Hi there,
We have some thin clients that are used as a sign in terminal and their sessions keep getting interrupted by "Someone is trying to remote shadow..."
After looking into what is causing it, it is an application on our server that is trying to access port 5900. We do not have any applications on the server that were intended to do VNC requests and after looking more into it, it could be related to our anti-virus (Sophos endpoint 9.5). Another common anti-virus was also doing a similar behavior because it scanned the ports and one of the open ports is 5900.
My main question is, does Sophos have any port scanning behavior or can anyone else think of common applications (IE,Office...) that would attempt to access TCP 5900 on Windows Server 2008 R2 and Windows Server 2003? It only seems to happen when the thin clients are actually making a connection to the server, would it be safe to block inbound connections to port 5900 on the server with Windows firewall?
Thanks in Advance,
Brandon
This thread was automatically locked due to age.
