CSA UDP1900??

Shervan Singh · ‎05-17-2006

Hello, I realise that this is generated by windows machines for SSDP/MSN. How can I stop these machines from generating this / what is the easiest way to stop these events from coming accross -I seem to get +-100 / day for a 15 user network

81 17/05/2006 11:35:43 TK01

<https://192.168.50.16/csamc45/webadmin?page=host_view&id=119> Alert The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\LOCAL SERVICE) attempted to communicate with 192.168.50.14 <javascript:resolveIPAddress('192.168.50.14');> on UDP port 1900. The attempted access was to accept a connection as a server (operation = ACCEPT). The operation was denied.

TIA

Shervan

a.kiprawih · ‎05-17-2006

Hi,

UDP 1900 is used by the Windows, e.g Windows XP, for SSDP Discovery Service. This is to enable discovery of UPnP devices in the network.

You can stop a machine from activating/running this service from the Control Panel - Administrative Tools - Services. Look for "SSDP Discovery Service". Double-clik and set the 'Startup type' either as manual or disabled. BY default, SSDP is enabled.

Before you stop this service, check the service status from MSDOS prompt using 'netstat -a' command. If this service is running, you should see something like "UDP :1900 *:*".

Stop the service, and run the netstat command again to verify whether the 1900 service is still running or disabled.

Hope this helps.

Rgds,

AK

tsteger1 · ‎05-17-2006

If you don't want to turn the service off, you can create another rule that is set to deny (not high priority deny) svchost.exe accepting connections on UDP 1900, set to not log and set to take precedence over other deny rules.

The only time this will log is when machines are in test mode and then the only place you see messages is on the MC.

Tom S