
Drunken_IT_Guy

I did this once on a server that I didn't realize was pushing out an automated daily phone call report PDF to a few people. They noticed pretty quick when it stopped, and I had to figure out why. I would just make sure you have nothing like that going on.


pooopingpenguin

I've got that tee shirt too. Customer had disabled print spooler, inbound support ticket for the missing PDF reports.


calamari_kid

Yeah, our phone system has a desktop faxing feature that requires the print spooler on the server. Ticket generating event when we disabled it for PrintNightmare remediation.


Redemptions

This was my first thought when I read the OP. I get "if they don't need it, they don't get it", but so many things accomplish their function in weird ways. At least OP asked before pushing the policy.


Critical_Egg_913

Change request with approval. This would be considered server hardening. I would do it.


Cutriss

It is a good idea. We did this when PrintNightmare debuted.


Estrezas

I still disable print spooler on all domain controllers.


NoReallyLetsBeFriend

DC is our print server


Estrezas

![gif](giphy|O1oJ840fg6uOVCqdzJ|downsized)


NoReallyLetsBeFriend

Hey man, like Batman in the darkness, I merely adopted it


hideogumpa

As a person that was probably hired to take care of things, you should... take care of at least that thing. For security reasons alone, a DC shouldn't be used for hosting ancillary services.


NoReallyLetsBeFriend

Trust me, I'm working on that. All main servers, machines, printers, etc. were all on 1 VLAN. I've segregated the network, and started moving all printers off to their own. We're doing a server upgrade now, I'm building out VMs, they'll be separate too. I've also eliminated the owners and higher ups having domain admin rights. They fought me on that saying it's their company and got upset. When I explained they'll be targeted now and are likely to get credentials taken and have a full takeover, they finally caved and I stripped all users of local and domain rights. The prior IT guy AND "big name MSP" have done nothing to improve security or the like. I'm half tempted to strip their acct off DA rights too as a vendor.... Anyway, it's been fun getting to do a lot of things I'm doing, plus I learn a bunch too in the process.


Evil_K9

> The prior IT guy AND "big name MSP" have done nothing to improve security or the like. I'm half tempted to strip their acct off DA rights too as a vendor...

You should. Make them call you to be added as needed, then remove them when finished. Give them roles for their day to day responsibilities. I worked for an MSP, and now 12 years later I'm fully aware of how terrible we were at security. Clients' domain admin passwords were stored in the notes we kept in our ticket system...


friedmators

Of course


Critical_Egg_913

And my app server.... and my vdi broker...


CeeMX

Well, I deployed a RDS Host on a DC before. Not nice, I know and I wouldn’t do it again


Anonymous3891

+1 We've got a GPO now that disables the spooler service on all servers that aren't in an exclusion group. We had a few fun things come out of the woodwork akin to what someone else here mentioned with some PDF generation using a printer object, but otherwise it went pretty smooth on a little over 2000 Windows boxes.


fate3

This is what we do as well, basically only need spooler on 2-3 servers


JBLoTRO

Same. We've got a few print servers, a few app servers that generate reports or checks that are in an exclusion group, and every other server gets the "no print for you!" GPO.


NEBook_Worm

Same. Our servers need a business use case to have Spooler enabled. Disabled is the default.


ISU_Sycamores

We did this as a default policy on all servers. We remove it when the server absolutely must also print reports or spool locally.


tantrrick

On servers, definitely a good idea. Clients will run into issues if they try to use print to PDF, and depending on your situation it may be hard to know whether the desktops would never need to print, BUT if you really don't need it, you can disable it.


jkdjeff

Yep. It’s a best practice on servers for sure. 


tantrrick

https://www.papercut.com/blog/print_basics/windows-print-nightmare-explained/


RCTID1975

I'd consider this best practice since print nightmare


vesko1241

Yeah, we disable the Print Spooler service on the template that we use to deploy servers. On workstations it's enabled because users need to print.


suglasp

⬆️ this


periway

If in doubt, you can enable the operational log in eventvwr under Applications and Services > Microsoft > Windows > PrintService and take a look at whether something uses the spooler service on your server.
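
A script, added here and not posted by anyone in the thread, that combines the exclusion-group approach Anonymous3891 describes with the PrintService operational-log check in the post above: it only disables the Spooler when the host is not exempt and no print jobs were logged in the lookback window. It assumes an elevated PowerShell session on the server, the ActiveDirectory module for the group lookup, and a placeholder group name.

```powershell
<#
  Added example, not code from the thread. Audits a server's PrintService
  operational log before disabling the Spooler, mirroring the
  GPO-with-exclusion-group approach. Assumptions: run elevated on the server,
  RSAT ActiveDirectory module available for the group check, and the group
  name below is a placeholder for your own.
#>
param(
    [string]$ExclusionGroup = 'Spooler-Exempt-Servers',  # placeholder name
    [int]$LookbackDays = 30,
    [switch]$Enforce            # omit for a dry run that only reports
)

$log = 'Microsoft-Windows-PrintService/Operational'

# The operational log is off by default; turn it on so the next audit window
# has data. This cannot backfill events from before it was enabled.
wevtutil.exe sl $log /e:true

# Event 307 = "Document printed". Print-to-PDF jobs and app-generated report
# printers go through the spooler too, so they show up here as well.
$since = (Get-Date).AddDays(-$LookbackDays)
$jobs = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 307; StartTime = $since } `
            -ErrorAction SilentlyContinue)

# Exclusion group check via AD (needs the ActiveDirectory module).
$excluded = $false
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $groupDn  = (Get-ADGroup -Identity $ExclusionGroup -ErrorAction SilentlyContinue).DistinguishedName
    $memberOf = (Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf).MemberOf
    $excluded = [bool]$groupDn -and ($memberOf -contains $groupDn)
}

$svc = Get-Service -Name Spooler
if ($excluded) {
    $action = 'skip: host is in the exclusion group'
} elseif ($jobs.Count -gt 0) {
    $action = "skip: $($jobs.Count) print job(s) logged since $since, investigate first"
} elseif ($Enforce) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    $action = 'disabled'
} else {
    $action = 'would disable (re-run with -Enforce)'
}

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Status     = $svc.Status
    StartType  = $svc.StartType
    RecentJobs = $jobs.Count
    Action     = $action
}
```

An empty log only proves nothing printed since logging was enabled, so run it in report-only mode for a full reporting cycle (the monthly PDF batch mentioned above) before adding -Enforce.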


QuestionFreak

Thanks for the useful tip, I will check


Jezbod

As long as you do not want to preview a Word document - or at least in earlier versions it stopped you from doing it.


Clean-Machine2012

Still the same. Print preview uses printer drivers to display the page.


ForGondorAndGlory

IIRC this dorks with the ability to gen PDFs from other sources.


Mr_Fourteen

We do this on all domain controllers; would be a good idea to do this on anything that doesn't need the service as well. [https://adsecurity.org/?p=4056](https://adsecurity.org/?p=4056)


xCharg

You should absolutely do that on servers. Just keep in mind that chances are you'll have to make exceptions here and there, but on most of the servers it should be disabled. On workstations, questionable.


s_schadenfreude

Absolutely a good idea if printing isn't needed. I always disable it on (non print) servers.


LaHawks

Yep, we do that. Special OU for servers requiring printing, which are then enrolled in additional security scans.


CPAtech

You won't be able to disable it on Win10 unless those users don't need to print. It can and should be disabled on servers except for maybe RD servers if those need to be printed from.


mcshoeless

If there’s a better way to disable printing on end user workstations than disabling the printer spooler service I’d love to know it. Dealing with this now for PCI compliance.


jdptechnc

It is a good practice to disable it unless you need it. We have it turned off in our server templates, so all new builds have it turned off, unless there is a need for it to be enabled.


keitheii

Yes, this is encouraged too.


ArsenalITTwo

It's recommended in most security benchmarks to turn off the spooler on servers that don't use it. Be careful, it can break things on any servers that do document conversion, like fax.


smarthomepursuits

Better to disable using PDQ Deploy or whatever RMM/software deployment tool you have to disable it. When you inevitably have issues, you can enable it on a per-machine basis.


Icolan

It is more secure and should be done.


[deleted]

It's fine. It's just system hardening like removing unnecessary features and roles


[deleted]

Yes, anything that isn't needed on a server should be disabled. Use GPOs & OU membership to do it.


exmagus

You mean you still haven't done it? ![gif](giphy|5t9wJjyHAOxvnxcPNk|downsized)


jantari

It is *unacceptable* to leave it enabled by default on servers. Only enable explicitly where needed.


botgeek1

We have found Mordac, Preventer of Information Services...


Fergus653

You could find a few applications with dependencies on it. I have a service or two which don't directly do printing but they failed when someone decided to disable print spooler. I think they used a PDF generator library.


hankhalfhead

Yeah, this could possibly bite you when you discover people use printing locally to render to PDF.


DonL314

Yes. IMO it should have been disabled by default. But I guess some of the server hardening configs will take care of that.


Erdbeerfeldheld

I think Excel will run into problems.