Thursday, November 29, 2012

Microsoft PowerShell IPv6 best practices notes

I just wanted to jot down some notes about some PowerShell commands to use for IPv6 best practices for servers and workstations in enterprise environments.

I recommend turning off all the transition technology solutions on Windows systems, specifically 6to4, ISATAP and Teredo (unless you have a specific use case and design that leverages them). To address each of those, the following PowerShell commands can be used.

For Windows 8 and Server 2012 PowerShell v3 use:
# - specific IPv6 PowerShell cmdlets
# - turn off 6to4
Set-Net6to4Configuration -State Disabled
#
# - turn off isatap
Set-NetIsatapConfiguration -State Disabled
#
# - turn off teredo
Set-NetTeredoConfiguration -Type Disabled
#

For Windows 7 and Server 2008R2 PowerShell v2 use:
# - specific IPv6 netsh commands - still work from PowerShell
# - turn off 6to4
netsh interface ipv6 6to4 set state disabled
#
# - turn off isatap
netsh interface isatap set state disabled
#
# - turn off teredo
netsh interface teredo set state type=Disabled

#

To validate the configurations use the following.
For Windows 8 and Server 2012 PowerShell v3 use:
# - check 6to4 state
Get-Net6to4Configuration
#
# - check isatap state
Get-NetIsatapConfiguration
#
# - check teredo state
Get-NetTeredoConfiguration
#

For Windows 7 and Server 2008R2 PowerShell v2 use:
# - check 6to4 state
netsh interface ipv6 6to4 show state
#
# - check isatap state
netsh interface ipv6 isatap show state
#
# - check teredo state
netsh interface teredo show state
#
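
The three validation checks above can be combined into one pass/fail report for Windows 8 and Server 2012. This is an added example, not code from the original post; the function name Test-TransitionTechDisabled and the output column names are hypothetical, and it assumes the State property on the 6to4 and ISATAP objects and the Type property on the Teredo object hold the values set earlier.

```powershell
# Added example: audit 6to4, ISATAP and Teredo on Windows 8 / Server 2012 (PowerShell v3).
# Test-TransitionTechDisabled is a hypothetical helper name, not a built-in cmdlet.
function Test-TransitionTechDisabled {
    [CmdletBinding()]
    param()

    # Pair each Get- cmdlet from the post with the property that holds its state.
    $checks = @(
        @{ Name = '6to4';   Cmdlet = 'Get-Net6to4Configuration';   Property = 'State' },
        @{ Name = 'ISATAP'; Cmdlet = 'Get-NetIsatapConfiguration'; Property = 'State' },
        @{ Name = 'Teredo'; Cmdlet = 'Get-NetTeredoConfiguration'; Property = 'Type'  }
    )

    foreach ($check in $checks) {
        try {
            $config = & $check.Cmdlet -ErrorAction Stop
            $value  = [string]$config.($check.Property)
        }
        catch {
            # Cmdlet missing (older OS) or query failed: report it, never assume compliance.
            $value = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Technology   = $check.Name
            Setting      = $value
            Compliant    = ($value -eq 'Disabled')
        }
    }
}

# Show the full report, then list only the technologies that still need attention.
$results = Test-TransitionTechDisabled
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} transition technology setting(s) not disabled on {1}" -f $failed.Count, $env:COMPUTERNAME)
}
```

A value of Default counts as non-compliant here, since only an explicit Disabled matches the configuration set above.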

I hope to be putting together some more useful cmdlets for folks to get best practice configurations pushed out en masse for platforms regarding IPv6, adding in firewall rules and protections and perhaps some extensions for routing and source address selection for enterprises to control behavior the way they want.
- Ed
