Thoughts on using VNC for remote assistance?
Posted by SynergizeTheNeedful@reddit | sysadmin | 52 comments
Is there any way to make VNC more secure on a LAN? As in, avoid the same password on all clients, etc. It's such an amazing tool, free, checks all the boxes except the whole pesky security shitshow that it seems to be. Tight, Turbo, Tiger... is there any flavor that can be secured better?
I have dozens of buildings connected with site to site VPN, having remote assistance capability is an absolute life saver for helpdesk tasks on endpoints.
arkmtech@reddit
VNC is a decent enough tool for small offices, or as a band-aid in certain situations, but I would seriously encourage you to take a look at NinjaOne.
Not only an insanely good remote assistance tool, but as an overall IT management tool as well. Once you've tried it you'll ask yourself how you survived without it.
Cost for our organization of 5,000+ workstations was exceptionally reasonable (i.e. almost $1 per computer) and their support has been among the best I've worked with.
Disastrous_Recipe424@reddit
Seconded for NinjaOne - we recently switched up for device management, ticketing, all sorts.
So far (6 months in) I can't fault it.
jcpham@reddit
MSRA works fine for me, but domain and GPOs.
siedenburg2@reddit
While yes, it's a nice tool, most of the time it's outdated and not really secure.
What can be a somewhat good alternative is a local RustDesk. With that you get stuff similar to TeamViewer, but with the addition that the user needs to confirm the remote session (for some companies/areas that's mandatory); also, it's easier to get the user's RDP session with that.
And instead of VNC for servers, think about an IP KVM solution in a dedicated and protected network.
bluegrassgazer@reddit
This should be the main reason to stay away from it or replace it.
ipsirc@reddit
In what sense is it not secure?
bruhgubgub@reddit
It's outdated; it's like using Telnet.
ipsirc@reddit
Which ciphers does SSH support that TigerVNC does not?
PaintDrinkingPete@reddit
I set up a local RustDesk server around the time Covid hit and never looked back.
Once set up, it's dead simple to use, is compatible with just about everything, and performance, even when connecting to PCs on another continent, is great. It definitely made troubleshooting while everyone was teleworking much easier... and it still works great for our remote and hybrid workers.
Users appreciate having to give permission to connect, and being able to see that I'm connected during the session.
sryan2k1@reddit
Use a proper tool like Bomgar
SynergizeTheNeedful@reddit (OP)
The cost is unaffordable
stufforstuff@reddit
NoMachine - hands down the best solution.
PrettyFlyForITguy@reddit
It's relatively easy to set up IPsec in the Windows Advanced Firewall control panel, or through GPO. Just have Kerberos handle the key exchange. I set it to force IPsec for port 5800 or 5900, and only allow connections from certain IPs.
Once it's wrapped in IPsec, it's very secure. If you set up the Windows firewall rules to require a secure connection, nothing can get to that port (assuming you have no other allow rules). You can go even further from here, and limit certain users and computers via the Kerberos authentication...
It works very well to secure the protocol.
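The setup described in the comment above, as an added PowerShell example (not the commenter's own script, and not part of any VNC project): an IPsec rule that requires Kerberos machine and user authentication for inbound TCP 5900, plus a firewall rule that only allows the port for authenticated connections from one helpdesk subnet and one AD group. The subnet, group name and port are assumptions; the cmdlets are the standard NetSecurity module that ships with Windows 8 / Server 2012 and later, and the script must run elevated on a domain-joined host.

```powershell
# Added example, not the commenter's script. Assumed site-specific values:
$VncPort       = 5900                       # assumed RFB port (TightVNC/UltraVNC default)
$HelpdeskNet   = '10.10.50.0/24'            # assumed helpdesk subnet (constructed value)
$HelpdeskGroup = 'CORP\Helpdesk-Operators'  # assumed AD group allowed to connect

# 1. Phase 1 (main mode): authenticate the *computer* with Kerberos, so only
#    domain-joined machines can even complete the IPsec negotiation.
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'VNC-Phase1-MachineKerberos' -Proposal $machineAuth

# 2. Phase 2 (extended mode): authenticate the *user* with Kerberos, which is
#    what lets the firewall rule below filter on group membership.
$userAuth = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'VNC-Phase2-UserKerberos' -Proposal $userAuth

# 3. IPsec connection security rule: inbound traffic to the VNC port MUST be
#    protected; outbound merely requests protection so replies still flow.
New-NetIPsecRule -DisplayName 'VNC-RequireIPsec' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.InstanceID -Phase2AuthSet $phase2.InstanceID `
    -Protocol TCP -LocalPort $VncPort -RemoteAddress $HelpdeskNet

# 4. Firewall rule: allow the port only when the connection is IPsec-authenticated
#    AND the authenticated user is in the helpdesk group. -RemoteUser takes an SDDL
#    string, so resolve the group to its SID first.
$groupSid = (New-Object System.Security.Principal.NTAccount($HelpdeskGroup)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:LSD:(A;;CC;;;$groupSid)"

New-NetFirewallRule -DisplayName 'VNC-Allow-Helpdesk-Authenticated' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $VncPort `
    -RemoteAddress $HelpdeskNet -Authentication Required -RemoteUser $sddl

# 5. Verification: confirm the rules, then watch the security associations appear
#    when a helpdesk PC connects. An unauthenticated host on the LAN gets no response
#    on 5900 at all, because no plain "allow" rule for the port exists.
Get-NetIPsecRule -DisplayName 'VNC-RequireIPsec' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, RemoteAddress
Get-NetFirewallRule -DisplayName 'VNC-Allow-Helpdesk-Authenticated' | Get-NetFirewallSecurityFilter
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

Two practical notes: as the comment says, any pre-existing plain allow rule for the VNC port (for example one the VNC installer created) must be removed, otherwise it bypasses the authenticated rule; and the helpdesk machines need a matching connection security rule with `-OutboundSecurity Request` for the same port, typically pushed by the same GPO, or their connection attempts will not negotiate IPsec and will be dropped by the endpoint.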
E__Rock@reddit
Look into Solarwinds Dameware Remote connect.
narcissisadmin@reddit
I was an early adopter in the 2000s but they lost their damned minds with the pricing.
E__Rock@reddit
Well in 2000 they were not owned by Solarwinds so that checks out.
taxigrandpa@reddit
UltraVNC supports end-to-end encryption.
KandevDev@reddit
If security is the concern, just do not expose VNC. Tunnel it over SSH (-L 5900:localhost:5900 from a jump host) or WireGuard from outside. The protocol itself is the wrong place to add security; the network layer is. Internally, x2go or RustDesk are way better answers than trying to harden VNC.
ADynes@reddit
We use TightVNC. Settings pushed through GPO (registry) and access restricted only from a single network subnet. It works fine but eventually we will move onto something more robust. Hard to get away from free and works well though.
SynergizeTheNeedful@reddit (OP)
How are you restricting the network access? Windows firewall rules? I didn't think that was built into VNC; if I could have it only accept connections from my PC, that would at least make me feel better.
ADynes@reddit
It's definitely a setting in VNC. What we did was set one client up exactly how we wanted it set up, with an access password and a different admin password, and the subnet we wanted to access it from, and then just went into the registry on that machine, copied those settings (passwords are encrypted), and then pushed them with GPO.
SynergizeTheNeedful@reddit (OP)
Cool, worth checking out, thank you!
bitcraft@reddit
VNC can be a good solution, but it requires delicate handling and it’s often just not “production ready” unless you bend your environment to fit it. The performance is trash and uses a lot of bandwidth compared to modern solutions built on compressed video tech. Deployment and monitoring is a pain.
I’d say it can be a great fit for some situations, but just implementing it on a whim could be a disaster.
javierdapear@reddit
Trying to copy-paste with any VNC is terrible.
Flabbergasted98@reddit
Ugh, at the point where you're considering VNC, Quick Assist might be the way to go.
I guess it really depends on the OS you're working with.
ipsirc@reddit
Using PAM?
SynergizeTheNeedful@reddit (OP)
Help me out here, what does that mean?
ipsirc@reddit
- https://en.wikipedia.org/wiki/Pluggable_Authentication_Module
- https://manpages.debian.org/unstable/tigervnc-standalone-server/vnc.conf.5x.en.html.gz
SynergizeTheNeedful@reddit (OP)
Interesting, I'll read up on that, thank you.
zqpmx@reddit
RustDesk?
Kind_Ability3218@reddit
RustDesk and Guacamole are roll-your-own solutions. ScreenConnect has been the rock-solid SaaS recommendation for this use case for a long time because of agent pricing.
SynergizeTheNeedful@reddit (OP)
Yeah, I just looked; at like $600/year that seems like a great deal for ScreenConnect.
Viper896@reddit
Not sure why all the hate for VNC. It's very possible to use RADIUS authentication and MFA for VNC connections. We use it to have all connections tied to user accounts, with MFA being required, and users have to accept the request.
SynergizeTheNeedful@reddit (OP)
Which flavor are you using?
Viper896@reddit
RealVNC
Rawme9@reddit
We did it at the first company I worked at. Much worse experience than an actual RMM, but usable.
strongest_nerd@reddit
Terrible idea. Why not just use your RMM?
SynergizeTheNeedful@reddit (OP)
Cost? I'm not aware of any free ones.
SmartDrv@reddit
Not affiliated. Action1 is free for up to 200 endpoints. Its remote access isn't as robust as, say, ScreenConnect, but it is usable. Has endpoint patching as well.
SynergizeTheNeedful@reddit (OP)
Ty, I had no idea, I will check them out.
strongest_nerd@reddit
This is for a business right? RMM is a pretty standard tool for IT. If your company won't buy one then your company is not serious about their operations.
SynergizeTheNeedful@reddit (OP)
These types of comments are completely pointless. Hell, I've made them myself, I'm no better, but seriously... it's a waste of keystrokes man 😄
eriqjaffe@reddit
Action1 is free for up to 200(?) endpoints.
SynergizeTheNeedful@reddit (OP)
ooh, I did not know that, I will take a look. Thanks!
publicdomainadmin@reddit
Too annoying, it's hard to be a proper tool with a console. I prefer Screenconnect and just be done with it.
SynergizeTheNeedful@reddit (OP)
Idk much about that; locally deployed agent? Cloud or local console?
publicdomainadmin@reddit
It supports both.
osxdude@reddit
RealVNC's paid options are the only business-competent option in terms of good ol' VNC. RealVNC allows domain authentication, permissions, etc.
srekkas@reddit
Used it all the time; it was OK. TightVNC with mirror driver. Some VNC can ask for user permission to connect, to be on the safer side.
bruhgubgub@reddit
Fuck no
jlipschitz@reddit
What about remote assistance?
wezelboy@reddit
SSH port forwarding?