https://community.cisco.com/t5/network-security/csa-udp1900/m-p/608034#M94865 <P>Hello, I realise that this is generated by windows machines for SSDP/MSN. How can I stop these machines from generating this / what is the easiest way to stop these events from coming accross -I seem to get +-100 / day for a 15 user network</P><P></P><P>81 17/05/2006 11:35:43 TK01</P><P>&lt;<A class="jive-link-custom" href="https://192.168.50.16/csamc45/webadmin?page=host_view&amp;id=119" target="_blank">https://192.168.50.16/csamc45/webadmin?page=host_view&amp;id=119</A>&gt; Alert The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\LOCAL SERVICE) attempted to communicate with 192.168.50.14 &lt;javascript:resolveIPAddress('192.168.50.14');&gt; on UDP port 1900. The attempted access was to accept a connection as a server (operation = ACCEPT). The operation was denied. </P><P></P><P>TIA</P><P>Shervan</P> Sun, 10 Mar 2019 10:01:15 GMT Shervan Singh 2019-03-10T10:01:15Z https://community.cisco.com/t5/network-security/csa-udp1900/m-p/608034#M94865 <P>Hello, I realise that this is generated by windows machines for SSDP/MSN. How can I stop these machines from generating this / what is the easiest way to stop these events from coming accross -I seem to get +-100 / day for a 15 user network</P><P></P><P>81 17/05/2006 11:35:43 TK01</P><P>&lt;<A class="jive-link-custom" href="https://192.168.50.16/csamc45/webadmin?page=host_view&amp;id=119" target="_blank">https://192.168.50.16/csamc45/webadmin?page=host_view&amp;id=119</A>&gt; Alert The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\LOCAL SERVICE) attempted to communicate with 192.168.50.14 &lt;javascript:resolveIPAddress('192.168.50.14');&gt; on UDP port 1900. The attempted access was to accept a connection as a server (operation = ACCEPT). The operation was denied. </P><P></P><P>TIA</P><P>Shervan</P> Sun, 10 Mar 2019 10:01:15 GMT https://community.cisco.com/t5/network-security/csa-udp1900/m-p/608034#M94865 Shervan Singh 2019-03-10T10:01:15Z https://community.cisco.com/t5/network-security/csa-udp1900/m-p/608035#M94866 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>UDP 1900 is used by the Windows, e.g Windows XP, for SSDP Discovery Service. This is to enable discovery of UPnP devices in the network.</P><P></P><P>You can stop a machine from activating/running this service from the Control Panel - Administrative Tools - Services. Look for "SSDP Discovery Service". Double-clik and set the 'Startup type' either as manual or disabled. BY default, SSDP is enabled.</P><P></P><P>Before you stop this service, check the service status from MSDOS prompt using 'netstat -a' command. If this service is running, you should see something like "UDP <HOSTNAME>:1900 *:*".</HOSTNAME></P><P></P><P>Stop the service, and run the netstat command again to verify whether the 1900 service is still running or disabled.</P><P></P><P>Hope this helps.</P><P></P><P>Rgds,</P><P>AK</P></BODY></HTML> Thu, 18 May 2006 02:53:32 GMT https://community.cisco.com/t5/network-security/csa-udp1900/m-p/608035#M94866 a.kiprawih 2006-05-18T02:53:32Z https://community.cisco.com/t5/network-security/csa-udp1900/m-p/608036#M94867 <HTML><HEAD></HEAD><BODY><P>If you don't want to turn the service off, you can create another rule that is set to deny (not high priority deny) svchost.exe accepting connections on UDP 1900, set to not log and set to take precedence over other deny rules. </P><P></P><P>The only time this will log is when machines are in test mode and then the only place you see messages is on the MC. </P><P></P><P>Tom S</P></BODY></HTML> Thu, 18 May 2006 04:14:18 GMT https://community.cisco.com/t5/network-security/csa-udp1900/m-p/608036#M94867 tsteger1 2006-05-18T04:14:18Z