This is a vulnerability that affects domain controllers. In a nutshell, if the “Print Spooler” service is enabled (which is the default), any remote authenticated user can execute code as SYSTEM on the domain controller. More detail in this article:
This worklet stops the Print Spooler service on domain controllers and disables it from running at startup. You can run it against any group that contains domain controllers; the evaluation only flags the DCs, so only those are remediated.
Note: More information has come out that this might affect all servers, not just DCs. I modified my original evaluation with the option of checking all servers (not just DCs). If you want to run this against all servers, just remark out the first If statement and un-remark the second one.
Evaluation:
$svcName = "Spooler"
# SilentlyContinue so a host without the service yields $null instead of an error
$svcRunning = Get-Service -Name $svcName -ErrorAction SilentlyContinue
# Used for the domain controller check. Ask AD about *this* computer: without -Identity the cmdlet
# just discovers some DC in the domain and would return a result on any machine that has the
# ActiveDirectory module. A non-DC (identity not found) or a host without the module ends up in catch.
try { $dc = Get-ADDomainController -Identity $env:COMPUTERNAME } catch { $dc = $null }
# Used for the server check
$compConfig = Get-CimInstance -ClassName Win32_ComputerSystem
$role = $compConfig.DomainRole
$serverRole = @(2,3,4,5) # 2 = Standalone Server, 3 = Member Server, 4 = Backup DC, 5 = Primary Domain Controller
# Check if system is a domain controller (or server) and if the Print Spooler service is running. If so, exit 1 to remediate.
### Use this If statement if you only want to check domain controllers ###
If ($dc) {
### Remark out the above If statement and un-remark this one if you want to check all servers ###
# If ($role -in $serverRole) {
    If ($svcRunning -and $svcRunning.Status -eq 'Running') {
        Exit 1
    }
}
Exit 0
Remediation:
$svcName = "Spooler"
# Stop the Print Spooler service (-Force also stops anything that depends on it, e.g. Fax)
# and disable it from running at system startup
Stop-Service -Name $svcName -Force
Set-Service -Name $svcName -StartupType Disabled
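As an added example (my own, not the worklet above), here is one evaluation that takes the scope as a parameter instead of commenting If statements in and out, decides DC-vs-server from DomainRole so it needs no ActiveDirectory module on member servers, and also flags a spooler that is stopped but still set to start automatically. The -Scope parameter and the Test-SpoolerExposure function name are my own; exit codes follow the worklet convention (1 = remediate, 0 = compliant).

```powershell
# Added example, not the original worklet. Run as the evaluation script of a worklet.
param(
    [ValidateSet('DomainControllers', 'AllServers')]
    [string]$Scope = 'DomainControllers'
)

function Test-SpoolerExposure {
    param([string]$Scope)

    # DomainRole from Win32_ComputerSystem: 0/1 = workstation, 2/3 = server,
    # 4 = backup DC, 5 = primary DC. No AD module needed to read it.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $inScope = switch ($Scope) {
        'DomainControllers' { $role -in @(4, 5) }
        'AllServers'        { $role -in @(2, 3, 4, 5) }
    }

    $svc = Get-Service -Name 'Spooler' -ErrorAction SilentlyContinue
    # StartType is exposed by Get-Service on Windows PowerShell 5.x and later
    $startType = if ($svc) { $svc.StartType } else { $null }
    $running   = [bool]($svc -and $svc.Status -eq 'Running')

    # Out of scope, or no service installed at all, counts as compliant. In scope, the spooler
    # must be stopped AND disabled; otherwise a reboot or a manual start re-exposes the host.
    $compliant = (-not $inScope) -or (-not $svc) -or
                 ((-not $running) -and $startType -eq 'Disabled')

    return [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        DomainRole = $role
        InScope    = $inScope
        Installed  = [bool]$svc
        Running    = $running
        StartType  = $startType
        Compliant  = $compliant
    }
}

$state = Test-SpoolerExposure -Scope $Scope
# Echo the findings so they show up in the worklet's activity log
Write-Output ($state | Format-List | Out-String)
if ($state.Compliant) { Exit 0 } else { Exit 1 }
```

Pair it with the remediation above; because the check also looks at StartType, a spooler that someone re-enables after remediation is flagged again on the next evaluation.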