SBS 2008 Panics, Needs IPv6

March 4, 2009

Remember how you were told to disable all unused applications and protocols when securing a compute environment? If you’ve been in networking for years – like I have – it’s almost a reflex action. This is also more recently codified in PCI DSS Section 2.2.2, right? It also seems like a really basic, logical approach. Apparently Microsoft doesn’t think so: there is a “somewhat artificial albeit deeply ingrained” dependency on IPv6 in Windows Server 2008.

2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device’s specified function).

– PCI Security Standards Council

Considering the lackluster adoption rate of IPv6 in the Internet domain, it is hard to argue that IPv6 on the local network is a new requirement. Given that most system administrators have enough difficulty understanding IPv4 networks, a dependency on IPv6 seems both premature and an unnecessary complexity.

Corollary: Disabling IPv6 Kills SBS 2008

Simply disabling IPv6 at the network card level carries no dire warning. Services continue to function properly with no warnings or klaxon calls. However, a reboot tells a different story: the absence of IPv6 KILLS a myriad of services on reboot.

While I applaud Microsoft for catching up with its peers vis-à-vis IPv6, I cannot think of another major operating system that kills off its supporting application stack in the absence of IPv6. This “odd” behavior is tragically coupled with the “silent” objection you’ll get when simply “unchecking” the IPv6 boxes on your network interfaces. Then – lying in wait for your next service-pack-forced reboot – comes a storm of failed services (also silently failing) announced by a broken Exchange service and upset users.

Fine Print and Resolving the IPv6 Dependency

Fine print? Disabling IPv6 on Server 2008 requires a registry edit, not a mouse click. Why didn’t the “gurus” at Redmond just grey out the IPv6 check box? It probably comes down to testing. Short answer: leave IPv6 enabled.

If you really need to disable IPv6 – you know, since it’s likely untested and riddled with network security issues – then read the fine print and make a registry hack. The Knowledge Base article (#929852) gives some additional insight into the depth of IPv6’s dependencies and what is happening when they’re “simply” disabled.
