Terminal Services and Norton antivirus 2009

Okay, can someone definitively say that Norton antivirus 2008 or later requires Terminal Services to be running at all times?  I have installed Norton 2009 antivirus and if I go to the services snap-in and disable Terminal Services, then immediately reboot, Terminal Services is magically set to manual and is still running!!  Furthermore, if I uninstall Norton Antivirus 2009 and disable Terminal Services on the same machine, reboot, Terminal Services will then be stopped and disabled.

I have read forums on this site where people are having problems installing Norton Antivirus 2009 because Terminal Services is either not installed or started.  If the Norton product has a dependency on Terminal Services what in the world was Symantec thinking!!

One more thing, if Norton Antivirus does require Terminal Services to be running is there a way to configure the product so that it doesn't require the service?  I work for a rather large corporation whose software requires Terminal Services to be disabled and stopped.

I’m sorry that we don’t have an answer for you yet.  I will mark your post to the attention of the Symantec staff for further information.

bard -

 

In researching some of the errors for 2009 products, it appears that the Terminal Services does have to be running for NAV / NIS / N360 to function properly.  Unfortunately, since your company needs the service to be disabled, I would say in this case that Norton is not for your situation.  Sorry.

I find it extremely disturbing and aggravating that NAV, NIS, and N360 products require Terminal Services to be running; moreover, it is irresponsible for Norton to do it without clear and complete disclosure to the consumer.  I’ve read through the User License Agreement (ULA) and the only thing mentioned, that is even close, is found under the technical support section that states, “You may choose to access certain technical support features that may be offered from within the Software, which may include live chat with technical support agent and/or assistance from a technical support agent via remote computer access … “, which may or may not be the driving factor behind requiring Terminal Services to be running.

While it could be argued that the average Norton home consumer probably does not know and does not care what Terminal Services is; thus, it is highly probable that the large majority will not deviate from the OS default and disable it. To the rest of us that do care about the possible security vulnerability created by running Terminal Services, and have taken measures to disable the service, it isn’t fair that Norton’s products would re-enable the service (without notification).  To people possibly reading this article who don’t know what Terminal Services is, here is Microsoft’s description of the service:

“Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.”

In layman’s terms, this means that if this service is running on your computer and is configured correctly a legitimate user (that has the permissions necessary) can connect to your computer and work on it as though they are sitting in front of your computer.  It seems an oxymoron, a software package that is supposed to make a computer more secure requires the opening of a possible security exploit.

 

For anyone interested I did find a way to keep Terminal Services from starting.  All features of NAV 2009 still appear to be working after I applied the workaround mentioned below.  In addition, I did this before I performed the installation.  After NAV was installed, I had to reboot the computer in order to get NAV to startup.   The same procedure below works just fine if you do it after the installation. 

 

1. Create a user account in computer management.
2. Disable the account.
3. Go into the services snap-in and double click on Terminal Services.
4. Click on the ‘Log on’ tab, click on the ‘This Account’ radio button and enter the account that you created in the 1st step above.  Then enter the password you set for the account above and click apply.
5. Go back to the ‘General’ tab and choose disable for the startup type.

After changing the Terminal Services startup-type to disabled reboot your computer. After following these steps you will get repeated errors in your system event viewer when you reboot or log into your computer; however, these can simply be ignored. Until I get an appropriate response from Symantec that addresses the following concerns I plan to be an advocate against ALL Symantec products, both professionally and personally.

 

What specific features of Symantec products require Terminal Services to be running, when was it introduced, and why?

Symantec must provide a way programmatically to disable the use of Terminal Services.

Symantec must make it abundantly clear that Terminal Services is required to use the product (by default).  This would include putting it in the minimum system requirements and explicitly calling its uses out in the ULA.
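
Added example, not part of the original posts and not Symantec or Microsoft tooling: a PowerShell check that reports whether the Terminal Services service has drifted from a "disabled and stopped" policy after a reboot or product install, and lists the related Service Control Manager events. It assumes PowerShell 3.0 or later, that the service is registered under its usual name `TermService`, and that the expected values below match your own policy; `Get-ServiceDrift` is a hypothetical helper name.

```powershell
# Added example: audit the Terminal Services service against a "disabled" policy.
# Assumptions: service name 'TermService'; expected values are illustrative policy.
$ServiceName   = 'TermService'
$ExpectedMode  = 'Disabled'   # Win32_Service.StartMode: Auto, Manual or Disabled
$ExpectedState = 'Stopped'    # Win32_Service.State: Running, Stopped, ...

function Get-ServiceDrift {
    param(
        [Parameter(Mandatory)] $Service,   # object with Name, StartMode, State, StartName
        [string] $ExpectedMode,
        [string] $ExpectedState
    )
    $findings = @()
    if ($Service.StartMode -ne $ExpectedMode) {
        $findings += "StartMode is '$($Service.StartMode)', expected '$ExpectedMode'"
    }
    if ($Service.State -ne $ExpectedState) {
        $findings += "State is '$($Service.State)', expected '$ExpectedState'"
    }
    [pscustomobject]@{
        Name      = $Service.Name
        LogOnAs   = $Service.StartName   # shows the account set on the 'Log on' tab
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Output "$ServiceName is not installed"; return }

Get-ServiceDrift -Service $svc -ExpectedMode $ExpectedMode -ExpectedState $ExpectedState |
    Format-List

# Service Control Manager events in the System log:
#   7040 = start type of a service was changed
#   7000 = service failed to start, 7038 = service could not log on with its account
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7038, 7040 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Terminal Services|Remote Desktop Services|TermService' } |
    Select-Object TimeCreated, Id, Message
```

Run it after each reboot or software install; a non-compliant result together with a recent 7040 event shows when the start type was changed back.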

bard,

 

Norton 2009 products (NIS/NAV/N360) require Terminal Services to be started to function correctly. The reason for this is we use Terminal Services to tell if a user is logged in or not. This tells us when to start our own services. If the Norton Service cannot start, none of our own functionality will work.

 

Also, Terminal Services is by default started on Windows installations (both XP and Vista), and is used to support Fast User Switching.

Message Edited by OscarL on 06-16-2009 03:25 PM

Oscar,

 

I appreciate the reply, but I don't accept your reasoning. It tells me either your developers don't know how to write Windows applications appropriately, which further solidifies my banning of all Symantec products, or you have not been given correct information.  Also, your product does appear to work without Terminal Services running as I indicated in my previous posting.

As to the point you made about Fast User Switching and the default state of Terminal Services, yes all true, but again I don't WANT to use the OS defaults nor do I care if Fast User Switching doesn't work (as I mentioned previously).

bard,

 

I understand your points and concerns but perhaps it would be better to run products developed for Corporate / Business environments (such as Symantec Endpoint Protection suite which seems a better fit to your company's policies and practices from what you have mentioned; more information is available in this information paper and on this web site) than to try and modify consumer based products to meet corporate or company use?  In my ten plus years of corporate security (both inside offices and outside the office (mobile appliances)) this mix or modified usage of consumer security products in the business / corporate environment never gives satisfactory results.