1

I'm trying to use COM objects from FirewallAPI.dll to set Windows Firewall rules programmatically from a C# application. The application is supposed to run under a user account that is not from the Administrators group.

I'm struggling with setting this user account's permissions to modify the firewall.

I gave this user full access to HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy, but it doesn't help.

When I try to use INetFwRule::put_RemoteAddresses, I get an access denied exception. How can I get some information about what rights are missing?

facetus

1 Answer

4

I found the answer. A user has to have a “Network Configuration Operators” group listed with the mandatory flag in her security token.

It can be achieved by adding the user to the “Network Configuration Operators” group and running a process with elevated privileges. Without elevated integrity the group will be listed with the “Deny” flag and the user still won't have access.

facetus
  • Thanks for this @facetus. In my case I am writing a Windows Service to manage a particular Windows Firewall rule. I found that adding the user to the group you mentioned was enough to get it to work. Perhaps running code as a service is considered elevated. – Mike Jul 06 '19 at 01:36
  • 1
    The funny part is that I had to disassemble Microsoft's DLLs to find the answer. People from Microsoft's Tech Network didn't know anything. – facetus Jul 06 '19 at 23:26
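
To check which of the cases described in the answer applies to a given process, the following added example (not code from the original post) reads the attributes of the “Network Configuration Operators” group from the current process token. It assumes the answer's “mandatory” and “Deny” flags correspond to the `SE_GROUP_*` attribute bits in the token; the class and method names are illustrative.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class NetConfigOpsTokenCheck   // hypothetical name, for illustration
{
    const int TokenGroups = 2;        // TOKEN_INFORMATION_CLASS.TokenGroups
    const uint SE_GROUP_ENABLED = 0x4, SE_GROUP_USE_FOR_DENY_ONLY = 0x10;

    [StructLayout(LayoutKind.Sequential)]
    struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr info, int length, out int returnLength);

    // Returns "enabled", "deny-only", "disabled" or "absent" for the wanted group SID.
    static string GroupState(WindowsIdentity identity, SecurityIdentifier wanted)
    {
        int size;
        // First call fails by design and reports the required buffer size.
        GetTokenInformation(identity.Token, TokenGroups, IntPtr.Zero, 0, out size);
        IntPtr buffer = Marshal.AllocHGlobal(size);
        try
        {
            if (!GetTokenInformation(identity.Token, TokenGroups, buffer, size, out size))
                throw new Win32Exception();
            int count = Marshal.ReadInt32(buffer);               // TOKEN_GROUPS.GroupCount
            int entrySize = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));
            for (int i = 0; i < count; i++)
            {
                // The Groups array starts at pointer alignment after GroupCount.
                var entry = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(
                    IntPtr.Add(buffer, IntPtr.Size + i * entrySize), typeof(SID_AND_ATTRIBUTES));
                if (!new SecurityIdentifier(entry.Sid).Equals(wanted)) continue;
                if ((entry.Attributes & SE_GROUP_USE_FOR_DENY_ONLY) != 0) return "deny-only";
                return (entry.Attributes & SE_GROUP_ENABLED) != 0 ? "enabled" : "disabled";
            }
            return "absent";   // the account is not a member, or has not logged on since being added
        }
        finally { Marshal.FreeHGlobal(buffer); }
    }

    static void Main()
    {
        var sid = new SecurityIdentifier(WellKnownSidType.BuiltinNetworkConfigurationOperatorsSid, null);
        using (var identity = WindowsIdentity.GetCurrent())
            Console.WriteLine("Network Configuration Operators ({0}): {1}", sid, GroupState(identity, sid));
    }
}
```

`WindowsPrincipal.IsInRole` with the same SID gives only a yes/no result and returns false for both the "absent" and the "deny-only" case, which is why the example reads the raw attributes instead.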