Those are good questions to ask at the beginning of the process, Sara - most people wait until after deployment to do so.
The methodology you use for setting up your remote control system is actually what will determine how easy it is to manage VNC centrally - which is what it sounds like your central concern is (I consider the security a part of the management system). VNC is definitely a "roll your own" style solution, with solutions to the problems you mention being implemented by network administrators in a Unixish fashion. The crucial issue is whether you have the infrastructure to correctly do it. I'm going to go over some points: (a) What your concerns are; (b) Some technical solutions to the specific questions you raised; and (c) some general points to think about as you look at answers.

(a) Your concerns

With VNC, once you have an initial product rollout done, your primary concern is keeping systems secure but accessible to network admins.

(b) Technical issues and resolutions

There are two things to consider here. The first is the ongoing password maintenance (to ensure there is a valid password for admins to use) and the second is securing the systems so that unauthorized users cannot access them.

For part 1, automated update of the passwords is no problem. The password is stored in HKLM and in HKU in the registry in encrypted form. That encrypted form can be exported readily and then deployed to everyone automatically either via a line in the network logon scripts or through group policies. This ensures that the systems are passworded and that end users do not face a mysterious VNC server dialog popping up at awkward moments and asking for a valid password to be specified for their systems. You can also just use a distributed change to HKLM and HKEY_DEFAULT_USER to avoid the per-user settings in general.

For part 2, there are solutions which can be used to effectively control connection. Some of them make part 1 irrelevant! Here's a few things you should know.
Most are documented at http://www.uk.research.att.com/vnc/winvnc.html

- For a situation where you have another method of security implemented, you can DISABLE the password storage (see AuthRequired).
- As you are aware, you can restrict connections based on the client IP range (via AuthHosts). If you have centralized help desk support - say all of the help desk staffers work from the 10.10.24.x network - you can restrict the connections to them. Alternatively you can use a VNC gateway system with a static IP and have all Help Desk staff connect through it. There are some fairly quick though technical enhancements to that approach, also - you can tunnel through with SSH to customize authentication further. An even simpler trick if you have either a Citrix or Windows Terminal Server system is to put the VNC viewer applet on it and set up each Help Desk staffer with a shortcut which starts a TS session set to launch VNCViewer. Allow only them access to the app. Use AuthHosts to limit access to VNC servers so that ONLY someone connecting from the terminal server can get in. A staffer can then just open the connection to the terminal server, the Viewer dialog will pop up, and you have authorized login via the terminal server's security.
- A solution which is not likely to be useful unless you have a solid UNIX system available which already uses CORBA or which someone will allow you to tweak is to simply use CORBA for authentication. There's no way you have that, though - I'm mentioning it for completeness' sake.

In your case, should you decide you do want to use VNC, I suspect the simplest secure solution is to disable password storage and then use a gateway or the TS approach.

(c) Other things to consider

- You may want to pull in a consultant who is familiar with remote control solutions; they can be hard to come by though.
- Remember every remote control solution has problems. VNC's largest drawback for Windows is that it was designed for UNIX.
On the other hand, this has some compensating advantages because everyone knows the problem and can modify the software.
- Attempting to examine comparative advantages ahead of time - and try things out yourself - is the best way to make sure you don't have usage problems. You're doing that now, which is good - I've seen enough nightmares from ill-considered steps in small companies; a multinational could get eaten alive from a poor deployment.
- If you are attempting to do a broad cross-section check of available tools, here's a fairly long list of current ones. Don't let pricing scare you off on commercial products; some of them drop like a rock in large volumes.

Partial List of Remote Control Products

Carbon Copy
NetOp Remote Control
NetSupport
pcAnywhere
RAdmin
Remotely Possible
Timbuktu
Unicenter Remote Control (formerly ControlIT)
VNC
Windows Remote Assistance (WinXP only)

----- Original Message -----
From: "Hawkins, Sara" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday/2002 February 01 11:11
Subject: Security questions

: Hello,
:
: I'm new to this mailing list and I'm a relatively new VNC user. The reason I am writing is because I am looking for some suggestions and help to see if VNC is capable of doing some of the security settings that I am looking for.
:
: I work for a fairly large global company and we use mainly NT 4.0 and 2k machines. We previously have used LANDesk for all our remote client needs, however the version we have is not compatible with 2k... so we are looking for alternative remote clients.
:
: I have done some searching in the archives and reading different websites and I see some of my answers however they would not fit our needs.
:
: We have multi user computers and with VNC we don't believe that a password is enough to protect the machine. We do not want our users to learn the password and start remoting each other. If we have to secure the password in the registry per user that is close to impossible.
: Then there was talk about changing the password every few days and that would just not be feasible with as little staff and as many users as we have.
:
: We are using a LAN with DHCP and I do not know if just securing the IP addresses would work.
:
: Any comments or suggestions would be a great help.
:
: Thank you,
: Sara Hawkins
: ---------------------------------------------------------------------
: To unsubscribe, mail [EMAIL PROTECTED] with the line:
: 'unsubscribe vnc-list' in the message BODY
: See also: http://www.uk.research.att.com/vnc/intouch.html
: ---------------------------------------------------------------------
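
Added example, not part of the original message and not WinVNC code: a small offline check of how an AuthHosts filter string, such as the help-desk restriction to 10.10.24.x described in the reply, would treat a set of client addresses before it is rolled out. It assumes the template semantics given in the WinVNC documentation linked in the reply (terms separated by ":", "+" accepts, "-" rejects, "?" queries the user, each template is matched against the leftmost characters of the dotted address, later terms take precedence, an empty setting accepts all hosts); the function names and sample addresses are constructed.

```python
# Added example: evaluate a WinVNC-style AuthHosts string offline.
# Assumption: plain string-prefix matching, last matching term wins,
# as described in the WinVNC documentation (not checked against source).

ACCEPT, REJECT, QUERY = "accept", "reject", "query"
_ACTIONS = {"+": ACCEPT, "-": REJECT, "?": QUERY}


def parse_auth_hosts(setting):
    """Split an AuthHosts string into ordered (action, prefix) terms."""
    terms = []
    for raw in setting.split(":"):
        raw = raw.strip()
        if not raw:
            continue  # empty piece between or after ':' separators
        if raw[0] not in _ACTIONS:
            raise ValueError(f"term {raw!r} must start with +, - or ?")
        terms.append((_ACTIONS[raw[0]], raw[1:]))
    return terms


def verdict(setting, client_ip):
    """Return accept/reject/query for client_ip; the last matching term wins."""
    result = ACCEPT  # assumed default: an empty filter accepts every host
    for action, prefix in parse_auth_hosts(setting):
        if client_ip.startswith(prefix):  # an empty prefix matches everything
            result = action
    return result


def unintended_accepts(setting, allowed_prefix, sample_ips):
    """List sample addresses outside allowed_prefix that are not rejected."""
    return [ip for ip in sample_ips
            if not ip.startswith(allowed_prefix)
            and verdict(setting, ip) != REJECT]


# Constructed sample addresses: two help-desk hosts and three others.
SAMPLES = ["10.10.24.7", "10.10.24.200", "10.10.240.9",
           "10.10.25.3", "192.168.1.5"]

if __name__ == "__main__":
    # Without the trailing dot the prefix also covers 10.10.240.x.
    for setting in ("-:+10.10.24", "-:+10.10.24."):
        print(setting, unintended_accepts(setting, "10.10.24.", SAMPLES))
```

Under the prefix-matching assumption, ending the template with a dot is what keeps the filter to the intended subnet.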