ISM-1828 ASD Information Security Manual (ISM)

Disable Print Spooler on AD DS Domain Controllers

Ensure the Print Spooler is turned off on AD DS domain controllers for security.

Preventative Non-classified OFFICIAL: Sensitive PROTECTED SECRET TOP SECRET ASD Information Security Manual Governance Hardening Configuration management

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Guideline

Guidelines for system hardening

Section

Server application hardening

Topic

Microsoft Active Directory Domain Services Domain Controllers

Official control statement

The Print Spooler service is disabled on Microsoft AD DS domain controllers.

Source: ASD Information Security Manual (ISM)

Plain language

Disabling the Print Spooler service on your Microsoft Active Directory Domain Services (AD DS) domain controllers is like locking a door that doesn’t need to be opened. It prevents unnecessary risk because hackers can exploit this service to access sensitive data or disrupt your network. By turning it off, you’re simply reducing an avenue for cyber attacks on your important systems.

Why it matters

If Print Spooler runs on AD DS domain controllers, spooler flaws (e.g. PrintNightmare) can enable domain-level privilege escalation or credential theft.

Operational notes

Use GPO to disable Print Spooler on all domain controllers; regularly audit service state after patches and ensure no admin action re-enables it.

Implementation tips

IT team should disable the Print Spooler service on all domain controllers. To do this, they must access each server, locate the Print Spooler in the services list, and set it to 'Disabled'. This ensures it won’t start even after a reboot.
System administrators should update their server management procedures to reflect this change. They should document the steps taken to disable the service and inform other staff involved in system management about the changes to avoid confusion.
The IT manager should ensure that staff are aware that printers should be handled through other servers or services, not domain controllers. This involves coordinating with office managers to discuss alternative options for managing printers.
Compliance officers should update any internal control documents and security policies. They should include this specific practice of disabling the Print Spooler to ensure it aligns with organisational security protocols and the Essential Eight strategies.
Audit teams should schedule regular checks to confirm the Print Spooler service remains disabled on domain controllers. They can create a checklist for IT staff verifying that the service setting hasn’t changed.

Audit / evidence tips

Ask: a recent screenshot or report of the services running on a sample of domain controllers

Good: shows the service is set to 'Disabled'
Good: clearly states that the service should be disabled and outlines the steps taken
Ask: training records or meeting notes where IT staff discussed managing printers on the network

Good: includes discussion notes or an action item confirming understanding
Good: confirms no such activities have occurred
Ask: an incident response plan that includes procedures for when unexpected services are found running. Check that it covers identifying and addressing the Print Spooler being enabled

Good: details immediate steps to disable it and investigate further

Cross-framework mappings

How ISM-1828 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control	Notes	Details
Partially meets (1)
Annex A 8.9	ISM-1828 requires the Print Spooler service to be disabled specifically on Microsoft AD DS domain controllers to reduce attack surface