I'm trying to use COM objects from FirewallAPI.dll to set Windows Firewall rules programmatically from a C# application. The application is supposed to run under a user account that is not from the Administrators group.
I'm struggling with setting this user account's permissions to modify the firewall.
I gave this user full access to HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy, but it doesn't help.
When I try to use INetFwRule::put_RemoteAddresses, I get an access denied exception. How can I get some information about which rights are missing?
I found the answer. A user has to have a “Network Configuration Operators” group listed with the mandatory flag in her security token.
It can be achieved by adding the user to the “Network Configuration Operators” group and running a process with elevated privileges. Without elevated integrity the group will be listed with the “Deny” flag and the user still won't have access.