Allow Non-Admins Permission to Manage Windows Firewall













I am attempting to set up a process for our support team (non-administrators) to have access to remotely enable or disable a group of Windows firewall rules.

I did the following to get to the point of allowing remote access...

Enable-PSRemoting -Force
winrm quickconfig
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $supteam -Concatenate
New-NetFirewallRule -DisplayName <dispName> -Profile <profile> -Enabled True -Action Allow -RemoteAddress $supteam -Direction Inbound -LocalPort <winRMport> -Protocol TCP -Program System

When running the command...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { netsh advfirewall firewall set rule group="<ruleGroupName>" new enable=<yes/no> } -Credential $creds

I get the following output...

The requested operation requires elevation (Run as administrator).

The PowerShell session from which I am running the above command is open as Administrator (i.e. the title bar reads "Administrator: Windows PowerShell"). User Account Control (UAC) is turned off on the destination server.

NOTE: I have also tried using the PowerShell equivalent for (en|dis)abling the firewall rules...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" | <Enable/Disable>-NetFirewallRule } -Credential $creds

And get the following output times 3 (one for each rule)...

Access is denied.
+ CategoryInfo: PermissionDenied: (MSFT_NetFirewal...ystemName = ""):root/standardcimv2/MSFT_NetFirewallRule) [Enable-NetFirewallRule], CimException
+ FullyQualifiedErrorId : Windows System Error 5,Enable-NetFirewallRule
+ PSComputerName : ipAddress

I can get a list of the rules using...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" } -Credential $creds

So I am taking it that (en|dis)abling firewall rules can only be done by members of the local Administrator group of the remote server.

If my assumption is correct, is it possible to allow a non-admin group access to modify the firewall? If so, any instructions or links would be greatly appreciated!










      permissions powershell windows-firewall non-admin














asked Jan 23 at 15:01 by sudosysadmin (edited Jan 23 at 15:53)






















          1 Answer














This is a Windows security boundary, not a PowerShell issue. So, not a simple PowerShell script this. It's an environment and policy configuration.

You need to grant the needed permissions to the user or account that you control to make these settings.

The other option is to leverage PowerShell JEA (Just Enough Administration) and constrained endpoints.

Using JEA

$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred

Just Enough Administration (JEA) Infrastructure: An Introduction

    Just Enough Administration (JEA) provides a RBAC platform through Windows PowerShell. It allows specific users to perform specific administrative tasks on servers without giving them administrator rights. This allows you to fill in the gaps between your existing RBAC solutions

JEA Helper Tool 2.0

    This script provides a graphical "helper" to several Just Enough Administration (JEA) features, for Windows Management Framework (WMF) 5.0 and Windows Server 2016 Technical Preview 4 (TP4)

PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step

Leverage PowerShell Just Enough Administration for your Helpdesk

    With JEA, you empower your users to perform specific tasks through PowerShell without providing them elevated rights. You can control the available commands and parameters, validate input for the specified parameters, and have full auditing capabilities with over-the-shoulder transcripts, module logging, and deep script block logging.

Introduction to PowerShell Endpoints






answered Jan 24 at 1:13 by postanote
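A sketch of the JEA approach the answer points to, applied to the question's firewall rule group. This is an added example, not code from the original thread or from any of the linked articles. The group `CONTOSO\FirewallSupport`, module `FirewallJEA`, role `FirewallOperator`, endpoint `SupportFirewall`, function `Set-SupportFirewallGroup` and rule group `Support Tools` are all assumed names.

```powershell
# Added example (not from the original thread). Run once, elevated, on the target server.
# Assumed names: CONTOSO\FirewallSupport (support group), FirewallJEA (module),
# FirewallOperator (role), SupportFirewall (endpoint), 'Support Tools' (rule group).

$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\FirewallJEA'
$roleDir   = Join-Path $moduleDir 'RoleCapabilities'
$jeaDir    = Join-Path $env:ProgramData 'JEAConfiguration'
New-Item -ItemType Directory -Path $roleDir, "$jeaDir\Transcripts" -Force | Out-Null

# JEA only discovers .psrc files that live inside a valid module on PSModulePath.
New-Item -ItemType File -Path "$moduleDir\FirewallJEA.psm1" -Force | Out-Null
New-ModuleManifest -Path "$moduleDir\FirewallJEA.psd1" -RootModule 'FirewallJEA.psm1'

# The only task-specific command the support team can call. The rule group is
# fixed inside the function body, so callers cannot point it at any other rule.
# Commands are module-qualified so the hidden originals are used, not the
# restricted proxies the endpoint exposes to the caller.
$setGroup = {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Action
    )
    $group = 'Support Tools'   # assumed group name; replace with your rule group
    $rules = NetSecurity\Get-NetFirewallRule -Group $group -ErrorAction Stop
    if ($Action -eq 'Enable') { $rules | NetSecurity\Enable-NetFirewallRule }
    else                      { $rules | NetSecurity\Disable-NetFirewallRule }
    # Return the resulting state so the caller can confirm the change.
    NetSecurity\Get-NetFirewallRule -Group $group |
        Microsoft.PowerShell.Utility\Select-Object DisplayName, Enabled, Direction, Action
}

# Role capability: import NetSecurity, but make only the wrapper function visible.
New-PSRoleCapabilityFile -Path "$roleDir\FirewallOperator.psrc" `
    -ModulesToImport 'NetSecurity' `
    -VisibleFunctions 'Set-SupportFirewallGroup' `
    -FunctionDefinitions @{ Name = 'Set-SupportFirewallGroup'; ScriptBlock = $setGroup }

# Session configuration:
#   RestrictedRemoteServer - NoLanguage mode plus a small set of built-in commands.
#   RunAsVirtualAccount    - commands execute under a temporary privileged identity,
#                            while the connecting user stays a non-administrator.
#   TranscriptDirectory    - every session is recorded; keep this folder admin-only.
New-PSSessionConfigurationFile -Path "$jeaDir\SupportFirewall.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory "$jeaDir\Transcripts" `
    -RoleDefinitions @{ 'CONTOSO\FirewallSupport' = @{ RoleCapabilities = 'FirewallOperator' } }

# Validate the file, then register the endpoint (this restarts the WinRM service).
Test-PSSessionConfigurationFile -Path "$jeaDir\SupportFirewall.pssc"
Register-PSSessionConfiguration -Name 'SupportFirewall' -Path "$jeaDir\SupportFirewall.pssc" -Force

# From a support workstation, with non-admin credentials:
#   Invoke-Command -ComputerName <ipAddress> -ConfigurationName SupportFirewall `
#       -Credential $creds -ScriptBlock { Set-SupportFirewallGroup -Action Disable }
```

Members of the assumed support group connect to the `SupportFirewall` endpoint instead of the default one; they never join the local Administrators group, and anything other than the wrapper function and the endpoint's built-in commands is rejected.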





























