Disable Print Spooler on AD DS Domain Controllers
Ensure the Print Spooler is turned off on AD DS domain controllers for security.
Plain language
Disabling the Print Spooler service on your Microsoft Active Directory Domain Services (AD DS) domain controllers is like locking a door that doesn’t need to be opened. It prevents unnecessary risk because hackers can exploit this service to access sensitive data or disrupt your network. By turning it off, you’re simply reducing an avenue for cyber attacks on your important systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The Print Spooler service is disabled on Microsoft AD DS domain controllers.
Why it matters
If Print Spooler runs on AD DS domain controllers, spooler flaws (e.g. PrintNightmare) can enable domain-level privilege escalation or credential theft.
Operational notes
Use GPO to disable Print Spooler on all domain controllers; regularly audit service state after patches and ensure no admin action re-enables it.
Implementation tips
- IT team should disable the Print Spooler service on all domain controllers. To do this, they must access each server, locate the Print Spooler in the services list, and set it to 'Disabled'. This ensures it won’t start even after a reboot.
- System administrators should update their server management procedures to reflect this change. They should document the steps taken to disable the service and inform other staff involved in system management about the changes to avoid confusion.
- The IT manager should ensure that staff are aware that printers should be handled through other servers or services, not domain controllers. This involves coordinating with office managers to discuss alternative options for managing printers.
- Compliance officers should update any internal control documents and security policies. They should include this specific practice of disabling the Print Spooler to ensure it aligns with organisational security protocols and the Essential Eight strategies.
- Audit teams should schedule regular checks to confirm the Print Spooler service remains disabled on domain controllers. They can create a checklist for IT staff verifying that the service setting hasn’t changed.
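One way to run the recurring service-state check described in the operational notes and the audit tip above, as an added example that is not part of the ISM or of this control page. The function names `Test-SpoolerCompliance` and `Get-DcSpoolerService`, the DC names in the sample records and the CSV path are assumptions; live collection assumes the ActiveDirectory module and WinRM access to each domain controller.

```powershell
# Added example: audit Print Spooler state on domain controllers.
# Compliant means StartMode 'Disabled' AND State 'Stopped' (Win32_Service values).

function Test-SpoolerCompliance {
    param([Parameter(Mandatory, ValueFromPipeline)] $Service)
    process {
        $issues = @()
        if ($Service.StartMode -ne 'Disabled') { $issues += "StartMode=$($Service.StartMode)" }
        if ($Service.State -ne 'Stopped')      { $issues += "State=$($Service.State)" }
        [pscustomobject]@{
            DomainController = $Service.SystemName
            StartMode        = $Service.StartMode
            State            = $Service.State
            Compliant        = ($issues.Count -eq 0)
            Finding          = ($issues -join '; ')
        }
    }
}

function Get-DcSpoolerService {
    # Live collection: enumerates every DC in the current domain and queries the Spooler service.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ComputerName $dc.HostName -ErrorAction Stop
            if (-not $svc) { throw 'Spooler service not returned' }
            $svc
        } catch {
            # A DC that cannot be queried is reported as a finding, not silently skipped.
            [pscustomobject]@{ SystemName = $dc.HostName; StartMode = 'Unknown'; State = 'QueryFailed' }
        }
    }
}

# Constructed sample records (hypothetical DC names) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ SystemName = 'DC01'; StartMode = 'Disabled'; State = 'Stopped' }  # compliant
    [pscustomobject]@{ SystemName = 'DC02'; StartMode = 'Auto';     State = 'Running' }  # re-enabled
    [pscustomobject]@{ SystemName = 'DC03'; StartMode = 'Disabled'; State = 'Running' }  # disabled but never stopped
)

$report = $sample | Test-SpoolerCompliance
# Against a real domain, replace the line above with:
# $report = Get-DcSpoolerService | Test-SpoolerCompliance

$report | Format-Table -AutoSize
# Keep non-compliant rows as audit evidence.
$report | Where-Object { -not $_.Compliant } | Export-Csv -NoTypeInformation -Path .\spooler-findings.csv
```

The DC03 case matters in practice: setting the startup type to 'Disabled' does not stop a service that is already running, so the check looks at both values.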
Audit / evidence tips
- Ask: a recent screenshot or report of the services running on a sample of domain controllers
  Good: shows the service is set to 'Disabled'
- Good: clearly states that the service should be disabled and outlines the steps taken
- Ask: training records or meeting notes where IT staff discussed managing printers on the network
  Good: includes discussion notes or an action item confirming understanding
- Good: confirms no such activities have occurred
- Ask: an incident response plan that includes procedures for when unexpected services are found running. Check that it covers identifying and addressing the Print Spooler being enabled
  Good: details immediate steps to disable it and investigate further
Cross-framework mappings
How ISM-1828 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.9 | ISM-1828 requires the Print Spooler service to be disabled specifically on Microsoft AD DS domain controllers to reduce attack surface | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.