+23
Considering for Future Release

unattended access password prompt separate from AD Authentication

justin.mcivor 4 years ago updated by JaM 7 months ago 15 5 duplicates

TeamViewer, LogMeIn and Bomgar have this and we would like this on the ScreenConnect side as well.


+2

We are worried about our login page being hacked. In this instance the hacker would have access to ALL our unattended access machines, e.g. if someone hacked our Administrator password. This is a MUST for us. We are already using ScreenConnect but it is a serious worry for us.

It appears SSAE16 requires this. We are awaiting our auditors to confirm but a per-device password seems to be the consensus of what is required.

I know this topic shows under review but would like to add that the lack of this feature will likely be a game changer for us.

My company supports our products that are sold to hospitals (Private sector and US Gov related).

We are currently undergoing SSAE16 and may have to abandon ScreenConnect if we cannot get an idea of if/when this could be implemented.

I do NOT want to use any other product but other products out there are compliant.

+2

We are new to ScreenConnect, coming from LogMeIn Rescue. The security for access connections is simply too weak. An idea could be to add two-factor authentication to the access connections, so the user connecting to the access connection has to type their Google Authenticator code before being able to connect. Or, like LogMeIn, require username and password authentication for the access connection.


Because of the limited security on the access connections, I can't allow our techs to use this function.

+1

This is the one thing I miss from LMI. I liked the secondary auth using the Windows admin credentials that were always different from the LMI account credentials. I too worry about unfettered access to my client's systems should my self-hosted SC instance get hacked. I already use 2FA for login but that doesn't help much if a direct vulnerability is found in SC and exploited. Please add the feature as an optional one that can be turned on and by default allow any admin level account on the host to be used automatically.


Ditto!  We must have this.  If we walk away from our computer while logged in, or if someone hacks me, they can get into any computer in my Access Groups.  LogMeIn has it, and you are much more feature-rich, but neglecting this important feature.  I see this has been requested for over 2 years?!?!?  I should have checked this before we purchased the year.  You guys just must write this in.

Simply have each computer with its own password that must be typed after double-clicking it.

Thanks

We ended up using a config I can't remember atm.

What it does is lock the machine you are connecting to. In doing this you need at least the password to one of the user accounts on the machine you are connecting to, or any domain user account if domain join is set up, of course.

By doing it this way, we don't risk outsiders accessing machines or servers we can access with our ConnectWise Control. A workaround for sure, but it gets the job done until someone at ConnectWise assigns this issue to a DEV.

+1

Thanks Lasse!  I appreciate the suggestion. But we can't lock the machines we're connecting to because they are being used at the sites all day.  Thanks though!  

C'mon, ConnectWise!!

+1

In case anyone at ConnectWise cares, this missing feature is literally the only thing preventing us from dumping LogMeIn Central and switching entirely to ConnectWise Control.  As others have pointed out, the screen lock thing is an inadequate alternative. For example, there are times we want to be able to supply one set of credentials to gain access to the computer in order to access the login session of a different user (e.g. authenticate with the domain admin, but view the desktop of the currently logged in user).

Yes, agreed George.  We have ScreenConnect, and it's the perfect product, except for this huge deficiency.  Come on guys, get with it!  Please!  

+1

We have a config setting, MaxLongestTicketReissueIntervalSeconds, that is designed to provide very tight security and we believe addresses this issue in most (if not all) situations.  MaxLongestTicketReissueIntervalSeconds will govern the longest period of inactivity since last login that is permissible to be able to perform an action.  It's set to 36000 seconds (10 hours) by default, so set this to something like 300 seconds (5 minutes) or less in order to provide the security you're seeking.  The benefit here is that it's not going to reprompt you upon joining each session as long as you've stayed active within the application.  And it will protect you from unauthorized actions in the web UI such as sending commands (which are potentially more damaging than anything you can do inside a session).

FYI, you'll also have to change TicketReissueIntervalSeconds from the default of 600 seconds (10 minutes) to something less than your MaxLongestTicketReissueIntervalSeconds so that your session is continually extended while you're active in the application.
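
An added example, not part of the original thread and not ConnectWise code: a small audit of the two settings named in the post above, flagging the case where the inactivity limit is lowered but the reissue interval is left at its default. It assumes the settings are stored as `<add key="..." value="..."/>` entries in an appSettings-style XML file; the sample documents are constructed and the 300-second target is the figure suggested in the post.

```python
import xml.etree.ElementTree as ET

MAX_KEY = "MaxLongestTicketReissueIntervalSeconds"
REISSUE_KEY = "TicketReissueIntervalSeconds"
# Defaults as stated in the post above (10 hours and 10 minutes).
DEFAULTS = {MAX_KEY: 36000, REISSUE_KEY: 600}

def audit_ticket_settings(config_xml, max_idle_target=300):
    """Return (effective_settings, findings); findings are (setting, message) tuples."""
    effective = dict(DEFAULTS)
    findings = []
    # Assumption: settings are <add key=... value=.../> elements anywhere in the file.
    for add in ET.fromstring(config_xml).iter("add"):
        key = add.get("key")
        if key in effective:
            try:
                effective[key] = int(add.get("value", ""))
            except ValueError:
                findings.append((key, "value is not an integer; default assumed"))
    max_idle, reissue = effective[MAX_KEY], effective[REISSUE_KEY]
    if max_idle > max_idle_target:
        findings.append((MAX_KEY, f"{max_idle}s exceeds target of {max_idle_target}s"))
    if reissue >= max_idle:
        # Per the post: the reissue interval must be below the inactivity limit,
        # otherwise an active session is not continually extended.
        findings.append((REISSUE_KEY, f"{reissue}s is not below {MAX_KEY} ({max_idle}s)"))
    return effective, findings

# Constructed sample: only the inactivity limit was lowered.
ONLY_MAX_LOWERED = """<configuration><appSettings>
  <add key="MaxLongestTicketReissueIntervalSeconds" value="300" />
</appSettings></configuration>"""

# Constructed sample: both values adjusted together.
BOTH_ADJUSTED = """<configuration><appSettings>
  <add key="MaxLongestTicketReissueIntervalSeconds" value="300" />
  <add key="TicketReissueIntervalSeconds" value="120" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for name, doc in [("only max lowered", ONLY_MAX_LOWERED), ("both adjusted", BOTH_ADJUSTED)]:
        effective, findings = audit_ticket_settings(doc)
        print(name, effective, findings or "OK")
```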

Jake,

That does help a lot, so thanks for posting.  However, still not as convenient as what we all are asking for, where we could just type a PW to get in upon connection.  There is another reason for this, for example, I want my IT guy to have Admin access, but don't want him to be able to connect to my PC.

Thanks,

J