VNC is a wonderfully open protocol, but 'open' cuts both ways: a basic VNC session is not strongly encrypted, and a weak password is an open door. The good news is that securing VNC Viewer is straightforward once you know the three layers that matter.
What you're protecting against
Two risks dominate: someone guessing or brute-forcing a weak password, and someone intercepting an unencrypted session on the network. Both are entirely preventable.
Layer 1: Strong, unique passwords
Set a long, unique server password — ideally a passphrase. Never reuse a password from another account. If your build supports it, set a separate view-only password for people who only need to watch.
Layer 2: Encrypt the session
VNC Viewer supports DSM encryption plugins that scramble session data so it can't be read in transit. Install the plugin on both the server and viewer and enable it before you connect. Without this, treat the session as visible to anyone on the path.
Layer 3: Tunnel or VPN for the internet
The safest way to reach a machine from outside your network is not to expose VNC at all. Instead, connect to your network over a VPN, or wrap the session in an SSH tunnel, then connect to the host as if you were local. Our internet-access guide shows how.
If you only remember one rule: never port-forward a raw VNC port to the open internet. Tunnel it.
Extra hardening steps
- Restrict which IP addresses may connect, where supported
- Keep VNC Viewer and Windows fully patched
- Disable the server when you don't need unattended access
- Log and review connections on sensitive machines