Windows 7 IPv6 in Enterprise Environments
If you roll out Windows 7 in an enterprise environment you may need to decide what to do with IPv6. As you probably know, Windows 7 comes with IPv6 enabled by default. That is certainly nice, but what if your network does not “do” IPv6 yet? Should you disable IPv6 in Windows 7?
Microsoft’s Recommendation
Here is what Microsoft has to say to the question of whether to disable IPv6:
It is unfortunate that some organizations disable IPv6 on their computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6-based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.
From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.
Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.
What IPv6 is Used for in Windows 7
While IPv6 generally is optional it is required for certain Windows features:
- HomeGroup
- DirectAccess and IP-HTTPS
BranchCache does not require IPv6, by the way, but uses it if available.
How to disable IPv6
IPv6 can be disabled partly or completely by creating or modifying the DWORD registry value DisabledComponents
in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
:
Value of DisabledComponents | Description |
0 | Enables all IPv6 components (Windows default setting) |
0xffffffff | Disables all IPv6 components, except the IPv6 loopback interface. This value also configures Windows to prefer using IPv4 over IPv6 by modifying entries in the prefix policy table. |
0x20 | Prefers IPv4 over IPv6 by modifying entries in the prefix policy table. |
0x10 | Disables IPv6 on all nontunnel interfaces (on both LAN and Point-to-Point Protocol [PPP] interfaces). |
0x01 | Disables IPv6 on all tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo. |
0x11 | Disables all IPv6 interfaces except for the IPv6 loopback interface. |
References
If you want to read up on IPv6 Microsoft’s Introduction to IPv6 (92 pages) may be right for you.
The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7
IPv6 for Microsoft Windows: Frequently Asked Questions
Microsoft Knowledge Base: How to disable IPv6 or its specific components
1 Comment
If you are running Symantec Endpoint Protection on Windows 7 machines, and IPv6 is enabled, Symantec Network threat protection will log lots of blocks and also potentially block legitimate communication until you disable IPv6. I have ran into this personally.
-td