Security and compliance

With great power comes responsibility. VNC Connect is built from the ground up with security in mind, to balance the access and control you need with the complete privacy that regulations require.

Our fundamental security principles

Principle 1

You don't have to trust RealVNC as a company to trust our software and services

Principle 2

We do not record your sessions, and data cannot be decrypted now or in the future

Principle 3

Every connection is treated as though it is made in a hostile environment

Principle 4

The owner of the remote computer ultimately decides who is able to connect

Frequently asked questions

General questions

  • What security role does my RealVNC account play?

    You create a RealVNC account when you purchase VNC Connect, or take a trial.

    Your RealVNC account credentials (email address and password) are important; please do not share them with anyone! You need them each time you:

    • Sign in online to manage your team, subscription and more.
    • Sign in to VNC Server to apply your subscription to remote computers (if you have device access).
    • Sign in to VNC Viewer to remotely access computers (both device access and instant support).

    Your account password must be at least 8 characters long and should not be the same as a VNC Server password, nor that of any other online service you use.

    Note that if you invite someone in to your team to share remote access, that person sets up their own RealVNC account in the process of accepting your invitation. They never need to know your RealVNC account credentials.

    We strongly recommend enabling 2-step verification on the Security page of your RealVNC account.

  • How are remote control sessions authenticated?

    Every remote control session must be authenticated before it can begin.

    • If you have device access, connecting users must authenticate to VNC Server, an app installed as part of VNC Connect on every remote computer. There are many different authentication schemes, and multi-factor authentication is available. More information.
    • If you have instant support, an end user enters a 9-digit code unique to the session, received from their support technician out-of-band. It's not possible for anyone else to connect in. More information.
  • Is multi-factor authentication (2FA) available?

    Yes. We recommend setting it up.

    Everyone should enable 2-step verification for their RealVNC account on the Security page. See how to do this.

    If you have device access, we also recommend enabling multi-factor authentication for VNC Server, an app installed as part of VNC Connect on every remote computer. See how to do this.

  • Are remote control sessions encrypted?

    Yes, always.

    If you have a Home or Professional subscription, connections are encrypted end-to-end using 128-bit AES, 2048-bit RSA keys and perfect forward secrecy, so sessions are entirely private to you now and in the future.

    If you have an Enterprise subscription, you have the option to upgrade to 256-bit AES. To do this:

    1. Open the VNC Viewer app, and navigate to File > Preferences > Expert.
    2. Search for the Encryption parameter and set the value to AlwaysMaximum.
  • How do I set up VNC Connect for maximum security?

    Follow the instructions below.

    1. Buy an Enterprise subscription.
    2. When creating your RealVNC account, choose a complex, unique password (not one you use for any other online service).
    3. Enable 2-step verification for your RealVNC account on the Security page online.
    4. If you wish to share remote access, only invite people you trust in to your team.
    5. Insist these people choose complex passwords for their own RealVNC accounts, and also turn on 2-step verification.
    6. If you have device access, additionally follow these instructions.
  • Are there any known security vulnerabilities?

    Security is at the heart of our business so we publish information about potential vulnerabilities as soon as we find them.

  • What data does RealVNC store in the cloud?

    We do not record your sessions, and never store remote computer passwords. We don’t store payment or credit card information either; that’s stored on our behalf by a PCI DSS-compliant vendor (Braintree).

    We do store certain data in the following circumstances:

    • If you enable analytics when installing VNC Viewer.
    • If you have device access and enable either analytics or update notifications when installing VNC Server.
    • If you have device access and sign in to VNC Viewer on multiple devices in order to sync your address book.
    • If you have instant support, note we automatically record certain session events for review purposes.

    See our privacy policy for what data is collected and where it is stored.

    If you don’t want RealVNC to store any data at all then you must:

    1. Buy an Enterprise subscription.
    2. Only enable device access (that is, install VNC Connect on computers you own or manage).
    3. Only establish direct connections to those computers.
    4. Disable analytics and update notifications for both VNC Viewer and VNC Server.
    5. Connect using VNC Viewer without signing in to it (your address book will not sync between devices).

Device access

  • Who can discover computers I own or manage?

    Only people you invite in to your team can sign in to VNC Viewer and discover your computers (so only invite people you trust!). Note with a Professional or Enterprise subscription you can further restrict discovery by assigning permissions on the Computers page of your RealVNC account to precisely match computers with people.

    If a person cannot discover your computers then they cannot possibly establish cloud connections to them; there’s no way to bypass our discovery service.

    Note that if you have an Enterprise subscription and intend to establish direct connections, it is possible for a malicious entity to sniff the port you’ve opened in the remote computer’s firewall (5900 TCP by default). It’s much safer to use cloud connectivity over the Internet!

  • Who can connect to computers I own or manage?

    Only people in your team with permission to discover computers can sign in to VNC Viewer and attempt to connect to them.

    To complete a connection, a team member must still enter the credentials expected by VNC Server running on that computer.

    So computers are protected twice, by independent password mechanisms: the RealVNC account system controls discovery, and the VNC Server authentication scheme polices connectivity.

  • How can I be sure I’m connecting to the right computer?

    VNC Server has a unique digital signature designed to help keep you safe online. This is a hexadecimal representation of a 2048-bit RSA public key hash, which (in the real world) means it’s a six-word memorable catchphrase, for example “Omega Chris Chicago. Alabama arrow network”. Download our whitepaper for the technical details.


    When you connect, the RealVNC services automatically verify this identity, and VNC Viewer additionally prompts you to check it yourself. If you’re subsequently warned that the catchphrase has changed, it might indicate that someone has tampered with the computer, or is trying to intercept your connection (a ‘man-in-the-middle’ attack).

    Note that if you have an Enterprise subscription and establish a direct connection, then the RealVNC services cannot perform this automatic check, so you should do so yourself.

  • Is it mandatory to authenticate to VNC Server?

    Yes. VNC Server password-protection is turned on permanently.

    VNC Server's authentication scheme is completely separate from your RealVNC account, so even if a malicious entity learns your account credentials and signs in to VNC Viewer as you, they still cannot connect. And if they try to guess the VNC Server password (a 'brute force' or 'dictionary' attack), they’ll be blacklisted.

    Note you can ask VNC Viewer to remember VNC Server passwords for you as a convenience. If you do, we recommend setting a master password on VNC Viewer's Preferences > Privacy page.

  • What’s the strongest VNC Server authentication scheme available?

    If you have a Home subscription, there’s only one VNC Server authentication scheme. Make sure the password you’re prompted to create when you install VNC Server is difficult to guess, and keep it safe. You must specify at least 6 case-sensitive letters, numbers, and special characters such as !@*#&, though we recommend more (the maximum is 255).

    If you have a Professional or Enterprise subscription, then by default VNC Server is integrated into the credentialing mechanism of the remote computer, so you don’t have to create or remember yet another password. Simply connect using the same user name and password you normally use to log on to your user account on that computer. You can register other users with VNC Server so they can connect using their own familiar system account credentials if you wish.

    If you have a Professional or Enterprise subscription, you can change the default system authentication scheme to specify multi-factor authentication for VNC Server.

    If you have an Enterprise subscription and a suitable corporate network, you can set up single sign-on (SSO) for VNC Server.

  • If I choose to remember VNC Server credentials, can I protect VNC Viewer with a master password?

    The first time you use VNC Viewer to connect to a computer, you must enter the password expected by VNC Server.

    Subsequently, you can ask VNC Viewer to remember this password so you don’t have to enter it each time. If you do, we additionally recommend setting a master password for VNC Viewer in case you lose or share your device.

    VNC Viewer stores passwords locally and never syncs them to other devices via our cloud service (so you’ll have to remember them on each device you connect from). Download our whitepaper for the technical details.

    Note you can sign out remotely from all VNC Viewer devices if you think your account has been compromised. Sign in to your RealVNC account and navigate to the Security page.

  • Does VNC Server record an audit trail of connection attempts?

    Yes. VNC Server automatically logs audit information, so you have a complete record of who’s connected, when, from where and, if the user successfully authenticated, the time of disconnection (so you can calculate session length).

    The storage destination for this information differs depending on the platform and VNC Server mode. General information about logging is available here.

    Note you can quickly dial up the logs to debug level if you need.

  • Can I approve people as they try to connect?

    Yes. If you will be physically present at the computer when people connect, you can configure VNC Server to notify you and approve or reject each connection.

    To do this, turn on Show accept/reject prompt for each connection on VNC Server's Options > Connections page.

  • How do I disconnect people, or prevent them connecting?

    You can disconnect all users immediately, or individually from VNC Server's Information Center dialog.

    By default, users can connect concurrently. You can specify that only one user connects at a time.

    By default, if a connecting user fails to authenticate properly five times in a row, their computer is blacklisted. You can lower this threshold for additional protection from brute-force or port scanning attacks.

    If you have an Enterprise subscription and establish direct connections, you can filter incoming computers to prevent connections from particular IP addresses.

  • Can I make remote control sessions view-only?

    Yes. You can make sessions view-only for everyone on VNC Server’s Options > Users & Permissions page.

    If you have a Professional or Enterprise subscription, you can exercise more fine-grained control and make sessions view-only just for some.

    Alternatively, VNC Viewer users can choose to make their own sessions view-only from VNC Viewer's Properties dialog or mobile app toolbar.

  • Can I restrict what connected people are able to do?

    Yes, if you have a Professional or Enterprise subscription.

    You can register any number of users or groups (perhaps from your corporate network) with VNC Server.

    You can then grant specific permissions to each. So for example you could grant system administrators full remote access, members of the group ‘teachers’ sufficient permissions to control the remote computer but not to transfer files or print, and make members of the group ‘pupils’ view-only.

    If you have a Home subscription, all connected users have the same global permissions, though you can turn individual features off for everyone, or make all connections view-only, if you wish. It will also apply to you though!

  • Can I blank the screen of a remote computer while I'm connected to it?

    You can blank the screen of a Windows 7 computer while you’re remotely controlling it ("curtain mode"), so people in the vicinity can’t see what you’re doing.

    This is equivalent to turning the monitor of the remote computer off and not allowing it to be turned back on again until you disconnect.

    Unfortunately, you can’t yet blank the screen of a Windows 10 or 8 computer, nor a Linux or Mac computer.

  • How do I prevent the remote keyboard and mouse being used?

    You can prevent the keyboard and mouse of the remote computer being used by whoever wanders past while you're remotely connected to it.

  • How can I protect a remote computer when I'm not connected to it?

    You can configure VNC Server to automatically lock or log out from a Windows or Mac computer when you disconnect.

    Of course, you can always lock or log out during your remote control session. Just don’t power the remote computer off, or you’ll be disconnected until someone turns it on again!

  • How do I set up device access for maximum security?

    First, follow the general instructions for RealVNC accounts here.

    Then, follow the additional instructions below. Note you can perform bulk operations on computers remotely using policy, which has the additional security benefit of locking down those computers, preventing change by local users.

    1. In your RealVNC account online, assign permissions on the Computers page to restrict discovery appropriately.
    2. On each remote computer:
    3. Review connection logs on a regular basis.
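
The identity check described under "How can I be sure I’m connecting to the right computer?" can be sketched as follows. This is an added example, not RealVNC's code or its actual catchphrase scheme (the whitepaper covers that): the wordlist, the SHA-256 choice, the sample keys and all names are assumptions. It pins the full key hash on first use and shows the six words only as the human-checkable form.

```python
import hashlib
import hmac

# Constructed 256-entry wordlist (16 x 16 syllables), one word per hash byte.
_HEAD = ["ba", "de", "fi", "go", "hu", "ka", "le", "mi",
         "no", "pu", "ra", "se", "ti", "vo", "wu", "za"]
_TAIL = ["ban", "den", "fin", "gon", "hun", "kan", "len", "min",
         "non", "pun", "ran", "sen", "tin", "von", "wun", "zan"]
WORDS = [h + t for h in _HEAD for t in _TAIL]


def fingerprint(public_key: bytes) -> bytes:
    """Full SHA-256 hash of the encoded public key."""
    return hashlib.sha256(public_key).digest()


def catchphrase(public_key: bytes, length: int = 6) -> str:
    """Human-checkable form: the first `length` hash bytes as words."""
    return " ".join(WORDS[b] for b in fingerprint(public_key)[:length])


class IdentityStore:
    """Trust-on-first-use pins: host -> full key hash."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, public_key: bytes) -> str:
        seen = fingerprint(public_key)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = seen      # first connection: user confirms the phrase
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        return "changed"                 # keep the old pin; warn, do not overwrite


# Constructed stand-ins for two encoded RSA public keys.
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"

if __name__ == "__main__":
    store = IdentityStore()
    for key in (KEY_A, KEY_A, KEY_B):
        print(store.check("build-server", key), "-", catchphrase(key))
```
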

Instant support

  • How secure is a session code?

    VNC Viewer requests a session code each time a technician starts an instant support session, and RealVNC's services automatically generate a 9-digit code unique to the session.

    This code is valid for 10 minutes. In that time, the technician must communicate it out-of-band so the end user can start the session.

    The code expires either when it is used, or after 10 minutes, whichever comes first.

  • Can I monitor a session in progress?

    No. Only the technician generating a session code can connect to and control a computer that is owned by the recipient of the code.

    However, as soon as a session starts, session event data is logged and stored online. If you have an Enterprise subscription, you can drill down into an individual session in order to review chat transcripts, file transfer activity, whether the technician elevated to perform administrative operations, and whether the technician rebooted the remote computer. 

  • What session events are logged for review purposes?

    Every session is logged and a session history stored online.

    If you have an Enterprise subscription, you can drill down into an individual session on the Sessions page of your RealVNC account and review a detailed activity log. The following activity is recorded:

    • Session start and end times
    • File transfer operations
    • Elevation requests
    • Reboot attempts
    • Chat transcripts

    Note that chat transcripts are encrypted-at-rest on RealVNC’s servers. Privacy policy.
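
The code lifecycle described under "How secure is a session code?" (9 digits, valid for 10 minutes, expiring on use or timeout, whichever comes first) can be modelled as below. This is an added example, not RealVNC's service code; the class, function and technician names are assumptions, and the last function estimates how likely random guessing is to hit a live code.

```python
import math
import secrets
import time

CODE_DIGITS = 9           # from the page
CODE_TTL_SECONDS = 600    # 10 minutes, from the page


class SessionCodes:
    """Issues single-use codes that expire on use or after the TTL."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._live = {}   # code -> (technician, expiry time)

    def issue(self, technician: str) -> str:
        now = self._clock()
        # Drop expired codes so they cannot collide with new ones.
        self._live = {c: e for c, e in self._live.items() if e[1] > now}
        while True:
            # CSPRNG, zero-padded so every code has exactly 9 digits.
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            if code not in self._live:
                break
        self._live[code] = (technician, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, code: str):
        """Return the issuing technician, or None if unknown, used or expired."""
        entry = self._live.pop(code, None)   # pop: a code is never usable twice
        if entry is None or self._clock() >= entry[1]:
            return None
        return entry[0]


def guess_probability(live_codes: int, guesses: int) -> float:
    """Chance that independent random guesses hit at least one live code."""
    miss = math.log1p(-live_codes / 10 ** CODE_DIGITS)
    return -math.expm1(guesses * miss)


if __name__ == "__main__":
    codes = SessionCodes()
    code = codes.issue("technician-1")   # constructed technician name
    print(code, codes.redeem(code), codes.redeem(code))
    print(guess_probability(live_codes=100, guesses=1000))
```
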

Resources


Security whitepaper

A complete overview of the features, policies and controls that keep your computers and data protected wherever you are.


Multi-factor authentication

Learn how to protect both your RealVNC account, and remote computers with VNC Connect installed, using as many authentication factors as you need.


RFB 5 security analysis

An analysis of the security aspects of the latest version of the RFB protocol, from our in-house Security team.


RealVNC privacy policy

Our privacy policy makes it clear what data we collect, where it's stored, how it’s protected and when it’s used.


Regulatory compliance

VNC Connect supports PCI DSS compliance


VNC Connect supports HIPAA compliance


Need more information?

If you want more details or wish to speak with a member of our Security team, let us know.
