Re: Remote control
From: John Vincent (john@Math.Princeton.EDU)
Date: 06/18/02
- Previous message: Gustavo.Ferrero@uy-tcs.com: "RE: don't deserve to be hacked?"
- In reply to: Steve Littleford: "Re: Remote control"
- Next in thread: Aditya: "Re: Remote control"
- Next in thread: Rich Henning: "Re: Re[2]: Remote control"
From: "John Vincent" <john@Math.Princeton.EDU>
To: <security-basics@security-focus.com>
Date: Tue, 18 Jun 2002 03:33:09 -0400
I don't believe VNC keeps the password clear text in the registry.
It keeps an encrypted password in the registry at
"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default\Password". Check it out if
you want. If VNC is keeping it somewhere else I would like to know what the
key is.
I would recommend using it as a service not set to start at startup. Then
you can use the administrator password to turn the service on when you want
to access the server, and turn it off when you are done. You can also use
SSH (or VPN) to tunnel VNC. That would encrypt the whole connection.
I hope this information is useful.
John Vincent
IT Manager PACM / Mathematics
Princeton University
http://www.math.princeton.edu/~john
----- Original Message -----
From: "Steve Littleford" <slittleford@ntelos.net>
To: "Calhoun, Heath" <CalhounH@gsci.state.ms.us>
Cc: "Tom Geldner" <tom@xor.cc>; <security-basics@security-focus.com>
Sent: Monday, June 17, 2002 7:04 AM
Subject: Re: Remote control
> I like VNC, but it is a little slow and I don't like the cleartext
> password in the registry. We also found that Windows NT machines won't
> come out of screensaver under VNC. However, I also know that the code
> is freely available and that these details will be addressed eventually.
> If they really bothered me, I'd fix them.
>
> > We used to use VNC on some systems on our network, but found it to be too
> > slow and very unsecure.
>
> I find VNC to be plenty fast over a network. It is over a modem that
> Remotely Possible shines. Just don't set VNC for full screen updates.
>
> > we found a tool anyone can download to crack the vnc password.
>
> Let me see... Brute force attack over a local LAN. Aren't there other
> ways an attacker can brute force password attack a Windows box?
> Granted, there is no username in VNC. But the console *can* be locked
> underneath, too.
>
> > go into the registry searching for vnc and guess what... There is the
> > password in clear text.
>
> I agree, password in plain text on the local machine is not secure.
> Even if your registry is locked down, you might have copies of it
> somewhere.
>
> > Guess you get what ya pay for...
>
> Every tool has its uses. You want a full blown commercial remote
> control, file copy, and chat program? Buy one (for every machine in
> your school). If you need something that runs on anything, fits on a
> floppy and doesn't require installation, or can be run slowly from a web
> browser, then VNC is worth a lot (a lot of saved trips back to the
> server room).
>
> This guy wants to control his servers from the same location. I'd tell
> him to buy Remotely Possible because file copy over VNC isn't
> straightforward. It is also faster over a WAN connection. But, if cost
> were an issue he could install VNC and an ssh daemon. Then putty and
> iExplore to control the box. You can get a free ssh daemon in the
> CygWin project. He could even tunnel your VNC over SSH as many have
> already suggested.
>
> -Steve
>