18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') #58

Open
pillarsdotnet opened this issue Aug 24, 2019 · 0 comments

18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')

Info

Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively.
The recommended state for this setting is: 'DisabledComponents - 0xff (255)'
Rationale:
Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed.

Solution

To establish the recommended configuration, set the following Registry value to '0xff (255) (DWORD)':
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:DisabledComponents
Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template ('Disable-IPv6-Components-KB929852.adm') is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not 'undo' the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state.
Impact:
Connectivity to other systems using IPv6 will no longer operate, and software that depends on IPv6 will cease to function. Examples of Microsoft applications that may use IPv6 include: Remote Assistance, HomeGroup, DirectAccess, Windows Mail.
This registry change is documented in Microsoft Knowledge Base article 929852: How to disable IPv6 or its components in Windows.
Note: This registry change does not take effect until the next reboot.

See IPv6 Configuration Policy
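
Added example, not part of the issue or of the CIS Benchmark Remediation Kit: a PowerShell function that audits the registry value named in the Solution above and, when called with `-Remediate`, sets it to the recommended state. The function name `Test-Ipv6DisabledComponents` and its output properties are assumptions made for illustration.

```powershell
# Added example: audit (and optionally remediate) CIS 18.5.19.2.1.
# The function name and output shape are illustrative assumptions.
function Test-Ipv6DisabledComponents {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # write the value when it is missing or wrong
    )

    $path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
    $name     = 'DisabledComponents'
    $expected = 0xff         # 255, the recommended state
    $dword    = [Microsoft.Win32.RegistryValueKind]::DWord

    # Read the raw value and its type; a REG_SZ "255" must not pass the audit.
    $key     = Get-Item -LiteralPath $path -ErrorAction Stop
    $present = $key.GetValueNames() -contains $name
    $actual  = $null
    $kind    = $null
    if ($present) {
        $actual = $key.GetValue($name)
        $kind   = $key.GetValueKind($name)
    }
    $compliant = $present -and ($kind -eq $dword) -and ($actual -eq $expected)

    $changed = $false
    if (-not $compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess("$path\$name", 'Set to 0xff (DWORD)')) {
        # -Force overwrites an existing value, including one of the wrong type.
        New-ItemProperty -LiteralPath $path -Name $name -PropertyType DWord `
            -Value $expected -Force | Out-Null
        $actual, $kind, $present, $compliant = $expected, $dword, $true, $true
        $changed = $true
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Present        = $present
        ValueKind      = $kind
        Value          = if ($kind -eq $dword) { '0x{0:x}' -f $actual } else { $actual }
        Compliant      = $compliant
        # A value written in this run does not take effect until restart.
        ChangedThisRun = $changed
    }
}

# Audit only:        Test-Ipv6DisabledComponents
# Preview a change:  Test-Ipv6DisabledComponents -Remediate -WhatIf
```

`Compliant` reflects only what is stored in the registry; because the change does not take effect until restart, a host that reports compliant may still be running with its previous IPv6 configuration until it reboots.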
