RE: Remote Administration on W2K - VNC Security

From: Kevin Tierney (kevin46906@yahoo.com)
Date: 08/02/01


Message-ID: <20010802115741.97346.qmail@web12304.mail.yahoo.com>
Date: Thu, 2 Aug 2001 04:57:41 -0700 (PDT)
From: Kevin Tierney <kevin46906@yahoo.com>
Subject: RE: Remote Administration on W2K - VNC Security
To: SECURITY-BASICS@securityfocus.com

Just the other day I set up a secure VNC using ssh on my NT network. www.freessh.com has freeware, openssh-based ssh servers and clients. As per vnc's site I set up an ssh server on the box I want to admin as well as installing VNC. Then on my box I want to admin from, I have the ssh client set to forward port 5902 through the ssh to port 5900 on the server. Then all you do is use vnc to connect to localhost:2 and you've got your secure connection.

The only thing that was a little tricky is you have to go into the registry on the server and go to

HKLM|software|orl|winvnc3

and create a dword value called "AllowLoopback" and set it to "1". For extra security you can create a dword value called "LoopbackOnly" in that same key and set it to "1" so that only the local machine can connect to the vnc server. This occurs because VNC thinks the connection that was tunneled through SSH is coming from the server itself, since ssh is redirecting it to VNC.

-- Tom Geldner <tom@xor.cc> wrote:
> From the VNC FAQ
>
> How secure is VNC?
>
> Access to your VNC desktop generally allows access to your whole environment, so security is obviously important. VNC uses a challenge-response password scheme to make the initial connection: the server sends a random series of bytes, which are encrypted using the password typed in, and then returned to the server, which checks them against the 'right' answer. After that the data is unencrypted and could, in theory, be watched by other malicious users, though it's a bit harder to snoop a VNC session than, say, a telnet, rlogin, or X session. Since VNC runs over a simple single TCP/IP socket, it is easy to add support for SSL or some other encryption scheme if this is important to you, or to tunnel it through something like SSH or Zebedee.
>
> SSH allows you to redirect remote TCP/IP ports so that all traffic is strongly encrypted, and this can be combined with VNC. SSH can also compress the encrypted data - this can be very useful if using VNC over slow links. See the 'Using SSH with VNC' page. Zebedee is a similar system which can be sometimes simpler to use. You can find info here.
>
> While we're on the subject of security, you should also be aware that only the first 8 characters of VNC passwords are significant. This is because the 'getpass' call used in the Unix server to read a password has this restriction, and the other platforms have been made compatible with this.
>
> Wolfram Gloger <wmglo@dent.med.uni-muenchen.de> has built Xvnc with the TCP Wrapper library, allowing you more control over which hosts are allowed to connect. See the contribs page for details.
>
> -------------
>
> Tom Geldner
>

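The tunnel, registry values and loopback restriction described in the post, as an added Python example (not code from the original post or from the VNC project). The ssh command line, the `.reg` fragment and the `check_vnc_endpoint` probe are assumptions built from the settings the post names; the probe is meant for the admin to confirm that the VNC port answers through the tunnel on localhost:5902 but refuses direct connections on the server's LAN address once LoopbackOnly is set.

```python
"""Helpers for the SSH-tunnelled WinVNC setup described in the post.
Added example, not code from the original post. Assumes the standard VNC
convention that display N listens on TCP 5900+N, and the standard RFB
greeting format (b"RFB 003.003\\n") that every VNC server sends first."""
import socket

VNC_BASE_PORT = 5900
WINVNC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3"  # HKLM|software|orl|winvnc3

def display_to_port(display):
    """VNC display number -> TCP port (localhost:2 -> 5902)."""
    return VNC_BASE_PORT + display

def ssh_forward_args(local_display, remote_display, ssh_host):
    """ssh command forwarding a local display to the server's VNC port.
    Binding the remote end to 127.0.0.1 is what makes WinVNC see the
    tunnelled session as a loopback connection."""
    local_port = display_to_port(local_display)
    remote_port = display_to_port(remote_display)
    return ["ssh", "-N", "-L",
            "%d:127.0.0.1:%d" % (local_port, remote_port), ssh_host]

def winvnc_loopback_reg(loopback_only=True):
    """.reg fragment (REGEDIT4 format) with the two DWORD values from the
    post; LoopbackOnly=1 limits WinVNC to connections via the tunnel."""
    lines = ["REGEDIT4", "", "[%s]" % WINVNC_KEY,
             '"AllowLoopback"=dword:00000001',
             '"LoopbackOnly"=dword:%08x' % (1 if loopback_only else 0), ""]
    return "\r\n".join(lines)

def parse_rfb_version(banner):
    """Parse the 12-byte RFB greeting b'RFB 003.003\\n' into (3, 3);
    raise ValueError for anything that is not a VNC server greeting."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[11:] != b"\n":
        raise ValueError("not an RFB greeting: %r" % (banner,))
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)

def check_vnc_endpoint(host, port, timeout=3.0):
    """Return the RFB version if a VNC server answers at host:port, else
    None (refused, timed out, or not VNC). Run it against localhost:5902
    to confirm the tunnel works, and against the server's LAN address on
    5900 to confirm that LoopbackOnly=1 refuses direct connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return parse_rfb_version(s.recv(12))
    except (OSError, ValueError):
        return None
```

Import the `.reg` text on the server with regedit, then start the tunnel with the returned ssh arguments and point the VNC viewer at localhost:2.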