It looks like our good old friend Steve Gibson has decided to get into the mix, with the recent UPnP fiasco for Windows XP (and below) by releasing a program "UnPlug n'Pray", which as Steve plainly puts it, "Instantly and Easily Control Windows' Insecure, Exploit-Prone and Probably Unnecessary Universal Plug and Play Network Support".
What, exactly, does UnPnP do?
- Under Windows XP, the Universal Plug & Play system is supported by two service processes, the "SSDP Discovery Service" (SSDPDS) and the "Universal Plug and Play Device Host" (UPNPDH). Although both services are started upon demand, the SSDP service is started when Windows XP is booted. The SSDPDS service is the Internet server component which opens and exposes Windows XP to the global Internet. The UPNPDH service is only started when needed and its operation is dependent upon SSDPDS.
- To disable the Universal Plug & Play system: UnPnP first stops the UPNPDH service if it is running, then disables its future operation. After this is done the SSDPDS service is stopped and also disabled. This shuts down Windows XP's external Internet server to prevent exposure to any presently known or later discovered UPnP vulnerabilities.
- To re-enable the Universal Plug & Play system: UnPnP simply reverses the process. The SSDPDS service is set to start on demand, and it is then started. Then, the UPNPDH service is also set to start on demand, but it is not started. With the SSDPDS service running the Windows XP system will have TCP port 5000 open and accepting remote connections and UDP port 1900 listening for inbound datagrams.
- UnPnP's actions are completely benign and reversible. There are no known negative side effects caused by disabling the Universal Plug & Play components when they are not needed. They may easily be re-enabled if they are ever needed at any time in the future.
[UPDATED] unPnP has been updated to v1.2... Steve Says:
- A number of Fortune 500 (judging from their impressive eMail domains) IT administrators have asked for a non-GUI scriptable version of UnPnP so that they can deploy it throughout their domains through login scripts.
Use commands: UnPnP disable or UnPnP enable
Download: UnPnP.exe v1.2, Dec 28, 2001 at 23:22 (WOW, a whopping 22kb Ed!)