Does NIS 2010 require the Windows program Terminal Services?

Sorry to always have multiple posts, I will stay on this post for ANYTHING related to this issue

Thanks All

Software firewalls will block port 3389 by default.  Check your firewall rules and make sure something has not caused this port to be opened.  Most of us were either never familiar with the NAV 2008 firewall or have forgotten everything we ever knew about it.  AllenM is almost certainly correct that once you replace this "Firewall" with a full Firewall in NIS this port will be stealthed.


SendOfJive wrote:

Software firewalls will block port 3389 by default.  Check your firewall rules and make sure something has not caused this port to be opened.  Most of us were either never familiar with the NAV 2008 firewall or have forgotten everything we ever knew about it.  AllenM is almost certainly correct that once you replace this "Firewall" with a full Firewall in NIS this port will be stealthed.


Thanks, but then here is where I come full, though convoluted circle.

I understand that when a port is listening, it is listening because of one of the services needing to listen on the port

So when I run netstat -ano, I see one of the svchost.exe processes listening. When I check the services associated with this particular svchost.exe, I see the following services:

Cryptographic services
DNS client
network location awareness
KtmRm for distributed transaction coordination
telephony
 terminal services

 

Seeing as how Terminal Services uses port 3389, I assume that it is the culprit and thus thought if I disabled it, the port would not be listening, which proved true. But if I need Terminal Services on for Norton, then I best keep it enabled

SendofJives,

I've set the terminal services for "manual" and it doesn't run automatically upon bootup.  I assume it will only run when needed. I didn't encounter any problems. Please advise.

According to BlackViper, Terminal Services should be left at the default, which is Manual in XP and Automatic in Vista.  He doesn't even show this service listed for Windows 7, and I am unfamiliar with that OS still, so I can't give you an answer.  Does the service show as "Started?"

No it doesn't. It's not started

Windows Terminal Services implements Windows' ability to have multiple users logged in concurrently. This can be through fast user switching, remote desktop or remote access. As indicated previously, the Norton products require this to work properly under these scenarios.

 

Follow the instructions in this article, in reverse, to disable remote desktop and remote assistance.

 

You may wish to try these instructions to change the Remote Desktop port. I don't know if deleting the entry will make it stop listening altogether or not.

 

How about if you do not use remote access. Can I set it to manual? I didn't encounter any errors or see any error logged in the NIS product

Hello Tywin7,

 

It's best to leave it at the default setting. 

NVM found out that in Win7, terminal service is renamed remote desktop service and is manual by default

Thanks all for your help

When I research around on the Microsoft site and other sites, I get all sorts of conflicting info about Terminal Services and port 3389 being open automatically, then others saying it's closed etc.

This issue is important for me in regard to NIS 2010 and the pending installation of such.

Wondering if we might do a little test/poll?

 

For those using Vista Home Premium 32 bit with vista SP 2:

1. Is Terminal Services shown as started and start up type automatic?

 

2. When you run netstat -ano, does port 3389 show as "listening" status with a svchost.exe process

    and one of the services Terminal services?

 

3. When you run Shields Up specific to port 3389, does it show port 3389 as open?

 

just think it would be interesting to see what we see for other Vista Home Premium users


SendOfJive wrote:

Hi Calls,

 

If you do a Windows search of your PC for any file with "Remote Desktop" in the name, what comes up?


when I did a windows search for any item with "remote desktop" in its name, the only thing that came up was

 

remote desktop connection  shortcut

C:\ProgramData\Microsoft\Windows\StartMenu\Program\Accessories\


reese_anschultz wrote:

Windows Terminal Services implements Windows' ability to have multiple users logged in concurrently. This can be through fast user switching, remote desktop or remote access. As indicated previously, the Norton products require this to work properly under these scenarios.

 

Follow the instructions in this article, in reverse, to disable remote desktop and remote assistance.

 

You may wish to try these instructions to change the Remote Desktop port. I don't know if deleting the entry will make it stop listening altogether or not.

 


thanks Reese-

On my system Vista Home Premium with Vista SP 2, When I go

right click on computer>select properties> click on remote settings  I only have the option for

Remote assistance and that box is UNCHECKED, so I think that remote assistance is not on,

or I assume so

 

 

Reese- when you say

Windows Terminal Services implements Windows' ability to have multiple users logged in concurrently. This can be through fast user switching, remote desktop or remote access. As indicated previously, the Norton products require this to work properly under these scenarios.

1. are you referring to when and if one needs remote help from Norton techs? So would Terminal Services need to be on otherwise?

Also in the past you helped me with the port 3389 issue. At the time you said the port will close if we close down the service that uses it. I wasn't aware at that time what service was using it. But as I stated in earlier posts, if Terminal Services is disabled, then netstat does not show any process/service listening on that port.

2.So wouldn't it be safe to say that it is Terminal Services keeping this port open?

 

 

Calls:

 

He has apparently advised twice, at least, that Norton requires terminal services to work properly.  Regardless of what component needs it, the fact is that it needs it.

 

Just because a port is listening does not mean that it allows anything in that it is not supposed to.  Listening is not the same as gaping open. If it isn't listening, it can't do its job.  Six times already we have been over the same thing.  Why don't you just grit your teeth and get on with it??

You have to remember, that for some of us this is like a completely foreign language. And sometimes even when we ask and get an answer, we don't completely grasp it

 

But what I will take from this, and correct me if I'm off base, is that port 3389 may show listening, and it may even allow other IP addresses to make contact with it, AND it might even let there be an exchange of some bytes..... But that doesn't necessarily mean that it is open and allowing maliciousness to come in and then that is where the other parts of NIS come in

 

so am I on target?

Hi Calls,

 

Yes - that is correct.

 

Please note that we have advised you that Terminal Services should remain on, and that you shouldn't make any of the lower level modifications to the port settings. This is the OFFICIAL response. 

 

On a side note: It's best for users who are novices at settings or even certain areas of the computers to leave those areas which you are not familiar with alone. Changing settings that you are not 100% familiar with can cause issues in your system, but leaving them at default settings avoids those problems. Most systems come preconfigured the way they need to be. The default NIS settings are set in a way that they are generic enough for novice users to install the program and not need to make any settings adjustments. For the most part, Windows is the same way. Many settings do not need to be changed, but are there so that advanced users can make the tweaks if they see fit. 

 

You'll likely disturb yourself if you dig around at settings/configurations/logs/events that are intended only for advanced users. For the most part, computers with Norton protection installed work completely fine without settings needing to be tweaked. We've worked hard to ensure that the ease of installation works for everyone. 

 


Calls wrote:

thanks Reese-

On my system Vista Home Premium with Vista SP 2, When I go

right click on computer>select properties> click on remote settings  I only have the option for

Remote assistance and that box is UNCHECKED, so I think that remote assistance is not on,

or I assume so

 

 

Reese- when you say

Windows Terminal Services implements Windows' ability to have multiple users logged in concurrently. This can be through fast user switching, remote desktop or remote access. As indicated previously, the Norton products require this to work properly under these scenarios.

1. are you referring to when and if one needs remote help from Norton techs? So would Terminal Services need to be on otherwise?

Also in the past you helped me with the port 3389 issue. At the time you said the port will close if we close down the service that uses it. I wasn't aware at that time what service was using it. But as I stated in earlier posts, if Terminal Services is disabled, then netstat does not show any process/service listening on that port.

2.So wouldn't it be safe to say that it is Terminal Services keeping this port open?

 

 


Norton Support doesn't use the Remote Assistance feature of windows. As you discussed previously, this probably got enabled a long time ago when you used Microsoft's Remote Assistance. Remote Assistance requires your permission to do anything, so, a Microsoft technician might be able to connect to your machine and 'ask' to assist you but before they can do anything else, you have to give them permission. Since you've disabled the feature they won't be able to ask.

 

Terminal Services is a core set of functionality to enable multiple logins. Remote Desktop allows additional logins from remote locations. Remote Assistance is a specialized version of Remote Desktop that allows helpers to assist you on your machine. I don't know where Microsoft chose to implement the code that listens on the Remote Desktop port but it certainly can be closely related to Terminal Services. Ultimately it's the Remote Assistance feature that is keeping the port open waiting for unsolicited offers of assistance.

MUCH THANKS REESE

 


reese_anschultz wrote:

 

Norton Support doesn't use the Remote Assistance feature of windows. As you discussed previously, this probably got enabled a long time ago when you used Microsoft's Remote Assistance. Remote Assistance requires your permission to do anything, so, a Microsoft technician might be able to connect to your machine and 'ask' to assist you but before they can do anything else, you have to give them permission. Since you've disabled the feature they won't be able to ask.

 

Terminal Services is a core set of functionality to enable multiple logins. Remote Desktop allows additional logins from remote locations. Remote Assistance is a specialized version of Remote Desktop that allows helpers to assist you on your machine. I don't know where Microsoft chose to implement the code that listens on the Remote Desktop port but it certainly can be closely related to Terminal Services. Ultimately it's the Remote Assistance feature that is keeping the port open waiting for unsolicited offers of assistance.


Thanks Reese, that helps me understand

A few last questions:

1. So once port 3389 is open, then it doesn't seem to be able to close?

 

2. Since you've disabled the feature they won't be able to ask

    Is that why sometimes I see unsolicited connection sending small bytes to and from (when the port is not blocked)?

    it is someone trying to make connection, reaching the port, asking, but only getting a reply that the port is there but remote assistance is NOT enabled?

 

3. So the port being open is a slight security risk in that, as you said 

    that is keeping the port open waiting for unsolicited offers of assistance.?

  

4. So after I install NIS 2010, will that port still be opened?

   

5. And if so, should I just recreate the same block rule that I have had in place for awhile now?

 

This  part causes me great security worry:

 Ultimately it's the Remote Assistance feature that is keeping the port open waiting for unsolicited offers of assistance.

and any steps I can take, if indeed there are any, to make this not be a security vulnerability, please let me know  ( or is that where the multiple layers of security come into play?)

 


Calls wrote:
[...]

Thanks Reese, that helps me understand

A few last questions:

1. So once port 3389 is open, then it doesn't seem to be able to close?

 

2. Since you've disabled the feature they won't be able to ask

    Is that why sometimes I see unsolicited connection sending small bytes to and from (when the port is not blocked)?

    it is someone trying to make connection, reaching the port, asking, but only getting a reply that the port is there but remote assistance is NOT enabled?

 

3. So the port being open is a slight security risk in that, as you said 

    that is keeping the port open waiting for unsolicited offers of assistance.?

  

4. So after I install NIS 2010, will that port still be opened?

   

5. And if so, should I just recreate the same block rule that I have had in place for awhile now?

 

This  part causes me great security worry:

 Ultimately it's the Remote Assistance feature that is keeping the port open waiting for unsolicited offers of assistance.

and any steps I can take, if indeed there are any, to make this not be a security vulnerability, please let me know  ( or is that where the multiple layers of security come into play?)


1. You have to figure out which process has it open and configure that process to not open it. It could be the terminal services process or some other process related to remote desktop/assistance.

 

2. Yes

 

3. Because remote assistance won't let the user have access without you first granting it, this isn't much of a risk.

 

4. I'm not positive about the behavior in the 2010 products. You probably will see an open port with netstat but shouldn't be able to access it from a remote machine due to the firewall.

 

5. Your best course of action is to talk to Microsoft and ask them how to make remote assistance stop listening. I just spent some time and couldn't get my Vista image to open that port. It doesn't hurt to recreate the block rule but I suspect that it's not necessary, especially since the service can't be used without your permission.
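
The check discussed in this thread (run netstat -ano to find the PID listening on port 3389, then list the services hosted in that svchost.exe) is sketched below as an added example; it is not part of any poster's reply. It parses constructed `netstat -ano` and `tasklist /svc` output, and the PIDs, addresses and the `localagent.exe` / `LocalAgentSvc` names are made-up sample values.

```python
import re

# Constructed sample of `netstat -ano` output (not captured from a real machine).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1124
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       560
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1900
  TCP    192.168.1.10:50112     203.0.113.7:443        ESTABLISHED     2204
  TCP    [::]:3389              [::]:0                 LISTENING       1124
"""
# Constructed sample of `tasklist /svc` output; long service lists wrap.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
wininit.exe                    560 N/A
svchost.exe                   1124 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
                                   TermService
localagent.exe                1900 LocalAgentSvc
"""

def parse_tasklist(text):
    """Map PID -> (image name, [service names]), joining wrapped service lines."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last, rest = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif line.startswith(" ") and line.strip() and last is not None:
            rest = line  # continuation of the previous process's service list
        else:
            continue  # header, separator or blank line
        names = (s.strip() for s in rest.split(","))
        procs[last][1].extend(s for s in names if s and s != "N/A")
    return procs

def listeners(text, port):
    """Return (local_ip, pid) for each TCP socket in LISTENING state on `port`."""
    found = []
    for fields in map(str.split, text.splitlines()):
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ip, _, p = fields[1].rpartition(":")
            if int(p) == port:
                found.append((ip, int(fields[4])))
    return found

def explain(port, netstat=NETSTAT, tasklist=TASKLIST):
    """For each listener on `port`: owning image, hosted services, bind scope."""
    procs, rows = parse_tasklist(tasklist), []
    for ip, pid in listeners(netstat, port):
        image, services = procs.get(pid, ("unknown", []))
        # Loopback binds accept local connections only; 0.0.0.0 / [::] accept on
        # every interface, so remote reachability is then up to the firewall.
        scope = ("loopback only" if ip in ("127.0.0.1", "[::1]")
                 else "all interfaces" if ip in ("0.0.0.0", "[::]") else ip)
        rows.append({"ip": ip, "pid": pid, "image": image,
                     "services": services, "scope": scope})
    return rows
```

A shared svchost.exe narrows the listener to a group of services rather than a single one, which is why the PID alone pointed at six candidates in the post above.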

Thanks again Reese

 

I'm trying to get a good grasp as I'm installing NIS tomorrow. I want to set it up and then not worry, but I think a few minor tweaks are needed

 

 

What I do know is that if I disable terminal services, then port 3389 does not show as listening

But as I now know, Terminal Services should not be disabled. So I will leave it alone

 

1. So if port 3389 is in listening status, then does that mean it would allow something to use it as a point of entry?

Maybe if I use this analogy

let's say there is a door to some part of my house, say a work room. So anyone who needs the work room would enter my house through that door. But can they use that door to enter my house to then run through different rooms of my house?

 

2. Is port 3389 on listening status by default on all Vista Home Premium systems?

 

I know people on here have tried to help me, and I APPRECIATE THEM ALL VERY MUCH.

 

3. I know it is not good to close a port or make any modifications to the firewall, but  if I create a block rule for port 3389 against outside computers, will that cause any harm? I mean if port 3389 is just used for remote help, then blocking it should only affect that right? I mean it shouldn't cause any other problems right?

 

One other question and this revisits another issue you helped me with ( I tried to just reply to that post but I was not able to)

http://community.norton.com/t5/Norton-Internet-Security-Norton/remote-IPs-trying-to-access-my-wininit-exe/td-p/205789/page/2

 

I just ran netstat -ano and I see port 49152 in a "listening" status and the process is wininit.exe

I know port 49152 is for torrent sharing and all and I DO NOT DO THAT

 

4. So should that port be open if I'm not engaging/don't want to engage in such activity??

 

5. Should that wininit.exe  be listening out on the internet for connections?

 

6. would it be safe to block port 49152 anyway since I don't do p2p sharing, torrent stuff anyway?

I mean keeping that port blocked also should not cause problems for me right?

 

as I say, I want to install NIS, make these two modifications to the firewall and then not worry anymore