NIS firewall bug?

Hi,

The short rundown:

I used to RDP from my work machine to my home machine directly over the internet. After I installed NIS, I could no longer do that (which is totally normal, because firewalls should explicitly block all unknown connections by default).

After installing NIS on my home machine, I created custom traffic rules within the firewall to allow only the IP of my work machine - that worked.

In the meantime, I've decided to tunnel my RDP connection through a VPN. Because of that, I wanted to block access to RDP from the internet (as NIS initially did) and only allow it via the VPN.

In doing so, I deleted the custom rule I created, but that didn't work - I could still access my home machine from my work machine directly via the internet (I haven't yet tried connecting from other machines). After that, I thought that resetting the firewall settings might do the trick, but it didn't.

I then contacted Norton support who said that the firewall uses adaptive rules (which, afaik are actually app definitions for a whitelist, not for the traffic rules as well) and that the only option to fix the issue would be to either:

a) create a firewall rule that will explicitly block the IP of my work machine

b) reinstall NIS altogether so that the firewall would return to the initial state

This means that deleting custom traffic rules does absolutely nothing (it should return to the default behaviour, which is block stuff from the IPs that were in the rules), and that raises some interesting security concerns.

Is this a bug or intended behaviour? Also, is there a way to fix this without having to reinstall NIS or explicitly block the IPs?

Thanks.

Yes, I did and the connection is still permitted.

Hi fauxpride

Is the computer listed in the trust control in the smart firewall? You can check this by clicking the Norton icon, click settings, click network, click smart firewall, click trust control, click ok for the window on top then on the left hand side there is a plus and minus sign to add and remove devices.

Another access point is, click the Norton icon, click advanced, underneath Network protection, click network security map, click ok for the window on top then on the left hand side there is a plus and minus sign to add and remove devices.

ATB

intesec

 

Hi intesec,

Yes, the desktop is listed in the trust control list.

Strangely enough, after I've set up the VPN, my work computer is listed as well as "Protected" - might this be the cause of the problem?

LE: Actually, there's no device listed in Trust Control - I was mistakenly looking on the other networks (my VPN network).

See if you can find the original Remote Desktop Connection rule from Norton and delete it. Restart your computer and the default Remote Desktop Connection rule will be created next time you use RDP.

Hi Peter,

I can't find any application rule for mstsc.exe. Anyway, shouldn't resetting the firewall do just that - delete all application rules amongst other things?

Thanks for the help.


fauxpride wrote:

Hi Peter,

I can't find any application rule for mstsc.exe. Anyway, shouldn't resetting the firewall do just that - delete all application rules amongst other things?

Thanks for the help.


Yes, resetting the firewall will work. I was just trying to use a light handed approach before clearing everything.

BTW, I found the setting under Remote Desktop Connection.

I've already reset the firewall (see first post) and that didn't solve it.

Any other ideas?

I'm inclined to think that this is indeed a bug.

Thanks.

Did you try deleting the rule for Remote Desktop Connection?

It is possible that as you have allowed the connection through the VPN to that computer, that it is allowed outside the VPN also. I only know of VPNs, I do not know the details of how a firewall might handle them.

Are you able to access your system from any other computer outside your home, or just your work computer? This could test whether my last thought has anything to do with this.


OK, this is worse than I thought.

I've tried connecting from another machine and I get the RDP username and password prompt.

This means that the firewall isn't working AT ALL.

When I first created the rule for my work machine, I set it to log all activity when the rule is applied. I then started to get all sorts of strange log entries - rule was applied when I was using Firefox, for example or when lsass.exe wanted to connect to the internet.

Peter, what do you mean by Norton Remote Desktop rule?

I'll try deleting that rule (if I find it). Otherwise, I will reinstall.

Any idea on how I can report bugs?

EDIT2: I am using a No-IP DUC client because I have a dynamic IP - may that be the cause (the firewall doesn't know how to resolve the requests coming from No-IP)?

EDIT3: It's not because of No-IP - I've tried connecting on my real IP address from another machine and I can still connect.

The firewall is working, it is just that by default Remote Desktop Protocol is allowed. When you find the rule I noted, Remote Desktop Connection is what it is called on my Win 7 system with NIS 3013, you can change the rule to Block.

Could you tell me where exactly to find that RDP rule?

I've looked for it in both the program and traffic rules and I can't find it.

Thx.

On my Win 7 Ultimate system with NIS v20 (2013) it is under Settings - Network - Smart Firewall. Click on Configure beside Program rules. Scroll down until you see Remote Desktop Connection.

[Attached image: RDP program rule.JPG]

I don't have that rule - I'm guessing mstsc.exe is called only on the machine you connect FROM, not TO.

There's another binary that starts on the machine you're connecting to (I forgot the name), and AFAIK, there's also a svchost.exe instance through which the terminal services are started.

Anyway, I'll reinstall to see if that solves the problem because I don't see any other option.

Hope this gets recognized as a bug and gets solved in some future version, because it's pretty serious - I'll keep pushing their support until it gets solved.

I've reinstalled and still no luck - the firewall is permitting RDP from ANY IP.

The only way I managed to get the firewall to block it was if I added the machine to Trust Control and set the Trust Level to Restricted.

Surely this can't be how it's supposed to work - when I first installed NIS it blocked RDP by default...

Hi fauxpride

Using the Norton removal tool is the best way to completely remove the Norton product. I don’t know if this will have any effect or if you have used the NRT. You have mentioned that the Norton firewall worked correctly until the VPN was used, can I suggest that you uninstall the VPN client, and then restart the computer. Then follow the process below and then check to see if the firewall works correctly, if it does then a different VPN client may be an option.

Download the NRT before doing the below.

Norton removal tool.

www.Norton.com/nrt

To uninstall any security software use the Windows add/remove programme first.

Then restart the computer.

Then run the removal tool.

Then restart the computer.

Reinstall Norton, run live updates as many times as it takes to get, no more live updates, restarting as required.

You might like to backup the personal data and you’ll need to backup or export in both formats your identity safe and any other users identity safe if it is used, before doing the above.

ATB

intesec

Go to settings/network/smart firewall/program rules/configure.

Find the entry labeled "System" hit modify and find the Inbound Specific TCP rule there.

Modify shows it includes inbound TCP port 3389 (RDP). Change to block/allow log, etc.

Hi Peter,

These are the system rules I have after I've reinstalled:

[Attached image: systemapp.jpg]

I have created an inbound rule for the custom RDP port I use - will test to see if it works when I get to another machine.

A question though - If I ever want to allow RDP again for a certain IP, will a custom traffic rule for that IP override this system rule?

Thanks.

RDP will get added to the System rule the first time a connection is established if no other rule applies as long as the rule has not been customized.

 

Traffic rules and trust settings are evaluated before program rules so yes it will override the System rule.
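
The evaluation order described in the last reply, as an added example that is not part of the original thread and not Norton's code: a simplified first-match model in which traffic rules are checked before program rules. The rule names, the sample addresses, the first-match behaviour within a stage and the final default block are assumptions; trust settings are left out because the thread does not say how they are ordered relative to traffic rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str                   # illustrative label, not a real NIS identifier
    action: str                 # "allow" or "block"
    port: int                   # local TCP port the rule covers
    remote: str = "0.0.0.0/0"   # remote addresses the rule covers (CIDR)

    def matches(self, src: str, port: int) -> bool:
        return port == self.port and ip_address(src) in ip_network(self.remote)

def evaluate(traffic_rules, program_rules, src, port):
    """Return (action, deciding rule). Traffic rules are checked before
    program rules, as the last reply states; first match wins (assumption)."""
    for stage, rules in (("traffic", traffic_rules), ("program", program_rules)):
        for rule in rules:
            if rule.matches(src, port):
                return rule.action, f"{stage}:{rule.name}"
    return "block", "default"   # assumption: unmatched inbound traffic is blocked

RDP = 3389
WORK, OTHER = "203.0.113.10", "198.51.100.7"   # constructed documentation addresses

allow_work = Rule("allow-work-ip", "allow", RDP, "203.0.113.10/32")
system_allow = Rule("System inbound TCP", "allow", RDP)   # System rule including 3389
system_block = Rule("System inbound TCP", "block", RDP)   # same rule changed to Block

def scenarios():
    return {
        # Custom allow rule present, System rule still allowing 3389 from anywhere.
        "with_rule_other": evaluate([allow_work], [system_allow], OTHER, RDP),
        # Custom rule deleted: the work IP falls through to the System rule.
        "rule_deleted_work": evaluate([], [system_allow], WORK, RDP),
        # System rule set to Block, no traffic rule: everyone is blocked.
        "system_block_other": evaluate([], [system_block], OTHER, RDP),
        # System rule set to Block plus a traffic rule for one IP: the override.
        "override_work": evaluate([allow_work], [system_block], WORK, RDP),
        "override_other": evaluate([allow_work], [system_block], OTHER, RDP),
    }

if __name__ == "__main__":
    for name, (action, rule) in scenarios().items():
        print(f"{name:20} {action:5} via {rule}")
```

Under this model, deleting the per-IP allow rule changes nothing while the System program rule still allows port 3389, which matches what the original poster observed.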