Last week, I did a routine check of a client site's firewall log and discovered, as usual, the log was clogged with records showing that the firewall had blocked Universal Plug and Play (UPnP) packets from three Windows XP systems on the network. Whenever the UPnP specter raises its ugly head, the traffic pattern is the same: the firewall logs four UPnP packets every 25 seconds from each system, 24 hours a day. Aside from the fact that these packets consume bandwidth and are useless on a corporate network, UPnP events clog the firewall log. If you haven’t yet tackled the constant UPnP chatter on your network, read on to discover what UPnP traffic is, the security issues around UPnP, the XP services and components that generate UPnP traffic, and a few commands you can use to identify and kill the responsible process.
What is UPnP?
Unlike the Plug and Play (PnP) protocol the OS uses to detect the presence or absence of locally connected PnP-compatible hardware devices, UPnP is designed to locate UPnP-compatible network devices. UPnP is a group of protocols that enable home-based XP networks to be self-configuring and reduce the technical acumen users need to implement peer-to-peer networking. In theory, when you plug a UPnP-compatible printer, digital camera, or scanner into the network, XP’s UPnP discovery process helps the OS locate, identify, and connect to such devices. I've never purchased or installed a UPnP-compatible network device, so I don't know whether such hardware is widely available or how well it works.
UPnP Security Risks
Every default install of XP Professional Edition and XP Home Edition includes the UPnP service and MSN Explorer. The UPnP service is a native service and MSN Explorer is an XP component. You introduce UPnP traffic on Windows 2000 and Windows 9x systems when you install MSN Messenger. Unless you perform a custom MSN Messenger install, each system will start transmitting UPnP packets as soon as it boots. Even worse, the packets indicate that the system is ready, willing, and able to accept incoming traffic on TCP port 5000 and UDP port 1900. If you have an XP system connected to the Internet and you don’t disable UPnP traffic, you’re inviting intrusive activity.
If you don’t disable UPnP or install the hotfix that Security Bulletin MS01-059 (Unchecked Buffer in Universal Plug and Play can Lead to System Compromise) describes, a malicious user can remotely gain control of the system and download and run code of the malicious user’s choice. For more information, read the Microsoft article "Unchecked Buffer in Universal Plug and Play Can Lead to System Compromise for Windows XP" at http://support.microsoft.com/default.aspx?scid=kb;en-us;q315000. You can download the English version of the UPnP hotfix at http://www.microsoft.com/downloads/release.asp?releaseid=34951.
Some of the malicious code is responsible for well-documented Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Security experts anticipate that UPnP attacks will increase in frequency and severity as hackers ramp up to exploit existing and future vulnerabilities.
XP’s UPnP feature uses two native services: the UPnP Device Host service and the Simple Service Discovery Protocol (SSDP) service. The UPnP Device Host service depends on the SSDP service. A standard XP install enables the SSDP service and sets the startup type to automatic; a standard install also sets the UPnP Device Host service startup type to manual startup, but doesn't enable the service. XP components that implement UPnP functionality start the UPnP Device Host service as needed. These services generate UPnP traffic at hourly or longer intervals and announce to anyone listening that the system will accept incoming TCP and UDP connections. The announcements contain the TCP/IP address of the XP system, which means that an XP system connected to the Internet is a well-known and vulnerable entity. You can eliminate this source of vulnerability by disabling both services.
To disable activity from the native services, open the Control Panel Services applet, which runs in the Microsoft Management Console (MMC). First, stop the dependent UPnP Device Host service if it's running and set its startup type to Disabled. Then stop the SSDP service and set its startup type to Disabled. Some automatic XP updates and hotfixes re-enable both services, so you’ll need to check your firewall log regularly to ensure that UPnP packets are not present on the network. If you’re building images for a corporate network, you can use a security template or Group Policy to permanently disable both services.
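One way to make that regular firewall-log check mechanical, as an added example that is not from the article: a Python script that parses constructed log lines (the field layout of date, time, action, protocol, source IP, destination IP, source port, destination port is an assumption, so adapt the regex to your firewall's format), keeps only the UDP 1900 and TCP 5000 traffic the article names, and flags hosts that still beacon on the 25-second cadence described in the introduction, which is how you spot systems where an update has quietly re-enabled UPnP.

```python
import re
from collections import defaultdict
from datetime import datetime

UPNP_PORTS = {("UDP", 1900), ("TCP", 5000)}  # the two ports the article names
LINE_RE = re.compile(r"^(\S+ \S+) \w+ (UDP|TCP) (\S+) \S+ \d+ (\d+)")

# Constructed sample log (not from the article). Fields: date, time, action,
# protocol, source IP, destination IP, source port, destination port.
SAMPLE_LOG = """\
2003-04-14 09:00:00 DROP UDP 192.168.1.10 239.255.255.250 1900 1900
2003-04-14 09:00:03 DROP UDP 192.168.1.11 239.255.255.250 1900 1900
2003-04-14 09:00:08 DROP TCP 192.168.1.12 10.1.1.5 1055 80
2003-04-14 09:00:25 DROP UDP 192.168.1.10 239.255.255.250 1900 1900
2003-04-14 09:00:25 DROP UDP 192.168.1.10 239.255.255.250 1900 1900
2003-04-14 09:00:28 DROP UDP 192.168.1.11 239.255.255.250 1900 1900
2003-04-14 09:00:41 DROP TCP 192.168.1.12 192.168.1.10 1060 5000
2003-04-14 09:00:50 DROP UDP 192.168.1.10 239.255.255.250 1900 1900
2003-04-14 09:00:53 DROP UDP 192.168.1.11 239.255.255.250 1900 1900
"""

def parse_line(line):
    """Return (timestamp, protocol, source IP, destination port) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, proto, src, dport = m.groups()
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), proto, src, int(dport)

def find_upnp_talkers(log_text, period=25, tolerance=2):
    """Group UPnP-port packets by source host and flag a fixed beacon period.
    "periodic" is True when every gap between bursts lies within `tolerance`
    seconds of `period` (the article's 25-second cadence)."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (rec[1], rec[3]) in UPNP_PORTS:
            stamps[rec[2]].append(rec[0])
    report = {}
    for src, times in stamps.items():
        bursts = sorted(set(times))  # packets logged in the same second = one burst
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        periodic = bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)
        report[src] = {"packets": len(times), "bursts": len(bursts), "periodic": periodic}
    return report

if __name__ == "__main__":
    for src, info in sorted(find_upnp_talkers(SAMPLE_LOG).items()):
        state = "periodic UPnP beacon" if info["periodic"] else "isolated UPnP packet(s)"
        print(f"{src}: {info['packets']} packets in {info['bursts']} bursts, {state}")
```

Hosts reported as periodic are the ones to revisit in the Services applet; a single isolated packet is worth noting but does not by itself indicate a re-enabled service.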
MSN Explorer is a suite of utilities that facilitate Internet communication, one of which is the Messenger service. The Messenger service, which you can install as a standalone feature using Windows Update, is the source of the every-25-seconds UPnP traffic that clogs the firewall log. MSN Explorer is an XP component, so it doesn't appear in the list of installed programs in Add/Remove Programs. To remove MSN Explorer, open Add/Remove Programs, click the Windows Components button, and clear the MSN Explorer check box when it appears in the component list. Best practices suggest that you remove MSN Explorer from all XP builds you plan to distribute on your network.