Microsoft has identified a vulnerability with the Windows Print Spooler service, and has recommended disabling the Print Spooler service if it is not needed. We’ve noticed that some IT departments are following this recommendation.
However, disabling the Print Spooler service on the server that is hosting the PDF Converter will cause it to stop working. The PDF Converter uses a part of the Microsoft Office application called ‘Export to PDF’, which in turn uses parts of the Windows printing subsystems including the Print Spooler service. For continued use of the PDF Converter please ensure the Print Spooler is enabled.
For IT departments who wish to follow Microsoft’s advice on the issue, we recommend following ‘Option 2’ found on Microsoft’s article regarding the issue: Windows Print Spooler Remote Code Execution Vulnerability.
‘Option 2’ applies a group policy which restricts access to the Print Spooler service by external devices. This allows the PDF Converter to work uninterrupted, while offering security for this vulnerability.
Option 2 – Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible. For more information see: Use Group Policy settings to control printers.
If you’d like more information on this, please contact the InformationLeader support team.