Ultra VNC born (again)?
Thu Dec 12 12:34:00 2002
Your ability not to understand makes VNC in general an untrustworthy
product. Controls on a network is not on the users PC, but the network,
where the user has no ability to touch. If you have the ability on transfer files
and I have no ability to block that transfer EXTERNAL to machine transferring
it, then I will be force to take out all VNC. That is the problem.
Yes - a user can walk in with Linux box - and have it taken from them when
entering the building.
Yes - a user can bring in a Diskette - but can not gain access to the servers.
Yes - a lot of vectors to attack an internal system can be made. But
planning can block a lot or trap them.
One of the simplist is having software tools that allow network to be
configured to block user mistakes. By bundling multiple functions in a single
port - without the ability to externally control the use - then the port gets
closed, because you could not understand NO FILE TRANSFERS means
Oh do not get me wrong - file transfers are important - I personally would like
to VNC board created that plugs in a server offering to that server: video,
keyboard, mouse, diskette, cd-rom and power cycle. So I can have room full
of headless machines all controlled from a private secondary network, so I
power cycle and configure the bios and load an OS - without ever touching
the box. But the different here is the type of network... A limited internal
private network. And if that network is ever connected to main lan... all file
transfers functions would blocked.
I am done with this.
> > This is meaningless... If I restrict file transfer on my network, this
> > program can be running inside my network - because I have to close the
> > ports to try to prevent any file transfers.
> Maybe I didn't make the point quite well enough. What I meant was so long as
> you can disable any enhancement at the client end with a reg key / push button
> - security isn't always comprimised. There is a risk with every patch or bit of
> software you load on the computer (be it running Windows, Linux, Mac OS,
> On UltraVNC there's an option to disable File Transfer..... so..... if users can't
> get at that function to enable it and the UltraVNC server isn't accepting file
> transfer requests - the risk is where?
> The best thing about the numerous VNC clients is that you don't *have* to use
> any of them. If you don't what file transfer - don't use Ultra. If you want pure and
> simple VNC stick with Real.
> IMO there are more and greater security risks in unpatched Windows system
> than with VNC. I use Windows 99.9% of the time at work and home - it has
> some good points and some bad ones. No system is perfect, yet if you can
> disable features you don't want - you can reduce risk but never eliminate it.
> At work I know that a really smart user could read the reg key with the VNC
> password and crack it. That would mean that many PCs could then be
> comprimised, but then I also know that you can bring a linux boot disk in and
> get complete admin rights on any NT/2000 workstation.
> Thus endeth the lecture. :-D
> Richard Harris
> Environment IT, NCC
> Ext 4509
> "Service, price , quality: pick any two."
> VNC-List mailing list