Network Unisolation Security Commands
This comprehensive guide covers the essential commands and procedures for network unisolation in Windows environments. Network unisolation is the process of restoring normal network connectivity after a security isolation event, ensuring that systems can safely return to operational status while maintaining appropriate security controls.
Table of Contents
- Understanding Network Unisolation
- Critical Security Analysis
- Essential Unisolation Commands
- Complete Unisolation Procedure
- Advanced Security Configurations
- Validation and Verification
- Troubleshooting Common Issues
- Security Best Practices
- Emergency Procedures
- Compliance and Audit Considerations
- Conclusion
Understanding Network Unisolation
Network unisolation refers to the controlled process of removing network isolation restrictions that were previously applied to a system for security purposes. This process requires careful execution to ensure that:
- Security threats are eliminated before restoration
- Proper network controls are re-established
- System integrity is verified and maintained
- Audit trails are preserved throughout the process
Critical Security Analysis
Security Context Overview
The unisolation process involves several security-critical operations that must be executed in the correct sequence:
- Firewall restoration with appropriate rules
- DNS cache clearing to remove potentially poisoned entries
- Group Policy refresh to ensure policy consistency
- Environment cleanup to remove isolation markers
- Security validation to confirm safe restoration
Risk Assessment
Before executing unisolation commands, consider:
- Threat elimination confirmation
- System integrity verification
- Network security posture assessment
- Compliance requirements adherence
Essential Unisolation Commands
1. Firewall Restoration Commands
Enable Windows Firewall (Critical First Step)
netsh advfirewall set allprofiles state on
Security context: This is the critical first step to restore network security controls before making any other changes. Never proceed with other network changes while the firewall is disabled.
Reset Firewall to Default Configuration
netsh advfirewall reset
Security context: Removes potentially compromised rules while ensuring baseline protection is restored.
Configure Default Firewall Policies
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
Security rationale: Establishes permissive default policies for normal operations. Note that allowinbound accepts every inbound connection that no explicit block rule matches, so this is weaker than the blockinbound,allowoutbound defaults Windows ships with and that Phase 2 of the procedure below applies; use it only where an inbound-allow default is genuinely required.
2. Advanced Firewall Configuration
Restore Specific Profile Settings
# Enable firewall for specific profiles
netsh advfirewall set domainprofile state on
netsh advfirewall set privateprofile state on
netsh advfirewall set publicprofile state on
Configure Profile-Specific Policies
# Domain profile (most restrictive for enterprise)
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
# Private profile (moderate restrictions)
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
# Public profile (most restrictive)
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound
3. DNS and Network Cache Management
Clear DNS Cache (Security Critical)
ipconfig /flushdns
Security context: Clears potentially poisoned DNS cache entries from the isolation period.
Reset Network Stack
# Reset TCP/IP stack
netsh int ip reset
netsh winsock reset
Renew Network Configuration
# Release and renew IP configuration
ipconfig /release
ipconfig /renew
4. Group Policy Synchronization
Force Group Policy Update
gpupdate /force /wait:0
Security context: Ensures security policies are properly applied and consistent with domain requirements. Note that /wait:0 returns control immediately while policy processing continues in the background; when a later step depends on the refreshed policy, give /wait a timeout in seconds (or omit it for the default 600-second wait) so the result can be checked.
Comprehensive Policy Refresh
# Force both computer and user policies
gpupdate /force /target:computer
gpupdate /force /target:user
5. Environment Cleanup Commands
Remove Isolation Environment Variables
# Remove isolation-related environment variables
[System.Environment]::SetEnvironmentVariable('IPWAZUH', $null, 'Machine')
[System.Environment]::SetEnvironmentVariable('NCSI_Domain', $null, 'Machine')
[System.Environment]::SetEnvironmentVariable('ISOLATION_STATUS', $null, 'Machine')
Clear Temporary Isolation Files
# Remove temporary isolation markers
del /f /q C:\Windows\Temp\isolation_*
del /f /q C:\Temp\security_isolation_*
Complete Unisolation Procedure
Step-by-Step Process
Phase 1: Pre-Unisolation Validation
# Verify threat elimination
Write-Host "=== PRE-UNISOLATION SECURITY CHECK ===" -ForegroundColor Yellow
# Check for active threats
$processes = Get-Process | Where-Object { $_.ProcessName -match "malware|suspicious" }
if ($processes) {
    Write-Warning "Suspicious processes detected. Do not proceed with unisolation."
    exit 1
}
# Verify system integrity. sfc writes UTF-16 output, which arrives in PowerShell
# with embedded null characters, so strip them before matching. The "all clear"
# message also contains the word "violations" ("did not find any integrity
# violations"), so match the positive finding rather than the bare word.
$integrityCheck = ((sfc /verifyonly 2>&1) -join "`n") -replace "`0", ""
if ($integrityCheck -match "found integrity violations") {
    Write-Warning "System integrity violations detected."
}
Write-Host "Pre-unisolation checks completed" -ForegroundColor Green
Phase 2: Firewall Restoration
REM Critical firewall restoration sequence
echo === FIREWALL RESTORATION ===
REM 1. Reset firewall to defaults
netsh advfirewall reset
REM 2. Enable firewall for all profiles
netsh advfirewall set allprofiles state on
REM 3. Configure restrictive default policies
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound
echo Firewall restoration completed
Phase 3: Network Stack Reset
REM Network stack cleanup
echo === NETWORK STACK RESET ===
REM Clear DNS cache
ipconfig /flushdns
REM Reset network interfaces
netsh int ip reset reset.log
netsh winsock reset
REM Renew network configuration
ipconfig /release
ipconfig /renew
echo Network stack reset completed
Phase 4: Policy Synchronization
REM Group Policy synchronization
echo === POLICY SYNCHRONIZATION ===
REM Force comprehensive GP update
gpupdate /force /wait:0
REM Restart policy-dependent services. The Group Policy Client service is
REM protected, so "net stop" is typically refused on current Windows versions;
REM the commands are harmless in that case and the script continues.
net stop "Group Policy Client" /y
net start "Group Policy Client"
echo Policy synchronization completed
Phase 5: Environment Cleanup
# Environment cleanup
Write-Host "=== ENVIRONMENT CLEANUP ===" -ForegroundColor Yellow
# Remove isolation markers
$isolationVars = @('IPWAZUH', 'NCSI_Domain', 'ISOLATION_STATUS', 'QUARANTINE_FLAG')
foreach ($var in $isolationVars) {
    [System.Environment]::SetEnvironmentVariable($var, $null, 'Machine')
    Write-Host "Removed environment variable: $var" -ForegroundColor Green
}
# Clean registry isolation entries
$regPaths = @(
    'HKLM:\SOFTWARE\Security\Isolation',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Isolation'
)
foreach ($path in $regPaths) {
    if (Test-Path $path) {
        Remove-Item -Path $path -Recurse -Force
        Write-Host "Cleaned registry path: $path" -ForegroundColor Green
    }
}
Write-Host "Environment cleanup completed" -ForegroundColor Green
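The five phases above run as one gated script rather than as separate snippets, as an added example that is not code from the original guide. Each phase is verified before the next runs (the firewall phase checks the resulting profile state with Get-NetFirewallProfile, the policy phase uses /wait:60 and checks gpupdate's result), every action is captured with Start-Transcript, and a failed phase triggers the re-isolation rollback that the Emergency Procedures section describes. It assumes an elevated Windows PowerShell 5.1 or later session with the NetSecurity module, and the log directory C:\ProgramData\Unisolation is an assumption.

```powershell
$ErrorActionPreference = 'Stop'
$LogDir = 'C:\ProgramData\Unisolation'   # assumed log location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir ('unisolation-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date)))
function Test-FirewallBaseline {
    # Gate: every profile enabled and defaulting to block inbound traffic.
    $bad = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    }
    $bad | ForEach-Object { Write-Warning "Profile $($_.Name): Enabled=$($_.Enabled) Inbound=$($_.DefaultInboundAction)" }
    return (-not $bad)
}
function Invoke-Reisolation {
    # Rollback: block all traffic and persist the marker at Machine scope.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
    [System.Environment]::SetEnvironmentVariable('ISOLATION_STATUS', 'ACTIVE', 'Machine')
}
# Phases run in order; a phase that throws aborts the run and triggers rollback.
$phases = [ordered]@{
    'Firewall restoration' = {
        netsh advfirewall reset | Out-Null
        netsh advfirewall set allprofiles state on | Out-Null
        netsh advfirewall set domainprofile  firewallpolicy blockinbound,allowoutbound | Out-Null
        netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound | Out-Null
        netsh advfirewall set publicprofile  firewallpolicy blockinbound,blockoutbound | Out-Null
        if (-not (Test-FirewallBaseline)) { throw 'firewall baseline not met' }
    }
    'Network stack'       = { ipconfig /flushdns | Out-Null; ipconfig /release | Out-Null; ipconfig /renew | Out-Null }
    'Policy refresh'      = {
        # /wait:60 blocks until processing finishes, unlike /wait:0.
        $out = (gpupdate /force /wait:60) -join "`n"
        if ($out -notmatch 'completed successfully') { throw "gpupdate: $out" }
    }
    'Environment cleanup' = {
        foreach ($v in 'IPWAZUH', 'NCSI_Domain', 'ISOLATION_STATUS', 'QUARANTINE_FLAG') {
            [System.Environment]::SetEnvironmentVariable($v, $null, 'Machine')
        }
    }
}
try {
    foreach ($phase in $phases.GetEnumerator()) {
        Write-Host "== $($phase.Key) =="; & $phase.Value; Write-Host "OK: $($phase.Key)"
    }
} catch {
    Write-Warning "Phase failed: $($_.Exception.Message). Re-isolating."
    Invoke-Reisolation
} finally { Stop-Transcript }
```

Run it from a local console or out-of-band management channel: the network-stack phase releases and renews the address, which drops any remote session the script is running in.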
Advanced Security Configurations
Enhanced Firewall Rules
Create Security-Focused Rules
REM Create specific security rules
netsh advfirewall firewall add rule name="Block Suspicious Outbound" dir=out action=block protocol=TCP remoteport=4444,6666,9999
REM Allow essential services
netsh advfirewall firewall add rule name="Allow DNS" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="Allow HTTP" dir=out action=allow protocol=TCP remoteport=80
netsh advfirewall firewall add rule name="Allow HTTPS" dir=out action=allow protocol=TCP remoteport=443
Application-Specific Rules
REM Allow specific applications through firewall
netsh advfirewall firewall add rule name="Allow Antivirus Updates" dir=out action=allow program="C:\Program Files\Antivirus\updater.exe"
netsh advfirewall firewall add rule name="Allow System Updates" dir=out action=allow program="C:\Windows\System32\wuauclt.exe"
Registry Security Restoration
# Restore security-critical registry settings
function Restore-SecurityRegistry {
    $securitySettings = @{
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' = @{
            'RestrictAnonymous'    = 1
            'RestrictAnonymousSAM' = 1
        }
        'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' = @{
            'RequireSecuritySignature' = 1
            'EnableSecuritySignature'  = 1
        }
    }
    foreach ($regPath in $securitySettings.Keys) {
        if (-not (Test-Path $regPath)) {
            New-Item -Path $regPath -Force | Out-Null
        }
        foreach ($setting in $securitySettings[$regPath].GetEnumerator()) {
            # -Type DWord makes the value type explicit when the property is created
            Set-ItemProperty -Path $regPath -Name $setting.Key -Value $setting.Value -Type DWord
            Write-Host "Set $regPath\$($setting.Key) = $($setting.Value)" -ForegroundColor Green
        }
    }
}
Restore-SecurityRegistry
Validation and Verification
Post-Unisolation Security Checks
function Test-PostUnisolationSecurity {
    Write-Host "=== POST-UNISOLATION SECURITY VALIDATION ===" -ForegroundColor Cyan
    # Test firewall status: every profile must be enabled, not just one.
    # (netsh prints one "State ON/OFF" line per profile, so a single -match on
    # that output passes as soon as any one profile is enabled.)
    $disabledProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    if (-not $disabledProfiles) {
        Write-Host "✓ Firewall is enabled on all profiles" -ForegroundColor Green
    } else {
        Write-Host "✗ Firewall is not enabled on: $($disabledProfiles.Name -join ', ')" -ForegroundColor Red
    }
    # Test network connectivity
    $connectivityTests = @{
        'DNS Resolution'     = { Resolve-DnsName google.com -ErrorAction SilentlyContinue }
        'HTTP Connectivity'  = { Test-NetConnection -ComputerName google.com -Port 80 -InformationLevel Quiet }
        'HTTPS Connectivity' = { Test-NetConnection -ComputerName google.com -Port 443 -InformationLevel Quiet }
    }
    foreach ($test in $connectivityTests.GetEnumerator()) {
        try {
            $result = & $test.Value
            if ($result) {
                Write-Host "✓ $($test.Key): Success" -ForegroundColor Green
            } else {
                Write-Host "✗ $($test.Key): Failed" -ForegroundColor Red
            }
        } catch {
            Write-Host "✗ $($test.Key): Error - $($_.Exception.Message)" -ForegroundColor Red
        }
    }
    # Verify Group Policy application. gpresult /r does not report success as a
    # word ("successfully" is gpupdate's message); it lists the applied GPOs
    # under an "Applied Group Policy Objects" heading, so check for that heading.
    $gpResult = (gpresult /r 2>&1) -join "`n"
    if ($gpResult -match "Applied Group Policy Objects") {
        Write-Host "✓ Group Policy applied successfully" -ForegroundColor Green
    } else {
        Write-Host "✗ Group Policy application issues detected" -ForegroundColor Red
    }
    Write-Host "Security validation completed" -ForegroundColor Cyan
}
Test-PostUnisolationSecurity
Network Connectivity Verification
REM Comprehensive connectivity tests
echo === CONNECTIVITY VERIFICATION ===
REM Test internal connectivity
ping -n 4 127.0.0.1
ping -n 4 %COMPUTERNAME%
REM Test domain connectivity (if domain-joined)
nltest /dsgetdc:%USERDOMAIN%
REM Test external connectivity
nslookup google.com
ping -n 2 8.8.8.8
echo Connectivity verification completed
Troubleshooting Common Issues
Firewall Issues
# Diagnose firewall problems
function Diagnose-FirewallIssues {
    Write-Host "=== FIREWALL DIAGNOSTICS ===" -ForegroundColor Yellow
    # Check firewall service
    $fwService = Get-Service -Name "MpsSvc" -ErrorAction SilentlyContinue
    if ($fwService) {
        Write-Host "Firewall Service Status: $($fwService.Status)" -ForegroundColor $(if ($fwService.Status -eq "Running") { "Green" } else { "Red" })
        if ($fwService.Status -ne "Running") {
            Write-Host "Attempting to start firewall service..." -ForegroundColor Yellow
            Start-Service -Name "MpsSvc"
        }
    }
    # Check firewall profiles. Get-NetFirewallProfile reports the per-profile
    # state directly, which avoids parsing localized netsh output and the
    # $matches variable (PowerShell does not populate it when -match is applied
    # to an array). The loop variable is not named $profile, which would shadow
    # the automatic $PROFILE variable.
    foreach ($fwProfile in Get-NetFirewallProfile -Name Domain, Private, Public) {
        $state = if ($fwProfile.Enabled -eq 'True') { "ON" } else { "OFF" }
        Write-Host "$($fwProfile.Name) Profile: $state" -ForegroundColor $(if ($state -eq "ON") { "Green" } else { "Red" })
    }
}
Diagnose-FirewallIssues
Network Restoration Issues
REM Network troubleshooting commands
echo === NETWORK TROUBLESHOOTING ===
REM Check network adapters
ipconfig /all
REM Check routing table
route print
REM Check ARP table
arp -a
REM Reset network if needed
netsh int ip reset
netsh winsock reset
Group Policy Issues
# Group Policy troubleshooting
function Repair-GroupPolicy {
    Write-Host "=== GROUP POLICY REPAIR ===" -ForegroundColor Yellow
    try {
        # Check GP service
        $gpService = Get-Service -Name "gpsvc"
        if ($gpService.Status -ne "Running") {
            Start-Service -Name "gpsvc"
            Write-Host "Started Group Policy Client service" -ForegroundColor Green
        }
        # Clear the local Group Policy store and force a refresh. This directory
        # holds the Local Group Policy objects themselves (Registry.pol and
        # scripts), not just cached domain policy, so any locally defined policy
        # is discarded and must be re-applied afterwards.
        Remove-Item -Path "C:\Windows\System32\GroupPolicy\*" -Recurse -Force -ErrorAction SilentlyContinue
        gpupdate /force /wait:0
        Write-Host "Group Policy repair completed" -ForegroundColor Green
    } catch {
        Write-Host "Group Policy repair failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}
Repair-GroupPolicy
Security Best Practices
Pre-Unisolation Checklist
- Threat Analysis Complete: Verify all threats have been neutralized
- System Integrity Check: Run sfc /scannow and verify no violations
- Backup Creation: Create system restore point before proceeding
- Documentation: Record current isolation status and reason
- Authorization: Obtain proper approval for unisolation
During Unisolation
- Sequential Execution: Follow the exact command sequence
- Verification Steps: Validate each phase before proceeding
- Logging: Maintain detailed logs of all actions
- Monitoring: Watch for unexpected system behavior
- Rollback Plan: Be prepared to re-isolate if issues occur
Post-Unisolation
- Security Validation: Run comprehensive security scans
- Functionality Testing: Verify all required services work
- Monitoring Setup: Implement enhanced monitoring for 24-48 hours
- Documentation Update: Record successful unisolation and any issues
- Incident Closure: Update incident tickets with resolution details
Emergency Procedures
Rapid Unisolation (Emergency Only)
@echo off
REM EMERGENCY UNISOLATION SCRIPT
REM Use only when immediate network access is critical
echo === EMERGENCY UNISOLATION ===
echo WARNING: This bypasses some security checks
REM Immediate firewall reset and enable
netsh advfirewall reset
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
REM DNS and network reset
ipconfig /flushdns
ipconfig /release
ipconfig /renew
REM Force GP update
gpupdate /force /wait:0
echo Emergency unisolation completed
echo IMPORTANT: Run full security validation immediately
Re-isolation Commands (If Needed)
REM Emergency re-isolation if threats detected
echo === EMERGENCY RE-ISOLATION ===
REM Block all network access
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
REM Set isolation markers at Machine scope so they persist beyond this cmd
REM session (a plain "set" affects only the current process; the cleanup
REM phase removes these variables at Machine scope)
setx ISOLATION_STATUS ACTIVE /M
setx QUARANTINE_FLAG TRUE /M
echo System re-isolated. Contact security team immediately.
Compliance and Audit Considerations
Audit Logging
# Enable audit logging for unisolation activities
function Enable-UnisolationAuditLogging {
    # auditpol addresses subcategories by their bare name (or GUID), not by a
    # Group Policy path, and success/failure auditing is enabled through the
    # /success and /failure switches rather than a value.
    $auditSubcategories = @(
        "Other System Events"          # System
        "Security System Extension"    # System
        "Network Policy Server"        # Logon/Logoff
    )
    foreach ($subcategory in $auditSubcategories) {
        auditpol /set /subcategory:"$subcategory" /success:enable /failure:enable
        Write-Host "Enabled success and failure auditing for: $subcategory" -ForegroundColor Green
    }
}
Enable-UnisolationAuditLogging
Documentation Template
UNISOLATION INCIDENT REPORT
==========================
Date/Time: [TIMESTAMP]
Operator: [NAME]
System: [COMPUTER NAME]
Incident ID: [TICKET NUMBER]
PRE-UNISOLATION STATUS:
- Isolation Reason: [THREAT TYPE]
- Duration Isolated: [TIME PERIOD]
- Threat Resolution: [ACTIONS TAKEN]
UNISOLATION PROCEDURE:
- Commands Executed: [LIST]
- Issues Encountered: [DESCRIPTION]
- Resolution Time: [DURATION]
POST-UNISOLATION VALIDATION:
- Security Checks: [RESULTS]
- Functionality Tests: [STATUS]
- Monitoring Setup: [IMPLEMENTED]
APPROVALS:
- Security Team: [SIGNATURE]
- IT Manager: [SIGNATURE]
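The template above filled from live system state rather than by hand, as an added example that is not part of the original guide: it writes the report file and records the same text in the Application event log so the audit trail survives the workstation. It assumes an elevated Windows PowerShell 5.1 session (Write-EventLog is not available in PowerShell 7); the event source name, report directory and event ID are assumptions.

```powershell
param(
    [Parameter(Mandatory)] [string]$IncidentId,
    [string]$ReportDir = 'C:\ProgramData\Unisolation'   # assumed location
)
$source = 'UnisolationProcedure'   # assumed event source name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
# Gather the facts the template asks for from the live system.
$fwLines = Get-NetFirewallProfile | ForEach-Object {
    '  - {0}: Enabled={1} Inbound={2} Outbound={3}' -f $_.Name, $_.Enabled,
        $_.DefaultInboundAction, $_.DefaultOutboundAction
}
$markers = 'IPWAZUH', 'NCSI_Domain', 'ISOLATION_STATUS', 'QUARANTINE_FLAG' |
    Where-Object { [System.Environment]::GetEnvironmentVariable($_, 'Machine') }
$firewallOff = [bool]($fwLines -match 'Enabled=False')
$verdict = if ($markers -or $firewallOff) { 'REVIEW' } else { 'PASS' }
$report = @"
UNISOLATION INCIDENT REPORT
==========================
Date/Time: $(Get-Date -Format 'u')
Operator: $env:USERDOMAIN\$env:USERNAME
System: $env:COMPUTERNAME
Incident ID: $IncidentId
POST-UNISOLATION VALIDATION:
- Firewall profiles:
$($fwLines -join "`n")
- Remaining isolation markers: $(if ($markers) { $markers -join ', ' } else { 'none' })
- Security Checks: $verdict
"@
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$path = Join-Path $ReportDir "unisolation-$IncidentId.txt"
Set-Content -Path $path -Value $report -Encoding UTF8
# Event ID 4000 is an arbitrary value chosen for this example.
Write-EventLog -LogName Application -Source $source -EntryType Information -EventId 4000 -Message $report
Write-Host "Report written to $path and to the Application event log."
```

The remaining template fields (isolation reason, actions taken, approvals) are still filled in by the operator; a REVIEW verdict means a marker variable or a disabled profile was found and the unisolation should not be closed out.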
Conclusion
Network unisolation is a critical security procedure that requires careful planning, precise execution, and thorough validation. The commands and procedures outlined in this guide provide a comprehensive framework for safely restoring network connectivity while maintaining security integrity.
Key principles to remember:
- Security First: Always verify threat elimination before proceeding
- Sequential Execution: Follow the exact command sequence
- Thorough Validation: Test all security controls after unisolation
- Comprehensive Documentation: Maintain detailed audit trails
- Continuous Monitoring: Implement enhanced monitoring post-unisolation
Proper implementation of these procedures ensures that systems can be safely returned to operational status while maintaining the security posture required for enterprise environments.
This guide serves as a comprehensive reference for security professionals and system administrators responsible for network isolation and restoration procedures in Windows environments.