Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

Lock Down Configuration Settings

Post Reply
s33k3r
8
8
Posts: 12
Joined: 2014-09-05 19:02

Lock Down Configuration Settings

Post by s33k3r »

From what I understand, the UltraVNC.ini file gets it's settings read first, and the registry get's its settings read only if the UltraVNC.ini file tells ultravnc to use the registry settings (please correct me if I am wrong here). Based on this I am trying to lock down the UltraVNC.ini settings file so that it can not be modified by end users (non-admins).

I did the following to try to circumvent users from modifying the configuration:

Made the file a system and hidden file (works good)

Code: Select all

UltraVNC.ini" +s +h
next..

The problem is after i do a silent install via (... with the service stoped and installed as a service)

Code: Select all

UltraVNC_1.1.9.6_32bit.exe /verysilent /norestart /loadinf="c:\UltraVNC.ini"
.. I overwrite the UltraVNC.ini in program files and with my config. Used CACL and ICALCS to change the permission of the UltraVNC.ini file and this works.

Code: Select all

echo "Y" | cacls "C:\Program Files\Uvnc bvba\UltraVNC\UltraVNC.ini" /e /g "DOMAINNAME\Domain Admins":F 
icacls "C:\Program Files\Uvnc bvba\UltraVNC\UltraVNC.ini" /inheritance:r /grant:r ADMINACCOUNTNAME:(OI)(CI)F /T
Takeown /f "C:\Program Files\Uvnc bvba\UltraVNC\UltraVNC.ini"
icacls "C:\Program Files\Uvnc bvba\UltraVNC\UltraVNC.ini" /Grant ADMINACCOUNTNAME:F 
icacls "C:\Program Files\Uvnc bvba\UltraVNC\UltraVNC.ini" /Grant DOMAINNAME\ADMINACCOUNTNAME:F 
icacls "C:\Program Files\Uvnc bvba\UltraVNC\UltraVNC.ini" /Grant USERS:R
icacls "C:\Program Files\Uvnc bvba\UltraVNC\UltraVNC.ini" /REMOVE:g Administrators
After I start the service and it freaks out asking for settings and a password (even though I am using mslogon groups 1 and 2). There is a password in the ini file too.

Is there a way around this prompt?
Top
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6839
Joined: 2004-04-23 10:21
Contact:
Contact Rudi De Vos

Re: Lock Down Configuration Settings

Post by Rudi De Vos »

1) From Vista, only UAC admins can make changes to all files in "program files", this is a secure folder.
2) Pre Vista, i would et the file to view-only with admin as user.

VNC always require a vnc password even when it is NOT used.
Run setpasswd.exe myfullpasswd myreadonlypasswd to preset some vnc passwd
Top
s33k3r
8
8
Posts: 12
Joined: 2014-09-05 19:02

Re: Lock Down Configuration Settings

Post by s33k3r »

The layer of protection was also to prevent other administrators other than the ones I explicityly allow (such as patch management, security admins, or platform management) to have access to the files.

I found the solution was that the SYSTEM account needs explicit rights to the configuration file.

Once I added that the ACL restrictions worked great.
Top
Post Reply

Return to “Old messages”