Re: Remote control

From: John Vincent (john@Math.Princeton.EDU)
Date: 06/18/02


From: "John Vincent" <john@Math.Princeton.EDU>
To: <security-basics@security-focus.com>
Date: Tue, 18 Jun 2002 03:33:09 -0400

I don't believe VNC keeps the password clear text in the registry.

 It keeps an encrypted password in the registry at
"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default\Password". Check it out if
you want. If VNC is keeping it somewhere else I would like to know what the
key.

 I would recommend using it as a service not set to start at startup. Then
you can use the administrator password to turn the service on when you want
to access the server, and turn it off when you are done. You can also
SSH(or VPN) to tunnel VNC. That would encrypt the whole connection.

I hope this information is useful.

John Vincent
IT Manager PACM / Mathematics
Princeton University
http://www.math.princeton.edu/~john

----- Original Message -----
From: "Steve Littleford" <slittleford@ntelos.net>
To: "Calhoun, Heath" <CalhounH@gsci.state.ms.us>
Cc: "Tom Geldner" <tom@xor.cc>; <security-basics@security-focus.com>
Sent: Monday, June 17, 2002 7:04 AM
Subject: Re: Remote control

> I like VNC, but it is a little slow and I don't like the cleartext
> password in the registry. We also found that Windows NT machines won't
> come out of screensaver under VNC. However, I also know that the code
> is freely available and that these details will be addressed eventually.
> If they really bothered me, I'd fix them.
>
> > We used to use VNC on some systems on our network, but found it to be to
> > slow and very unsecure.
>
> I find VNC to be plenty fast over a network. It is over a modem that
> Remotely Possible shines. Just don't set VNC for full screen updates.
>
> > we found a tool anyone can download to crack the vnc password.
>
> Let me see... Brute force attack over a local LAN. Aren't there other
> ways an attacker can brute force password attack a Windows box?
> Granted, there is no username in VNC. But the console *can* be locked
> underneath, too.
>
> > go into the registery searching for vnc and guess what... There is the
> > password in clear text.
>
> I agree, password in plain text on the local machine is not secure.
> Even if your registry is locked down, you might have copies of it
somewhere.
>
> > Guess you get what ya pay for...
>
> Every tool has its uses. You want a full blown commercial remote
> control, file copy, and chat program? Buy one (for every machine in
> your school). If you need something that runs on anything, fits on a
> floppy and doesn't require installation, or can be run slowly from a web
> browser, then VNC is worth a lot (a lot of saved trips back to the
> server room).
>
> This guy wants to control his servers from the same location. I'd tell
> him to buy Remotely Possible because file copy over VNC isn't
> straightforward. It is also faster over a WAN connection. But, if cost
> were an issue he could install VNC and an ssh daemon. Then putty and
> iExplore to control the box. You can get a free ssh daemon in the
> CygWin project. He could even tunnel your VNC over SSH as many have
> already suggested.
>
> -Steve
>



Relevant Pages

  • Re: Looking for remote access software
    ... > port forward 3389 from the router to the host you wish to access. ... Remote sessions are NOT the same thing as remote control. ... Try out VNC first. ...
    (comp.security.firewalls)
  • Re: Tiger and remote control?
    ... > Apple Remote Desktop, and also the new open-source VNC. ... > files that are also stored on the same mac... ... I can't speak with authority about VNC or ARD, ... The remote Mac can be restarted, while allowing you to retain control ...
    (uk.comp.sys.mac)
  • Re: target computer locks itself when using RD
    ... > I've used VNC before and I'm fine with that. ... > interaction with a user via Terminal Services (ie, the Remote Control ... because windows xp is a 'single user' desktop operating system. ...
    (microsoft.public.win2000.networking)
  • Re: Local Remote Access
    ... Now we want to be able to control one from t'other, ... I am very familiar with the Windows approach (Remote Desktop), with VNC, ... Combine that with file sharing ...
    (uk.comp.sys.mac)
  • Re: tablet as "remote control"
    ... Remote Desktop? ... > could easily be used to let you control your Media Center PC remotely. ... > presumably) Tight VNC from www.tightvnc.com. ...
    (microsoft.public.windows.mediacenter)