Allow Non-Admins Permission to Manage Windows Firewall
I am attempting to setup a process for our support team (non-administrators) to have access to remotely enable or disable a group of Windows firewall rules.
I did the following to get to the point of allowing remote access...
Enable-PSRemoting -Force
winrm quickconfig
Set-Item -Path WSMan:LocalhostClientTrustedHosts -Value '$supteam' -Concatenate
New-NetFirewallRule -DisplayName <dispName> -Profile <profile> -Enabled True -Action Allow -RemoteAddress $supteam -Direction Inbound -LocalPort <winRMport> -Protocol TCP -Program System
When running the command...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { netsh advfirewall firewall set rule group="<ruleGroupName>" new enable=<yes/no> } -Credential $creds
I get the following output...
The requested operation requires elevation (Run as administrator).
The PowerShell session from which I am running the above command is open as Administrator (i.e. the title bar reads "Administrator: Windows PowerShell"). User Account Control (UAC) is turned off on the destination server.
NOTE: I have also tried using the PowerShell equivalent for (en|dis)abling the firewall rules...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" | <Enable/Disable>-NetFirewallRule } -Credential $creds
And get the following output times 3 (one for each rule)...
Access is denied.
+ CategoryInfo: PermissionDenied: (MSFT_NetFirewal...ystemName =
""):root/standardcimv2/MSFT_NetFirewallRule) [Enable-NetFirewallRule],
CimException
+ FullyQualifiedErrorId : Windows System Error 5,Enable-NetFirewallRule
+ PSComputerName : ipAddress
I can get a list of the rules using...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" } -Credential $creds
So I am taking it that (en|dis)abling firewall rules can only be done by members of the local Administrator group of the remote server.
If my assumption is correct, is it possible to allow a non-admin group access to modify the firewall? If so, any instructions or links would be greatly appreciated!
permissions powershell windows-firewall non-admin
add a comment |
I am attempting to setup a process for our support team (non-administrators) to have access to remotely enable or disable a group of Windows firewall rules.
I did the following to get to the point of allowing remote access...
Enable-PSRemoting -Force
winrm quickconfig
Set-Item -Path WSMan:LocalhostClientTrustedHosts -Value '$supteam' -Concatenate
New-NetFirewallRule -DisplayName <dispName> -Profile <profile> -Enabled True -Action Allow -RemoteAddress $supteam -Direction Inbound -LocalPort <winRMport> -Protocol TCP -Program System
When running the command...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { netsh advfirewall firewall set rule group="<ruleGroupName>" new enable=<yes/no> } -Credential $creds
I get the following output...
The requested operation requires elevation (Run as administrator).
The PowerShell session from which I am running the above command is open as Administrator (i.e. the title bar reads "Administrator: Windows PowerShell"). User Account Control (UAC) is turned off on the destination server.
NOTE: I have also tried using the PowerShell equivalent for (en|dis)abling the firewall rules...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" | <Enable/Disable>-NetFirewallRule } -Credential $creds
And get the following output times 3 (one for each rule)...
Access is denied.
+ CategoryInfo: PermissionDenied: (MSFT_NetFirewal...ystemName =
""):root/standardcimv2/MSFT_NetFirewallRule) [Enable-NetFirewallRule],
CimException
+ FullyQualifiedErrorId : Windows System Error 5,Enable-NetFirewallRule
+ PSComputerName : ipAddress
I can get a list of the rules using...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" } -Credential $creds
So I am taking it that (en|dis)abling firewall rules can only be done by members of the local Administrator group of the remote server.
If my assumption is correct, is it possible to allow a non-admin group access to modify the firewall? If so, any instructions or links would be greatly appreciated!
permissions powershell windows-firewall non-admin
add a comment |
I am attempting to setup a process for our support team (non-administrators) to have access to remotely enable or disable a group of Windows firewall rules.
I did the following to get to the point of allowing remote access...
Enable-PSRemoting -Force
winrm quickconfig
Set-Item -Path WSMan:LocalhostClientTrustedHosts -Value '$supteam' -Concatenate
New-NetFirewallRule -DisplayName <dispName> -Profile <profile> -Enabled True -Action Allow -RemoteAddress $supteam -Direction Inbound -LocalPort <winRMport> -Protocol TCP -Program System
When running the command...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { netsh advfirewall firewall set rule group="<ruleGroupName>" new enable=<yes/no> } -Credential $creds
I get the following output...
The requested operation requires elevation (Run as administrator).
The PowerShell session from which I am running the above command is open as Administrator (i.e. the title bar reads "Administrator: Windows PowerShell"). User Account Control (UAC) is turned off on the destination server.
NOTE: I have also tried using the PowerShell equivalent for (en|dis)abling the firewall rules...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" | <Enable/Disable>-NetFirewallRule } -Credential $creds
And get the following output times 3 (one for each rule)...
Access is denied.
+ CategoryInfo: PermissionDenied: (MSFT_NetFirewal...ystemName =
""):root/standardcimv2/MSFT_NetFirewallRule) [Enable-NetFirewallRule],
CimException
+ FullyQualifiedErrorId : Windows System Error 5,Enable-NetFirewallRule
+ PSComputerName : ipAddress
I can get a list of the rules using...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" } -Credential $creds
So I am taking it that (en|dis)abling firewall rules can only be done by members of the local Administrator group of the remote server.
If my assumption is correct, is it possible to allow a non-admin group access to modify the firewall? If so, any instructions or links would be greatly appreciated!
permissions powershell windows-firewall non-admin
I am attempting to setup a process for our support team (non-administrators) to have access to remotely enable or disable a group of Windows firewall rules.
I did the following to get to the point of allowing remote access...
Enable-PSRemoting -Force
winrm quickconfig
Set-Item -Path WSMan:LocalhostClientTrustedHosts -Value '$supteam' -Concatenate
New-NetFirewallRule -DisplayName <dispName> -Profile <profile> -Enabled True -Action Allow -RemoteAddress $supteam -Direction Inbound -LocalPort <winRMport> -Protocol TCP -Program System
When running the command...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { netsh advfirewall firewall set rule group="<ruleGroupName>" new enable=<yes/no> } -Credential $creds
I get the following output...
The requested operation requires elevation (Run as administrator).
The PowerShell session from which I am running the above command is open as Administrator (i.e. the title bar reads "Administrator: Windows PowerShell"). User Account Control (UAC) is turned off on the destination server.
NOTE: I have also tried using the PowerShell equivalent for (en|dis)abling the firewall rules...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" | <Enable/Disable>-NetFirewallRule } -Credential $creds
And get the following output times 3 (one for each rule)...
Access is denied.
+ CategoryInfo: PermissionDenied: (MSFT_NetFirewal...ystemName =
""):root/standardcimv2/MSFT_NetFirewallRule) [Enable-NetFirewallRule],
CimException
+ FullyQualifiedErrorId : Windows System Error 5,Enable-NetFirewallRule
+ PSComputerName : ipAddress
I can get a list of the rules using...
Invoke-Command -ComputerName <ipAddress> -ScriptBlock { Get-NetFirewallRule -Group "<ruleGroupName>" } -Credential $creds
So I am taking it that (en|dis)abling firewall rules can only be done by members of the local Administrator group of the remote server.
If my assumption is correct, is it possible to allow a non-admin group access to modify the firewall? If so, any instructions or links would be greatly appreciated!
permissions powershell windows-firewall non-admin
permissions powershell windows-firewall non-admin
edited Jan 23 at 15:53
sudosysadmin
asked Jan 23 at 15:01
sudosysadminsudosysadmin
11
11
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
This is a Windows security boundary, not a PowerShell issue. So, not a simple PowerShell script this. It's an environment and policy configuration.
You need to grant the needed permissions to the use or account that your control to make these settings.
The other option is to leverage PowerShell JEA (Just enough administration) and constrained endpoints.
Using JEA
$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred
Just Enough Administration (JEA) Infrastructure: An Introduction
Just Enough Administration (JEA) provides a RBAC platform through
Windows PowerShell. It allows specific users to perform specific
administrative tasks on servers without giving them administrator
rights. This allows you to fill in the gaps between your existing RBAC
solutions
JEA Helper Tool 2.0
This script provide a graphical "helper" to several Just Enough
Administration (JEA) features, for Windows Management Frameworek (WMF)
5.0 and Windows Server 2016 Technical Preview 4 (TP4)
PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step
Leverage PowerShell Just Enough Administration for your Helpdesk
With JEA, you empowers your users to perform specific tasks through
PowerShell without providing them elevated rights. You can control the
available commands and parameters, validate input for the specified
parameters, and have full auditing capabilities with over-the-shoulder
transcripts, module logging, and deep script block logging.
Introduction to PowerShell Endpoints
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397509%2fallow-non-admins-permission-to-manage-windows-firewall%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
This is a Windows security boundary, not a PowerShell issue. So, not a simple PowerShell script this. It's an environment and policy configuration.
You need to grant the needed permissions to the use or account that your control to make these settings.
The other option is to leverage PowerShell JEA (Just enough administration) and constrained endpoints.
Using JEA
$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred
Just Enough Administration (JEA) Infrastructure: An Introduction
Just Enough Administration (JEA) provides a RBAC platform through
Windows PowerShell. It allows specific users to perform specific
administrative tasks on servers without giving them administrator
rights. This allows you to fill in the gaps between your existing RBAC
solutions
JEA Helper Tool 2.0
This script provide a graphical "helper" to several Just Enough
Administration (JEA) features, for Windows Management Frameworek (WMF)
5.0 and Windows Server 2016 Technical Preview 4 (TP4)
PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step
Leverage PowerShell Just Enough Administration for your Helpdesk
With JEA, you empowers your users to perform specific tasks through
PowerShell without providing them elevated rights. You can control the
available commands and parameters, validate input for the specified
parameters, and have full auditing capabilities with over-the-shoulder
transcripts, module logging, and deep script block logging.
Introduction to PowerShell Endpoints
add a comment |
This is a Windows security boundary, not a PowerShell issue. So, not a simple PowerShell script this. It's an environment and policy configuration.
You need to grant the needed permissions to the use or account that your control to make these settings.
The other option is to leverage PowerShell JEA (Just enough administration) and constrained endpoints.
Using JEA
$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred
Just Enough Administration (JEA) Infrastructure: An Introduction
Just Enough Administration (JEA) provides a RBAC platform through
Windows PowerShell. It allows specific users to perform specific
administrative tasks on servers without giving them administrator
rights. This allows you to fill in the gaps between your existing RBAC
solutions
JEA Helper Tool 2.0
This script provide a graphical "helper" to several Just Enough
Administration (JEA) features, for Windows Management Frameworek (WMF)
5.0 and Windows Server 2016 Technical Preview 4 (TP4)
PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step
Leverage PowerShell Just Enough Administration for your Helpdesk
With JEA, you empowers your users to perform specific tasks through
PowerShell without providing them elevated rights. You can control the
available commands and parameters, validate input for the specified
parameters, and have full auditing capabilities with over-the-shoulder
transcripts, module logging, and deep script block logging.
Introduction to PowerShell Endpoints
add a comment |
This is a Windows security boundary, not a PowerShell issue. So, not a simple PowerShell script this. It's an environment and policy configuration.
You need to grant the needed permissions to the use or account that your control to make these settings.
The other option is to leverage PowerShell JEA (Just enough administration) and constrained endpoints.
Using JEA
$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred
Just Enough Administration (JEA) Infrastructure: An Introduction
Just Enough Administration (JEA) provides a RBAC platform through
Windows PowerShell. It allows specific users to perform specific
administrative tasks on servers without giving them administrator
rights. This allows you to fill in the gaps between your existing RBAC
solutions
JEA Helper Tool 2.0
This script provide a graphical "helper" to several Just Enough
Administration (JEA) features, for Windows Management Frameworek (WMF)
5.0 and Windows Server 2016 Technical Preview 4 (TP4)
PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step
Leverage PowerShell Just Enough Administration for your Helpdesk
With JEA, you empowers your users to perform specific tasks through
PowerShell without providing them elevated rights. You can control the
available commands and parameters, validate input for the specified
parameters, and have full auditing capabilities with over-the-shoulder
transcripts, module logging, and deep script block logging.
Introduction to PowerShell Endpoints
This is a Windows security boundary, not a PowerShell issue. So, not a simple PowerShell script this. It's an environment and policy configuration.
You need to grant the needed permissions to the use or account that your control to make these settings.
The other option is to leverage PowerShell JEA (Just enough administration) and constrained endpoints.
Using JEA
$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred
Just Enough Administration (JEA) Infrastructure: An Introduction
Just Enough Administration (JEA) provides a RBAC platform through
Windows PowerShell. It allows specific users to perform specific
administrative tasks on servers without giving them administrator
rights. This allows you to fill in the gaps between your existing RBAC
solutions
JEA Helper Tool 2.0
This script provide a graphical "helper" to several Just Enough
Administration (JEA) features, for Windows Management Frameworek (WMF)
5.0 and Windows Server 2016 Technical Preview 4 (TP4)
PowerShell: Implementing Just-Enough-Administration (JEA), Step-by-Step
Leverage PowerShell Just Enough Administration for your Helpdesk
With JEA, you empowers your users to perform specific tasks through
PowerShell without providing them elevated rights. You can control the
available commands and parameters, validate input for the specified
parameters, and have full auditing capabilities with over-the-shoulder
transcripts, module logging, and deep script block logging.
Introduction to PowerShell Endpoints
answered Jan 24 at 1:13
postanotepostanote
1,04333
1,04333
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1397509%2fallow-non-admins-permission-to-manage-windows-firewall%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown