Device access
-
Only people you invite into your team can sign in to VNC Viewer and discover your computers (so only invite people you trust!). Note that with a Professional or Enterprise subscription you can further restrict discovery by assigning permissions on the Computers page of your RealVNC® account to precisely match computers with people.
If a person cannot discover your computers then they cannot possibly establish cloud connections to them; there’s no way to bypass our discovery service.
Note that if you have an Enterprise subscription and intend to establish direct connections, it is possible for a malicious entity to sniff the port you’ve opened in the remote computer’s firewall (5900 TCP by default). It’s much safer to use cloud connectivity over the Internet!
-
Only people in your team with permission to discover computers can sign in to VNC Viewer and attempt to connect to them.
To complete a connection, a team member must still enter the credentials expected by VNC Server running on that computer.
So computers are protected twice, by independent password mechanisms: the RealVNC® account system controls discovery, and the VNC Server authentication scheme polices connectivity.
-
VNC Server has a unique digital signature designed to help keep you safe online. This is a hexadecimal representation of a 2048-bit RSA public key hash, which (in the real world) means it’s a six-word memorable catchphrase, for example “Omega Chris Chicago. Alabama arrow network”. Download our whitepaper for the technical details.
When you connect, the RealVNC® services automatically verify this identity, and VNC Viewer additionally prompts you to check it yourself. If you’re subsequently warned that the catchphrase has changed, it might indicate that someone has tampered with the computer, or is trying to intercept your connection (a ‘man-in-the-middle’ attack).
Note that if you have an Enterprise subscription and establish a direct connection, then the RealVNC® services cannot perform this automatic check, so you should do so yourself.
-
Yes. VNC Server password-protection is turned on permanently.
VNC Server's authentication scheme is completely separate from your RealVNC® account, so even if a malicious entity learns your account credentials and signs in to VNC Viewer as you, they still cannot connect. And if they try to guess the VNC Server password (a 'brute force' or 'dictionary' attack), they’ll be blacklisted.
Note you can ask VNC Viewer to remember VNC Server passwords for you as a convenience. If you do, we recommend setting a master password on VNC Viewer's Preferences > Privacy page.
-
If you have a Home subscription, there’s only one VNC Server authentication scheme. Make sure the password you’re prompted to create when you install VNC Server is difficult to guess, and keep it safe. You must specify at least 6 case-sensitive letters, numbers, and special characters such as !@*#&, though we recommend more (the maximum is 255).
If you have a Professional or Enterprise subscription, then by default VNC Server is integrated into the credentialing mechanism of the remote computer, so you don’t have to create or remember yet another password. Simply connect using the same user name and password you normally use to log on to your user account on that computer. You can register other users with VNC Server so they can connect using their own familiar system account credentials if you wish.
If you have a Professional or Enterprise subscription, you can change the default system authentication scheme to specify multi-factor authentication for VNC Server.
If you have an Enterprise subscription and a suitable corporate network, you can set up single sign-on (SSO) for VNC Server.
-
The first time you use VNC Viewer to connect to a computer, you must enter the password expected by VNC Server.
Subsequently, you can ask VNC Viewer to remember this password so you don’t have to enter it each time. If you do, we additionally recommend setting a master password for VNC Viewer in case you lose or share your device.
VNC Viewer stores passwords locally and never syncs them to other devices via our cloud service (so you’ll have to remember them on each device you connect from). Download our whitepaper for the technical details.
Note you can sign out remotely from all VNC Viewer devices if you think your account has been compromised. Sign in to your RealVNC® account and navigate to the Security page.
-
Yes. VNC Server automatically logs audit information, so you have a complete record of who’s connected, when, from where and, if the user successfully authenticated, the time of disconnection (so you can calculate session length).
The storage destination for this information differs depending on the platform and VNC Server mode. General information about logging is available here.
Note that you can quickly dial up the logs to debug level if you need to.
-
Yes. If you will be physically present at the computer when people connect, you can configure VNC Server to notify you and approve or reject each connection.
To do this, turn on Show accept/reject prompt for each connection on VNC Server's Options > Connections page.
Please note: The Connection Request dialog box will not be shown in the VNC Server UI when a user with admin rights to that computer connects to it.
-
You can disconnect all users immediately, or individually from VNC Server's Information Center dialog.
By default, users can connect concurrently. You can specify that only one user connects at a time.
By default, if a connecting user fails to authenticate properly five times in a row, their computer is blacklisted. You can lower this threshold for additional protection from brute-force or port scanning attacks.
If you have an Enterprise subscription and establish direct connections, you can filter incoming computers to prevent connections from particular IP addresses.
-
Yes. You can make sessions view-only for everyone on VNC Server’s Options > Users & Permissions page.
If you have a Professional or Enterprise subscription, you can exercise more fine-grained control and make sessions view-only just for some.
Alternatively, VNC Viewer users can choose to make their own sessions view-only from VNC Viewer's Properties dialog or mobile app toolbar.
-
Yes, if you have a Professional or Enterprise subscription.
You can register any number of users or groups (perhaps from your corporate network) with VNC Server.
You can then grant specific permissions to each. So for example you could grant system administrators full remote access, members of the group ‘teachers’ sufficient permissions to control the remote computer but not to transfer files or print, and make members of the group ‘pupils’ view-only.
If you have a Home subscription, all connected users have the same global permissions, though you can turn individual features off for everyone, or make all connections view-only, if you wish. These restrictions will also apply to you, though!
-
You can blank the screens of most Windows computers (up to and including Windows 10). This is "curtain mode" - equivalent to turning the monitor(s) of a remote computer off so people in the vicinity can't see what you're doing.
Screen blanking is hardware-dependent for Windows 8 and 10, so we recommend testing those systems first to make sure screen blanking will be effective.
For Windows 7 and earlier, most hardware should be supported. For Windows 8 and 10, most desktop screens manufactured after 2011 should be supported, including major manufacturers such as Dell and Samsung. Unfortunately, there is not as much support for laptop screens. Assuming your desktop screen was manufactured after 2011, try the following if the screen blanking test fails:
- Remove any base stations, splitters or repeaters used to connect your screens.
- Update your graphics card driver software to the latest version.
- If there is an option on the screen’s setup menu called MCCS or DDC/CI, enable that option.
-
You can prevent the keyboard and mouse of the remote computer being used by whoever wanders past while you're remotely connected to it.
-
You can configure VNC Server to automatically lock or log out from a Windows or Mac computer when you disconnect.
Of course, you can always lock or log out during your remote control session. Just don’t power the remote computer off, or you’ll be disconnected until someone turns it on again!
-
First, follow the general instructions for RealVNC® accounts here.
Then, follow the additional instructions below. Note you can perform bulk operations on computers remotely using policy, which has the additional security benefit of locking down those computers, preventing change by local users.
- In your RealVNC® account online, assign permissions on the Computers page to restrict discovery appropriately.
- On each remote computer:
  - Install VNC® Connect in a secure location (such as C:\Program Files), and turn on update notifications.
  - Upgrade to 256-bit AES session encryption.
  - Turn off direct connectivity. Only establishing cloud connections means no holes need be opened in firewalls.
  - Enable multi-factor authentication for VNC Server.
  - Restrict session permissions appropriately, perhaps to make particular users view-only.
  - Harden blacklisting.
  - Lower the idle timeout.
  - If the owner will be physically present to approve connections, turn on query connect.
  - Lock the remote desktop when the last user disconnects.
  - Review connection logs on a regular basis.
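
The per-computer checklist above can be checked mechanically. The following is an added example, not RealVNC code: it audits a set of VNC Server parameters against the checklist items that map to a single setting. The parameter names and values (Encryption, AllowIpListenRfb, BlacklistThreshold, IdleTimeout, QueryConnect, DisconnectAction) do not appear on this page and should be confirmed against RealVNC's parameter reference; the Name=Value input format, the 900-second idle limit and both sample configurations are assumptions constructed for illustration.

```python
# Added example: audit VNC Server parameters against the hardening checklist.
# Parameter names/values are not from this page; verify them against the
# RealVNC parameter reference before relying on this.
MAX_IDLE_SECONDS = 900           # hypothetical site policy, not a RealVNC value
DEFAULT_BLACKLIST_THRESHOLD = 5  # default stated on this page

def parse_params(text):
    """Parse Name=Value lines (assumed format); skip blanks and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None  # missing or non-numeric values fail the check

def is_value(value, *allowed):
    return value is not None and value.lower() in allowed

# (parameter, checklist goal, predicate over the raw value or None if unset)
CHECKS = [
    ("Encryption", "256-bit AES session encryption",
     lambda v: is_value(v, "alwaysmaximum")),
    ("AllowIpListenRfb", "direct connectivity turned off",
     lambda v: is_value(v, "false")),
    ("BlacklistThreshold", "threshold below the default of five",
     lambda v: to_int(v) is not None
     and 0 < to_int(v) < DEFAULT_BLACKLIST_THRESHOLD),
    # Assumption: 0 means "never time out", so it must fail the check.
    ("IdleTimeout", f"idle timeout of 1..{MAX_IDLE_SECONDS} seconds",
     lambda v: to_int(v) is not None and 0 < to_int(v) <= MAX_IDLE_SECONDS),
    ("QueryConnect", "accept/reject prompt turned on",
     lambda v: is_value(v, "true")),
    ("DisconnectAction", "lock or log out on disconnect",
     lambda v: is_value(v, "lock", "logoff")),
]

def audit(text):
    """Return one finding per checklist item the configuration does not meet."""
    params = parse_params(text)
    return [f"{name}={params.get(name, 'not set')}: expected {goal}"
            for name, goal, ok in CHECKS if not ok(params.get(name))]

# Constructed sample configurations (not taken from a real deployment).
WEAK = "Encryption=PreferOn\nAllowIpListenRfb=TRUE\nBlacklistThreshold=5\nIdleTimeout=3600\nDisconnectAction=None\n"
HARDENED = "Encryption=AlwaysMaximum\nAllowIpListenRfb=FALSE\nBlacklistThreshold=3\nIdleTimeout=600\nQueryConnect=TRUE\nDisconnectAction=Lock\n"

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

Multi-factor authentication, session permissions and log review are left out because they do not reduce to a single value comparison.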