No.

VNC client to/from server traffic is not encrypted and can be intercepted
and replayed. VNC has very weak authentication (it's reversible), and the NT
4.0 registry permissions are atrocious. VNC uses well-known ports. It
doesn't log adequately. It is not possible to determine who is using the VNC
connection as there's one password for all users on Win32, therefore
auditing. It doesn't indicate via an audio or other method (a small change in
systray color on Win32 hosts is all) that remote activity is going on.

There is the VNC-SEC-L that was announced here the other day that is working
on some of these issues. It may be a while before all the issues are
addressed. Some can't be fixed easily and may take a fair amount of time.
Some issues require a small rev in the RFB protocol. Some efforts are not
worth pursuing, with the inclusion of TermSrv by default in >=Pro in Windows
XP, which is far more secure and faster than VNC.

Now... if you establish a strongly authenticated encrypting VPN (i.e. IPsec,
established using SecurID or similar) to the perimeter of your network, and
you are the only one with the VNC administrator password, then this is fine.
Otherwise, I'll strongly advise against using VNC over the Internet.

Andrew

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 03, 2001 4:40 PM
Subject: Secure VNC sessions
> Hi all,
>
> I'm new to VNC and need a little input from all you experienced guys (and
> girls) out there:
>
> My scenario: Large corporate network behind Firewall-1, lots of NT4
> servers (and W2K servers in the near future), VPN and RAS authenticated by
> SecurID.
>
> Is it possible to establish secure VNC sessions from the outside in order
> to remotely administer the servers without compromising network security? I
> would love to be able to use e.g. the Nokia 9110/9210 Communicator for this
> purpose.
>
> -Jens Bruun ([EMAIL PROTECTED])
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to [EMAIL PROTECTED]
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------