I have 15-20 technicians using Windows 10 and 11 laptops in the field who need to frequently switch between DHCP and static IPs for tasks like building commissioning and isolated networks. I don't want to give them full local admin rights because of the risks—like potential for random software installs or AV being disabled.
So far, I've tried a few methods: adding them to the Network Configuration Operators group (which still triggers UAC issues), using scripts wrapped with RunAsTool or PowerRun (but had inconsistent success), and setting up scheduled tasks as SYSTEM to run `netsh` or `Set-NetIPAddress`, which has been flaky across different devices.
What I really want is a clean solution where my techs can launch a simple GUI or menu, choose between DHCP or static, apply the configuration, and do all this without needing admin rights. If anyone has figured out a secure and effective way to manage this, maybe with PAM, AppLocker, whitelist tools, or other strategies, I'd appreciate your insights and experiences!
3 Answers
It sounds like the best approach is to develop a dedicated tool that handles network configuration adjustments for your techs. This avoids them needing to remember complex commands. With this setup, every action taken through the tool would be logged and auditable, making it easy to track activities related to their work tickets.
You could create a privileged background service with a front-end application. The service would allow only specified actions while letting users revert changes via a history log. Everything could be secured using a PKI encrypted config file, ensuring integrity and preventing manual tweaks. Plus, once they're back on the network, you can pull down signed logs for further troubleshooting when needed. Alternatively, the GUI can be simple, even a local web app that requires MFA for access before allowing techs to view and adjust IP settings.
Here are a couple of resources to consider:
- [Creating a Windows Service Application](https://learn.microsoft.com/en-us/dotnet/framework/windows-services/walkthrough-creating-a-windows-service-application-in-the-component-designer)
- [Best Practices for Writing Secure Apps](https://learn.microsoft.com/en-us/answers/questions/1179337/what-are-the-best-practices-for-writing-a-secure-a)
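The following is an added example, not part of the original answer or of any existing tool. It shows the service-side half of the design described above: the unprivileged front end submits only an adapter name and a profile name, and the privileged service resolves both against an admin-defined table, applies the change, and writes an audit line. The function names, adapter alias, profile names, address, log path, and the `$Caller` value (assumed to be supplied by the service's authenticated IPC channel) are all assumptions.

```powershell
# Added example, not from the original answer: logic for the privileged service side.
# Adapter alias, profile names, addresses and log path are constructed placeholders.
$AllowedAdapters = @('Ethernet')
$Profiles = @{
    'dhcp'       = @{ Mode = 'Dhcp' }
    'commission' = @{ Mode = 'Static'; IPAddress = '192.168.1.50'; PrefixLength = 24 }
}
$AuditLog = 'C:\ProgramData\NetProfileSvc\audit.log'  # directory must exist, writable by the service only

function Resolve-NetProfileRequest {
    param([Parameter(Mandatory)][string]$Json, [Parameter(Mandatory)][string]$Caller)
    try { $req = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { throw 'Request is not valid JSON' }
    # Exactly the two expected fields; extra or missing fields are rejected, not ignored.
    $names = @($req.PSObject.Properties.Name | Sort-Object)
    if (($names -join ',') -ne 'adapter,profile') { throw 'Unexpected request fields' }
    if ($req.adapter -isnot [string] -or $AllowedAdapters -notcontains $req.adapter) {
        throw 'Adapter not allowed'
    }
    if ($req.profile -isnot [string] -or -not $Profiles.ContainsKey($req.profile)) {
        throw 'Unknown profile'
    }
    # The caller never supplies addresses or commands, only names resolved here.
    [pscustomobject]@{ Caller = $Caller; Adapter = $req.adapter
                       Profile = $req.profile; Settings = $Profiles[$req.profile] }
}

function Invoke-NetProfilePlan {
    param([Parameter(Mandatory)]$Plan)
    $alias = $Plan.Adapter; $s = $Plan.Settings
    # Remove existing IPv4 addresses so a static profile does not stack on the old one.
    Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    if ($s.Mode -eq 'Dhcp') {
        Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Enabled
    } else {
        Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
        New-NetIPAddress -InterfaceAlias $alias -IPAddress $s.IPAddress -PrefixLength $s.PrefixLength | Out-Null
    }
    # One JSON line per applied change: when, who, which adapter, which profile.
    $entry = @{ time = (Get-Date).ToString('o'); caller = $Plan.Caller
                adapter = $alias; profile = $Plan.Profile } | ConvertTo-Json -Compress
    Add-Content -Path $AuditLog -Value $entry
}

# Usage (elevated, inside the service):
# $plan = Resolve-NetProfileRequest -Json '{"adapter":"Ethernet","profile":"commission"}' -Caller 'FIELD\tech01'
# Invoke-NetProfilePlan -Plan $plan
```

Because the request carries names rather than addresses or command text, a tampered front end can at most select another profile the administrator already approved.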
If your techs are part of the Network Configuration Operators group, they should be able to elevate their access when UAC prompts them. However, this could lead to UAC popping up for many tasks, which might be a hassle. But once they authenticate, they can carry out the necessary changes.
I’ve noticed several apps on GitHub that can simplify network settings changes. Just be cautious and analyze the code before using them. If UAC is an issue, you might want to explore registry permissions because that's where many of these settings seem to reside. If it’s just about tweaks in the registry, adjusting permissions on the right keys could potentially solve the problem.