Jump to content

Recommended Posts

On my own systems since I do not use any kind of file or printer sharing or remote desktop/remote login capabilities my systems I go to Network Connections (accessible by entering the following in the Run box or from a command prompt: Rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl) and then right-click on each network connection listed individually and select Properties and uncheck everything listed there except Internet Protocol Version 4 (TCP/IPv4), and I also right-click each item aside from that one and select Uninstall (this cannot be done for Internet Protocol Version 6 (TCP/IPv6) however it may still uncheck it to disable it) so that it looks like this when I'm done:

connection.png.79303720463bfb62db66c6f617943183.png

Since no version of SMB is enabled/installed once I'm done, I am automatically immune to any sort of exploit or attack that relies on it.  Once IPv6 replaces IPv4 I will enable IPv6 and disable IPv4 but IPv6 has not yet become the standard.

Also, if you open services.msc accessible either by searching from the start menu or by accessing Administrative Tools and you may disable and stop each of the following services; note that if you do so, as long as you connect directly to the internet through a router or modem you shouldn't have any problems, however if you access the internet through a work network or shared network connection then it may cause problems so if this is a work PC I would recommend contacting your IT personnel before attempting any changes (for home users this should not cause any problems) and also note that these services apply to Windows 7, some of them do exist on earlier and later Windows versions but not all of them:

Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Configuration
Remote Desktop Services
Remote Desktop Services UserMode Port Redirector
Remote Registry
Routing and Remote Access

By default, Remote Registry should already be disabled, at least if you have the latest service pack for your operating system as Microsoft decided to disable this service due to the high potential risk of abuse.

I also have several Group Policy and Windows registry modifications that I make to my systems that further disable other components related to remote access and file/printer sharing to prevent any kind of remote or over the network access to my system.  I also further optimize the system's performance by eliminating or disabling any Windows services and components that I do not use (for example, Media Center, anything related to touch/tablet input and other optional components added to Windows by Microsoft over the years).

Share this post


Link to post
Share on other sites
Posted (edited)
1 hour ago, exile360 said:

(accessible by entering the following in the Run box or from a command prompt: Rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl)

All you really have to type is ncpa.cpl and it takes you to the same windows...

Edited by Firefox

Share this post


Link to post
Share on other sites

Cool, I didn't know that.  Will that work in all Windows versions?

Share this post


Link to post
Share on other sites

@exile360, as fair I understand this from a security standpoint one should not disable ipv6 in Windows 10 / Server 2016 or later MS needs the fe80 address for some services and said they expect this to be turned on.

on a same subnet ipv6 is said to be used over ipv4.

Share this post


Link to post
Share on other sites
19 minutes ago, alQamar said:

as fair I understand this from a security standpoint one should not disable ipv6 in Windows 10 / Server 2016 or later MS needs the fe80 address for some services and said they expect this to be turned on.

Not saying this is the case... but I have always turned off IPv6 on all my Windows 7/10 computers with no ill effects....

Share this post


Link to post
Share on other sites

If properly setup then ipv6 should not be an issue, but since it really doesn't seem to bring enough value to most businesses, many end up disabling it. The recommendation from Microsoft originated back in Vista/Server 2008 days and practical operations in real life don't seem to prove out an obvious issue that Admins seem to worry about.

https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users

 

Share this post


Link to post
Share on other sites

Hi guys, though this is offtopic, I've to disagree with IPv6. 

Some products even list it in their requirements just as SQL Server and others. Customers has seen issues disabling IPv6 with Windows Client / Server internal services, aswell as Windows Store etc. It back from 2008 but still apply to Windows 10.

 

https://blogs.technet.microsoft.com/netro/2010/11/24/arguments-against-disabling-ipv6/ (2010)

https://blogs.technet.microsoft.com/rmilne/2014/10/29/disabling-ipv6-and-exchange-going-all-the-way/ (2014)

https://blogs.technet.microsoft.com/yongrhee/2018/02/28/stop-hurting-yourself-by-disabling-ipv6-why-do-you-really-do-it-2/ (2018)

 

 

Share this post


Link to post
Share on other sites
1 hour ago, alQamar said:

Hi guys, though this is offtopic, I've to disagree with IPv6. 

Some products even list it in their requirements just as SQL Server and others. Customers has seen issues disabling IPv6 with Windows Client / Server internal services, aswell as Windows Store etc. It back from 2008 but still apply to Windows 10.

That may be, but I have yet to have any problems since I started disabling it on all my systems years ago.  Also as I mentioned in my post, once IPv6 becomes the standard and replaces IPv4 I will re-enable it and disable IPv4, but until that time comes it stays disabled, at least on my systems/devices because I have no use for it (as far as I know, my ISP isn't even set up for IPv6 support yet so I couldn't use anything that requires IPv6 anyway even if I wanted to so it's moot).  It's another case of the tech industry jumping all over a new technology but then allowing it to stagnate due to lack of widespread adoption; it was much the same when x64 first became available as a standard in the early days of Windows Vista and it took quite a while for it to become common enough for widespread support and especially for it to become a hard requirement for any software (there are a few games that I know of that require it and that's about it, the rest are either fully 32-bit or they provide both x86 and x64 versions and I haven't seen much software outside of video games that actually do require it, at least for consumer level software even though today the vast majority of systems are running x64 versions of Windows).  A time will come that we will need to switch to IPv6 due to a lack of available addresses but we aren't there yet, and just like x64, it is taking much longer than expected for it to replace the existing standard even though most devices have native support for it, but eventually it inevitably will.  Until then I see no reason not to disable it.

Share this post


Link to post
Share on other sites

Not saying someone doesn't have an issue but many shops have ipv6 disabled and are not having issues as reported by Microsoft. Maybe the exact specifics are not in place to experience it or the workaround is working in either case it's just not an area I feel a need to champion because as @exile360 said, Microsoft is one of the bigger players that let ipv6 die on the vine so to speak. Just like x64 it took forever for them to get it out as a standard and they still have some of their own products that do not fully support x64.

Share this post


Link to post
Share on other sites
55 minutes ago, AdvancedSetup said:

Not saying someone doesn't have an issue but many shops have ipv6 disabled and are not having issues as reported by Microsoft. Maybe the exact specifics are not in place to experience it or the workaround is working in either case it's just not an area I feel a need to champion because as @exile360 said, Microsoft is one of the bigger players that let ipv6 die on the vine so to speak. Just like x64 it took forever for them to get it out as a standard and they still have some of their own products that do not fully support x64.

Too true, and specifically in the case of x64, you may have noticed that they always warn *against* installing the native x64 version of MS Office products due to possible compatibility issues with plugins and the like and that's one of their own products.  Of course this may have changed in more recent versions (I'm still using 2010 as they haven't made a single change to any of the major MS Office document formats since 2007 when they first rolled out the .x formats and I don't like all the cloud integration in the later Office releases).

Share this post


Link to post
Share on other sites

We disable IPv6 on our network and have had no issues.  I will say this, we have a few computers where the Windows Store Apps have stopped working, perhaps I will try to enable IPv6 to see if it makes a difference.  Symptom: Open any Windows Store App (calculator for example) it opens and closes immediately. Only fix it to restore to a point when it was working before, or re-install windows.

Found this article that may be worth reading.

 

Share this post


Link to post
Share on other sites
15 minutes ago, Firefox said:

...we have a few computers where the Windows Store Apps have stopped working...

That's a good thing in my opinion :P 

All kidding aside though, it is odd that MS would implement their store/apps with an IPv6 dependency at this point given that they must know that many users/businesses disable it and that many ISPs still have yet to roll out support for it.  I guess they could simply be preparing for when it is finally adopted by the masses, but it seems kind of odd to have it be a hard requirement since it's not impossible for their apps and store to be capable of supporting both (and I assume they must otherwise they wouldn't work on the many systems which lack IPv6 connectivity).

Share this post


Link to post
Share on other sites
14 minutes ago, exile360 said:

That's a good thing in my opinion :P 

not so good if they can't run calculator in the accounting department, and can't listen to voice mails because media player does not run.

Share this post


Link to post
Share on other sites
Posted (edited)

Are there no longer included desktop versions of those applications/Windows components in Windows 10?

By the way, while I'm sure they've addressed it by now, apparently at one point there was a but in Windows 10 that broke IPv6 compatibility and according to the article, actually prevented Microsoft from rolling out full IPv6 support at their own Seattle headquarters.

Edited by exile360

Share this post


Link to post
Share on other sites

Those apps that we have gotten so used to in the past are part of the Windows Store now.

Sure I can install 3rd party apps to use but that's not the point, these apps should run in Windows as default apps. Here are most of them that won't run if you run into the issue of Windows Apps not working (as many people are having)

 

store_apps1.jpg

store_apps2.jpg

Share this post


Link to post
Share on other sites
Posted (edited)
1 hour ago, exile360 said:

Well that's frustrating.  I thought you could install WMP in Windows 10 though without the app store.

Windows Media player is still part of Windows including 1903 It is located in Start-Windows accessories folder.

 

2019-05-23_19h30_52.png

Edited by Porthos

Share this post


Link to post
Share on other sites

I've split and moved the posts above as the IPv6 discussion and WMP don't relate to the original article about the RDP worm update from Microsoft

 

 

Share this post


Link to post
Share on other sites
Posted (edited)

Back to the discussion about the IPv6, here is general information mainly for those who might be searching and come across this post. They won't have to do as much searching for information.

 

Talk about leaving IPv6 in the dust - this is a dedicated blog from Microsoft about IPv6 with the last entry being July 13, 2012 - 7 years ago. Makes one wonder how serious Microsoft really is about forcing the use or need of IPv6

News and comments from the IPv6 product team at Microsoft.
https://blogs.technet.microsoft.com/ipv6/

This is their main Web page for IPv6 and it too was last updated in 2012
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10)


All of this said. In the majority of cases, there probably is no real need to disable IPv6 on a modern computer running Windows.
As a business, if you have IPv6 disabled on all systems and then decide you want to use it, you then have to update all the system not using it to use it which could be costly in time


Microsoft does make GPOs available though to disable and enable IPv6 or it can be done via the Registry manually as well

Guidance for configuring IPv6 in Windows for advanced users
https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users

Startup delay occurs after you disable IPv6 in Windows
https://support.microsoft.com/en-us/help/3014406/startup-delay-occurs-after-you-disable-ipv6-in-windows


Example of recent use of IPv6 by Microsoft in Azure

What is IPv6 for Azure Virtual Network? (Preview)
https://docs.microsoft.com/en-us/azure/virtual-network/ipv6-overview

Support for anonymous inbound email messages over IPv6
https://docs.microsoft.com/en-us/office365/securitycompliance/support-for-anonymous-inbound-email-messages-over-ipv6

Internet Protocol Version 6 (IPv6) Overview
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/hh831730(v=ws.11)

Understanding IPv6 Link-Local Address
https://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113328-ipv6-lla.html

Link-local address
https://en.wikipedia.org/wiki/Link-local_address

what is the use of link-local address
https://learningnetwork.cisco.com/thread/105286

APIPA - Automatic Private IP Addressing
https://www.webopedia.com/TERM/A/APIPA.html

IPv6 - Site-local addresses and link-local addresses
https://4sysops.com/archives/ipv6-tutorial-part-6-site-local-addresses-and-link-local-addresses

IPv6 tutorial - Part 1: Get started now!
Michael Pietroforte  Wed, Feb 9, 2011
https://4sysops.com/archives/ipv6-part-1-get-started-now/

User Interface Issues for IPv6 Winsock Applications
https://docs.microsoft.com/en-us/windows/desktop/winsock/user-interface-issues-2


Article about Windows deployment with much of the Windows 10  OneDrive, Location and Telemetry tracking, the Windows Store, default applications and etc. gutted out of the installation
https://4sysops.com/activity/p/23484/#acomment-23496

 

 

Edited by AdvancedSetup
updated information

Share this post


Link to post
Share on other sites
58 minutes ago, AdvancedSetup said:

I've split and moved the posts above as the IPv6 discussion and WMP don't relate to the original article about the RDP worm update from Microsoft

 

Muy apreciado.

Share this post


Link to post
Share on other sites

One of the major issues/concerns with IPv6 is that we actually lose some important functionality that was implemented for IPv4 as a workaround for IPv4's limitations that resulted in an increase in privacy and security in some ways such as NAT (Network Address Translation) which helps to increase anonymity online when connecting to the web using a NAT enabled device such as a hardware router or external modem from an ISP.  Since IPv6 provides a unique IP address, which includes MAC address information from the user's current network device (the actual network hardware/NIC in your computer such as your wireless card or wired ethernet controller in your PC), even if you connect to the web through a router or modem, IPv6 provides your device's exact IP address to the sites you connect to rather than the generic/translated IP provided by your modem/router and ISP.  Some features have been developed in the IPv6 implementations of some platforms to prevent user/device tracking through IPv6 by randomizing the IP address for individual devices on a daily basis so that a device's IP does not remain static across sessions/days/networks, however this depends a lot on the operating system being used and its implementation of IPv6.  There are also other privacy and security concerns with regards to IPv6 which have yet to be addressed, for example many security and privacy tools designed to secure networks and connected devices were built to secure IPv4 connections/devices, and with the functions of IPv6 being very different in many ways this breaks compatibility with many such tools.  I have no doubt that tools will be upgraded over time to provide similar functionality and protection for IPv6 connections/networks/devices, however yet another issue with the slow, sporadic rollout of IPv6 is that many of the vendors/developers who create/maintain these tools have yet to implement full IPv6 support.

Additional information on the details of IPv6 and many of the concerns about it as well as many of the benefits (aside from just the simple fact that it provides many more IPs so that we hopefully won't be running out of addresses for the foreseeable future once it is rolled out across the board) are detailed in the links below:

https://iapp.org/news/a/2011-09-09-facing-the-privacy-implications-of-ipv6/
https://reclaimthenet.org/what-is-ipv6-and-what-are-the-privacy-issues/
https://tools.ietf.org/html/rfc4864
https://tools.ietf.org/html/draft-ietf-6man-ipv6-address-generation-privacy-08
https://www.internetsociety.org/blog/2014/12/ipv6-privacy-addresses-provide-protection-against-surveillance-and-tracking/
https://www.privateinternetaccess.com/blog/2017/04/nato-warns-ipv6-security-concerns-network-intrusion-detection-systems-may-miss/

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.