UPnP temporary internet files and security


David Shorthouse
December 5th 03, 08:14 PM
Hey folks,

I have a UPnP-capable router and am using MSN Messenger. I am supposed
to have an Internet Gateway Device icon in my network connections folder
with this router. It appears just fine with either a wired or wireless
connection in my laptop's network connections folder, but not for two of my
other wired desktops. I have a suspicion that this may be because of some
sort of security issue in XP Pro SP1 (on all machines), but don't know how
to verify this. Here's why I suspect this:

My laptop discovers the UPnP gateway device just fine and several xml files
get dumped into C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5
as they should. However, on the desktop computers that don't have the icon,
these router-specific xml files never appear in this folder. In addition to
this, upon boot, the laptop also gets a rootDesc.xml file in the user
account's temporary internet files, but none of the problem desktops' user
accounts receive this file in their temporary internet files folder.

Am I on the right track here and does anyone know how to resolve this issue?
I would like to be able to control and configure the UPnP-specific ports
using this tool in my desktops and not just the laptop, which is
infrequently connected to the router.

Thanks for any ideas,

Dave

Matt Scarborough
December 5th 03, 08:14 PM
Xref: kermit microsoft.public.windowsxp.security_admin:63385

On Fri, 09 May 2003 16:57:55 GMT, David Shorthouse wrote
>
> Hey folks,
>
> I have a UPnP-capable router and am using MSN Messenger. I am supposed
> to have an Internet Gateway Device icon in my network connections folder
> with this router. It appears just fine with either a wired or wireless
> connection in my laptop's network connections folder, but not for two of my
> other wired desktops. I have a suspicion that this may be because of some
> sort of security issue in XP Pro SP1 (on all machines), but don't know how
> to verify this. Here's why I suspect this:
>
> My laptop discovers the UPnP gateway device just fine and several xml files
> get dumped into C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5
> as they should. However, on the desktop computers that don't have the icon,
> these router-specific xml files never appear in this folder. In addition to
> this, upon boot, the laptop also gets a rootDesc.xml file in the user
> account's temporary internet files, but none of the problem desktops' user
> accounts receive this file in their temporary internet files folder.
>
> Am I on the right track here and does anyone know how to resolve this issue?
> I would like to be able to control and configure the UPnP-specific ports
> using this tool in my desktops and not just the laptop, which is
> infrequently connected to the router.

The files in the Temporary Internet Files folder are normal.

To make use of the UPnP-capable router's NAT capabilities you need a UPnP
enabled client or OS. UPnP support is included by default in Windows XP.
UPnP support at the OS level of XP allows you to control the UPnP enabled
device through the Networking applet.

For most UPnP-capable routers, these UPnP enabled controls are merely a
subset of the controls you get using the Web Interface. Meaning, UPnP can
control many of the same NAT capabilities of the router as that which an
authorized user could accomplish with the web interface at (for default
Linksys)
http://192.168.1.1/Forward.htm
UPnP however does this NATting auto-magically.

The critical difference is that to use the Web interface requires a
username:password to access the UPnP-capable router and map ports to
machines (control NAT) with that Web interface. UPnP assumes all users and
machines and code running inside your LAN are trusted. The existing UPnP
protocol does not include authentication or authorization. That is the
security issue, not the presence of any TIF files. rootDesc.xml is available
to any machine on the LAN side that can reach the router at
http://192.168.1.1:5678/rootDesc.xml

I suspect the laptop is running Windows XP and the desktops are running some
other OS or have UPnP support disabled. For transparent use of the NAT
capabilities for specific applications, Windows 98 users can add DirectX 9.x
and MSN Messenger for example. Or, Windows 98 users can add the Internet
Connection Sharing client and use a Windows XP machine as their Internet
Gateway. That still however may not add to Windows 98 all of the GUI and
networking capabilities you enjoy with Windows XP SP1.

Matt Scarborough 2003-05-09
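
The exchange Matt describes above, as an added example that is not code from the thread or from any vendor: the SSDP M-SEARCH a client multicasts, the 200 OK whose LOCATION header names rootDesc.xml, the walk through that description to the WANIPConnection controlURL, and the SOAP AddPortMapping call that changes the NAT table. This is the same change the web interface gates behind a username:password; the SOAP request has no field for a credential at all. The gateway address 192.168.1.1:5678, the control URL /ctl/IPConn, the internal client 192.168.1.50 and port 6891 are assumptions, and the SSDP reply and rootDesc.xml are constructed samples so the parsing half runs offline; discover() and call() are the live half.

```python
"""UPnP IGD from the LAN side: SSDP discovery, rootDesc.xml, unauthenticated SOAP control.
Added example, not from the thread. Gateway 192.168.1.1:5678, control URL /ctl/IPConn and the
mapping values are assumptions; the SAMPLE_* strings are constructed so parsing runs offline."""
import http.client
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit
from xml.sax.saxutils import escape

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "urn:schemas-upnp-org:device-1-0"

# Constructed samples: an IGD's answer to M-SEARCH, and the rootDesc.xml it serves.
SAMPLE_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
    "LOCATION: http://192.168.1.1:5678/rootDesc.xml\r\n"
    f"SERVER: Linux/2.4 UPnP/1.0 igd/1.0\r\nST: {IGD_ST}\r\n"
    f"USN: uuid:00000000-0000-0000-0000-000000000001::{IGD_ST}\r\n\r\n")
SAMPLE_ROOT_DESC = f"""<?xml version="1.0"?>
<root xmlns="{DEV_NS}"><specVersion><major>1</major><minor>0</minor></specVersion>
<device><deviceType>{IGD_ST}</deviceType><friendlyName>Sample Gateway</friendlyName>
<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
<serviceList><service><serviceType>{WANIP_ST}</serviceType>
<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId><controlURL>/ctl/IPConn</controlURL>
<eventSubURL>/evt/IPConn</eventSubURL><SCPDURL>/WANIPCn.xml</SCPDURL></service></serviceList>
</device></deviceList></device></deviceList></device></root>"""

def build_msearch(st=IGD_ST, mx=2):
    """The multicast probe the Windows SSDP service sends; any LAN host can send it."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n')

def parse_ssdp_reply(raw):
    """Headers of an SSDP 200 OK as a lower-cased dict; LOCATION names rootDesc.xml."""
    status, _, rest = raw.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    return {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition(":") for ln in rest.split("\r\n")) if k}

def find_control_url(root_desc, location, service_type=WANIP_ST):
    """Resolve the service's controlURL: relative to URLBase if present, else to LOCATION."""
    root = ET.fromstring(root_desc)
    base = root.findtext(f"{{{DEV_NS}}}URLBase") or location
    for svc in root.iter(f"{{{DEV_NS}}}service"):
        if svc.findtext(f"{{{DEV_NS}}}serviceType") == service_type:
            return urljoin(base, svc.findtext(f"{{{DEV_NS}}}controlURL"))
    return None

def soap_request(action, args, service_type=WANIP_ST):
    """SOAP body and headers for one action; args is an ordered list of (name, value)."""
    inner = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args)
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
            ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service_type}">{inner}</u:{action}></s:Body></s:Envelope>')
    return body, {"Content-Type": 'text/xml; charset="utf-8"',   # no credential anywhere
                  "SOAPAction": f'"{service_type}#{action}"'}

def parse_soap_values(xml_text):
    """Collect the New* out-arguments of a response, or errorCode from a SOAP fault."""
    return {el.tag.split("}")[-1]: (el.text or "") for el in ET.fromstring(xml_text).iter()
            if el.tag.split("}")[-1].startswith("New") or el.tag.endswith("errorCode")}

def call(control_url, action, args, timeout=5):
    """POST one action to the gateway (live network; the offline checks never reach it)."""
    u = urlsplit(control_url)
    body, headers = soap_request(action, args)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("POST", u.path or "/", body.encode(), headers)
    resp = conn.getresponse()
    return resp.status, parse_soap_values(resp.read().decode("utf-8", "replace"))

def discover(timeout=3):
    """Multicast M-SEARCH and return the LOCATION of every gateway that answers (live)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_msearch().encode(), (SSDP_GROUP, SSDP_PORT))
    found = []
    try:
        while True:
            hdrs = parse_ssdp_reply(s.recvfrom(4096)[0].decode("utf-8", "replace"))
            if hdrs and "location" in hdrs:
                found.append(hdrs["location"])
    except socket.timeout:
        pass
    return found

def offline_walkthrough():
    """Client side of the exchange against the constructed samples; the AddPortMapping
    argument order is the one WANIPConnection:1 defines. Values are assumed, not real."""
    hdrs = parse_ssdp_reply(SAMPLE_SSDP_REPLY)
    ctl = find_control_url(SAMPLE_ROOT_DESC, hdrs["location"])
    body, headers = soap_request("AddPortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", 6891), ("NewProtocol", "TCP"),
        ("NewInternalPort", 6891), ("NewInternalClient", "192.168.1.50"), ("NewEnabled", 1),
        ("NewPortMappingDescription", "Messenger"), ("NewLeaseDuration", 0)])
    return hdrs["location"], ctl, headers["SOAPAction"], body
```

On a LAN with a UPnP-enabled gateway, discover() returns the LOCATION URLs, find_control_url() on the fetched description gives the control URL, and call(ctl, "GetGenericPortMappingEntry", [("NewPortMappingIndex", 0)]) reads the first NAT entry; stepping the index until the gateway answers with a SOAP fault (errorCode 713, SpecifiedArrayIndexInvalid, per the WANIPConnection:1 service definition) dumps the whole table. A plain POST from any host on the LAN side is accepted, which is exactly the trust assumption Matt points out.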

David Shorthouse
December 5th 03, 08:14 PM
Matt,

Thanks for the reply, but all machines are using XP Pro SP1. Only the
laptop receives the Internet Gateway Device icon in its network connections
folder, the other PCs do not even though all the Optional Networking
components (IGD Detection and UPnP) are installed on all machines and the
SSDP service is running in the background.

> The files in the Temporary Internet Files folder are normal.

I think this is not normal because the laptop communicates well with the
router via the IGD icon and the system tray UPnP icon, but none of the other
PCs do. All of them have Messenger installed and running. UPnP seems to work
because I can see that the appropriate ports are being forwarded properly in
the UPnP port forwarding page of the router. However, it's as if the PCs
without the IGD icon are not accessing the router on boot or after an
ipconfig /renew because the rootDesc.xml file is nowhere to be found on these
machines, including where one would expect to find it:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5.
This is why I thought perhaps there was some sort of security problem when an
IP address is obtained from the router and when UPnP devices are first
detected. But, I guess I now see that security issues are not the problem
here and that something else must be faulting (even though there is nothing
in my error logs that would indicate this).

Dave


Matt Scarborough
December 5th 03, 08:15 PM
On Fri, 09 May 2003 19:52:42 GMT, David Shorthouse wrote
>
> Matt,
>
> Thanks for the reply, but all machines are using XP Pro SP1. Only the
> laptop receives the Internet Gateway Device icon in its network connections
> folder, the other PCs do not even though all the Optional Networking
> components (IGD Detection and UPnP) are installed on all machines and the
> SSDP service is running in the background.

Oops, sorry I didn't see all boxes were XP SP1.

You can try running My Network Places | Network Setup Wizard. After
rebooting, browse to somewhere like www.microsoft.com from one of the boxes
that previously did not have the "Internet Connection - Internet Gateway"
icon in My Network Places. It should show right up. At least it did here.
Two XP SP1 machines here can both use the "Internet Connection - Internet
Gateway" properties icon inside the LAN behind a Linksys BFSR-41 if UPnP is
enabled under the Password tab of the Linksys Gateway. These two machines
happen to have an assigned IP address (not using DHCP) if that could matter.

Matt Scarborough 2003-05-09


Matt Scarborough
December 5th 03, 08:15 PM
On Fri, 09 May 2003 20:39:27 +0000, Matt Scarborough wrote
> On Fri, 09 May 2003 19:52:42 GMT, David Shorthouse wrote
> >
> > Matt,
> >
> > Thanks for the reply, but all machines are using XP Pro SP1. Only the
> > laptop receives the Internet Gateway Device icon in its network connections
> > folder, the other PCs do not even though all the Optional Networking
> > components (IGD Detection and UPnP) are installed on all machines and the
> > SSDP service is running in the background.

Also make sure Gateway has the latest firmware from the Mfgr., and is
certified.
http://www.upnp-ic.org/certification/default.asp

David Shorthouse
December 5th 03, 08:15 PM
Tried your suggestions in the previous post just for kicks and it didn't
work. Still no IGD icon. Weird that it is visible on my laptop, but not any
of the other PCs. The router isn't listed by the UPnP group, but the
firmware is UPnP-ready and, like I mentioned, I have no issues with the
laptop.

Dave
