# Policy settings for VNC Server: Virtual mode daemon
# Version 7.9.0 (r51979)

# Uncomment a policy setting and edit the default value to set it.

# The authentication scheme(s) to offer for incoming connections (SingleSignOn 
# | SystemAuth | VncAuth | Certificate | Radius | InteractiveSystemAuth), or 
# None to turn off password protection (direct connections only, and not 
# recommended).
# 
#Authentication=SystemAuth

# The number of seconds allowed for authentication
# 
#AuthTimeout=900

# The number of unsuccessful authentication attempts that can be made before a 
# particular connecting computer is blacklisted for a timeout period.
# 
#BlacklistThreshold=5

# The initial number of seconds during which connections from a blacklisted 
# computer are rejected before the connecting user can attempt to authenticate 
# again.
# 
#BlacklistTimeout=10

# Connect to existing sessions if possible (the alternative is to start a new 
# one each time).
# 
#ConnectToExisting=0

# Port on which the daemon will accept connections.
# 
#DaemonPort=5999

# The level of encryption to offer for incoming connections (AlwaysMaximum | 
# AlwaysOn | PreferOn | PreferOff), or AlwaysOff to turn off encryption 
# (direct connections only, and not recommended).
# 
#Encryption=AlwaysOn

# Run in foreground (not as a daemon)
# 
#fg=0

# Filter connections by IPv4 address to allow, query, or reject particular VNC 
# Viewer computers, or + to allow connections from all.
#
# DEPRECATED in favor of IpClientAddresses.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#Hosts=+

# Filter connections by IP address to allow, query, or reject particular VNC 
# Viewer computers, or + to allow connections from all.
# 
#IpClientAddresses=+

# Comma-separated list of IP addresses on which to listen for TCP connections, 
# or empty to listen on all IP addresses. Note this parameter is ignored if 
# the localhost parameter is set to True.
# 
#IpListenAddresses=

# The 'host' service principal name as it is registered for the computer with 
# the domain controller, for use in single sign-on authentication.
# 
#KerberosServicePrincipalName=

# The client principal name for use when authenticating to network services 
# such as LDAP.
# 
#KerberosUserPrincipalName=

# The maximum size in bytes for downloaded CRLs.
# 
#LdapCertificateCrlLimit=26214400

# Optional URL containing intermediate certificates for user public keys.  
# "file://" and "ldap://" are supported, or "enterprise://" (Windows).
# 
#LdapCertificateIntermediateStore=ldap://GSSAPI@<YOUR-DC>/CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,<PATH-TO-CONFIGURATION>

# Choose 'ActiveDirectory' to perform LDAP name mapping using 
# userPrincipalName/sAMAccountName attributes, or 'RFC2307' to use POSIX 
# uid/uidNumber attributes (which may also be enabled in Active Directory)
# 
#LdapCertificateNameMapping=ActiveDirectory

# Choose 'Enforce' to strictly check revocation for user certificates fetched 
# from LDAP (or 'EnforceOcsp' to disallow fallback to CRLs if OCSP fetching 
# fails), 'CheckIfAvailable' to allow the certificate if downloading the 
# CRL/OCSP response fails, or 'Ignore' to bypass revocation checking.
# 
#LdapCertificateRevocation=Enforce

# URL containing the trusted root certificates for authenticating user public 
# keys.  "file://" and "ldap://" are supported, or "enterprise://" (Windows).
# 
#LdapCertificateTrustStore=ldap://GSSAPI@<YOUR-DC>/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,<PATH-TO-CONFIGURATION>

# URL of the LDAP server used for authenticating user public keys, of the form 
# "ldap[s]://[credentials@][host]/[search-base]".  If the host or base is left 
# empty, the system default will be used.  Specify "GSSAPI@" for Kerberos 
# authentication, "binddn:password@" for a simple bind, or no credentials for 
# anonymous access.
# 
#LdapCertificateUserStore=ldap://GSSAPI@<YOUR-DC>/CN=Users,<PATH-TO-USERS>

# LDAP connection security to use when not connecting over LDAPS: signing with 
# Kerberos and StartTLS with simple binding (Auto), StartTLS always (StartTLS), 
# or no encryption (None).
# 
#LdapSecurity=Auto

# Locale to use. Specify one of en_US, de_DE, es_ES, fr_FR, or pt_BR, or leave 
# empty to select the user or system locale as appropriate.
# 
#Locale=

# Record events in the format <log>:<target>:<level>[,...].
# 
#Log=*:syslog:10

# Directory in which to store log output directed to file.
# 
#LogDir=

# File in which to store log output directed to file.
# 
#LogFile=vncserver-virtuald.log

# Do not use nonces with OCSP requests (None), or request nonces but do not 
# mandate a nonce's presence (Request), or request and mandate a nonce 
# (Require, most secure).
# 
#OcspNonce=None

# Apply PAM account rules in addition to authentication rules when using 
# system authentication via PAM. Specify FALSE to apply only the 
# authentication rules.
# 
#PamAccountCheck=1

# Specify vncserver.custom to use a custom PAM setup for system 
# authentication, as defined in /etc/pam.d/vncserver.custom or, under older 
# systems, in /etc/pam.conf.
# 
#PamApplicationName=vncserver

# Apply PAM session rules to spawned sessions, whether authentication was 
# performed via PAM or GSS-API.
# 
#PamSessionSetup=1

# Register user accounts or groups with VNC Server so connecting VNC Viewer 
# users can authenticate using familiar, securely-managed credentials. Grant 
# permissions to these users to use remote control features while connections 
# are in progress.
# 
#Permissions=

# File in which to store the daemon's process ID.
# 
#PidFile=/var/run/vncserver-virtuald.pid

# The maximum version number of the RFB protocol to support, or empty for all.
# 
#ProtocolVersion=

# The address to bind to for sending RADIUS requests, or empty to use the 
# default route to the RADIUS server
# 
#RadiusAddress=

# The authentication protocol to use (CHAP | PAP).  Note that CHAP is 
# potentially more secure than PAP, but requires the RADIUS server to have 
# access to plaintext credentials, so PAP is more widely supported.
# 
#RadiusAuthenticationProtocol=CHAP

# The 'Network Access Server' identifier to present to the RADIUS server, 
# which identifies this RADIUS client, or empty to send the IP address as the 
# identifier instead (RadiusAddress).
# 
#RadiusNasId=vncserver

# Strip the domain/realm component from usernames when contacting the RADIUS 
# server
# 
#RadiusNormalizeUsername=0

# The initial prompt to present to VNC Viewer users, or empty to send a blank 
# password to the RADIUS server initially
# 
#RadiusPrompt=RADIUS password:

# The RADIUS secret
#
# To obtain a password in the correct format, use the vncpasswd utility.
# 
#RadiusSecret=

# The RADIUS server to use for authentication (host/IP address with optional 
# port).  Fallback servers can be specified using a comma-separated list.
# 
#RadiusServer=

# The timeout per RADIUS server: a few retries are sent at 1-second intervals, 
# and the remainder of the timeout interval is spent waiting before falling 
# back to the next server.
# 
#RadiusTimeout=60

# File containing the RSA private key.
# 
#RsaPrivateKeyFile=$VNC_PROFILE_DIR/private.key

# Facility for the 'syslog' log destination to use, as an integer or name. 
# Supported names: user, daemon, auth, authpriv (if available), security (if 
# available), local0..local7
# 
#SyslogFacility=daemon

# Comma-separated list of IP addresses on which to listen for TCP connections, 
# or empty to listen on all available IP addresses. Note this parameter is 
# ignored if the localhost parameter is set to True.
#
# DEPRECATED in favor of IpListenAddresses.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#TcpListenAddresses=

# The security strength to enforce when making TLS connections. For 'Normal', 
# TLS 1.2 is mandated, no broken fallback ciphers are allowed, and key 
# strength is checked for security (no SHA-1 or small keys). Selecting 'High' 
# limits cipher choices to AES-256 with no legacy ciphers.
# 
#TlsProfile=Normal

# The authentication scheme to use.
#
# THIS IS A LEGACY POLICY SETTING. The corresponding parameter applies to 
# older versions of the software. It is ignored by the latest version, and 
# only needs to be set if policy is being deployed to computers running older 
# versions.
# 
#UserPasswdVerifier=UnixAuth

