Describes the best practices, location, values, and security considerations for the Devices: Prevent users from installing printer drivers security policy setting. Reference For a device to print to a network printer, the driver for that network printer must be installed locally. Ensure your solution runs on the latest firmware and / or software by visiting the Bosch Security and Safety Systems Download Area. This page also redirects to a number of video security applications.

1. Download Bosch Security Driver Manual
2. Download Bosch Security Driver Installer
3. Download Bosch Security
4. Download Bosch Security Driver Download
5. Download Bosch Security Driver Updater

Downloads Library INNOVATION HAPPENS HERE Dynacord is part of the Bosch Communications Systems family of brands, offering the world’s most complete portfolio of professional audio and communications solutions. PnP device installation considers the digital signature of a driver package to be invalid if any file in the driver package is altered after the driver package was signed. Such files include the INF file, the catalog file, and all files that are copied by INF CopyFiles directives. Account and Configuration Assistants simplify key programming for control panels and Bosch Remote Connect and Cellular Services Alternative to keypad programming for Bosch control panels, including Fire FPD-7024 Remote firmware updates for GV4, B9512G/B8512G, and B Series control panels Updates prior versions of 9000 or G Series control panel accounts to GV4 or B9512G/B8512G control panel.

A digitally-signed catalog file (.cat) can be used as a digital signature for an arbitrary collection of files. A catalog file contains a collection of cryptographic hashes, or thumbprints. Each thumbprint corresponds to a file that is included in the collection.

Plug and Play (PnP) device installation recognizes the signed catalog file of a driver package as the digital signature for the driver package, where each thumbprint in the catalog file corresponds to a file that is installed by the driver package. Regardless of the intended operating system, cryptographic technology is used to digitally-sign the catalog file.

PnP device installation considers the digital signature of a driver package to be invalid if any file in the driver package is altered after the driver package was signed. Such files include the INF file, the catalog file, and all files that are copied by INF CopyFiles directives. For example, even a single-byte change to correct a misspelling invalidates the digital signature. If the digital signature is invalid, you must either resubmit the driver package to the Windows Hardware Quality Labs (WHQL) for a new signature or generate a new Authenticode signature for the driver package.

Similarly, changes to a device's hardware or firmware require a revised device ID value so that the system can detect the updated device and install the correct driver. Because the revised device ID value must appear in the INF file, you must either resubmit the package to WHQL for a new signature or generate a new Authenticode signature for the driver package. You must do this even if the driver binaries do not change.

The CatalogFile directive in the INF Version section of the driver's INF file specifies the name of the catalog file for the driver package. During driver installation, the operating system uses the CatalogFile directive to identify and validate the catalog file. The system copies the catalog file to the %SystemRoot%CatRoot directory and the INF file to the %SystemRoot%Inf directory.

Guidelines for Catalog Files

Starting with Windows 2000, if the driver package installs the same binaries on all versions of Windows, the INF file can contain a single, undecorated CatalogFile directive. However, if the package installs different binaries for different versions of Windows, the INF file should contain decorated CatalogFile directives. For more information about the CatalogFile directive, see INF Version Section.

If you have more than one driver package, you should create a separate catalog file for each driver package and give each catalog file a unique file name. Two unrelated driver packages cannot share a single catalog file. However, a single driver package that serves multiple devices requires only one catalog file.

Applies to

• Windows 10

Describes the best practices, location, values, and security considerations for the Devices: Prevent users from installing printer drivers security policy setting.

Reference

For a device to print to a network printer, the driver for that network printer must be installed locally. The Devices: Prevent users from installing printer drivers policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to Enabled, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to Disabled allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver.

This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added.

Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers.

Possible values

• Enabled
• Disabled
• Not defined

Best practices

• It is advisable to set Devices: Prevent users from installing printer drivers to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer.

Location

Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options

Download Bosch Security Driver Manual

Default values

Download Bosch Security Driver Installer

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.

Policy management

This section describes features and tools that are available to help you manage this policy.

Restart requirement

None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only administrators, not users, to do so on servers because printer driver installation on a server may unintentionally cause the computer to become lessstable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver.

Download Bosch Security

Countermeasure

Enable the Devices: Prevent users from installing printer drivers setting.

Potential impact

Download Bosch Security Driver Download

Only members of the Administrator, Power Users, or Server Operator groups can install printers on the servers. If this policy setting is enabled but the driver for a network printer already exists on the local computer, users can still add the network printer.

Download Bosch Security Driver Updater

Related topics