VNC Blocking — Action Items

Incorporate January 2026 AQL query results — VNC traffic patterns, source/destination IPs, ports (5900-5999, 5800-5899)

Run updated AQL query against current QRadar data — compare footprint drift since January

Query ISE profiler data for VNC-capable endpoints (profiled attributes, OUI, DHCP fingerprint)

Pull FTD/FMC logs for VNC port activity (TCP 5900-5999)

Check Sentinel for VNC-related events if connector ingestion covers relevant sources

Identify all VLANs and subnets with VNC traffic

Document VNC server versions observed (RFB protocol fingerprinting if available)

Classify endpoints: clinical devices, research workstations, facilities/BMS, administrative

Identify endpoints with legitimate remote access needs — coordinate with department leads

Cross-reference with BMS Device Inventory project (PRJ-2026-04-bms-device-inventory) — BMS systems frequently use VNC

Assess Medigate/Claroty visibility for IoT/OT devices running VNC

Document exception candidates with business justification

Confirm approved remote access alternatives (RDP+NLA, jump hosts, vendor-specific tools)

Coordinate migration plan for legitimate VNC users

Ensure alternatives are deployed and tested before blocking

Draft FTD ACL rules blocking TCP 5900-5999, 5800-5899

Draft ISE AuthZ policy denying VNC traffic where applicable

Coordinate with endpoint team for GPO/agent-level blocking

Write CR per STD-005 for CAB approval

Schedule maintenance window for implementation

Build Sentinel/KQL alert for any VNC traffic post-blocking

Monitor for circumvention (non-standard ports, tunneling)

Validate zero VNC traffic in SIEM for 7-day window

Close project — final report to leadership

Add to carryover tracker if not completed by mid-June

Cross-reference with Mandiant remediation findings (if VNC flagged)