
IPv6 will be disabled until a deliberate transition strategy has been implemented. Use of IPv6 transition technologies will be disabled.


Overview

Finding ID: V-14262
Version: 5.050
Rule ID: SV-29955r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Any node interface with IPv6 enabled by default presents a potential risk of traffic being transmitted or received without a proper risk mitigation strategy, and is therefore a serious security concern.
STIG: Windows 2008 Domain Controller Security Technical Implementation Guide
Date: 2013-07-03

Details

Check Text (C-32947r1_chk)
Prior to transition, IPv6 will be disabled on all interfaces. If the following registry value doesn’t exist or is not configured as specified, then this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters
Value Name: DisabledComponents
Type: REG_DWORD
Value: 0xffffffff

If IPv6 transition has been implemented, the following will disable tunnel interfaces while allowing native IPv6.

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters
Value Name: DisabledComponents
Type: REG_DWORD
Value: 0x1

Discrepancies in documentation have resulted in several changes to this requirement. See Microsoft article 929852 for details of the DisabledComponents registry value.

The Gold Disk will check for disabling all IPv6. If the transition to IPv6 has been implemented and the tunneling interfaces have been disabled, manually close the finding.

Documentable: If disabling IPv6 on all interfaces prior to the transition to supporting IPv6 causes issues with necessary applications or services, document this with the IAO.
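
The check above can be scripted. The following PowerShell is an added example, not part of the STIG or the Gold Disk tooling; the function name Test-Ipv6DisabledComponents and the -TransitionImplemented switch are hypothetical, and 0x1 is accepted only when that switch is supplied.

```powershell
# Added example: audits the DisabledComponents value described in the check text.
function Test-Ipv6DisabledComponents {   # hypothetical helper name
    param(
        # Set only when a documented IPv6 transition is in place (0x1 is then acceptable).
        [switch]$TransitionImplemented
    )
    $path = 'HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters'
    $name = 'DisabledComponents'
    $result = New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Value = $null; Finding = $true; Reason = ''
    }

    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key -or ($key.GetValueNames() -notcontains $name)) {
        $result.Reason = "$name does not exist"
        return $result
    }
    if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Reason = "$name is not a REG_DWORD"
        return $result
    }

    # A REG_DWORD of 0xffffffff can surface as -1 (signed Int32) or 4294967295
    # (unsigned) depending on how it is read, so normalise to an unsigned value.
    # Decimal is used because the PowerShell literal 0xffffffff itself parses as -1.
    $raw   = $key.GetValue($name)
    $value = [int64]$raw -band 4294967295
    $result.Value = '0x{0:x}' -f $value

    if ($value -eq 4294967295) {
        $result.Finding = $false
        $result.Reason  = 'IPv6 disabled on all interfaces'
    } elseif ($value -eq 1 -and $TransitionImplemented) {
        $result.Finding = $false
        $result.Reason  = 'Tunnel interfaces disabled, native IPv6 allowed (transition in place)'
    } else {
        $result.Reason  = 'Value is not configured as specified'
    }
    return $result
}

Test-Ipv6DisabledComponents | Format-List Computer, Value, Finding, Reason
```
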
Fix Text (F-29101r1_fix)
Add the following registry value.

To disable IPv6 on all interfaces:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters
Value Name: DisabledComponents
Type: REG_DWORD
Value: 0xffffffff

To disable all IPv6 tunneling interfaces:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters
Value Name: DisabledComponents
Type: REG_DWORD
Value: 0x1

Discrepancies in documentation have resulted in several changes to this requirement. See Microsoft article 929852 for details of the DisabledComponents registry value.