
  • Remove IPv6 from Windows

    By: jminto


    Removing IPv6 from systems is a good idea if you are not using IPv6.  This is especially true if you see no foreseeable implementation of the protocol in your organization's or your ISP's future.  There are a few practical reasons to take away IPv6 capability.  However, it is not readily apparent how to remove it.  In fact, the interface is misleading: many administrators think IPv6 is disabled when it really is not.  That is remedied by a simple trick with the Windows Device Manager.


    What is IPv6?

    IPv6 is the new protocol intended to replace IPv4.  IPv4 is the Internet Protocol currently used by all commercial Internet Service Providers.  The Internet is somewhat limited by the small address space within IPv4.  So ICANN, the governing body, is prescribing the migration to IPv6, which will allow more devices to connect to the Internet (see http://www.icann.org/en/announcements/factsheet-ipv6-26oct07.pdf).  There is no certain time when the transfer will happen, so why transfer if there is not a need?

    A big reason to remove IPv6 is limited network resources.  This includes personnel as well as physical hardware.  How well does your support staff understand IPv6?  How much practical experience do they have with IPv6?  Do you trust your network to those individuals?  I would not trust them until they practically demonstrated a working understanding of IPv6.  What IPv6 security tools are in use on the network?  How many tools provide 100% visibility into IPv6?  Do your personnel know how to interpret that data?  This is of course a manageable situation.  Do not be too quick to take the plunge though.  The last thing everyone wants is a call from the VP asking why he or she cannot check his or her email.

    Perhaps more fundamentally, why would you have something enabled if it is not being used?  This is especially a concern with Microsoft products.  Historically, problems with Microsoft come not from system-critical code, but from code that they leave in place for convenience.  SMB password attacks instantly come to mind.  There was also the fun WebDAV functionality installed with IIS.  Sorry Microsoft, given your track record: if I'm not using it, it needs to be turned off.

    IPv6 is Already Disabled (Epic Fail)

    Windows Server, Vista and 7 networking use a peculiar system to support both IPv4 and IPv6.  Quite commonly, this support is "disabled" by unchecking it in the Network Properties dialog box (see Figure 1).

    Figure 1 - It looks disabled to me... (image: Disabled, but not disabled.)

    That, however, does not really disable it.  Execute ipconfig /all and you'll see something like this:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Penny
    Primary Dns Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : hog.lomin.com

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . : my.domain.com
    Description . . . . . . . . . . . : Intel(R) 82567LF-1 Gigabit Network Connection
    Physical Address. . . . . . . . . : 00-28-E8-2C-A0-C5
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 10.10.1.6(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Tuesday, March 16, 2010 7:34:34 AM
    Lease Expires . . . . . . . . . . : Wednesday, March 17, 2010 11:10:52 AM
    Default Gateway . . . . . . . . . : 10.10.1.1
    DHCP Server . . . . . . . . . . . : 10.10.1.1
    DNS Servers . . . . . . . . . . . : 10.10.1.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix  . : my.domain.com
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2c9c:2617:3f57:f3cb(Preferred)
    Link-local IPv6 Address . . . . . : fe80::2c9c:2617:3f57:f3cb%10(Preferred)
    Default Gateway . . . . . . . . . : ::
    NetBIOS over Tcpip. . . . . . . . : Disabled

    What exactly is a Teredo Tunneling Pseudo-Interface?  What is an ISATAP Adapter?  Could that be malware?  It is not malware.  It is the IPv6 transition support you thought was disabled already, and the Teredo interface above has even picked up a global IPv6 address.

    Disabling IPv6

    Really disable IPv6 by opening your device manager, showing hidden devices, and disabling the offenders.

    The Device Manager can be found in a number of different places.  The quickest way is perhaps from the Run dialog.  Press Windows key + R to open the dialog and type in devmgmt.msc.  That will bring up just the Device Manager.

    Expand Network adapters to reveal however many network cards are on that system.  Select View -> Show hidden devices and you may now see a number of additional adapters.  The example below shows just how many adapters are hidden (see Figure 2).

    Figure 2 - Network Adapters before and after Show Hidden (image: Hidden Network Adapters)

    Disable the ISATAP and Teredo adapters.  Those two are responsible for IPv6 tunneling on Windows.  A small arrow overlay appears on the adapter's icon once it is disabled (see Figure 3).

    Figure 3 - Really Disabled

    Now check ipconfig and see your results similar to this:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Penny
    Primary Dns Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : hog.lomin.com

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . : my.domain.com
    Description . . . . . . . . . . . : Intel(R) 82567LF-1 Gigabit Network Connection
    Physical Address. . . . . . . . . : 00-28-E8-2C-A0-C5
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 10.10.1.6(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Tuesday, March 16, 2010 7:34:34 AM
    Lease Expires . . . . . . . . . . : Wednesday, March 17, 2010 11:10:52 AM
    Default Gateway . . . . . . . . . : 10.10.1.1
    DHCP Server . . . . . . . . . . . : 10.10.1.1
    DNS Servers . . . . . . . . . . . : 10.10.1.1
    NetBIOS over Tcpip. . . . . . . . : Enabled
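    To make the "disabled but not disabled" check repeatable across many hosts, here is an added example (not from the original post) that parses ipconfig /all text offline, lists the tunnel pseudo-interfaces (ISATAP, Teredo) and flags any adapter still holding an IPv6 address, which is exactly the difference between the two outputs above.  The embedded sample is constructed from the "before" output; audit_local_host is a hypothetical helper name, and it assumes only that ipconfig /all exists on the Windows host.

```python
"""Audit `ipconfig /all` text for IPv6 tunnel adapters that are still live."""
import re
import subprocess
from typing import Dict, List

# Constructed sample, trimmed from the "before" output shown above.
SAMPLE_BEFORE = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.10.1.6(Preferred)

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter

Tunnel adapter Local Area Connection* 7:

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2c9c:2617:3f57:f3cb(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2c9c:2617:3f57:f3cb%10(Preferred)
"""

ADAPTER_RE = re.compile(r"^\s*(\w[\w ]*?) adapter (.+):$")           # "Tunnel adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*: ?(.*)$")  # "Key . . . : value"

def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Return {adapter name: {field: value}}; 'Kind' holds Ethernet, Tunnel, etc."""
    adapters, current = {}, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            current = adapters.setdefault(m.group(2), {"Kind": m.group(1)})
        elif (m := FIELD_RE.match(line)) and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            # Several IPv6 addresses can share one key; join instead of overwriting.
            current[key] = f"{current[key]}, {value}" if key in current else value
    return adapters

def tunnel_adapters(text: str) -> List[str]:
    """Tunnel pseudo-interfaces (ISATAP, Teredo): if present, IPv6 support is present."""
    return [n for n, f in parse_ipconfig(text).items() if f["Kind"] == "Tunnel"]

def live_ipv6_adapters(text: str) -> List[str]:
    """Adapters currently holding an IPv6 address, whatever the checkbox says."""
    return [n for n, f in parse_ipconfig(text).items() if any("IPv6 Address" in k for k in f)]

def audit_local_host() -> List[str]:
    """Hypothetical helper: run the real `ipconfig /all` on a Windows host and report live IPv6."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True, check=True)
    return live_ipv6_adapters(out.stdout)
```

    On the "before" output the Teredo interface is reported as still live; on the "after" output both lists come back empty.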

© Copyright 2005-2010 Lomin LLC. All rights reserved. Privacy Policy. Disclaimer.