RE: VNC Security

["Steve Bostedor" <Steveb () tshore com>]

Your plan is pretty typical and is pretty much what I advise to my clients.  Keep it off when it's not being used and 
change the password often.  On secured local LANS, it's ok to leave it running 24/7 as long as the remote server has 
the desktop locked or logged off.  This is the REalVNC, though.  I'm not sure the UltraVNC file transfer function is 
still functional if the workstation is locked.  I'll have to try that and see.  If it is still functional, I'd suggest 
not usng that on any server that you want to leave VNC running 24/7 on at all.

-----Original Message-----
From: Bart Crijns [mailto:gorby () skynet be]
Sent: Tuesday, April 19, 2005 5:15 PM
To: Andy Bruce - softwareAB
Cc: Steve Bostedor; security-basics () securityfocus com;
vnc-list () realvnc com
Subject: Re: VNC Security


Andy Bruce - softwareAB wrote:

> 5. Tell them to turn off port forwarding from the router (if they 
> could grok it), or just have them connect their PC back to the router 
> and their router back to the cable/dsl modem. In either case, 5900 
> isn't available to the outside world so there's no risk even if they 
> were running VNC in service-mode.

Another (very easy) way to make these connections more secure with those 
users is the following:
I'm using UltraVNC, so I'm not certain that everything is possible in 
other VNC variants.
- set a very long and very difficult password for the server (it will 
never be used anyway in this approach)
- disable the 'accept socket connections' checkbox in the server 
properties (may be UltraVNC only)
- when the users need assistance let them start the server, and instead 
of connecting to their PC, you start the viewer in listen mode
- tell them your IP, and have them add a client throug the system tray 
icon's menu, and have them enter your IP when requested.
You'll need to have your router setup for port forwarding to the ports 
for the listening viewer...

That way noone needs to know their password, and with UltraVNC the 
server isn't even accepting connections in the unlikely event that the 
password is known by someone. No password is transmitted, and the only 
thing that could be captured is the data sent during the VNC session, 
which isn't too much of a problem in most cases when helping someone out.
Furthermore, no incoming ports need to be opened on their router, 
because most users aren't really capable of changing that themselves.

Of course, when connecting to my own PC via VNC, I use a SSH tunnel.


> Am I missing something here?

Other than the fact that in the unlikely event of someone malignant 
actually taking over their PC, you'll be the one who's blamed... no :-)
I think the method I described is a bit safer, and also very easy to 
explain to the person at the other end of the line. If I may have missed 
something in my plan, please correct me.


Kind Regards,
    Bart Crijns