Our internal security team has identified that the Control portal is not currently compliant with OWASP (Open Web Application Security Project) Top 10 Application Security Risks.  Per the ticket I opened we are submitting this feature request, which is actually to limit the response dialog to only "Login failed; Invalid userID or password"

Details:

Authentication and Error Messages

Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.

Authentication Responses

An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.

Incorrect Response Examples (All Currently Present in Control)

"Login for User foo: invalid password"

"Login failed, invalid user ID"

"Login failed; account disabled"

"Login failed; this user is not active"

Correct Response Example

"Login failed; Invalid userID or password"

Reference:

The standard from OWASP is A2:2017 Broken Authentication - https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

From their cheat sheet section 1.1.8 Authentication and Error messages - https://www.owasp.org/index.php/Authentication_Cheat_Sheet

It would be nice to pre-populate CustomProperty fields within the Access Build+ menu to let new Screenconnect Access users know which terms they need to type in.

For example, I created a Tier 1 session group, and edited properties to say CustomProperty2 LIKE 'Tier 1'. Whenever someone creates a new Build+, and adds the term Tier 1 to the CustomProperty2 field, it automatically places that session into their Access group. The Tier 1 security group limits their access to only these machines.

Currently, if the value has already been used before, it shows up in a dropdown. But, for new Screenconnect Access users, they don't know that need to be typing in Tier 1 in order to view Access sessions. 

This could be accomplished by including a dropdown, an editable text overlay on the CustomField box, or by including a "Notes" Custom Property without a field that can filled out. (For example, I could add a note that says "Please enter Tier 1 into the box"

Optional, possibly 2nd feature request: Make CustomProperty fields mandatory. This prevents Access sessions from being created without being assigned to a certain Session Group.

Screenshot example: https://imgur.com/a/xOlmLlV,  https://imgur.com/a/x90QE52

Need to have the ability to turn off local to remote copy with in the session.

When moving are sums of files on the remote system (remote network system to remote network system) like TB and High amount of GB this tends to lock up sessions when copy to session is enabled and having the ability to turn this off on the fly would be a great help with out always modifying the config and reinstalling.

Include an option to suspend Bitlocker when sending Reboot command

When a support session is closed from the control plugin, the user that the API token belongs to, to connect Control to Zendesk shows as the user, instead of the actual user that created and end the session.

The way the client program displays monitors is really unconventional. 

Instead of setting up the displays like you would in a security camera monitor, they're just put next to each other and minimized the more monitors there are. Yes you can zoom in and scroll across to each monitor, but it's a hassle to do on PC's, especially if there's 3 or more monitors, and useless whilst on mobile/tablet.

I'd suggest the ability to either; move the displays manually to set areas, that way you can have them set out the way you feel most comfortable with, or have them set out to use the entire window and split them evenly amongst the entire space.

Lastly, if I'm being an idiot and this is already possible, feel free to call me out and point me towards the options.

Cheers.

Keyboard shortcut in the Mac app to cycle through the options in view > select monitors

I'd like to see in the official documentation how Control chooses to use a print driver.  It appears that it will use the same driver that the computer local to the printer uses if that exact driver is installed on the remote computer. 

We worked on a ticket for a long time about printing issues over a remote connection (#10780644).  Installing the same driver on both PCs allowed us to fix our issue ourselves.  CWC support didn't know how to help us on it although their effort was good.  Our issue was that the Microsoft XPS Class Driver (used on Windows 10) would not handle narrow margins but the OEM printer driver does.

Example: Customer uses a Brother MFC-8810DW printer in their Branch office on PC2. 

Connects to Main Office PC1 to print documents located on PC1, sending the print jobs to the Branch Office PC2 Brother printer.

By default, ScreenConnect will use the 'Microsoft XPS Class Driver'

If the same driver used on PC2 for the MFC-8810DW is installed on PC1, ScreenConnect will use that driver instead

Printer will then behave identically to how it prints locally.

It just an idea. I don't know much about android system, but if it is a way to get a full package of remote commands, as we can inject to pc from Command Tab, that would be awesome. I just tripped over this question: "How do I reboot an android remotely, since I need to push buttons physically?" Well partially i fixed it by adding an App to do it, but it won't be a way to do things professionally speaking.

Add a warning "session will disconnect due to inactivity" message so that user can make input before screen disconnects.