Bdtyktl

I am attempting to setup a process for our support team (non-administrators) to have access to remotely enable or disable a group of Windows firewall rules.

I did the following to get to the point of allowing remote access...

Enable-PSRemoting -Force



winrm quickconfig



Set-Item -Path WSMan:LocalhostClientTrustedHosts -Value '$supteam' -Concatenate



New-NetFirewallRule -DisplayName <dispName> -Profile <profile> -Enabled True -Action Allow -RemoteAddress $supteam -Direction Inbound -LocalPort <winRMport> -Protocol TCP -Program System

When running the command...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { netsh advfirewall firewall set rule group="<ruleGroupName>" new enable=<yes/no> } -Credential $creds

I get the following output...

The requested operation requires elevation (Run as administrator).

The PowerShell session from which I am running the above command is open as Administrator (i.e. the title bar reads "Administrator: Windows PowerShell"). User Account Control (UAC) is turned off on the destination server.

NOTE: I have also tried using the PowerShell equivalent for (en|dis)abling the firewall rules...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" | <Enable/Disable>-NetFirewallRule } -Credential $creds

And get the following output times 3 (one for each rule)...

Access is denied.

+ CategoryInfo: PermissionDenied: (MSFT_NetFirewal...ystemName =
""):root/standardcimv2/MSFT_NetFirewallRule) [Enable-NetFirewallRule],
CimException

+ FullyQualifiedErrorId : Windows System Error 5,Enable-NetFirewallRule

+ PSComputerName : ipAddress

I can get a list of the rules using...

Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" } -Credential $creds

So I am taking it that (en|dis)abling firewall rules can only be done by members of the local Administrator group of the remote server.

If my assumption is correct, is it possible to allow a non-admin group access to modify the firewall? If so, any instructions or links would be greatly appreciated!

This is a Windows security boundary, not a PowerShell issue. So, not a simple PowerShell script this. It's an environment and policy configuration.

You need to grant the needed permissions to the use or account that your control to make these settings.

The other option is to leverage PowerShell JEA (Just enough administration) and constrained endpoints.

Using JEA

$nonAdminCred = Get-Credential

Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred

Just Enough Administration (JEA) Infrastructure: An Introduction

Just Enough Administration (JEA) provides a RBAC platform through
Windows PowerShell. It allows specific users to perform specific
administrative tasks on servers without giving them administrator
rights. This allows you to fill in the gaps between your existing RBAC
solutions

JEA Helper Tool 2.0

This script provide a graphical "helper" to several Just Enough
Administration (JEA) features, for Windows Management Frameworek (WMF)
5.0 and Windows Server 2016 Technical Preview 4 (TP4)

PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step

Leverage PowerShell Just Enough Administration for your Helpdesk

With JEA, you empowers your users to perform specific tasks through
PowerShell without providing them elevated rights. You can control the
available commands and parameters, validate input for the specified
parameters, and have full auditing capabilities with over-the-shoulder
transcripts, module logging, and deep script block logging.

Introduction to PowerShell Endpoints