Lock IT Down: Don't give up security when using VNC

Make sure you're not opening your network to attack when using VNC


As a support tech, you almost always need to be in two places at once. Of course, remote administration software, such as VNC, can help. Unfortunately, VNC isn’t the most secure solution. Hackers can use a sniffer to view information that flows over a VNC connection. But with TightVNC, you can have your cake and eat it too. Let's look at how you can use TightVNC to administer workstations and servers remotely without giving up security.

When is TightVNC a good option?
For Windows-only administrators dealing exclusively with Windows 2000 on both the server and workstations, VNC of any flavor might not be the best solution for your remote administration needs. In this case, Windows 2000 includes Terminal Services, which can act as a great remote administration tool as well as an application server, and this would be your better bet.

However, if you work in a mixed-OS environment, then Terminal Services won’t work for remote administration of your non-Windows 2000 workstations. Likewise, you may not want to load down your Windows 2000 servers and workstations with the overhead required to run Terminal Services. To get around these problems, you can use a third-party tool like TightVNC.

TightVNC will work on platforms other than Windows 2000, including all versions of Windows, Linux, and UNIX. TightVNC also offers a Java viewer so that you can connect via a browser if you wish. Some of the main differences between VNC and TightVNC are:
  • Support for two passwords, one for full control, the other read-only.
  • Optional JPEG compression to help speed up slower connections.
  • General compression levels can be modified depending on connection speed and CPU power.
  • New compression algorithms that perform better over slower connections than the traditional ones in the standard version of VNC.
  • Local cursor handling means the local viewer processes remote cursor movements so you don’t see as many mouse trails.
  • The Java viewer has been improved to support 24-bit color.
  • TightVNC allows you to allocate arbitrary port numbers for TCP/IP connections.
  • The UNIX version of TightVNC can automatically tunnel connections via SSH using the local SSH/OpenSSH installation.
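The sniffing risk mentioned above and the SSH tunnelling item are two sides of the same check. As an added example (not from the article or the TightVNC project), here is a small classifier a defender could run over the first server-to-client bytes of captured TCP streams: an RFB banner means a VNC session is crossing the wire in the clear, whereas a tunnelled session shows an SSH banner instead, and the offered security type shows whether the server even requires a password. The sample payloads are constructed.

```python
import re
import struct

# RFB, the protocol behind VNC, opens with a 12-byte server banner such as
# b"RFB 003.003\n"; the client answers with the version it will speak.
BANNER_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

# Security types from the RFB specification; unknown values are reported by number.
SECURITY_TYPES = {0: "invalid", 1: "none", 2: "vnc-auth"}

def parse_server_hello(payload: bytes) -> dict:
    """Parse the first server->client bytes of a TCP stream.

    `payload` is the concatenated data the server sent from the start of the
    connection. Returns the RFB version and the security type(s) offered, or
    {"rfb": False} if the stream is not RFB (an SSH-tunnelled session, for
    example, shows an SSH banner here instead).
    """
    m = BANNER_RE.match(payload)
    if not m:
        return {"rfb": False}
    version = (int(m.group(1)), int(m.group(2)))
    rest = payload[12:]
    offered = []
    if version <= (3, 3):
        # RFB 3.3: the server dictates one security type as a big-endian U32.
        if len(rest) >= 4:
            offered = [struct.unpack(">I", rest[:4])[0]]
    elif rest:
        # RFB 3.7 and later: a count byte followed by one byte per offered type.
        offered = list(rest[1:1 + rest[0]])
    return {"rfb": True, "version": "%d.%d" % version,
            "security": [SECURITY_TYPES.get(t, str(t)) for t in offered]}

def classify(payload: bytes) -> str:
    """Label a stream for an alert: cleartext VNC, cleartext VNC that
    requires no password, or something that is not RFB at all."""
    info = parse_server_hello(payload)
    if not info["rfb"]:
        return "not-rfb"
    if "none" in info["security"]:
        return "cleartext-vnc-no-auth"
    return "cleartext-vnc"

# Constructed sample captures, not real traffic, to exercise the classifier.
SAMPLES = {
    "tightvnc_3.3": b"RFB 003.003\n" + b"\x00\x00\x00\x02",
    "vnc_3.8_noauth": b"RFB 003.008\n" + b"\x02\x01\x02",
    "ssh_tunnel": b"SSH-2.0-OpenSSH_3.4p1\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data), parse_server_hello(data))
```

Seeing any "cleartext-vnc" result on a non-loopback capture is the signal that the session should have been tunnelled.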

Obtaining and running TightVNC
You can download TightVNC directly from the TightVNC Web site. It's available as a self-extracting file that's just shy of 900 KB. Running a default installation will put the files in Program Files\TightVNC. You can run a default TightVNC setup from the command line by typing tightvnc-1.2.8-setup.exe /sp- /verysilent and pressing [Enter]. TightVNC’s installation is very simple and runs like most Windows Setup programs you’ve ever dealt with.

TightVNC has two parts, the server (WinVNC) and the viewer. You’ll run the server on the server or workstation you want to remotely control. You'll run the viewer on the administration workstation that you want to use to access the server.

TightVNC can run in Application mode or in Service mode. Application mode requires a user to be logged in to the server for a remote administration session to occur. Service mode runs the server as a service that starts automatically when a machine is rebooted. Service mode allows you to access a machine when there is no one logged in to it. One important note: If you want remote [Ctrl][Alt][Delete] to work, you must run TightVNC as a service on the target machine!

TightVNC installs with a default password, which, if security is not a great concern, can be replicated to other machines by copying over this registry key:
HKCU\Software\ORL\WinVNC3

When you first run the program, the Properties window will open to let you enter a password for access. Each user can have a different password—probably a good idea for security and accountability reasons.

TightVNC adds a little icon to the system tray when it’s running. This icon inverts its colors when sessions are in progress. Right-clicking the icon allows you to set the following options:
  • Add New Client—Outgoing connections can be made to a viewer on another machine that is in Listen mode. This is basically the inverse of how you would normally use a remote administration application. The effect is a shared connection.
  • Kill All Clients—This option disconnects all TightVNC sessions immediately.
  • Disable New Clients—Using this option prevents client connections from being made to the TightVNC server.
  • About WinVNC—This option indicates the version number, etc.
  • Close—This option shuts down the WinVNC server.

On the viewer side, you can connect using three modes:
  • Best Compression—This mode is best for slow (i.e., 56 Kb modem) connections. JPEG compression is enabled, and the compression level and image quality can be tweaked.
  • Fast Compression—Use this mode over a high-speed 10/100 LAN or WAN.
  • Listen—This mode allows the viewer machine to accept reverse connections from the machine running WinVNC server, as explained above.

You can also connect to a TightVNC server through a Java-compatible browser. The WinVNC application comes with a small Web server built in, which listens on port 5800. I’ve tried this and there is a fair amount of latency (even with the compression enhancements offered in TightVNC), and if you’re using 56-Kb dial-up, the Java browser is probably not the best solution. Over dial-up, you should stick to the traditional VNCViewer.

The price is right
There are a few remote administration products in the market, such as Symantec's PC Anywhere, but they aren't free and the extra bells and whistles they offer probably aren’t needed in most remote administration situations. TightVNC is free and it's always benefiting from development, so it should keep getting better with time.