
Windows Firewall outbound rules must block IPv6 Protocols 41.


Overview

Finding ID: V-17448
Version: 5.483
Rule ID: SV-25250r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility into the tunneled traffic. Blocking protocol 41 with the firewall aids in preventing this.
STIG: Windows 7 Security Technical Implementation Guide
Date: 2013-03-14

Details

Check Text (C-45417r1_chk)
Under Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Outbound Rules, the rule "IPv6 Block of Protocols 41" will be configured as follows. (The rule could have been created with a different name – view the properties to determine correct settings.)

Navigate to the rule, right-click and select Properties. View the following on the tabs specified:

General: Enabled and Block the connections
Programs and Services: All programs that meet the specified conditions
Protocols and Ports: Protocol type - IPv6
Scope: Any IP addresses (Local and Remote)
Advanced: All profiles

If a third-party firewall is used, verify a comparable setting has been implemented.

The Remote Endpoint STIG contains additional firewall requirements for systems used remotely.
Fix Text (F-41981r2_fix)
Add the rule with the following steps:
Navigate to Outbound Rules.
Right-click in the right pane and select "New Rule".
Select "Custom", Next.
Select "All Programs", Next.
Select Protocol Type: IPv6 (Protocol number 41 will be automatically selected).
Select "Any IP address" for both the local and remote IP addresses this rule will match.
Next.
Select "Block the connection", Next.
Select all (Domain, Private and Public) for "When does this rule apply?"
Next.
Supply the Name: IPv6 Block of Protocols 41.
Finish.

Configure a comparable setting if a third-party firewall is used.
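
The check above, scripted as an added example (not part of the STIG): it reads rules through the HNetCfg.FwPolicy2 COM object and matches on direction and protocol number rather than name, since the rule may have been created under a different name. The function name Test-Proto41Rule is hypothetical, and the script assumes the rule is visible through this policy object; rules delivered only through Group Policy may need to be checked in the GPO itself.

```powershell
# Added example: audit the outbound protocol 41 block rule against the Check Text.
# Works with PowerShell 2.0 (Windows 7). Values below are NET_FW_* constants
# from the Windows Firewall COM API.
$DIR_OUT      = 2            # NET_FW_RULE_DIR_OUT
$ACTION_BLOCK = 0            # NET_FW_ACTION_BLOCK
$PROFILE_ALL  = 0x7FFFFFFF   # NET_FW_PROFILE2_ALL
$DOM_PRIV_PUB = 7            # Domain (1) + Private (2) + Public (4)

function Test-Proto41Rule($rule) {
    # Emits one string per deviation from the settings listed in the Check Text.
    if (-not $rule.Enabled)             { 'rule is not enabled' }
    if ($rule.Action -ne $ACTION_BLOCK) { 'action is not Block' }
    if ($rule.ApplicationName -or $rule.ServiceName) {
        'limited to a specific program or service'
    }
    if ($rule.LocalAddresses  -ne '*')  { 'local scope is not Any' }
    if ($rule.RemoteAddresses -ne '*')  { 'remote scope is not Any' }
    $all = ($rule.Profiles -eq $PROFILE_ALL) -or
           (($rule.Profiles -band $DOM_PRIV_PUB) -eq $DOM_PRIV_PUB)
    if (-not $all)                      { 'does not apply to all profiles' }
}

$policy = New-Object -ComObject HNetCfg.FwPolicy2

# Match on direction and protocol number, not on the rule name.
$candidates = @($policy.Rules | Where-Object {
    $_.Direction -eq $DIR_OUT -and $_.Protocol -eq 41
})

$compliant = $false
foreach ($r in $candidates) {
    $issues = @(Test-Proto41Rule $r)
    if ($issues.Count -eq 0) {
        $compliant = $true
        Write-Output "PASS: '$($r.Name)' blocks outbound protocol 41"
    } else {
        Write-Output "REVIEW: '$($r.Name)': $($issues -join '; ')"
    }
}

if (-not $compliant) {
    Write-Output 'FINDING: no compliant outbound block rule for protocol 41'
    # Command-line equivalent of the Fix Text (elevated prompt, local rule store):
    # netsh advfirewall firewall add rule name="IPv6 Block of Protocols 41" dir=out action=block protocol=41 profile=any
}
```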