Mitigating Risk of Load and Unload Device Drivers
Posted on 2004-11-27
I am looking for ways to mitigate the security risk inherent in giving users the "Load and unload device drivers" right in XP Pro.
My users are mostly road warriors with laptops, often in austere areas for extended periods. Their biggest complaint: They can't install the printers available at the remote locations.
However, in the interest of network security at home, I don't provide any one with local computer Power User or Administrator privileges. In the few exceptions to that policy, the users have demonstrated they can't keep their hands out of the cookie jar when they have the ability to install software. As such, software license management, software configuration control, and network security is compromised. Microsoft has not well thought out device drivers, in my opinion, but I am now directed to provide the right to load and unload device drivers, which requires a user be a Power User or Administrator on the local machine.
My specific question: Is there a method to prevent power users from installing non-device driver software?