Using VNC (More) Securely...
Peter Bunn
bunnz "at" mhtc.net
Sat Aug 9 21:59:01 2008
Hello:
I now have a reliable RealVNC connection to my father's Windows machine
from my Mac.
But at this point, it has become difficult for my father to remember to
reliably click an icon to start the VNC server, so...
At the moment, I'm running the RealVNC server in Service Mode... using
the default ports and (because my own IP changes from time to time) with
Access Control set to accept any/all connections.
I'm aware that this is a security risk and am hoping to make changes to
reduce that risk.
But my understanding of 'how it all works' and how a computer can be
exploited is minimal, so I throw myself at your mercy and hope that some
few of the following questions might be answered here.
(By the way, I don't think, at this moment, I have enough skill to set up
an SSH tunnel, so I am excluding that from consideration... even if it
might be the most secure option.)
My questions are these:
- Do open ports - in and of themselves - constitute a security risk even
if there is no program listening on them? Or, stated another way, if the
VNC server is *not* running is there a risk in having port 5900 open?
This is pertinent because I could open ports via a web remote access
service to initiate a VNC session, then close the ports at the end of the
session - OR - I could start and stop the VNC server via the same web
service. But I don't know which - if either - would be an effective
means of reducing risk.
- Would assigning VNC service to another port well outside the range of
the normal default (5900) offer any additional protection from an
'obscurity' standpoint?
- My father's IP changes with almost every reconnect. Does this
represent any advantage in terms of obscurity?
- My own IP changes at the discretion of my ISP also, but usually falls
within a range of xxx.yyy.999.99, where xxx.yyy are pretty constant. Can
I configure Access Control to accept VNC connections only within that
range without specifying the actual originating viewer IP? The
documentation isn't clear to me on this point.
- Finally, I would be happy to spend the money necessary towards the
RealVNC 'Enterprise' version, but given all of the above, I'm uncertain
it affords any more security 'between sessions' - that is, with ports
open and the server running... which is what would be most convenient for
me as the 'default' condition: that when my father is simply using the
computer normally, the VNC ports would be open and the server running so
I could gain access readily at any time.
Sorry to be so windy... but I figure the answers to these questions are
more likely to be here as anywhere else.
Thanks in advance for any or all of them.
Peter B.
--
PS - I am on a dialup at a max of 24K yet can still reliably access my
Dad's PC and do 'useful work' there... which I find little short of
amazing. I'm grateful for the ability to do so.
-----
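The per-range access control the post asks about (accept a viewer only when its source address falls inside the ISP's xxx.yyy.0.0/16 block, deny everything else), shown as an added example that is not part of the original post and is not RealVNC's own code: a first-match allow/deny list evaluated against the connecting address. The rule syntax ("+net/mask" allows, "-net/mask" denies, a bare "+" or "-" matches everything, first match wins, no match means deny) is modelled loosely on the "+net/mask,-" form of RealVNC's Hosts parameter, but that mapping is an assumption here; the network numbers are constructed for the example.

```python
"""
Source-address allow-list check for a VNC listener.

Added example, not from the post and not RealVNC's code.  The rule
syntax below is an assumption modelled on the "+net/mask,-" style of
RealVNC's Hosts parameter:
    "+10.20.0.0/255.255.0.0,-"  -> allow the /16, deny everyone else
"""
import ipaddress


def parse_rules(spec):
    """Turn "+net/mask,-net/mask,..." into a list of (allow, network).

    A bare "+" or "-" matches every address (0.0.0.0/0).  Masks may be
    written either as a prefix length (/16) or dotted (/255.255.0.0).
    """
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        action, pattern = item[0], item[1:]
        if action not in "+-":
            raise ValueError("rule must start with + or -: %r" % item)
        if pattern == "":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # strict=False tolerates host bits set in the address part,
            # e.g. "+10.20.45.6/255.255.0.0" still means 10.20.0.0/16.
            net = ipaddress.ip_network(pattern, strict=False)
        rules.append((action == "+", net))
    return rules


def is_allowed(rules, source):
    """First matching rule decides; no match is an implicit deny.

    An IPv6 source never matches an IPv4 network (and vice versa), so it
    falls through to the implicit deny rather than being accepted.
    """
    addr = ipaddress.ip_address(source)
    for allow, net in rules:
        if addr in net:
            return allow
    return False


def filter_connections(spec, sources):
    """Apply one rule string to many candidate source addresses."""
    rules = parse_rules(spec)
    return {src: is_allowed(rules, src) for src in sources}


if __name__ == "__main__":
    # Constructed sample: the viewer's ISP block is 10.20.0.0/16 (standing in
    # for the post's xxx.yyy.0.0); everything else is refused.
    policy = "+10.20.0.0/255.255.0.0,-"
    for src, ok in filter_connections(
        policy, ["10.20.45.6", "10.21.0.1", "192.0.2.9", "2001:db8::1"]
    ).items():
        print("%-14s %s" % (src, "allow" if ok else "deny"))
```

The check is the same one a host firewall performs before the VNC server ever sees the packet, so it reduces exposure "between sessions" only for addresses outside the permitted block; anyone inside that ISP range still reaches the password prompt, which is why the range should be as narrow as the viewer's assignments allow.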