Vulnarex | Elite Cybersecurity Learning Platform

#The Print Spooler Is Not a Print Service—It's a Kernel Exploit Waiting to Happen#link

Between 2021 and 2023, vulnerabilities in the Windows Print Spooler (CVE-2021-34527, CVE-2022-22718) provided domain admin privileges to attackers on patched systems. The root issue: unnecessary services running by default on servers that never touch a printer. This lesson provides a definitive methodology to identify, disable, and harden Windows services—including SMBv1, RDP, and Windows Search—to eliminate entire classes of attacks.

The Service Disabling Methodology

1. Inventory all running services with Get-Service | Where-Object {$_.Status -eq 'Running'}. 2. Map each service to the server's role: a web server does not need Print Spooler or Server service. 3. Set unnecessary services to Disabled via sc config or Group Policy. 4. Test application functionality thoroughly; some applications have hidden dependencies. 5. Document the disabled services in the baseline image for audit traceability.

powershell

# List all running services and export to CSV
Get-Service | Where-Object {$_.Status -eq "Running"} | Select Name, DisplayName, StartType | Export-Csv -Path services.csv -NoTypeInformation
# Disable a service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

This approach stops the service immediately and prevents it from restarting on next boot. The CSV provides an audit trail.

High-Risk Services to Target First

Print Spooler (Spooler), SMBv1 (disabled via Features or registry), Remote Registry (RemoteRegistry), Windows Search (WSearch), and XPS Services are top candidates for servers. Also consider disabling the Server service (LanmanServer) on a purely client machine—this removes the ability to share folders, closing an entire attack vector. Each disabled service reduces the attack surface and frees up resources.

Disable SMBv1 completely via registry and DISM

root@vulnarex:~#Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

info

💡 The Server service (LanmanServer) is distinct from SMBv1. You can disable SMBv1 while keeping SMB2/3 active for file sharing. But if the machine never shares files, disable LanmanServer entirely.

Service	Display Name	Recommended Action on Server
Spooler	Print Spooler	Disable unless server is a print server
LanmanServer	Server	Disable if no file sharing needed
RemoteRegistry	Remote Registry	Always disable
WSearch	Windows Search	Disable on web/database servers
XblGameSave	Xbox Live Game Save	Disable on all servers

RDP Lockdown: Not Just a Service Toggle

Disabling the Remote Desktop Services service (TermService) is the ultimate RDP lockout, but if RDP is required, enforce Network Level Authentication (NLA), set an account lockout policy, and use RDP gateways or VPNs instead of directly exposing 3389. Additionally, restrict the 'Remote Desktop Users' group and set interactive logon timeouts.

▪Create a role-based service baseline: disable services not needed for each server role.
▪Stop and disable SMBv1, Print Spooler, Remote Registry, and Windows Search on all non-essential servers.
▪Disable the Server service on client-only machines.
▪For servers requiring RDP, enforce NLA and restrict user access.

STRICT SECURE AUDIT RULE

⚠️ Disabling the Server service on a machine that is also an AD domain controller breaks replication. Understand the role before disabling.

quiz BLOCK (★ 50 XP)

After disabling Print Spooler on a critical application server, a legacy app stops working. What should you do first?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

Service Hardening Drill