Disable SSDP/UPnP unless SSDP/UPnP is absolutely necessary.


CONTROL ID
04315
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Disable all unnecessary services unless otherwise noted in a policy exception., CC ID: 00880

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Table F-3: For Windows 2000 Professional, the organization must configure the permissions for SSDP Discovery Service to Administrators: Full Control; System: Read; and System: Start, Stop, and Pause. Table F-4: For Windows XP Professional, the organization must configure the permissions for SSDP Dis… (Table F-3, Table F-4, CMS Business Partners Systems Security Manual, Rev. 10)
  • The Simple Search and Discovery Protocol (SSDP) Discovery Service should be Disabled, unless absolutely necessary. If it is Enabled, there should be a documented and justified reason. (§ 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Pg 69 This service allows the Universal Plug and Play host the ability to locate and identify UPnP network devices. The SSDP Discovery service should be Disabled. Pg 80 Even if the UPnP service is Disabled, some applications, such as Windows Messenger, will still use the SSDP discovery service. To e… (Pg 69, Pg 80, NSA Guide to Security Microsoft Windows XP)