
I am attempting to setup a process for our support team (non-administrators) to have access to remotely enable or disable a group of Windows firewall rules.

I did the following to get to the point of allowing remote access...

Enable-PSRemoting -Force

winrm quickconfig

Set-Item -Path WSMan:\Localhost\Client\TrustedHosts -Value $supteam -Concatenate

New-NetFirewallRule -DisplayName <dispName> -Profile <profile> -Enabled True -Action Allow -RemoteAddress $supteam -Direction Inbound -LocalPort <winRMport> -Protocol TCP -Program System

When running the command...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { netsh advfirewall firewall set rule group="<ruleGroupName>" new enable=<yes/no> } -Credential $creds

I get the following output...

The requested operation requires elevation (Run as administrator).

The PowerShell session from which I am running the above command is open as Administrator (i.e. the title bar reads "Administrator: Windows PowerShell"). User Account Control (UAC) is turned off on the destination server.

NOTE: I have also tried using the PowerShell equivalent for (en|dis)abling the firewall rules...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" | <Enable/Disable>-NetFirewallRule } -Credential $creds

And get the following output three times (once for each rule)...

Access is denied.

+ CategoryInfo: PermissionDenied: (MSFT_NetFirewal...ystemName = ""):root/standardcimv2/MSFT_NetFirewallRule) [Enable-NetFirewallRule], CimException

+ FullyQualifiedErrorId : Windows System Error 5,Enable-NetFirewallRule

+ PSComputerName : ipAddress

I can get a list of the rules using...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" } -Credential $creds

So I am taking it that (en|dis)abling firewall rules can only be done by members of the local Administrator group of the remote server.

If my assumption is correct, is it possible to allow a non-admin group access to modify the firewall? If so, any instructions or links would be greatly appreciated!


This is a Windows security boundary, not a PowerShell issue. So this is not a simple PowerShell script; it's an environment and policy configuration.

You need to grant the needed permissions to the user or account that you control to make these settings.

The other option is to leverage PowerShell JEA (Just Enough Administration) and constrained endpoints.

Using JEA

$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred

Just Enough Administration (JEA) Infrastructure: An Introduction

Just Enough Administration (JEA) provides an RBAC platform through Windows PowerShell. It allows specific users to perform specific administrative tasks on servers without giving them administrator rights. This allows you to fill in the gaps between your existing RBAC solutions

JEA Helper Tool 2.0

This script provides a graphical "helper" for several Just Enough Administration (JEA) features, for Windows Management Framework (WMF) 5.0 and Windows Server 2016 Technical Preview 4 (TP4)

PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step

Leverage PowerShell Just Enough Administration for your Helpdesk

With JEA, you empower your users to perform specific tasks through PowerShell without providing them elevated rights. You can control the available commands and parameters, validate input for the specified parameters, and have full auditing capabilities with over-the-shoulder transcripts, module logging, and deep script block logging.

Introduction to PowerShell Endpoints
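As an added worked example (not part of the question or the answer above), the following script builds the JEA endpoint the answer recommends: a role capability exposing a single wrapper function that enables or disables one firewall rule group, a session configuration that runs it as a local virtual account so the Windows security boundary is crossed by the endpoint rather than by the support user, and the client call the support team would make. Every name is an assumption: the module and endpoint name SupportFirewall, the AD group CONTOSO\SupportTeam, the rule group 'Contoso Support Tools', the transcript folder and the server name. Run the registration part once, elevated, on the destination server.

```powershell
# Added example, not from the original post. All names below are assumed.
$ModuleRoot   = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SupportFirewall'
$RoleCapDir   = Join-Path $ModuleRoot 'RoleCapabilities'   # JEA only loads .psrc files from here
$SupportGroup = 'CONTOSO\SupportTeam'                      # assumed: the non-admin group
$AllowedGroup = 'Contoso Support Tools'                    # assumed: the firewall rule group

New-Item -ItemType Directory -Path $RoleCapDir -Force | Out-Null
# A manifest makes the folder a real module so PowerShell discovers the role capability.
New-ModuleManifest -Path (Join-Path $ModuleRoot 'SupportFirewall.psd1') `
    -Description 'JEA role capabilities for the support team'

# The only command the support user will see. ValidateSet pins both the
# rule group and the verb, so the user cannot touch any other rule.
# Inside the session this runs as the virtual account (a local admin),
# which is why the "Access is denied" (error 5) from the question no longer occurs.
$SetGroup = [scriptblock]::Create(@"
    param(
        [Parameter(Mandatory)]
        [ValidateSet('$AllowedGroup')]
        [string]`$Group,

        [Parameter(Mandatory)]
        [ValidateSet('Enable','Disable')]
        [string]`$Action
    )
    if (`$Action -eq 'Enable') { Enable-NetFirewallRule  -Group `$Group }
    else                       { Disable-NetFirewallRule -Group `$Group }
    # Return the resulting state so the caller can confirm what changed.
    Get-NetFirewallRule -Group `$Group | Select-Object DisplayName, Enabled
"@)

New-PSRoleCapabilityFile -Path (Join-Path $RoleCapDir 'SupportFirewall.psrc') `
    -FunctionDefinitions @{ Name = 'Set-SupportFirewallGroup'; ScriptBlock = $SetGroup } `
    -VisibleFunctions 'Set-SupportFirewallGroup'

# Session configuration: NoLanguage restricted endpoint, virtual account,
# over-the-shoulder transcripts, and the support group mapped to the role.
$SessionFile = Join-Path $ModuleRoot 'SupportFirewall.pssc'
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ $SupportGroup = @{ RoleCapabilities = 'SupportFirewall' } }

# Fail fast on a malformed .pssc before touching WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw "Session configuration file failed validation: $SessionFile"
}

# Registering grants connect rights to the groups in RoleDefinitions; -Force restarts WinRM.
Register-PSSessionConfiguration -Name 'SupportFirewall' -Path $SessionFile -Force

# ---- Client side (support team workstation, non-admin credentials) -------------
# Connect by hostname so Kerberos is used; an IP address forces NTLM and TrustedHosts.
$server = 'server01.contoso.com'   # assumed
$creds  = Get-Credential
Invoke-Command -ComputerName $server -ConfigurationName 'SupportFirewall' -Credential $creds `
    -ScriptBlock { Set-SupportFirewallGroup -Group 'Contoso Support Tools' -Action Disable }
```

Two things worth checking after registration: run `Get-Command` from inside the endpoint (`Enter-PSSession -ComputerName $server -ConfigurationName SupportFirewall -Credential $creds`) to confirm only Set-SupportFirewallGroup and the default JEA commands are visible, and try `Get-NetFirewallRule` directly, which should be rejected because it is not exposed. The wrapper deliberately takes a rule group rather than arbitrary rule names; widening the ValidateSet is the only way to extend what the support team can change, which keeps the blast radius reviewable.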
