Remember how you were told to disable all unused applications and protocols when securing a compute environment? If you’ve been in networking for years – like I have – it’s almost a reflex action. More recently, this has also been codified in PCI DSS Section 2.2.2, right? It also seems like a really basic, logical approach. Apparently Microsoft doesn’t think so: there is a “somewhat artificial albeit deeply ingrained” dependency on IPv6 in Windows Server 2008.
2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device’s specified function).
- PCI Security Standards Council
Considering the lackluster adoption rate of IPv6 in the Internet domain, it is hard to argue that IPv6 on the local network is a new requirement. Given that most system administrators have enough difficulty understanding IPv4 networks, a dependency on IPv6 seems both premature and unnecessarily complex.
Corollary: Disabling IPv6 Kills SBS 2008
Simply disabling IPv6 at the network card level carries no dire warning. Services continue to function properly with no warnings or klaxon calls. However, a reboot tells a different story: the absence of IPv6 KILLS a myriad of services on reboot.