This guide describes the device installation process and introduces the device identification strings that Windows uses to match a device with the device-driver packages available on a machine. The guide also illustrates two methods of controlling device installation. Each scenario shows, step by step, one method you can use to allow or prevent the installation of a specific device or a class of devices. The example device used in the scenarios is a USB storage device.
You can perform the steps in this guide using a different device. However, if you use a different device, then the instructions in the guide will not exactly match the user interface that appears on the computer. The steps provided in this guide are intended for use in a test lab environment.
This step-by-step guide is not meant to be used to deploy Windows Server features without accompanying documentation and should be used with discretion as a stand-alone document. Restricting the devices that users can install reduces the risk of data theft and reduces the cost of support. It is more difficult for users to make unauthorized copies of company data if users' computers cannot install unapproved devices that support removable media.
For example, if users cannot install a USB thumb-drive device, they cannot download copies of company data onto a removable storage. This benefit cannot eliminate data theft, but it creates another barrier to unauthorized removal of data. You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion. The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage.
The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.
With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. In the first scenario, the administrator wants to prevent users from installing any printers. In the second scenario, the administrator allows standard users to install all printers while preventing them from installing a specific one.
In this scenario, you combine what you learned from scenarios 1 and 2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This is a more realistic scenario and brings you a step farther in your understanding of the Device Installation Restrictions policies.
This scenario, although similar to scenario 2, adds another layer of complexity: how device connectivity works in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand how devices are nested in layers under the PnP device connectivity tree.
In this scenario, which combines all four previous scenarios, you learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed.
This scenario builds on the policies and structure introduced in the first four scenarios, so you should work through them before attempting this one.
The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios. A device is a piece of hardware with which Windows interacts to perform some function or, in a more technical definition, a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem.
Windows can communicate with a device only through a piece of software called a device driver, also known simply as a driver. To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings.
A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those included with the driver packages.
Windows uses four types of identifiers to control device installation and configuration. You can use the Group Policy settings in Windows to specify which of these identifiers to allow or block. A device instance ID is a system-supplied device identification string that uniquely identifies a device in the system.
Windows can use each string to match a device to a driver package. The strings range from the specific, matching a single make and model of a device, to the general, possibly applying to an entire class of devices. There are two types of device identification strings: hardware IDs and compatible IDs.
Hardware IDs are the identifiers that provide the exact match between a device and a driver package. The first string in the list of hardware IDs is referred to as the device ID, because it matches the exact make, model, and revision of the device. The other hardware IDs in the list match the details of the device less exactly. For example, a hardware ID might identify the make and model of the device but not the specific revision.
This scheme allows Windows to use a driver for a different revision of the device if the driver for the correct revision is not available. Windows uses compatible IDs to select a driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in order of decreasing suitability. These strings are optional and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID.
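As an added example (not part of the guide), the following PowerShell function lists the identifier types described above for every present device in a setup class, using the built-in PnpDevice cmdlets (Windows 8 / Server 2012 and later). The function name and the USB default are my own choices; the DEVPKEY names are the standard property keys.

```powershell
# Added example: enumerate the identification strings Windows uses to match a
# device against driver packages and Device Installation Restrictions policies.
# Run in an elevated PowerShell session so every property is readable.

function Get-DeviceIdentifierReport {
    param(
        # Device setup class as shown in Device Manager; the default (USB)
        # covers the storage device used in the guide's scenarios.
        [string]$Class = 'USB'
    )

    Get-PnpDevice -Class $Class -PresentOnly | ForEach-Object {
        $id = $_.InstanceId
        # Each property query returns an object whose .Data holds the value(s).
        $hw  = @((Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_HardwareIds').Data)
        $cid = @((Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_CompatibleIds').Data)
        $cls = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_ClassGuid').Data

        [pscustomobject]@{
            FriendlyName  = $_.FriendlyName
            InstanceId    = $id            # unique on this system; may change with port or slot
            DeviceId      = $hw[0]         # first hardware ID: exact make, model and revision
            HardwareIds   = $hw            # ordered from most to least specific
            CompatibleIds = $cid           # generic fallbacks, in decreasing suitability
            ClassGuid     = $cls           # device setup class, usable for class-level policy
        }
    }
}

# Usage: show every identifier an allow or deny policy could reference, most
# specific first. Choose DeviceId to target one make/model/revision, a broader
# HardwareId for a model family, or ClassGuid for the whole device class.
Get-DeviceIdentifierReport -Class 'USB' |
    Format-List FriendlyName, InstanceId, DeviceId, HardwareIds, CompatibleIds, ClassGuid
```

Because Windows ranks driver matches from the device ID downward, the same ordering tells you how narrowly a policy entry built from each string will apply.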
The rank indicates how well the driver matches the device. Just adding a network printer is available. Some people say it's not possible without giving the user at least Power User rights locally on their machines. Do they have permission to install software and devices in general? The install driver allowance only allows them to install drivers, but doesn't allow them to install devices.
By default, normal users don't have the permissions to install devices. To install devices the user needs to be an admin or power user, but I will have a look to see if I can circumvent this with some group policy hacks. I'll let you know if I come up with anything. You could use restricted groups to give users that need it temp elevated privs. Or create an AD group for installing printers, elevate that group to power user, and when a user needs to install a printer, you can add them to that group for a short time, for them to install, then remove them.
By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them doesn't respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects. Automatically publish new printers in the Active Directory: By default, this setting is turned on.
It can be turned off so that only shared printers that are selected are put in the directory. Check published state: Used to verify that published printers are published in Active Directory. By default, the published state isn't verified. If this bit isn't selected, the navigation pane of the Printers folder displays URLs for selected printer plus a vendor support URL if it's available.
By default it isn't selected, which means there is no customized support URL. Computer Location: Specifies the default location criteria that are used when searching for printers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the Pre-populate printer search location text setting.
When Location Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The value that you type here overrides the actual location of the computer that is conducting the search.
Type the location of the user's computer. When users search for printers, the system uses the specified location and other search criteria to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use. Directory pruning interval: The pruning interval determines the period of time that the pruner sleeps between checks for abandoned PrintQueue objects. The pruner reads the pruning interval value every hour.
Directory pruning retry: Sets the number of times that the PrintQueue pruner tries to contact the print server before it deletes an abandoned PrintQueue object. Directory pruning priority: Sets the thread priority of the pruning thread.
The pruning thread runs only on domain controllers and is responsible for deleting stale printers from the directory. The default value is 0. Disallow installation of printers using kernel-mode drivers: Determines whether printers that use kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory.
Therefore, poorly written kernel-mode drivers can cause stop errors. Log directory pruning retry events: Specifies whether to log events when the pruning service on a domain controller tries to contact a computer before it prunes the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use.
If a computer doesn't respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The Directory pruning retry setting determines the number of times that the attempt is retried. The default value is two retries. The Directory Pruning Interval setting determines the time interval between retries. The default value is eight hours.
If the computer hasn't responded by the last contact attempt, its printers are pruned from the directory. Pre-populate printer search location text: Enables the physical Location Tracking setting for Windows printers.
Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. By default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:
Note: If you are not using Point and Print, you should not be affected by this change and will be protected by default after installing updates released August 10, or later. Important: Printing clients in your environment must have an update released January 12, or later before installing updates released September 14. You can modify this default behavior using the registry key in the table below. However, be very careful when using a value of zero (0), because doing that makes devices vulnerable.
If you must use the registry value of 0 in your environment, we recommend using it temporarily while you adjust your environment to allow Windows devices to use the value of one (1). Default behavior: Setting this value to 1, or leaving the key not defined or not present, requires administrator privilege to install any printer driver when using Point and Print.
This registry key will override all Point and Print Restrictions Group Policy settings and ensures that only administrators can install printer drivers from a print server using Point and Print. Setting the value to 0 allows non-administrators to install signed and unsigned drivers to a print server but does not override the Point and Print Group Policy settings.
Consequently, the Point and Print Restrictions Group Policy settings can override this registry key setting to prevent non-administrators from installing signed and unsigned print drivers from a print server.
Some administrators might set the value to 0 to allow non-admins to install and update drivers after adding additional restrictions, including adding a policy setting that constrains where drivers can be installed from. Important: There is no combination of mitigations that is equivalent to setting RestrictDriverInstallationToAdministrators to 1.
Note: Updates released July 6, or later have a default of 0 (disabled) until the installation of updates released August 10, or later. Updates released August 10, or later have a default of 1 (enabled). Note: Windows updates will not set or change the registry key. You can set the registry key before or after installing updates released August 10, or later. To automate the addition of the RestrictDriverInstallationToAdministrators registry value, follow these steps:
After installing updates released October 12, or later, you can also set RestrictDriverInstallationToAdministrators using a Group Policy, using the following instructions: Set the Limits print driver installation to Administrators setting to "Enabled". If you set RestrictDriverInstallationToAdministrators as not defined or to 1, depending on your environment, users must use one of the following methods to install printers:
Provide an administrator username and password when prompted for credentials when attempting to install a printer driver. Note: If you cannot install printer drivers, even with administrator privilege, you must disable the Only use Package Point and Print Group Policy.
The following mitigations can help secure all environments, but especially if you must set RestrictDriverInstallationToAdministrators to 0.
These mitigations do not completely address the vulnerabilities in the CVE. Verify that Security Prompts are enabled for Point and Print as described in the KB article "Restricting installation of new printer drivers after applying the July 6, updates". This policy, Point and Print Restrictions, applies to Point and Print printers using a non-package-aware driver on the server.