Republished with permission from WatchGuard Technologies, Inc.


Stepping Up to Windows XP:
What to Expect at Your Firewall

by David M. Piscitello, President, Core Competence, Inc.

Default installations of Windows XP (Home and Professional Editions) boot with a number of services that are not necessary for correct operation in home and many enterprise offices. These excess services can cause a few problems:

  • Some of these pose security problems because they advertise services or solicit connections from anonymous (that is, unauthenticated and potentially hostile) hosts.
  • Some of the protocols these services use are not secure, and security experts have demonstrated that several have exploitable vulnerabilities.
  • Some Windows XP services might not be used by, or be appropriate or useful for, your business LAN, so they add unnecessary traffic to your LANs.
  • Unless explicitly disabled, Windows services start during the power-on process and reside in memory: if you are not using them, you are wasting RAM while they remain enabled.

I recently described how passive monitoring of broadcast traffic using a LAN analyzer could help you identify and prune unnecessary traffic. Similarly, tracking down "overhead services" in Windows XP offers you some security benefits, minor performance enhancements -- plus an excellent excuse to hone your sniffing skills. This article helps you find and disable some XP services you might be better off without.

How your firewall keeps XP honest

If such sleuthing sounds daunting to you, it might not be as difficult as it sounds. If you administer a firewall, and you have blocked all outbound services except those you authorize, and you are logging denied outbound packets, you can often bypass the process of sniffing LAN traffic by reviewing your firewall logs instead.

If you are officially introducing Windows XP to your network (or suspect that it's present, officially or not), review your firewall log files. Search for the value "1900" in the Destination Port field, and you might see entries like this one:

08/26/03 19:53:56
firewalld[103] deny out eth1 161 udp 20 1 
172.16.0.4 172.16.0.1 27770 1900 (Outgoing)

Next, search for the value "5000" in the Destination Port field. You might see entries like this one:

08/26/03 19:54:31
firewalld[103] deny out eth1 161 tcp 20 1 
172.16.0.4 172.16.0.1 27770 5000 (Outgoing)

What's UDP port 1900? TCP Port 5000? Who are these guys and what are they trying to do? You could conclude, "Omigod, we've been hacked!" But chances are, you've bumped into another in the regrettable string of default installation settings based on ease of use, rather than security.
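The log review described above, as an added example that is not from the article or WatchGuard: a small Python script that pulls outbound-deny records in the format shown from a firewall log, tallies UDP/1900 and TCP/5000 hits per source host, and lists hosts whose TCP/5000 traffic has no accompanying SSDP. The record's field layout and the sample entries are assumptions constructed from the two entries above.

```python
import re
from collections import defaultdict

# Constructed sample in the format the article shows (timestamp on its own
# line, the firewalld record possibly wrapped onto a second line). Not real data.
SAMPLE_LOG = """\
08/26/03 19:53:56
firewalld[103] deny out eth1 161 udp 20 1
172.16.0.4 172.16.0.1 27770 1900 (Outgoing)
08/26/03 19:54:31
firewalld[103] deny out eth1 161 tcp 20 1 172.16.0.4 172.16.0.1 27770 5000 (Outgoing)
08/26/03 20:02:10
firewalld[103] deny out eth1 161 udp 20 1 172.16.0.9 239.255.255.250 1031 1900 (Outgoing)
08/26/03 20:05:44
firewalld[103] deny out eth1 161 tcp 20 1 172.16.0.23 192.0.2.77 1040 5000 (Outgoing)
08/26/03 20:06:02
firewalld[103] deny out eth1 161 tcp 20 1 172.16.0.4 192.0.2.10 1041 80 (Outgoing)
"""

# Field order assumed from the article's entries:
# deny out <iface> <len> <proto> <ttl> <n> <src> <dst> <sport> <dport> (Outgoing)
# Whitespace-tolerant, so a record wrapped across two lines still matches.
DENY_OUT = re.compile(
    r"deny\s+out\s+(?P<iface>\S+)\s+\d+\s+(?P<proto>udp|tcp)\s+\d+\s+\d+\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
)

# Destination port/protocol pairs the article ties to XP's UPnP services.
SIGNATURES = {("udp", 1900): "ssdp", ("tcp", 5000): "tcp5000"}

def parse_denied(log_text):
    """Return (proto, src, dst, dport) for every outbound deny record."""
    return [(m["proto"], m["src"], m["dst"], int(m["dport"]))
            for m in DENY_OUT.finditer(log_text)]

def upnp_report(log_text):
    """Count SSDP (udp/1900) and tcp/5000 denies per source host."""
    report = defaultdict(lambda: defaultdict(int))
    for proto, src, _dst, dport in parse_denied(log_text):
        label = SIGNATURES.get((proto, dport))
        if label:
            report[src][label] += 1
    return {src: dict(counts) for src, counts in report.items()}

def hosts_to_investigate(report):
    """Heuristic: a host sending tcp/5000 but never SSDP is not behaving like
    an XP box with UPnP enabled, so its port-5000 traffic deserves a closer look."""
    return sorted(src for src, c in report.items()
                  if "tcp5000" in c and "ssdp" not in c)
```

Feed the script your own log text in place of SAMPLE_LOG; hosts that appear with only the "ssdp" label are the likely XP installations.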

Don't Let It Get You Down... It's Only SSDP Burning (Your Bandwidth and RAM)

You can examine the contents in detail to be absolutely convinced, but packets that contain these destination port numbers usually signal that Windows XP OS has made its way into your organization. Windows XP runs a service, Simple Service Discovery, which uses (naturally) the Simple Service Discovery Protocol to gather information about Universal Plug and Play (UPnP) devices. UPnP allows network printers, cameras, home entertainment, and storage devices to automatically configure TCP/IP settings when they are plugged in and powered on. UPnP also allows discovery of Internet gateways that perform NAT, thereby enabling NAT traversal by applications that otherwise don't work through NAT. Once configured, a UPnP device announces to other networked devices its availability for use by issuing SSDP packets. XP PCs can access and manage the device through a Web interface. (Details: Microsoft Knowledge Base Article 323713.)

SSDP provides lots of useful information about devices plugged into your network, but the service and protocol also provide vectors for server compromise and DDoS attacks. (For more on the subject, read the X-Force Advisory on the topic, and simply Google "UPnP vulnerabilities".)

UPnP appears to be popular within the "Connected Home" community. Microsoft conveniently provides a hint about whom they designed the service for, in the description field of the SSDP Discovery Service ("Enables discovery of UPnP devices on your home network"). If your office doesn't have way-kewl HiFi and video, and you know for certain your network printers aren't UPnP devices, you can safely disable SSDP Discovery Service from XP's Computer Management.

Right-click the My Computer icon on your desktop, choose Manage. Double-click Services & Applications, then Services. Scroll down to SSDP Discovery and double-click. From Startup type, choose Disable to eliminate port 1900-directed traffic, and save some RAM in the process. You must disable, rather than Stop, the service: Stop is a temporary setting, and any service that is enabled but stopped will start during the next boot.

TCP 5000: Port number, or the number of servers using the port?

If you disable SSDP, you can also disable the companion UPnP Device Host service. This service supports the UPnP peer-to-peer exchanges over TCP Port 5000. By choosing port 5000, Microsoft has unfortunately kicked a cow pie. This port assignment collides with a Remote Administration Tool (a RAT, a form of Trojan program) called Sockets de Troie. If you disable UPnP Device Host service on all your XP PCs and still see TCP Port 5000 traffic in your firewall logs, investigate further!

There's more. Port 5000 appears to have some unique appeal. Remarkably, many Internet chess services use TCP Port 5000. No matter: whether the port user is an attacker, a cyber-slacker, or UPnP, you do want to block this port at your firewall, and you do want to nip these port users in the bud.

I've discussed SSDP/UPnP in the context of Windows XP, but Windows Millennium Edition also "offers" this service, and patches exist to add it to Windows 95/98.

If you have teleworkers, especially ones with broadband connections, and they are not using SOHO firewalls, be certain they disable SSDP/UPnP services. Use a software firewall like ZoneAlarm, and block these ports. (Consider documenting this in your security and acceptable use policies.) If users object, presumably on the basis that they do indeed have way-kewl home entertainment gear and use UPnP, these are probably the appropriate candidates for SOHO firewalls.

Rest Easy

UPnP is not the same OS function as Plug and Play, the service that manages device discovery of things directly connected to your PC. If you don't need UPnP, disable it. This single act of service pruning saves a bit of RAM, removes a fair amount of noise from your LAN, and improves your risk profile.

If I've whetted your appetite and you want to learn more ways to prune-and-tune your Windows XP Operating System, visit Black Viper and download Windows XP Home and Professional Services Configurations. (Navigation tip once you reach his page: OS Guides in left nav => Windows XP Services Configuration Page => scroll down to the table.) Black Viper not only explains what all 89 Windows XP services are and do, but gives you advice on how to tune your OS for optimum performance. He explains some scenarios where, out of 89 services, you might require as few as 8.

So if you prefer to run a lean, efficient network, you know where to look next: at SSDP, UPnP, and who-knows-how-many other XP services you might not need. After all, bloatware is in the eye of the beholder.


Copyright© 2003, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.