0

I'm running a small LAN with no WiFi. 2 XP machines, 1 Vista, 2 printers, and a DVR for security cameras.

Last week I set up RealVNC (the personal version, with no encryption) so that I could remotely view the computers within the network.

I also set up a VNC with LogMeIn Hamachi so that I can access the LAN from the internet.

I opened port 5900 on my firewall.

Also, I turned off authentication in RealVNC, figuring that the security through Hamachi would be sufficient.

I was planning on closing port 5900 and checking to see if the setup would still work.

Lo and behold, this morning someone accessed my computer via VNC while I was sitting in front of it. I saw the program start up and the mouse move.

Before thinking, I disconnected my modem. However, I am now unable to find any log of incoming IP addresses. I checked Windows Firewall and the option for logging incoming connections was not enabled.

I figured my setup would be safe because I was using a password-protected VPN.

  • Where did I go wrong?
  • How can I protect myself?
  • Am I being specifically targeted?
  • How can I find out who it was?
  • Where should I go from here?

Right now I'm afraid to even connect my LAN to the internet again.

Please advise!

7
  • You set up a VNC server without a password; that is what you did wrong. It's not possible to know if you were targeted; it's unlikely though, unless you are a high-value target.
    – Ramhound
    Commented Feb 1, 2014 at 13:36
  • So is my IP added to a list of VNC servers? Or was someone scanning for open port 5900?
    – user114772
    Commented Feb 1, 2014 at 14:07
  • When dealing with Windows XP, port scanning is really popular. I hope you understand it will only get worse after April.
    – Ramhound
    Commented Feb 1, 2014 at 14:13
  • Why XP? And why April?
    – user114772
    Commented Feb 1, 2014 at 14:17
  • I bring it up because you're using Windows XP. As to the reason, they attack Windows XP because it's the low-hanging fruit; it's an easy target, and most Windows XP machines are insecure and vulnerable to attack. Windows XP security updates stop in April. Many believe the day after support ends there will be a massive attack against those machines. If it turns out this happens, if a Windows XP machine is connected to the internet, it will be compromised.
    – Ramhound
    Commented Feb 1, 2014 at 14:21

2 Answers

0

Here are some steps to improve the configuration:

Well, now we need these safety mechanisms to protect XP more than ever. There should be one administrator account per machine, maximum, and this should not be the default “Administrator” account that comes with Windows out of the box – it should be an account name only you, the machine owner, know. That way if something malicious gets onto the box it’ll only be able to potentially destroy your profile, not the whole OS.

Your accounts need to look like this – default Administrator account disabled with another user created for admin tasks, with a strong password.

Finally, make sure you disable enumeration of the computer accounts for anonymous users so nobody can/could query the XP machine for what accounts there are without authentication. Given all the changes we’ve made above this would be very difficult anyway but good security is a layered-cake approach, not any silver-bullet.

Windows XP needs to respond to zero traffic sent to it as that’s a huge vector for attack even on a good day. This means no listening services as we’ve done above but we’re going to double-tap this problem by activating the firewall and setting it to block all inbound traffic with no exceptions.

There are no outbound firewall restrictions in XP so this is about as good as we’re going to get. I’d strongly recommend doubling-up the firewall with something external too and configuring outbound restrictions too.


0

Since someone else just answered this ... unencrypted VNC is like leaving your front door open, using XP is like locking a flimsy door, and Hamachi, eh, it's a lazy man's VPN but not THAT bad.

It sounds like you haven't actually locked VNC to the VPN, and it's still openly accessible over the internet. What you need to do if you want passwordless VNC (eugh, just use RDP) on your LAN is to block the VNC port on your internet gateway but leave it open on the machine itself. This means that in order to attempt VNC access, one would need to be on the local network (i.e. VPN'd in).
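Once Windows Firewall connection logging is enabled, the log can confirm whether VNC really is reachable only from the LAN and the VPN. The following is an added example, not part of the question or either answer: it reads a firewall log and lists every TCP connection to port 5900 whose source lies outside the trusted ranges. The trusted ranges, the log lines and all addresses are constructed placeholders, and the column names are taken from the log's own `#Fields:` header.

```python
import ipaddress

# Assumed trusted ranges (placeholders): the LAN subnet and the VPN's range.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("10.99.0.0/24")]
VNC_PORT = 5900

# Constructed sample in the Windows Firewall log layout (header + rows).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-02-01 08:41:07 OPEN-INBOUND TCP 192.168.1.20 192.168.1.10 1044 5900 - - - - - - - - -
2014-02-01 08:52:13 OPEN-INBOUND TCP 203.0.113.45 192.168.1.10 51522 5900 - - - - - - - - -
2014-02-01 08:53:02 DROP TCP 198.51.100.7 192.168.1.10 40211 5900 48 S 123456 0 65535 - - - RECEIVE
2014-02-01 08:55:40 OPEN TCP 192.168.1.10 198.51.100.80 1050 80 - - - - - - - - -
"""

def untrusted_vnc_hits(log_text, trusted=TRUSTED_NETS, port=VNC_PORT):
    """Return (timestamp, action, src_ip) for TCP traffic to `port`
    whose source address is outside every trusted network."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("protocol") != "TCP" or row.get("dst-port") != str(port):
            continue
        try:
            src = ipaddress.ip_address(row["src-ip"])
        except (KeyError, ValueError):
            continue                       # malformed row: skip, do not crash
        if not any(src in net for net in trusted):
            hits.append((f'{row["date"]} {row["time"]}', row["action"], str(src)))
    return hits

if __name__ == "__main__":
    for when, action, src in untrusted_vnc_hits(SAMPLE_LOG):
        # An accepted connection from outside means the port is still exposed;
        # a DROP only shows that something on the internet tried.
        print(f"{when}  {action:<12}  {src}")
```

Any accepted (non-DROP) row in the output means port 5900 is still reachable from outside the VPN and the gateway rule needs fixing.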
