
Control printer driver installation security

Applies To: Windows Server 2008

The default security settings for Windows Vista and Windows Server 2008 allow users who are not members of the local Administrators group to install only trustworthy printer drivers, such as those provided with Windows or in digitally signed printer-driver packages. This helps ensure that users do not install untested or unreliable printer drivers or drivers that have been modified to contain malicious code (malware). However, it means that sometimes users cannot install the appropriate driver for a shared printer, even if the driver has been tested and approved in your environment.

The following sections provide information about how to allow users who are not members of the local Administrators group to connect to a print server and install printer drivers that are hosted by the server:

Installing printer-driver packages on the print server

Printer-driver packages are digitally signed printer drivers that install all the components of the driver to the driver store on client computers (if the server and the client computers are running Windows Vista or Windows Server 2008). Additionally, using printer-driver packages on a print server that is running Windows Vista or Windows Server 2008 enables users who are not members of the local Administrators group to connect to the print server and install or receive updated printer drivers.

To use printer-driver packages, on a print server that is running Windows Server 2008 or Windows Vista, download and install the appropriate printer-driver packages from the printer vendor.

Note
You can also download and install printer-driver packages from a print server to client computers that are running Windows Server 2003, Windows XP, and Windows 2000. However, the client computers do not check the driver's digital signature or install all components of the driver into the driver store because the client operating system does not support these features.

Using Group Policy to deploy printer connections to users or computers

Print Management can be used with Group Policy to automatically add printer connections to the Printers folder, without the user requiring local Administrator privileges. For more information, see Deploy printers by using Group Policy.

Using Group Policy to modify printer driver security settings

You can use the Point and Print Restrictions Group Policy setting to control how users can install printer drivers from print servers. You can use this setting to permit users to connect to only specific print servers that you trust. Because this prevents users from connecting to other print servers that could potentially host malicious or untested printer drivers, you can disable printer driver installation warning messages without compromising security.

Carefully evaluate your users' printing needs before limiting which print servers they can connect to. If users occasionally need to connect to shared printers in a branch office or another department, make sure to include those printer servers on the list (if you trust the printer drivers that are installed on the servers).

You can also use the Point and Print Restrictions setting to disable warning prompts entirely, although this disables the enhanced printer driver installation security of Windows Vista and Windows Server 2008 for these users.

Note
The following procedure assumes that you are using the version of the Group Policy Management Console (GPMC) that is included with Windows Server 2008. To install GPMC on Windows Server 2008, use the Add Features Wizard of Server Manager. If you are using a different version of GPMC, the steps might vary slightly.

To modify the Point and Print Restrictions setting

  1. Open the Group Policy Management Console (GPMC).

  2. In the GPMC console tree, navigate to the domain or organizational unit (OU) that stores the user accounts for which you want to modify printer driver security settings.

  3. Right-click the appropriate domain or OU, click "Create a GPO in this domain, and Link it here", type a name for the new GPO, and then click OK.

  4. Right-click the GPO that you created and then click Edit.

  5. In the Group Policy Management Editor tree, click User Configuration, click Policies, click Administrative Templates, click Control Panel, and then click Printers.

  6. Right-click Point and Print Restrictions, and then click Properties.

To permit users to connect only to specific print servers that you trust:

  1. In the Point and Print Restrictions dialog box, click Enabled.

  2. Select the Users can only point and print to these servers check box if it is not already selected.

  3. In the text box, type the fully qualified server names to which you want to allow users to connect. Separate each name with a semicolon.

  4. In the When installing drivers for a new connection box, choose Do not show warning or elevation prompt.

  5. In the When updating drivers for an existing connection box, choose Show warning only.

  6. Click OK.

    Note
    To disable driver installation warning messages and elevation prompts on computers that are running Windows Vista and Windows Server 2008, in the Point and Print Restrictions dialog box, click Disabled, and then click OK. This disables the enhanced printer driver installation security of Windows Vista and Windows Server 2008.
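
The following PowerShell function is an added example, not part of the original Microsoft documentation. It reviews a planned Point and Print Restrictions configuration before it is entered in the dialog box, checking the semicolon-separated server list and the prompt choices against the guidance above. The function name, its parameter names, and the sample server names are assumptions made for illustration; they are not registry value names or Group Policy API properties.

```powershell
# Added example: review a planned Point and Print Restrictions configuration.
# Function and parameter names are hypothetical labels for the dialog fields.
function Test-PointAndPrintPlan {
    param(
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string] $State,
        [bool]   $OnlyTheseServers = $false,
        [string] $ServerList = '',
        [string] $OnInstall = 'Show warning only',
        [string] $OnUpdate  = 'Show warning only'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    if ($State -eq 'Disabled') {
        $findings.Add('Policy is Disabled: enhanced driver installation security (warnings and elevation prompts) is off.')
        return $findings
    }
    if ($State -ne 'Enabled') { return $findings }

    # One DNS label: letters, digits, inner hyphens, 1 to 63 characters.
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    $fqdn  = '^' + $label + '(\.' + $label + ')+$'

    # Split on semicolons, trim whitespace, drop empty entries.
    $names = @($ServerList -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($n in $names) {
        if ($n -notmatch $fqdn) { $findings.Add("'$n' is not a fully qualified server name.") }
    }
    $names | Group-Object { $_.ToLowerInvariant() } | Where-Object Count -gt 1 |
        ForEach-Object { $findings.Add("'$($_.Name)' is listed more than once.") }

    if ($OnlyTheseServers -and $names.Count -eq 0) {
        $findings.Add('Server restriction is selected but the server list is empty.')
    }
    # Suppressing prompts is only described as safe when users are limited to trusted servers.
    $quiet = @($OnInstall, $OnUpdate) -match '^Do not show'
    if ($quiet -and -not $OnlyTheseServers) {
        $findings.Add('Prompts are suppressed without restricting users to trusted servers.')
    }
    return $findings
}

# Constructed input: the trusted-server procedure above, with one short (non-FQDN) name.
Test-PointAndPrintPlan -State Enabled -OnlyTheseServers $true `
    -ServerList 'print01.corp.example.com; PRINT02' `
    -OnInstall 'Do not show warning or elevation prompt' -OnUpdate 'Show warning only'
```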
