Apple Remote disable unencrypted access

I recently got a remark from a security audit that our Mac mini is using unencrypted VNC access. According to the info, Apple Remote Desktop actually uses encryption to send authentication info, keystrokes, etc. to the ARD Agent. ARD is enabled on the server machine using System Preferences > Remote login.


But when connecting using e.g. VNC Viewer, I get a warning: insecure, unencrypted connection. So I suppose ARDAgent is offering both encrypted and unencrypted access.


Is there a way to turn off the unencrypted 'mode' and keep only encrypted communication?

Mac mini, OS X El Capitan (10.11.6)

Posted on Jan 9, 2018 7:48 AM

Reply
4 replies

Jan 9, 2018 8:02 AM in response to Koen Van Hooreweghe

VNC Viewer would have to support that.


What are the source and destination systems? For example Mac, Windows, Linux, Solaris, AIX, HP-UX, etc...


If a Windows system, maybe try RealVNC client. It might know about Apple's secure connections.


Or you could start an ssh session with a VNC tunnel. That would give you a secure channel.

ssh -L 25900:127.0.0.1:5900 username@remote.system

Start your VNC Viewer connection with the destination being 127.0.0.1:25900

Or it could be localhost:25900

Jan 9, 2018 10:56 AM in response to Koen Van Hooreweghe

If it is Mac to Mac, then use Back to My Mac (see System Preferences -> iCloud -> Back to My Mac). Both Macs must be using the same Apple ID to log in to iCloud.


Back to My Mac will encrypt everything, whether it is Screen Sharing or File Sharing.


You do NOT need to use Apple Remote Desktop. You can use Screen Sharing, which is included with your Macs, unless of course you are using ARD to do remote admin things (which MrHoffman has much more experience with).


If you use a generic VNC client, it may or may not encrypt anything. Typically generic VNC does not encrypt anything. Neither the username/password exchange, nor the traffic sent back and forth.


MrHoffman's VPN suggestion if you are going across the internet is one secure solution. Back-to-My-Mac should be another. The ssh tunneling suggestion is another, but it has a lot of setup work needed with routers and things like dynamic DNS names, not to mention getting the ssh command line correct. However, I do use it all the time for my remote VNC operations (after spending months figuring it out back in the '90's).
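To check the point above (a generic VNC client may get an unencrypted session) against the original question (is the Mac mini still offering an unencrypted 'mode'?), here is a small probe I have added to this thread; it is not code from any of the posters or from Apple. During the RFB handshake a 3.7+ server sends the list of security types it will accept, so you can see from the outside whether it offers anything besides Apple's own type. The type numbers are the IANA RFB registry values as I know them, the sample messages are constructed by me, and the host/port arguments are assumptions for your own setup. If the server turns out to offer type 2, the macOS setting that governs that is the "VNC viewers may control screen with password" checkbox under Sharing > Remote Management > Computer Settings, which the thread does not mention.

```python
import socket
import struct

# RFB security-type numbers as registered with IANA. These constants are
# my own addition for this example; the thread itself does not list them.
SECURITY_TYPES = {
    1: "None (no authentication)",
    2: "VNC Authentication (DES challenge-response, session in the clear)",
    18: "TLS",
    19: "VeNCrypt",
    30: "Apple Remote Desktop (Diffie-Hellman key exchange)",
}

# Types whose session traffic is not encrypted. Type 2 protects the password
# with a challenge-response, but keystrokes and framebuffer go over plain TCP.
CLEARTEXT_TYPES = {1, 2}


def parse_security_types(message):
    """Parse the RFB 3.7+ SecurityTypes message: one byte count, then that many
    one-byte type numbers. A count of 0 means the server refused the connection
    and is followed by a u32 reason length and the reason string."""
    if not message:
        raise ValueError("empty security-type message")
    count = message[0]
    if count == 0:
        if len(message) < 5:
            raise ValueError("truncated refusal message")
        (reason_len,) = struct.unpack(">I", message[1:5])
        reason = message[5:5 + reason_len].decode("latin-1", "replace")
        raise ValueError("server refused the connection: %s" % reason)
    if len(message) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(message[1:1 + count])


def classify(types):
    """Report which of the offered types leave the session unencrypted."""
    cleartext = [t for t in types if t in CLEARTEXT_TYPES]
    return {
        "offered": [(t, SECURITY_TYPES.get(t, "unknown type %d" % t)) for t in types],
        "cleartext": cleartext,
        "only_encrypted": len(cleartext) == 0,
    }


def probe(host, port=5900, timeout=5.0):
    """Connect to a live server, complete the version handshake as a 3.8
    client, and return the security-type list the server offers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)
        if not banner.startswith(b"RFB "):
            raise ValueError("not an RFB server: %r" % banner)
        sock.sendall(b"RFB 003.008\n")
        return parse_security_types(sock.recv(256))


# Constructed sample messages standing in for what a server might send;
# they are not captures from the Mac mini discussed in the thread.
SAMPLE_MIXED = b"\x02\x1e\x02"      # offers type 30 (ARD) and type 2 (VNC auth)
SAMPLE_ARD_ONLY = b"\x01\x1e"       # offers type 30 only
SAMPLE_REFUSED = b"\x00" + struct.pack(">I", 8) + b"Too many"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python probe.py 192.0.2.10 5900 (host/port are assumptions)
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
        types = probe(sys.argv[1], port)
    else:
        types = parse_security_types(SAMPLE_MIXED)
    report = classify(types)
    for number, name in report["offered"]:
        print("  type %3d  %s" % (number, name))
    print("unencrypted access offered:", "yes" if report["cleartext"] else "no")
```

Run it with no arguments to see the parser on the constructed sample, or with the Mac mini's address to query the real ARD Agent. An ssh tunnel as suggested above only changes what your own client sees; this probe run from another host on the network tells you what everyone else's client is still being offered.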

Jan 9, 2018 9:24 AM in response to Koen Van Hooreweghe

If you're exposing VNC/RDP/ARD to the 'net, that's... not what I'd do. I'd use a VPN into the firewall and a firewall with an embedded VPN server, and connect via VNC/RDP/ARD via the VPN. I'd not expose an open TCP port 5900 to the 'net. Exposing it internally? I'd firewall the server into a DMZ if the server is externally exposed and would restrict and isolate the server contents and access, but whether or not the internal network can access the server in the DMZ via VNC/RDP/ARD directly or via VPN, that's your call.


I'm guessing that the audit here probably involved a port scan performed on the external network, and was not an internal port scan.

Jan 9, 2018 8:14 AM in response to BobHarris

It is a Mac only setup.

I think I'm safe as long as I only use Apple Remote Desktop to control the remote Mac mini.

But when using another vnc client, I suppose passwords etc are sent unencrypted, which makes this kind of connection insecure.

Other people from the company might need access to the remote machine, I cannot control which client they will use.

I just want to disable unencrypted connections from whatever vnc client application.


Using a VNC tunnel might be a good idea, but the remote machine stays open for unsecured connections.
