Just make sure you are talking about the Enterprise version of RealVNC,
which does have AES, and authentication of server and viewer. The standard
VNC protocol is non-encrypted, and the password security is laughable. In
TightVNC implementations you type a password over 8 characters at the server
configuration, and you are nicely reminded that only the first 8 characters
will be used anyway.

I run TightVNC over SSH2, which benefits from the extra compression the
tunnel provides. I use strong auth at the SSH2 stage, with other filtering
added at lower layers, so it's pretty safe that way.

----- Original Message -----
From: "Stephane Auger" <stephaneauger () pre2post com>
To: "Brian Bemis" <brian_bemis () hotmail com>;
<security-basics () securityfocus com>
Sent: Wednesday, December 01, 2004 8:46 PM
Subject: RE: pcAnywhere question

I'm using Remote Desktop to manage my Windows XP clients and Windows
2000/2003 servers. It runs pretty good, but we have VPNs set up for
when we connect. The encryption in Terminal Services, in my opinion, is
good but a VPN's always the best solution, and adds almost no overhead.

A second nice solution is VNC (www.realvnc.com), which projects the
desktop as if you were locally connected, unlike Terminal Services which
is a remote session. I usually have both enabled. That way, I use
remote desktop, and if I need to do something "locally", or TS crashes,
VNC's available as a backdoor. VNC also has encryption and password