18.7.6 Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher

Information

This policy setting controls which authentication protocol incoming Remote Procedure Call (RPC) connections to the print spooler must use. Negotiate (SPNEGO) selects Kerberos when the client can obtain a service ticket for the spooler and otherwise falls back to NTLM; Kerberos refuses any connection that cannot authenticate with Kerberos.

The recommended state for this setting is: Enabled: Negotiate or Enabled: Kerberos.

Enabling this setting ensures the spooler's RPC listener requires an authenticated security context. Enabled: Kerberos is the stronger of the two values because it removes the NTLM fallback, but it only works where every client is domain-joined and can reach a domain controller; Enabled: Negotiate is the minimum acceptable value.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Negotiate or Enabled: Kerberos:

Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC listener settings: Authentication protocol to use for incoming RPC connections

Note: The Configure RPC listener settings policy contains two drop-downs. The one for this recommendation is Authentication protocol to use for incoming RPC connections; the other, Protocols to allow for incoming RPC connections, is covered by a separate recommendation.

Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).

Impact:

Warning: Enabled: Kerberos rejects clients that cannot authenticate with Kerberos, typically workgroup (non-domain-joined) machines, clients that reach the print server by IP address rather than by a name for which a service principal name exists, and clients in forests with no trust to the print server's domain. Enabled: Negotiate keeps NTLM as a fallback for those clients, so pilot the stricter value on a subset of print servers before deploying it broadly.
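The following PowerShell script is an added example and is not part of the CIS benchmark or the Tenable audit. It audits the local machine for this recommendation and, with -Remediate, writes the equivalent local policy value and restarts the spooler. It assumes that the Configure RPC listener settings policy from Printing.admx stores the authentication choice as the DWORD ForceKerberosForRpc (0 = Negotiate, 1 = Kerberos) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC; confirm the key and value names against your copy of the ADMX before relying on it.

```powershell
# Added example, not from the CIS/Tenable page. Audits and optionally remediates
# the print spooler RPC authentication protocol (recommendation 18.7.6).
# Assumption: Printing.admx writes the "Authentication protocol to use for incoming
# RPC connections" choice to the registry location below as ForceKerberosForRpc
# (0 = Negotiate, 1 = Kerberos). Reading needs no elevation; -Remediate does.
[CmdletBinding()]
param(
    [ValidateSet('Negotiate', 'Kerberos')]
    [string]$Desired = 'Negotiate',   # benchmark floor; pass -Desired Kerberos to enforce the stronger value
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC'   # assumed policy key
$ValueName = 'ForceKerberosForRpc'                                          # assumed value name
$ValueMap  = @{ Negotiate = 0; Kerberos = 1 }

function Get-SpoolerRpcAuthSetting {
    # Returns the configured protocol name, or $null when the policy has never been
    # Enabled (value absent). An absent value is treated as a finding because the
    # benchmark expects the policy to be explicitly Enabled.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    switch ($item.$ValueName) {
        0       { 'Negotiate' }
        1       { 'Kerberos' }
        default { "Unknown($($item.$ValueName))" }
    }
}

function Test-SpoolerRpcAuthCompliance {
    param([string]$Minimum)
    # Negotiate is the floor; Kerberos satisfies "Negotiate or higher".
    $rank = @{ Negotiate = 1; Kerberos = 2 }
    $current = Get-SpoolerRpcAuthSetting
    if (-not $current -or -not $rank.ContainsKey($current)) { return $false }
    return $rank[$current] -ge $rank[$Minimum]
}

$current = Get-SpoolerRpcAuthSetting
$shown = if ($current) { $current } else { 'Not Configured' }
Write-Host "18.7.6 ${ValueName}: $shown"

if (Test-SpoolerRpcAuthCompliance -Minimum $Desired) {
    Write-Host 'PASS: setting meets the benchmark minimum.'
} elseif ($Remediate) {
    # Local-policy remediation for machines outside GPO scope; a GPO writes the same value.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueMap[$Desired] -Type DWord
    # Restart the spooler so the RPC listener is re-created with the new setting.
    Restart-Service -Name Spooler -Force
    Write-Host "Remediated: $ValueName = $($ValueMap[$Desired]) ($Desired); Spooler restarted."
} else {
    Write-Host 'FAIL: re-run with -Remediate, or deploy the GPO from the Solution section.'
    exit 1
}
```

Run it without arguments on a pilot machine to see how the policy currently evaluates, then with -Desired Kerberos on print servers whose clients are all domain-joined; a FAIL after a GPO deployment usually means the policy has not yet refreshed (gpupdate /force) or the ADMX version in the central store predates the 22H2 template named in the Note above.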

See Also

https://workbench.cisecurity.org/benchmarks/25733

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-3(1)

Plugin: Windows

Control ID: 4985699b49366c951f78d873301abb6d2da15d6d663d18669818ad60aad28c29