UltraVNC: The Guide

In previous days, I have been working quite a bit to get UltraVNC to work in my environment. I love the way it works, but after a lot of tinkering, I realized that it is still open source, and does not support everything without a lot of tweaking. My final decision was to jump to Dameware, as we already owned licensing for it. This could possibly be another article on how I implemented it. However, I didn’t want my efforts in getting VNC to work in an enterprise wasted, so I decided to create this guide on setting up VNC, and some of the pitfalls that I ran into, and how to avoid them.
Overview

In this guide, the goal would be to create an UltraVNC package, and distributing it using a script: we will be using Kixtart. The operating systems that this has been tested with are Windows XP SP2, SP3 and Windows 7. (Windows Vista would also work). The CPU architecture targeted is 32Bit. I have had some success in 64bit OS as well, but not thoroughly tested. We will be using the latest version of UltraVNC. (at the time of this writing, 1.0.9.5). There are tons of ways to install UltraVNC, as well as tons of ways to have encryption, authentication, etc … I have tried most of them, and my final product was what I found to be the most integrated solution.

Requirements

• UltraVNC 1.0.9.5
• SecureVNCPlugin.dsm
• Admin access on a workstation (XP and Windows 7).
• UAC turned off on Vista and Windows 7 OS.  (This was a big challenge, and proved to be too problematic in pushing software.
• A share, accessible to the script, as well all the users.
• Active Directory domain (if planning to use any LDAP Authentication)
• Kixtart Engine on workstation

Common Questions

Before getting into the process, here are a couple of questions regarding VNC that I had to research:

Process

Since there are files that will be needed that will pertain to your own settings, the first step should be to create an install of UltraVNC as it will be deployed in your environment. There will probably be 2 instances that you will want to have installed: UltraVNC Server, and UltraVNC including the Viewer. UltraVNC Server: This will be on the user’s workstations, which would mean that you want to lock it down as much as possible. UltraVNC Server with the Viewer: This will be the version that would be installed on workstations that will also require the viewer. (for administrators, helpdesk staff, etc …) The installation process for both pieces are exactly the same. So I will list the steps for one (UltraVNC Server) , and the steps would have to be repeated with the different options for the second version of UltraVNC Server with the Viewer.

• Run the installer for UltraVNC, and do not install the viewer, choose to install the service, and start it. (you can also choose to add the mirror drivers, though be aware that this will cause an internet download pop up, that you will not be able to to easily integrate in the unattended install)
• The first file to save through the installer is the inf which determines the settings and components to install. To do this, run the setup with a /saveinf argument like so:
  UltraVNC Setup 1.0.9.5 /saveinf=”path/to/inf/file”

  

  Allow Windows to install the driver

  

  Install the service, and allow it to start

  

  Install the Hook Driver

  
  

  

  Don’t install the Mirror Driver

  

  Install the Server only

  
  
• When the installation is over, there are 2 ways to enable saving the settings in the registry:
  • Open the “Edit Settings” from the Programs menu, and go to the “Misc” tab, and enable the registry settings
    

    Enable Registry Settings

  • The second option, which I would go for, would be to open up C:\Program Files\UltraVNC\ultravnc.ini and make sure the first lines are like the following:

  [Permissions]
[Admin]
UseRegistry=1

  • After the registry is changed the service needs to be stopped and restarted: net stop uvnc_service && net start uvnc_service
  • At this point, the registry entries should’ve moved over to the registry, and you can delete all the remaining lines from ultravnc.ini. (make sure you do keep the “UseRegistry=1″ though.
  • Note: For some reason, the settings don’t actually get set when you switch to the registry; so the settings page will pop up immediately after changing the setting and bouncing the service. Go ahead and change the settings, and set it up exactly like you’d want it, including the Authentication, and the Encryption plugin.
    When everything is set, and the Ok, or Apply button are pressed, the registry will be populated with the new settings.
    

    UltraVNC Settings

• Once the registry is all set, we now need to export it. Navigate to HKLM\SOFTWARE\ORL , and export that into a REG file.
• If you’re using the SecureVNCPlugin.DSM, then there are multiple options. We won’t discuss all of them, but rather just one that will implement a fairly strong encryption in the VNC connection. To do this we need to create a keypair with the SecureVNCPlugin.dsm.
  • Open up the config of the plugin, and click on “Generate Client Authentication Key”
  • Create both the private key (pkey) and the public key (pubkey)
  • The private key needs to be kept, well, private, and only installed on the workstations that have the viewer installed.
  • The public key needs to be copied to all the workstations that only have the UltraVNC server installed.

  

  SecureVNCPlugin Configuration

  

  Save the private key

  

  Save the public key

  
  
  
• After the above steps, you should end up with the following files: UltraVNC Setup 1.0.9.5, ultravnc.inf, ultravnc.reg, ultravnc.ini, viewer.pkey, server.pubkey.
  (Note that the names of the files can be whatever you decided to name them).
• The much talked about acl.txt along with the MSLogonACL.exe /e and MSLogonACL.exe /i /o acl.txt is not needed in the scenario where the settings are exported to the registry. The ACLs are integrated within the registry.
• At this point, all that is needed is to place the corresponding files in the correct locations, in the correct order, and execute the VNC installer with the appropriate inf.
• I have included an example KIX script that will perform the installation for you, once you’ve setup the files shares and the ACLs on these shares. There are a few items that may not be obvious from going through the script, so I’ll give you some pointers regarding what I did in my environment.
  • The downloadable KIX script included is merely the very last step in the process I have implemented.
  • In order to include the installations to be silent and unattended within a login script, you need to create some processes that will figure this out upon user login.
  • you will notice that the script is referring to some registry entries. Assuming that the user has admin access on their workstation, or if you can proxy the script to run in an elevated user privilege, then, you can do some checks to figure out whether the service exists (uvnc_service), and that c:\program files\UltraVNC\winvnc.exe exists. If those don’t exist, then a custom registry entry would be written in HKLM\SOFTWARE\CORP\VNC\VNCInstalled (REG_SZ = 0)
  • the login script would then check that registry entry upon login, and if it is set to 0, then the script would create a scheduled task on the local workstation to kick off the “InstallVNC.KIX” script (Attached to this article).
  • I have not included these steps that I have in my environment because a setup of such a process really depends on what kind of environment and security policies you have in place, but this process should get you started If you need a kick start, or ideas on how to get that accomplished, contact me and I could attempt to help or try to guide you in the right direction.

Resources

UltraVNC 1.0.9.5: http://www.uvnc.com

SecureVNC Plugin: http://adamwalling.com/SecureVNC

Kixtart: http://kixtart.org

UltraVNC Kix Install Script: http://www.foreignkid.com/public/KIX/BLOG_InstallVNC.kix

Related posts: