how to block inbound remote printing


You can temporarily switch the firewall to interactive mode and print a test page remotely. When asked about the communication, choose Block and tick the appropriate check-box to create a new rule. Afterwards you can switch back to automatic fw mode.


The Print Spooler service uses a port from the dynamic range, which is allocated by default in Windows Vista and newer, starting at 49152.
To block it correctly, you need to change the dynamic range to your own.
Here is an example of the range from 9000 to 9099: 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
; REG_MULTI_SZ, UTF-16LE encoding of the string "9000-9099"
"Ports"=hex(7):39,00,30,00,30,00,30,00,2d,00,39,00,30,00,39,00,39,00,00,00,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"

After reboot, the Print Spooler service will reserve a port in the range 9000 - 9099.
This range will need to be blocked for incoming connections.


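An added example (not part of the original posts): a Python helper that decodes a Ports hex(7) value from a .reg file and lists any RPC ports that a planned inbound block range would not cover. The function names and the sample value are constructed for illustration.

```python
import re

def encode_hex7(strings):
    """Encode strings as a .reg hex(7) (REG_MULTI_SZ) value: UTF-16LE,
    each string NUL-terminated, plus one final NUL that ends the list."""
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

def decode_hex7(value):
    """Decode a hex(7) value (with or without .reg line continuations)."""
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) / REG_MULTI_SZ value")
    body = re.sub(r"[\\\s]", "", value[7:])   # drop '\' continuations and whitespace
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    if len(raw) % 2:
        raise ValueError("odd byte count: not valid UTF-16LE")
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def port_ranges(strings):
    """Turn entries such as '9000-9099' or '5000' into (low, high) tuples."""
    out = []
    for s in strings:
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", s.strip())
        if not m:
            raise ValueError(f"unexpected Ports entry: {s!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"invalid port range: {s!r}")
        out.append((lo, hi))
    return out

def uncovered(rpc_ranges, blocked_ranges):
    """Ports RPC may allocate that no inbound block range covers."""
    blocked = set()
    for lo, hi in blocked_ranges:
        blocked.update(range(lo, hi + 1))
    return sorted(p for lo, hi in rpc_ranges
                  for p in range(lo, hi + 1) if p not in blocked)

if __name__ == "__main__":
    value = encode_hex7(["9000-9099"])            # constructed sample value
    rpc = port_ranges(decode_hex7(value))
    # An empty list means the firewall block range covers every RPC port.
    print(value, rpc, uncovered(rpc, [(9000, 9099)]))
```

Decode the value before importing the .reg file and compare it with the range in the firewall rule; any port returned by uncovered() stays reachable for inbound RPC.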
This article: https://www.kb.cert.org/vuls/id/383432 is the best I have found to determine if you're still exploitable after applying the recent MS patch. Of note is the use of flowchart check steps. Follow the steps to determine the proper mitigation to apply for the current status of the unpatched remote printing vulnerability.
