deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-19 08:47:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update quarantine.md

Browse Source
This commit is contained in:
Benny Shilpa 2020-11-17 13:32:45 +05:30 committed by GitHub
parent ab380bc58c
commit 390633dab6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
windows/security/threat-protection/windows-firewall/quarantine.md
View File

@ -1,8 +1,8 @@
---
title: "Quarantine"
description: Quarantine behavior is explained in detail.
ms.author: v-bshilpa
author: v-bshilpa
ms.author: Benny-54
author: Benny-54
manager: dansimp
ms.assetid:
ms.reviewer:
@ -19,15 +19,15 @@ ms.date: 11/17/2020
# Quarantine
One of the security challenges that network administrators face is configuring a machine properly after a network change.
One of the security challenges that network admins face is configuring a machine properly after a network change.
Network changes can happen frequently. Additionally, the operations required to re-categorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This is especially true for machines that are domain joined. In the past, the delay in applying security policies during network re-categorization has been successfully exploited for vulnerabilities.
Network changes can happen frequently. Additionally, the operations required to re-categorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network re-categorization has been successfully exploited for vulnerabilities.
To counter this potential exploitation, Windows Firewall will "quarantine" an interface until the system has successfully re-categorized the network and WFP has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine.
While the quarantine feature has long been a part of Windows Firewall, the features behavior has often caused confusion for customers unaware of quarantine and its motivations.
Ultimately, the goal of this document is to describe the feature at a high level and help network administrators understand why application traffic is sometimes blocked by quarantine.
Ultimately, the goal of this document is to describe the quarantine feature at a high level and help network admins understand why the application traffic is sometimes blocked by quarantine.
## Quarantine Filters
@ -39,7 +39,7 @@ The quarantine feature creates filters which can be split into three categories:
3. Interface Un-quarantine Filters
These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and these layers:
These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and these layers are:
1. FWPM_LAYER_ALE_AUTH_CONNECT_V4
@ -49,9 +49,10 @@ These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and thes
4. FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6
Its important to note that any FW rules customers add will not affect the filters in the quarantine sublayer as filters from FW rules are added in the FWPM_SUBLAYER_MPSSVC_WF sublayer. In other words, customers cannot add their own exception filters to prevent packets from being evaluated by quarantine filters.
>[!NOTE]
> Any FW rules added by the customers will not affect the filters in the quarantine sublayer as filters from FW rules are added in the FWPM_SUBLAYER_MPSSVC_WF sublayer. In other words, customers cannot add their own exception filters to prevent packets from being evaluated by quarantine filters.
For more information about WFP layers and sublayers, see [WFP Operation](https://docs.microsoft.com/en-us/windows/win32/fwp/basic-operation).
For more information about WFP layers and sublayers, see [WFP Operation](https://docs.microsoft.com/windows/win32/fwp/basic-operation).
### Quarantine Default Inbound Block Filter
@ -73,11 +74,11 @@ The following describes the general flow of quarantine:
2. The Interface Un-quarantine filters will no longer permit new inbound connections. The interface is now in quarantine state.
3. All non-loopback inbound connections are either permitted by Quarantine Default Exception Filters OR dropped by the Quarantine Default Inbound Block filter.
3. All non-loopback inbound connections are either permitted by Quarantine Default Exception Filters or dropped by the Quarantine Default Inbound Block filter.
4. The WFP filters applicable to the old interface state are removed.
5. The WFP filters applicable to the new interface state are added, and the Interface Un-quarantine filters are updated with the current interfaces state.
5. The WFP filters applicable to the new interface state are added, which include the un-quarantine filters for this interface. These filters are updated to match the interface's current state.
6. The interface has now exited quarantine state as the Interface Un-quarantine filters permit any new non-loopback packets.
@ -93,9 +94,9 @@ Netsh wfp cap start
Netsh wfp cap stop
```
These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains drop netEvents and filters that existed during that repro.
These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains drop `netEvents` and filters that existed during that reproduction.
Inside the wfpdiag.xml, search for netEvents which have FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name.
Inside the wfpdiag.xml, search for `netEvents` which have `FWPM_NET_EVENT_TYPE_CLASSIFY_DROP` as the `netEvent` type. To find the relevant drop events, search for the drop events with matching destination IP address, package SID, or application ID name.
The characters in the application ID name will be separated by periods:
@ -103,11 +104,11 @@ The characters in the application ID name will be separated by periods:
<asString> \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... </asString>
```
The netEvent will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more.
The `netEvent` will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more.
If the filter that dropped that packet was by the Quarantine Default Inbound Block filter, then the drop netEvent will have filterOrigin as “Quarantine Default”.
If the filter that dropped that packet was by the Quarantine Default Inbound Block filter, then the drop `netEvent` will have `filterOrigin` as `Quarantine Default`.
Sample netEventwith filterOrigin “Quarantine Default”
The following is a sample `netEvent` with `filterOrigin` as `Quarantine Default`.
```XML
<netEvent>
@ -186,29 +187,29 @@ Sample netEventwith filterOrigin “Quarantine Default”
```
Alternatively, If the Filtering Platform Connection failure auditing is enabled, the drop event will be logged in Windows Event Viewer:
Alternatively, If the Filtering Platform Connection failure auditing is enabled, the drop event will be logged in Windows Event Viewer.
To enable Filtering Platform Connection audits, run the following command in an administrative command prompt
To enable Filtering Platform Connection audits, run the following command in an administrative command prompt:
```console
Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable
```
Sample Drop Audit with Filter Origin “Quarantine Default”
Sample Drop Audit with `filterOrigin` as `Quarantine Default`.
[image]
![Quarantine Default](images/quarantine-default-audit.png)
Once the drops filter origin has been identified as the Quarantine Default Inbound Block filter, the interface should be further investigated. To find the relevant interface, use the interface index value from the netEvent or event audit in the following PowerShell command to generate more information about the interface:
Once the drops filter origin has been identified as the Quarantine Default Inbound Block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface:
```Powershell
Get-NetIPInterface InterfaceIndex <Interface Index>
Get-NetIPInterface InterfaceIndex 5
```
[image]
![Quarantine Interfaceindex](images/quarantine-interfaceindex1.png)
Using the interface name, Event Viewer can be searched for any interface related changes.
To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)?redirectedfrom=MSDN).
To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)?redirectedfrom=MSDN).
Packet drops from the Quarantine Default Inbound Block filter are often transient and do not signify anything more than a network change on the interface.