Real-VNC Security Issues & General Info

semmes used Ask the Experts™
I am thinking of using RealVNC to remotely access computers.  However, what are the experts opinions regarding its security, is its use going to make users more vulnerable.

Also, what is the programs reliability like?

And finally, do hardware / software firewalls have to be configured for the use of RealVNC (and programs alike).


(I will split points between the best responses).
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
First, I woud probably use TightVNC instead of realVNC.  It tends to perform better, while still beig compatible and OS.


RealVNC "out of the box" supports only a very basic authentication mechanism, a password, which is only hashed.  You can use it in conjunction with SSH for better security.

here are variant versions available that supoprt use of MS Windows authentication.


It tends to have some problems with screen painting, requiring you to request a full screen refresh manually to correct. It occassionally has problems with full page scrolling, also requireing manual refresh.  if you are trying to access a fast-switch XP box, forget it.  Multiple simultaneous logins will blow its mind.

Firewalls have to be configued to let the correct ports through; usually, 5900 is sufficient ina default setup.  As with any port listener, your software firewall will haveto be set to recognize teh VNC daemon as a legitimate object.

Unix server version does not give you access to teh current screen.  It has its own x-windows space.


No file transfer built in.

Certain keysroke combinaions difficult or impossible

Cannot trap system keystrokes

Screen scaling is terrible.
I agree with qwaletee about tightvnc vs realvnc.

My overview of remote-control:

Regardless of how you go, almost any remote-control software is a vulnerability added to your system.  The questions you need to answer, and weight according to the relative importance to your organization, are

1)  Cost  - What is my exposure, dollars and cents, to get this working out of the box?

2)  Performance - How fast will this respond?  What kind of overhead will this add to my network?  How efficiently does it use the bandwidth I have available?

3)  Security - What methods can be used to secure remote-control?  Are there any known vulnerabilities or exploits?  Are there ways to avoid those vulnerabilities or exploits?

Only you can decide the cost/benefit of any solution in this area.  For my dollars, the price/performance of any VNC solution beats any commercial product.  If you want double-blind multiply-secured and encrypted remote control, you can pay for the GoToMyPC service, which is actually a tad better response-wise than VNC, but will have ongoing costs for the service.

There are specific firewall ports that VNC uses (I will not go into that here) but it is easier to use VNC over a firewall or through a VPN than many other remote-control packages.

If you need firewall transparency, high security and features like file transfer and remote reboot, you're better off paying for GoToMyPC, in my opinion.
Oh, also, GoToMyPC has remote print capability that is much easier to configure and use that that provided by pcAnywhere.   VNC doesn't do remote printing, AFAIK.
Should you be charging more for IT Services?

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Most *VNC don't support file transfers, but TightVNC is developing one (although most of it is in the CVS), and UltraVNC has a limited working solution (limited that there's no deleting remotely or resuming yet).

It has the ability to use some plugins for encryption (but so far I haven't got any of them to work), and the MS Windows authentication sucks at the moment because I don't know how to get it to block incorrect/blank passwords. Falling back to the single password authentication is as secure as what qwaletee said.

As for the reliability of UltraVNC, it comes with a video hook driver that determines exactly which parts of the screen has changed so that the server can only send that particular part to the client. I haven't had any screen refresh problems with this setup, although the performance is very sluggish when accessing from the Internet. However, the developers claim that it feels like you're actually sitting at the computer's console with this driver.

The firewall port depends on what display number you're using and is always 5900 + display number. But like qwaletee said, the default setup is on 5900.
VNC is very reliable, and I have used it to remote-support desktops over a VPN WAN.  Depending on whose version you choose, it has moderate-to-good security.  If you don't need file transfer or remote print, I would have no problems recommending any VNC.  Performance only suffers, from my experience, when the host PC has high-graphics set (16-bit color or higher) and is running some photographic-type wallpaper like WebShots.  

Man, that really p'd me off when users ran WebShots.  But that's another topic...

Now that would really suck.

However, I think all of them have the ability to not send the wallpaper info to the client, although it depends on which flavour of VNC for the accessibility of that option (only registry editing for the original VNC, I can't remember what TightVNC has, and UltraVNC has a checkbox right with the properties in the server config dialog box).

> Man, that really p'd me off when users ran WebShots.
If you leave the wallpaper on and tell the client to switch to 256 colors, you can see it turn ugly right before your very eyes. Now go get some revenge on it! ;)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial