How secure is real VNC?

Random · 30-04-2007 11:57pm #1

Alright, so how secure is Real VNC? It feels like I'm leaving my PC open to all sorts of web nasties and exploits every time I use it. It's like leaving a note on the door on how to find your keys in the garden.

If I have a secure password (15 chars/nums +). And I also have it set to Wink+L everytime a user disconnects ... am I safe?

Any thoughts?

Kali · 01-05-2007 6:54am

Running your server on a non-standard port will stop random port-sniffers picking it up in the first place, and should definitely be used as a starting measure.
As long as encryption is turned on you're 50% secure... otherwise all data is sent unenrypted and everything you look at/do available.
Finally a decent strength password should help as well.

None of these (bar the first to some extent) will stop exploits in the actual program itself, so always make sure you're using the very latest version.

Anti · 01-05-2007 7:25am

I find it always helps if both machines are behind the same firewall too.

JackKelly · 01-05-2007 7:46am

Someone will eventually say it,so i'll get it over with; it is best to tunnel VNC over ssh. I'm not very familiar with real VNC, but VNC in general is unencrypted which means anyone can see what you are doing. So you should use a secure shell to tunnel all the information through. This is a bit of a nuisance on a windows machine, so you are probably fine as you are.

As was mentioned, you should definitely use a different port to 5900/59001 thought as these would be commonly scanned.

Khannie · 01-05-2007 8:00am

If you're concerned with security, check out freenx from nomachine. It uses SSH encryption by default and is much more responsive than VNC over slow connections.

Random · 01-05-2007 2:39pm

Thanks for the suggestions lads. I'll take the usual precautions, but all this is in vain if the program itself is a dud. I've used it on my home LAN for a while but the ability to check it while I'm away on holidays or from work etc (provided I'm not in a dodgy internet cafe!) would be welcomed.

I'll also have a look at freenx.

_CreeD_ · 01-05-2007 3:10pm

UltraVNC can use DSM modules to add encryption, AES is supported which is a major plus. It's quite easy to implement, just copy down the DLL and selected it as the DSM module on the client and server.
RDP (Terminal Services) is also 128bit/RC4 encrypted by default. While not the strongest algorithm RC4 is reasonably secure.
On the LAN at work though I've started using Local IPSEC Policies to transparently encrypt/tunnel VNC and RDP traffic to our servers. I like the fact it's centrally configurable, just set through a GPO and assign to the relevant systems, after that you just use your clients as normal.

zilog_jones · 02-05-2007 10:14am

I've also heard about tunnelling through SSH, but is that even possible using Windows? Personally I'd do it over a VPN like Hamachi - it is encrypted too (i forget what with).

I'd also recommend Remote Desktop (aka RDP/Terminal Services as _CreeD_ said) as I usually find it faster than any VNC, and on a Windows level it's probably more secure (as you have to log in/out just like you would if you were physically at the PC). However you need WinXP Pro (not Home) or better for Remote Desktop server to exist.

Kali · 02-05-2007 8:39pm

zilog_jones wrote:

I've also heard about tunnelling through SSH, but is that even possible using Windows? Personally I'd do it over a VPN like Hamachi - it is encrypted too (i forget what with).

Yes use Putty.

How secure is real VNC?

Comments