Prevent Users From Installing Printer Drivers

Contributed by davak, August 3, 2003  
Tagged: Windows security

Printer drivers can contain trojans. On a secure system, a default-level user should not be able to install drivers. This recipe closes this hole.


Block Users From Installing Printer Drivers

On Win2k, WinXP, and WinNT the default level user can install (potentially trojan) printer drivers.

This involves editing your registry. Always export your current registry and save the backup before editing.

Make this simple change:
Hive: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers
Key: AddPrinterDrivers
Type: REG_DWORD
Value: 1
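
The change above, scripted with the backup step included, as an added example that is not part of the original recipe. It must run from an elevated PowerShell prompt; the function name and the backup file location are assumptions made for illustration.

```powershell
# Added example: audit and enforce the AddPrinterDrivers setting from this recipe.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
$RegExeKey = 'HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
$ValueName = 'AddPrinterDrivers'
$Desired   = 1
$Backup    = Join-Path $env:TEMP 'LanManPrintServers-backup.reg'   # assumed location

function Get-AddPrinterDrivers {
    # Returns the current DWORD, or $null when the key or the value is absent.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-AddPrinterDriversRestriction {   # hypothetical helper name
    $current = Get-AddPrinterDrivers
    if ($current -eq $Desired) {
        return "$ValueName is already $Desired; nothing to change."
    }

    if (Test-Path -Path $KeyPath) {
        # Export the key before editing, as the recipe advises.
        & reg.exe export $RegExeKey $Backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $RegExeKey failed; aborting." }
    } else {
        # Nothing to back up yet; create the key so the value can be written.
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Desired -Force | Out-Null

    # Read the value back to confirm the write took effect.
    $after = Get-AddPrinterDrivers
    if ($after -ne $Desired) { throw "$ValueName is '$after' after write; expected $Desired." }
    return "$ValueName changed from '$current' to $after (backup: $Backup)"
}

Set-AddPrinterDriversRestriction
```

Running `Get-AddPrinterDrivers` on its own reports the current state without changing anything, which is useful when auditing several machines.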

  • Anonymous
    Type: REG_DWORD ... ?

    Then what? Clear the value? Enter 0? What's the change?
  • AlexTheBeast
    I don't know the registry change.

    Here's how I prevent people from installing printer drivers:

    1. Open the Start Menu
    2. Click Run.
    3. In the Open field, type gpedit.msc and then click OK.
    4. Expand the following branches in the left pane in sequence:
       - Computer Configuration branch
       - Windows Settings branch
       - Security Settings branch
       - Local Policies branch
       - Security Options folder.
    5. In the right pane, double-click the Prevent users from installing printer drivers policy.
    6. Click Enabled, and then click OK.
  • davak
    The recipe was a little garbled...

    I believe I have corrected it.

    I haven't used this reghack in a while as I, too, have been mainly using the group policy editor.

    If you need further info, you can find it here:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secinst.asp
  • ustek
    As far as I know a USER can not install a printer (or read install a printer driver). Only a Power User can.
    Let me know if I'm incorrect
    ustek@hotmail.com
  • Anonymous
    Using the group policy editor is definitely the way to go. On the registry edit, the 0 would be the alternate switch, but registry is a bad way to go.