Ringfencing the Print Spooler

3 min. read. Last update: 03.27.2025

Creating the Ringfencing policy

ThreatLocker can block the Print Spooler from interacting with high-risk applications and from accessing the internet, to avoid breaches via Print Spooler exploits, which are becoming commonplace. The recommended Ringfenced policy is a default computer group policy and will be present upon creation of your computer group.

On initial deployment, your machines will be placed in learning mode for 21 days. One function of learning mode is to catalog necessary exclusions if they are accessed during the learning period. If you delete and re-create this policy manually, you need to set the policy to monitor only status so you can evaluate what is being Ringfenced and make changes accordingly. Every environment is different, and which other applications this could affect will vary from situation to situation.

Failure to set this policy to monitor only status when first setting it up will cause printing issues, and could interfere with normal business operations.  

To place a policy into monitor only mode, click the 'Status' dropdown next to the policy name. Select 'Monitor' from the list. 

After deploying policies, the Print Spooler service must be restarted for the new Ringfencing policy to be applied. To restart the Print Spooler, open Command Prompt as an administrator and enter: "net stop spooler && net start spooler"
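
The restart step above as a PowerShell script that also confirms a new spoolsv.exe process is running afterwards. This is an added example, not ThreatLocker's own code; the function name Restart-SpoolerAndVerify and the 30-second timeout are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: restart the Print Spooler and confirm a fresh process started.
# Restart-SpoolerAndVerify and the 30 s timeout are illustrative choices.

function Restart-SpoolerAndVerify {
    [CmdletBinding()]
    param([int]$TimeoutSeconds = 30)

    $before = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $before) { throw 'Print Spooler service not found on this machine.' }

    # Hosts that do not print often have the spooler disabled on purpose;
    # leave those alone instead of starting the service.
    if ($before.StartMode -eq 'Disabled') {
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            OldPid    = 0
            NewPid    = 0
            State     = $before.State
            Restarted = $false
            Note      = 'Spooler is disabled; nothing restarted.'
        }
    }

    # -Force allows the restart even if other services depend on the spooler.
    Restart-Service -Name Spooler -Force -ErrorAction Stop

    # Throws System.ServiceProcess.TimeoutException if the service does not come back.
    (Get-Service -Name Spooler).WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))

    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        OldPid    = $before.ProcessId
        NewPid    = $after.ProcessId
        State     = $after.State
        # A different, non-zero PID means a new spoolsv.exe process is running.
        Restarted = ($after.ProcessId -ne 0 -and $after.ProcessId -ne $before.ProcessId)
        Note      = ''
    }
}

Restart-SpoolerAndVerify
```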

Checking for Network Exceptions

Once you have set up the Print Spooler Ringfenced policy, and placed it into a monitor only status, wait a few days and then look through your Unified Audit to check for other exceptions that may need to be added before changing this policy to 'Inherit' or 'Secured'.

In the Unified Audit, narrow your search by entering the 'Policy Name', and in the 'Action' dropdown, selecting 'Ringfenced'. 

From here you can see any items that would have been blocked by this policy. Add any exceptions you need to this Ringfencing policy so that, when you change its status to secured, your work environment will continue to function.

To investigate any Ringfenced items in the Unified Audit, click the arrow on the left of the Ringfenced item. Check the 'Policy' name. If it is your SpoolSv.exe (RingFenced) policy and you want to add this address as an Exclusion, click the 'Add to Policy' button on the right.   

The policy will open up, and the IP address will be prepopulated in the textbox. You can click the 'Add' button, and this IP address will now be added as an Exclusion to the policy. 

You can also utilize the 'Tags' feature to serve as a container for domains/IP addresses. This can be applied to the 'Internet' tab included in the Ringfence options.

For more information on Tags, please visit: ThreatLocker: Creating Tags
