Mitigating Risk of Load and Unload Device Drivers

I am looking for ways to mitigate the security risk inherent in giving users the "Load and unload device drivers" right in XP Pro.

My users are mostly road warriors with laptops, often in austere areas for extended periods.  Their biggest complaint: They can't install the printers available at the remote locations.

However, in the interest of network security at home, I don't provide any one with local computer Power User or Administrator privileges.  In the few exceptions to that policy, the users have demonstrated they can't keep their hands out of the cookie jar when they have the ability to install software.  As such, software license management, software configuration control, and network security is compromised.  Microsoft has not well thought out device drivers, in my opinion, but I am now directed to provide the right to load and unload device drivers, which requires a user be a Power User or Administrator on the local machine.  

My specific question: Is there a method to prevent power users from installing non-device driver software?  


Rob B.
3RIAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

BondfromHPCommented:
Not that i know of...

I dont see how to diferentiate between driver installations, and other software.
Hope for your sake someone else has better news.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
3RIAuthor Commented:
I discovered the problem is worse than I first thought...the netads applied a security template which removes Power Users from the system32 directory and God only knows where else they've made similar modifications that impact the default XP client operation.  Now I am forced to elevate plain old users to administrators (wow, that's real secure!) to allow them to install print drivers as I'm not allowed to reverse-engineer network security settings.

Anyway, my problem.  I knew the answer before I asked, but thought (hoped?) there was something I overlooked.

Rob B.
0
sthubertCommented:
I think you can possibly remove the admin rights and apply the following GPO or Local Security...

"Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers"

MS says it might be a security risk but I think it's safer than adding Administrative rights.  Hope it helps.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.