Share via


UPnP Security (Windows Embedded CE 6.0)

1/6/2010

Universal Plug and Play (UPnP) provides a discovery mechanism for unmanaged networks. It enables a variety of resources on simple networks. When UPnP is deployed in an unprotected network or in a network with a large number of devices, there are a number of techniques that can help mitigate security vulnerabilities.

Best Practices

Limit deployment controlled networking environment

Use UPnP in a private network that is protected by a firewall. UPnP should not be used in any type of open network. For information about configuring the IP firewall to properly manage traffic destined for the internal network, see Windows Embedded CE topic IP Firewall Reference.

Limit the download scope

Set the registry to limit services to specified URLs. UPnP verifies the URLs received from the network before making a request. For more information, see DownloadScope under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Delay control point response

Set the registry to spread the time for requests from a control point. This prevents a storm of requests that can cause a denial of service when the device resources are depleted. For more information, see MaxControlPointDelay under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Limit the number of subscribers

Set the registry to limit the number of subscribers. This prevents a denial of service when the device resources are depleted by too many requests. UPnP rejects subscriptions when it reaches the maximum number. For more information, see MaxSubscribers under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Limit service to adjacent networks

Set the registry to a small number of network segments that UPnP will service. You can limit the number of hops to decrease that possibility that advertisements will reach irrelevant networks, which limits the exposure of the device. For more information, see DiscoveryTimeToLive under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Limit the document size and response size

Set the registry to an optimum document and response size. This prevents a denial of service when the device memory resources are depleted while processing a large network package that looks like a UPnP message. For more information, see MaxDocumentSize and MaxActionResponse values under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key in UPnP Registry Settings.

Make sure UPnP is using a port that is blocked by the firewall

If you use port 80, a firewall may allow network traffic to reach your device. You can specify an alternate port to limit access to by modifying the Port registry value under the HKEY_LOCAL_MACHINE\COMM\UPnP registry key. In Windows Embedded CE the UPnP port is preconfigured to 5120 in the registry, but will default to 80 if this key is removed.

Note

If you change the default port, you must also change the HKEY_LOCAL_MACHINE\Services\HTTPD\Accept key for the Web server to listen on the new UPnP port.

For more information, see UPnP Registry Settings and Web Server Registry Settings.

Limit the number of network interfaces that are using UPnP

You can specify the network interfaces that should not use UPnP by modifying the Interfaces value under the HKEY_LOCAL_MACHINE\COMM\UPnP\Exclude registry key. For more information, see UPnP Registry Settings.

Consider potential UPnP audio/video security issues

The UPnP AV Framework enables creation of devices and control points that use the UPnP AV DCP. The UPnP security best practices that apply to general UPnP devices and control points also apply to UPnP AV devices and control points. The following list provides some specific issues to consider when using the UPnP AV DCP.

  • The ContentDirectory service optionally supports write access to the data it exposes. Before making write access available, ensure that this is necessary.
  • UPnP control points can control all UPnP AV devices on the network. Therefore, any control point can display any available media on any available renderer. If this flexibility is a potential issue in your situation, consider using other best practices to address specific issues.
  • Anyone who has access to the network has the opportunity to manage all media content made available using UPnP AV. Be sure to follow all applicable copyright and other laws when making media content available on a network.

Do not trust data returned by control points and devices without validation

Any code that uses data from a control point or device should not trust that the data is correct without performing its own validation.

For example, IContentDirectory::BrowseChildren and IContentDirectory::Search return the number of objects contained in pstrResult using the pNumberReturned parameter. The implementation of the ContentDirectory service determines the data returned in these parameters. Because a control point cannot guarantee that every ContentDirectory service is implemented correctly, it should not assume that the data returned by ContentDirectory actions is correct.

Therefore, code that calls BrowseChildren or Search should not assume without validation that the value returned in pNumberReturned is correct. Without validation, code that uses the data in a parameter like pNumberReturned, such as for a loop index, can overwrite memory incorrectly if the data in pstrResult actually contains more than the specified number of values.

This best practice should be applied to data returned by all control points or devices, not just to data accessed using BrowseChildren or Search.

Restrict UPnP service access to trusted applications

Since UPnP offers no authentication for its devices, the UPnP services installed with the Control Point and Device Host APIs can be limited to access by trusted applications. For any service, the DEVFLAGS_TRUSTEDCALLERONLY flag is set in the corresponding services root registry key. With this value set, only trusted applications are able to start, stop, or refresh the service. The following is an example of this type of setting, for the HTTPD service:

[HKEY_LOCAL_MACHINE\Services\HTTPD]
Flags=dword:10000

To remove the setting of the DEVFLAGS_TRUSTEDCALLERONLY flag for a service, you can set the corresponding Flags value to 0 in the registry. For more information, see Windows Embedded CE topic Services.exe Registry Settings.

Default Registry Settings

You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.

For UPnP registry information, see UPnP Registry Settings.

Ports

The following table shows the ports that UPnP uses, for details see UPnP Registry Settings.

Port number Registry value

1900

Not configurable in the registry. UDP port used by SSDP protocol.

5120

Port

TCP port used for UPnP control and eventing.

See Also

Other Resources

Universal Plug and Play (UPnP)
Enhancing the Security of a Device