CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
5.30 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' (Scored)
Profile Applicability:
Level 1 (L1) - Corporate/Enterprise Environment (general use)
Description:
Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer.
The recommended state for this setting is: Disabled.
Rationale:
Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Note that UPnP is different from regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious, enterprise-managed environment.
Audit:
Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV:Start
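The registry-backed audit above can be scripted. The following PowerShell check is an added example, not part of the benchmark text. The function name Test-SsdpSrvDisabled is hypothetical. It relies on the standard Windows service Start values, where 4 means Disabled and 3 means Manual, and it also reports whether the service is still running, since changing the start type does not stop an already running service.

```powershell
# Added example: audit check for recommendation 5.30 (SSDP Discovery).
# Test-SsdpSrvDisabled is a hypothetical helper name, not a built-in cmdlet.
function Test-SsdpSrvDisabled {
    [CmdletBinding()]
    param(
        # Registry location given in the Audit section of the benchmark.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV'
    )

    # Service start types as stored in the 'Start' DWORD.
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    $result = [ordered]@{
        Control   = '5.30 (L1) SSDP Discovery (SSDPSRV)'
        StartRaw  = $null
        StartType = 'NotReadable'
        Running   = $false
        Compliant = $false
        Note      = ''
    }

    try {
        $start = [int](Get-ItemProperty -Path $KeyPath -Name Start -ErrorAction Stop).Start
        $result.StartRaw = $start
        $result.StartType = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { 'Unknown' }
        # The benchmark's recommended state is Disabled (Start = 4).
        $result.Compliant = ($start -eq 4)
    }
    catch {
        # Key or value missing, or access denied: do not report a pass.
        $result.Note = "Could not read Start under $KeyPath; review manually."
    }

    # A service set to Disabled keeps running until it is stopped or the host reboots.
    $svc = Get-Service -Name 'SSDPSRV' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $result.Running = $true
        if ($result.Compliant) {
            $result.Note = 'Start type is Disabled but the service is still running.'
        }
    }

    [pscustomobject]$result
}

Test-SsdpSrvDisabled | Format-List
```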
Remediation:
To establish the recommended configuration via GP, set the following UI path to: Disabled.
Computer Configuration\Policies\Windows Settings\Security Settings\System Services\SSDP Discovery
Impact:
SSDP-based devices will not be discovered.
Default Value:
Manual