UPnP Security

Universal Plug and Play (UPnP) provides a discovery mechanism for unmanaged networks. It enables a variety of resources on simple networks. When UPnP is deployed in an unprotected network or in a network with a large number of devices, there are a number of configurations and deployment techniques that can help mitigate security vulnerabilities.

Best Practices

Limit deployment to a controlled networking environment

Use UPnP in a private network that is protected by a firewall. For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.

Limit the download scope

Set the registry to limit services to specified URLs. UPnP verifies the URLs received from the network before making a request. For more information, see DownloadScope under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Delay control point response

Set the registry to spread the time for requests from a control point. This prevents a storm of requests that can cause a denial of service when the device resources are depleted. For more information see MaxControlPointDelay under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Limit the number of subscribers

Set the registry to limit the number of subscribers. This prevents a denial of service when the device resources are depleted by too many requests. UPnP rejects subscriptions when it reaches the maximum number. For more information, see MaxSubscribers under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Limit service to adjacent networks

Set the registry to a small number of network segments that UPnP will service. Limiting the number of hops decreases the possibility that advertisements will reach irrelevant networks, which limits the exposure of the device. For more information, see DiscoveryTimeToLive under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Limit the document size and response size

Set the registry to an optimum document and response size. This prevents a denial of service when the device memory resources are depleted while processing a large network package that looks like a UPnP message. For more information, see MaxDocumentSize and MaxActionResponse values under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Make sure UPnP is using a port that is blocked by the firewall

If you use port 80, a firewall may allow network traffic to reach your device. You can limit access by specifying an alternate port in the Port registry value under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key. In Windows CE the UPnP port is preconfigured to 5120 in the registry, but it will default to 80 if this key is removed.

Note: If you change the default port, you must also change the HKEY_LOCAL_MACHINE\Services\HTTPD\Accept key for the Web server to listen on the new UPnP port.

For more information, see UPnP Registry Settings and Web Server Registry Settings.

Limit the number of network interfaces that are using UPnP

You can specify the network interfaces that should not use UPnP by modifying the Interfaces value under the HKEY_LOCAL_MACHINE\COMM\UPnP\Exclude registry key. For more information, see UPnP Registry Settings.
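The settings above, collected into a single Windows CE registry fragment. This is an added example, not code from this page or from Microsoft: the key paths and value names are the ones the page cites, while the numeric values, the DWORD and MULTI_SZ types, the adapter name, and the byte and hop units are assumptions chosen for illustration. DownloadScope and the HTTPD Accept key are only mentioned in comments because this page does not show their value format.

```reg
; Added example (not from the page): applies the UPnP hardening settings
; in one place. Value names and key paths are those named on the page;
; the numeric values, the dword/multi_sz types and the adapter name are
; assumptions. Check units and allowed ranges in UPnP Registry Settings.

[HKEY_LOCAL_MACHINE\COMM\UPnP]
    ; Listen on a TCP port the perimeter firewall already blocks, never 80.
    ; 0x1400 = 5120, the Windows CE preconfigured value.
    "Port"=dword:00001400

    ; Cap concurrent event subscribers so a subscription flood cannot
    ; exhaust device resources (16 is an example value).
    "MaxSubscribers"=dword:00000010

    ; Spread control-point requests over time to blunt request storms
    ; (example value; units as documented for MaxControlPointDelay).
    "MaxControlPointDelay"=dword:00000005

    ; Keep SSDP advertisements on the local segment: a TTL of 1 hop.
    "DiscoveryTimeToLive"=dword:00000001

    ; Reject oversized documents and action responses before they are
    ; parsed (0x4000 = 16384; bytes assumed, example size).
    "MaxDocumentSize"=dword:00004000
    "MaxActionResponse"=dword:00004000

    ; DownloadScope (restricting the URLs UPnP will request) belongs here
    ; as well; its value format is documented in UPnP Registry Settings.

[HKEY_LOCAL_MACHINE\COMM\UPnP\Exclude]
    ; Adapters that must not carry UPnP, e.g. an externally facing link.
    ; The adapter name is a placeholder; multi_sz is an assumed type.
    "Interfaces"=multi_sz:"EXTERNAL_ADAPTER_NAME"

; Reminder from the page: if Port differs from the default, the Web server
; must listen on the same port via HKEY_LOCAL_MACHINE\Services\HTTPD\Accept.
```

Apply the fragment to a development image first and confirm, with a control point on the same segment, that discovery still works while a control point one router hop away no longer receives advertisements; that confirms the TTL and port changes took effect before the firewall rules are tightened to match.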

Default Registry Settings

You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.

For UPnP registry information, see UPnP Registry Settings.

Ports

The following table shows the ports that UPnP uses. For details, see UPnP Registry Settings.

Port number   Registry value
-----------   --------------------------------------------------------------
1900          Not configurable in the registry. UDP port used by the SSDP protocol.
5120          Port. TCP port used for UPnP control and eventing.

Last updated on Tuesday, May 18, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.