
IPv6 must be disabled until a deliberate transition strategy has been implemented.


Overview

Finding ID: V-14262
Version: 5.050
Rule ID: SV-25272r3_rule
IA Controls:
Severity: Medium

Description
Any node interface with IPv6 enabled by default presents a potential risk of traffic being transmitted or received without a proper risk mitigation strategy and is therefore a serious security concern.

STIG: Windows 7 Security Technical Implementation Guide
Date: 2016-06-08

Details

Check Text (C-58011r3_chk)
Prior to transition, IPv6 will be disabled on all interfaces. If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

Value Name: DisabledComponents

Type: REG_DWORD
Value: 0xff or 0xffffffff

Microsoft updated article 929852 with regard to disabling all IPv6 components, changing the value to 0xff. A value of 0xffffffff results in a 5-second delay in system startup. However, either value can be used to disable all IPv6 components.

If disabling IPv6 on all interfaces prior to the transition to supporting IPv6 causes issues with necessary applications or services, document this with the ISSO.
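
The check above as a PowerShell audit function, added here as an example and not part of the STIG text; the function name `Test-IPv6DisabledComponents` and its output fields are assumptions. It treats a missing value or a non-DWORD type as a finding and handles 0xffffffff being read back as -1.

```powershell
# Added example: audit check for V-14262. Function name and output shape are hypothetical.
function Test-IPv6DisabledComponents {
    [CmdletBinding()]
    param(
        # Path and value name are taken from the check text.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters',
        [string]$Name = 'DisabledComponents'
    )

    $result = [ordered]@{ Finding = $true; Value = $null; Reason = $null }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        $result.Reason = "Registry key not found: $Path"
        return [pscustomobject]$result
    }

    # A missing value is a finding ("does not exist").
    if ($key.GetValueNames() -notcontains $Name) {
        $result.Reason = "$Name does not exist"
        return [pscustomobject]$result
    }

    # The check text requires REG_DWORD; a REG_SZ holding "255" does not count.
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Reason = "$Name is $kind, expected DWord"
        return [pscustomobject]$result
    }

    # .NET returns a DWORD as a signed Int32, so 0xffffffff is read back as -1.
    # Reinterpret the four bytes as unsigned before comparing.
    $raw   = [int32]$key.GetValue($Name)
    $value = [BitConverter]::ToUInt32([BitConverter]::GetBytes($raw), 0)
    $result.Value = '0x{0:x}' -f $value

    if ($value -eq [uint32]255 -or $value -eq [uint32]::MaxValue) {
        $result.Finding = $false
        $result.Reason  = 'All IPv6 components disabled'
    } else {
        $result.Reason = "$Name is $($result.Value), expected 0xff or 0xffffffff"
    }
    [pscustomobject]$result
}

Test-IPv6DisabledComponents
```
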
Fix Text (F-62373r2_fix)
To disable IPv6 on all interfaces, configure the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

Value Name: DisabledComponents

Type: REG_DWORD
Value: 0xff or 0xffffffff

Microsoft updated article 929852 with regard to disabling all IPv6 components, changing the value to 0xff. A value of 0xffffffff results in a 5-second delay in system startup. However, either value can be used to disable all IPv6 components.