Note: A 2022 tutorial on the many aspects of IPv6 can be found in this All Things TECH IPv6 in Windows article.
Internet Protocol version 6 (IPv6) is enabled by default in Windows 8 and later client versions and in Windows Server versions released in 2013 or later (Windows Server 2012 R2 onward); in fact it has been on by default since Windows Vista and Windows Server 2008. No action is required to enable IPv6.
This article provides a guide to hardening Windows Server versions released in 2013 or later against potential IPv6-related attacks, for use where no applicable policy or guidance on the subject exists.
Internet Connection Sharing (ICS) is disabled by default, and should be disabled if found to be enabled on any network interface as described here. Wi-Fi Sense (present in Windows 10 versions 1709 and prior only) should be disabled if present as described here for desktop systems and here for corporate environments.
Server versions have a DHCPv6 client enabled by default. This may or may not be considered acceptable. Disabling the DHCPv6 client on server versions is described in Part 3: IPv6 Static Addressing and DNSv6 in the Enabling IPv6 in Microsoft Windows Application Servers article in the Infrastructure section. Depending on the LAN segment router configuration, clients on that LAN segment may need to be reconfigured to use DHCPv6, as described in Part 4: Setting up DHCPv6 to Dynamically Issue IPv6 Addresses in a Network in the same article.
Running the following cmdlets in PowerShell disables the tunneling transitions (6to4, ISATAP and Teredo) that are enabled by default. They matter for security because they carry IPv6 inside IPv4 (protocol 41 or UDP), so an IPv4-only firewall or monitoring policy that does not inspect the encapsulation can leave a tunneled IPv6 path open to the host. Disabling them is not required, but is recommended. The netsh command line interface used to configure and manage TCP/IP configurations still exists, but Microsoft recommends that you transition to PowerShell; in future updates of Windows, Microsoft may remove the netsh functionality. It is also possible to disable these interfaces using Group Policy Objects (GPO) as described in this article. (The .admx and .adml files available there do not disable IP-HTTPS-based interfaces, but are otherwise current.)
Run PowerShell as an Administrator, and then:
1. Run the cmdlet
Get-NetIPv6Protocol
If the value of RandomizeIdentifiers is anything other than Disabled, run the cmdlet
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
and if the value of UseTemporaryAddresses is anything other than Disabled, run the cmdlet
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled
(Caveat: with RandomizeIdentifiers disabled, SLAAC addresses use the EUI-64 interface identifier derived from the adapter's MAC address, so the address reveals the hardware address and the identifier stays the same on every network. That is the behaviour you want on a server whose address is listed in firewall rules, logs and DNS; on a laptop that roams between untrusted networks it is a privacy trade-off to weigh first.)
2. Run the cmdlet
Get-Net6to4Configuration
This will show the State of 6to4 tunneling. If the State is other than Disabled, run the cmdlet
Set-Net6to4Configuration -State Disabled
Unless 6to4 tunneling is disabled, any Network Adapter with a public IPv4 address will automatically be assigned a corresponding 6to4 address (2002:&lt;IPv4 in hex&gt;::/48) on the 6to4 tunneling interface, and an attempt will be made to register that 6to4 address in DNS. That address is reachable through any 6to4 relay on the Internet, so it can bypass an IPv4-only perimeter policy. Use of the 6to4 server (6to4.ipv6.microsoft.com) is not recommended; it is no longer supported by Microsoft, and the anycast 6to4 relay mechanism itself was deprecated by RFC 7526.
3. Run the cmdlet
Get-NetIsatapConfiguration
This will show the State of ISATAP tunneling. If the State is other than Disabled, run the cmdlet
Set-NetIsatapConfiguration -State Disabled
4. Run the cmdlet
Get-NetTeredoConfiguration
This will show the Type (mode) of Teredo tunneling; Teredo reports its mode as Type rather than State. If the Type is other than Disabled, run the cmdlet
Set-NetTeredoConfiguration -Type Disabled
(It is not recommended that you enable the Teredo protocol, but if for some reason you want to, omit the above cmdlet. You will likely also want to configure your own Teredo server using the cmdlet
Set-NetTeredoConfiguration -ServerName "Teredo.Server.FQDN"
where Teredo.Server.FQDN is the fully qualified domain name of your Teredo server. Use of any default Teredo servers (such as www.ipv6.microsoft.com, teredo.ipv6.microsoft.com, win10.ipv6.microsoft.com, or 1710.ipv6.microsoft.com) supported by Microsoft in the past is not recommended. If the computer you are configuring is also part of a Windows domain, then also run the cmdlet
Set-NetTeredoConfiguration -Type EnterpriseClient
since the default Teredo client stays dormant on a domain-joined computer. It is generally not recommended to enable Teredo when connected to a Windows domain: Teredo encapsulates IPv6 in UDP precisely so that it traverses NAT and IPv4 firewalls, which is the opposite of what a hardened server wants.)
The cmdlets in step 1 stop Windows from generating temporary, randomly-generated global IPv6 addresses (RFC 4941 privacy addresses). These are neither useful nor desirable when the system already has a global IPv6 address assigned by Stateless Address Autoconfiguration (SLAAC) or Dynamic Host Configuration Protocol version 6 (DHCPv6): they change periodically, so firewall rules, logs and DNS records keyed on the address stop matching. The settings persist, but a temporary address that already exists won't be removed until the next reboot (or until it is removed with Remove-NetIPAddress). Whenever a mobile system moves to a different network, or whenever the network the system is connected to is renumbered, re-run Get-NetIPv6Protocol and Get-NetIPAddress -AddressFamily IPv6 to confirm the settings still hold and no temporary address has been configured.
To verify that the tunneling interfaces were disabled by steps 2 through 4, run Get-Net6to4Configuration, Get-NetIsatapConfiguration and Get-NetTeredoConfiguration again and confirm that each reports Disabled.
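The four steps above, collected into one idempotent PowerShell pass. This is an added example written for this edit, not code from the original article: it uses the NetTCPIP cmdlets the steps name, reads each setting first, changes only what is not already Disabled, re-reads to verify, and returns one row per setting so the result can be kept as evidence. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article). Assumes only the standard
# NetTCPIP cmdlets named in steps 1-4 and an elevated session.
$settings = @(
    # Step 1: stable (non-randomized) interface identifiers, no temporary addresses.
    @{ Name = 'RandomizeIdentifiers'
       Read = { (Get-NetIPv6Protocol).RandomizeIdentifiers }
       Fix  = { Set-NetIPv6Protocol -RandomizeIdentifiers Disabled } }
    @{ Name = 'UseTemporaryAddresses'
       Read = { (Get-NetIPv6Protocol).UseTemporaryAddresses }
       Fix  = { Set-NetIPv6Protocol -UseTemporaryAddresses Disabled } }
    # Steps 2-4: the three tunneling transitions. Teredo exposes its mode as
    # 'Type' rather than 'State', which is why its row differs.
    @{ Name = '6to4'
       Read = { (Get-Net6to4Configuration).State }
       Fix  = { Set-Net6to4Configuration -State Disabled } }
    @{ Name = 'ISATAP'
       Read = { (Get-NetIsatapConfiguration).State }
       Fix  = { Set-NetIsatapConfiguration -State Disabled } }
    @{ Name = 'Teredo'
       Read = { (Get-NetTeredoConfiguration).Type }
       Fix  = { Set-NetTeredoConfiguration -Type Disabled } }
)

$report = foreach ($s in $settings) {
    $before = "$(& $s.Read)"           # read current value as a string
    if ($before -ne 'Disabled') {
        & $s.Fix                         # change only what needs changing
    }
    $after = "$(& $s.Read)"            # re-read to verify the change took
    [pscustomobject]@{
        Setting = $s.Name
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}

$report | Format-Table -AutoSize

# Any row whose After column is not 'Disabled' needs a closer look: a Group
# Policy setting or a DisabledComponents registry value (described later in
# the article) can override what the local cmdlets set.
$leftover = $report | Where-Object { $_.After -ne 'Disabled' }
if ($leftover) {
    Write-Warning ("Still not disabled: " + ($leftover.Setting -join ', '))
}
```

A temporary address that was already configured before the run stays until the next reboot, as the text notes; the report only shows the protocol settings, not the address table.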
If you want to re-enable IPv6 after it has been disabled, the following five methods are available. The method used should correspond to the manner in which IPv6 was disabled.
If Windows Server has not already been hardened to guard against potential IPv6-related attacks as mentioned at the beginning of the article, now may be time.
It is also strongly recommended to recheck Internet Connection Sharing (ICS) and Wi-Fi Sense, as described at the beginning of this article.
Method 1. (Traditional method used by all Windows versions.) In the Network Connections folder of the Network and Sharing Center on the Control Panel, obtain properties on all of your connections and adapters and set the check box next to the Internet Protocol version 6 (TCP/IPv6) component in the list under This connection uses the following items. This method can be used to re-enable IPv6 on each network interface and connection, but does not enable IPv6-tunneling interfaces nor the IPv6 loopback interface.
Method 2. Run PowerShell as an Administrator. Run the cmdlet
Get-NetAdapterBinding -ComponentID ms_tcpip6
to list all Network Adapters on the computer and the state of the ms_tcpip6 ComponentID for each Network Adapter. For each Network Adapter for which the ComponentID ms_tcpip6 shows Enabled = False, run the cmdlet
Set-NetAdapterBinding -Name "Network Adapter Name" -ComponentID ms_tcpip6 -Enabled $True
Method 3. Either (a) use the wizard or (b) follow the directions for modifying the registry in this article on the docs.microsoft.com website. (As noted in that article, once DisabledComponents has been set through those directions, method 1 above can no longer be used to enable IPv6.)
Method 4. Search for the regedit app and run it as Administrator (an older route than, but similar to, method 3(b) above).
(Screenshots in the original: the "regedit" search on Windows 8, and on Windows 10 and 11.)
The following registry value (DWORD type) should already exist. If it doesn't, then create it:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
DisabledComponents has a value of 0x0 by default. Set it to 0x8F to re-enable IPv6 on all your network interfaces and connections while still disabling the IPv6 tunneling interfaces (0x8F sets bits 0 through 3 and bit 7, and leaves bit 4, the bit that disables native IPv6, clear). You must restart the computer for this change to take effect.
When DisabledComponents exists and a DisabledComponents bit is set, it overrides any settings established by methods 1 and 2. The DisabledComponents registry value is a bit mask that controls the following series of flags, starting with the low order bit (Bit 0):
- Bit 0 Set to 1 to disable all IPv6 tunnel interfaces, including ISATAP, 6to4, and Teredo tunnels. Default value is 0.
- Bit 1 Set to 1 to disable all 6to4-based interfaces. Default value is 0.
- Bit 2 Set to 1 to disable all ISATAP-based interfaces. Default value is 0.
- Bit 3 Set to 1 to disable all Teredo-based interfaces. Default value is 0.
- Bit 4 Set to 1 to disable IPv6 over all non-tunnel interfaces, including LAN interfaces and Point-to-Point Protocol (PPP)-based interfaces. Default value is 0.
- Bit 5 Set to 1 to modify the default prefix policy table to prefer IPv4 to IPv6 when attempting connections. Default value is 0.
- Bit 6 This bit was reserved for future use up until Windows Server 2019. Set to 1 to disable all CP-based interfaces. Default value is 0.
- Bit 7 Set to 1 to disable all IP-HTTPS-based interfaces. Default value is 0.
To determine the value of DisabledComponents for a specific set of bits, construct a binary number consisting of the bits and their values in their correct position and convert the resulting number to hexadecimal. For example, if you want to disable 6to4 interfaces, disable Teredo interfaces, and prefer IPv4 to IPv6, you would construct the following binary number: 00101010. When converted to hexadecimal, the value of DisabledComponents is 0x2A.
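An added PowerShell audit, written for this edit rather than taken from the original article, that covers both Method 2 and the DisabledComponents mask: it encodes a mask from flag names (the 0x2A case above and any other combination), decodes the live value from HKLM into the bit names listed above, lists the ms_tcpip6 bindings from Method 2, and flags the case the text warns about, where bit 4 in the registry overrides a per-adapter binding. The flag names are this example's own; bit 6 keeps a neutral name because the text does not define it clearly.

```powershell
# Added example (not from the original article). Bit positions are exactly
# those listed in the text; the flag names are this example's own.
$DisabledComponentBits = [ordered]@{
    AllTunnels = 0   # bit 0: every tunnel interface (ISATAP, 6to4, Teredo)
    SixToFour  = 1   # bit 1: 6to4
    Isatap     = 2   # bit 2: ISATAP
    Teredo     = 3   # bit 3: Teredo
    NonTunnel  = 4   # bit 4: native IPv6 on LAN and PPP interfaces
    PreferIPv4 = 5   # bit 5: prefix policy prefers IPv4
    Bit6       = 6   # bit 6: reserved before Windows Server 2019 (see text)
    IpHttps    = 7   # bit 7: IP-HTTPS
}

function ConvertTo-DisabledComponents {
    # Build the mask from flag names, e.g. SixToFour, Teredo, PreferIPv4 -> 0x2A.
    param([string[]]$Flags)
    $mask = 0
    foreach ($f in $Flags) {
        if (-not $DisabledComponentBits.Contains($f)) { throw "Unknown flag: $f" }
        $mask = $mask -bor (1 -shl $DisabledComponentBits[$f])
    }
    return $mask
}

function ConvertFrom-DisabledComponents {
    # Name the set bits of a mask, e.g. 0x8F -> AllTunnels, SixToFour, Isatap, Teredo, IpHttps.
    param([uint32]$Mask)
    foreach ($e in $DisabledComponentBits.GetEnumerator()) {
        if ($Mask -band (1 -shl $e.Value)) { $e.Key }
    }
}

function Get-Ipv6DisabledState {
    # Live audit: registry mask plus the per-adapter ms_tcpip6 bindings of Method 2.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $raw  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $raw) { $raw = 0 }                  # value absent means the default 0x0
    $mask  = [uint32]($raw -band 0xFFFFFFFF)          # REG_DWORD 0xFFFFFFFF reads back as -1
    $flags = @(ConvertFrom-DisabledComponents -Mask $mask)
    $bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled
    [pscustomobject]@{
        DisabledComponents = ('0x{0:X2}' -f $mask)
        DisabledFlags      = $flags
        NativeIPv6Blocked  = ($flags -contains 'NonTunnel')   # bit 4 overrides methods 1 and 2
        AdapterBindings    = $bindings
    }
}

# Worked values from the text: 6to4 + Teredo + prefer IPv4 -> 2A; 0x8F decoded.
'{0:X2}' -f (ConvertTo-DisabledComponents SixToFour, Teredo, PreferIPv4)
(ConvertFrom-DisabledComponents 0x8F) -join ', '

# Live audit, then the Method 2 repair for any adapter with the binding off.
$state = Get-Ipv6DisabledState
$state | Format-List
if ($state.NativeIPv6Blocked) {
    Write-Warning 'Bit 4 is set in DisabledComponents; adapter bindings are overridden until it is cleared and the computer rebooted.'
}
$state.AdapterBindings | Where-Object { -not $_.Enabled } | ForEach-Object {
    Set-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -Enabled $true
}
```

The two worked calls print 2A and the five names set by 0x8F; the warning is the practical point, since re-enabling a binding does nothing visible while bit 4 is set.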
Method 5. Issue the following command line as an Administrator:
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0x8F /f
The registry value should already exist; reg add creates it if it doesn't, and /f overwrites an existing value without prompting. Restart the computer afterwards, as with method 4.