Ringfencing the Print Spooler

Last update: 01.13.2024
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article.  

Creating the Ringfencing policy

ThreatLocker can block the Print Spooler from interacting with high-risk applications and from accessing the internet, to avoid breaches via Print Spooler exploits, which are becoming commonplace. The recommended Ringfencing policy is a default computer group policy and will be present upon creation of your computer group.

On initial deployment, your machines will be placed in learning mode for 21 days. One function of learning mode is to catalog necessary exclusions if they are accessed during the learning period. If you delete and re-create this policy manually, you need to set the policy to monitor only status so you can evaluate what is being Ringfenced and make changes accordingly. Every environment is different, and which other applications this could affect will vary from situation to situation.

Failure to set this policy to monitor only status when first setting it up will cause printing issues, and could interfere with normal business operations.  

To place a policy into monitor only mode, click the 'Status' dropdown next to the policy name. Select 'Monitor' from the list. 

After deploying policies, the Print Spooler service must be restarted for the new Ringfencing policy to be applied. To restart the Print Spooler, open Command Prompt as an administrator and enter: "net stop spooler && net start spooler"

Checking for Network Exceptions

Once you have set up the Print Spooler Ringfenced policy, and placed it into a monitor only status, wait a few days and then look through your Unified Audit to check for other exceptions that may need to be added before changing this policy to 'Inherit' or 'Secured'.

In the Unified Audit, narrow your search by entering the 'Policy Name', and in the 'Action' dropdown, selecting 'Ringfenced'. 

From here you can see any items that would have been blocked by this policy. Add any exceptions you need to this Ringfencing policy, so that when you change the status of the policy to secured your work environment will continue to function.

To investigate any Ringfenced items in the Unified Audit, click the arrow on the left of the Ringfenced item. Check the 'Policy' name. If it is your SpoolSv.exe (RingFenced) policy and you want to add this address as an Exclusion, click the 'Add to Policy' button on the right.   

The policy will open up, and the IP address will be prepopulated in the textbox. You can click the 'Add' button, and this IP address will now be added as an Exclusion to the policy. 

You can also utilize the 'Tags' feature to serve as a container for domains/IP addresses. This can be applied to the 'Internet' tab included in the Ringfence options.

For more information on Tags, please see the article "ThreatLocker: Creating Tags".

Ringfencing the Print Spooler in the Legacy Portal

Creating the Ringfencing policy

ThreatLocker can block the Print Spooler from interacting with high-risk applications and from accessing the internet, to avoid breaches via Print Spooler exploits, which are becoming commonplace.

Navigate to Application Control > Policies. Then select 'Add Suggested Policies' at the top middle of the page. 

This will populate a list of ThreatLocker recommended policies. From this list, select the checkbox for the 'Print Spooler (Ringfenced)' policy, and then click the 'Add Suggested Policies' button at the top.

When you add this policy, by default, it will be placed at the top of the policy list for whichever computer group you applied it to. It is important that this policy is always above your Windows Core policies.  

When you first set this policy up, you need to set the policy to monitor only status so you can evaluate what is being Ringfenced and make changes accordingly. Every environment is different, and which other applications this could affect will vary from situation to situation.

Failure to set this policy to monitor only status when first setting it up will cause printing issues, and could interfere with normal business operations.  

To place a policy into monitor only mode, click the 'Status' dropdown next to the policy name. Select 'Monitor Only' from the list. 

After deploying policies, the Print Spooler service must be restarted for the new Ringfencing policy to be applied. To restart the Print Spooler, open Command Prompt as an administrator and enter: "net stop spooler && net start spooler"
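
The restart step (the same in both the ThreatLocker Portal and Legacy Portal directions) can also be done from PowerShell in a way that confirms the spooler actually came back as a new process. This is an added example, not ThreatLocker code; the helper names Get-ServicePid and Restart-SpoolerAndVerify are hypothetical, and it assumes an elevated session on the machine whose spooler is being restarted.

```powershell
#Requires -RunAsAdministrator
# Added example (not ThreatLocker code). Helper names below are hypothetical.

function Get-ServicePid {
    param([string]$Name)
    # Win32_Service.ProcessId is the PID hosting the service; it is 0 while the service is stopped.
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'").ProcessId
}

function Restart-SpoolerAndVerify {
    param([int]$TimeoutSeconds = 30)

    $name   = 'Spooler'
    $oldPid = Get-ServicePid -Name $name

    # -Force allows the stop even if other running services depend on Spooler.
    Restart-Service -Name $name -Force -ErrorAction Stop

    # Block until the service reports Running; throws a timeout exception otherwise.
    (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))

    # A changed PID shows the old spoolsv.exe process is gone and a fresh one is running.
    $newPid = Get-ServicePid -Name $name
    if ($newPid -eq 0 -or $newPid -eq $oldPid) {
        throw "Spooler is not running as a new process (old PID $oldPid, new PID $newPid)."
    }

    $proc = Get-Process -Id $newPid
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Service   = $name
        OldPid    = $oldPid
        NewPid    = $newPid
        Process   = $proc.ProcessName
        StartTime = $proc.StartTime
    }
}

Restart-SpoolerAndVerify
```

The returned object gives a per-machine record of when the spooler was restarted, which helps when matching Unified Audit entries to the period after the policy took effect.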

Checking for Network Exceptions

Once you have set up the Print Spooler Ringfenced policy, and placed it into a monitor only status, wait a few days and then look through your Unified Audit to check for other exceptions that may need to be added before changing this policy to 'Inherit' or 'Secured'.

In the Unified Audit, narrow your search by entering the 'Policy Name', and in the 'Action' dropdown, selecting 'Ringfenced'. 

From here you can see any items that would have been blocked by this policy. Add any exceptions you need to this Ringfencing policy, so that when you change the status of the policy to secured your work environment will continue to function.

To investigate any Ringfenced items in the Unified Audit, click the arrow on the left of the Ringfenced item. Check the 'Policy' name. If it is your SpoolSv.exe (RingFenced) policy and you want to add this address as an Exclusion, click the 'Add to Policy' button on the right.   

The policy will open up, and the IP address will be prepopulated in the 'Value' textbox. You can click the 'Add' button, and this IP address will now be added as an Exclusion to the policy. 

You can also utilize the 'Tags' feature to serve as a container for domains/IP addresses. This can be applied to the 'Internet' tab included in the Ringfence options.

For more information on Tags, please see the article "ThreatLocker: Creating Tags".