Configure the unsigned non-driver installation behavior.


CONTROL ID
02038
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Remove all unnecessary functionality, CC ID: 00882

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • According to Microsoft, there are no non-drivers to install, so this setting has no effect. (Pg 21, The Center for Internet Security Windows 2000 Benchmark, 2.2.1)
  • With all software installations, a digital signature should be used. If not, the user should be notified with a warning. This setting should be set to "Warn, but allow installation" or "Do not allow installation." (§ 3.2.1.38, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • According to Microsoft, there are no non-drivers to install, so this setting has no effect. (§ 21, The Center for Internet Security Windows 2000 Professional Operating System Level 2 Benchmark, 2.2.1)
  • Not all software that is installed on a computer has a digital signature. The user should be alerted to the fact that software is being installed on their computer. Set this to "Warn, but allow installation" or "Do Not Allow Installation". (§ 3.2.1.38, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • The system should warn users if they are about to install an unsigned driver or not install drivers if they are unsigned. The "Devices: Unsigned driver installation behavior" value should be set to either "Warn but allow installation" or "Do not allow installation". (§ 5.3.8.13, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)