VNC Blocking — Enterprise Remediation

Project Summary

| Field | Value |
|---|---|
| PRJ ID | PRJ-2026-05-vnc-blocking |
| Owner | Evan Rosado |
| Priority | P1 |
| Category | Network Security / Access Control |
| Status | Active — Phase 0 (Discovery & Scoping) |
| Due | Mid-June 2026 |

Purpose

Block and eliminate VNC usage across the enterprise environment. VNC presents an unacceptable risk surface — unencrypted by default, weak authentication, no centralized access control, and frequently exploited for lateral movement.

Prior Art

AQL query executed January 2026 to identify VNC traffic patterns — results to be incorporated into Phase 0 discovery.

Approach

Phased: discover current VNC footprint via SIEM/firewall logs, identify legitimate use cases requiring migration to approved alternatives, implement blocking controls (firewall ACLs, ISE policy, endpoint controls), validate enforcement, document exceptions.
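The discovery step of this approach can be sketched as follows; this is an added example, not the project's own tooling or its January AQL query. It builds a per-server VNC inventory from connection records and separates port-based hits from application-identified ones. The CSV column names, the `app` label and the sample records are constructed assumptions, not a real firewall or SIEM export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of permitted-connection records; the column names are
# assumptions, not an actual firewall or SIEM export schema.
SAMPLE_LOG = """src_ip,dst_ip,dst_port,app,bytes
10.20.1.15,10.40.8.21,5900,vnc,48211
10.20.1.77,10.40.8.21,5900,vnc,9120
10.20.3.4,10.40.9.50,5901,vnc,150332
10.20.3.4,10.40.9.60,443,ssl,88120
10.20.5.9,10.40.7.12,8443,vnc,23044
10.20.6.2,10.40.7.30,5905,unknown,512
"""

VNC_PORTS = range(5900, 6000)       # RFB display :N listens on 5900+N
VNC_HTTP_PORTS = range(5800, 5900)  # browser-based viewer on 5800+N


def classify(port, app):
    """Return why a record counts as VNC, or None if it does not."""
    by_app = app.strip().lower() == "vnc"
    by_port = port in VNC_PORTS or port in VNC_HTTP_PORTS
    if by_app and by_port:
        return "confirmed"
    if by_app:
        return "nonstandard-port"   # VNC moved off 59xx; port ACLs alone miss it
    if by_port:
        return "port-only"          # verify before treating as VNC
    return None


def vnc_inventory(log_text):
    """Aggregate records into one row per listening VNC endpoint."""
    servers = defaultdict(lambda: {"clients": set(), "bytes": 0, "basis": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dst_port"])
        basis = classify(port, row["app"])
        if basis is None:
            continue
        entry = servers[(row["dst_ip"], port)]
        entry["clients"].add(row["src_ip"])
        entry["bytes"] += int(row["bytes"])
        entry["basis"].add(basis)
    return dict(servers)


if __name__ == "__main__":
    for (ip, port), e in sorted(vnc_inventory(SAMPLE_LOG).items()):
        print(ip, port, len(e["clients"]), e["bytes"], sorted(e["basis"]))
```

Endpoints tagged `nonstandard-port` are the ones a port-only ACL would not cover, and `port-only` hits need confirmation before they are classified in the impact assessment.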

Phase Status

| Phase | Description | Status | Notes |
|---|---|---|---|
| 0: Discovery | Identify all VNC usage — AQL queries, firewall logs, ISE profiling data | 🟡 In progress | January AQL query provides baseline |
| 1: Impact Assessment | Classify VNC endpoints — legitimate vs unauthorized, identify migration candidates | ❌ Not started | Coordinate with clinical engineering, research, facilities |
| 2: Alternative Provisioning | Ensure approved remote access tools available for legitimate use cases | ❌ Not started | Identify approved alternatives (e.g., RDP with NLA, jump hosts) |
| 3: Blocking Implementation | Deploy firewall rules, ISE policy, endpoint restrictions | ❌ Not started | FTD ACLs, ISE AuthZ policy, GPO/endpoint agent |
| 4: Validation & Enforcement | Confirm VNC traffic eliminated, monitor for circumvention | ❌ Not started | Sentinel/Monad alerting rules post-migration |

Metadata

| Field | Value |
|---|---|
| PRJ ID | PRJ-2026-05-vnc-blocking |
| Author | Evan Rosado |
| Created | 2026-05-11 |
| Last Updated | 2026-05-11 |
| Status | Active — Phase 0 (Discovery & Scoping) |
| Category | Network Security / Access Control |
| Priority | P1 |
| Due | Mid-June 2026 |
| Scope | Enterprise-wide VNC protocol blocking |