Configuring Driver Signing Options

Realizing that poorly written drivers were often the cause of kernel stop errors (also known as the Blue Screen of Death) and other system problems, such as lockups and instability, Microsoft introduced digital driver signing in Windows 2000. Digitally signed device drivers are those that have been submitted to the Windows Hardware Quality Lab (WHQL) by vendors and subsequently subjected to compatibility tests administered by the WHQL. Drivers that complete the compatibility testing process successfully are approved by Microsoft and digitally signed. Due to this rigorous compatibility testing, digitally signed drivers can be counted on to be more robust and reliable. Driver files that have been digitally signed can be found on the Windows Update Web site and also on the Windows Hardware Compatibility List. Additionally, only digitally signed drivers are found on the Windows 2000 setup CD-ROM.

Driver signing, which is controlled from the System applet for standalone machines and via Group Policy for network machines, is important to ensure that your computers remain fully functional. By enforcing restrictions on the installation of unsigned drivers, you can prevent hardware conflicts and stop errors, both of which are common side effects of poorly written drivers. Poorly written drivers also tend to generate an unusually large number of CPU interrupts, thus interfering with all other operations.

The Windows Update Web site can be found at http://windowsupdate.microsoft.com/. The Windows Hardware Compatibility List (HCL) can be found at http://www.microsoft.com/hcl/default.asp.

By digitally signing a file, in this case a driver file, one can be relatively certain that the file is trustworthy and authentic . In this way, digitally signing a driver file works in the same fashion as digitally signing your email message that you send to a co-worker. Because any type of computer file can be signed with a digital certificate signature, a means must exist to handle all of the different file formats. This is accomplished via a technique known as catalog file signing , in which digital signing information about files is available without any modification to the files themselves .

In catalog file signing, a CAT file is created for each driver or operating system file that is being signed. The CAT file includes a hash of the binary file. A hash is the result of a mathematical operation on some data (in this case, the binary file) that is sensitive to any changes made in the source data. Any change to the binary file can be detected because the hash procedure produces a different value. Other information, such as filename and version number, is also added to the file. A certificate from the publisher, along with a Microsoft digital signature, is included in the catalog file to complete the signing process. The relationship between the catalog file and the driver binary is contained in the information file (.inf) maintained by the system after the driver is installed.

The options available for configuring how to handle unsigned drivers include the following:

• Ignore Directs the system to proceed with the installation even if it includes unsigned files. You have no protection from poorly written drivers when the Ignore option is selected. As a result, it is not recommended that you configure driver signing with the Ignore option due to the threat of viruses, Trojan horses, and so on.

• Warn Notifies the user that files are not digitally signed and allows the user to decide whether to stop or proceed with the installation and whether to permit unsigned files to be installed. Driver signing is set to Warn by default; however, it is not recommended to keep this setting in a production environment.

• Block Directs the system to refuse to install unsigned files. As a result, the installation stops, and none of the files in the driver package are installed. This is the recommended setting for a production environment, and it guarantees the highest level of protection for client machines against poorly written device drivers.

Be sure you know the three driver signing behaviors. This is an important feature of Windows 2000 that you can expect to be tested on.

As previously mentioned, you can configure driver signing from one of two locations depending on the configuration of your network and your preferences. Regardless of the location from which you choose to configure driver signing, you still have the same three choices available. The next section examines the process of configuring driver signing via Group Policy.

Configuring Driver Signing via Group Policy

If you have a Windows 2000 Active Directory domain, you should take advantage of Group Policy as often as possible. Using Group Policy Objects to configure your network and your computers gives you previously unavailable management abilities with very little overhead. Group Policy allows you to have granular control over the who, what, when, where, how, and why of configuring network settings. As an example of dealing with driver signing, assume that you work for a company that has the following departments:

• Engineering These individuals are technically savvy and frequently need to install and configure new hardware devices. They have, however, in the past caused serious issues when installing hardware devices that shipped with poorly written device drivers. All Engineering client computers and user accounts are located in the Engineering organizational unit (OU).

• Accounting The accountants rarely, if ever, need new hardware installed on their machines. In the event they need a new hardware device installed, it has been easy in the past to send out support personnel to install and configure the hardware device properly. All Accounting client computers and user accounts are located in the Accounting OU.

• Developers The development team is responsible for all the software associated with the civil engineering equipment your company manufactures. The team also creates device drivers for this hardware and must install the device drivers on test machines to test and troubleshoot the hardware/software combination before shipping to customers. The developers have client computers spread out in two organizational units: their standard network machines are located in the Engineering OU, whereas their testing machines are located in the Developers OU. All user accounts are located in the Developers OU.

In this example, you are faced with three different types of clients and thus three different driver signing options you can configure via Group Policy for their respective OUs. In this case, you should consider configuring driver signing as follows :

• Configure the Warn setting for the Engineering OU You want the Engineers to be able to install new hardware devices as required; however, you want them to be warned before installing unsigned drivers.

• Configure the Block setting for the Accounting OU The Accountants infrequently add new hardware; therefore, it is safer to prevent them from installing any new drivers that are not signed. Should they have an unsigned driver, you can address that on a case-by-case basis.

• Configure the Ignore setting for the Developers OU The Developers are responsible for writing the drivers for your company's products. They have a distinct need to install drivers, unsigned or not, on their computers.

You might decide against setting driver signing to Ignore for the Developers. Driver signing policy options are a User Group Policy item, so the key item is the location of the user accounts. The location of the computer accounts is irrelevant in this case.

As you can see in the preceding example, you may need to configure different driver signing policies for different groups of users. Group Policy Objects (GPOs) applied to the applicable organizational units makes this an easy task. The process to configure driver signing via Group Policy is fairly simple and is outlined as follows:

1. Open the Active Directory Users and Computers snap-in by selecting Start, Programs, Administrative Tools, Active Directory Users and Computers.

2. Locate and right-click the OU for which you want to configure the Group Policy. From the context menu, select Properties.

3. Click the Group Policy tab and either click New to create a new GPO or click Edit to work with an existing GPO. Because it is recommended to create GPOs for specific tasks , we will create a new GPO for this purpose by clicking New and entering the name Driver Signing Policies . Click Edit to open the Group Policy window.

4. As shown in Figure 4.1, the Group Policy option we want to work with is located in the User Configuration, Administrative Templates, System node.

   Figure 4.1. Locating the driver signing option.

   

5. Double-click the Code signing for device drivers option, which opens the Code signing for device drivers Properties dialog box shown in Figure 4.2.

   Figure 4.2. Configuring the driver signing options.

   

6. Select the Enabled option, and then select the appropriate behavior from the drop-down list. In this case, we enabled the Block configuration because this GPO is for the Accounting OU.

7. Click OK to close the Code signing for device drivers Properties dialog box. To close the Group Policy window, click the X in the upper-right corner of the window.

The Group Policy settings you configured will take effect as soon as Group Policy has been refreshed the next time users log on to the system. Now all users in the Accounting OU will be prevented from installing any device drivers that are not digitally signed.

Applying driver signing options via Group Policy is the quickest and easiest way to have them applied uniformly to a large number of users. However, if you only have a few computers to work with or need a specific computer configured in a certain manner, you can opt to configure driver signing from the Control Panel, which is discussed in the next section.

Although this exam (70-215) is not as in-depth about Group Policy as the 70-216 exam, you should still have a good understanding of the basic operations and functions of Group Policy.

Configuring Driver Signing Locally via the Control Panel

As an alternative to Group Policybased driver signing, you can configure driver signing from the Control Panel locally on each machine. This is not a good approach for large networks, but it works well in small ones with few machines or peer-to-peer workgroups. The process to configure driver signing is as follows:

1. Open the System applet in the Control Panel by selecting Start, Settings, Control Panel, System, or by right-clicking the My Computer icon on the Desktop and clicking Properties from the shortcut menu.

2. Click the Hardware tab and click Driver Signing. The Driver Signing Options dialog box opens, as shown in Figure 4.3.

   Figure 4.3. Configuring driver signing options from the Control Panel.

   

3. Make your selection from the three available choices (Ignore, Warn, or Block). When you are done, click OK twice to complete the process.

In just three easy steps you've now configured driver signing for a specific computer. Although this process is simple, you can see how you would quickly become overwhelmed if you had to perform this configuration on several hundred or even just several dozen computers.

If you are logged on with local Administrative privileges, selecting the Apply Settings as system default option applies the configured driver signing level for all users who log on to the computer. This option is not available to users without Administrative privileges, so don't worry about your users changing the setting after the fact! Users can adjust the settings to a strict control, such as from Warn to Block, but not to a more lenient setting, such as from Block to Allow.

Working with Digitally Signed Drivers

After you've set the driver signing options, you're pretty much done. Try to install an unsigned driver when you are configured for Warn, and you will get a warning dialog box similar to the one shown in Figure 4.4.

If you are installing Windows 2000 across the network in an unattended setup, the default driver signing setting is Warn. See KB# Q236029 at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q236029 for help in changing the driver signing settings.

This section examined the concept of digital signatures and how you configure driver signing options for the installation of new device drivers on your computers. You've seen how to configure driver signing quickly and easily across an entire OU (domain or site) and also how to configure it on a computer-by-computer basis. The next section explores how you can ensure that your new hardware is ready for use with Windows 2000before you install it.