Securing Device Driver Packages with Digital Signatures

Applies To: Windows Server 2008

Because device driver software runs as a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers are permitted. Signing and staging your device driver packages on client computers by using the techniques described in this guide provide the following benefits:

• Improved security. Because standard users cannot install device drivers that are not signed, or that are signed by a publisher that is not trusted, an administrator has much more control over which device drivers can be used in the organization. Unknown device drivers or any device driver not explicitly permitted by the administrator can be prevented. By using Group Policy the administrator can provide all client computers in the organization with the certificates for those publishers that are considered trusted, allowing drivers to be installed without any user interaction to verify that the digital signature is trusted.

• Reduced support costs. Users can only install devices that your organization has tested and is prepared to support. You therefore maintain the security of the computer while simultaneously reducing the demands on your help desk.

• Better user experience. A driver package that is signed by a trusted publisher and then staged in the driver store works automatically when the user plugs in the device. No user interaction is required.

This section includes the following tasks for securing your device driver packages:

• Signing Device Driver Packages

• Deploying Certificates to the Trusted Publishers Store