Monday, August 31, 2009

Windows 2008 - Disabling driver signature enforcement

Many of the virus, adware, security, and crash problems with Windows occur when someone installs a driver of dubious origin. The driver supposedly provides some special feature for Windows but in reality makes Windows unstable and can open doors for people of ill intent who want your system for themselves. Of course, Microsoft’s solution is to lock down Windows so that you can use only signed drivers. A signed driver is one in which the driver creator uses a special digital signature to “sign” the driver software. You can examine this signature (as can Windows) to ensure that the driver is legitimate.

Windows 2008 doesn’t load a driver that the vendor hasn’t signed. Unfortunately, you’ll find more unsigned than signed drivers on the market right now. Vendors haven’t signed their drivers, for the most part, because the process is incredibly expensive and difficult. Many vendors see the new Windows 2008 feature as Microsoft’s method of forcing them to spend money on something that they dispute as having value. Theoretically, someone can forge a signature, which means that the signing process isn’t foolproof and may not actually make Windows more secure or reliable. Of course, the market will eventually decide whether Microsoft or the vendors are correct, but for now you have to worry about having signed drivers to use with Windows.

Sometimes, not having a signed driver can cause your system to boot incorrectly or not at all. The Disable Driver Signature Enforcement option lets you override Microsoft’s decision to use only signed drivers. When you choose this option, Windows boots as it normally does. The only difference is that it doesn’t check the drivers it loads for a signature. You may even notice that Windows starts faster. Of course, you’re giving up a little extra reliability and security to use this feature — at least in theory.

You can’t permanently disable the use of signed drivers in the 64-bit version of Windows Server 2008 — at least, not using any Microsoft-recognized technique. It’s possible to disable the use of signed drivers in the 32-bit version by making a change in the group policy (more on this technique later in the section). A company named Linchpin Labs has a product called Atsiv (http://www.linchpinlabs.com/resources/atsiv/usage-design.htm), which lets you overcome this problem, even on 64-bit systems. Microsoft is fighting a very nasty war to prevent people from using the product. (They recently asked VeriSign to revoke the company’s digital certificate and had the product declared malware; read more about this issue at http://avantgo.computerworld.com.au/avantgo_story.php?id=69104626.)



Using the boot method of permanently disabling signed driver checking
An undocumented method of disabling the signed driver requirement for both 32-bit and 64-bit versions of Windows Server 2008 is to use the BCDEdit utility to make a change to the boot configuration. Because this feature isn’t documented, Microsoft could remove it at any time. This procedure isn’t something that a novice administrator should attempt to do, but it’s doable. The following steps describe the process:

1. Choose Start -> Programs -> Accessories.
You see the Accessories menu.

2. Right-click Command Prompt and choose Run As Administrator from the context menu. Windows opens a command line with elevated privileges. You can tell that the privileges are elevated because the title bar states that this is the administrator’s command prompt rather than a standard command prompt.

3. Type BCDEdit /Export C:\BCDBackup and press Enter. BCDEdit displays the message This Operation Completed Successfully. This command saves a copy of your current boot configuration to the C:\BCDBackup file. Never change the boot configuration without making a backup.

4. Type BCDEdit /Set LoadOptions DDISABLE_INTEGRITY_CHECKS and press Enter. BCDEdit displays the message This Operation Completed Successfully. The Driver Disable (DDISABLE) option tells Windows not to check the signing of your drivers during the boot process. Be sure to type the BCDEdit command precisely as shown. The BCDEdit utility is very powerful and can cause your system not to boot when used incorrectly. If you make a mistake, you probably have to use the technique described in the “Using the Command Prompt” section of this chapter to open a command prompt using your boot CD and then fix the problem by using the BCDEdit /Import C:\BCDBackup command. This technique modifies only the current boot configuration. If your server has multiple boot partitions, you must make this change for each partition individually.

5. Restart your system as normal to use the new configuration.
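Because the change above is made per boot entry, an administrator auditing a server needs to know which entries carry it. The following is an added example, not code from the book or this post: it parses `bcdedit /enum` text output and reports entries whose load options disable integrity checks. The sample output is constructed, and the `nointegritychecks` and `testsigning` checks go beyond what this page covers.

```python
import re

# Constructed sample of `bcdedit /enum` text output (not captured from a real host).
SAMPLE_BCD = """
Windows Boot Manager
--------------------
identifier              {bootmgr}
displayorder            {current}
                        {11111111-2222-3333-4444-555555555555}

Windows Boot Loader
-------------------
identifier              {current}
loadoptions             DDISABLE_INTEGRITY_CHECKS

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
"""

def parse_bcd(text):
    """Return one dict per BCD entry: its heading as 'type' plus each element."""
    entries, cur, key, prev = [], None, None, ""
    for line in text.splitlines():
        if not line.strip():
            cur = key = None                  # a blank line ends the entry
        elif re.fullmatch(r"-{3,}", line.strip()):
            cur = {"type": prev}              # underline: previous line was the heading
            entries.append(cur)
        elif cur is not None and key and line[0].isspace():
            cur[key] += " " + line.strip()    # continuation of a multi-value element
        elif cur is not None:
            key, _, value = line.strip().partition(" ")
            cur[key] = value.strip()
        prev = line.strip()
    return entries

def integrity_findings(entries):
    """Return (identifier, element, value) for settings that relax driver signing."""
    found = []
    for e in entries:
        ident = e.get("identifier", "<unknown>")
        if "DISABLE_INTEGRITY_CHECKS" in e.get("loadoptions", "").upper():
            found.append((ident, "loadoptions", e["loadoptions"]))
        # Assumption beyond the page: these BCD elements also relax signing checks.
        for opt in ("nointegritychecks", "testsigning"):
            if e.get(opt, "").lower() in ("yes", "on"):
                found.append((ident, opt, e[opt]))
    return found
```

On a real server, pass the text captured from an elevated `bcdedit /enum` to `parse_bcd` instead of the sample.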



Using the group policy method of permanently disabling signed driver checking
Users of the 32-bit version of Windows Server 2008 also have a documented and Microsoft-approved method of bypassing the signing requirement. (This technique will never work on the 64-bit version of the product.) In this case, you set a group policy that disables the requirement for the local machine (when made on the local machine) or the domain (when made on the domain controller). The following steps describe how to use the Group Policy Edit (GPEdit) console to perform this task.

1. Choose Start -> Run.
You see the Run dialog box.

2. Type GPEdit.MSC (for Group Policy Edit) in the Open field and click OK. Windows displays the Local Group Policy Editor window.

3. Locate the Local Computer Policy\User Configuration\Administrative Templates\System\Driver Installation folder.

4. Double-click the Code Signing for Device Drivers policy.

5. Select Enabled.

6. Choose Ignore (installs unsigned drivers without asking), Warn (displays a message asking whether you want to install the unsigned driver), or Block (disallows unsigned driver installation automatically) from the drop-down list.

7. Click OK.
The Local Group Policy Editor console sets the new policy for installing device drivers.

8. Close the Local Group Policy Editor console.

9. Reboot the server.
Theoretically, the changes you made should take effect immediately after you log back in to the system. However, to make sure the policy takes effect for everyone, reboot the server.

Source of Information : For Dummies Windows Server 2008 All In One Desk Reference For Dummies

4 comments:

  1. I tried to disable driver signature but failed to complete the task. I am not sure about the reason but after reading this article I find these steps much simpler and easy to operate. Thanks.
  2. Strangely, changing this policy value is not affecting the installation of an unsigned driver on my Windows 2008 32-bit box, even after logging off and then logging back in. Does the server need to be rebooted compulsorily?

  3. Nice and very helpful information I have got from your post. Even your whole blog is full of interesting information, which is the great sign of a great blogger.
