6.2 Driver Signing

Device drivers represent a significant security risk because they run at a highly privileged level of the Windows operating system. Poorly written drivers are behind most operating system crashes. Drivers can be infected with viruses as easily as other software and can do much more damage than regular software because of the driver's privileged relationship with the operating system.

Microsoft provides a special software signing program for device drivers. Device driver authors can submit their drivers to Microsoft, which tests the drivers for operating system compatibility and overall software integrity. Microsoft then applies its own digital signature to the driver, assuring recipients that the driver is compatible and has not been altered since it was tested.

You can configure your computers to reject any device drivers that do not contain a Microsoft digital signature. This is a powerful feature that may help reject a significant number of malicious or poorly written device drivers before they're installed.

6.2.1 Configuring Driver Signing

We'll now take a look at how to put security measures in place that restrict the use of unsigned drivers. This can help both stabilize your environment and increase security. We'll look at these configuration changes exclusively from a security perspective, but you should remember that there may be other benefits to these configuration changes.

6.2.2 Example: Warning When Installing Unsigned Drivers

David Loudon has a laptop computer, which he carries with him on business trips. David often needs to attach his laptop to high-speed Internet connectivity devices in hotels, which sometimes requires that he install networking device drivers. David's laptop is configured with your company's default secure code configuration via local policy, which prevents him from installing unsigned drivers. After discussing the risks of unsigned drivers with David, you decide to modify his computer to simply warn him before installing unsigned drivers, but to allow him to install the drivers anyway if he needs to. Here's what you do:

  1. Log on to David's computer as an Administrator.

  2. Right-click My Computer and select Properties.

  3. On the Hardware tab, click Driver Signing.

  4. Select the option to Warn, as shown in Figure 6-1.

  5. Select the "Make this action the system default" checkbox.

  6. Log off. Test the new configuration by logging on to the computer as David and installing an unsigned device driver.

This scenario allows David to run some unsigned code. While not completely assuring that safe code will run on his computer, it does provide some protection and ensures that David will know the difference between signed and unsigned code. If stability or other issues arise with David's computer after his installation, both you and he have some idea where to begin troubleshooting.
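
As a follow-up to step 6 and the troubleshooting point above, the following added example (not part of the original text) lists the device drivers that Windows reports as unsigned, most recent first. It assumes Windows PowerShell is installed and the WMI class Win32_PnPSignedDriver is available; the function name Get-UnsignedDriver is hypothetical.

```powershell
# Added example: inventory device drivers that Windows reports as unsigned.
# Assumption: Windows PowerShell with WMI access to Win32_PnPSignedDriver.
# Get-UnsignedDriver is a hypothetical helper name, not a built-in cmdlet.
function Get-UnsignedDriver {
    [CmdletBinding()]
    param(
        # Computer to query; '.' means the local machine.
        [string]$ComputerName = '.'
    )

    $drivers = Get-WmiObject -Class Win32_PnPSignedDriver `
                             -ComputerName $ComputerName -ErrorAction Stop

    $drivers |
        # Keep only entries explicitly marked unsigned; entries with no
        # signing information (IsSigned is $null) are skipped.
        Where-Object { $_.IsSigned -eq $false } |
        ForEach-Object {
            # DriverDate is a WMI (DMTF) datetime string and may be empty.
            $date = $null
            if ($_.DriverDate) {
                $date = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.DriverDate)
            }
            New-Object PSObject -Property @{
                DeviceName    = $_.DeviceName
                Manufacturer  = $_.Manufacturer
                InfName       = $_.InfName
                DriverVersion = $_.DriverVersion
                DriverDate    = $date
            }
        } |
        # Newest drivers first, so a recent install is at the top of the list.
        Sort-Object DriverDate -Descending |
        Select-Object DeviceName, Manufacturer, InfName, DriverVersion, DriverDate
}

# Usage: review the local machine after the test installation in step 6.
Get-UnsignedDriver | Format-Table -AutoSize
```

Running this before and after the test installation shows exactly which driver the Warn setting let through.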