One approach that I almost always take these days with VNC setups for remote LANs is to make sure that they are only accessible via a VPN connection. This is a far from perfect security measure, but in terms of overall security for most Windows LANs it is a good technique to use. I can then do direct Windows-based connections to the network and the infrastructure is in place to do things for the clients which involved direct remote connections.
This still has huge security holes. It does not prevent internal hack attempts, and someone with VPN or internal access and admin rights could still do remote regreads and back out the password - but at least it introduces a single-point-of-administration choke point for control over remote VNC access. For tight VNC security, one would still want SSH2 and source address restrictions.

----- Original Message -----
From: "Coyle, Joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, 2002-05-31 14:26
Subject: RE: Security...

> People are foolish if they do not use SSH2 tunneling with VNC. If you want
> to employ good security measures then you should only have VNC set to "Allow
> Loopback Connections" with "Only Allow Loopback"
>
> SSH2 adds another layer of security and encryption. Even if you do not
> allow VNC connections from the outside world, it is still a good practice on
> a LAN or WAN.
>
> SSH2 tunneling only adds a few extra steps to the process.
>
> I also recommend that you do not allow any SSH protocol 1 connections. This
> is very easy to disable on any Unix or Windows type system. Of course this
> means that you need to have an updated SSH2 compliant server installed.
>
> Happy VNCing
>
> Joe Coyle
> Systems Administrator
> Weather Services International
> 978-670-5166
>
> -----Original Message-----
> From: Jacob Hoover [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 31, 2002 2:37 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Security...
>
> I didn't see the post, but VNC only uses the first
> eight characters of any given password. Working on the
> whole security idea, it wouldn't be that difficult to
> modify the server (Win version at least) to automatically
> disable itself after a defined number of authentication
> failures. This would keep out most brute force or word
> list hackers, but it would also stop the authorized user
> if the hacker tripped the safeguard.
>
> Jacob Hoover
>
> -----Original Message-----
> From: Shing-Fat Fred Ma [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 31, 2002 1:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Security...
>
> TightVNC requires that ssh be installed. It's a great
> package, but security is an issue even with ssh. It
> seems that a malicious person can repeatedly
> attempt to connect to the server with new passwords.
> Though it doesn't allow more than X number of attempts
> (somewhere around 5 or 7, I think), it's easy to "reset"
> its "memory". I can't quite remember, but I think I just
> tried connecting to a different server to reset the
> memory; or perhaps, I tried connecting to the same
> server from another site. Also, I don't think there was
> much delay between failed password attempts.
>
> The feature that prevents more than X attempts,
> I'm not sure if it's built into the viewer or the server.
> That code is publicly accessible. There was a
> recent post that pointed to a security hacker website
> showing exactly how the viewer can be modified to
> more effectively try connecting to a viewer (I think it
> was by trying different passwords). I believe the
> password is only checked for a small number of
> characters in any case.
>
> Anyone remember this?
>
> Fred
> -------------------------------------------
> Fred Ma
> Department of Electronics
> Carleton University, Mackenzie Building
> 1125 Colonel By Drive
> Ottawa, Ontario
> Canada K1S 5B6
> [EMAIL PROTECTED]
> ===========================================

_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
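Jacob's idea of having the server disable itself after a set number of failures, and Fred's point that such a counter is easily reset or ends up shutting out the authorized user, are the usual reasons a defender throttles per source address instead. The following is an added example and is not code from this thread or from any VNC server; the class, the addresses and the event times are all constructed for illustration:

```python
from collections import defaultdict

class AuthThrottle:
    """Per-source throttle for failed VNC password attempts (constructed
    example). Each failure doubles that address's wait before its next try;
    after max_failures it is locked out for lockout_seconds. Other addresses
    are unaffected, so one attacker cannot lock the real user out."""

    def __init__(self, max_failures=5, base_delay=1.0, lockout_seconds=300):
        self.max_failures, self.base_delay = max_failures, base_delay
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)  # source -> consecutive failures
        self._locked_until = {}            # source -> time the lockout ends
        self._next_allowed = {}            # source -> earliest next attempt

    def check(self, source, now):  # -> (allowed, reason)
        if self._locked_until.get(source, 0) > now:
            return False, "locked out"
        if self._next_allowed.get(source, 0) > now:
            return False, "throttled"
        return True, "ok"

    def record(self, source, success, now):  # -> consecutive failure count
        if success:
            self._failures.pop(source, None)
            self._next_allowed.pop(source, None)
            return 0
        n = self._failures[source] = self._failures[source] + 1
        if n >= self.max_failures:
            self._locked_until[source] = now + self.lockout_seconds
        else:  # 1 s, 2 s, 4 s, 8 s ... between attempts from this address
            self._next_allowed[source] = now + self.base_delay * 2 ** (n - 1)
        return n

def replay(events, throttle=None):
    """Feed (time, source, password_ok) events; return (source, outcome) pairs."""
    throttle, outcomes = throttle or AuthThrottle(), []
    for t, src, ok in events:
        allowed, reason = throttle.check(src, t)
        if allowed:
            n = throttle.record(src, ok, t)
            reason = "success" if ok else f"fail#{n}"
        outcomes.append((src, reason))
    return outcomes

# Constructed events: one address hammering the server, one legitimate login.
EVENTS = [(0.0, "10.0.0.9", False), (0.5, "10.0.0.9", False),  # 0.5 s throttled
          (2.0, "10.0.0.9", False), (3.0, "10.0.0.9", False),  # 3.0 s throttled
          (5.0, "10.0.0.9", False), (10.0, "10.0.0.9", False), (19.0, "10.0.0.9", False),
          (20.0, "10.0.0.9", False), (20.5, "10.0.0.22", True)]  # locked; other user OK
```

Running `replay(EVENTS)` shows the hammering address being throttled, then locked out on its fifth failure, while the login from the other address goes through untouched.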
