Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 12:11:53 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/Modules/AdvancedSecurity/Private/Set-IPv6Security.ps1

103 lines
4.4 KiB
PowerShell
Raw Normal View History

v2.2.0 - Complete Security Hardening Framework (632 Settings)
2025-12-08 10:32:49 +01:00
function Set-IPv6Security {
<#
.SYNOPSIS
Disable IPv6 to prevent DHCPv6/Router Solicitation attacks (mitm6)
.DESCRIPTION
Disables IPv6 via registry to prevent:
- mitm6 attacks (DHCPv6 spoofing DNS takeover NTLM relay)
- IPv6 Router Advertisement spoofing
- DHCPv6 poisoning attacks
This is the recommended mitigation per Fox-IT security research.
WARNING: May break Exchange Server and some Active Directory features.
Only recommended for air-gapped or high-security systems.
.PARAMETER DisableCompletely
If true, completely disables IPv6 (DisabledComponents = 0xFF)
.EXAMPLE
Set-IPv6Security -DisableCompletely
.NOTES
Registry: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents
Value 0xFF = Disable all IPv6 components
REBOOT REQUIRED for changes to take effect.
References:
- https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows
#>
[CmdletBinding()]
param(
[switch]$DisableCompletely
)
try {
if (-not $DisableCompletely) {
Write-Log -Level INFO -Message "IPv6 disable not requested - keeping default configuration" -Module "AdvancedSecurity"
return $true
}
Write-Log -Level INFO -Message "Disabling IPv6 (mitm6 attack mitigation)..." -Module "AdvancedSecurity"
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
# Backup current value
$currentValue = Get-ItemProperty -Path $regPath -Name "DisabledComponents" -ErrorAction SilentlyContinue
$backupData = @{
Path = $regPath
Name = "DisabledComponents"
PreviousValue = if ($currentValue) { $currentValue.DisabledComponents } else { "_NOT_SET" }
NewValue = 255
BackupDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
}
$backupJson = $backupData | ConvertTo-Json -Depth 10
Register-Backup -Type "Registry" -Data $backupJson -Name "IPv6_DisabledComponents"
# Ensure registry path exists
if (-not (Test-Path $regPath)) {
New-Item -Path $regPath -Force | Out-Null
}
# Set DisabledComponents to 0xFF (255) = Disable all IPv6 components
Set-ItemProperty -Path $regPath -Name "DisabledComponents" -Value 255 -Type DWord -Force
Write-Log -Level SUCCESS -Message "IPv6 disabled (DisabledComponents = 0xFF)" -Module "AdvancedSecurity"
# Verify
$verifyValue = (Get-ItemProperty -Path $regPath -Name "DisabledComponents" -ErrorAction SilentlyContinue).DisabledComponents
if ($verifyValue -eq 255) {
Write-Log -Level SUCCESS -Message "IPv6 disable verified - REBOOT REQUIRED" -Module "AdvancedSecurity"
Write-Host ""
Write-Host "================================================" -ForegroundColor Yellow
Write-Host " IPv6 DISABLED (mitm6 Attack Mitigation)" -ForegroundColor Yellow
Write-Host "================================================" -ForegroundColor Yellow
Write-Host ""
Write-Host "Registry: DisabledComponents = 0xFF (255)" -ForegroundColor White
Write-Host ""
Write-Host "Protection against:" -ForegroundColor Cyan
Write-Host " - DHCPv6 spoofing (mitm6 tool)" -ForegroundColor Gray
Write-Host " - IPv6 Router Advertisement attacks" -ForegroundColor Gray
Write-Host " - DNS takeover via fake DHCPv6 server" -ForegroundColor Gray
Write-Host " - NTLM credential relay attacks" -ForegroundColor Gray
Write-Host ""
Write-Host "REBOOT REQUIRED for changes to take effect!" -ForegroundColor Red
Write-Host ""
return $true
}
else {
Write-Log -Level ERROR -Message "IPv6 disable verification failed" -Module "AdvancedSecurity"
return $false
}
}
catch {
Write-Log -Level ERROR -Message "Failed to disable IPv6: $_" -Module "AdvancedSecurity" -Exception $_.Exception
return $false
}
}
Reference in a new issue Copy permalink