By default, IPv6 has been enabled and preferred over IPv4 since Windows Vista (this also includes all server variants). From a cybersecurity point of view it is recommended to disable IPv6 if you are not using it, because it can be abused by an attacker to redirect traffic to a malicious DNS server. This is done by setting up a rogue IPv6 DHCP server, assigning IPv6 addresses to clients, and finally advertising the attacker's system as the default DNS server. Since Windows prefers IPv6 DNS over IPv4 DNS, all A (IPv4) and AAAA (IPv6) client DNS queries will then be sent to the rogue DNS server.
Note – Microsoft recommends changing the IPv6 functionality to "Prefer IPv4 over IPv6" instead of disabling IPv6, and this is what we will use for our domain controllers. If you are utilizing DirectAccess, IPv6 should not be disabled at all; instead use the option "Disable IPv6 on all nontunnel interfaces" (hexadecimal 0x10).
Follow the steps below to change the IPv6 settings via Group Policy (GPO):
- Open the Group Policy Management Console (gpmc.msc)
- Create a new GPO and link it to the OU containing the computer objects to which you want the IPv6 changes to apply
- Select the newly created GPO, click on the Details tab and disable the User Configuration settings for this GPO (in this particular case it's best to disable the User Configuration settings entirely since we won't need them; this reduces GPO processing time)
- Right click on the GPO and select Edit
- Disabling IPv6 (all systems except domain controllers):
- Navigate to Computer Configuration -> Preferences -> Windows Settings -> Registry
- Right click and choose New -> Registry Item
- Enter the following settings in the properties window:
- Hive – HKEY_LOCAL_MACHINE
- Key Path – SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
- Value name – DisabledComponents
- Type – REG_DWORD
- Value data – 0xFF (Hexadecimal)
- Click OK and exit the management console
- GPO settings:
- Prefer IPv4 over IPv6 (domain controllers):
- Navigate to Computer Configuration -> Preferences -> Windows Settings -> Registry
- Right click and choose New -> Registry Item
- Enter the following settings in the properties window:
- Hive – HKEY_LOCAL_MACHINE
- Key Path – SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
- Value name – DisabledComponents
- Type – REG_DWORD
- Value data – 0x20 (Hexadecimal)
- Click OK and exit the management console
- GPO Settings:
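The following PowerShell script is an added example and is not part of the original post. It does two things the GPO procedure above leaves to the reader: it audits a machine's current DisabledComponents value and decodes the three values the post uses (0xFF, 0x20 and 0x10), lists any IPv6 DNS servers the client has picked up (which is what the rogue-DHCPv6 scenario in the introduction would produce on a network that does not run IPv6), and optionally creates the GPO registry setting with the RSAT GroupPolicy module. The GPO name and OU distinguished name are placeholders; Set-GPRegistryValue writes a registry policy rather than the Group Policy Preferences item shown in the post, but the resulting registry value on the client is the same.

```powershell
# Added example, not from the original post. Audits and (optionally) deploys the
# Tcpip6 DisabledComponents value described above. GPO name / OU are placeholders.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$ValueName = 'DisabledComponents'

function Get-IPv6DisabledComponents {
    # Returns the current value; an absent value means IPv6 is fully enabled (Windows default).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }
    # The value is stored as a signed DWORD; mask so 0xFFFFFFFF does not fail the cast.
    return [uint32]($item.$ValueName -band 0xFFFFFFFF)
}

function Describe-IPv6State {
    # Decodes only the values used in the post: 0xFF, 0x20 and 0x10.
    param([uint32]$Value)
    if ($Value -eq 0)                 { return 'IPv6 enabled and preferred over IPv4 (default)' }
    if (($Value -band 0xFF) -eq 0xFF) { return 'all IPv6 components disabled except loopback (0xFF)' }
    $parts = @()
    if ($Value -band 0x20) { $parts += 'prefer IPv4 over IPv6 (0x20)' }
    if ($Value -band 0x10) { $parts += 'IPv6 disabled on all nontunnel interfaces (0x10)' }
    if ($parts.Count -eq 0) { return ('other DisabledComponents bits set: 0x{0:X} (not decoded here)' -f $Value) }
    return ($parts -join '; ')
}

function Get-IPv6DnsServers {
    # Interfaces that currently have an IPv6 DNS server configured. On a network that does
    # not run IPv6, any result here deserves a look (see the rogue DHCPv6 scenario above).
    Get-DnsClientServerAddress -AddressFamily IPv6 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses
}

function New-IPv6GpoSetting {
    # Creates (if needed) and links a computer-only GPO that sets DisabledComponents.
    # Requires the RSAT GroupPolicy module; run from a domain-joined admin workstation.
    param(
        [Parameter(Mandatory)][string]$GpoName,   # placeholder, e.g. 'IPv6-PreferIPv4-DCs'
        [Parameter(Mandatory)][string]$TargetOU,  # placeholder, e.g. 'OU=Domain Controllers,DC=example,DC=com'
        [Parameter(Mandatory)][uint32]$Value      # 0x20 for domain controllers, 0xFF for everything else
    )
    if ($Value -ne 0x20 -and $Value -ne 0xFF) {
        throw "Value must be 0x20 (prefer IPv4) or 0xFF (disable IPv6), got 0x$('{0:X}' -f $Value)"
    }
    Import-Module GroupPolicy
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | New-GPLink -Target $TargetOU | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
        -ValueName $ValueName -Type DWord -Value $Value | Out-Null
    # Computer-only GPO: disable the user half, as the post recommends, to cut processing time.
    (Get-GPO -Name $GpoName).GpoStatus = 'UserSettingsDisabled'
}

# --- Audit the local machine (safe to run anywhere) ---
$current = Get-IPv6DisabledComponents
'DisabledComponents = 0x{0:X2} -> {1}' -f $current, (Describe-IPv6State $current)
Get-IPv6DnsServers

# --- Deploy (uncomment and replace the placeholders) ---
# New-IPv6GpoSetting -GpoName 'IPv6-PreferIPv4-DCs' -TargetOU 'OU=Domain Controllers,DC=example,DC=com' -Value 0x20
# New-IPv6GpoSetting -GpoName 'IPv6-Disable-Members' -TargetOU 'OU=Member Servers,DC=example,DC=com' -Value 0xFF
```

Run the audit part on a client after `gpupdate /force` and a reboot (DisabledComponents is read at boot) to confirm the value the GPO delivered; the decoded description should read 0x20 on domain controllers and 0xFF on the other systems the GPO targets.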