New blog just dropped. https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645 We are making massive changes to the Print System in Windows to improve security. This represents a pretty big leap forward for security in Windows. The Print System in Windows has historically been a key target for attackers and these changes make significant reductions in total attack surface.

Moreover, we intend for this to become the default for users in the future. No more loading 3rd party print drivers, no more high privilege services, and robust exploit mitigations enabled to protect users.

There is a lot of work to do; this first release is only a step in the direction we are taking. But I feel it is the right direction for user safety.

A new, modern, and secure print experience from Windows

Over the past year, the MORSE team has been working in collaboration with the Windows Print team to modernize the Windows Print System. This new design,..

@spoofy Good to see Windows finally start to tackle legacy nonsense, even if it's still got a long long way to go
@spoofy no more NTLM then? :)
@d0m3l glad you asked.. if you watched this https://www.youtube.com/watch?v=zlhoAYsSd4c you'd know spooler is one of the larger NTLM surfaces in Windows. Removing it by default would be a big win. A security guy like myself would really be pushing for something like that but I can't promise anything at the moment. There are a LOT of changes happening all at once which complicates things.
BlueHat Oct 23. S18: Deprecating NTLM is Easy and Other Lies we Tell Ourselves

@spoofy I was at BlueHat live and was heckling Steve from the audience during this recording :)
@d0m3l @spoofy I REMEMBER
@d0m3l @spoofy We actually had a chat with the Print Spooler folks and as much as I would love to take credit for their actions, they actually did a TON of work to harden the heck out of this, as of Windows version [I don't remember]. Good things are afoot.
@spoofy I can already see every vendor rushing to write a Print Support App: 1.2GB of install so you can get features like "popups advertising ink subscriptions".
@jsmall @spoofy Yesterday I found HP Smart application installed on my computer, and associated with every printer I have (including Microsoft XPS Writer and Microsoft Print to PDF). The last time I had an HP printer at home was in the early 2000s…
@spoofy curious if the "Spooler Worker process" still runs as SYSTEM but restricted? I'm sure I could try and get printing to work on an insider build, but well... :)
@tiraniddo current WIP builds still run as SYSTEM due to a bug. Once RI is complete the Spooler will spawn a worker which runs under a different token and effectively does everything the Spooler previously did. Probably won’t land until next year due to the holiday. We should chat, I’m also trying to fix SEImpersonate
@spoofy okay that's good, as running as SYSTEM, even in a restricted form is super risky. Anyway, always happy to give my thoughts on things if you want to grab some time to chat :)
@spoofy If it means dealing with shitty print drivers less evil, then bless you.