I needed a secure remote access to manage a small business server (Server 2K8 Std). I chose UltraVNC for encryption capability and here is interesting issue:
UltraVNC viewer to Public ip on Comcast 8014 (combo router/modem). Port forward 5900 to LAN router (Cisco RV042). Port forward 5900 to Server 2K8 at 192.168.1.xxx.
Works perfectly, can connect to Server log in screen with encryption active. If I send C-A-D I can log in to server as admin or user and do what I need to do. HOWEVER, even if I do NOT log in beyond the VNC connection, I can activate VNC File Transfer and move any file on server to remote client. That seems like a security issue. It happens whether I set VNC Server to require MS login or not!
Is this supposed to happen or do I not understand the connection? I was surprised to see I could access file directories without final server log in.
Thanks.
Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Is this a security issue UltraVNC to Server 2008?
Re: Is this a security issue UltraVNC to Server 2008?
It's working exactly as it's supposed to, I think.
Please don't assume that the Windows login is somehow inherently integrated with what UltraVNC does -- it's not.
Think about this -- you are remotely controlling a privileged service on that machine. It allows to remote control the screen, keyboard, and mouse. One of the things you can do from that point is log in to Windows. (But it doesn't have to be that way -- many people remotely control Windows and other OS sessions WITHOUT requiring an OS-specific login, especially if a user is already logged in.)
But one thing the UltraVNC developers added is file transfer -- that relies on the already-privileged WInVNC service and your authentication <b>to that service</b> from the viewer. So it absolutely <b>is</b> and end-run around Windows security, pretty much <b>by design</b>.
You could easily argue that this should <b>not</b> be the case, and that the security should be more closely integrated with that of the Windows machine and/or domain to which you're attaching. Maybe some of the more knowledgeable people here will let you know whether there are already some settings available to make that happen.
Please don't assume that the Windows login is somehow inherently integrated with what UltraVNC does -- it's not.
Think about this -- you are remotely controlling a privileged service on that machine. It allows to remote control the screen, keyboard, and mouse. One of the things you can do from that point is log in to Windows. (But it doesn't have to be that way -- many people remotely control Windows and other OS sessions WITHOUT requiring an OS-specific login, especially if a user is already logged in.)
But one thing the UltraVNC developers added is file transfer -- that relies on the already-privileged WInVNC service and your authentication <b>to that service</b> from the viewer. So it absolutely <b>is</b> and end-run around Windows security, pretty much <b>by design</b>.
You could easily argue that this should <b>not</b> be the case, and that the security should be more closely integrated with that of the Windows machine and/or domain to which you're attaching. Maybe some of the more knowledgeable people here will let you know whether there are already some settings available to make that happen.
Re: Is this a security issue UltraVNC to Server 2008?
I really appreciate your explanation as an end run around windows security. I was surprised to see that and suspected I did not fully understand how the VNC worked. There is still the security of encrypted VNC login and to be successful viewer needs an id and passwd. I would be interested if there are ways to increase security with multiple login levels but perhaps that is not needed. Thanks again. cf