
Devices: Prevent users from installing printer drivers

The idea of this setting is to protect against users loading untrusted, potentially unstable or malicious printer drivers, which in most versions of Windows run in kernel mode. If the setting is enabled, installing printer drivers is limited to Administrators, Power Users, or Server Operators.

This setting apparently only applies to installing printer drivers in the context of adding a network printer. This is not to be confused with a standalone network printer to which you connect directly via TCP/IP. The right terminology, in my opinion, would have been to call it a shared printer instead of a network printer. But in Windows’ twisted view of the world, a network printer to which you directly connect (without going through a print server) is a “local” printer – you just use a “Standard TCP/IP Port” instead of an LPT, COM or USB port.

This setting has no effect on users’ ability to install printer drivers in the context of adding a local printer. I know, it makes no sense to me either. Well, it does make sense in the context of Terminal Services, and I think that’s what this policy is really all about; read on.

Anyway, if this setting is enabled, only Administrators (and, according to some documentation, Power Users) are allowed to install printer drivers for network printers shared by another Windows server. Even with this setting enabled, unprivileged users may still install network printer drivers if the computer can find the driver on the “trusted path”. Administrators can configure a trusted path that Windows will search for the needed printer driver instead of loading it from the network print server. To configure a trusted path, locate HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers in the registry and add two values:

  • LoadTrustedDrivers – REG_DWORD = 1
  • TrustedDriverPath – REG_SZ = \\servername\sharename

With LoadTrustedDrivers set to 1, Windows will only allow users to install printer drivers found in TrustedDriverPath.

How do you find and install those drivers? First install each driver on a reference computer. When you install a printer driver, Windows adds it to %SystemRoot%\System32\Spool\Drivers\W32x86\. Then copy the files and subfolders in W32x86 to the shared folder named in TrustedDriverPath and make sure your users have permission to read it.
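As an added example (not code from the WinSecWiki page, nor anything shipped by Microsoft), the following PowerShell script creates the two registry values described above and then audits the result: it confirms the values are consistent with each other, that the share is reachable and actually contains driver .inf files copied from W32x86, and that broad groups such as Everyone or Authenticated Users cannot write to the share (a trusted path that users can write to is no longer trusted). It assumes the key and value names exactly as given on the page; the UNC share name is a constructed placeholder. It also reads the AddPrinterDrivers value, which is the registry value Microsoft documents as backing this policy setting but which this page itself does not name.

```powershell
# Added example, not from the original page. Run elevated on the print client
# (for example the Terminal Server). Key and value names are those given on the page.
$KeyPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
$TrustedPath = '\\PRINTSRV01\TrustedDrivers'   # constructed placeholder share name

function Set-TrustedDriverPath {
    param([Parameter(Mandatory)][string]$Path)
    # Create the key if it is missing, then the two values the page describes.
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name 'LoadTrustedDrivers' -Value 1     -Type DWord
    Set-ItemProperty -Path $KeyPath -Name 'TrustedDriverPath'  -Value $Path -Type String
}

function Get-TrustedDriverConfig {
    # Return the current values (null when not set) so the state can be reasoned about.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # AddPrinterDrivers: assumed (from Microsoft docs, not this page) to be the value
        # behind "Devices: Prevent users from installing printer drivers"; 1 = enabled.
        AddPrinterDrivers  = $props.AddPrinterDrivers
        LoadTrustedDrivers = $props.LoadTrustedDrivers
        TrustedDriverPath  = $props.TrustedDriverPath
    }
}

function Test-TrustedDriverConfig {
    # Returns a list of findings (empty when everything looks right).
    $cfg = Get-TrustedDriverConfig
    $findings = @()

    if ($cfg.AddPrinterDrivers -ne 1) {
        $findings += 'AddPrinterDrivers is not 1: the policy itself does not appear to be enabled.'
    }
    if ($cfg.LoadTrustedDrivers -ne 1) {
        $findings += 'LoadTrustedDrivers is not 1: the trusted-path restriction is not active.'
    }
    if ([string]::IsNullOrWhiteSpace($cfg.TrustedDriverPath)) {
        $findings += 'TrustedDriverPath is empty: with LoadTrustedDrivers=1 no user driver install can succeed.'
        return $findings
    }
    if (-not (Test-Path -LiteralPath $cfg.TrustedDriverPath)) {
        $findings += "TrustedDriverPath '$($cfg.TrustedDriverPath)' is not reachable from this host."
        return $findings
    }

    # The page says to copy the contents of %SystemRoot%\System32\Spool\Drivers\W32x86
    # into the share; verify that at least one driver .inf actually landed there.
    $infs = Get-ChildItem -LiteralPath $cfg.TrustedDriverPath -Recurse -Filter '*.inf' -ErrorAction SilentlyContinue
    if (-not $infs) {
        $findings += 'No .inf files found under TrustedDriverPath; there is nothing for users to install.'
    }

    # Users need read access (as the page notes); write access for broad groups would let
    # anyone place a driver of their choosing into the "trusted" location.
    $broadGroups = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE'
    $writeRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $acl = Get-Acl -LiteralPath $cfg.TrustedDriverPath
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $identity -and
            (([int]$ace.FileSystemRights -band $writeRights) -ne 0)) {
            $findings += "'$identity' has write rights on TrustedDriverPath; restrict this group to Read."
        }
    }
    return $findings
}

# Usage (elevated):
#   Set-TrustedDriverPath -Path $TrustedPath
#   Test-TrustedDriverConfig | ForEach-Object { Write-Warning $_ }
```

The audit deliberately stops early when the path is empty or unreachable, because the remaining checks would only produce noise. The NTFS check covers the folder's own ACL only; the share-level permissions on the file server need the same review, since the effective access is the more restrictive of the two.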

That brings us to where this policy is useful. It’s not useful on workstations, since users can install printer drivers for local printers anyway. However, think about a Terminal Services environment. Users typically don’t have physical access to the Terminal Server itself and so can’t install local printers. Users often want to be able to print to printers on the local workstation where they are physically present. But printing to a local printer through Remote Desktop Connection utilizes the Windows shared printer capability and requires the driver for that printer to be installed on the Terminal Server where the printer output originates. Of course, you might not want users installing just any printer driver on a sensitive or large Terminal Server hosting many different users, and that’s what this policy controls. The trusted path option allows you to prepopulate the Terminal Server with a number of printer drivers you anticipate users may want to use. In the real world, of course, it will always work out to be the one model you didn’t install, right?

Bottom line

So anyway, unless this is a Terminal Server, I wouldn’t worry about this option.
