PC Review



disadvantages in disabling ssdp and upnp

 
 
jim
      30th Jan 2007
My tray icons did not show on XP startup, so after reading some pages I
disabled 2 services, ssdp and upnp, and now the icons show right away!

Some sites URGE you to disable these because they are a security risk!!!

however this may not let some programs use the upnp feature of my router...

what are the disadvantages in general with these disabled...

also... can I do the manual settings for my router instead of using upnp?


thanks


 
Chuck
      30th Jan 2007
On Tue, 30 Jan 2007 16:52:33 +0200, "jim" <1@1.1> wrote:

>My tray icons did not show on XP startup, so after reading some pages I
>disabled
>2 services, ssdp and upnp, and now the icons show right away!
>
>Some sites URGE you to disable these because they are a security risk!!!
>
>however this may not let some programs use the upnp feature of my router...
>
>what are the disadvantages in general with these disabled...
>
>also... can I do the manual settings for my router instead of using upnp?


You can do manual settings for your router if you wish. But think a bit. On a
LAN with computers uncontrolled, running unknown software, opening UPnP on the
router would be bad. UPnP is an essential layer of security there. Then, you
would need to manually open a port when you want to run a program.

But what if you forget to close the port, when you should? On a LAN with a
properly designed layered security strategy, UPnP may be safer than manual
settings.
<http://nitecruzr.blogspot.com/2006/01/nat-routers-with-upnp-security-risk-or.html>

But UPnP is no substitute for proper security.
<http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 
jim
      30th Jan 2007
very nice info there... can you answer some of these questions for me?

1) I thought you had to have upnp enabled both on router and on xp for upnp
to work, however I saw that one application works with upnp with upnp disabled
in windows, and only enabled on the router. What is the significance of this?

2) what is the difference between upnp on the router and on XP?

3) If the router can do all the UPNP work, why do we need upnp on XP in the
first place?

thanks!


"Chuck" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 30 Jan 2007 16:52:33 +0200, "jim" <1@1.1> wrote:
>
>>My tray icons did not show on XP startup, so after reading some pages I
>>disabled
>>2 services, ssdp and upnp, and now the icons show right away!
>>
>>Some sites URGE you to disable these because they are a security risk!!!
>>
>>however this may not let some programs use the upnp feature of my
>>router...
>>
>>what are the disadvantages in general with these disabled...
>>
>>also... can I do the manual settings for my router instead of using upnp?

>
> You can do manual setting for your router if you wish. But think a bit.
> On a
> LAN with computers uncontrolled, running unknown software, opening UPnP on
> the
> router would be bad. UPnP is an essential layer of security there. Then,
> you
> would need to manually open a port when you want to run a program.
>
> But what if you forget to close the port, when you should? On a LAN with
> a
> properly designed layer security strategy, UPnP may be safer than manual
> settings.
> <http://nitecruzr.blogspot.com/2006/01/nat-routers-with-upnp-security-risk-or.html>
> http://nitecruzr.blogspot.com/2006/0...y-risk-or.html
>
> But UPnP is no substitute for proper security.
> <http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>
> http://nitecruzr.blogspot.com/2005/0...ayer-your.html
>
> --
> Cheers,
> Chuck, MS-MVP [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My email is AT DOT
> actual address pchuck mvps org.



 
Chuck
      30th Jan 2007
On Tue, 30 Jan 2007 18:30:20 +0200, "jim" <1@1.1> wrote:

>"Chuck" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> On Tue, 30 Jan 2007 16:52:33 +0200, "jim" <1@1.1> wrote:
>>
>>>My tray icons did not show on XP startup, so after reading some pages I
>>>disabled
>>>2 services, ssdp and upnp, and now the icons show right away!
>>>
>>>Some sites URGE you to disable these because they are a security risk!!!
>>>
>>>however this may not let some programs use the upnp feature of my
>>>router...
>>>
>>>what are the disadvantages in general with these disabled...
>>>
>>>also... can I do the manual settings for my router instead of using upnp?

>>
>> You can do manual setting for your router if you wish. But think a bit.
>> On a
>> LAN with computers uncontrolled, running unknown software, opening UPnP on
>> the
>> router would be bad. UPnP is an essential layer of security there. Then,
>> you
>> would need to manually open a port when you want to run a program.
>>
>> But what if you forget to close the port, when you should? On a LAN with
>> a
>> properly designed layer security strategy, UPnP may be safer than manual
>> settings.
>> <http://nitecruzr.blogspot.com/2006/01/nat-routers-with-upnp-security-risk-or.html>
>> http://nitecruzr.blogspot.com/2006/0...y-risk-or.html
>>
>> But UPnP is no substitute for proper security.
>> <http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>
>> http://nitecruzr.blogspot.com/2005/0...ayer-your.html


>very nice info there... can you answer some of these questions for me?
>
>1) I thought you had to have upnp enabled both on router and on xp for upnp
>to work,
>however I saw that one application works with upnp with upnp disabled in
>windows, and only enabled on the router. What is the significance of this?
>2) what is the difference between upnp on the router and on XP?
>
>3) If the router can do all the UPNP work, why do we need upnp on XP in the
>first place?


Jim,

UPnP allows software running on a computer to discover, and to control,
hardware. Router UPnP is a subset of UPnP, and allows UPnP capable network
applications (like your IM program) to control a UPnP capable NAT router.

UPnP requires two components. The Hardware has to support UPnP, to be
controlled. The Software has to support UPnP, to do the controlling.

Unfortunately, it's easy to overlook the differences, and the similarities, and
focus on only one issue. That, I believe, is Steve Gibson's problem - he
focuses too narrowly on one issue, usually the one that gets him the most media
exposure.
<http://www.grc.com/unpnp/unpnp.htm>

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 
jim
      30th Jan 2007
wow.. I am ashamed to say that I am ignorant about all this..

so what you are saying is that the xp upnp is only for hardware
and the upnp on the router is for software? In that case I need only the
upnp on the router!

thanks in advance

"Chuck" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 30 Jan 2007 18:30:20 +0200, "jim" <1@1.1> wrote:
>
>>"Chuck" <(E-Mail Removed)> wrote in message
>>news:(E-Mail Removed)...
>>> On Tue, 30 Jan 2007 16:52:33 +0200, "jim" <1@1.1> wrote:
>>>
>>>>My tray icons did not show on XP startup, so after reading some pages I
>>>>disabled
>>>>2 services, ssdp and upnp, and now the icons show right away!
>>>>
>>>>Some sites URGE you to disable these because they are a security risk!!!
>>>>
>>>>however this may not let some programs use the upnp feature of my
>>>>router...
>>>>
>>>>what are the disadvantages in general with these disabled...
>>>>
>>>>also... can I do the manual settings for my router instead of using
>>>>upnp?
>>>
>>> You can do manual setting for your router if you wish. But think a bit.
>>> On a
>>> LAN with computers uncontrolled, running unknown software, opening UPnP
>>> on
>>> the
>>> router would be bad. UPnP is an essential layer of security there.
>>> Then,
>>> you
>>> would need to manually open a port when you want to run a program.
>>>
>>> But what if you forget to close the port, when you should? On a LAN
>>> with
>>> a
>>> properly designed layer security strategy, UPnP may be safer than manual
>>> settings.
>>> <http://nitecruzr.blogspot.com/2006/01/nat-routers-with-upnp-security-risk-or.html>
>>> http://nitecruzr.blogspot.com/2006/0...y-risk-or.html
>>>
>>> But UPnP is no substitute for proper security.
>>> <http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>
>>> http://nitecruzr.blogspot.com/2005/0...ayer-your.html

>
>>very nice info there... can you answer some of these questions for me?
>>
>>1) I thought you had to have upnp enabled both on router and on xp for
>>upnp
>>to work,
>>however I saw that one application works with upnp with upnp disabled in
>>windows, and only enabled on the router. What is the significance of this?
>>2) what is the difference between upnp on the router and on XP?
>>
>>3) If the router can do all the UPNP work, why do we need upnp on XP in
>>the
>>first place?

>
> Jim,
>
> UPnP allows software running on a computer to discover, and to control,
> hardware. Router UPnP is a subset of UPnP, and allows UPnP capable
> network
> applications (like your IM program) to control a UPnP capable NAT router.
>
> UPnP requires two components. The Hardware has to support UPnP, to be
> controlled. The Software has to support UPnP, to do the controlling.
>
> Unfortunately, it's easy to overlook the differences, and the
> similarities, and
> focus on only one issue. That, I believe, is Steve Gibson's problem - he
> focuses too narrowly on one issue, usually the one that gets him the most
> media
> exposure.
> <http://www.grc.com/unpnp/unpnp.htm>
> http://www.grc.com/unpnp/unpnp.htm
>
> --
> Cheers,
> Chuck, MS-MVP [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My email is AT DOT
> actual address pchuck mvps org.



 
Chuck
      31st Jan 2007
On Tue, 30 Jan 2007 19:10:27 +0200, "jim" <1@1.1> wrote:

>"Chuck" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> On Tue, 30 Jan 2007 18:30:20 +0200, "jim" <1@1.1> wrote:
>>
>>>"Chuck" <(E-Mail Removed)> wrote in message
>>>news:(E-Mail Removed)...
>>>> On Tue, 30 Jan 2007 16:52:33 +0200, "jim" <1@1.1> wrote:
>>>>
>>>>>My tray icons did not show on XP startup, so after reading some pages I
>>>>>disabled
>>>>>2 services, ssdp and upnp, and now the icons show right away!
>>>>>
>>>>>Some sites URGE you to disable these because they are a security risk!!!
>>>>>
>>>>>however this may not let some programs use the upnp feature of my
>>>>>router...
>>>>>
>>>>>what are the disadvantages in general with these disabled...
>>>>>
>>>>>also... can I do the manual settings for my router instead of using
>>>>>upnp?
>>>>
>>>> You can do manual setting for your router if you wish. But think a bit.
>>>> On a
>>>> LAN with computers uncontrolled, running unknown software, opening UPnP
>>>> on
>>>> the
>>>> router would be bad. UPnP is an essential layer of security there.
>>>> Then,
>>>> you
>>>> would need to manually open a port when you want to run a program.
>>>>
>>>> But what if you forget to close the port, when you should? On a LAN
>>>> with
>>>> a
>>>> properly designed layer security strategy, UPnP may be safer than manual
>>>> settings.
>>>> <http://nitecruzr.blogspot.com/2006/01/nat-routers-with-upnp-security-risk-or.html>
>>>> http://nitecruzr.blogspot.com/2006/0...y-risk-or.html
>>>>
>>>> But UPnP is no substitute for proper security.
>>>> <http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>
>>>> http://nitecruzr.blogspot.com/2005/0...ayer-your.html

>>
>>>very nice info there... can you answer some of these questions for me?
>>>
>>>1) I thought you had to have upnp enabled both on router and on xp for
>>>upnp
>>>to work,
>>>however I saw that one application works with upnp with upnp disabled in
>>>windows, and only enabled on the router. What is the significance of this?
>>>2) what is the difference between upnp on the router and on XP?
>>>
>>>3) If the router can do all the UPNP work, why do we need upnp on XP in
>>>the
>>>first place?

>>
>> Jim,
>>
>> UPnP allows software running on a computer to discover, and to control,
>> hardware. Router UPnP is a subset of UPnP, and allows UPnP capable
>> network
>> applications (like your IM program) to control a UPnP capable NAT router.
>>
>> UPnP requires two components. The Hardware has to support UPnP, to be
>> controlled. The Software has to support UPnP, to do the controlling.
>>
>> Unfortunately, it's easy to overlook the differences, and the
>> similarities, and
>> focus on only one issue. That, I believe, is Steve Gibson's problem - he
>> focuses too narrowly on one issue, usually the one that gets him the most
>> media
>> exposure.
>> <http://www.grc.com/unpnp/unpnp.htm>
>> http://www.grc.com/unpnp/unpnp.htm


>wow.. I am ashamed to say that I am ignorant about all this..
>
>so what you are saying is that the xp upnp is only for hardware
>and the upnp on the router is for software? In that case I need only the
>upnp on the router!


Let's try again.

The router has to support UPnP (not all do), and your applications (like MSN
Messenger) have to support UPnP (and not all Internet apps do, either), and you
have to enable UPnP on the router (which we're told not to do). If all 3 are
true, you can run multiple MSN Messengers on your LAN, each with audio and
video.

And don't confuse SSDP and UPnP. SSDP discovers compliant devices. UPnP
controls compliant devices. And both will work with devices other than routers.
But the scaredy cats have decided that UPnP is EVIL, and must be destroyed.

I think that computers are evil. Come to think of it, typewriters could be used
rather deviously too. Maybe we should all go back to paper and pencil.

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
 
Ian
      31st Jan 2007

I think the point here is that ANY application could in principle control
your router. AFAIK there is no signing-mechanism or the like to ensure that
the app controlling your router is approved by a recognised vendor.

Thus, a Trojan could open a port for itself to send spam. Or, a commercial
program could do so for skulduggerous purposes such as monitoring your
activities or remote-controlling your computer.

The issue is more at the router, not so much in XP, in that a router which
responds to UPnP requests effectively has low security.

For that matter, who is to say that the SSDP/UPnP services are necessary in
order to control a router? With the correct coding it may be possible to send
UPnP commands to it directly, bypassing Windows' system-level services
completely. That may be possible from pre-XP versions, too.


 
jim
      31st Jan 2007
hello, thank you Chuck and Ian....

I personally am very meticulous about what is happening on my computer...
I never have adware or spyware.... even viruses are very uncommon events
over the years.... so as long as the user (me) knows what he is doing then I
think it's ok to leave the UPNP on on the router... since this functionality
is good...


"Ian" <(E-Mail Removed)> wrote in message
news:EA4C2F1B-60CD-4505-BE76-(E-Mail Removed)...
>
> I think the point here is that ANY application could in principle control
> your router. AFAIK there is no signing-mechanism or the like to ensure
> that
> the app controlling your router is approved by a recognised vendor.
>
> Thus, a Trojan could open a port for itself to send spam. Or, a commercial
> program could do so for skulduggerous purposes such as monitoring your
> activities or remote-controlling your computer.
>
> The issue is at more the router, not so much in XP, in that a router which
> responds to UPnP requests effectively has low security.
>
> For that matter, who is to say that the SSDP/UPnP services are necessary
> in
> order to control a router? With the correct coding it may be possible to
> send
> UPnP commands to it directly, bypassing Windows' system-level services
> completely. That may be possible from pre-XP versions, too.
>
>



 
Chuck
      31st Jan 2007
On Tue, 30 Jan 2007 23:46:01 -0800, Ian <(E-Mail Removed)> wrote:

>
>I think the point here is that ANY application could in principle control
>your router. AFAIK there is no signing-mechanism or the like to ensure that
>the app controlling your router is approved by a recognised vendor.
>
>Thus, a Trojan could open a port for itself to send spam. Or, a commercial
>program could do so for skulduggerous purposes such as monitoring your
>activities or remote-controlling your computer.
>
>The issue is at more the router, not so much in XP, in that a router which
>responds to UPnP requests effectively has low security.
>
>For that matter, who is to say that the SSDP/UPnP services are necessary in
>order to control a router? With the correct coding it may be possible to send
>UPnP commands to it directly, bypassing Windows' system-level services
>completely. That may be possible from pre-XP versions, too.


That's right Ian. ANY application. But if you are letting ANY application run
on one of your computers, what are you doing owning a computer?

If you have some unknown application (ANY application) running on your computer,
and you don't know what it's doing, I submit to you that the LEAST of your
worries is it POSSIBLY opening a port in a UPnP enabled NAT router. You HAVE to
take control of your computers.

Which is why I continually state that depending upon application layer filtering
of outbound traffic, as Zone Alarm does, is not adequate security by itself.
You CANNOT depend upon detecting / preventing malware by logging / restricting
its actions at the perimeter (personal firewall on one computer, or NAT router
on the LAN). You have to prevent malware from operating, by using layered
security.
<http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>

And if you depend upon manually opening and closing a port (manual port
forwarding), or semi automatically opening a port (port triggering), how is that
any better? If you're going to have an Internet server on your LAN, you have to
control your LAN. You cannot let it get to the point where having ONE unknown
application, that's UPnP capable, jeopardises your LAN.

Defend against the problem, not the symptom.

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
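
An added example, not part of the original thread: one way to check the two risks discussed above (a program opening a router port that nobody expected, and a mapping that is never closed) is to audit the router's UPnP port-mapping table against an allowlist. The addresses, ports, allowlist and function names below are constructed for illustration; the field names are the arguments of the UPnP IGD `GetGenericPortMappingEntry` response.

```python
import xml.etree.ElementTree as ET

# Argument names in a WANIPConnection GetGenericPortMappingEntry response.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

# Constructed sample table, one tuple per router mapping, in FIELDS order.
SAMPLE_ROWS = [
    ("", 6891, "TCP", 6891, "192.168.1.10", 1, "msnmsgr", 3600),
    ("", 5060, "UDP", 5060, "192.168.1.10", 1, "voip", 0),
    ("", 8080, "TCP", 8080, "192.168.1.23", 1, "svc", 0),
    ("", 3074, "UDP", 3074, "192.168.1.30", 0, "old-game", 0),
]

# Hypothetical allowlist of expected mappings: (internal client, port, protocol).
ALLOWLIST = {("192.168.1.10", 6891, "TCP"), ("192.168.1.10", 5060, "UDP")}


def sample_response(row):
    """Build one SOAP response body of the shape a router returns (constructed)."""
    args = "".join(f"<{name}>{value}</{name}>" for name, value in zip(FIELDS, row))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{args}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


def parse_mapping(soap_xml):
    """Extract the New* arguments from one response, ignoring XML namespaces."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return {
        "client": fields["NewInternalClient"],
        "int_port": int(fields["NewInternalPort"]),
        "ext_port": int(fields["NewExternalPort"]),
        "proto": fields["NewProtocol"].upper(),
        "enabled": fields["NewEnabled"] == "1",
        "lease": int(fields["NewLeaseDuration"]),
    }


def audit(mappings, allowlist):
    """Return (client, external port, protocol, reason) for each suspect mapping."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue  # a disabled entry forwards nothing
        if (m["client"], m["int_port"], m["proto"]) not in allowlist:
            reason = "not in allowlist"
        elif m["lease"] == 0:
            reason = "permanent lease"  # lease 0 means no expiry in IGD v1
        else:
            continue
        findings.append((m["client"], m["ext_port"], m["proto"], reason))
    return findings


def run_audit():
    mappings = [parse_mapping(sample_response(row)) for row in SAMPLE_ROWS]
    return audit(mappings, ALLOWLIST)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```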
 
jim
      31st Jan 2007
you are a wise man chuck... I agree with everything you said



"Chuck" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 30 Jan 2007 23:46:01 -0800, Ian <(E-Mail Removed)>
> wrote:
>
>>
>>I think the point here is that ANY application could in principle control
>>your router. AFAIK there is no signing-mechanism or the like to ensure
>>that
>>the app controlling your router is approved by a recognised vendor.
>>
>>Thus, a Trojan could open a port for itself to send spam. Or, a commercial
>>program could do so for skulduggerous purposes such as monitoring your
>>activities or remote-controlling your computer.
>>
>>The issue is at more the router, not so much in XP, in that a router which
>>responds to UPnP requests effectively has low security.
>>
>>For that matter, who is to say that the SSDP/UPnP services are necessary
>>in
>>order to control a router? With the correct coding it may be possible to
>>send
>>UPnP commands to it directly, bypassing Windows' system-level services
>>completely. That may be possible from pre-XP versions, too.

>
> That's right Ian. ANY application. But if you are letting ANY
> application run
> on one of your computers, what are you doing owning a computer?
>
> If you have some unknown application (ANY application) running on your
> computer,
> and you don't know what it's doing, I submit to you that the LEAST of your
> worries is it POSSIBLY opening a port in a UPnP enabled NAT router. You
> HAVE to
> take control of your computers.
>
> Which is why I continually state that depending upon application layer
> filtering
> of outbound traffic, as Zone Alarm does, is not adequate security by
> itself.
> You CANNOT depend upon detecting / preventing malware by logging /
> restricting
> its actions at the perimeter (personal firewall on one computer, or NAT
> router
> on the LAN). You have to prevent malware from operating, by using layered
> security.
> <http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html>
> http://nitecruzr.blogspot.com/2005/0...ayer-your.html
>
> And if you depend upon manually opening and closing a port (manual port
> forwarding), or semi automatically opening a port (port triggering), how
> is that
> any better? If you're going to have an Internet server on your LAN, you
> have to
> control your LAN. You cannot let it get to the point where having ONE
> unknown
> application, that's UPnP capable, jeopardises your LAN.
>
> Defend against the problem, not the symptom.
>
> --
> Cheers,
> Chuck, MS-MVP [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My email is AT DOT
> actual address pchuck mvps org.



 