Details
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer.
The recommended state for this setting is: Enabled.
Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
Rationale:
It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network.
Impact:
Only Administrators will be able to install a printer driver as part of connecting to a shared printer. The ability to add a local printer will not be affected.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsDevices: Prevent users from installing printer drivers
Default Value:
Disabled. (Any user can install a printer driver as part of connecting to a shared printer.)
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Windows.