Alternative to Norton Internet Security in AD LAN environment.

+
0 Votes
Locked

lstone
I've been handling IT at a small business for about 6 months. 25 XP workstations, Exchange 2003, business application on Server 2003 that is run via Terminal Server, 2 domain controllers.

When I arrived they didn't even have a firewall. Every node was using a public IP address. All desktops and laptops are running Norton Internet Security 2006 and many of the licenses are expiring in a few weeks.

The Active Directory was so messed up that it was essentially non-functioning. After installing a firewall and moving to private IP addresses I had to resolve dozens of problems related to Active Directory and resource access security. Norton has been a real pain and it is my opinion that it isn't suited for an Active Directory environment that is already protected by firewall devices.

Since I am now faced with renewing these licenses I would like some opinions on protection for LAN workstations that are behind a company firewall. Does anyone feel that good virus protection in combination with Windows firewall is sufficient?

I would love to hear some expert opinions.
  • +
    0 Votes

    Wow, you have some work on your hands. As for the Windows firewall, I would not take a chance and have it on if you have a firewall from Norton. Go with the new licences and see if you can get a discount from Norton. Is there any way you can add Active Directory to the firewall of Norton?

    +
    0 Votes
    lstone

    Thanks for the reply. The configuration you suggest is what I have now. This is how I view the problem after working with it for many months: Norton Internet Security embeds itself within the Windows OS at a deep level. It doesn't seem to know to configure itself properly for a computer that is a member of an Active Directory domain. Consequently, Norton blocks much normal and necessary Active Directory communication. I have proven this many times by simply turning Norton off and watching problems disappear. I have even configured all installations of Norton to allow all traffic on my LAN network number, which did resolve some problems, but many problems remain - for example, certain machines are incapable of properly using WINS and are constantly challenging the domain PDC emulator to an election which should never occur in an Active Directory domain with a WINS server. The PDC is always automatically the domain master browser. It should NEVER be challenged, especially by an XP Pro domain member.

    If Norton has a documented method to configure their product for an Active Directory environment then I can't find it. Which makes me believe they don't have such documentation because their product wasn't designed to run in an Active Directory environment.

    Either I find some straightforward instructions real soon or Norton Internet Security is "out the door." I just would like some other administrators to share what products or combination of products they use on workstations in an Active Directory environment when a corporate firewall is already installed.

    +
    0 Votes
    lstone

    So much for collaboration. I just pulled myself up by my bootstraps (no pun intended - just in case any of you know what a bootstrap is - back in the day we used to manually load via switches machine language code to get a computer started) and made my own decision. In the old-fashioned spirit of computer field engineering I thought I would share my experience.

    I stumbled across Windows Live OneCare in a discussion thread elsewhere. 99% of what was being said was so negative that I strongly sensed prejudiced opinions (which are very common in these times). The only way to find out if it would solve my problem was to try it.

    Lots of installation problems at first. After working my way through several of these I began to realize that OneCare wasn't the problem, it was just exposing the problem. Rather than being an application that simply "rides on top of" Windows, OneCare has as its foundation the existing security mechanisms of Windows. My installation problems were really Windows update problems that I didn't even know I had. Before I could get a smooth installation of OneCare I had to first get Windows/Microsoft update running flawlessly (which is a good thing).

    Things like my vague understanding of the update service taking 99% of CPU cycles and making the machine unusable had to become very well understood with my documented steps to perform on each machine before beginning installation of OneCare. My pre-installation checklist takes about 90 minutes. But, OneCare now installs flawlessly.

    ALL of the logged events on servers and workstations concerning normal domain communication not succeeding have ceased, which proves my earlier belief that Norton Internet Security should never be used in an Active Directory environment.

    Microsoft specifically recommends that OneCare should only be used on "small" networks so I'm probably pushing the limit with 25 workstations. However, I now have 25 XP Pro machines that are in better condition than they have ever been, thanks to OneCare.

    I highly recommend Windows Live OneCare for home and small business, but I also recommend it be installed and configured by a knowledgeable person.

    +
    0 Votes
    vicentec

    I faced a similar problem as yours, and plan to take your advice to consider Live OneCare. After discovering that if I allow the Norton anti-virus subscription on any Windows machine to expire, that machine is no longer protected from *any* threats, I decided Norton has disappointed me for the last time. I have decided to replace it at all costs.
    Thank you for taking the time to post your solution and advice.

    +
    0 Votes
    CG IT

    Funny how all these old posts are showing up
