Qualys Blog

www.qualys.com
wkandek

Disabling IPv6 – Updated

Update: As Mike pointed out in the comments to disable IPv6 completely on the host, rather than on just the adapter selected one needs to change the HKLM\SYSTEM\CurrentControlSet\
Services\Tcpip6\Parameters\
DisabledComponents and set it to 0xffffffff.

ipv6_on

to a pure IPv4 type system:

ipv6_off

Original: If you do not use IPv6 on your network, you should consider disabling it all together to minimize your exposure to IPv6 based vulnerabilities, for example MS13-065 released in Microsoft Patch Tuesday for August and others. There is also some anecdotal evidence about malware starting to use IPv6 based protocols to escape detection.

It is pretty easy to do if you are familiar with the Windows Control Panel.

For Windows 7 – simply uncheck the IPv6 checkbox in the “Properties” of the Network Interfaces in use.

Here is an example for our local network. The status before: IPv6 configured on the Local Area Connection and a local address exists, i.e. the machine can communicate through local IPv6, but is not routed, so no further network or Internet connectivity is available.

ipv6_1_1

After unsetting the “Internet Protocol Version 6 (TCP/IPv6)” checkbox IPv6 unchecked, the IPv6 address on the interface goes away as IPv6 has been disabled.

ipv6_2_2

For Mac OS X: recent versions do not allow to disable through the GUI, but one can still use the commandline and get the desired effect:

> networksetup -setv6off Ethernet

for the typical wired interface and

> networksetup -setv6off Wi-Fi

for the typical wireless interface. You will be prompted for your password to change the network configuration.

mac_wifi

One response to “Disabling IPv6 – Updated”

Leave a Reply