
The unsigned driver installation behavior is improperly set.


Overview

Finding ID: V-1160
Version: 3.050
Rule ID: SV-29686r1_rule
IA Controls: DCSL-1
Severity: Low

Description
Determines what should happen when an attempt is made to install a device driver (by means of the Windows device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are:
- Silently succeed
- Warn but allow installation
- Do not allow installation

STIG: Windows 2003 Member Server Security Technical Implementation Guide
Date: 2014-01-07

Details

Check Text (C-128r1_chk)
Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view.

Navigate to Local Policies -> Security Options.

If the value for “Devices: Unsigned driver installation behavior” is not set to “Warn but allow installation” or “Do not allow installation”, then this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Microsoft\Driver Signing\

Value Name: Policy

Value Type: REG_BINARY
Value: 1 (Warn but allow installation), 2 (Do not allow installation)

Documentable Explanation: If the site is using a Software Update Server (SUS) to distribute software updates, and the computer is configured to point at that server, then this can be set to "Silently succeed" to allow unattended installation of distributed updates. To determine if an SUS server is used, see if the following registry key value exists and is pointing to an organizational or DOD SUS URL:

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer, Reg_SZ: http://…
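
The check above can also be run from a PowerShell prompt. The script below is an added example, not part of the STIG; the function and variable names are illustrative, and it assumes the setting is carried in the first byte of the REG_BINARY data.

```powershell
# Added example: audit "Devices: Unsigned driver installation behavior" (V-1160).
# Registry paths and the compliant values (1, 2) come from the check text above.
$policyKey = 'HKLM:\Software\Microsoft\Driver Signing'
$wuKey     = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

function Get-DriverSigningPolicy {
    # Returns the policy as an integer, or $null when the value is absent.
    $item = Get-ItemProperty -Path $policyKey -Name Policy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_BINARY comes back as a byte array; assumption: the first byte holds the setting.
    return [int](@($item.Policy)[0])
}

function Get-WUServerUrl {
    # Returns the configured update server URL, or $null when none is configured.
    $item = Get-ItemProperty -Path $wuKey -Name WUServer -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.WUServer
}

$policy   = Get-DriverSigningPolicy
$wuServer = Get-WUServerUrl
$shown    = if ($null -eq $policy) { '(not set)' } else { $policy }

if ($policy -eq 1) {
    "PASS: Policy=1 (Warn but allow installation)"
}
elseif ($policy -eq 2) {
    "PASS: Policy=2 (Do not allow installation)"
}
elseif ($wuServer) {
    # Documentable exception: only valid if the URL is an organizational or
    # DOD SUS server and the exception is recorded. That is a manual review step.
    "REVIEW: Policy=$shown, WUServer=$wuServer; confirm the SUS exception is documented"
}
else {
    "FINDING: Policy=$shown and no WUServer value is configured"
}
```

A REVIEW result is not a pass: the script only confirms that a WUServer value exists, not that the URL belongs to the organization.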

Fix Text (F-109r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Devices: Unsigned driver installation behavior” to “Warn but allow installation” or “Do not allow installation”.