Chapter 7, Making Connections Secure

Authenticating connections to VNC Server

By default, users must authenticate in order to connect to VNC Server. Note this is not the same as logging on to the host computer (though the same credentials may be used for both).

By default:

•  VNC Server (Enterprise) and VNC Server (Personal) specify system authentication. This means that a user must supply the credentials of a host computer user in order to connect. See Authenticating using host computer user credentials.

•  VNC Server (Free) specifies VNC authentication. This means that a user must supply a password specific to VNC in order to connect. See Authenticating using a VNC password.

You can relax the authentication rules, or allow particular users to bypass them altogether, if you consider it safe to do so. For more information, start with Relaxing the authentication rules.

Authenticating using host computer user credentials

By default, VNC Server (Enterprise) and VNC Server (Personal) specify system authentication, which means that VNC Server is integrated into the credentialing system of the host computer. This mechanism is typically both secure and convenient; system administrators commonly force the adoption of complex user names and passwords in enterprise environments, and users with their own accounts on the host computer can authenticate using already-familiar credentials.

Note: VNC Server (Free) does not support system authentication. Upgrade the host computer to VNC Server (Enterprise) or VNC Server (Personal) if security is important to you.

Note that in some circumstances, the primary user account on the host computer might not have a password set (this is likely only on computers used by friends and family). If so, the authentication mechanism must be changed to VNC authentication, or turned off altogether. A user cannot specify a blank password in order to connect.

By default, the user name and password of a host computer user with administrative privileges must be published to prospective users. Once connected, users:

•  Acquire a set of privileges (that is, access rights) on the host computer enabling particular operations to be performed. Note this is not necessarily administrative privileges, even if the credentials of such a user were entered in order to connect.

•  Are granted a Full set of VNC permissions, permitting access to all RealVNC™ remote control features while the connection is in progress.

You can configure VNC Server in order to publish the credentials of a non-administrative host computer user if you wish to either obscure administrator credentials, restrict VNC permissions, or both. Consult the section appropriate to the operating system of the host computer below for more information.

Windows

Under Windows, system authentication is selected using the Windows password option in the Authentication dropdown of the VNC Server - Options dialog. More on this dialog.

By default, to connect to VNC Server:

•  In Service Mode, a user must supply the credentials of a member of the Administrators group.

•  In User Mode, a user must supply the credentials of the currently logged on host computer user (that is, the user starting VNC Server).

You can add different users or groups to the authentication list if you do not want to publish the credentials of members of the Administrators group. For more information, see Managing users and groups in the authentication list.

Note that the credentials supplied by a user in order to connect to VNC Server determine the VNC permissions granted to that user. VNC permissions control which RealVNC remote control features the user is allowed to use. By default, a Full set of VNC permissions is granted. For more information on what this means, and how to revoke VNC permissions in order to restrict access to RealVNC remote control features, see Restricting features for particular connected users.

Once connected, a user has the same privileges (that is, access rights) on the host computer as the currently logged on host computer user. This need not be a user with administrative privileges even if the credentials of one were supplied in order to connect to VNC Server. The opposite also holds true: a connected user has administrative privileges on the host computer if such a user is currently logged on. Note that if VNC Server is running in Service Mode and no host computer user is logged on, the connected user must log on to Windows in order to continue.

UNIX/Linux

Under UNIX/Linux, system authentication is selected using the UNIX password option in the Authentication dropdown of the VNC Server - Options dialog. More on this dialog.

This means, to connect to VNC Server in either User Mode or Virtual Mode, a user must supply the credentials of the host computer user starting VNC Server. You can add different users or groups to the authentication list if you do not want to publish the credentials of this host computer user. For more information, see Managing users and groups in the authentication list.

Note that the credentials supplied by a user in order to connect to VNC Server determine the VNC permissions granted to that user. VNC permissions control which RealVNC remote control features the user is allowed to use. By default, a Full set of VNC permissions is granted. For more information on what this means, and how to revoke VNC permissions in order to restrict access to RealVNC remote control features, see Restricting features for particular connected users.

Once connected, a user has the same privileges (that is, access rights) on the host computer as the host computer user starting VNC Server. This need not be a user with administrative privileges even if the credentials of one were supplied in order to connect to VNC Server. The opposite also holds true: a connected user has administrative privileges on the host computer if such a user started VNC Server.

Mac OS X

Under Mac OS X, system authentication is selected using the Mac password option in the Authentication dropdown of the VNC Server - Options dialog. More on this dialog.

This means, to connect to VNC Server:

•  In Service Mode, a user must supply the credentials of a member of the admin group.

•  In User Mode, a user must supply the credentials of the host computer user starting VNC Server.

You can add different users or groups to the authentication list if you do not want to publish the credentials of host computer users with administrative privileges. For more information, see Managing users and groups in the authentication list.

Note that the credentials supplied by a user in order to connect to VNC Server determine the VNC permissions granted to that user. VNC permissions control which RealVNC remote control features the user is allowed to use. By default, a Full set of VNC permissions is granted. For more information on what this means, and how to revoke VNC permissions in order to restrict access to RealVNC remote control features, see Restricting features for particular connected users.

Once connected to VNC Server:

•  In Service Mode, a user has the same privileges (that is, access rights) as the currently logged on host computer user. If no host computer user is logged on, then the user must log on to Mac OS X in order to continue.

•  In User Mode, a user has the same privileges as the host computer user starting VNC Server.

In either case, this need not be a host computer user with administrative privileges even if the credentials of one were supplied in order to connect to VNC Server. The opposite also holds true: a connected user has administrative privileges on the host computer if such a user either started VNC Server (User Mode) or is currently logged on (Service Mode).

Managing users and groups in the authentication list

By default, VNC Server (Enterprise) and VNC Server (Personal) specify system authentication, which means that a user must supply the credentials of a host computer user in order to connect to VNC Server. Under certain circumstances, this may be the credentials of a host computer user with administrative privileges.

If you want to use system authentication but do not want to publish the credentials of host computer users with administrative privileges, you can add host computer users or groups with less sensitive credentials to the VNC Server authentication list. (Alternatively, you could just choose a different authentication mechanism; for more information, see Relaxing the authentication rules.)

To manage users and groups in the authentication list, open the VNC Server - Options dialog. More on this dialog. On the Connections tab, click the Configure button. Providing Windows password (or platform-specific equivalent) is selected in the Authentication dropdown, the Permissions for VNC Server dialog opens.

To add a new host computer user or group, click the Add button. To remove an existing host computer user or group, select it in the list and click the Remove button. Note that a user can supply the credentials of any of the host computer users listed in Group or user names in order to connect to VNC Server.

Note: Artifacts in this dialog have slightly different names under UNIX/Linux and Mac OS X.

Note that when you add a new host computer user or group to the authentication list, a Default set of VNC permissions is granted to connecting users supplying those credentials, even if this host computer user or group has administrative privileges on the host computer. For more information on VNC permissions, see Restricting features for particular connected users.
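The rules above keep two things separate: the credentials supplied decide whether a connection is accepted and which VNC permissions it gets, while host privileges follow the user who is logged on or who started VNC Server. The following Python model is an added example, not RealVNC code. It assumes individual users only (no group entries), and the names Host, keep_default, connect and admin_session_exposures are hypothetical. It lists the non-administrative credentials that would still end up controlling an administrator's session.

```python
from dataclasses import dataclass, field
from typing import Optional

# Whose host privileges a connected user inherits, per platform and mode (per the guide).
OWNER = {("windows", "service"): "logged_on", ("windows", "user"): "logged_on",
         ("unix", "user"): "starter", ("unix", "virtual"): "starter",
         ("macosx", "service"): "logged_on", ("macosx", "user"): "starter"}

@dataclass
class Host:
    platform: str
    mode: str
    starter: Optional[str] = None      # host user who started VNC Server
    logged_on: Optional[str] = None    # host user currently logged on, if any
    admins: set = field(default_factory=set)  # Administrators / admin group members
    added: set = field(default_factory=set)   # users added to the authentication list
    keep_default: bool = True          # assumption: False once the default entry is removed

def default_allowed(h, user):
    """Credentials accepted by the default authentication list entry."""
    if not h.keep_default:
        return False
    if h.mode == "service":            # Windows and Mac OS X Service Mode
        return user in h.admins
    if h.platform == "windows":        # User Mode: the logged-on user started the server
        return user == h.logged_on
    return user == h.starter

def connect(h, cred_user):
    """Return (vnc_permissions, inherited_host_user), or None if authentication fails."""
    if default_allowed(h, cred_user):
        perms = "Full"
    elif cred_user in h.added:
        perms = "Default"
    else:
        return None
    # inherited_host_user is None when nobody is logged on (user must log on to the OS)
    return perms, getattr(h, OWNER[(h.platform, h.mode)])

def admin_session_exposures(h, cred_users):
    """Non-admin credentials that still end up controlling an administrator's session."""
    return [u for u in cred_users
            if (r := connect(h, u)) and u not in h.admins and r[1] in h.admins]

# Constructed sample: Windows Service Mode, administrator alice logged on.
sample = Host("windows", "service", logged_on="alice",
              admins={"alice"}, added={"helpdesk"})
print(admin_session_exposures(sample, ["alice", "helpdesk", "mallory"]))
```

A credential flagged by this check is a candidate for having its VNC permissions revoked, as described in Restricting features for particular connected users.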

Authenticating using a VNC password

By default, VNC Server (Free) specifies VNC authentication, which means that VNC Server has its own password, disassociated from the credentialing system of the host computer. Note this mechanism is only as secure as the complexity of the password chosen.

Note: You can specify VNC authentication as the mechanism for VNC Server (Enterprise) or VNC Server (Personal) if you wish.

To enable connections, a VNC Server password must be specified and published to prospective users. Once connected, users acquire a set of privileges (that is, access rights) on the host computer enabling particular operations to be performed. (The same privileges are granted as for system authentication. See Authenticating using host computer user credentials for more information.)

VNC authentication is selected using the VNC password option in the Authentication dropdown of the VNC Server - Options dialog. More on this dialog.

To specify a new password, or change an existing one, click the Configure button. The VNC Server - Password dialog opens.

Specify and confirm a password, and click the OK button. Publish this password to prospective users, and in addition notify them that there is no need to enter a user name in the VNC Viewer Authentication Credentials dialog, even if its Username field is enabled. More on this dialog.

Specifying additional passwords

If you choose to use VNC authentication as the mechanism for VNC Server (Enterprise) or VNC Server (Personal), you can specify up to two additional passwords, enabling you to differentiate between basic, standard, and power users.

Note: VNC Server (Free) does not support additional passwords. Upgrade the host computer to VNC Server (Enterprise) or VNC Server (Personal) if flexibility is important to you.

Providing the Extended Configuration button is enabled, click it to open the VNC Server - Extended Passwords dialog.

To give connecting users:

•  The power to bypass connection prompts (if enabled), turn on Enable “Admin” user, and click the adjacent Set password button to specify and confirm an admin password. Publish this password to prospective users, and in addition instruct them to enter a user name of Admin. For more information on connection prompts, see Preventing particular users connecting.

•  View only access to the host computer, turn on Enable “ViewOnly” user and click the adjacent Set password button to specify and confirm a view only password. Publish this password to prospective users, and in addition instruct them to enter a user name of ViewOnly.