mbarnesseo
How to allow network connections via powershell using an elevated account

We have our computers locked down pretty well and only our more privileged accounts can access desktops via the network - UNC, WMI, pssessions and such.

Is there a way to give a program, such as PowerShell, rights to access through the network?  I thought I could run PowerShell as my elevated account and that would suffice.  However, that is not the case.  

For security reasons, I do not want to add our less privileged accounts to the allow list.  I'm

Thank you
Mike
footech

We have our computers locked down pretty well and only our more privileged accounts can access desktops via the network - UNC, WMI, pssessions and such.
What's your method of doing this currently?
Best option imo is to run a GPO-based whitelisting solution that only allows user-specified processes to run on machines based on WHATEVER criteria you set in the configuration of this policy. We could do this via GPO, for example multiple GPOs with multiple security group applications if required, i.e. user1 group gets this GPO and user2 group gets that GPO, both containing different GPO configs.

This is also v effective vs ransomware and I would want this policy in my network, period. 2018
Mark, the OP didn't ask for further means to lock down even more, but to add exceptions for more privileged accounts, which is quite the contrary.

Mike, what does your use of "elevated" exactly mean here? Are you just referring to the more privileged accounts, or running processes with admin privileges?
What exactly should they be able to do? Going from some desktop to theirs, or the other way round?
If you have an "up to date" client environment, then the solution is "Just Enough Administration". Give that an internet search and you'll find everything you need to know about it.
mbarnesseo (asker)
Sorry for the late response.

Currently, we have a GPO pushing out the allow list and deny list for accessing a PC via the network. My elevated account is in the allow list and my everyday-use account is in the deny list via an AD group membership.

To answer some of the questions...
Elevated means a privileged account and yes, Just Enough Administration is the goal, but I'm having trouble with this one part. I do most of my administrative tasks via PowerShell. I would like to run PowerShell as my elevated account, which works except for accessing another PC through the network.

Example. I'm on "mypclt" logged in as my regular non-elevated account. I runas "elevated" PowerShell. I can access AD admin tasks with no problem. However, I cannot access WMI requests or UNC paths, which we use almost every day. I do not want to add my non-elevated account to the allow list for network access. That defeats the purpose of the everyday non-elevated account.

BTW, PowerShell commands such as Get-ChildItem work. I can Copy-Item as well. I might have to recreate the scripts I have that use WMI requests to use only PowerShell cmdlets.

Thanks
Mike
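One way to keep the everyday account out of the network-logon allow list while still doing WMI, UNC and remoting work from a normal desktop session is to pass the privileged credential explicitly at each remote call instead of relying on the token of a runas'd PowerShell. The following is an added example, not code from the thread; DOMAIN\elevated and targetpc are placeholder names.

```powershell
# Added example (not from the thread). Assumes the privileged account is
# DOMAIN\elevated and the target workstation is 'targetpc' (placeholders).
# The credential is prompted for once and handed to each cmdlet that can take
# one, so the account in the "deny access from the network" list is never the
# one making the remote connection.

$target = 'targetpc'   # placeholder
$cred   = Get-Credential -UserName 'DOMAIN\elevated' -Message 'Privileged account'

# Show which identity the current PowerShell process actually runs as.
whoami.exe /upn

# WMI via CIM: open a session with the privileged credential, then query it.
$cim = New-CimSession -ComputerName $target -Credential $cred
Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption, LastBootUpTime
Remove-CimSession $cim

# Legacy WMI cmdlet (Windows PowerShell 5.1), same idea:
Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -Credential $cred

# UNC path: map the admin share with the credential instead of the process token.
New-PSDrive -Name T -PSProvider FileSystem -Root "\\$target\c$" -Credential $cred | Out-Null
Get-ChildItem T:\Windows\Temp | Select-Object -First 5
Remove-PSDrive -Name T

# PSRemoting: one session reused for several tasks, then closed.
$s = New-PSSession -ComputerName $target -Credential $cred
Invoke-Command -Session $s -ScriptBlock {
    # Runs on the target; lists the network-logon allow/deny rights the GPO
    # applied there (SeNetworkLogonRight / SeDenyNetworkLogonRight).
    secedit.exe /export /cfg "$env:TEMP\rights.inf" | Out-Null
    Select-String -Path "$env:TEMP\rights.inf" -Pattern 'NetworkLogonRight'
    Remove-Item "$env:TEMP\rights.inf"
}
Remove-PSSession $s
```

The secedit export at the end is a quick way to confirm, per machine, which SIDs the GPO actually placed in the allow and deny lists when a call still fails.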
I think what you are describing is the traditional "double-hop" problem. I can't get to several Microsoft properties right now - but search for that using your favorite Internet search engine.