Title

IPv6 will be disabled until a deliberate transition strategy has been implemented. Use of IPv6 transition technologies will be disabled. (Cat II impact)

Discussion

Any nodes’ interface with IPv6 enabled by default presents a potential risk of traffic being transmitted or received without proper risk mitigation strategy and therefore a serious security concern.

Check Content

Fix Text

Add the following registry key. To disable IPv6 on all interfaces: Registry Hive: HKEY_LOCAL_MACHINE Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters Value Name: DisabledComponents Type: REG_DWORD Value: 0xffffffff To disable all IPv6 tunneling interfaces: Registry Hive: HKEY_LOCAL_MACHINE Subkey: System\CurrentControlSet\Services\Tcpip6\Parameters Value Name: DisabledComponents Type: REG_DWORD Value: 0x1 Discrepancies in documentation have resulted in several changes to this requirement. See Microsoft article 929852 for details of the DisabledComponents registry value.

Additional Identifiers

Rule ID: SV-29955r1_rule

Vulnerability ID: V-14262

Group Title: IPv6 Transition

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.