P2S VPN Client Without Local Admin Rights
Currently the Azure P2S VPN client requires the user to be a local admin. The response to my support call was:
"This is By Design and unfortunately there is no alternative to running the Point-To-Site VPN connection as local admin, because you basically need to inject a new route in the routing table for the VPN and that can be done only by an admin.
Unfortunately, Point-to-Site users need to have machine admin rights at this time. There is no workaround for the Point-to-Site VPN, because the VPN client needs admin permissions."
I would like to see the necessity to have local admin rights removed if possible.
Unfortunately, this is a constraint on the Windows platform. It’s not possible to change from Azure P2S VPNs.
Brandon Fox commented
In case anyone was still wondering, and I haven't tried this yet, but here is a guy that came up with a decent-seeming workaround: https://www.geekshangout.com/azure-customizing-the-point-to-site-vpn-client/
For the record, the Windows 10 team had removed this requirement of local admins on one of the Windows 10 builds, then they sneakily added it back!!!
Up there with the dumbest MS moments.
Microsoft: "Hey, let's secure our Windows platform and spend a decade reinforcing the best practice of not giving users admin access."
Azure Team: "Let's not make this work as per every other VPN vendor out there as a service, let's be lazy, incompetent children and need admin access."
2 years guys. 2 years to figure this out and make it something actually usable. Idiots.
Can another client be used? Maybe the Azure team can build their own client vs using the standard client. Think what an independent company would do to support its clients' needs.
This is not a constraint of the Windows platform. I have several point-to-site VPN clients that don't require admin rights after installation to connect and route traffic. Did anyone on this team stop and ask "how do the other guys do it?" rather than give up and blame their own platform? How can you program on Windows and not be aware that a service can do the heavy lifting for you in the background? This response is shameful!
It is absolutely possible to add a P2S connection AND the corresponding route(s) using PowerShell and information obtainable from the downloaded package. This has to be done as administrator (or via an SCCM package) once, and every non-admin user will be able to use this connection. Search for azure-p2s-vpn-client-non-admin on www.itninja.com and add the Add-VpnConnectionRoute and probably Add-VpnConnectionTriggerDnsConfiguration commands yourself.
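The approach described in the comment above, as an added example (not the poster's script, not the itninja.com script, and not anything shipped by Microsoft): an administrator creates the connection once in the machine-wide phonebook and attaches the VNet routes to it, so a standard user can dial it without touching the routing table. The connection name, gateway FQDN, address prefixes and DNS suffix are constructed placeholders; the real values come from the downloaded P2S client package.

```powershell
#Requires -RunAsAdministrator
# Added example: run once with elevation (or from a deployment tool such as an
# SCCM package). Every value below is a constructed placeholder.

$ConnectionName = 'Azure-P2S'
$GatewayFqdn    = 'azuregateway-PLACEHOLDER.vpn.azure.com'   # from the package's .pbk
$VnetPrefixes   = @('10.10.0.0/16', '10.20.0.0/24')          # from the package's route list
$DnsSuffix      = 'corp.example'                             # optional, assumed

function New-SharedP2SConnection {
    param([string]$Name, [string]$Server, [string[]]$Prefixes, [string]$Suffix)

    # Remove a stale machine-wide entry so the script can be re-run safely.
    if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -AllUserConnection -Force
    }

    # -AllUserConnection stores the entry in the machine-wide phonebook, which
    # is what lets a non-admin user dial it. Split tunnelling keeps the default
    # route local; only the prefixes added below are sent through the tunnel.
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Sstp `
        -AuthenticationMethod Eap -EncryptionLevel Required `
        -SplitTunneling -RememberCredential -AllUserConnection
    # Azure certificate authentication uses EAP-TLS; the EAP settings (client
    # certificate, trusted root) still have to match the downloaded package.

    # Routes stored with the connection are installed by RAS on dial-up, so the
    # user needs no rights on the routing table.
    foreach ($prefix in $Prefixes) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $prefix -AllUserConnection
    }
    if ($Suffix) {
        Set-VpnConnection -Name $Name -DnsSuffix $Suffix -AllUserConnection
    }

    # Return the resulting configuration so a deployment can verify it.
    Get-VpnConnection -Name $Name -AllUserConnection |
        Select-Object Name, ServerAddress, SplitTunneling, Routes
}

New-SharedP2SConnection -Name $ConnectionName -Server $GatewayFqdn `
    -Prefixes $VnetPrefixes -Suffix $DnsSuffix
```

A standard user can then check the connection is visible to them with Get-VpnConnection -AllUserConnection and dial it with rasdial; if the Routes list returned above is empty, the user will connect but have no path into the VNet.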
While this option sounds like good news there should really be a scripted solution like this included in the VPN Client download.
Yushun: The Windows platform is probably not as limited as you think. Please go and work on this.
So basically, the Azure Networking team is pointing at the Windows Platform team saying "it's their constraint". We only leverage the built-in VPN capability. If there's a problem, the platform guys should address it. Wonderful. So who owns the follow-through on getting a significant vulnerability like this addressed?
Has there been any update to this or is this still an issue? I just tested this and found that unless the user is also a local admin, the VPN will fail.
Our company provides systems to government and public safety organizations. This restriction completely excludes using Azure-based delivery of PaaS and SaaS solutions to this marketplace!
Will Microsoft reconsider removing this significant constraint?
Trinh Anh Duc commented
You mentioned "inject a new route": are admin rights required only once when we set up the VPN connection, or every time we dial it?
Is there a way for the user to just set it up and for an admin to later "modify" the routing entries accordingly?
Joe McGlynn commented
With the proliferation of ransomware and end users' inability to understand simple security threats, how do we protect the OS/info if the VPN needs that user to have admin rights?
This is unfortunately a Windows platform constraint. Azure P2S VPN leverages Windows built-in VPN client capability, which at this point does require admin permission on the machine.