EvotecIT / Testimo

Testimo is a PowerShell module for running health checks for Active Directory against a bunch of different tests

Disabling Print Spooler not recommended #38

Closed MarcLaf closed 5 years ago

MarcLaf commented 5 years ago

According to MS, it's not recommended to disable Print Spooler on a DC because this is responsible for removing stale printer objects from AD.

https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#print-spooler

The TechNet article in the comments of that page doesn't exist anymore, but it can be found via the Wayback Machine.

Looks like you should have it enabled on at least 1 DC in each site.

PrzemyslawKlys commented 5 years ago

This may be true, however check this out: https://adsecurity.org/?p=4056

I wonder how we can kill both stones at the same time? Disable by default and enable to do the cleanup and shut down right after?

MarcLaf commented 5 years ago

Ahhh I see, thanks for the reply. I very much agree that having your domain compromised is much worse than having stale printers and I'm wondering how often the stale printers show up (I also can't quite figure out the scenario in which they would show up). Maybe the scan should indicate that disabled is recommended however you will need to do manual print queue cleanup?

PrzemyslawKlys commented 5 years ago

When you add a printer to Print Servers you have the ability to publish in AD. I guess AD then manages that removing/adding printers depending on Print Server availability. But that's my guess. I'll update the explanation.

MarcLaf commented 5 years ago

Yeah the explanation isn't complete on MS side which is confusing. Maybe if a printer is deleted before it's been un-published in AD? Who knows. But thank you for updating your side of things. This module is really slick!
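As an added example (not Testimo's own code, and not from either commenter), the two concerns in this thread can be checked side by side: which domain controllers still run the Print Spooler (the attack-surface view from the adsecurity link) and which sites have no Spooler-capable DC left (the stale-printer-pruning view from the Microsoft page). It assumes the ActiveDirectory RSAT module and CIM access to each DC; the function and output property names are my own.

```powershell
# Added example, not part of Testimo. Requires RSAT ActiveDirectory and CIM/WMI
# access to every DC. Function and property names are assumptions.

function Get-DCSpoolerState {
    [CmdletBinding()]
    param(
        # Optional: query a specific domain/DC instead of the current domain
        [string] $Server
    )
    $dcParams = @{ Filter = '*' }
    if ($Server) { $dcParams['Server'] = $Server }
    foreach ($dc in Get-ADDomainController @dcParams) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                -ComputerName $dc.HostName -ErrorAction Stop
            [PSCustomObject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                State            = $svc.State       # Running / Stopped
                StartMode        = $svc.StartMode   # Auto / Manual / Disabled
                Reachable        = $true
            }
        } catch {
            # Unreachable DCs are reported rather than silently skipped
            [PSCustomObject]@{
                DomainController = $dc.HostName; Site = $dc.Site
                State = $null; StartMode = $null; Reachable = $false
            }
        }
    }
}

function Test-DCSpoolerPolicy {
    param([Parameter(Mandatory)] [psobject[]] $Report)
    # Attack-surface view: any DC whose Spooler is not Disabled gets a warning
    foreach ($row in $Report | Where-Object { $_.Reachable -and $_.StartMode -ne 'Disabled' }) {
        Write-Warning ("Spooler on {0} is {1} (StartMode {2}); recommended: Disabled" -f
            $row.DomainController, $row.State, $row.StartMode)
    }
    # Pruning view: per site, count DCs that can still prune stale printer objects
    $Report | Group-Object Site | ForEach-Object {
        $capable = @($_.Group | Where-Object { $_.Reachable -and $_.StartMode -ne 'Disabled' }).Count
        [PSCustomObject]@{
            Site                = $_.Name
            DomainControllers   = $_.Count
            SpoolerEnabledCount = $capable
            ManualPruningNeeded = ($capable -eq 0)  # no DC left to remove stale AD printers
        }
    }
}

Test-DCSpoolerPolicy -Report (Get-DCSpoolerState)
```

Sites with ManualPruningNeeded set to True are the ones where stale printer objects in AD would have to be cleaned up by hand, or by temporarily enabling the Spooler on one DC for the cleanup and disabling it again afterwards, as suggested in the thread.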