Details

• ID: CM0020
• Version: 1.0
• Created: 14 March 2025
• Modified: 14 March 2025
• Type: Disable
• Status: Active

Intended Outcome

Disabling the Virtual Network Computing (VNC) desktop-sharing system blocks adversary lateral movement using VNC.

Introduction

Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer, relaying keyboard and mouse input to a server from a client. Implementers of this countermeasure can consult available documentation for different VNC implementations (LibVNC, TightVNC, UltraVNC, RealVNC).

Preparation

• Identify organizational components that use the VNC system to perform remote troubleshooting, server management, and remote work and inform them that the system will be disabled.
• Ensure access to critical endpoints will remain accessible before disabling VNC, particularly if operational technology for critical infrastructure is in use.
• Coordinate with administrators to determine the extent VNC is used for administrative tasking.

Risks

• This countermeasure can break legitimate functionality.
• Disabling VNC will limit remote access to endpoints (follow guidelines in Preparation section).
• This countermeasure may not stop all ongoing activity.
• Disabling VNC will not prevent remote access if other means of remote access, such as RDP, are still available and unsecure.

Guidance

Kill the VNC Service

• If VNC cannot be found but is being used by the adversary, hunt for suspicious processes that may be obfuscated VNC services. For guidance, see CM0023 Identify and Terminate Suspicious Process.

Block VNC traffic via Firewall

• By default, VNC uses TCP ports 5900 for the server, 5800 for browser access, and 5500 for a viewer in listening mode. Host and network inbound and outbound rules can be configured to deny VNC access.

Disable VNC Service via GPO

• Create a new Group Policy Object (GPO) or edit an existing GPO in the Group Policy Management Console to disable the VNC service.
• After establishing this GPO, link it to the appropriate Organizational Unit (OU) and apply the update to all relevant computers.

Block Execution of VNC.exe

• Third-party endpoint protection software can be used to define a rule to block the execution of vnc.exe.
• Windows Attack Surface Reduction (ASR) rules can also be used to block the execution of specific processes, including VNC.exe. For instructions on using ASR, see RM000X.

References

• Setting up VNC Connect for Maximum Security | https://help.realvnc.com/hc/en-us/articles/360002253278-Setting-up-VNC-Connect-for-Maximum-Security