Grant users permission to add firewall rules

  • Question

  • Hi,

    My users are software developers and support engineers who need to be able to run and test an undefined number of different versions of our software, which is a network distributed system. They need to be able to run the software from their own devices, which have the Windows Firewall prompt for permissions whenever they run the software from a new location (which happens up to multiple times a day).

    I do not want to disable the Windows firewall, as it adds an extra layer of security to the systems, and I also do not want to give users local administrator rights for obvious reasons either.

    So there are two approaches that I tried but couldn't find a solution to (and they may not be possible?):

    a.) give the users permission to modify and/or disable the firewall as needed, or alternatively allow them to confirm the UAC permission dialogue for firewall-related issues only

    b.) set firewall rules globally via GPO that allow all programs in a specific directory and its sub-directories through the firewall (by using wildcards like "*"), so users will just have to copy their test versions there; or alternatively allow all programs with a specific name or other means of general identification that works for all versions through the firewall by GPO. This will also have to work on UNC paths, as software may be located on network shares

    I cannot just allow a port range for this to work, as the software uses dynamic ports with a very wide range, which wouldn't be much different from disabling the firewall in the first place.

    I am aware that granting users the ability to disable the firewall is just as well a security risk, but that isn't a very good point if it means they cannot do their job.

    Wednesday, June 10, 2020 10:30 AM

All replies

  • Hi,

    As far as I know, the user has to have the “Network Configuration Operators” group listed with the Mandatory flag in his security token.

    It can be achieved by adding the user to the “Network Configuration Operators” group and running a process with elevated privileges. Without elevated integrity the group will be listed with the “Deny” flag and the user still won't have the access.

    Regards,


    Thursday, July 2, 2020 9:30 AM
  • Hi,

    This does work as described. Running all applications with elevated privileges isn't feasible though, and thus this is not a solution for my problem.

    Running without elevation will prompt for login credentials when confirming the infamous firewall dialogue that pops up, and will result in a "deny" rule being added when using the normal user credentials.

    Using local administrator credentials does add the correct firewall rules, but will get annoying for our application testers as there will be a lot of credential typing...

    It would be nice to just allow them to click the "accept" button in the dialogue to add the rule and be done with it, as they can when they're using local administrator accounts.

    Monday, July 27, 2020 12:39 PM
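The token behaviour described in the first reply and confirmed in the follow-up (the group is present but "deny only" in a non-elevated token, so the rule never gets added) can be checked from the user's own session. The script below is an added example, not code from this thread or from Microsoft; `C:\DevBuilds` and `app.exe` are assumed placeholder paths, and the per-program rule it creates is the kind a GPO would deploy for approach (b).

```powershell
# Added example: inspect how the current token carries the
# "Network Configuration Operators" group, and create a per-program allow
# rule only when the token is actually usable for it.
# Assumes Windows 10 / Server 2016+ with the NetSecurity module.

$DevRoot = 'C:\DevBuilds'   # assumed test-build folder (placeholder)

function Get-NcoTokenState {
    # Returns 'Enabled', 'DenyOnly' or 'NotMember' for the current process token.
    # UAC filters privileged groups such as Network Configuration Operators out
    # of the non-elevated token by marking them "Group used for deny only", which
    # is why the firewall prompt ends up writing a block rule for such users.
    $row = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like '*\Network Configuration Operators' }
    if (-not $row) { return 'NotMember' }
    if ($row.Attributes -match 'deny only') { return 'DenyOnly' }
    return 'Enabled'
}

function New-DevBuildRule {
    param([Parameter(Mandatory)][string]$ExePath)
    # A program rule matches one executable path. Environment variables such as
    # %ProgramFiles% are accepted in the path, wildcards like * are not, so a
    # folder-wide rule as asked for in approach (b) cannot be expressed this way;
    # each build that needs inbound access gets its own rule, tagged by -Group so
    # they can be listed or removed together later.
    New-NetFirewallRule -DisplayName "DevBuild: $(Split-Path $ExePath -Leaf)" `
        -Direction Inbound -Program $ExePath -Action Allow `
        -Profile Domain, Private -Group 'DevBuilds'
}

switch (Get-NcoTokenState) {
    'Enabled'  { New-DevBuildRule -ExePath (Join-Path $DevRoot 'app.exe') }
    'DenyOnly' { Write-Warning 'Group is present but filtered by UAC; run from an elevated prompt.' }
    default    { Write-Warning 'Current user is not a member of Network Configuration Operators.' }
}
```

Running `Get-NcoTokenState` from a normal and from an elevated prompt for the same user shows the `DenyOnly` / `Enabled` difference the reply describes; `Get-NetFirewallRule -Group 'DevBuilds'` lists the rules the script has created.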