tight-vnc viewer and Zone Alarm

tight-vnc viewer and Zone Alarm

H.S.

Hello,

Just wanted to share this little experience. While viewing a remote
desktop using tightvncviewer, I was not able to control Zone Alarm (free
version) windows. I could only bring up the Zone Alarm control center,
but then I could do nothing to it from the client (mouse and keyboard
had no effect). The only way to get rid of it, or to interact with it, was to
get a person on the vnc server do the actions directly on that computer.

In other words, keyboard and mouse inputs from the VNC client side were
blocked.

The solution was to set a preference in Zone Alarm so that this is
possible:
Overview->Preferences->Protect the ZoneAlarm client (uncheck it)

Once this preference is unchecked, I was able to control the ZoneAlarm
remotely via VNC. Not sure what impact it may have on security though.

regards,
->HS



-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
___________________________________________________________
TightVNC mailing list, [hidden email]
To change your subscription or to UNSUBSCRIBE, please visit
https://lists.sourceforge.net/lists/listinfo/vnc-tight-list

Re: tight-vnc viewer and Zone Alarm

Gerard Seibert-2
On Sun, 13 Jan 2008 19:46:20 -0500
"H.S." <[hidden email]> wrote:

> Just wanted to share this little experience. While viewing a remote
> desktop using tightvncviewer, I was not able to control Zone Alarm
> (free version) windows. I could only bring up the Zone Alarm control
> center, but then I could do nothing to it from the client (mouse and
> keyboard had no effect). The only way to get rid of it, or to
> interact with it, was to get a person on the vnc server do the actions
> directly on that computer.
>
> In other words, keyboard and mouse inputs from the VNC client side
> were blocked.
>
> The solution was to set a preference in Zone Alarm so that this is
> possible:
> Overview->Preferences->Protect the ZoneAlarm client (uncheck it)
>
> Once this preference is unchecked, I was able to control the ZoneAlarm
> remotely via VNC. Not sure what impact it may have on security though.

If I were the owner/user of the PC in question, I can assure you that I
would be highly agitated. You have opened a potentially huge security
hole. An attacker would now be able to totally disable ZoneAlarm,
making the system susceptible to attack.

Why, might I ask, do you need to access ZoneAlarm remotely anyway? I
believe the 'commercial version' has password protection. I use it but
have never investigated that function. If it doesn't, I think I will
suggest it to ZoneAlarm.

--

Gerard
[hidden email]

Anti-trust laws should be approached with exactly that attitude.



Re: tight-vnc viewer and Zone Alarm

H.S.
Gerard wrote:

>
> Why, might I ask, do you need to access ZoneAlarm remotely anyway? I

I have a family friend who is learning how to use basic stuff on Windows
XP and I often remotely help him out (and maintain his machine).
Whenever a new program is updated or a new one installed, Zone Alarm
kicks in and asks for permission. Sometimes, to debug, I need to browse
ZoneAlarm's firewall to see what could be wrong. Such a mixture of
conditions made me disable that option in ZA.

->HS




Re: tight-vnc viewer and Zone Alarm

Tyran Ormond
On 11:59 AM 1/14/2008 -0500, it would appear that H.S. wrote:

>Gerard wrote:
>
> >
> > Why, might I ask, do you need to access ZoneAlarm remotely anyway? I
>
>I have a family friend who is learning how to use basic stuff on Windows
>XP and I often remotely help him out (and maintain his machine).
>Whenever a new program is updated or a new one installed, Zone Alarm
>kicks in and asks for permission. Sometimes, to debug, I need to browse
>ZoneAlarm's firewall to see what could be wrong. Such a mixture of
>conditions made me disable that option in ZA.

Not to mention that when one is remotely maintaining servers and ZA
pops up and refuses to allow VNC access to the dialog, having to
drive to the remote site (or worse, wait for someone at the remote
site to actually be available) is a nightmare.

One note, there is NO OPTION to disable ZA's mouse and keyboard
protection in the commercial version.  I would point you to the forum
page on the ZA site that gives directions for doing this but it has
been deleted.

1.  Backup your ZA settings (Overview|Preferences|Backup).
2. Open the XML backup file in a text editor, search for
disableKeyboardMouseProtection="false" and set it to true.
3. Restore your ZA settings (Overview|Preferences|Restore) using the
updated XML file.
4. Restart ZA (not always required).

To address the security concerns, to a degree, of Gerard:  One should
never allow VNC to have server access to the Internet.  In ZA, you
should ALWAYS set the Internet access of the VNC server to DENY.  If
you need remote access, ALWAYS use a VPN.  Hamachi (www.hamachi.cc)
is an exceptionally easy to use VPN.  For the truly concerned, you
should be using the Allow only loopback connections along with
Stunnel (http://www.securityfocus.com/infocus/1677).


Tyran Ormond
Programmer/LAN Administrator
Central Valley Water Reclamation Facility
[hidden email]
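
A defender-side check for the setting changed in steps 1-4 above, as an added example that is not part of the original post: it reads a ZoneAlarm settings backup and reports whether keyboard/mouse self-protection has been switched off. Only the attribute name comes from the post; the element names in the sample and the case-insensitive value matching are assumptions.

```python
import xml.etree.ElementTree as ET

ATTR = "disableKeyboardMouseProtection"  # attribute name quoted in the post

# Constructed sample backup: element names are hypothetical, only ATTR
# is taken from the post. A real backup will look different.
SAMPLE_BACKUP = """<?xml version="1.0"?>
<settings>
  <firewall zone="internet" level="high"/>
  <client startAtBoot="true" disableKeyboardMouseProtection="TRUE"/>
</settings>"""


def audit_backup(xml_text):
    """Return (status, findings) for one settings backup.

    status: 'protected', 'unprotected', 'unknown' (attribute absent or
    value not recognised) or 'unparseable'.
    findings: list of (element path, raw attribute value).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "unparseable", []

    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if ATTR in elem.attrib:
            findings.append((here, elem.attrib[ATTR]))
        for child in elem:
            walk(child, here)

    walk(root, "")
    # Assumption: values are compared case-insensitively.
    values = {value.strip().lower() for _, value in findings}
    if "true" in values:          # any occurrence set to true wins
        return "unprotected", findings
    if values == {"false"}:
        return "protected", findings
    return "unknown", findings    # missing attribute or unexpected value


if __name__ == "__main__":
    print(audit_backup(SAMPLE_BACKUP))
```

Run against periodic backups from a managed machine, an "unprotected" or "unknown" result is the cue to confirm the change was intentional.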




Re: tight-vnc viewer and Zone Alarm

H.S.
Tyran Ormond wrote:

> On 11:59 AM 1/14/2008 -0500, it would appear that H.S. wrote:
>> Gerard wrote:
>>
>>> Why, might I ask, do you need to access ZoneAlarm remotely anyway? I
>> I have a family friend who is learning how to use basic stuff on Windows
>> XP and I often remotely help him out (and maintain his machine).
>> Whenever a new program is updated or a new one installed, Zone Alarm
>> kicks in and asks for permission. Sometimes, to debug, I need to browse
>> ZoneAlarm's firewall to see what could be wrong. Such a mixture of
>> conditions made me disable that option in ZA.
>
> Not to mention that when one is remotely maintaining servers and ZA
> pops up and refuses to allow VNC access to the dialog, having to
> drive to the remote site (or worse, wait for someone at the remote
> site to actually be available) is a nightmare.
>
> One note, there is NO OPTION to disable ZA's mouse and keyboard
> protection in the commercial version.  I would point you to the forum
> page on the ZA site that gives directions for doing this but it has
> been deleted.
>
> 1.  Backup your ZA settings (Overview|Preferences|Backup).
> 2. Open the XML backup file in a text editor, search for
> disableKeyboardMouseProtection="false" and set it to true.
> 3. Restore your ZA settings (Overview|Preferences|Restore) using the
> updated XML file.
> 4. Restart ZA (not always required).
>
> To address the security concerns, to a degree, of Gerard:  One should
> never allow VNC to have server access to the Internet.  In ZA, you
> should ALWAYS set the Internet access of the VNC server to DENY.  If
> you need remote access, ALWAYS use a VPN.  Hamachi (www.hamachi.cc)
> is an exceptionally easy to use VPN.  For the truly concerned, you
> should be using the Allow only loopback connections along with
> Stunnel (http://www.securityfocus.com/infocus/1677).

Wonderful observations and suggestions!

I myself use VNC via SSH tunneling, and the ports of VNC (5900 or later)
are blocked at the firewall on the remote machine. In fact, the scenario
I mentioned earlier, only port 22 is allowed, I have cygwin installed on
the remote machine and open a tunnel via ssh (port 5900). Then by
connecting to 5900 via tightvncviewer gives me the remote machine
desktop ... all encrypted via an SSH tunnel.

->HS



>
> Tyran Ormond
> Programmer/LAN Administrator
> Central Valley Water Reclamation Facility
> [hidden email]

RE: tight-vnc viewer and Zone Alarm

James Weatherall
In reply to this post by Tyran Ormond
> To address the security concerns, to a degree, of Gerard:  
> One should never allow VNC to have server access to the
> Internet.  In ZA, you should ALWAYS set the Internet access
> of the VNC server to DENY.  If you need remote access, ALWAYS
> use a VPN.  Hamachi (www.hamachi.cc) is an exceptionally easy
> to use VPN.  For the truly concerned, you should be using the
> Allow only loopback connections along with Stunnel
> (http://www.securityfocus.com/infocus/1677).

Or, alternatively, use a version of VNC with in-built session security, or
which can handle secure tunnelling for you. :)  In either case, running
things on non-standard ports also helps in protecting you from remote
attacks trying to exploit flaws in Internet-accessible services.

Cheers,

--
Wez @ RealVNC Ltd



NX vs VNC: WAS Re: tight-vnc viewer and Zone Alarm

Harry Fearnley
In reply to this post by H.S.

> I myself use VNC via SSH tunneling, and the ports of VNC (5900 or later)
> are blocked at the firewall on the remote machine.

Surely, these can be changed quite easily?

> In fact, the scenario
> I mentioned earlier, only port 22 is allowed, I have cygwin installed on
> the remote machine and open a tunnel via ssh (port 5900). Then by
> connecting to 5900 via tightvncviewer gives me the remote machine
> desktop ... all encrypted via an SSH tunnel.

This may be the wrong place to discuss this ... :-)

I use both VNC and NX in different contexts.

... had you considered using NX --
http://en.wikipedia.org/wiki/NX_technology ?

Many NX clients, but NX server available for Linux & Solaris only.

NoMachine -- http://www.nomachine.com/ -- provide free clients.

They also provide a free (but limited functionality) server.
There is a free, unlimited, server available from FreeNX --
http://freenx.berlios.de/ (Linux various; Solaris)

NX uses only port 22; is more efficient than VNC (and therefore
better over limited bandwidth -- claimed OK over Dialup!); and is
very easy to use/configure client-side ...

In the context of Linux/Unix/Solaris servers what are the
advantages of VNC over NX?


Harry

+-+-+-+-+.+-+-+-+-+.+-+-+-+-+.+-+-+-+-+.+-+-+-+-+.+-+-+-+-+.+-+-+-+-+7+-+-+-
Harry Fearnley           http://www.eng.ox.ac.uk/~syshf
Dept Engineering Science, Parks Rd, Oxford, OX1 3PJ, UK
Tel: +44 (0)1865 273928   --    Fax: +44 (0)1865 273010


Re: NX vs VNC: WAS Re: tight-vnc viewer and Zone Alarm

astrand (Bugzilla)
On Wed, 16 Jan 2008, Harry Fearnley wrote:

> > In fact, the scenario
> > I mentioned earlier, only port 22 is allowed, I have cygwin installed on
> > the remote machine and open a tunnel via ssh (port 5900). Then by
> > connecting to 5900 via tightvncviewer gives me the remote machine
> > desktop ... all encrypted via an SSH tunnel.

If you want a "packaged" TightVNC-based solution which includes
SSH-encryption and much more, you might want to take a look at our
ThinLinc product. Free for one concurrent user.


> NX uses only port 22; is more efficient than VNC (and therefore
> better over limited bandwidth -- claimed OK over Dialup!); and is
> very easy to use/configure client-side ...
>
> In the context of Linux/Unix/Solaris servers what are the
> advantages of VNC over NX?

The performance of the NX protocol, just like X11, depends very much upon
which application you are using. With some applications, things work
great. With others, say Java-based apps, the performance is really bad.

The NX technology is impressive, but I don't think the architecture is
very good, or "thin". X11 isn't really well suited for today's thin clients
and mobile world, and NX suffers from this. For example, having to deal
with fonts on the client side is a pain. The fact that applications cannot
survive if the Xserver is gone also means that running the Xserver on the
server (such as when using Xvnc) is more practical. (I believe NX has
solved this by, in essence, having a Xserver both on the server and on the
client, but this is not very elegant either.)

When accessing, say, Windows Terminal Servers, NX does this by having a
specialized "hacked" version of rdesktop, which translates RDP to NX. This
is not very practical either. By using Xvnc, you can use a standard
rdesktop version (or any other X11 RDP client).

Best regards,
---
Peter Åstrand ThinLinc Chief Developer
Cendio AB http://www.cendio.se
Wallenbergs gata 4
583 30 Linköping Phone: +46-13-21 46 00