
UltraVNC Silent Deployment with Windows ACL security and transport encryption

We wanted UltraVNC server (client) with encryption. Although UltraVNC currently supports unattended installs, it needs to download the mirror driver from the Internet during the process. I found it easier to install it myself.

This guide will explain deploying it via Group Policy. While I have used a GPO for some settings (like the registry modifications), they could easily be put into the main script to use with a KACE appliance for example.

First let’s look at the main script. Here is the script with my comments.

REM Script to install UltraVNC with custom settings. Author: Duncan White (duncan.white@live.com.au)

REM Detect if UVNC is installed. Skip script if it is.

if not exist "%ProgramFiles(x86)%\UltraVNC\winvnc.exe" (

       goto UVNCInstall

)

exit

:UVNCInstall

REM COPY ULTRAVNC

robocopy \\server\softwareshare\ultravnc\runtime "%ProgramFiles(x86)%\UltraVNC" /E

  • Note I am copying it to the 32-bit ‘Program Files’ directory on a 64-bit PC.
  • Mine is shared in our domain’s ‘SYSVOL’ group policy share so it is replicated to all our domain controllers.

REM INSTALL MIRROR DRIVER (32-bit)

"%ProgramFiles(x86)%\UltraVNC\driver\setupdrv.exe" installs

  • This installs the mirror driver. Use this for better performance.

REM INSTALL MIRROR DRIVER (64-bit) (WON'T WORK UNTIL THEIR DRIVER CERTIFICATE IS VALID)

\\server\softwareshare\ultravncserver\devcon.exe install "%ProgramFiles(x86)%\UltraVNC\driver\x64\driver\mv2.inf" mv_hook_display_driver2

  • As noted: not working at present (on 64-bit PCs only).
  • Google Devcon.exe and download it.

REM IMPORT REGISTRY SETTINGS SO MSLOGONACL IMPORT WORKS

regedit /s \\server\softwareshare\ultravncserver\orl.reg

  • This is annoying. The ACL command will not work until specific UltraVNC registry keys exist. See orl.reg below.

REM INSTALL AUTHENTICATION ACLS

"%ProgramFiles(x86)%\UltraVNC\MSLogonACL.exe" /i /o \\server\softwareshare\ultravncserver\acl.inf

REM INSTALL AS SERVICE

"%ProgramFiles(x86)%\UltraVNC\winvnc.exe" -install

REM START VNC SERVICE TO READ NEW SETTINGS

net start uvnc_service

 

My Group Policy Object then contains additional settings.

  1. I lock users out of C:\Program Files (x86)\UltraVNC via NTFS security.
  2. Unblock the port used via Windows firewall.
  3. Give Services permission for ‘Secure Attention Sequence’. This is needed for pre-logon remote access. The setting can be found in 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Disable or enable software Secure Attention Sequence'. Set it to ‘Services and Ease of Access applications’.
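
A post-deployment check for the script and GPO settings above, as an added example that is not part of the original post. It assumes a 64-bit PC; the `SoftwareSASGeneration` registry value and the reading of "lock users out" as "no write-type rights for broad groups" are assumptions, and `Test-UvncDeployment` is a hypothetical name.

```powershell
# Added example, not the author's script. Install path, service name and ORL
# keys come from the article; items marked "assumption" do not.
function Test-UvncDeployment {
    $dir = Join-Path ${env:ProgramFiles(x86)} 'UltraVNC'
    $r = [ordered]@{}

    # Files copied by robocopy
    $r['winvnc.exe present'] = Test-Path (Join-Path $dir 'winvnc.exe')

    # Service registered by "winvnc.exe -install" and started by "net start"
    $svc = Get-Service -Name 'uvnc_service' -ErrorAction SilentlyContinue
    $r['uvnc_service running'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Keys from orl.reg that MSLogonACL needs before it can import acl.inf
    $r['ORL keys exist'] = (Test-Path 'HKLM:\SOFTWARE\ORL') -and
        (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\ORL')

    # NTFS lock-down (GPO item 1). Assumption: tested as "no Allow ACE with
    # write-type rights for Everyone, Authenticated Users or BUILTIN\Users".
    # The service runs winvnc.exe from this folder, so a user-writable folder
    # lets any user replace the service binary. SIDs keep the check
    # independent of the Windows display language.
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = $mask -bor 0x50000000   # GENERIC_WRITE | GENERIC_ALL
    $weak = @()
    if (Test-Path $dir) {
        $rules = (Get-Acl -Path $dir).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])
        $weak = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in $broad -and
            ([int]$_.FileSystemRights -band $mask) -ne 0
        })
    }
    $r['folder not user-writable'] = (Test-Path $dir) -and ($weak.Count -eq 0)

    # GPO item 3. Assumption: the policy is stored as SoftwareSASGeneration,
    # where 1 = Services and 3 = Services and Ease of Access applications.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sas = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).SoftwareSASGeneration
    $r['software SAS enabled for services'] = $sas -in 1, 3

    [pscustomobject]$r
}

Test-UvncDeployment | Format-List
```

Run it from an elevated prompt, since a standard user who is locked out of the folder cannot read its ACL.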

 

Orl.reg

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORL]

