Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14262 | 5.050 | SV-14873r1_rule | ECSC-1 | Medium |
Description |
---|
Any nodes’ interface with IPv6 enabled by default presents a potential risk of traffic being transmitted or received without proper risk mitigation strategy and therefore a serious security concern. |
STIG | Date |
---|---|
Windows Vista Security Technical Implementation Guide | 2014-01-07 |
Check Text ( C-32947r1_chk ) |
---|
Prior to transition, IPv6 will be disabled on all interfaces. If the following registry value doesn’t exist or is not configured as specified, then this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters Value Name: DisabledComponents Type: REG_DWORD Value: 0xffffffff If IPv6 transition has been implemented, the following will disable tunnel interfaces allowing native IPv6. Registry Hive: HKEY_LOCAL_MACHINE Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters Value Name: DisabledComponents Type: REG_DWORD Value: 0x1 Discrepancies in documentation have resulted in several changes to this requirement. See Microsoft article 929852 for details of the DisabledComponents registry value. The Gold Disk will check for disabling all IPv6. If the transition to IPv6 has been implemented and the tunneling interfaces have been disabled, manually close the finding. Documentable: If disabling IPv6 on all interfaces prior to the transition to supporting IPv6 causes issues with necessary applications or services, document this with the IAO. |
Fix Text (F-29101r1_fix) |
---|
Add the following registry key. To disable IPv6 on all interfaces: Registry Hive: HKEY_LOCAL_MACHINE Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters Value Name: DisabledComponents Type: REG_DWORD Value: 0xffffffff To disable all IPv6 tunneling interfaces: Registry Hive: HKEY_LOCAL_MACHINE Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters Value Name: DisabledComponents Type: REG_DWORD Value: 0x1 Discrepancies in documentation have resulted in several changes to this requirement. See Microsoft article 929852 for details of the DisabledComponents registry value. |