On 02:18 PM 10/19/2006 +0100, it would appear that James Weatherall wrote:
> Tyran,
> > Regardless, if the current user can
> > read the key, the current user has full access to the clear text
> > password via SIW and likely other similar utilities.
> The current user can only read the relevant keys if they are a member of the
> Administrators group, in which case they have complete access to your system
> anyway.
True but you're missing the point I was making: Group A are Domain
Admins and have access to all the machines across the network via
their own user account and via VNC. Group B are part of the
Administrators Group on their own machines only (due to idiot
software that can only be run under an administrative account),
are restricted to accessing only their own machines, and have no VNC
access to any other machines.
I really don't care if Group B has full access to their own machines
but they simply can't have access to any other machines via
VNC. However, if a company uses one VNC password for all machines
and the above scenario exists, then users in Group B have full VNC
access to any machine on the network. As the one password for all
machines is likely a common scenario, pointing this situation out is
probably a good idea.
That being said, there is a simple fix for this: Use different
passwords for those in Group B. This requires a bit more work on the
part of Group A but then it simply does not matter whether Group B
knows the VNC passwords to their own machine.
There is also a simple (in theory) permanent fix. Instead of simply
obfuscating the password in the registry, actually encrypt it. When
a client connects, provide two passwords. The first being the key to
decrypt the registry entry and the second being the actual VNC
password. With such a scheme, it doesn't matter who can read that
registry entry because without the decryption key, the entry is worthless.
Tyran Ormond
Programmer/LAN Administrator
Central Valley Water Reclamation Facility
[EMAIL PROTECTED]
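The two storage schemes discussed in this message, side by side, as an added example (this is not code from the thread, from RealVNC, or from any VNC implementation). The first half stands in for "obfuscation": a reversible transform under a key that is fixed inside the program, so anyone who can read the stored blob and has the program recovers the password. The second half implements the proposal above: the stored entry is encrypted under a key derived from a first (unlock) password that only the connecting party supplies, and the second password is the actual VNC password checked after decryption. The XOR masking, the fixed key value, the iterated-SHA-256 key derivation and the names Obfuscate/Seal/Open/Authenticate are all illustrative choices made here, not the real VNC storage algorithm; a production version would use a proper password KDF (PBKDF2, scrypt or Argon2).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// obfuscationKey stands in for a key baked into the executable.
// Hypothetical value; not the key or algorithm any VNC server uses.
var obfuscationKey = []byte("fixed-key-in-exe")

// Obfuscate reversibly masks the password with the program's fixed key.
// Reading the output plus having the program is enough to undo it.
func Obfuscate(password []byte) []byte {
	out := make([]byte, len(password))
	for i, b := range password {
		out[i] = b ^ obfuscationKey[i%len(obfuscationKey)]
	}
	return out
}

// Deobfuscate is what a registry-reading utility does: same fixed key, reversed.
func Deobfuscate(stored []byte) []byte { return Obfuscate(stored) }

// kdfIterations slows down guessing of the unlock password.
const kdfIterations = 100000

// deriveKey turns the unlock password into a 256-bit AES key using a
// per-entry salt. Iterated SHA-256 is a stand-in for a real password KDF.
func deriveKey(unlockPassword, salt []byte) []byte {
	key := sha256.Sum256(append(append([]byte{}, salt...), unlockPassword...))
	for i := 1; i < kdfIterations; i++ {
		key = sha256.Sum256(key[:])
	}
	return key[:]
}

// StoredEntry is what would sit in the registry: salt, nonce and ciphertext.
// None of it is useful without the unlock password.
type StoredEntry struct {
	Salt, Nonce, Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the VNC password under a key derived from the unlock password.
func Seal(unlockPassword, vncPassword []byte) (StoredEntry, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return StoredEntry{}, err
	}
	aead, err := newAEAD(deriveKey(unlockPassword, salt))
	if err != nil {
		return StoredEntry{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredEntry{}, err
	}
	return StoredEntry{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, vncPassword, nil)}, nil
}

// Open reverses Seal. A wrong unlock password fails GCM authentication and
// returns no plaintext at all, rather than garbage that could be brute-forced.
func Open(unlockPassword []byte, e StoredEntry) ([]byte, error) {
	aead, err := newAEAD(deriveKey(unlockPassword, e.Salt))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.Nonce, e.Ciphertext, nil)
}

var ErrAuthFailed = errors.New("authentication failed")

// Authenticate is the server side of the two-password connect: the first
// password unlocks the stored entry, the second must match what it contained.
func Authenticate(e StoredEntry, unlockPassword, offeredVNCPassword []byte) error {
	real, err := Open(unlockPassword, e)
	if err != nil {
		return ErrAuthFailed
	}
	if subtle.ConstantTimeCompare(real, offeredVNCPassword) != 1 {
		return ErrAuthFailed
	}
	return nil
}

func main() {
	vncPassword := []byte("s3cret") // constructed sample, not a real password

	// Today: an obfuscated blob; anyone who can read it gets the password back.
	blob := Obfuscate(vncPassword)
	fmt.Printf("obfuscated blob %x recovers to %q\n", blob, Deobfuscate(blob))

	// Proposed: the entry is sealed under an unlock password held by Group A.
	entry, err := Seal([]byte("groupA-unlock"), vncPassword)
	if err != nil {
		panic(err)
	}
	fmt.Println("correct pair:", Authenticate(entry, []byte("groupA-unlock"), vncPassword))
	fmt.Println("wrong unlock:", Authenticate(entry, []byte("groupB-guess"), vncPassword))
	if _, err := Open([]byte("groupB-guess"), entry); err != nil {
		fmt.Println("entry read without the unlock password yields nothing:", err)
	}
}
```

The caveat a practitioner would add: the sealed entry is exactly as strong as the unlock password, which the server still has to receive over the connection, so this closes the "read the registry" path but does nothing about a weak or shared unlock password. The salt and nonce are generated fresh per Seal, so two machines sealed with the same unlock password still produce different registry blobs.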
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list