UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IPv6 must be disabled until a deliberate transition strategy has been implemented.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14262 5.050 SV-25272r3_rule ECSC-1 Medium
Description
Any nodes’ interface with IPv6 enabled by default presents a potential risk of traffic being transmitted or received without proper risk mitigation strategy and therefore a serious security concern.
STIG Date
Windows 7 Security Technical Implementation Guide 2015-09-02

Details

Check Text ( C-58011r3_chk )
Prior to transition, IPv6 will be disabled on all interfaces. If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

Value Name: DisabledComponents

Type: REG_DWORD
Value: 0xff or 0xffffffff

Microsoft updated article 929852 with regard to disabling all IPv6 components, changing the value to 0xff. A value of 0xffffffff results in a 5-second delay in system startup. However, either value can be used to disable all IPv6 components.

If disabling IPv6 on all interfaces prior to the transition to supporting IPv6 causes issues with necessary applications or services, document this with the ISSO.
Fix Text (F-62373r2_fix)
To disable IPv6 on all interfaces, configure the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

Value Name: DisabledComponents

Type: REG_DWORD
Value: 0xff or 0xffffffff

Microsoft updated article 929852 with regard to disabling all IPv6 components, changing the value to 0xff. A value of 0xffffffff results in a 5-second delay in system startup. However, either value can be used to disable all IPv6 components.