Windows Vista Add Printer Wizard security

[Paul Baker [MVP, Windows - Networking]]

These observations were made mostly through testing and partly through
examination of Windows XP source code through the Source Licensing Program.
Please correct me if I am mistaken.

** On Windows XP **

The Add Printer Wizard allows only a user with SERVER_ACCESS_ADMINISTER
access to add a local printer. This is hardcoded as Administrators, Power
Users and domain Print Operators.

The Add Printer Wizard uses the "SeLoadDriverPrivilege" privilege (which
corresponds to the "Load and unload device drivers" user right) to decide
whether or not a user can add a printer driver. The default is
Administrators.

A summary of the permissions on the
HKLM\system\CurrentControlSet\control\print\printers key is:
Users=Read
Power Users=Special
Administrators=Full Control
SYSTEM=Full Control
CREATOR OWNER=Full Control

The Server Properties dialog allows only a user with
SERVER_ACCESS_ADMINISTER access to add or remove a driver, without regard to
the "SeLoadDebugPrivilege" privilege.

** On Windows Vista **

The Add Printer Wizard appears to allow any user to add a local printer and
to add a driver.

A summary of the permissions on the
HKLM\system\CurrentControlSet\control\print\printers key is:
Users=Read
Administrators=Full Control
MACHINE\SYSTEM=Full Control
CREATOR OWNER=Special

I am not sure how it determines whether a user can add or remove a driver
using the Server Properties dialog, but my guess is that they must be an
administrator in elevated mode.

I used Windows Vista Business for my tests.

** Questions **

These are some of the things seem odd to me:
1. On Windows XP, only privileged users can uses the Add Printer Wizard to
add a local printer or driver whereas in Windows Vista, any user can add a
local printer and driver using the Add Printer Wizard and there is no
elevation prompt of any kind! Is this indeed the case? Is that not a
*decrease* in security?
2. The Server Properties dialog would appear to allow anyone with
SERVER_ACCESS_ADMINISTER access to add and remove drivers without regard to
the "SeLoadDebugPrivilege" privilege. The inconsistency of this when
compared to the Add Printer Wizard is more evident on Windows Vista, because
anyone can add a driver using the Add Printer Wizard, but not so in the
Server Properties dialog.
3. On Windows Vista, a standard user does not have permissions to add the
necessary registry entries to add a local printer, but the Add Printer
Wizard adds one anyway under the MACHINE\SYSTEM account (I know this because
that account is the owner). Is the Add Printer Wizard running under a
privileged account with no elevation prompt?

Perhaps this is just a case where ease of use won out over security and
consistency

The reason I ask is that I wrote software that can add a local printer with
special configuration through the AddPrinter API that reverts to a browse
dialog for network printers if the user does not have
SERVER_ACCESS_ADMINISTER access. This seems to be incorrect on Windows
Vista.

Paul

 

[Alan Morris [MSFT]]

Users can only add signed package drivers. Basically the inbox drivers
until vendors create package aware drivers.

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Paul Baker [MVP, Windows - Networking]]

Okay, that explains drivers.

Can standard users add a local printer on Windows Vista, but not on Windows
XP? What condition should I use to decide whether or not to allow my user to
go through the configuration dialog that ends up calling AddPrinter for a
pre-existing driver? Or should I just always allow it and handle any error
(such as ERROR_ACCESS_DENIED) that I get?

Paul

Users can only add signed package drivers. Basically the inbox drivers
until vendors create package aware drivers.

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no
rights.

These observations were made mostly through testing and partly through
examination of Windows XP source code through the Source Licensing
Program. Please correct me if I am mistaken.

** On Windows XP **

The Add Printer Wizard allows only a user with SERVER_ACCESS_ADMINISTER
access to add a local printer. This is hardcoded as Administrators, Power
Users and domain Print Operators.

The Add Printer Wizard uses the "SeLoadDriverPrivilege" privilege (which
corresponds to the "Load and unload device drivers" user right) to decide
whether or not a user can add a printer driver. The default is
Administrators.

A summary of the permissions on the
HKLM\system\CurrentControlSet\control\print\printers key is:
Users=Read
Power Users=Special
Administrators=Full Control
SYSTEM=Full Control
CREATOR OWNER=Full Control

The Server Properties dialog allows only a user with
SERVER_ACCESS_ADMINISTER access to add or remove a driver, without regard
to the "SeLoadDebugPrivilege" privilege.

** On Windows Vista **

The Add Printer Wizard appears to allow any user to add a local printer
and to add a driver.

A summary of the permissions on the
HKLM\system\CurrentControlSet\control\print\printers key is:
Users=Read
Administrators=Full Control
MACHINE\SYSTEM=Full Control
CREATOR OWNER=Special

I am not sure how it determines whether a user can add or remove a driver
using the Server Properties dialog, but my guess is that they must be an
administrator in elevated mode.

I used Windows Vista Business for my tests.

** Questions **

These are some of the things seem odd to me:
1. On Windows XP, only privileged users can uses the Add Printer Wizard
to add a local printer or driver whereas in Windows Vista, any user can
add a local printer and driver using the Add Printer Wizard and there is
no elevation prompt of any kind! Is this indeed the case? Is that not a
*decrease* in security?
2. The Server Properties dialog would appear to allow anyone with
SERVER_ACCESS_ADMINISTER access to add and remove drivers without regard
to the "SeLoadDebugPrivilege" privilege. The inconsistency of this when
compared to the Add Printer Wizard is more evident on Windows Vista,
because anyone can add a driver using the Add Printer Wizard, but not so
in the Server Properties dialog.
3. On Windows Vista, a standard user does not have permissions to add the
necessary registry entries to add a local printer, but the Add Printer
Wizard adds one anyway under the MACHINE\SYSTEM account (I know this
because that account is the owner). Is the Add Printer Wizard running
under a privileged account with no elevation prompt?

Perhaps this is just a case where ease of use won out over security and
consistency

The reason I ask is that I wrote software that can add a local printer
with special configuration through the AddPrinter API that reverts to a
browse dialog for network printers if the user does not have
SERVER_ACCESS_ADMINISTER access. This seems to be incorrect on Windows
Vista.

Paul

 

[Alan Morris [MSFT]]

On XP users can only add printer connections to Windows or Samba Version 3 >
machines.

Preinstalled driver or one that ships on XP/Vista?



--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

Okay, that explains drivers.

Can standard users add a local printer on Windows Vista, but not on
Windows XP? What condition should I use to decide whether or not to allow
my user to go through the configuration dialog that ends up calling
AddPrinter for a pre-existing driver? Or should I just always allow it and
handle any error (such as ERROR_ACCESS_DENIED) that I get?

Paul

Users can only add signed package drivers. Basically the inbox drivers
until vendors create package aware drivers.

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no
rights.

These observations were made mostly through testing and partly through
examination of Windows XP source code through the Source Licensing
Program. Please correct me if I am mistaken.

** On Windows XP **

The Add Printer Wizard allows only a user with SERVER_ACCESS_ADMINISTER
access to add a local printer. This is hardcoded as Administrators,
Power Users and domain Print Operators.

The Add Printer Wizard uses the "SeLoadDriverPrivilege" privilege (which
corresponds to the "Load and unload device drivers" user right) to
decide whether or not a user can add a printer driver. The default is
Administrators.

A summary of the permissions on the
HKLM\system\CurrentControlSet\control\print\printers key is:
Users=Read
Power Users=Special
Administrators=Full Control
SYSTEM=Full Control
CREATOR OWNER=Full Control

The Server Properties dialog allows only a user with
SERVER_ACCESS_ADMINISTER access to add or remove a driver, without
regard to the "SeLoadDebugPrivilege" privilege.

** On Windows Vista **

The Add Printer Wizard appears to allow any user to add a local printer
and to add a driver.

A summary of the permissions on the
HKLM\system\CurrentControlSet\control\print\printers key is:
Users=Read
Administrators=Full Control
MACHINE\SYSTEM=Full Control
CREATOR OWNER=Special

I am not sure how it determines whether a user can add or remove a
driver using the Server Properties dialog, but my guess is that they
must be an administrator in elevated mode.

I used Windows Vista Business for my tests.

** Questions **

These are some of the things seem odd to me:
1. On Windows XP, only privileged users can uses the Add Printer Wizard
to add a local printer or driver whereas in Windows Vista, any user can
add a local printer and driver using the Add Printer Wizard and there is
no elevation prompt of any kind! Is this indeed the case? Is that not a
*decrease* in security?
2. The Server Properties dialog would appear to allow anyone with
SERVER_ACCESS_ADMINISTER access to add and remove drivers without regard
to the "SeLoadDebugPrivilege" privilege. The inconsistency of this when
compared to the Add Printer Wizard is more evident on Windows Vista,
because anyone can add a driver using the Add Printer Wizard, but not so
in the Server Properties dialog.
3. On Windows Vista, a standard user does not have permissions to add
the necessary registry entries to add a local printer, but the Add
Printer Wizard adds one anyway under the MACHINE\SYSTEM account (I know
this because that account is the owner). Is the Add Printer Wizard
running under a privileged account with no elevation prompt?

Perhaps this is just a case where ease of use won out over security and
consistency

The reason I ask is that I wrote software that can add a local printer
with special configuration through the AddPrinter API that reverts to a
browse dialog for network printers if the user does not have
SERVER_ACCESS_ADMINISTER access. This seems to be incorrect on Windows
Vista.

Paul

 

[Paul Baker [MVP, Windows - Networking]]

Alan,

I guess I should explain in more detail what I am trying to do.

When I call AddPrinter, I am setting PRINTER_INFO_2.pDriverName to "Generic
/ Text Only" and expecting that if the driver is not already installed,
there will be an ERROR_UNKNOWN_PRINTER_DRIVER (as far as I know, the
AddPrinter API does not install a printer driver, it only installs a
printer). In that case, I show a custom error message. For now, the user is
expected to pay attention to this message or to the instructions in the
manul and first install the driver somehow.

Normally, it would be the one that ships with Windows, but I don't really
care how it gets installed or where it came from because I'm going to call
StartDocPrinter instead of StartDoc in order to bypass the driver (while
still using the print spooler) in order to send the most efficient escape
sequences possible for the output I want.

Right now, if the user does not have SERVER_ACCESS_ADMINISTER access to the
local print server, I'm going to disallow this and call ConnectToPrinterDlg
instead. This is a case for a standard user (or non-elevated administrator)
on both Windows XP and Windows Vista, however it would seem that this is too
restrictive for Windows Vista.

Paul

On XP users can only add printer connections to Windows or Samba Version 3

machines.

Preinstalled driver or one that ships on XP/Vista?



--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no
rights.

Okay, that explains drivers.

Can standard users add a local printer on Windows Vista, but not on
Windows XP? What condition should I use to decide whether or not to allow
my user to go through the configuration dialog that ends up calling
AddPrinter for a pre-existing driver? Or should I just always allow it
and handle any error (such as ERROR_ACCESS_DENIED) that I get?

Paul

Users can only add signed package drivers. Basically the inbox drivers
until vendors create package aware drivers.

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no
rights.

"Paul Baker [MVP, Windows - Networking]" <[email protected]>
wrote in message These observations were made mostly through testing and partly through
examination of Windows XP source code through the Source Licensing
Program. Please correct me if I am mistaken.

** On Windows XP **

The Add Printer Wizard allows only a user with SERVER_ACCESS_ADMINISTER
access to add a local printer. This is hardcoded as Administrators,
Power Users and domain Print Operators.

The Add Printer Wizard uses the "SeLoadDriverPrivilege" privilege
(which corresponds to the "Load and unload device drivers" user right)
to decide whether or not a user can add a printer driver. The default
is Administrators.

A summary of the permissions on the
HKLM\system\CurrentControlSet\control\print\printers key is:
Users=Read
Power Users=Special
Administrators=Full Control
SYSTEM=Full Control
CREATOR OWNER=Full Control

The Server Properties dialog allows only a user with
SERVER_ACCESS_ADMINISTER access to add or remove a driver, without
regard to the "SeLoadDebugPrivilege" privilege.

** On Windows Vista **

The Add Printer Wizard appears to allow any user to add a local printer
and to add a driver.

A summary of the permissions on the
HKLM\system\CurrentControlSet\control\print\printers key is:
Users=Read
Administrators=Full Control
MACHINE\SYSTEM=Full Control
CREATOR OWNER=Special

I am not sure how it determines whether a user can add or remove a
driver using the Server Properties dialog, but my guess is that they
must be an administrator in elevated mode.

I used Windows Vista Business for my tests.

** Questions **

These are some of the things seem odd to me:
1. On Windows XP, only privileged users can uses the Add Printer Wizard
to add a local printer or driver whereas in Windows Vista, any user can
add a local printer and driver using the Add Printer Wizard and there
is no elevation prompt of any kind! Is this indeed the case? Is that
not a *decrease* in security?
2. The Server Properties dialog would appear to allow anyone with
SERVER_ACCESS_ADMINISTER access to add and remove drivers without
regard to the "SeLoadDebugPrivilege" privilege. The inconsistency of
this when compared to the Add Printer Wizard is more evident on Windows
Vista, because anyone can add a driver using the Add Printer Wizard,
but not so in the Server Properties dialog.
3. On Windows Vista, a standard user does not have permissions to add
the necessary registry entries to add a local printer, but the Add
Printer Wizard adds one anyway under the MACHINE\SYSTEM account (I know
this because that account is the owner). Is the Add Printer Wizard
running under a privileged account with no elevation prompt?

Perhaps this is just a case where ease of use won out over security and
consistency

The reason I ask is that I wrote software that can add a local printer
with special configuration through the AddPrinter API that reverts to a
browse dialog for network printers if the user does not have
SERVER_ACCESS_ADMINISTER access. This seems to be incorrect on Windows
Vista.

Paul

 

[Paul Baker [MVP, Windows - Networking]]

When I refer to the "SeLoadDebugPrivilege" privilege, I intended to refer
again to the "SeLoadDriverPrivilege" privilege. I also do not think my
statements about this privilege are entirely accurate.

Paul