Your plan is pretty typical and is pretty much what I advise to my clients.  
Keep it off when it's not being used and change the password often.  On secured 
local LANs, it's ok to leave it running 24/7 as long as the remote server has 
the desktop locked or logged off.  This is the RealVNC, though.  I'm not sure 
the UltraVNC file transfer function is still functional if the workstation is 
locked.  I'll have to try that and see.  If it is still functional, I'd suggest 
not using that on any server that you want to leave VNC running 24/7 on at all.

-----Original Message-----
From: Bart Crijns [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 19, 2005 5:15 PM
To: Andy Bruce - softwareAB
Cc: Steve Bostedor; security-basics@securityfocus.com;
vnc-list@realvnc.com
Subject: Re: VNC Security


Andy Bruce - softwareAB wrote:

> 5. Tell them to turn off port forwarding from the router (if they 
> could grok it), or just have them connect their PC back to the router 
> and their router back to the cable/dsl modem. In either case, 5900 
> isn't available to the outside world so there's no risk even if they 
> were running VNC in service-mode.

Another (very easy) way to make these connections more secure with those 
users is the following:
I'm using UltraVNC, so I'm not certain that everything is possible in 
other VNC variants.
- set a very long and very difficult password for the server (it will 
never be used anyway in this approach)
- disable the 'accept socket connections' checkbox in the server 
properties (may be UltraVNC only)
- when the users need assistance let them start the server, and instead 
of connecting to their PC, you start the viewer in listen mode
- tell them your IP, and have them add a client through the system tray 
icon's menu, and have them enter your IP when requested.
You'll need to have your router set up for port forwarding to the ports 
for the listening viewer...

That way no one needs to know their password, and with UltraVNC the 
server isn't even accepting connections in the unlikely event that the 
password is known by someone. No password is transmitted, and the only 
thing that could be captured is the data sent during the VNC session, 
which isn't too much of a problem in most cases when helping someone out.
Furthermore, no incoming ports need to be opened on their router, 
because most users aren't really capable of changing that themselves.

Of course, when connecting to my own PC via VNC, I use an SSH tunnel.


> Am I missing something here?

Other than the fact that in the unlikely event of someone malignant 
actually taking over their PC, you'll be the one who's blamed... no :-)
I think the method I described is a bit safer, and also very easy to 
explain to the person at the other end of the line. If I may have missed 
something in my plan, please correct me.


Kind Regards,
    Bart Crijns
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
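The listen-mode ("reverse connection") setup Bart describes above, shown as an added example that is not part of the thread or of any VNC project's code. It simulates the two sides with plain sockets on 127.0.0.1: the helper's viewer listens, the user's server dials out and sends the 12-byte RFB ProtocolVersion greeting first (as the protocol requires even on a reverse connection), and a final check confirms the user's side is not accepting connections on any port. All port numbers are constructed for the demo (real viewers listen on 5500, real servers on 5900); `listening_viewer`, `outbound_server` and `reverse_connection_demo` are names chosen here, not UltraVNC APIs.

```python
"""Reverse VNC connection as described in the thread, simulated with plain sockets.

Added example, not code from the post or from any VNC project. It mimics only
the RFB ProtocolVersion handshake (the 12-byte greeting each side sends) so the
direction of the connection can be seen; no real VNC server or viewer is used,
and every port number here is constructed for the demo.
"""
import socket
import threading

PROTOCOL_VERSION = b"RFB 003.008\n"  # RFB 3.8 greeting, exactly 12 bytes


def recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer hangs up early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the handshake completed")
        buf += chunk
    return buf


def parse_version(greeting: bytes) -> tuple:
    """Turn b'RFB 003.008\\n' into (3, 8); rejects anything that is not an RFB greeting."""
    if len(greeting) != 12 or not greeting.startswith(b"RFB ") or greeting[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = greeting[4:11].split(b".")
    return int(major), int(minor)


def listening_viewer(ready: threading.Event, result: dict) -> None:
    """Helper's side: the viewer in listen mode waits for the user's server to call in.
    Real viewers listen on 5500; an ephemeral port is used here."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(1)
        result["viewer_port"] = lsock.getsockname()[1]
        ready.set()
        conn, _ = lsock.accept()
        with conn:
            # In RFB the server always speaks first, even when it is the one that dialled out.
            result["server_greeting"] = recv_exact(conn, 12)
            conn.sendall(PROTOCOL_VERSION)


def outbound_server(viewer_host: str, viewer_port: int) -> bytes:
    """User's side: with inbound socket connections disabled, the server makes one
    outbound connection (the tray menu's 'add client') and returns the viewer's greeting."""
    with socket.create_connection((viewer_host, viewer_port), timeout=5) as conn:
        conn.sendall(PROTOCOL_VERSION)
        return recv_exact(conn, 12)


def port_accepts_connections(host: str, port: int) -> bool:
    """True if something on host is accepting TCP connections on port."""
    try:
        with socket.create_connection((host, port), timeout=1):
            return True
    except OSError:
        return False


def free_port() -> int:
    """Pick a currently unused port to stand in for the user's 5900 in the check below."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def reverse_connection_demo() -> dict:
    """Run both sides and report what each saw, plus whether the user's side is listening."""
    ready, result = threading.Event(), {}
    viewer = threading.Thread(target=listening_viewer, args=(ready, result), daemon=True)
    viewer.start()
    if not ready.wait(5):
        raise RuntimeError("listening viewer did not start")
    result["viewer_greeting"] = outbound_server("127.0.0.1", result["viewer_port"])
    viewer.join(5)
    # The simulated server never called bind()/listen(), so the user's PC exposes no VNC port.
    result["user_side_port_open"] = port_accepts_connections("127.0.0.1", free_port())
    return result


if __name__ == "__main__":
    print(reverse_connection_demo())
```

The point the simulation makes visible is the one the post relies on: the only listening socket belongs to the helper, so the user's router needs no inbound forwarding and an attacker who learns the server password still finds nothing to connect to. The greeting exchange is real RFB framing, but authentication, encodings and the session itself are deliberately left out.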