How did the Unsigned non-driver installation behavior Group Policy setting (Windows 2000 only) port to Windows 2003 Group Policy?  Or did it?

Posted on 2009-02-11
Last Modified: 2012-05-06
On our Windows 2003 R2 domain controllers, we see the following registry setting:

HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing = 1

According to MS KB822798, this was set by the Unsigned non-driver installation behavior Group Policy setting in Windows 2000.  Is there a Group Policy setting in Windows 2003 which sets this?  If no policy setting currently exists in Windows 2003, what is the recommended way of setting this in Windows 2003 Group Policy?

Thanks in advance.
Question by:ISWSIMBX

Expert Comment

by:Mike Kline
ID: 23618394
Yes, the policy exists in Windows 2003 too
http://msdn.microsoft.com/en-us/library/ms814360.aspx
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Devices: Unsigned driver installation behavior
 
Thanks
Mike

Author Comment

by:ISWSIMBX
ID: 23618457
Mike,

Your post is not what I am looking for. The referenced article is for a Windows 2000 system and the text of your post 'Devices: Unsigned driver installation behavior' deals with unsigned drivers.

I'm looking for the 'Unsigned NON-DRIVER installation behavior' group policy setting in Windows 2003.

Expert Comment

by:Mike Kline
ID: 23618938
ok
Screen shots are from a W2K3 DC (no W2K boxes in the environment).
 
Thanks
Mike

Unsigned-1.JPG
Unsigned-2.JPG
Unsigned3.JPG

Expert Comment

by:Mike Kline
ID: 23619667
Quick follow-up: here is some guidance on the setting from the DISA security guide
 
http://www.unifiedcompliance.com/matrices/live/02038.html
The DISA Windows Server 2003 Security Checklist Version 6 § 5.3.8.13 states that the system should warn users if they are about to install an unsigned driver or not install drivers if they are unsigned. The "Devices: Unsigned driver installation behavior" value should be set to either "Warn but allow installation" or "Do not allow installation".
Where I work we use the DISA, NSA and Microsoft guides for security guidance
Thanks
Mike

Author Comment

by:ISWSIMBX
ID: 23628043
Mike,

Again, we are interested in Unsigned NON-Driver installation, not Unsigned Driver Installation.

Expert Comment

by:Mike Kline
ID: 23628112
Sorry about that, man, my bad on that
I can't find the setting in 2003
I also went through the GP spreadsheet
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&displaylang=en
Doesn't seem to be in there natively.
 

Accepted Solution

by:ISWSIMBX
ID: 23628541
I agree. I don't see it anywhere as well.

So I'm going to write a custom ADM template to make the registry change via a 2003 Group Policy. That should work and leave a good audit trail.

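One way to write the custom ADM template described in the accepted solution, added here as an example and not the poster's own template. The key and the value name `Policy` are the ones quoted in this thread; the category and policy names, and the meanings given to the values 0, 1 and 2 (taken to mirror the driver-signing setting), are assumptions.

```adm
; Added example: custom ADM template for the Non-Driver Signing value.
; The key and value name are the ones quoted in this thread. Everything
; under [strings] and the 0/1/2 meanings are assumptions.
CLASS MACHINE

CATEGORY !!CatSigning
    POLICY !!PolNonDriver
        KEYNAME "Software\Microsoft\Non-Driver Signing"
        EXPLAIN !!PolNonDriverHelp
        ; One drop-down that writes a single numeric value named "Policy".
        PART !!PartBehavior DROPDOWNLIST REQUIRED
            VALUENAME "Policy"
            ITEMLIST
                NAME !!OptSilent VALUE NUMERIC 0
                NAME !!OptWarn   VALUE NUMERIC 1 DEFAULT
                NAME !!OptBlock  VALUE NUMERIC 2
            END ITEMLIST
        END PART
    END POLICY
END CATEGORY

[strings]
CatSigning="Custom: Code signing"
PolNonDriver="Unsigned non-driver installation behavior"
PolNonDriverHelp="Sets HKLM\Software\Microsoft\Non-Driver Signing\Policy.\n\nThe key is outside the Policies branches, so the value stays in the registry after the GPO stops applying."
PartBehavior="Behavior:"
OptSilent="Silently succeed (assumed meaning of 0)"
OptWarn="Warn but allow installation (assumed meaning of 1)"
OptBlock="Do not allow installation (assumed meaning of 2)"
```

Because the key is outside the Policies branches, this is a preference: the registry value stays after the GPO is removed, and the Group Policy editor hides the setting until the "Only show policy settings that can be fully managed" filter is turned off. ADM NUMERIC items are written as REG_DWORD, so check the type of the existing value with `reg query "HKLM\Software\Microsoft\Non-Driver Signing" /v Policy` before deploying.
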
Expert Comment

by:BCSITS
ID: 36000832
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\Policy
change Policy value from "01" to "00"