In previous days, I have been working quite a bit to get UltraVNC to work in my environment. I love the way it works, but after a lot of tinkering, I realized that it is still open source, and does not support everything without a lot of tweaking. My final decision was to jump to Dameware, as we already owned licensing for it. This could possibly be another article on how I implemented it. However, I didn’t want my efforts in getting VNC to work in an enterprise wasted, so I decided to create this guide on setting up VNC, and some of the pitfalls that I ran into, and how to avoid them.
In this guide, the goal is to create an UltraVNC package and distribute it using a script; we will be using Kixtart. The operating systems that this has been tested with are Windows XP SP2, SP3 and Windows 7. (Windows Vista would also work). The CPU architecture targeted is 32-bit. I have had some success on 64-bit OSes as well, but that has not been thoroughly tested. We will be using the latest version of UltraVNC (at the time of this writing, 22.214.171.124). There are tons of ways to install UltraVNC, as well as tons of ways to have encryption, authentication, etc … I have tried most of them, and my final product was what I found to be the most integrated solution.
- UltraVNC 126.96.36.199
- Admin access on a workstation (XP and Windows 7).
- UAC turned off on Vista and Windows 7 OS. (This was a big challenge, and proved to be too problematic in pushing software.)
- A share, accessible to the script, as well as all the users.
- Active Directory domain (if planning to use any LDAP Authentication)
- Kixtart Engine on workstation
Before getting into the process, here are a couple of questions regarding VNC that I had to research:
Earlier versions (than 188.8.131.52) of UltraVNC used cad.exe, a proprietary file, to send ctrl-alt-del.
Version 184.108.40.206 started using the native Windows DLL that sends the command. Also, in Windows 7, the software Secure Attention Sequence (SAS) is enabled only for Ease of Access applications, but not for services. uvnc_service requires SAS to be enabled for services as well.
To do this, you can either change the registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration and set it to 3.
Or, you can do it through GPO. The policy can be found in Administrative Templates\Windows Components\System\Windows Logon Options; enable the Software Secure Attention Sequence, and choose both Ease of Access applications and Services.
Posted in: UltraVNC FAQ
There are 2 options for the mirror driver: the mirror driver and the hook driver. I have tried both in different scenarios, and I can’t say that it’s been a very good experience, from a silent, unattended installation perspective.
The mirror driver is a kernel driver, which means that the first installation would work ok, but subsequent installations would require a reboot.
I have not seen a whole lot of performance increase or decrease by using the mirror driver. Whether to use it is your choice. Even though there are separate installers for the mirror driver and the hook driver, you are able to add them to the installation components in the UltraVNC installer.
Every time you run the UltraVNC installer, some components seem to download from the internet. Unfortunately, as of the current version (220.127.116.11), there is no way that I know of to remove that. Of course, that means that if you don’t have any provisions to hide it, the download pop-up will still be visible to the user. Read on in the implementation process to find a solution for this issue.
One of the questions I had was whether to use the ultravnc.ini file for retaining settings, or the registry. After tinkering with both, I decided that the settings are better off retained in the registry. Some would argue that the ultravnc.ini is more portable, and depending on your environment, if users are completely locked out, the ultravnc.ini may be a better option.
I’m not sure, though, whether the ultravnc.ini can contain all the settings for the ACL and the encryption information for the SecureVNCPlugin. I do, however, know for a fact that if using the registry, then there is no need to do additional steps to import the ACLs using the MSLogonACL.exe. Again, look in the procedure to find out how.
Since there are files that will be needed that will pertain to your own settings, the first step should be to create an install of UltraVNC as it will be deployed in your environment. There will probably be 2 instances that you will want to have installed: UltraVNC Server, and UltraVNC including the Viewer.
- UltraVNC Server: This will be on the user’s workstations, which would mean that you want to lock it down as much as possible.
- UltraVNC Server with the Viewer: This will be the version that would be installed on workstations that will also require the viewer (for administrators, helpdesk staff, etc …).
The installation process for both pieces is exactly the same. So I will list the steps for one (UltraVNC Server), and the steps would have to be repeated with the different options for the second version of UltraVNC Server with the Viewer.
- Run the installer for UltraVNC, and do not install the viewer, choose to install the service, and start it. (You can also choose to add the mirror drivers, though be aware that this will cause an internet download pop-up that you will not be able to easily integrate in the unattended install.)
- The first file to save through the installer is the inf which determines the settings and components to install. To do this, run the setup with a /saveinf argument like so:
UltraVNC Setup 18.104.22.168 /saveinf="path/to/inf/file"
- When the installation is over, there are 2 ways to enable saving the settings in the registry:
- Open the “Edit Settings” from the Programs menu, and go to the “Misc” tab, and enable the registry settings
- The second option, which I would go for, would be to open up C:\Program Files\UltraVNC\ultravnc.ini and make sure the first lines are like the following:
- After the registry is changed the service needs to be stopped and restarted: net stop uvnc_service && net start uvnc_service
- At this point, the settings should’ve moved over to the registry, and you can delete all the remaining lines from ultravnc.ini. (Make sure you do keep the “UseRegistry=1” though.)
- Note: For some reason, the settings don’t actually get set when you switch to the registry; so the settings page will pop up immediately after changing the setting and bouncing the service. Go ahead and change the settings, and set it up exactly like you’d want it, including the Authentication, and the Encryption plugin.
When everything is set, and the OK or Apply button is pressed, the registry will be populated with the new settings.
- Once the registry is all set, we now need to export it. Navigate to HKLM\SOFTWARE\ORL , and export that into a REG file.
- If you’re using the SecureVNCPlugin.DSM, then there are multiple options. We won’t discuss all of them, but rather just one that will implement a fairly strong encryption in the VNC connection. To do this we need to create a keypair with the SecureVNCPlugin.dsm.
- Open up the config of the plugin, and click on “Generate Client Authentication Key”
- Create both the private key (pkey) and the public key (pubkey)
- The private key needs to be kept, well, private, and only installed on the workstations that have the viewer installed.
- The public key needs to be copied to all the workstations that only have the UltraVNC server installed.
- After the above steps, you should end up with the following files: UltraVNC Setup 22.214.171.124, ultravnc.inf, ultravnc.reg, ultravnc.ini, viewer.pkey, server.pubkey.
(Note that the names of the files can be whatever you decided to name them).
- The much talked about acl.txt along with the MSLogonACL.exe /e and MSLogonACL.exe /i /o acl.txt is not needed in the scenario where the settings are exported to the registry. The ACLs are integrated within the registry.
- At this point, all that is needed is to place the corresponding files in the correct locations, in the correct order, and execute the VNC installer with the appropriate inf.
- I have included an example KIX script that will perform the installation for you, once you’ve set up the file shares and the ACLs on these shares. There are a few items that may not be obvious from going through the script, so I’ll give you some pointers regarding what I did in my environment.
- The downloadable KIX script included is merely the very last step in the process I have implemented.
- In order to make the installations silent and unattended within a login script, you need to create some processes that will figure this out upon user login.
- You will notice that the script is referring to some registry entries. Assuming that the user has admin access on their workstation, or if you can proxy the script to run with elevated user privileges, you can do some checks to figure out whether the service exists (uvnc_service), and that c:\program files\UltraVNC\winvnc.exe exists. If those don’t exist, then a custom registry entry would be written in HKLM\SOFTWARE\CORP\VNC\VNCInstalled (REG_SZ = 0)
- The login script would then check that registry entry upon login, and if it is set to 0, then the script would create a scheduled task on the local workstation to kick off the “InstallVNC.KIX” script (attached to this article).
- I have not included these steps that I have in my environment because a setup of such a process really depends on what kind of environment and security policies you have in place, but this process should get you started. If you need a kick start, or ideas on how to get that accomplished, contact me and I could attempt to help or try to guide you in the right direction.
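One way to write the detection half of the login-script check described above, together with two checks on settings from earlier in this guide (the SAS value and where the private key ends up). This is an added example, not the author's InstallVNC.KIX or login script; the default install folder, the key files sitting next to the executables, and the viewer binary being vncviewer.exe are assumptions.

```kixtart
; Added example, not the author's script. Must run with rights to write HKLM.
; Assumptions: default install folder, key files stored beside the executables.
$vncDir  = "C:\Program Files\UltraVNC"
$svcKey  = "HKLM\SYSTEM\CurrentControlSet\Services\uvnc_service"
$flagKey = "HKLM\SOFTWARE\CORP\VNC"
$sasKey  = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

; 1. The server counts as installed only if both the service and winvnc.exe exist.
$installed = "0"
If KeyExist($svcKey) AND Exist($vncDir + "\winvnc.exe")
    $installed = "1"
EndIf

; 2. Record the result for the login script (REG_SZ; "0" means an install is needed).
If KeyExist($flagKey) = 0
    $rc = AddKey($flagKey)
EndIf
$rc = WriteValue($flagKey, "VNCInstalled", $installed, "REG_SZ")
If $rc <> 0
    ? "Could not write VNCInstalled: " + @SERROR
    Exit 1
EndIf

; 3. On Windows 7, uvnc_service can send ctrl-alt-del only when
;    SoftwareSASGeneration is 3. ReadValue returns "" if the value is missing.
$sas = ReadValue($sasKey, "SoftwareSASGeneration")
If ($installed = "1") AND ($sas <> "3")
    ? "SoftwareSASGeneration is not 3 (needed on Windows 7 for ctrl-alt-del)"
EndIf

; 4. The private key belongs only on workstations that also have the viewer.
;    Dir returns the first matching file name, or "" when nothing matches.
$pkey = Dir($vncDir + "\*.pkey")
If ($pkey <> "") AND (Exist($vncDir + "\vncviewer.exe") = 0)
    ? "Private key " + $pkey + " found on a server-only workstation"
EndIf

Exit 0
```

The login script can then read VNCInstalled with ReadValue and schedule the install only when it is "0"; the share holding the install script should be writable by administrators only, since the scheduled task runs whatever is placed there.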
UltraVNC 126.96.36.199: http://www.uvnc.com
SecureVNC Plugin: http://adamwalling.com/SecureVNC
UltraVNC Kix Install Script: http://www.foreignkid.com/public/KIX/BLOG_InstallVNC.kix