Using WireGuard on Windows with no local administrator rights


I’ve recently been helping a non-profit uplift their security – we’ve put in a UniFi Gateway along with cleaning up their 365 tenancy and endpoint management. As part of this, we’ve implemented a WireGuard VPN back to their NAS, as well as removing local admin rights from end users. Unfortunately, WireGuard by default requires local admin rights to function; however, we can get around this with a few tweaks.

You’ll need to be a local admin to do all this work; afterwards you can lower the user's permissions to the Network Configuration Operators builtin group (well-known SID S-1-5-32-556). Membership of this group is required to bring the tunnel up and down. It also grants the user the ability to modify local network settings and may prompt UAC when accessing other system components (however, permissions will not be elevated).

 reg add HKLM\Software\WireGuard /v LimitedOperatorUI /t REG_DWORD /d 1 /f

Once that registry value is in place, import the tunnel configuration, then restart the endpoint. Once back at the desktop, lower the permissions to Network Configuration Operators for that user and log off and back in. WireGuard should now be in the tray with the ability to Activate and Deactivate the tunnel, but not to edit or import any further configurations.
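The steps above, scripted, as an added example rather than anything from the original post: run once from an elevated PowerShell session to set LimitedOperatorUI, import the tunnel and reboot as described, then run again with -LowerPermissions for the end user. The script name and the $UserName placeholder are assumptions; the registry path, value and group SID are the ones from the post.

```powershell
# Added example (not from the original post). Run elevated.
#   .\Set-WireGuardOperator.ps1 -UserName jdoe                    # stage 1: registry value
#   .\Set-WireGuardOperator.ps1 -UserName jdoe -LowerPermissions  # stage 2: after import + reboot
param(
    [Parameter(Mandatory = $true)][string]$UserName,  # placeholder: the standard user's local account
    [switch]$LowerPermissions
)

$RegPath   = 'HKLM:\SOFTWARE\WireGuard'
$AdminSid  = 'S-1-5-32-544'   # well-known SID: Administrators
$NetOpsSid = 'S-1-5-32-556'   # well-known SID: Network Configuration Operators

function Set-WireGuardLimitedOperatorUi {
    # Equivalent of the reg add in the post: create the key if needed, set the DWORD to 1.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name 'LimitedOperatorUI' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Test-LocalGroupMembership([string]$GroupSid, [string]$User) {
    # Get-LocalGroupMember errors when the account is not a member; treat that as $false.
    # Resolving the group by SID avoids problems with localized group names.
    try { [bool](Get-LocalGroupMember -SID $GroupSid -Member $User -ErrorAction Stop) }
    catch { $false }
}

function Set-UserToNetworkConfigurationOperators([string]$User) {
    # Drop local admin rights, then grant only the group needed to activate/deactivate the tunnel.
    if (Test-LocalGroupMembership $AdminSid $User) { Remove-LocalGroupMember -SID $AdminSid -Member $User }
    if (-not (Test-LocalGroupMembership $NetOpsSid $User)) { Add-LocalGroupMember -SID $NetOpsSid -Member $User }
}

function Test-WireGuardLimitedOperatorSetup([string]$User) {
    # $true only when the registry value is 1, the user is not a local admin,
    # and the user is in Network Configuration Operators.
    $value = (Get-ItemProperty -Path $RegPath -Name 'LimitedOperatorUI' -ErrorAction SilentlyContinue).LimitedOperatorUI
    ($value -eq 1) -and (-not (Test-LocalGroupMembership $AdminSid $User)) -and (Test-LocalGroupMembership $NetOpsSid $User)
}

Set-WireGuardLimitedOperatorUi
if ($LowerPermissions) {
    Set-UserToNetworkConfigurationOperators -User $UserName
    if (Test-WireGuardLimitedOperatorSetup -User $UserName) {
        Write-Output "Done: have $UserName log off and back on; WireGuard should offer Activate/Deactivate only."
    } else {
        Write-Warning 'Setup incomplete; check the registry value and the group memberships.'
    }
} else {
    Write-Output 'LimitedOperatorUI set. Import the tunnel as admin, reboot, then rerun with -LowerPermissions.'
}
```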

While it isn’t completely locked down, I’d rather that than give the end users full local administrator rights. Hope that helps someone.
