Implementing TightVNC and SSH on a Windows NT server

How one member used SSH to strengthen security

The TightVNC enhancement to the original VNC freeware application from AT&T research labs in the UK adds secure communication channels for remote administration sessions. TightVNC secures these communication channels using Secure Shell (SSH).

UNIX and Linux administrators have used SSH for years, and now Windows administrators can take advantage of it using TightVNC. To demonstrate how it works, I'll show you how to implement TightVNC and SSH on a Windows NT server. You can use the same logic to secure communications on other TightVNC supported systems.

Need a primer on SSH?
Click here to read a brief explanation of SSH and how it works.

In terms of licensing, noncommercial use of SSH is generally free. But if you're going to use SSH commercially, you should buy the software. There are various vendors including SSH Communications Security and VanDyke Software.

Although it's outside of the scope of this article, installing an SSH daemon onto an NT box is pretty straightforward—you can refer to the vendor's documentation for this. Once you have the SSH NT server host up and running, you'll also need an SSH client on the administration workstation you'll use to access the remote sites.

Securing the link
Start off by installing the TightVNC server on your target server or workstation and the TightVNC client on your administration workstation. For details about how to do this, see the article “Don't give up security when using VNC.” Test the communications on an unsecured channel between the server and workstation to make sure that VNC works properly.

After you’ve confirmed that everything works, you must make a change to TightVNC's Advanced Properties. Double-click the TightVNC icon in the system tray. When the dialog box opens, select the Advanced button. In the Advanced Properties dialog box, be sure to check the Allow Loopback Connections and Allow Only Loopback Connections check boxes, as shown in Figure A. This ensures that TightVNC works through only the SSH secure pipe.

Figure A
Set loopback connections to allow TightVNC to use secure channels.

Once you’re up and running with TightVNC in loopback mode, and both the SSH daemon and client are installed, you can initiate a secure session. When you do this, a dummy server will be created on your client machine that listens on the VNC port and moves all connections to that port into the SSH tunnel. The SSH tunnel in turn transports the connections to the remote server. Because you’ve selected the loopback mode above, TightVNC will think that the connection is a local one and allow a secure session to be built. Your remote admin traffic will then be secure.

Final thoughts
SSH can be used through firewalls, and you can also use it to protect FTP, POP, and IMAP sessions going through a firewall. Most SSH sessions through a firewall use port 22, but you can change this to go through another open port on the firewall, such as SSL port 443, which is usually open anyway.


Editor's Picks