> Any machine with an external IP address is more at risk than a machine behind a NAT router
I think that's a fair point, but it needs to be put in context.
Many systems administrators I know of work in a world where chaos reigns, to some degree, in terms of what might be happening _inside_ their network. They need to worry about chaotic, uncontrolled app installations, what unwise tricks users may get up to and about what kind of other machines might come to visit and live on a LAN for a while.
Now in this kind of world, things like firewalling and indeed NAT as opposed to no-NAT do definitely give an improvement in security, because in some small number of scenarios they place additional barriers in the way of getting evil apps or simply unwise apps to work.
If I lived in that kind of world, then I would have changed my remarks earlier, and would be saying something rather different. So I think kitz and the other posters have a point, but they and I may be at cross purposes since I tend to keep talking from my own point of view based on the _highly controlled_ systems I work with, where random app _installation_ is made as near to impossible as can be and only carefully vetted, well-behaved apps are in use.
So other posters' remarks are likely to be stemming from the more difficult situations that they have had to deal with, and their differing positions are to be respected because of the different assumptions that lie behind them.
Another point about no-NAT.
> As I say in the hands of professionals and people that know what they are doing then UPnP is not a risk.
And this is a fair point. About differing perspectives again. But I'd say that NAT is not the issue here. If an app needs NAT and UPnP and UPnP has been disabled, then that's a way of stopping that app from working and this breaking of the app might be a security measure if you should not have been allowing this app to run in the first place. So in a roundabout way, UPnP=off does amount to being a security measure, albeit indirectly.
Kitz's comments about "making it harder to connect to a particular machine, without that PC first sending a request" were something I initially felt I was going to immediately disagree with, as a stateful firewall will look to make sure inbound communications are "solicited", i.e. are happening as a result of earlier outbound messages initiating dialogue. But again I think it's about context. In one case I can think of, kitz has a point. What if a firewall is poorly configured? In the kitz scenario, a NAT mapping has to be set up, and this only happens if there has been an earlier sequence of actions originating from inside the LAN.
So a lot rather depends on your default assumptions. And I suspect that some of my defaults are not helpful to others! :-)
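The distinction drawn in the thread above (a stateful filter that checks inbound traffic is "solicited", versus a NAT mapping that only exists once a LAN host has sent something out first, and UPnP as the way an app creates such a mapping without any outbound traffic) can be made concrete with a small model. The following is an added example, not code from the original post or from any poster; the host addresses, ports and packets are constructed for the illustration and the two classes are deliberately simplified toy versions of a connection-tracking firewall and a NAT gateway.

```python
"""Toy model: a no-NAT stateful firewall beside a NAT gateway.

Added example, not from the original forum post. Addresses and ports are
constructed (RFC 5737 documentation ranges) and refer to no real network.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow(self) -> Flow:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self) -> Flow:
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class StatefulFirewall:
    """No-NAT case: hosts have public addresses; the filter remembers outbound flows.
    permissive=True stands for a misconfigured rule set that accepts all inbound."""
    permissive: bool = False
    seen_outbound: Set[Flow] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> Packet:
        self.seen_outbound.add(pkt.flow())
        return pkt  # nothing is rewritten, the host is directly addressable

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        solicited = pkt.reverse_flow() in self.seen_outbound
        return pkt if (solicited or self.permissive) else None


@dataclass
class NatGateway:
    """NAT case: one external address. A mapping is created only by outbound traffic,
    or by a UPnP request when UPnP is enabled."""
    external_ip: str
    permissive: bool = False
    upnp_enabled: bool = False
    next_port: int = 40000
    # external port -> (lan_ip, lan_port, remote_ip, remote_port); remote is None for static maps
    mappings: Dict[int, Tuple[str, int, Optional[str], Optional[int]]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        for ext_port, entry in self.mappings.items():
            if entry == pkt.flow():
                break
        else:  # first packet of this flow: allocate an external port
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[ext_port] = pkt.flow()
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def upnp_add_port_mapping(self, ext_port: int, lan_ip: str, lan_port: int) -> bool:
        """An app asks the router to open a port with no prior outbound traffic."""
        if not self.upnp_enabled:
            return False
        self.mappings[ext_port] = (lan_ip, lan_port, None, None)
        return True

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.mappings.get(pkt.dst_port)
        if entry is None:
            return None  # no translation target: dropped whatever the filter rules say
        lan_ip, lan_port, rip, rport = entry
        solicited = rip is None or (rip, rport) == (pkt.src_ip, pkt.src_port)
        if not (solicited or self.permissive):
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def unsolicited_scenario(permissive: bool) -> dict:
    """Unsolicited inbound to port 445 on a LAN host, no-NAT versus NAT, with the
    filter either correctly configured or permissive."""
    attacker = ("203.0.113.9", 51000)
    fw = StatefulFirewall(permissive=permissive)
    direct = fw.inbound(Packet(*attacker, "198.51.100.20", 445))
    nat = NatGateway("198.51.100.1", permissive=permissive)
    nat.outbound(Packet("192.168.1.20", 53211, "192.0.2.53", 53))  # host only did a DNS query
    translated = nat.inbound(Packet(*attacker, "198.51.100.1", 445))
    return {"no_nat_delivered": direct is not None, "nat_delivered": translated is not None}


def upnp_scenario(upnp_enabled: bool) -> bool:
    """An app behind NAT requests an inbound port, then an unsolicited packet arrives."""
    nat = NatGateway("198.51.100.1", upnp_enabled=upnp_enabled)
    nat.upnp_add_port_mapping(6881, "192.168.1.20", 6881)
    return nat.inbound(Packet("203.0.113.9", 51000, "198.51.100.1", 6881)) is not None


if __name__ == "__main__":
    print(unsolicited_scenario(permissive=False), unsolicited_scenario(permissive=True))
    print(upnp_scenario(False), upnp_scenario(True))
```

With a correctly configured filter both models drop the unsolicited packet. With the permissive (misconfigured) filter the no-NAT host receives it, while the NAT gateway still has nowhere to send it because no mapping for port 445 was ever created; that is the kitz scenario. The UPnP function is the exception that creates a mapping without an outbound packet, and refusing it when UPnP is off is the indirect security measure described in the post.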