Disabling IPv6 via Group Policy

IPv6 is the future! Well, not exactly. While IPv6 is pretty important to internet traffic, because we are legitimately running out of addresses in the IPv4 world, a company's internal network is a different story. I have heard the warnings about moving to IPv6 for many years, and yet it is extremely rare that I run into any network that is actually using it inside of their buildings. Why is that? Because it is just not necessary in most cases. IPv6 has always been touted as having enough address space so that every device in the entire world could have its own globally-unique IPv6 address, but the implication in that statement is that companies would actually allow their devices to be connected directly to the internet using these globally-routable addresses. The level of trust required here is simply too great. Instead, we hide our internal networks behind firewalls and NATs, just like we always have, and it continues to function fine and dandy. It is my guess that this trend will continue for many, many, many more years.

What is my point? Most corporate-owned computers do not need IPv6 in any way, shape, or form. Unfortunately, IPv6 is still a mysterious black box to many IT groups, so it actually makes pretty good sense to disable it, if you are not using it anyway. You see, the IPv6 stack in Windows is pretty smart, maybe a little too smart, and whenever your IPv6-enabled computer sees other IPv6-enabled computers on the same network, they will start to create networks among themselves. While this is not inherently a bad thing—it is actually very useful for home networks—in a restricted domain environment, it can create communication pathways that are outside the scope of your IPv4-based network protection systems. Most network admins want to ensure that they know about all the traffic flowing to and from their computers, and IPv6 is often viewed as rogue in that scenario.

If you are not using IPv6, let's disable it. Thankfully this is easily done via Group Policy. One simple registry key, called DisabledComponents, will allow us to tweak the IPv6 stack inside the operating system in myriad different ways.

To create a new Registry key via Group Policy, create a new GPO and navigate to Computer Configuration | Preferences | Windows Settings | Registry.

Right-click here and choose New | Registry Item. We want to create the following registry key:

  • Action: Update (unless you want a different CRUD)
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

We are creating a DWORD called DisabledComponents:

Value data is where you get to decide the specifics about what you are disabling/squashing inside IPv6. The following are the configurable options for this registry key. You can see in the previous screenshot that I have configured mine to 0x10, which blocks native IPv6, but allows the IPv6 transition-tunneling adapters to continue working. I am doing this because I often work with the remote-access technology DirectAccess and this requires the transition-tunneling adapters to be active on my laptops:

  • Prefer IPv4 over IPv6 = 0x20
  • Completely disable IPv6 = 0xFF
  • Disable IPv6 on all nontunnel interfaces = 0x10
  • Disable IPv6 on tunnel interfaces = 0x01
  • Disable IPv6 on nontunnel interfaces (except loopback) and on IPv6 tunnel interfaces = 0x11

More details on these options are provided here: https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users.

After creating the regkey, pushing it out to some computers via GPO, and then restarting those computers, IPv6 will now be configured to meet your corporate needs.
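
To confirm the setting landed after the restart, the following added example (not code from the book) reads DisabledComponents on the local computer, decodes it against the options listed above, and lists the IPv6 addresses that are still bound. The function name Test-Ipv6DisabledComponents and the default expected value of 0x10 are assumptions made for illustration.

```powershell
# Added example: audit DisabledComponents on the local computer after the GPO has applied.
# The value meanings are the ones listed on this page; $Expected is an assumption
# (0x10, the value used in this walkthrough).
function Test-Ipv6DisabledComponents {
    [CmdletBinding()]
    param([int64]$Expected = 0x10)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $item = Get-ItemProperty -Path $key -Name 'DisabledComponents' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value missing: the preference item has not been applied to this machine.
        $value   = $null
        $hex     = '(not set)'
        $meaning = 'DisabledComponents is absent; IPv6 is running with Windows defaults'
    }
    else {
        # Registry DWORDs can surface as signed Int32, so normalise to the unsigned 32-bit range.
        $value   = ([int64]$item.DisabledComponents) -band 4294967295
        $hex     = '0x{0:X2}' -f $value
        $meaning = switch ($value) {
            0x20    { 'Prefer IPv4 over IPv6' }
            0xFF    { 'Completely disable IPv6' }
            0x10    { 'Disable IPv6 on all nontunnel interfaces' }
            0x01    { 'Disable IPv6 on tunnel interfaces' }
            0x11    { 'Disable IPv6 on nontunnel interfaces (except loopback) and on IPv6 tunnel interfaces' }
            default { 'Value is not one of the options listed on this page' }
        }
    }

    # Effective state: IPv6 addresses still bound, to compare with what the chosen value should leave enabled.
    $addresses = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} [{1}]' -f $_.IPAddress, $_.InterfaceAlias }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Value           = $hex
        Meaning         = $meaning
        MatchesExpected = ($null -ne $value) -and ($value -eq $Expected)
        Ipv6Addresses   = $addresses
    }
}

Test-Ipv6DisabledComponents -Expected 0x10 | Format-List
```

A machine that reports MatchesExpected as False, or that still lists native IPv6 addresses on its physical adapters, has either not received the GPO or has not been restarted since it applied.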
