Lemonek

Reputation: 194

Powershell New-NetFirewallRule with -LocalUser example

How do I create a firewall rule that will impact only one of the local accounts?

In theory the example below would be sufficient, however I'm missing the value for the parameter "-LocalUser".

Below is the PowerShell command:

New-NetFirewallRule -DisplayName "BLOCKWWW" -Direction Outbound -LocalPort 80,443 -Protocol TCP -Action Block -LocalUser **WHATGOESHERE**

Upvotes: 1

Views: 2321

Answers (2)

Paul Vergouwe

Reputation: 11

# Resolve the account or group name to its SID; NTAccount.Translate works for local and domain principals
$user = new-object System.Security.Principal.NTAccount ("corp.contoso.com\Administrators")
$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
# Wrap the SID in an SDDL DACL with a single allow ACE; this string is what -LocalUser takes
$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)"

Upvotes: 1

Mathias R. Jessen

Reputation: 175085

Judging from the examples showing how to use other parameters with similar descriptions (like RemoteUser), it'll take a discretionary ACL in SDDL with a single entry per user.

You could write a small helper function to generate these based on username:

function Get-FirewallLocalUserSddl {
  param(
    [string[]]$UserName
  )

  $SDDL = 'D:{0}'

  # One allow ACE per resolved local account
  $ACEs = foreach($Name in $UserName){
    try{
      # Look up the single name from this iteration, not the whole list
      $LocalUser = Get-LocalUser -Name $Name -ErrorAction Stop
      '(A;;CC;;;{0})' -f $LocalUser.Sid.Value
    }
    catch{
      Write-Warning "Local user '$Name' not found"
      continue
    }
  }
  return $SDDL -f ($ACEs -join '')
}

Then use it like:

New-NetFirewallRule -DisplayName "BLOCKWWW" -LocalUser (Get-FirewallLocalUserSddl user1,user2) -Direction Outbound -LocalPort 80,443 -Protocol TCP -Action Block

Upvotes: 7
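As an added example that is not part of the question or of either answer above, the PowerShell below combines the two approaches: the NTAccount-to-SID translation from the first answer (which also handles domain accounts and groups, not only Get-LocalUser results) and the one-ACE-per-account helper from the second. It then creates the rule, reads the stored filter back with Get-NetFirewallSecurityFilter and decodes the SDDL to account names so the rule can be audited. The function names, the rule name BLOCKWWW and the account names are illustrative assumptions. One check worth making before copying the question's command: for an outbound rule meant to block browsing, the port to match is the remote port, because the local side of an outgoing HTTP(S) connection is an ephemeral port.

```powershell
# Added example, not code from the question or the answers. The helper names,
# the rule name and the account names are assumptions for illustration.
# Run in an elevated PowerShell on a Windows host with the NetSecurity module.

function Get-FirewallUserSddl {
    # Resolve account names to SIDs and emit the SDDL DACL that -LocalUser and
    # -RemoteUser expect: one (A;;CC;;;<SID>) allow ACE per account.
    # Accepts local names ('user1', 'BUILTIN\Administrators') and domain
    # names ('CORP\Administrators' or 'corp.contoso.com\Administrators').
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Account
    )

    $aces = foreach ($name in $Account) {
        try {
            # NTAccount.Translate resolves local users, local groups and domain
            # principals alike, and throws for names that do not exist.
            $nt  = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $name
            $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
            '(A;;CC;;;{0})' -f $sid
        }
        catch {
            # Skip unknown accounts rather than writing a rule for the wrong SID.
            Write-Warning "Account '$name' could not be resolved ($($_.Exception.Message)); skipping it"
        }
    }

    if (-not $aces) {
        throw 'None of the accounts resolved; refusing to build a DACL with no entries.'
    }
    'D:' + ($aces -join '')
}

function ConvertFrom-FirewallUserSddl {
    # Pull the SIDs back out of a firewall user SDDL and translate each one to an
    # account name, so an existing rule's LocalUser/RemoteUser filter can be audited.
    param(
        [Parameter(Mandatory)]
        [string]$Sddl
    )

    foreach ($m in [regex]::Matches($Sddl, '\(A;;CC;;;(?<sid>S-1-[0-9-]+)\)')) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier $m.Groups['sid'].Value
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Sid = $sid.Value; Account = $name }
    }
}

# --- Usage (account and rule names are illustrative) ---
$sddl = Get-FirewallUserSddl -Account 'user1', 'user2'

# Outbound browsing leaves from an ephemeral local port, so the port to block
# is the remote one; -LocalPort 80,443 would only match traffic sent *from*
# local ports 80 and 443.
$rule = New-NetFirewallRule -DisplayName 'BLOCKWWW' -Direction Outbound `
    -Protocol TCP -RemotePort 80,443 -Action Block -LocalUser $sddl

# Verify what the firewall actually stored, then decode it to account names.
$filter = $rule | Get-NetFirewallSecurityFilter
$filter.LocalUser
ConvertFrom-FirewallUserSddl -Sddl $filter.LocalUser | Format-Table Sid, Account

# Cleanup when done testing:
# Remove-NetFirewallRule -DisplayName 'BLOCKWWW'
```

The helper warns and skips names that do not resolve instead of silently emitting an empty or partial DACL, and throws if nothing resolved at all, so a typo in an account name cannot quietly produce a rule that scopes to nobody or to the wrong principal. Reading the filter back after creation is the step that confirms the SDDL was accepted as intended.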
