Yes, I wholeheartedly agree. However, I have worked with numerous "silly" people who later question why their respective machines were broken into and tampered with, and eventually turned over to "the dark side". If VNC is to be used, suitable passwording is an absolute, alongside the securing of a desktop environment. Without these basic security requirements in place, the ability for an innocent user's workstation to be used for "dark" purposes is made even easier. As we all know, Win95, 98, 98SE, ME etc do not have fully securable environments as a standard function within.
Those who do not understand security principles of a desktop environment need to be even more vigilant when it comes to what is made available through a VNC connectable workstation. Windows 95, 98 & ME etc. are extremely vulnerable, as is NT4 and WIN2K, without the necessary security patches. The point of my E-Mail was to make people aware of how easy it is to open yourself to problems, and in many cases without knowing that they have done so.

Cable Internet is the prime issue here in Australia. It is basically a large Thinnet / Thicknet LAN environment, and DSL fits in here as well. Unless people introduce a firewall of their own, or various other means of protection, how many people in this world understand how open they are making themselves?? A very small percentage from what I have witnessed to date.

I have been in the IT business since 1979 and have seen people creating their own security risks. I have also seen people attempt to blame whatever tools and Server Services for their specific incidents. The point is don't blame a tool for what people may have not known about in the first place. VNC is not designed to be a high security remote control tool. If it was there would be encryption at various levels, at the very minimum.

I like VNC, and have used it for some time. I do not want to see people opening themselves to problems of their own making, without being aware of what the risks are in the process.

An audit trail is OK when you are in a semi-controlled environment or better. It would be nice to be able to establish user lists within VNC so that an audit trail would become more meaningful. However, as long as there is only a single user account that people authenticate to within VNC, where the connectivity came from is academic and meaningless. It is not who logged in or where. It is how and why, and a requirement to assist a VNC Manager in closing the potential loophole that may have presented itself.

Don't stop using VNC!!
Use it more because it is an excellent product. Just beware of the risks that are produced when the utilization of such a product is upheld. Secure your platforms (HPUX, SCO, Linux, Win32 etc). VNC is a portal to a particular desktop. Make it difficult for a cracker to penetrate a workstation, not easy.

Rather than closing the barn door after a horse has bolted, close and lock it before. This is an excellent policy that all companies should uphold. An Audit trail is sometimes good after the fact, when the environment permits. The internet does not allow for this, even if you are the CIA. We are human and we regularly screw up. But it is so easy to protect yourself as well, when you know how.

Sincere regards......

-----Original Message-----
From: Paul Gleave <[EMAIL PROTECTED]>
To: Catelyn Hearne <[EMAIL PROTECTED]>
Date: Sat, 9 Feb 2002 09:47:02 +0000
Subject: Re[2]: Who Is Connected

> Surely this negates the whole point of running VNC?
>
> On 09 February 2002 you wrote:
>
> > My recommendation is that you do not leave such a machine freely connectable
> > on the Internet, as this IS going to happen again. With a Win98 workstation,
> ---------------------------------------------------------------------
> To unsubscribe, mail [EMAIL PROTECTED] with the line:
> 'unsubscribe vnc-list' in the message BODY
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
