My fault, upon looking again, even version 4 has the issue of only using the
first eight characters of the password and the fixed key length. Sorry for
indicating otherwise below.
Using a SSH tunnel for VNC secures you pretty much from anyone snooping in and
decrypting the password transmittal. A BFI attack against the password is still
possible. This can be alleviated in some circumstances by using the feature to
only allow connections from specified addresses.
--Moby
Did V4 fix the problems with the fixed key?
Tony Lyne
Senior Systems Engineer Computerland Central P O Box 1470 PALMERSTON NORTH
Telephone (+64) 06 3537300
Facsimile (+64) 06 3566800
Mobile (+64) 0274 720696
E-mail Tony.Lyne@xxxxxxxxxxxxxxxxxx
Internet http://www.computerland.co.nz
CAUTION: This e-mail message and accompanying data may contain information that is confidential and subject to privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this e-mail in error, please notify me immediately and delete all material pertaining to this e-mail. Thank you.
-----Original Message-----
From: Moby [mailto:moby@xxxxxxxxxxxxxx] Sent: Friday, 20 August 2004 9:19 a.m.
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: VNC
As always, workaround are available :)
- Version 4 does not have the limitation of using only the first eight characters of the password.
- Sessions are unencrypted because it is easy to run VNC in an SSH tunnel. Abundant documentation about this with almost step by step instructions can be had at their web site.
- Use the latest version, version 4
--Moby
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
First they came for the Jews and I did not speak out because I was not a Jew.
Then they came for the Communists and I did not speak out because I was not a Communist.
Then they came for the trade unionists and I did not speak out because I was not a trade unionist.
Then they came for me and there was no one left to speak out for me. -- Pastor Martin Niemöller
Tony Lyne wrote:
With regards to VNC there are a few security implications which you should be aware of before you install it.
- Passwords are easily brute forced. Apparently it only uses the first 8 characters for the password and discards the rest.
- By default, sessions are unencrypted so be careful. And the source code is apparently widely available on the web for VNC.
- The Some versions of VNC used a fixed key for its 3DES encryption. So it would be easy to figure out the password via a password cracker. Passwords are also stored in the registry so they are easy to extract.
Tony Lyne
Senior Systems Engineer Computerland Central P O Box 1470 PALMERSTON NORTH
Telephone (+64) 06 3537300
Facsimile (+64) 06 3566800
Mobile (+64) 0274 720696
E-mail Tony.Lyne@xxxxxxxxxxxxxxxxxx
Internet http://www.computerland.co.nz
CAUTION: This e-mail message and accompanying data may contain information that is confidential and subject to privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this e-mail in error, please notify me immediately and delete all material pertaining to this e-mail. Thank you.
-----Original Message-----
From: Daryl Ehrenheim [mailto:d.ehrenheim@xxxxxxxxxxxx] Sent: Friday, 20 August 2004 6:59 a.m.
To: 'windows2000@xxxxxxxxxxxxx'
Subject: [windows2000] Re: VNC
It doesn't work the same as PCanywhere that I am aware of. You don't quite
have the ability to lockout each user, however, you could assign each user a
password that is specific to their machine only. Each VNC server allows you
to assign a different password. Then just let that user know the password
and be sure that they don't give it away to someone else in the
organization.
I use RealVNC and it is working fine for my purposes.
Daryl
-----Original Message-----
From: Puetz, Christoph (TH USA) [mailto:christoph.puetz@xxxxxxxxxxx] Sent: Thursday, August 19, 2004 10:53 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: VNC
What I am concerned about is that I would rather make sure I can specify by user who has logon privileges. I am not familiar with the app. But I remember from PCAnywhere that you can set logon privileges by even using domain authentication. Is something similar possible with VNC at all?
Christoph
-----Original Message----- From: windows2000-bounce@xxxxxxxxxxxxx [mailto:windows2000-bounce@xxxxxxxxxxxxx] On Behalf Of Jensen, Douglas Sent: Thursday, August 19, 2004 11:35 AM To: windows2000@xxxxxxxxxxxxx Subject: [windows2000] Re: VNC
The security will be provided by the VPN security you set up.
After that, the person has to know the computer name or IP address of the computer and the VNC password and then the network user name and password to log in to the computer.
Seems to me that as long as you allow a VPN into the network, you are not exposing much more risk.
It seems like the same security risk as allowing a VPN to the network and then a Terminal Server session.
Douglas Jensen Douglas.Jensen@xxxxxxxxxxxxx Voice (952) 402-9821 Fax (952) 402-9815 Network Administrator Scott Carver Dakota CAP Agency, Inc. 712 Canterbury Road Shakopee, MN 55379 www.capagency.org
-----Original Message----- From: Puetz, Christoph (TH USA) [mailto:christoph.puetz@xxxxxxxxxxx] Sent: Thursday, August 19, 2004 12:28 PM To: windows2000@xxxxxxxxxxxxx Subject: [windows2000] VNC
Some folks here want to use VNC for remote access to their machines (after
connecting to the network via VPN). I am concerned about security. And as I
am not that familiar with VNC - can it be locked down and controlled from an
administrative point of view?
Which version would be preferred from a security standpoint? As an example - I see TightVNC and VNC.
Any feedback would be appreciated.
Christoph ******************************************************** This Weeks Sponsor StressedPuppy.com Games Feeling stressed out? Check out our games to relieve your stress. http://www.StressedPuppy.com ******************************************************** To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm ******************************************************** This Weeks Sponsor StressedPuppy.com Games Feeling stressed out? Check out our games to relieve your stress. http://www.StressedPuppy.com ******************************************************** To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
******************************************************** This Weeks Sponsor StressedPuppy.com Games Feeling stressed out? Check out our games to relieve your stress. http://www.StressedPuppy.com ******************************************************** To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm ******************************************************** This Weeks Sponsor StressedPuppy.com Games Feeling stressed out? Check out our games to relieve your stress. http://www.StressedPuppy.com ******************************************************** To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
******************************************************** This Weeks Sponsor StressedPuppy.com Games Feeling stressed out? Check out our games to relieve your stress. http://www.StressedPuppy.com ******************************************************** To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
******************************************************** This Weeks Sponsor StressedPuppy.com Games Feeling stressed out? Check out our games to relieve your stress. http://www.StressedPuppy.com ******************************************************** To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm