Windows Operating System Hardening Measure (RestrictDriverInstallationToAdministrators)

Summary

Tenable Research has released an informational plugin that will identify an optional Windows operating system hardening measure.

Impact

A new plugin was added that will check if the RestrictDriverInstallationToAdministrators value in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint value has been set to 0. A value of 1 or if the key is not defined or not present will require administrator privilege to install any printer driver when using Point and Print.

Note that this hardening measure is a recommendation from Microsoft, but that there is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1 to prevent exploitation from vulnerabilities such as “PrintNightmare”. The value of 1 should be the default setting for all supported Windows versions with the installation of the security updates released on August 10, 2021.

This Windows hardening measure check logic was previously included in plugin 151488, but has now been moved into the new, separate Windows Operating System Hardening Measure (RestrictDriverInstallationToAdministrators) (158243). 

Plugin

Windows Operating System Hardening Measure (RestrictDriverInstallationToAdministrators) (158243)

References

point-and-print-default-behavior-change

KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)

Target Release Date

2/22/2022