We cannot comment specifically on the security of other VNC-based remote access solutions; no two software solutions are the same. However, it’s paramount that IT teams implement a secure remote access strategy to ensure they have selected a properly configured solution. This needs to be supported by a well enforced IT policy, that meets the business’s security requirements.
Informed by our four security principles, VNC Connect is built to be secure by design, helping protect your company from malicious actors. For starters, a RealVNC VNC Server requires users to set a password.
Ensuring you have a secure solution out-of-the-box
All VNC Connect plans include cloud access control, where users – or groups of users – are granted access to devices. Without this access control granted, nobody can discover devices or attempt to connect to them.
Our VNC Connect paid plans are equipped with OS-based authentication by default, allowing users on Windows-based machines, for example, to authenticate remotely using their existing Windows / ActiveDirectory credentials. Remote access servers should never be configured for use with no authentication method, even on internal networks. It is important to note here that it is ultimately the device running RealVNC’s VNC Server that decides who can connect and with what permissions.
The article mentions, “If poorly secured servers whose passwords are easy to crack were included in the investigation, the number of potentially vulnerable instances would be much more significant.”
Even where public direct connections are in use, all RealVNC products include rate-limiting by default (also known as blacklisting). It strengthens security by blocking further connection requests after several failed attempts, hampering any authentication brute-force attacks. Your business can also configure rules to allow or deny connections at an IP address or subnet level.
The best line of defense is to enable multi-factor authentication. Several multi-factor authentication schemes are supported by VNC Connect – such as RADIUS, Duo, and smartcard/certificate. All these reduce the sole reliance on keeping your passwords from being compromised and force you to authenticate with something you know and have, meaning only valid users can connect.
Further on, the article says: “On that front, it is essential to remember that many VNC products do not support passwords longer than eight characters, so they are inherently insecure even when the sessions and passwords are encrypted.”
The 8-character password limit is restricted to the legacy VNC Auth authentication type and not enabled by default in VNC Connect. To enable this setup, a VNC Connect user would not only have to manually switch to this authentication type but also disable encryption.
If a user were to do this, they would be warned by an on-screen message warning them against proceeding with this setup.
We at RealVNC are proud of our security stance, and a recent external white-box security audit has verified our security claims for VNC Connect. Cure53, a Berlin-based IT security consultancy, had full access to the product source code, internal documentation/APIs, and a direct line to our developers, allowing them to verify our security and secure development practices. We’ll be talking more about the importance of security in remote access while exhibiting at Infosecurity World 2022 in September, which we’ll announce soon.
You can download the full report here.