Security Basics mailing list archives
Re: VNC Security
From: Bart Crijns <gorby () skynet be>
Date: Tue, 19 Apr 2005 23:15:22 +0200
Andy Bruce - softwareAB wrote:
5. Tell them to turn off port forwarding from the router (if they could grok it), or just have them connect their PC back to the router and their router back to the cable/dsl modem. In either case, 5900 isn't available to the outside world so there's no risk even if they were running VNC in service-mode.
Another (very easy) way to make these connections more secure with those users is the following:
I'm using UltraVNC, so I'm not certain that everything is possible in other VNC variants.
- set a very long and very difficult password for the server (it will never be used anyway in this approach)
- disable the 'accept socket connections' checkbox in the server properties (may be UltraVNC only)
- when the users need assistance, let them start the server, and instead of connecting to their PC, you start the viewer in listen mode
- tell them your IP, and have them add a client through the system tray icon's menu, and have them enter your IP when requested. You'll need to have your router set up for port forwarding to the ports for the listening viewer...
That way no one needs to know their password, and with UltraVNC the server isn't even accepting connections in the unlikely event that the password is known by someone. No password is transmitted, and the only thing that could be captured is the data sent during the VNC session, which isn't too much of a problem in most cases when helping someone out. Furthermore, no incoming ports need to be opened on their router, because most users aren't really capable of changing that themselves.
Of course, when connecting to my own PC via VNC, I use an SSH tunnel.
Am I missing something here?
Other than the fact that in the unlikely event of someone malignant actually taking over their PC, you'll be the one who's blamed... no :-)
I think the method I described is a bit safer, and also very easy to explain to the person at the other end of the line. If I may have missed something in my plan, please correct me.
Kind Regards,
Bart Crijns