Network Unisolation Security Commands#

This comprehensive guide covers the essential commands and procedures for network unisolation in Windows environments. Network unisolation is the process of restoring normal network connectivity after a security isolation event, ensuring that systems can safely return to operational status while maintaining appropriate security controls.

Table of Contents#

Understanding Network Unisolation#

Network unisolation refers to the controlled process of removing network isolation restrictions that were previously applied to a system for security purposes. This process requires careful execution to ensure that:

Security threats are eliminated before restoration
Proper network controls are re-established
System integrity is verified and maintained
Audit trails are preserved throughout the process

Critical Security Analysis#

Security Context Overview#

The unisolation process involves several security-critical operations that must be executed in the correct sequence:

Firewall restoration with appropriate rules
DNS cache clearing to remove potentially poisoned entries
Group Policy refresh to ensure policy consistency
Environment cleanup to remove isolation markers
Security validation to confirm safe restoration

Risk Assessment#

Before executing unisolation commands, consider:

Threat elimination confirmation
System integrity verification
Network security posture assessment
Compliance requirements adherence

Essential Unisolation Commands#

1. Firewall Restoration Commands#

Enable Windows Firewall (Critical First Step)#

1
netsh advfirewall set allprofiles state on

Security context: This is the critical first step to restore network security controls before making any other changes. Never proceed with other network changes while the firewall is disabled.

Reset Firewall to Default Configuration#

1
netsh advfirewall reset

Security context: Removes potentially compromised rules while ensuring baseline protection is restored.

Configure Default Firewall Policies#

1
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound

Security rationale: Establishes permissive but controlled default policies for normal operations.

2. Advanced Firewall Configuration#

Restore Specific Profile Settings#

1
# Enable firewall for specific profiles
2
netsh advfirewall set domainprofile state on
3
netsh advfirewall set privateprofile state on
4
netsh advfirewall set publicprofile state on

Configure Profile-Specific Policies#

1
# Domain profile (most restrictive for enterprise)
2
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
3

4
# Private profile (moderate restrictions)
5
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
6

7
# Public profile (most restrictive)
8
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

3. DNS and Network Cache Management#

Clear DNS Cache (Security Critical)#

1
ipconfig /flushdns

Security context: Clears potentially poisoned DNS cache entries from the isolation period.

Reset Network Stack#

1
# Reset TCP/IP stack
2
netsh int ip reset
3
netsh winsock reset

Renew Network Configuration#

1
# Release and renew IP configuration
2
ipconfig /release
3
ipconfig /renew

4. Group Policy Synchronization#

Force Group Policy Update#

1
gpupdate /force /wait:0

Security context: Ensures security policies are properly applied and consistent with domain requirements.

Comprehensive Policy Refresh#

1
# Force both computer and user policies
2
gpupdate /force /target:computer
3
gpupdate /force /target:user

5. Environment Cleanup Commands#

Remove Isolation Environment Variables#

1
# Remove isolation-related environment variables
2
[System.Environment]::SetEnvironmentVariable('IPWAZUH', $null, 'Machine')
3
[System.Environment]::SetEnvironmentVariable('NCSI_Domain', $null, 'Machine')
4
[System.Environment]::SetEnvironmentVariable('ISOLATION_STATUS', $null, 'Machine')

Clear Temporary Isolation Files#

1
# Remove temporary isolation markers
2
del /f /q C:\Windows\Temp\isolation_*
3
del /f /q C:\Temp\security_isolation_*

Complete Unisolation Procedure#

Step-by-Step Process#

Phase 1: Pre-Unisolation Validation#

1
# Verify threat elimination
2
Write-Host "=== PRE-UNISOLATION SECURITY CHECK ===" -ForegroundColor Yellow
3

4
# Check for active threats
5
$processes = Get-Process | Where-Object { $_.ProcessName -match "malware|suspicious" }
6
if ($processes) {
7
    Write-Warning "Suspicious processes detected. Do not proceed with unisolation."
8
    exit 1
9
}
10

11
# Verify system integrity
12
$integrityCheck = sfc /verifyonly 2>&1
13
if ($integrityCheck -match "violations") {
14
    Write-Warning "System integrity violations detected."
15
}
16

17
Write-Host "Pre-unisolation checks completed" -ForegroundColor Green

Phase 2: Firewall Restoration#

1
REM Critical firewall restoration sequence
2
echo === FIREWALL RESTORATION ===
3

4
REM 1. Reset firewall to defaults
5
netsh advfirewall reset
6

7
REM 2. Enable firewall for all profiles
8
netsh advfirewall set allprofiles state on
9

10
REM 3. Configure restrictive default policies
11
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
12
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
13
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound
14

15
echo Firewall restoration completed

Phase 3: Network Stack Reset#

1
REM Network stack cleanup
2
echo === NETWORK STACK RESET ===
3

4
REM Clear DNS cache
5
ipconfig /flushdns
6

7
REM Reset network interfaces
8
netsh int ip reset reset.log
9
netsh winsock reset
10

11
REM Renew network configuration
12
ipconfig /release
13
ipconfig /renew
14

15
echo Network stack reset completed

Phase 4: Policy Synchronization#

1
REM Group Policy synchronization
2
echo === POLICY SYNCHRONIZATION ===
3

4
REM Force comprehensive GP update
5
gpupdate /force /wait:0
6

7
REM Restart policy-dependent services
8
net stop "Group Policy Client" /y
9
net start "Group Policy Client"
10

11
echo Policy synchronization completed

Phase 5: Environment Cleanup#

1
# Environment cleanup
2
Write-Host "=== ENVIRONMENT CLEANUP ===" -ForegroundColor Yellow
3

4
# Remove isolation markers
5
$isolationVars = @('IPWAZUH', 'NCSI_Domain', 'ISOLATION_STATUS', 'QUARANTINE_FLAG')
6
foreach ($var in $isolationVars) {
7
    [System.Environment]::SetEnvironmentVariable($var, $null, 'Machine')
8
    Write-Host "Removed environment variable: $var" -ForegroundColor Green
9
}
10

11
# Clean registry isolation entries
12
$regPaths = @(
13
    'HKLM:\SOFTWARE\Security\Isolation',
14
    'HKLM:\SYSTEM\CurrentControlSet\Services\Isolation'
15
)
16

17
foreach ($path in $regPaths) {
18
    if (Test-Path $path) {
19
        Remove-Item -Path $path -Recurse -Force
20
        Write-Host "Cleaned registry path: $path" -ForegroundColor Green
21
    }
22
}
23

24
Write-Host "Environment cleanup completed" -ForegroundColor Green

Advanced Security Configurations#

Enhanced Firewall Rules#

Create Security-Focused Rules#

1
REM Create specific security rules
2
netsh advfirewall firewall add rule name="Block Suspicious Outbound" dir=out action=block protocol=TCP remoteport=4444,6666,9999
3

4
REM Allow essential services
5
netsh advfirewall firewall add rule name="Allow DNS" dir=out action=allow protocol=UDP remoteport=53
6
netsh advfirewall firewall add rule name="Allow HTTP" dir=out action=allow protocol=TCP remoteport=80
7
netsh advfirewall firewall add rule name="Allow HTTPS" dir=out action=allow protocol=TCP remoteport=443

Application-Specific Rules#

1
REM Allow specific applications through firewall
2
netsh advfirewall firewall add rule name="Allow Antivirus Updates" dir=out action=allow program="C:\Program Files\Antivirus\updater.exe"
3
netsh advfirewall firewall add rule name="Allow System Updates" dir=out action=allow program="C:\Windows\System32\wuauclt.exe"

Registry Security Restoration#

1
# Restore security-critical registry settings
2
function Restore-SecurityRegistry {
3
    $securitySettings = @{
4
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' = @{
5
            'RestrictAnonymous' = 1
6
            'RestrictAnonymousSAM' = 1
7
        }
8
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' = @{
9
            'RequireSecuritySignature' = 1
10
            'EnableSecuritySignature' = 1
11
        }
12
    }
13

14
    foreach ($regPath in $securitySettings.Keys) {
15
        if (-not (Test-Path $regPath)) {
16
            New-Item -Path $regPath -Force | Out-Null
17
        }
18

19
        foreach ($setting in $securitySettings[$regPath].GetEnumerator()) {
20
            Set-ItemProperty -Path $regPath -Name $setting.Key -Value $setting.Value
21
            Write-Host "Set $regPath\$($setting.Key) = $($setting.Value)" -ForegroundColor Green
22
        }
23
    }
24
}
25

26
Restore-SecurityRegistry

Validation and Verification#

Post-Unisolation Security Checks#

1
function Test-PostUnisolationSecurity {
2
    Write-Host "=== POST-UNISOLATION SECURITY VALIDATION ===" -ForegroundColor Cyan
3

4
    # Test firewall status
5
    $firewallStatus = netsh advfirewall show allprofiles state
6
    if ($firewallStatus -match "State\s+ON") {
7
        Write-Host "✓ Firewall is enabled" -ForegroundColor Green
8
    } else {
9
        Write-Host "✗ Firewall is not properly enabled" -ForegroundColor Red
10
    }
11

12
    # Test network connectivity
13
    $connectivityTests = @{
14
        'DNS Resolution' = { Resolve-DnsName google.com -ErrorAction SilentlyContinue }
15
        'HTTP Connectivity' = { Test-NetConnection -ComputerName google.com -Port 80 -InformationLevel Quiet }
16
        'HTTPS Connectivity' = { Test-NetConnection -ComputerName google.com -Port 443 -InformationLevel Quiet }
17
    }
18

19
    foreach ($test in $connectivityTests.GetEnumerator()) {
20
        try {
21
            $result = & $test.Value
22
            if ($result) {
23
                Write-Host "✓ $($test.Key): Success" -ForegroundColor Green
24
            } else {
25
                Write-Host "✗ $($test.Key): Failed" -ForegroundColor Red
26
            }
27
        } catch {
28
            Write-Host "✗ $($test.Key): Error - $($_.Exception.Message)" -ForegroundColor Red
29
        }
30
    }
31

32
    # Verify Group Policy application
33
    $gpResult = gpresult /r 2>&1
34
    if ($gpResult -match "successfully") {
35
        Write-Host "✓ Group Policy applied successfully" -ForegroundColor Green
36
    } else {
37
        Write-Host "✗ Group Policy application issues detected" -ForegroundColor Red
38
    }
39

40
    Write-Host "Security validation completed" -ForegroundColor Cyan
41
}
42

43
Test-PostUnisolationSecurity

Network Connectivity Verification#

1
REM Comprehensive connectivity tests
2
echo === CONNECTIVITY VERIFICATION ===
3

4
REM Test internal connectivity
5
ping -n 4 127.0.0.1
6
ping -n 4 %COMPUTERNAME%
7

8
REM Test domain connectivity (if domain-joined)
9
nltest /dsgetdc:%USERDOMAIN%
10

11
REM Test external connectivity
12
nslookup google.com
13
ping -n 2 8.8.8.8
14

15
echo Connectivity verification completed

Troubleshooting Common Issues#

Firewall Issues#

1
# Diagnose firewall problems
2
function Diagnose-FirewallIssues {
3
    Write-Host "=== FIREWALL DIAGNOSTICS ===" -ForegroundColor Yellow
4

5
    # Check firewall service
6
    $fwService = Get-Service -Name "MpsSvc" -ErrorAction SilentlyContinue
7
    if ($fwService) {
8
        Write-Host "Firewall Service Status: $($fwService.Status)" -ForegroundColor $(if ($fwService.Status -eq "Running") { "Green" } else { "Red" })
9

10
        if ($fwService.Status -ne "Running") {
11
            Write-Host "Attempting to start firewall service..." -ForegroundColor Yellow
12
            Start-Service -Name "MpsSvc"
13
        }
14
    }
15

16
    # Check firewall profiles
17
    $profiles = @("Domain", "Private", "Public")
18
    foreach ($profile in $profiles) {
19
        $status = (netsh advfirewall show $profile.ToLower()profile state) -match "State\s+(\w+)"
20
        if ($matches) {
21
            Write-Host "$profile Profile: $($matches[1])" -ForegroundColor $(if ($matches[1] -eq "ON") { "Green" } else { "Red" })
22
        }
23
    }
24
}
25

26
Diagnose-FirewallIssues

Network Restoration Issues#

1
REM Network troubleshooting commands
2
echo === NETWORK TROUBLESHOOTING ===
3

4
REM Check network adapters
5
ipconfig /all
6

7
REM Check routing table
8
route print
9

10
REM Check ARP table
11
arp -a
12

13
REM Reset network if needed
14
netsh int ip reset
15
netsh winsock reset

Group Policy Issues#

1
# Group Policy troubleshooting
2
function Repair-GroupPolicy {
3
    Write-Host "=== GROUP POLICY REPAIR ===" -ForegroundColor Yellow
4

5
    try {
6
        # Check GP service
7
        $gpService = Get-Service -Name "gpsvc"
8
        if ($gpService.Status -ne "Running") {
9
            Start-Service -Name "gpsvc"
10
            Write-Host "Started Group Policy Client service" -ForegroundColor Green
11
        }
12

13
        # Clear GP cache and force refresh
14
        Remove-Item -Path "C:\Windows\System32\GroupPolicy\*" -Recurse -Force -ErrorAction SilentlyContinue
15
        gpupdate /force /wait:0
16

17
        Write-Host "Group Policy repair completed" -ForegroundColor Green
18

19
    } catch {
20
        Write-Host "Group Policy repair failed: $($_.Exception.Message)" -ForegroundColor Red
21
    }
22
}
23

24
Repair-GroupPolicy

Security Best Practices#

Pre-Unisolation Checklist#

Threat Analysis Complete: Verify all threats have been neutralized
System Integrity Check: Run sfc /scannow and verify no violations
Backup Creation: Create system restore point before proceeding
Documentation: Record current isolation status and reason
Authorization: Obtain proper approval for unisolation

During Unisolation#

Sequential Execution: Follow the exact command sequence
Verification Steps: Validate each phase before proceeding
Logging: Maintain detailed logs of all actions
Monitoring: Watch for unexpected system behavior
Rollback Plan: Be prepared to re-isolate if issues occur

Post-Unisolation#

Security Validation: Run comprehensive security scans
Functionality Testing: Verify all required services work
Monitoring Setup: Implement enhanced monitoring for 24-48 hours
Documentation Update: Record successful unisolation and any issues
Incident Closure: Update incident tickets with resolution details

Emergency Procedures#

Rapid Unisolation (Emergency Only)#

1
@echo off
2
REM EMERGENCY UNISOLATION SCRIPT
3
REM Use only when immediate network access is critical
4

5
echo === EMERGENCY UNISOLATION ===
6
echo WARNING: This bypasses some security checks
7

8
REM Immediate firewall reset and enable
9
netsh advfirewall reset
10
netsh advfirewall set allprofiles state on
11
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
12

13
REM DNS and network reset
14
ipconfig /flushdns
15
ipconfig /release
16
ipconfig /renew
17

18
REM Force GP update
19
gpupdate /force /wait:0
20

21
echo Emergency unisolation completed
22
echo IMPORTANT: Run full security validation immediately

Re-isolation Commands (If Needed)#

1
REM Emergency re-isolation if threats detected
2
echo === EMERGENCY RE-ISOLATION ===
3

4
REM Block all network access
5
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
6

7
REM Set isolation markers
8
set ISOLATION_STATUS=ACTIVE
9
set QUARANTINE_FLAG=TRUE
10

11
echo System re-isolated. Contact security team immediately.

Compliance and Audit Considerations#

Audit Logging#

1
# Enable audit logging for unisolation activities
2
function Enable-UnisolationAuditLogging {
3
    $auditSettings = @{
4
        "System\Audit Policy\System\Other System Events" = "Success,Failure"
5
        "System\Audit Policy\System\Security System Extension" = "Success,Failure"
6
        "System\Audit Policy\Logon-Logoff\Network Policy Server" = "Success,Failure"
7
    }
8

9
    foreach ($setting in $auditSettings.GetEnumerator()) {
10
        auditpol /set /subcategory:"$($setting.Key)" /success:enable /failure:enable
11
        Write-Host "Enabled audit for: $($setting.Key)" -ForegroundColor Green
12
    }
13
}

Documentation Template#

1
UNISOLATION INCIDENT REPORT
2
==========================
3
Date/Time: [TIMESTAMP]
4
Operator: [NAME]
5
System: [COMPUTER NAME]
6
Incident ID: [TICKET NUMBER]
7

8
PRE-UNISOLATION STATUS:
9
- Isolation Reason: [THREAT TYPE]
10
- Duration Isolated: [TIME PERIOD]
11
- Threat Resolution: [ACTIONS TAKEN]
12

13
UNISOLATION PROCEDURE:
14
- Commands Executed: [LIST]
15
- Issues Encountered: [DESCRIPTION]
16
- Resolution Time: [DURATION]
17

18
POST-UNISOLATION VALIDATION:
19
- Security Checks: [RESULTS]
20
- Functionality Tests: [STATUS]
21
- Monitoring Setup: [IMPLEMENTED]
22

23
APPROVALS:
24
- Security Team: [SIGNATURE]
25
- IT Manager: [SIGNATURE]

Conclusion#

Network unisolation is a critical security procedure that requires careful planning, precise execution, and thorough validation. The commands and procedures outlined in this guide provide a comprehensive framework for safely restoring network connectivity while maintaining security integrity.

Key principles to remember:

Security First: Always verify threat elimination before proceeding
Sequential Execution: Follow the exact command sequence
Thorough Validation: Test all security controls after unisolation
Comprehensive Documentation: Maintain detailed audit trails
Continuous Monitoring: Implement enhanced monitoring post-unisolation

Proper implementation of these procedures ensures that systems can be safely returned to operational status while maintaining the security posture required for enterprise environments.

This guide serves as a comprehensive reference for security professionals and system administrators responsible for network isolation and restoration procedures in Windows environments.