Mitigating Risk of Load and Unload Device Drivers

Posted on 2004-11-27
Last Modified: 2009-02-24
I am looking for ways to mitigate the security risk inherent in giving users the "Load and unload device drivers" right in XP Pro.

My users are mostly road warriors with laptops, often in austere areas for extended periods.  Their biggest complaint: They can't install the printers available at the remote locations.

However, in the interest of network security at home, I don't provide any one with local computer Power User or Administrator privileges.  In the few exceptions to that policy, the users have demonstrated they can't keep their hands out of the cookie jar when they have the ability to install software.  As such, software license management, software configuration control, and network security is compromised.  Microsoft has not well thought out device drivers, in my opinion, but I am now directed to provide the right to load and unload device drivers, which requires a user be a Power User or Administrator on the local machine.  

My specific question: Is there a method to prevent power users from installing non-device driver software?  

Rob B.
Question by:3RI
    LVL 2

    Accepted Solution

    Not that i know of...

    I dont see how to diferentiate between driver installations, and other software.
    Hope for your sake someone else has better news.

    Author Comment

    I discovered the problem is worse than I first thought...the netads applied a security template which removes Power Users from the system32 directory and God only knows where else they've made similar modifications that impact the default XP client operation.  Now I am forced to elevate plain old users to administrators (wow, that's real secure!) to allow them to install print drivers as I'm not allowed to reverse-engineer network security settings.

    Anyway, my problem.  I knew the answer before I asked, but thought (hoped?) there was something I overlooked.

    Rob B.

    Expert Comment

    I think you can possibly remove the admin rights and apply the following GPO or Local Security...

    "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers"

    MS says it might be a security risk but I think it's safer than adding Administrative rights.  Hope it helps.

    Featured Post

    Free Trending Threat Insights Every Day

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    Suggested Solutions

    Most of the time we are in fix when all of sudden our systems behave weirdly.  Such problems cost time and effort... so it's best to take some preventive actions so that we can avoid such issues or overcome such problems more easily. Preventive M…
    There are 2 things you must have in order to connect to the internet behind a router, The "Gateway IP" of the router, which is usually something like, I've seen routers with default values of:,,, …
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now