Disadvantages in disabling SSDP and UPnP

jim

My tray icons did not show on XP startup, so after reading some pages I
disabled 2 services, SSDP and UPnP, and now the icons show right away!

Some sites URGE you to disable these because they are a security risk!!!

However, this may not let some programs use the UPnP feature of my router...

What are the disadvantages in general with these disabled...

Also... can I do the manual settings for my router instead of using UPnP?


thanks

Chuck

> My tray icons did not show on XP startup, so after reading some pages I
> disabled 2 services, SSDP and UPnP, and now the icons show right away!
>
> Some sites URGE you to disable these because they are a security risk!!!
>
> However, this may not let some programs use the UPnP feature of my router...
>
> What are the disadvantages in general with these disabled...
>
> Also... can I do the manual settings for my router instead of using UPnP?

You can do manual settings for your router if you wish. But think a bit. On a
LAN with uncontrolled computers, running unknown software, opening UPnP on the
router would be bad. UPnP is an essential layer of security there. Then, you
would need to manually open a port when you want to run a program.

But what if you forget to close the port when you should? On a LAN with a
properly designed layered security strategy, UPnP may be safer than manual
settings.
http://nitecruzr.blogspot.com/2006/01/nat-routers-with-upnp-security-risk-or.html

But UPnP is no substitute for proper security.
http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html

jim

Very nice info there... can you answer some of these questions for me?

1) I thought you had to have UPnP enabled both on the router and on XP for UPnP
to work; however, I saw that one application works with UPnP with UPnP disabled in
Windows, and only enabled on the router. What is the significance of this?

2) What is the difference between UPnP on the router and on XP?

3) If the router can do all the UPnP work, why do we need UPnP on XP in the
first place?

thanks!

Chuck

> Very nice info there... can you answer some of these questions for me?
>
> 1) I thought you had to have UPnP enabled both on the router and on XP for UPnP
> to work; however, I saw that one application works with UPnP with UPnP disabled in
> Windows, and only enabled on the router. What is the significance of this?
>
> 2) What is the difference between UPnP on the router and on XP?
>
> 3) If the router can do all the UPnP work, why do we need UPnP on XP in the
> first place?

Jim,

UPnP allows software running on a computer to discover, and to control,
hardware. Router UPnP is a subset of UPnP, and allows UPnP capable network
applications (like your IM program) to control a UPnP capable NAT router.

UPnP requires two components. The Hardware has to support UPnP, to be
controlled. The Software has to support UPnP, to do the controlling.

Unfortunately, it's easy to overlook the differences, and the similarities, and
focus on only one issue. That, I believe, is Steve Gibson's problem - he
focuses too narrowly on one issue, usually the one that gets him the most media
exposure.
http://www.grc.com/unpnp/unpnp.htm

jim

Wow... I am ashamed to say that I am ignorant about all this...

So what you are saying is that the XP UPnP is only for hardware
and the UPnP on the router is for software? In that case I need only the
UPnP on the router!

thanks in advance

Chuck

> Wow... I am ashamed to say that I am ignorant about all this...
>
> So what you are saying is that the XP UPnP is only for hardware
> and the UPnP on the router is for software? In that case I need only the
> UPnP on the router!

Let's try again.

The router has to support UPnP (not all do), and your applications (like MSN
Messenger) have to support UPnP (and not all Internet apps do, either), and you
have to enable UPnP on the router (which we're told not to do). If all 3 are
true, you can run multiple MSN Messengers on your LAN, each with audio and
video.

And don't confuse SSDP and UPnP. SSDP discovers compliant devices. UPnP
controls compliant devices. And both will work with devices other than routers.
But the scaredy cats have decided that UPnP is EVIL, and must be destroyed.

I think that computers are evil. Come to think of it, typewriters could be used
rather deviously too. Maybe we should all go back to paper and pencil.

Guest

I think the point here is that ANY application could in principle control
your router. AFAIK there is no signing mechanism or the like to ensure that
the app controlling your router is approved by a recognised vendor.

Thus, a Trojan could open a port for itself to send spam. Or, a commercial
program could do so for skulduggerous purposes such as monitoring your
activities or remote-controlling your computer.

The issue is more at the router, not so much in XP, in that a router which
responds to UPnP requests effectively has low security.

For that matter, who is to say that the SSDP/UPnP services are necessary in
order to control a router? With the correct coding it may be possible to send
UPnP commands to it directly, bypassing Windows' system-level services
completely. That may be possible from pre-XP versions, too.
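Chuck's distinction (SSDP discovers the router, UPnP controls it) and Ian's point that any program on the LAN can ask the router for a port mapping suggest the check a defender actually wants: list what the router has opened and compare it with what you knowingly created. The following is an added example, not code from this thread; the SSDP reply and the GetGenericPortMappingEntry SOAP responses are constructed samples in the standard IGD layout, and the router URL, hosts and ports are placeholders.

```python
import xml.etree.ElementTree as ET
SSDP_HOST = "239.255.255.250:1900"   # SSDP multicast group and port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(st=IGD_ST, mx=2):
    """Raw SSDP M-SEARCH datagram (UDP to SSDP_HOST) that asks UPnP routers to announce themselves."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}\r\nMAN: \"ssdp:discover\"\r\n"
            f"MX: {mx}\r\nST: {st}\r\n\r\n").encode()

def parse_ssdp_response(raw):
    """Map the reply's HTTP-style headers to {NAME: value}; LOCATION is the device description URL."""
    lines = raw.decode(errors="replace").split("\r\n")[1:]
    return {k.strip().upper(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}

def parse_port_mapping(soap_xml):
    """Pull the New* fields out of one GetGenericPortMappingEntry SOAP response."""
    fields = {}
    for elem in ET.fromstring(soap_xml).iter():
        tag = elem.tag.split("}")[-1]          # drop any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (elem.text or "").strip()
    return fields

def audit_mappings(mappings, allowlist):
    """Return mappings whose (protocol, external port, internal host) the LAN owner did not create."""
    return [m for m in mappings
            if (m["Protocol"].upper(), int(m["ExternalPort"]), m["InternalClient"]) not in allowlist]

# Constructed sample data for the demo, not captured from a real router.
SAMPLE_SSDP_REPLY = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                     "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                     f"ST: {IGD_ST}\r\nUSN: uuid:example-igd::{IGD_ST}\r\n\r\n").encode()

def soap_entry(ext, proto, host, desc):
    """Constructed GetGenericPortMappingEntryResponse document in the WANIPConnection:1 layout."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
            f"<NewInternalPort>{ext}</NewInternalPort><NewInternalClient>{host}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>"
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")

SAMPLE_MAPPINGS = [parse_port_mapping(soap_entry(6891, "TCP", "192.168.1.50", "MSN Messenger")),
                   parse_port_mapping(soap_entry(25, "TCP", "192.168.1.77", ""))]
ALLOWLIST = {("TCP", 6891, "192.168.1.50")}   # the one mapping the LAN owner knowingly created

def unexpected_mappings():
    return audit_mappings(SAMPLE_MAPPINGS, ALLOWLIST)

if __name__ == "__main__":
    print("unexpected:", [(m["Protocol"], m["ExternalPort"], m["InternalClient"]) for m in unexpected_mappings()])
```

On a live LAN the same parsers apply to the real M-SEARCH reply and to each SOAP response obtained by walking NewPortMappingIndex upward until the router returns a fault; an unlabelled mapping to a host you did not configure is the symptom Ian describes.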
 
jim

hello thank you chuck and Ian....

I personally am very meticulous about what is happening on my computer...
I never have adware or spyware.... even viruses are very uncommon events
over the years.... so as long as the user (me) knows what he is doing then I
think its ok to
leave the UPNP on on the router... since this functionality is good...
 
C

Chuck

> I think the point here is that ANY application could in principle control
> your router. AFAIK there is no signing mechanism or the like to ensure that
> the app controlling your router is approved by a recognised vendor.
>
> Thus, a Trojan could open a port for itself to send spam. Or, a commercial
> program could do so for skulduggerous purposes such as monitoring your
> activities or remote-controlling your computer.
>
> The issue is more at the router, not so much in XP, in that a router which
> responds to UPnP requests effectively has low security.
>
> For that matter, who is to say that the SSDP/UPnP services are necessary in
> order to control a router? With the correct coding it may be possible to send
> UPnP commands to it directly, bypassing Windows' system-level services
> completely. That may be possible from pre-XP versions, too.

That's right Ian. ANY application. But if you are letting ANY application run
on one of your computers, what are you doing owning a computer?

If you have some unknown application (ANY application) running on your computer,
and you don't know what it's doing, I submit to you that the LEAST of your
worries is it POSSIBLY opening a port in a UPnP enabled NAT router. You HAVE to
take control of your computers.

Which is why I continually state that depending upon application layer filtering
of outbound traffic, as Zone Alarm does, is not adequate security by itself.
You CANNOT depend upon detecting / preventing malware by logging / restricting
its actions at the perimeter (personal firewall on one computer, or NAT router
on the LAN). You have to prevent malware from operating, by using layered
security.
http://nitecruzr.blogspot.com/2005/05/please-protect-yourself-layer-your.html

And if you depend upon manually opening and closing a port (manual port
forwarding), or semi automatically opening a port (port triggering), how is that
any better? If you're going to have an Internet server on your LAN, you have to
control your LAN. You cannot let it get to the point where having ONE unknown
application, that's UPnP capable, jeopardises your LAN.

Defend against the problem, not the symptom.

Harry Johnston

Chuck said:
> If you have some unknown application (ANY application) running on your computer,
> and you don't know what it's doing, I submit to you that the LEAST of your
> worries is it POSSIBLY opening a port in a UPnP enabled NAT router. You HAVE to
> take control of your computers.

Obviously what Chuck is saying doesn't make sense if your computer has
non-administrative users. But beyond this, there is a more subtle problem with
this attitude ... ironically enough Chuck mentions it himself:
> You have to prevent malware from operating, by using layered
> security.

Layered security. Exactly. The basic idea here is that multiple layers of
protection are better than just one - and the more layers the better.

Having UPnP enabled on your router removes a layer of protection, which is
undesirable. How undesirable depends on your exact circumstances. How
desirable UPnP is also depends on your circumstances - although I'm not sure
under what circumstances (if any) it is actually useful.

Harry.

jim

wow... this page is full of information....

I have concluded that I want UPnP and SSDP off, but I read the page and saved
it for future reference.

thank you very much

Chuck

> Obviously what Chuck is saying doesn't make sense if your computer has
> non-administrative users. But beyond this, there is a more subtle problem with
> this attitude ... ironically enough Chuck mentions it himself:
>
> Layered security. Exactly. The basic idea here is that multiple layers of
> protection are better than just one - and the more layers the better.
>
> Having UPnP enabled on your router removes a layer of protection, which is
> undesirable. How undesirable depends on your exact circumstances. How
> desirable UPnP is also depends on your circumstances - although I'm not sure
> under what circumstances (if any) it is actually useful.
>
> Harry.

Put it simply, Harry. If you get to the point where UPnP is a threat, then all
other layers of security have already been violated. Your computer, and your
LAN, is now 0wn3d. Pack your computer up, and send it back to the vendor.

If all other layers of security have not been violated, then this won't be a
threat.

If your other layers of security are that weak, then again you shouldn't own a
computer. And you don't, really. Your computer has been owned, but not by you.

Harry Johnston

Chuck said:
> Put it simply, Harry. If you get to the point where UPnP is a threat, then all
> other layers of security have already been violated.

... but not necessarily in a way that can be exploited if your router blocks
access.

> If your other layers of security are that weak, then again you shouldn't own a
> computer.

Don't be naive. It isn't possible to secure a computer to the point where you
can prevent all possible attacks - the best you can do is make a successful
attack unlikely.

Harry.

almih

Jim,

a little more info on the missing systray icons can be found at
http://winhlp.com/WxSystray.htm. With luck you could use a
workaround other than disabling the two services.

Hans-Georg

Hi All

I wrote a little utility that solves the problem with missing icons...
Not sure that it will work on all systems, but you can try (it's free) :)

http://am.vghost.ru/

Alex.

Hans-Georg Michna

Chuck wrote:
> Put it simply, Harry. If you get to the point where UPnP is a threat, then all
> other layers of security have already been violated.
> [...]

> Don't be naive. It isn't possible to secure a computer to the point where you
> can prevent all possible attacks - the best you can do is make a successful
> attack unlikely.

Harry,

but Chuck is right. If UPnP is a serious threat, then what about
the millions of users, including myself, who happily use it?
UPnP is a really nice convenience, and it even improves security
a bit, because it opens ports only when needed.

If you have malware on your computer that uses UPnP for its
purposes, then it is even easier for the malware to bore holes
into the firewall and control the security of the operating
system.

Since UPnP is controlled from the computer's software, it is not
normally possible to use it to gain access to the computer from
the outside.

Hans-Georg