Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 775
  • Last Modified:

Mitigating Risk of Load and Unload Device Drivers

I am looking for ways to mitigate the security risk inherent in giving users the "Load and unload device drivers" right in XP Pro.

My users are mostly road warriors with laptops, often in austere areas for extended periods.  Their biggest complaint: They can't install the printers available at the remote locations.

However, in the interest of network security at home, I don't provide any one with local computer Power User or Administrator privileges.  In the few exceptions to that policy, the users have demonstrated they can't keep their hands out of the cookie jar when they have the ability to install software.  As such, software license management, software configuration control, and network security is compromised.  Microsoft has not well thought out device drivers, in my opinion, but I am now directed to provide the right to load and unload device drivers, which requires a user be a Power User or Administrator on the local machine.  

My specific question: Is there a method to prevent power users from installing non-device driver software?  

Rob B.
1 Solution
Not that i know of...

I dont see how to diferentiate between driver installations, and other software.
Hope for your sake someone else has better news.
3RIAuthor Commented:
I discovered the problem is worse than I first thought...the netads applied a security template which removes Power Users from the system32 directory and God only knows where else they've made similar modifications that impact the default XP client operation.  Now I am forced to elevate plain old users to administrators (wow, that's real secure!) to allow them to install print drivers as I'm not allowed to reverse-engineer network security settings.

Anyway, my problem.  I knew the answer before I asked, but thought (hoped?) there was something I overlooked.

Rob B.
I think you can possibly remove the admin rights and apply the following GPO or Local Security...

"Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers"

MS says it might be a security risk but I think it's safer than adding Administrative rights.  Hope it helps.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now