010 used a similar mechanism.

So, what has this got to do with PrintNightmare? Well, it was the actions of a security researcher looking at June’s printer server patch that led to its discovery.

The Print Nightmare Story

What is the Problem?

A vulnerability in Microsoft’s print spooler software was identified on July 1st in CVE-2021-34527, which was dubbed “PrintNightmare.” This is distinct from the previous month’s disclosure with a different attack vector but through the same print spooler service. Any remote network access can exploit this vulnerability, while the earlier CVE-2021-1675 can be thought of as a local version of PrintNightmare. It allows an attacker to gain remote access and execute malicious code with privileged access rights. Exploiting this Remote Code Execution (RCE) means they effectively control the affected system to steal sensitive data passively or disrupt operations.

What is a Print Spooler Service?

In essence, the printer spooler service manages the connection and operation of any printer connected to a Windows-based device. It downloads and installs the printer drivers needed to allow the device to talk to any printer in its specific language, irrespective of the protocols used by the manufacturer of the printer. It manages print jobs, documents sent by the device to the printer by organizing the queueing of jobs, ordering queued jobs by priority, buffering the data into the printer’s memory.

Domain controllers often also use the same printer spooler service to manage the addition and removal of printers to a network. Domain controllers inherently run with system privileges, manage security authentication requests within a computer network domain, and allow host access to domain resources. As a result, any authenticated user can remotely connect to a domain controller’s print spooler service, a significant weakness at the core of the network’s security controls.

The print spooler service also allows any device running a Windows operating system to act as a print client, printing to a local printer, or as a print server, allowing any networked devices to access its local printer. Its problem is that we have grown used to connecting a new printer anywhere on a network and reasonably painlessly using that printer from any device connected to that network. This useability is down to the privileged access that the print spooler service has across the entire network, bypassing security controls and offering the ability to update printer drivers to the latest version automatically.

So, what is the Risk with PrintNightmare?

The problem with the PrintNightmare vulnerability is that an attacker external to the network can upload malicious code disguised as a Dynamic-link library (DLL) and execute this with administrator privileges across the network. Additionally, this flaw provides an entry point for uploading additional malicious programs or exfiltrating sensitive information.

The concern with PrintNightmare is that such code is already in existence thanks to a security researcher publishing a proof of concept for June’s patched LPE vulnerability that identified the presence of July’s RCE vulnerability. While Microsoft has issued an emergency patch for this second flaw, it’s safe to say that copies of the proof of concept code will be circulating amongst the hacker community and probably being exploited.

Is that the End of the Story?

Sadly the “PrintNightmare” vulnerability may have been patched, but more flaws in the Windows print spooler service have been identified – and more will be discovered.

The latest, CVE-2021-34481, identifies a critical elevation of local privileges. Another potential defect with a possible RCE exploit has been reported but is yet to be assigned a CVE number. The official advice for the short-term fix is to stop and disable the print spooler service on all devices until this flaw is patched.

Update 8/13/2021: we address a new one, CVE-2021-36958, on our Community site.

The downside of the recommended advice is that you will lose the ability to print until all security patches are applied. Also, it won’t plug the holes from the vulnerabilities that are not yet patched. Although the various short term fixes published on the internet are temporary solutions, a long term solution is essential to protect your infrastructure effectively.

Long Term Protective Measures Against PrintNightmare

Option 1: Patching and Praying

Keeping up to date with security patches for the printer spooler service vulnerabilities will provide a level of protection. Still, it seems like it’s just a matter of time before the next PrintNightmare is found. The CVE database currently contains 37 records for the printer spooler service, and more vulnerabilities are known to have been found.

The problem is that well-resourced hackers may find and exploit a vulnerability before Microsoft is made aware of its existence and creates and distributes a security patch. This window of opportunity for the hackers means that any organization using Windows-based print servers is potentially at risk from remote attack. A well-organized, typically state-backed hacking collective will silently use such a window of opportunity to plant malware within as many vulnerable organizations as possible. This strategy enables them to complete any attack later, even when the original vulnerability has been found, patched, and resolved.

For organizations that present an attractive target to hackers, this risk may be substantial. Intellectual property and sensitive commercial information are as much a target as cash reserves. The financial or reputational cost of falling victim to an attack could result in the collapse of the business.

Option 2: Permanently Counter Windows Print Server Vulnerabilities by Moving Print Services

Windows-based print servers introduce a significant range of attack points that an attacker can exploit. Windows print server security will always contain exploitable weaknesses. Therefore, any long-term solution will need to address these if it is to be effective. Moving print services to a secure cloud-based print management solution will address all these points.

Eliminate the need for printer driver management, which often allows weak legacy communications protocols

The installed printer drivers on a network are only as secure as the technologies used to implement their communications protocols – well outside the network administrators’ control. For example, the Simple Network Management Protocol (SNMP) and other commonly used protocols are vulnerable to man-in-the-middle attacks through file replacement, proxy monitoring, or other means. This gives an attacker the ability to compromise the integrity of the server and provide the base for lateral movement and privilege escalation across the network.

Eliminate drivers and eliminate this attack surface. A cloud-based secure printing solution that does not rely on manufacturer drivers doesn’t require a network administrator to configure communications protocols, enforcing secure connectivity by default.

Avoid unconstrained network-wide access, required for print processes using allow lists and exceptions in security software that bypass protective controls

One feature of shared print queues is they require access to specific Transmission Control Protocol (TCP) ports and often require access to hidden shares and different privileged folders within the Windows operating system. This requires installed security software to blanket allow these operations across the network, open access that an attacker who has penetrated the network can exploit to extend their reach.

Eliminate the need for your network security controls to include exceptions for print services, by moving print infrastructure to the cloud, simplifying configuration and enhancing security robustness.

Default support for printers connected to devices running older operating systems allows the use of weak legacy print protocols that can be exploited

The print spooler services and their Point-and-Print functionality have been present in all Windows versions dating back to NT4 in the 1990s. As a result, they include support for legacy protocols that enable them to manage Windows clients that do not support the latest Server Message Block (SMB) and Common Internet File System (CIFS) protocols.

While this legacy support simplifies integration with older systems, it allows an attacker to exploit the inherent weaknesses in older protocols. If networks include legacy systems that cannot be upgraded, then this risk cannot be removed. Upgrading and hardening systems to eliminate this risk has the potential for introducing misconfiguration problems and compatibility issues.

Cloud-based secure printing solutions eliminate the need for your network administrator to configure print mechanisms and enforces secure protocols by default.

Remove print spoolers and servers from multi-use servers

Most typical infrastructures are not afforded the luxury of having a dedicated print server. Usually, the print server device also performs other functions such as file-sharing or an internal web server. Unfortunately, these multiple uses open the potential for vulnerabilities or misconfiguration of Access Control Lists (ACLs) or Active Directory group memberships that allow unauthorized users access to the print server function.

By replacing print servers with a cloud service, companies eliminate the associated risks that multi-use servers can create.

Encrypt all print file transmission and storage to prevent eavesdropping

The standard implementation of the printer spooler service passes data across the network in an unencrypted form where it is vulnerable to eavesdropping or interference while in transit or at rest in a temporary storage location, including within the printer.

Cloud-based secure printing solutions protect your data in transit and at rest using robust encryption algorithms managed by the solution provider.

Eliminating the Print Nightmare Risk

The fundamental problem with print servers is that they cannot be securely locked down without disabling the ability for users to print documents across a network.

The best long-term protective measure is arguably to eliminate the need for the printer spooler service from the network. This not only removes the risk but has the added benefit of reducing your infrastructure overhead and administration workload.

This is where Pharos can help. Pharos Beacon provides a completely serverless printing infrastructure that delivers both secure and direct-to-printer workflows for businesses.

Pharos Beacon as a Solution

Removing Windows-based print servers from your network may sound like a radical concept. Still, Pharos has been providing serverless printing services since 2015, using trusted technology utilized on over 2,250,000 desktops worldwide. The Pharos Beacon cloud-based print management solution replaces legacy Windows printers with a secure service that eliminates print spooler services, printer drivers, and all the vulnerabilities they bring to your infrastructure.

Adopting a centrally managed cloud print management solution will reduce the attack surface for your organization by eliminating the need for a printer spooler service to be running on every Windows-based device, including the domain controllers. The removal of the printer spooler service from a domain controller represents eliminating a significant security weakness in the network.

Being a cloud-based service, security software running on your network does not need to include print services in the allow lists and exceptions. This closes any potential holes in your security controls that an unauthorized user can exploit to transverse around your network in the search for additional vulnerabilities.

Pharos Beacon encrypts all communications channels used for print jobs to eliminate any risk of eavesdropping on an organization’s network, accessing potentially sensitive information as it transits from the end-user device to the printer. Its Secure Print facility also encrypts the data for print jobs while at rest utilizing a zero-knowledge AES-256 encryption algorithm to maximize protection.

The final and critical point is that this service does not require clients to upgrade their workstations or existing printer fleet. Instead, what it does is remove an expensive security problem from your network and improve the printing experience for your IT administrators and users alike, thanks to our best-in-class cloud technologies.

You can wake up from the PrintNightmare without turning off printing

The “PrintNightmare” story has highlighted the myriad of security issues that printer services can introduce into your business’s infrastructure. The migration to a cloud-based serverless secure printing service can eliminate not just the “PrintNightmare” risks but all future risks created by weaknesses in the Windows printer spooler services code that have yet to be found. Added benefits are compatibility with existing infrastructure and a reduced IT administration workload. The good news is that Pharos can help you achieve this painlessly and cost-effectively; everybody wins except the hackers.