We wanted UltraVNC server (client) with encryption. Although UltraVNC currently supports unintended installs, it needs to download the mirror driver from the Internet durring the process. I found it easier to install it myself.
This guide will explain deploying it via Group Policy. While I have used a GPO for some settings (like the registry modifications), they could easily be put into the main script to use with a KACE appliance for example.
First let’s look at the main script. Here is the script with my comments.
REM Script to install UltraVNC with custom settings. Author: Duncan White (duncan.white@live.com.au)
REM Detect if UVNC is installed. Skip script if it is.
if not exist "%ProgramFiles%(x86)\UltraVNC\winvnc.exe" (
goto UVNCInstall
)
exit
:UVNCInstallREM COPY ULTRAVNC
robocopy \\server\softwareshare\ultravnc\runtime "%ProgramFiles(x86)%\UltraVNC"
- Note I am copying it to the 32-bit ‘Program Files’ directory on a 64-bit PC.
- Mine is shared in our domain’s ‘SYSVOL’ group policy share so it is replicated to all our domain controllers.
REM INSTALL MIRROR DRIVER (32-bit)
"%ProgramFiles(x86)%\UltraVNC\driver\setupdrv.exe" installs
- This installs the mirror driver. Use this for better performance.
REM INSTALL MIRROR DRIVER (64-bit) (WON'T WORK UNTIL THEIR DRIVER CERTIFICATE IS VALID)
\\server\softwareshare\ultravncserver\devcon.exe install "C:\%ProgramFiles(x86)%\UltraVNC\driver\x64\driver\mv2.inf" mv_hook_display_driver2
- As noted: not working at present (on 64-bit PCs only).
- Google Devcon.exe and download it.
REM IMPORT REGISTRY SETTINGS SO MSLOGONACL IMPORT WORKS
regedit /s \\server\softwareshare\ultravncserver\orl.reg
- This is annoying. The ACL command will not work until there are specific UltraVNC registry keys. See orl.reg below.
REM INSTALL AUTHENTICATION ACLS
"%ProgramFiles(x86)%\UltraVNC\MSLogonACL.exe" /i /o \\server\softwareshare\ultravncserver \acl.inf
- This imports an ACL file that I created earlier with the same program. You will need to install UltraVNC on a PC, get to the configuration screen and edit the Windows ACLs that you need. Then you can run MSLogonACL.exe from that PC with a ‘/o’ variable. The official documentation is at http://www.uvnc.com/docs/uvnc-server/58-ultravnc-server-ms-logon-authentication.html
REM INSTALL AS SERVICE
"%ProgramFiles(x86)%\UltraVNC\winvnc.exe" -install
REM START VNC SERVICE TO READ NEW SETTINGS
net start uvnc_service
My Group Policy Object then contains additional settings.
- I lock users out of C:\Program Files (x86)\UltraVNC via NTFS security.
- Unblock the port used via Windows firewall.
- Give Services permission for ‘Secure Attention Sequence’. This is needed be pre-logon remote access. The setting can be found in 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Disable or enable software Secure Attention Squence'. Set it to ‘Services and Ease or Access applications.
Orl.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ORL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORL]
Comments