To print to a network printer, you need to have the printer’s driver installed on your computer. The policy called “Devices: Prevent users from installing printer drivers” controls who can install the driver when adding a network printer. If set to “Enabled,” only Administrators and Power Users can install the driver. If set to “Disabled,” any user can do it. This setting is in place to stop regular users from installing untrusted printer drivers that could cause issues.
Prohibit users from adding printers
Using the built-in function provided by Windows Server with the Printer Server role, administrators can publish printers to users or computers through Group Policy:
- Open Print Management: Navigate to Print Management > Print Server > Printers > Deploy with Group Policy.
- In the “Deploy with Group Policy” dialog box, click Browse and select or create a new Group Policy Object (GPO) to store the printer connections.
- Specify whether to deploy the printer connections to users or computers:
To deploy to groups of computers, allowing all users on those computers to access the printers, select the “The computers that this GPO applies to (per machine)” checkbox.
To deploy to groups of users, enabling them to access the printers from any computer they log onto, select the “The users that this GPO applies to (per user)” checkbox.
Should I allow non admins to install print drivers?
While it could be acceptable for users to install printer drivers on their individual workstations in certain organizations, extending this privilege to servers is not advisable. Installing a printer driver on a server has the potential to compromise system stability and be vulnerable to attacks. The user right to install printer drivers on servers should be limited to administrators. Allowing non-administrative users this access raises the risk of malicious actions, where individuals may intentionally attempt to harm the system by installing unsuitable printer drivers.
Possible values
- Enabled
- Disabled
- Not defined
Vulnerabilities with Print Driver
It may be appropriate in some organizations to allow users to install print drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate print drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver.
The counter measure is to Enable the Devices: Prevent users from installing printer drivers setting.
Potential Impact
Only users with Administrative, Power User, or Server Operator privileges will be able to install printers on the servers. If this policy setting is enabled but the driver for a network printer already exists on the local computer, users can still add the network printer.
Printer Drivers Best Practice
Best practices for Setting “Devices: Prevent users from installing printer drivers” to Enabled is recommended. This configuration limits printer installation on servers to users in the Administrative, Power User, or Server Operator groups. However, if this policy is enabled and the driver for a network printer is already present on the local computer, users can still add the network printer. Importantly, this policy does not impact a user’s ability to add a local printer.
Hardening Your Printer Drivers
An enabled "Devices: Prevent Users From Installing Printer Drivers" setting can take your security up a notch, but this setting alone doesn't guarantee protection from all malicious activities. Print drivers operate with high privileges on systems and networks, making them an attractive target for attackers seeking to move laterally or escalate privileges. There is a significant history of published vulnerabilities in major print drivers that have allowed remote code execution and administrator-level takeovers. Proactively hardening drivers would protect against discovered and zero-day vulnerabilities.
Companies need to control printer access and functionality. Hardened drivers allow companies to set granular permissions, restrict certain users, and prevent changing of settings – maintaining access control.
By making a conscious effort to automate the hardening of your print drivers, you can significantly strengthen your overall security posture, protect sensitive data, and minimize the risk of attacks and system disruptions.
Remember, even seemingly insignificant components like printer drivers can be entry points for cyberattacks, so proactive hardening measures are essential to maintain a secure environment.
