Stepping Up to Windows XP:
What to Expect at Your Firewall
by David M. Piscitello, President, Core Competence, Inc.
Default installations of Windows XP (Home and Professional Editions)
boot with a number of services that are not necessary for correct
operation in home and many enterprise offices. These excess services can
cause a few problems:
- Some of these pose security problems because they advertise services
or solicit connections from anonymous, or "unauthenticated, and
potentially hostile" hosts.
Some of the protocols these services use are
not secure, and security experts have demonstrated that several have
Some Windows XP services might not be used
by, or be appropriate or useful for, your business LAN, so they add
unnecessary traffic to your LANs.
Unless explicitly disabled, Windows services
start during the power on process, and reside in memory: if you are not
using them, you are wasting RAM while they remain enabled.
I recently described
how passive monitoring of broadcast traffic using a LAN analyzer could
help you identify and prune unnecessary traffic. Similarly, tracking down
"overhead services" in Windows XP offers you some security benefits, minor
performance enhancements -- plus an excellent excuse to hone your sniffing
skills. This article helps you find and disable some XP services you might
be better off without.
How your firewall keeps XP honest
If such sleuthing sounds daunting to you, it might not be as difficult
as it sounds. If you administer a firewall, and you have blocked all
outbound services except those you authorize, and you are logging
denied outbound packets, you can often bypass the process of sniffing LAN
traffic by reviewing your firewall logs instead.
If you are officially introducing Windows XP to your network (or
suspect that it's present, officially or not), review your firewall log
files. Search for the value "1900" in the Destination Port field, and you
might see entries like this one:
firewalld deny out eth1 161 udp 20 1
172.16.0.1 27770 1900 (Outgoing)
Next, search for the value "5000" in the Destination Port field. You
might see entries like this one:
firewalld deny out eth1
161 tcp 20 1
172.16.0.4 172.16.0.1 27770 5000 (Outgoing)
What's UDP port 1900? TCP Port 5000? Who are these guys and what are
they trying to do? You could conclude, "Omigod, we've been hacked!" But
chances are, you've bumped into another in the regrettable string of
default installation settings based on ease of use, rather than
Don't Let It Get You Down... It's Only SSDP Burning (Your Bandwidth
You can examine the contents in detail to be absolutely convinced, but
packets that contain these destination port numbers usually signal that
Windows XP OS has made its way into your organization. Windows XP runs a
service, Simple Service Discovery, which uses (naturally) the Simple
Service Discovery Protocol to gather information about Universal Plug
and Play (UPnP)
devices. UPnP allows network printers, cameras, home entertainment, and storage
devices to automatically configure TCP/IP settings when they are plugged
in and powered on. UPnP also allows discovery of Internet gateways that
thereby enabling NAT traversal by applications that otherwise don't work
through NAT. Once configured, a UPnP device announces to other networked
devices its availability for use by issuing SSDP packets. XP PCs can
access and manage the device through a Web interface. (Details: Microsoft
Knowledge Base Article 323713.)
SSDP provides lots of useful information about devices plugged into
your network, but the service and protocol also provide vectors for server
compromise and DDOS attacks. (For
more on the subject, read this Xforce Advisory, and
simply Google "UPnP vulnerabilities").
UPnP appears to be popular within the "Connected Home" community.
Microsoft conveniently provides a hint about whom they designed the
service for, in the description field of the SSDP Discovery Service
("Enables discovery of UPnP devices on your home network"). If your
office doesn't have way-kewl HiFi and video, and you know for certain your
network printers aren't UPnP devices, you can safely disable SSDP
Discovery Service from XP's Computer Management.
Right-click the My Computer icon on your desktop, choose Manage.
Double-click Services & Applications, then Services.
Scroll down to SSDP Discovery and double-click. From Startup type,
choose Disable to eliminate port 1900-directed traffic, and save some RAM
in the process. You must disable, rather than Stop, the service:
Stop is a temporary setting, and any service that is enabled but stopped
will start during the next boot.
TCP 5000: Port number, or the number of servers using the port?
If you disable SSDP, you can also disable the companion UPnP Device
Host service. This service supports the UPnP peer-to-peer exchanges over
TCP Port 5000. By choosing port 5000, Microsoft has unfortunately kicked a
cow pie. This port assignment collides with a Remote Administration Tool
(a RAT, a form of Trojan program) called Sockets
de Troie. If you disable UPnP Device Host service on all your XP PCs
and still see TCP Port 5000 traffic in your firewall logs, investigate
There's more. Port 5000 appears to have some unique appeal. Remarkably,
many Internet chess services use TCP Port 5000. No matter: whether
attacker or cyber-slacker UPnP, you do want to block this port at your
firewall, and you do want to nip these port users in the bud.
I've discussed SSDP/UPnP in the context of Windows XP, but Windows Millenium
Edition also "offers" this service, and patches exist to add it to
If you have teleworkers, especially ones with broadband connections,
and they are not using SOHO firewalls, be certain they disable
SSDP/UPnP services. Use a software firewall like ZoneAlarm, and block
these ports. (Consider documenting this in your security and acceptable
use policies.) If users object, presumably on the basis that they do
indeed have way-kewl home entertainment gear and use UPnP, these are
probably the appropriate candidates for SOHO firewalls.
UPnP is not the same OS function as Plug and Play, the service that
manages device discovery of things directly connected to your PC. If you
don't need UPnP, disable it. This single act of service pruning saves a
bit of RAM, a fair amount of noise on your LAN, and improves your risk
If I've whetted your appetite and you want to learn more ways to
prune-and-tune your Windows XP Operating System, visit Black Viper and download Windows XP
Home and Professional Services Configurations. (Navigation tip once
you reach his page: OS Guides in left nav => Windows XP Services
Configuration Page => scroll down to the table.) Black Viper not only
explains what all 89 Windows XP services are and do, but gives you advice
on how to tune your OS for optimum performance. He explains some scenarios
where, out of 89 services, you might require as few as 8.
So if you prefer to run a lean, efficient network, you know where to
look next: at SSDP, UPnP, and who-knows-how-many other XP services you
might not need. After all, bloatware is in the eye of the beholder. ##
Copyright© 2003, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.