- Microsoft has improved the printing mechanism in Windows 11 with Windows Protected Print (WPP) mode to protect against security threats like PrintNightmare.
- WPP eliminates the need for third-party printer drivers and encourages the use of Internet Printing Protocol (IPP) for secure and encrypted printing.
- WPP enhances security by disabling third-party drivers, preventing the loading of malicious code, and enforcing the use of Microsoft-signed binaries for IPP. Users can revert to their previous configuration if their printer is not supported.
Yesterday, Microsoft began rolling out its last Windows 11 Canary flight for this year in the form of build 26016. The update includes lots of new features, fixes, and a few bugs, but perhaps the headliner is a significantly improved printing mechanism called Windows Protected Print (WPP) mode. Now, Microsoft has published a detailed blog post highlighting the advancements made in this implementation.
The Microsoft Offensive Research & Security Engineering (MORSE) team has been collaborating with the Windows Print group to modernize the built-in printing mechanism in Windows and make it more secure. The motivation behind this joint effort is that the existing print stack is a well-established attack surface for malicious actors: some may recall PrintNightmare, which wreaked havoc across Windows PCs, along with the other Print Spooler vulnerabilities that followed it, so protecting the printing stack against such threats is essential.
WPP gets rid of third-party printer drivers altogether, which is something that Microsoft has been working toward for the past few months. The Redmond tech firm says that it is particularly challenging to build a frictionless printing system with a secure printing stack while depending on third-party vendors. Other problems include compatibility issues with legacy drivers, and the fact that printer drivers run with elevated privileges, so a bug in a poorly implemented driver quickly becomes a security risk. In such cases, Microsoft depends on third parties to ship driver patches, which is even more problematic if the driver manufacturer has gone out of business or no longer supports a particular configuration.
Windows currently offers Internet Printing Protocol (IPP) support, which works in tandem with driverless printing. It offers numerous advantages, including built-in encryption, access control, authentication, a simpler code base, and more. Microsoft recommends that customers switch to IPP printing, and has been encouraging driver vendors to build Print Support Apps (PSA) when they need to offer custom functionality not provided by the inbox class driver.
IPP printing has other benefits too: if a PSA is available for a printer, it is automatically installed and kept up to date through the Microsoft Store. Similarly, Point and Print has been enhanced for IPP so that it no longer requires the installation of a driver. While vendors can build PSAs to extend certain functionality, that code runs in an AppContainer and communicates over an encrypted channel, which limits the damage a compromised PSA can do. That said, IPP still allows the use of drivers on the print server if a user prefers that approach.
This is where Microsoft’s latest WPP implementation comes into play. It improves the IPP mechanism by only allowing Mopria-certified printers and disabling third-party drivers completely. This is accomplished through a new Spooler service, with customers having the option to disable WPP and revert to their previous configuration if they find out that their printer is not supported.
WPP advances security in lots of ways. Attackers cannot use a dynamic-link library (DLL) to load malicious code into the print stack, nor can they leverage symbolic links to manipulate the Spooler service. In the same vein, legacy APIs have been updated to honor the WPP configuration; they do not allow the loading of new modules and ensure that only the Microsoft-signed binaries required for IPP are used. Importantly, XPS rendering will run with the user's privileges rather than as SYSTEM, and other common Spooler processes will have lower permissions too.
In addition, WPP will be able to use Microsoft's own binary mitigations rather than relying on support from third-party vendors. It will also completely disable the installation of third-party drivers for Point and Print. Lastly, since WPP builds on top of IPP, which supports encryption, it tells users whether their print traffic is encrypted and recommends enabling encryption when it is not.
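The two things an administrator will want to know before WPP lands are covered above: which queues still depend on third-party drivers, and which network printers are actually reachable over IPP with TLS. The script below is an added example, not code from Microsoft's blog post or from the WPP feature itself; it uses the standard PrintManagement cmdlets (Get-Printer, Get-PrinterDriver, Get-PrinterPort) to inventory local queues and flag both conditions. It assumes (the article does not say so) that the inbox driverless queue is bound to the "Microsoft IPP Class Driver", that third-party drivers report a Manufacturer other than Microsoft, and that an IPPS endpoint accepts an implicit TLS handshake on TCP 443 or 631; the port list and the driver-name check are illustrative and should be adjusted for your environment.

```powershell
# Added example: WPP readiness inventory for a Windows host.
# Not part of Microsoft's blog post or the WPP feature; assumptions are marked below.

function Test-TlsEndpoint {
    # Returns $true if the host completes a TLS handshake on the given port.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $connect = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($connect)
        # Printers usually present self-signed certificates. We only want to know
        # whether TLS is offered at all, so certificate validation is bypassed here;
        # this is a discovery probe, not a trust decision.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        return $ssl.IsEncrypted
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Get-WppReadiness {
    # Assumption: IPPS is offered with implicit TLS on one of these ports.
    param([int[]]$TlsPorts = @(443, 631))

    $drivers = @{}
    Get-PrinterDriver | ForEach-Object { $drivers[$_.Name] = $_ }
    $ports = @{}
    Get-PrinterPort | ForEach-Object { $ports[$_.Name] = $_ }

    foreach ($queue in Get-Printer) {
        $driver = $drivers[$queue.DriverName]
        $port   = $ports[$queue.PortName]

        # Assumption: the inbox driverless queue uses the Microsoft IPP Class Driver,
        # and anything whose driver Manufacturer is not Microsoft is a third-party
        # driver that WPP will refuse to load.
        $driverClass = if ($queue.DriverName -eq 'Microsoft IPP Class Driver') {
                           'Inbox IPP class driver'
                       } elseif ($driver -and $driver.Manufacturer -eq 'Microsoft') {
                           'Microsoft (other inbox driver)'
                       } else {
                           'Third-party (disabled under WPP)'
                       }

        # Only TCP/IP-style ports expose a host address; local virtual queues
        # (Print to PDF, XPS Document Writer) have none and are not probed.
        $hostAddr = $null
        if ($port -and $port.PSObject.Properties['PrinterHostAddress']) {
            $hostAddr = $port.PrinterHostAddress
        }

        $tlsPort = $null
        if ($hostAddr) {
            foreach ($p in $TlsPorts) {
                if (Test-TlsEndpoint -ComputerName $hostAddr -Port $p) { $tlsPort = $p; break }
            }
        }

        [pscustomobject]@{
            Printer     = $queue.Name
            Driver      = $queue.DriverName
            DriverClass = $driverClass
            HostAddress = $hostAddr
            TlsOffered  = if ($hostAddr) { [bool]$tlsPort } else { $null }
            TlsPort     = $tlsPort
        }
    }
}

# Usage: run in an elevated PowerShell session on the host being assessed.
Get-WppReadiness | Format-Table -AutoSize
```

Queues reported as "Third-party" are the ones that will stop working once WPP is enabled unless the printer is re-added as a driverless IPP queue, and a network queue with TlsOffered set to False is one whose traffic would currently go over the wire in the clear. One caveat on the probe: plain IPP on port 631 can also negotiate TLS through an HTTP Upgrade rather than an implicit handshake, so a False result on 631 alone does not prove the printer lacks TLS support; treat it as a prompt to check the device, not as a verdict.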
WPP is now being rolled out to Windows Insiders through Canary build 26016. That said, Microsoft has cautioned that since this is the initial release, some features have not been fully implemented yet and there is no UI for it either. The Redmond tech firm says that it will continue enhancing WPP in upcoming Insider builds, but there is no word on general availability yet.