3RI
asked on
Mitigating Risk of Load and Unload Device Drivers
I am looking for ways to mitigate the security risk inherent in giving users the "Load and unload device drivers" right in XP Pro.
My users are mostly road warriors with laptops, often in austere areas for extended periods. Their biggest complaint: They can't install the printers available at the remote locations.
However, in the interest of network security at home, I don't provide anyone with local computer Power User or Administrator privileges. In the few exceptions to that policy, the users have demonstrated they can't keep their hands out of the cookie jar when they have the ability to install software. As such, software license management, software configuration control, and network security are compromised. Microsoft has not well thought out device drivers, in my opinion, but I am now directed to provide the right to load and unload device drivers, which requires a user be a Power User or Administrator on the local machine.
My specific question: Is there a method to prevent power users from installing non-device driver software?
Rob B.
I think you can possibly remove the admin rights and apply the following GPO or Local Security...
"Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers"
MS says it might be a security risk but I think it's safer than adding Administrative rights. Hope it helps.
ASKER
Anyway, my problem. I knew the answer before I asked, but thought (hoped?) there was something I overlooked.
Rob B.