July 23rd, 2003, 10:05 AM
Windows VNC vulnerability on intranet
The company I work at currently uses a program called VNCviewer to allow remote use of some computers, mostly running Win2k Pro, with maybe a few running NT4 (not sure). These computers are all within the corporate intranet. I was wondering if this opened up any vulnerabilities, particularly from individuals outside the intranet. From Googling a bit, it looks like there are some holes w/ VNC, but I don't quite understand exactly what they mean, and who the holes are vulnerable to. Hope this was clear enough. Thanks in advance.
July 23rd, 2003, 12:17 PM
If it was not accessible from the outside, it would be safe from people there too, of course. The problem is, it is hard to tell if something is really not accessible from outside - you know: Browsers, Email, ActiveX... bring "the outside to the inside".
I.e., a haxxor, a virus/worm, anybody/-thing specifically looking for VNC could still own or kill your whole intranet.
How is your intranet connected to the internet? A firewall? You know that a firewall can be circumvented? Do people use dial-up to connect to the internet? Do you have an IDS? Do you have security guidelines regarding PC usage in your company? Are they really enforced or are they only there to have somebody to blame after things went wrong?
[...] (rest of dumb questions skipped... )
In other words: Security depends on the concept as a whole, not a SPOF.
Using IE / OE is IMO a much bigger problem than VNC. Though most people still use them anyway...
July 24th, 2003, 07:55 AM
I'm going to take that response to mean that if the firewall and security measures are set up properly, then running VNC will not introduce vulnerabilities to the internet. (Malicious insiders, of course, could still do whatever.) Since our group is not responsible for the setup of the firewall and other issues, I'm going to be cynical and say if something bad happens, it won't be our fault. Thanks for the help.
July 24th, 2003, 11:42 AM
hehe, I wish I could take that position too...
July 24th, 2003, 07:17 PM
I'm just the intern, they never listen to me anyway.