Features

VNC Server Enterprise Edition builds on the same established VNC core as VNC Server Free Edition, adding improved authentication, session security and logging support.

System Requirements

Requirements:

Key:

  1. These platforms do not support NT Authentication
  2. These platforms do not support secure settings
  3. Service Pack 3, 4, 5 or 6a is required on these platforms
  4. NT Authentication can be configured only via the VNC Deployment Tool on these platforms
  5. Fast User Switching & Remote Desktop must not be used
  6. NT Authentication can only be used when running in Service-Mode on these platforms

Licensing & Trial Use

The VNC Enterprise Edition for Windows Licensing page contains instructions on using the 7-day trial of VNC Server Enterprise Edition for Windows.

The Licensing page also contains instructions for applying new license keys to existing installations, and details of the licensing and support terms for the software.

Installation

VNC Server Enterprise Edition for Windows is installed as an optional component of the setup package. If VNC Server has been installed then a number of icons will be created for it under the Start Menu, at the location specified during installation (usually RealVNC).

The final stage of installation of VNC Server Enterprise Edition is entry of a valid license key, if one was not already installed on the host computer. Alternatively, a 7-day trial license key can be installed on a machine, provided that VNC Server Enterprise Edition has not been used on that machine before. If no valid license key is entered then VNC Server will reject all incoming VNC connections. A valid license key can be supplied at a later time via the Set License Key item in the VNC Server 4 (Service-Mode) section of the Start menu.

VNC Server for Windows is designed to run either in User-Mode, as a personal per-user server, or in Service-Mode, as a system service available whether or not there is a user logged in. Note that the enhanced authentication features may not be available on some platforms from User-Mode VNC Servers.

The logged-on user can also choose to run their own personal User-Mode server alongside an existing Service-Mode server installed on the machine, provided that the two servers are configured to operate on different network port numbers.

Upgrading from VNC Server Free Edition

VNC Server Enterprise Edition retains full compatibility with VNC Server Free Edition, with respect both to command-line parameters and to registry configuration options. When installed on a system that has already been fully configured for VNC Server Free Edition, VNC Server Enterprise Edition will use the existing settings, without the need for reconfiguration.

Certain features of VNC Server Enterprise Edition, such as support for VNC Password Authentication passwords of more than eight characters or for session encryption, are not supported by VNC Server Free Edition and so may require reconfiguration of VNC Server if a system is downgraded.

Using VNC Server in User-Mode

If you are just trying out VNC, or wish to provide access to your desktop infrequently for support or collaboration purposes, then you may find it best to run VNC Server in User-Mode.

During the installation, leave the tickboxes which refer to the VNC Server System Service unticked, to prevent VNC Server being installed in Service-Mode on your system.

When you want to use VNC Server, go to the VNC Server (User-Mode) program group (usually found under RealVNC in the Start Menu), and click on Run VNC Server. The VNC Server icon will appear in the system tray, to indicate that VNC Server is running.

At this point, you probably want to configure your personal VNC Server settings for User-Mode. Right-click on the tray icon and select Options..., change the settings you want and click Apply or Ok. Note that you must at least configure the Authentication tab, otherwise you won't be able to connect in to your server - this is deliberately the case, to avoid accidentally opening up your computer to attacks.

When you are finished with VNC Server, simply select Close VNC Server from the tray icon's menu.

Using VNC Server in Service-Mode

If you intend to use VNC to provide remote access to a computer, you will probably prefer to install VNC Server in Service-Mode. In Service-Mode, VNC Server can allow remote connections even while the computer is locked or logged off. The server is configured once, rather than per-user, and the settings are secured if the host platform supports it.

During the installation, tick each of the boxes which refer to the VNC Server System Service. This will cause the installer to present the VNC Server Options dialog, and to register and run the VNC Server Service.

Note that you must at least configure the Authentication tab, otherwise you won't be able to connect in to your server - this is deliberately the case, to avoid accidentally opening up your computer to attacks.

At this point, your VNC Server is running and you should be able to connect to it from a connected computer using VNC Viewer.

If you need to reconfigure or stop your Service-Mode server, you will find links in the VNC Server (Service-Mode) program group of the Start Menu to achieve this. The VNC Server Properties dialog can also be accessed by right clicking on the VNC Server (Service-Mode) tray icon and selecting the Options... menu item.

Configuring VNC Server

VNC Server provides a number of options allowing its behaviour to be tailored to your needs. These are usually configured via the Options... dialog, although they can also be specified directly on the command-line of the WinVNC4 executable if required.

The Options... dialog consists of a number of pages of options, grouped according to their function. The following documentation describes each option and the equivalent command-line parameters.

When the Ok or Apply buttons of the Options... dialog are pressed, any changed settings are saved to the registry. Unless otherwise specified, changed settings take effect immediately.

Connections

Accept connections on port
PortNumber=(port number)

VNC Server accepts incoming connection requests from clients on a particular TCP port. The standard VNC Display numbers, 0-99, correspond to TCP ports 5900-5999. VNC Server will accept connections on port number 5900 by default, which equates to VNC display number 0 (zero). The port number for VNC Server to use can be set to any other available port number, even ones outside the 5900-5999 range.

Disconnect idle clients after
IdleTimeout=(seconds)

An idle client is one which has transmitted no keyboard or pointer events for more than a certain length of time. The VNC Server can be configured with a threshold, expressed in seconds, after which idle clients will be disconnected to conserve resources. If the threshold specified is zero seconds then connections will never timeout. The default idle timeout is one hour.

Note that pointer and keyboard events received from clients will prevent their connection timing out even if the VNC Server is configured to otherwise ignore those events (see below).

Serve Java viewer via HTTP on port
HTTPPortNumber=(port number)

If the port number specified is non-zero then VNC Server will accept incoming HTTP requests, allowing the Java VNC Viewer to be downloaded by a Java-aware web browser. The Options... dialog will attempt to adjust the HTTP port to match changes made to the VNC port number. This means that if the HTTP and VNC ports are set to the same value, changing the VNC port will update both.

Only accept connections from the local machine
LocalHost=true|false

The LocalHost option tells VNC Server to only accept incoming connections from Viewers running on the local host computer. This is normally only used when connections are to be tunnelled through a custom transport (e.g. serial line, custom wireless, etc) and will therefore appear to the TCP stack to originate from the local host. If VNC Server is configured to accept connections only via local loopback then the Hosts option is ignored.

Access Control
Hosts=(pattern)

VNC Server can filter incoming connection attempts based upon the apparent IP addresses of their originators. Which IP addresses are allowed to connect and which are not is determined by the Hosts pattern. The pattern consists of a comma-separated list of IP address specifications. Each specification starts with an action, gives an IP address, and a subnet-style mask. The first specification to match the address of the new connection determines the action that will be performed.

e.g. Hosts=+192.168.0.1/255.255.255.255,+192.168.1.0/255.255.255.0,-

The pattern given above allows the computer with address 192.168.0.1 to connect, as well as any computer in the 192.168.1 subnet. All other connections are rejected by the - term, which is actually redundant in this case - a connection will always be rejected if it doesn't match anything in the Hosts pattern.

Note that IP addresses and masks are specified in Type-A (xxx.yyyyyyyyy), Type-B (xxx.yyy.zzzzzz) or Type-C (xxx.yyy.zzz.www) form. The specification 192.168 will therefore be interpreted as 192.0.0.168 rather than 192.168.0.0 as one might expect.

The Hosts pattern can be edited more easily through the Access Control interface, which allows IP address specifications to be edited individually and moved up (to match first) or down (to match last) the list.
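The Hosts matching rules described above, worked through in an added Python example (this is not RealVNC's code): it parses addresses and masks in the Type-A, Type-B and Type-C forms exactly as the note warns, applies first-match semantics, and rejects anything that matches no specification. It assumes that a specification with no address (the bare - term in the example) matches every address, and that an omitted mask means a single host.

```python
"""Evaluate a VNC Server Hosts pattern against a client address.

Added example, not RealVNC code; assumptions are noted in comments.
"""

FULL_MASK = 0xFFFFFFFF  # 255.255.255.255


def parse_addr(text):
    """Parse an address or mask written in Type-A, Type-B or Type-C form.

    The last component fills every remaining byte, which is why "192.168"
    is Type-A and means 192.0.0.168 rather than 192.168.0.0.
    """
    parts = text.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected Type-A, Type-B or Type-C form: %r" % text)
    head = [int(p) for p in parts[:-1]]
    tail = int(parts[-1])
    tail_bytes = 4 - len(head)
    if any(b > 255 for b in head) or tail >= 1 << (8 * tail_bytes):
        raise ValueError("component out of range in %r" % text)
    value = 0
    for b in head:
        value = (value << 8) | b
    return (value << (8 * tail_bytes)) | tail


def fmt_addr(value):
    """Render a 32-bit address in dotted-quad (Type-C) form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_pattern(pattern):
    """Return (allow, network, mask) rules in the order they are written."""
    rules = []
    for spec in pattern.split(","):
        spec = spec.strip()
        if not spec:
            continue
        action, rest = spec[0], spec[1:]
        if action not in "+-":
            raise ValueError("specification must start with + or -: %r" % spec)
        if rest == "":
            # Assumption: an action with no address matches every address,
            # as the trailing "-" does in the documentation's example.
            rules.append((action == "+", 0, 0))
            continue
        addr_text, _, mask_text = rest.partition("/")
        # Assumption: an omitted mask means a single host (255.255.255.255).
        mask = parse_addr(mask_text) if mask_text else FULL_MASK
        rules.append((action == "+", parse_addr(addr_text) & mask, mask))
    return rules


def is_allowed(pattern, client_addr):
    """First matching specification wins; no match at all means reject."""
    addr = parse_addr(client_addr)
    for allow, network, mask in parse_pattern(pattern):
        if addr & mask == network:
            return allow
    return False


if __name__ == "__main__":
    example = "+192.168.0.1/255.255.255.255,+192.168.1.0/255.255.255.0,-"
    for client in ("192.168.0.1", "192.168.1.77", "192.168.0.2"):
        print(client, "allowed" if is_allowed(example, client) else "rejected")
    print("192.168 is parsed as", fmt_addr(parse_addr("192.168")))
```

The last two assertions in the accompanying checks show why +192.168/255.255.0.0 does not admit the 192.168 subnet: the address parses as 192.0.0.168, so the rule matches 192.0.x.x instead.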

Security

The Security page allows you to configure the required mode of authentication and level of security of VNC connections. VNC Server Enterprise Edition for Windows supports unauthenticated connections, classic VNC Password Authentication and native Windows NT authentication. Connections can also be encrypted if required, to ensure secure operation even over untrusted networks.

No Authentication
SecurityTypes=...,None,...
UserPasswdVerifier=None

If your VNC Server is operating in a protected environment, such as a secure LAN or firewall-protected network, then you may wish to configure VNC Server to accept connections without requiring a username or password to be specified. This might be useful when tunnelling VNC over a secure protocol such as SSH, for example, to remove one redundant level of authentication.

We advise extreme caution when disabling authentication. Do not disable it unless you are absolutely sure that the host network is completely secure.

VNC Password Authentication
SecurityTypes=...,VncAuth,...
UserPasswdVerifier=VncAuth

VNC Password Authentication allows a single password of up to 255 characters to be stored by VNC Server, which remote users must supply when prompted in order to authenticate. This authentication scheme is also compatible with older VNC Viewers, with the limitation that only the first 8 characters of the password are considered when authenticating legacy viewers, for compatibility reasons. Legacy Viewers will not be able to connect if Encryption is set to Always On.

The password to use can be configured by selecting Set Password and typing the new password twice. On platforms which support it, the password (and all other configuration options) are protected using native operating system security methods, so that the password cannot be read or tampered with by other users.

NT Logon Authentication
SecurityTypes=...,RA2,...
SecurityTypes=...,RA2ne,...
UserPasswdVerifier=NtLogon

VNC Server Enterprise Edition supports native Windows authentication of a supplied username and password. This is known as the NtLogon authentication method.

NtLogon allows different access rights to be granted to different users or groups of users. NtLogon can be configured by selecting Access Control and using the standard Windows security interface to assign the required access rights to each user or group.

The username and password supplied to NtLogon will be encrypted regardless of whether or not the session is to be encrypted.

Encryption: Prefer Off / Prefer On / Always On

VNC Server Enterprise Edition includes the new RA2 secure session protocol. RA2 is a purpose-designed protocol based on established security techniques including AES encryption and RSA public-key cryptography.

  • 128-bit AES encryption using EAX-mode for data authentication

    Using RA2, all session data is encrypted using the Advanced Encryption Standard (AES), preventing eavesdroppers from gaining access to sensitive data exchanged during the VNC session. AES is used in EAX-mode, a well-defined and provable system for ensuring that session data cannot be tampered with by an intermediary.

  • 2048 (default) / 1024-bit (minimum) RSA-based server authentication

    RSA asymmetric cryptography is used to establish session keys for use with AES. New session keys are generated for each session. By caching the RSA public keys of servers to which they have previously connected, VNC Viewers can verify the identity of the server before exchanging sensitive data with it. This verification is required to prevent server spoofing and other man-in-the-middle attacks.

The required RSA keys can be generated by selecting Generate Keys. This can be used to generate an initial set of keys for a host, or to replace an existing set of keys. The user will be prompted before keys are replaced, and before generating keys. Note that replacing existing keys will cause Viewers that have previously connected to the Server to warn the user when they next attempt to connect.

The Encryption setting determines when VNC Sessions will be encrypted, and when they will not.

  • Prefer Off indicates that the VNC Server should allow both encrypted and unencrypted sessions, but should not use encryption unless the VNC Viewer requests it.
  • Prefer On indicates that the VNC Server should use encryption unless the VNC Viewer specifically requests not to.
  • Always On ensures that all VNC sessions are encrypted, regardless of any preference expressed by VNC Viewers.

Prompt local user to accept connections
QueryConnect=true|false

By default, VNC Server allows Viewers to connect as long as the correct username and password are supplied. QueryConnect allows an extra level of protection to be applied, requiring a local user to explicitly accept incoming connections.

When QueryConnect is enabled, incoming connections are first authenticated in the normal way. If the connecting user has the Connect without accept/reject prompt access right then the connection proceeds normally. If not then a dialog is then presented on the server's desktop, displaying the IP address and username of the incoming connection, and requiring a local user to accept the connection.

If the user does not accept the connection within a specified timeout then it is rejected. If an incoming connection requiring acceptance by the local user is received while an earlier connection is being queried then the second connection is automatically rejected, for security reasons.

QueryTimeout=(seconds)

If QueryConnect is enabled then the Query Connection dialog will be displayed by default for ten seconds before automatically rejecting the connection. The timeout value can be modified by setting QueryTimeout accordingly.
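An added Python model (not RealVNC's code) of the QueryConnect decision sequence described above: authenticate first, honour the Connect without accept/reject prompt right, reject a second connection while an earlier prompt is still pending, and time out an unanswered prompt after QueryTimeout seconds. Times are plain numbers supplied by the caller, so the logic can be exercised without a clock.

```python
"""Model of the VNC Server QueryConnect accept/reject prompt.

Added example, not RealVNC code. Times are seconds passed in by the caller.
"""

DEFAULT_QUERY_TIMEOUT = 10  # seconds, the documented QueryTimeout default


class QueryConnectGate:
    def __init__(self, query_connect=True, query_timeout=DEFAULT_QUERY_TIMEOUT):
        self.query_connect = query_connect
        self.query_timeout = query_timeout
        self.pending = None  # (connection id, deadline) while a prompt is shown

    def _expire(self, now):
        """Drop the pending prompt once the local user has run out of time."""
        if self.pending is not None and now >= self.pending[1]:
            self.pending = None

    def arrive(self, conn_id, authenticated, can_bypass_prompt, now):
        """Decide an incoming connection: 'accepted', 'rejected' or 'queried'."""
        self._expire(now)
        if not authenticated:
            return "rejected"   # normal authentication always happens first
        if not self.query_connect or can_bypass_prompt:
            return "accepted"   # "Connect without accept/reject prompt" right
        if self.pending is not None:
            return "rejected"   # one query at a time; the second is refused
        self.pending = (conn_id, now + self.query_timeout)
        return "queried"

    def answer(self, conn_id, accept, now):
        """Local user's response to the prompt shown for conn_id."""
        self._expire(now)
        if self.pending is None or self.pending[0] != conn_id:
            return "rejected"   # prompt already timed out, or not this one
        self.pending = None
        return "accepted" if accept else "rejected"


if __name__ == "__main__":
    gate = QueryConnectGate()
    print(gate.arrive("alice", True, False, now=0))   # queried
    print(gate.arrive("bob", True, False, now=2))     # rejected while pending
    print(gate.answer("alice", True, now=5))          # accepted
```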

NtLogon Access Control

To connect to a VNC Server configured to use NtLogon authentication, the user must supply a suitable username and password. If the user wishes to use a domain account then the username must be of the form name@domain or domain\name.

The NtLogon authentication method allows different access rights to be assigned to different users or groups. The available access rights are as follows:

View display contents
Allow the remote user to see the contents of the VNC Server desktop.
Send pointer events
Send keyboard events
Allow the remote user to interact with applications running in the VNC Server desktop.
Send and receive clipboard contents
Allow the clipboard contents to be synchronised between the viewer and server.
Default access
Allow the default level of access, equivalent to that granted via the VNC Password Authentication method (View display contents, Send pointer & keyboard events, Send and receive clipboard contents). When new access rights which are enabled by default become available, users and groups previously configured with Default access will automatically have access to them.
Connect without accept/reject prompt
Allow the remote user to connect without a local user having manually accepted the connection. This allows the QueryConnect feature to be bypassed by particular users or groups, for emergency access to servers.
Full access
Grant all available access rights. When new access rights become available, users with Full access will automatically have access to them, regardless of whether they are granted by default.

The default access rights granted to users and groups are as follows:

Full access
Members of the local Administrators group.
Members of the local or domain VNC Admins group, if available.
Default access
Members of the local or domain VNC Users group, if available.
View display content
Members of the local or domain VNC View-only group, if available.

NtLogon Session Logging

In addition to the default logging of connection attempts by VNC Server, the NtLogon authentication method independently logs successfully authenticated sessions. Sessions' log events are stored in the Application Event Log of the machine that authenticated the session.

If a VNC session is made using local user account credentials then the session will be logged in the host computer's event log.

If a VNC session is made using domain-based credentials then the session will be logged with one of the domain's controllers.

Inputs

Accept pointer events from clients
AcceptPointerEvents=true/false

If this option is unticked then incoming pointer movements from all clients will be ignored, preventing any remote VNC Viewer from affecting the pointer of the VNC Server's desktop. This can be used to configure a server to become effectively view-only.

Note that a client will still be deemed active for the purposes of the IdleTimeout setting if it is sending pointer events to the server, whether or not they are accepted.

Accept keyboard events from clients
AcceptKeyEvents=true/false

If this option is unticked then incoming keystrokes from all clients will be ignored, preventing any remote VNC Viewer from typing into the VNC Server's desktop. This can be used to configure a server to become effectively view-only.

Note that a client will still be deemed active for the purposes of the IdleTimeout setting if it is sending keyboard events to the server, whether or not they are accepted.

Accept clipboard updates from clients
AcceptCutText=true/false

If this option is unticked then incoming clipboard updates will be ignored from all clients. This option should be used when making a VNC Server effectively view-only, but may also prove useful to prevent clipboard changes made by clients from overriding the VNC Server's local clipboard when this would be undesirable or confusing.

Send clipboard updates to clients
SendCutText=true/false

This option, if unticked, prevents the VNC Server from informing clients of changes to its local clipboard contents. This can be useful when untrusted clients are to be allowed to connect to the VNC Server, since it prevents any private data being accidentally leaked via the clipboard.

Allow input events to affect the screen-saver

This option determines whether keyboard and mouse events received from VNC Viewers can cause the screen-saver to be hidden. This option is actually a system-wide setting and is not implemented by VNC Server itself, so there is no equivalent command-line option. Some older Win32 platforms do not support this option. It is recommended that this check-box be ticked, so that the screen-saver can be disabled by VNC Viewer input.

Disable local inputs while server is in use
DisableLocalInputs=true/false

The mouse and keyboard physically attached to the server computer can be disabled for the duration of a remote connection, preventing local users from interacting with the computer.

Sharing

Always treat new connections as shared
AlwaysShared=true

If this option is set then all incoming connections will be treated as shared, and thus not disconnect any existing connections, regardless of whether the connecting VNC Viewer requested that the connection be shared.

Never treat new connections as shared
NeverShared=true

If this option is set then all incoming connections will be treated as non-shared. VNC Server will therefore either disconnect any existing connections, or refuse the incoming connection, depending on whether non-shared connections are configured to replace existing ones (see below).

Use client's preferred sharing setting
AlwaysShared=false, NeverShared=false

When connecting, VNC Viewer specifies whether the connection should be shared or non-shared. If this setting is configured then the VNC Viewer's preference will be respected.

Non-shared connections replace existing ones
DisconnectClients=true/false

If an incoming connection is to be shared (either by choice or because AlwaysShared is set) then existing connections remain active. If a connection is non-shared (either by choice or because NeverShared is set) then either the new connection must be rejected, or existing clients disconnected.

If this setting is configured then existing clients will be disconnected when a new non-shared connection is made. Otherwise, they will remain, and the new connection will fail.
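An added Python model (not RealVNC's code) of how AlwaysShared, NeverShared and DisconnectClients combine to decide what happens to a new connection and to the clients already connected, replayed over a sequence of arrivals. Setting both AlwaysShared and NeverShared is treated as a configuration error; that is an assumption, since the page does not define that combination.

```python
"""Model of the VNC Server Sharing options applied to arriving connections.

Added example, not RealVNC code; it applies the documented meaning of
AlwaysShared, NeverShared and DisconnectClients.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SharingConfig:
    always_shared: bool = False       # AlwaysShared=true
    never_shared: bool = False        # NeverShared=true
    disconnect_clients: bool = False  # DisconnectClients=true


def effective_shared(config, viewer_requests_shared):
    """Combine the server override with the viewer's requested sharing flag."""
    if config.always_shared and config.never_shared:
        # Assumption: the page does not define this combination, so it is
        # reported as an error rather than given an invented precedence.
        raise ValueError("AlwaysShared and NeverShared cannot both be true")
    if config.always_shared:
        return True
    if config.never_shared:
        return False
    return viewer_requests_shared  # "Use client's preferred sharing setting"


def admit(config, existing_clients, viewer_requests_shared):
    """Return (accepted, clients_to_disconnect) for one incoming connection."""
    if effective_shared(config, viewer_requests_shared) or not existing_clients:
        return True, []                       # shared, or nothing to conflict with
    if config.disconnect_clients:
        return True, list(existing_clients)   # non-shared replaces existing ones
    return False, []                          # replacement disabled: refuse


def simulate(config, arrivals):
    """Replay (viewer_name, requests_shared) arrivals in order.

    Returns the viewers still connected and a log of (name, decision, dropped).
    """
    active, log = [], []
    for name, wants_shared in arrivals:
        accepted, dropped = admit(config, active, wants_shared)
        if accepted:
            active = [c for c in active if c not in dropped] + [name]
            log.append((name, "accepted", tuple(dropped)))
        else:
            log.append((name, "refused", ()))
    return active, log


if __name__ == "__main__":
    cfg = SharingConfig(never_shared=True, disconnect_clients=True)
    print(simulate(cfg, [("alice", True), ("bob", True)]))
```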

Hooks

Use VNC Hooks to track graphical updates
UseHooks=true/false

VNC Server is designed to support a variety of techniques for tracking changes to the local desktop. This release supports the classic VNC Hooks technique. VNC Server can either be configured to use VNC Hooks, or to continually poll the screen for changes.

Poll console windows for updates
PollConsoleWindows=true/false

The VNC Hooks hooking technique cannot track console windows because of limitations in the operating system. Instead, console windows may be polled for changes. If this option is set then VNC Server will track the visible parts of console windows and poll those areas for changes.

Note that if you choose to disable VNC Hooks then the entire display will be continually polled for changes, removing the need for separate polling of console windows.

Capture alpha-blended windows
UseCaptureBlt=true/false

This option selects between two screen capture methods. If UseCaptureBlt is false then the faster of the two methods is used, which may in some cases cause alpha-blended windows and tool-tips not to be visible remotely. If UseCaptureBlt is true then these windows will be visible remotely but the VNC Server overhead will be increased.

CompareFB=true/false

Heuristic change tracking techniques, such as those used by VNC Hooks, often report changed areas that have changed very little. Even fully accurate tracking systems can report that areas have changed when they have simply been re-drawn and hence have not actually changed.

Disabling this option prevents VNC Server from detecting and transmitting only those parts of the screen which have actually changed to viewers. Disabling this option is not advised.

Legacy

Import VNC 3.3 Settings

If you have configured WinVNC 3.3 on a machine then you can automatically have VNC Server 4 configure itself to match your existing 3.3 settings as closely as possible. VNC Server 4 will warn you when it cannot match existing settings completely, or if they are no longer relevant.

If you choose to import settings to configure a User-Mode VNC Server then VNC Server will attempt to import your personal WinVNC 3.3 settings. If you choose to import settings to configure a Service-Mode VNC Server then the WinVNC 3.3 Default settings on the local machine will be used.

Note that you must separately uninstall the WinVNC 3.3 service if you import the settings into VNC Server 4, or configure VNC Server 4 to operate on a different port number.

Only use protocol version 3.3
Protocol3.3=true/false

VNC Server 4 supports both the original VNC version 3.3 protocol and the new VNC protocol version 3.7. Some third-party VNC software uses non-standard version numbers, which may cause incompatibility issues. VNC Server 4 can therefore be configured only ever to use the original VNC protocol version, ensuring compatibility even with non-standard VNC Viewers.

Note that this option applies to all VNC connections and reduces the functionality available to connecting VNC Viewers.

Compatibility Notes

Windows 3.11 / Windows NT 3.51 / Windows 95

VNC Enterprise Edition is not designed to operate on Windows 3.11 or older, Windows NT 3.51 or Windows 95.

Windows 98 / Windows Me

VNC Enterprise Edition is designed to operate on both Windows 98 and Windows Me. Because these platforms are inherently insecure, it is not possible to use the NtLogon authentication method with them. Encrypted sessions are supported, for use with the VNC authentication method.

Windows NT 4.0

Although VNC Enterprise Edition is designed to operate on Windows NT 4.0, the NtLogon access control dialog is not available on this platform. Settings may instead be applied using the VNC Deployment Tool, or copied from the registry of a configured Windows 2000/XP/2003 computer to an NT 4.0 computer in order to configure NtLogon access control. If NtLogon access control settings have not been applied then the defaults described previously will apply.

Windows XP

The Fast User Switching and Remote Desktop features of Windows XP can prevent VNC Server from operating correctly, due to limitations in the Windows Service mechanism. We recommend avoiding use of Fast User Switching and Remote Desktop facilities in Windows XP.

A compatibility extension is in development.

Windows 2003 Server

VNC Server 4 and above are designed to be compatible with Windows 2003 Server.

Problems?

If you have difficulties which are not covered by this document, try reading the Knowledge Base. There are also some pages to help with troubleshooting.

If that doesn't help then try subscribing to the mailing list and ask your question there.