Is allowing UPnP worth it?

If UPnP opens up a security risk, and Windows Live Messenger seems to operate
the same with or without it (at least to me), why is it suggested that we
allow UPnP?

UPnP will allow you to transfer files, use Sharing Folders, use webcam/voice
chat; as well as do anything that's not just text chatting.

--
Edward Chow [1067064]
Windows Live Butterfly - Messenger

"thebigdintexas" <> wrote in message
news:40B9EA0E-FA75-4943-A11D-...
> If UPnP opens up a security risk, and Windows Live Messenger seems to
> operate
> the same with or without it (at least to me), why is it suggested that we
> allow UPnP?

I'm not transfering any files, I don't use the sharing folders, and my
webcam/voice chat seems to work the same with or without UPnP......




"Edward Chow [Windows Live B'fly-M'sgr]" wrote:

> UPnP will allow you to transfer files, use Sharing Folders, use webcam/voice
> chat; as well as do anything that's not just text chatting.
>
> --
> Edward Chow [1067064]
> Windows Live Butterfly - Messenger
>
> "thebigdintexas" <> wrote in message
> news:40B9EA0E-FA75-4943-A11D-...
> > If UPnP opens up a security risk, and Windows Live Messenger seems to
> > operate
> > the same with or without it (at least to me), why is it suggested that we
> > allow UPnP?
>
>
>

Greetings,

The only "risk" with UPnP is that a rogue (read as worm) application opens and forwards a
port without your knowledge.

There are no known worms, viruses or trojans with exploit this. Also, if you have such an
application on your machine already, you already have a bigger security issue than UPnP.

The only other UPnP exploit wasn't in UPnP at all, it was in the SSDP service has never been
exploited in the wild and was fixed in November of 2001.

The big "security issues" surrounding UPnP are nothing but FUD created by third-parties who
benefit financially from such ideas (Symantec, Mcafee, Steve Gibson, etc.).

--
Jonathan Kay
Microsoft MVP - Windows Live Messenger/MSN Messenger/Windows Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
All posts unless otherwise specified are (c) 2006 Jonathan Kay.
You *must* contact me for redistribution rights.
--


"thebigdintexas" <> wrote in message
news:40B9EA0E-FA75-4943-A11D-...
> If UPnP opens up a security risk, and Windows Live Messenger seems to operate
> the same with or without it (at least to me), why is it suggested that we
> allow UPnP?

I agree with you, but if that is true, then I dont understand why MS dropped
UPnP support in Windows 2003 Server (UPnP via ICS)?


"Jonathan Kay [MVP]" <> wrote in message
news:%...
> The big "security issues" surrounding UPnP are nothing but FUD created by
> third-parties who benefit financially from such ideas (Symantec, Mcafee,
> Steve Gibson, etc.).

Hi,

Unfortunately UPnP is considered a consumer-grade technology and as such was removed from the
Server platform.

For instance, if a business used Windows Server to share their Internet connection, their
users could use all this Messenger functionality and whatever other software they decided to
use that supported UPnP which may bypass any other security measures that were in place to
prevent such usage.

--
Jonathan Kay
Microsoft MVP - Windows Live Messenger/MSN Messenger/Windows Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
All posts unless otherwise specified are (c) 2006 Jonathan Kay.
You *must* contact me for redistribution rights.
--

"Dinko Deranja" <> wrote in message news:...
>I agree with you, but if that is true, then I dont understand why MS dropped UPnP support in
>Windows 2003 Server (UPnP via ICS)?
>
>
> "Jonathan Kay [MVP]" <> wrote in message
> news:%...
>> The big "security issues" surrounding UPnP are nothing but FUD created by third-parties
>> who benefit financially from such ideas (Symantec, Mcafee, Steve Gibson, etc.).
>
>

To be clear, UPnP is not entirely necessary to make these features work. It
helps in some cases (for example, if in the connection settings, you are
detected behind a Symmetric NAT).

"Edward Chow [Windows Live B'fly-M'sgr]" wrote:

> UPnP will allow you to transfer files, use Sharing Folders, use webcam/voice
> chat; as well as do anything that's not just text chatting.
>
> --
> Edward Chow [1067064]
> Windows Live Butterfly - Messenger
>
> "thebigdintexas" <> wrote in message
> news:40B9EA0E-FA75-4943-A11D-...
> > If UPnP opens up a security risk, and Windows Live Messenger seems to
> > operate
> > the same with or without it (at least to me), why is it suggested that we
> > allow UPnP?
>
>
>

Well, about bypassing - a single checkbox named "Allow UPnP" would be
enough.


"Jonathan Kay [MVP]" <> wrote in message
news:...
> Hi,
>
> Unfortunately UPnP is considered a consumer-grade technology and as such
> was removed from the Server platform.
>
> For instance, if a business used Windows Server to share their Internet
> connection, their users could use all this Messenger functionality and
> whatever other software they decided to use that supported UPnP which may
> bypass any other security measures that were in place to prevent such
> usage.

Hi,

I don't disagree but getting such things added in can be, difficult. I'm not quite sure what
the story is for Longhorn server.

--
Jonathan Kay
Microsoft MVP - Windows Live Messenger/MSN Messenger/Windows Messenger
Associate Expert
http://www.microsoft.com/windowsxp/expertzone/
Messenger Resources - http://messenger.jonathankay.com
All posts unless otherwise specified are (c) 2006 Jonathan Kay.
You *must* contact me for redistribution rights.
--

"Dinko Deranja" <> wrote in message news:...
> Well, about bypassing - a single checkbox named "Allow UPnP" would be enough.
>
>
> "Jonathan Kay [MVP]" <> wrote in message
> news:...
>> Hi,
>>
>> Unfortunately UPnP is considered a consumer-grade technology and as such was removed from
>> the Server platform.
>>
>> For instance, if a business used Windows Server to share their Internet connection, their
>> users could use all this Messenger functionality and whatever other software they decided
>> to use that supported UPnP which may bypass any other security measures that were in place
>> to prevent such usage.
>
>