+64
Roadmapped

add the ability to audit login failures/successes for logging in to the web interface

Ryan 4 years ago updated by LukeF 3 weeks ago 23 2 duplicates

add the ability to audit login failures/successes for logging in to the web interface

Available in Version:

Duplicates 2

+1

He would also like a trigger that sends him an email in case of login success/failure

+2

I like this idea,

Would be nice to have something like this to know if someone is attempting to abuse the service we would be able to take action.

Email notification if there are X amount of failed login attempts over X period of time.

+1

This information should be able to be obtained on the client machine directly as well, in case the machine isn't connecting to the server to provide it's information to be seen in the web interface.

Under Review
+1

Additionally, to add on to what I listed above.

Will there be any options or plans in the future to also have an automatic block feature where if someone failed 5 logon attempts consecutively in a 30 minute time period it would deny connections from their IP address? From there you could determine if it will automatically lift the block after X amount of time or be a permanent block.

Side note we'd have to be careful with this because if lets say some internal person fat fingered their pass 5 times and they were at a client location trying to log on, would it deny connections from all clients at that location coming from that IP address?...

Just food for thought.





+1
Under Review
+1
Roadmapped
+1
Planning
+1
Under Review
+2
Considering for Future Release

Seems like a no-brainer.

We have no way, from Screen Connect server, to determine if we are getting brute forced or not. 

+2

Still pending on this one? Maybe this should be moved up in the list now that you're enforcing 2FA and strongly encouraging use because of all the MSP targeted hacking going on of late. 

+1

I second this.

We'd love to see a way that we can look through logs so we can block offenders that are attempting to abuse the system.

For some organizations this would be a dealbreaker not having audit logs for failed logon attempts.

+3

...an argument could be made that the lack of an audit log makes use of Connectwise Control in Healthcare (HIPAA regulated) and Financial Services (Sarbanes-Oxley regulated) illegal and in violation of their respective requirements of: Maintain and auditing access logs.

https://www.securitymetrics.com/blog/what-are-hipaa-compliant-system-logs

Event, audit, and access logging are required for HIPAA compliance. HIPAA requires you to keep logs for at least six years. These three HIPAA requirements apply to logging and log monitoring:

  • § 164.308(a)(5)(ii)(C): Log-in monitoring (Addressable). [Implement procedures] for monitoring log-in attempts and reporting discrepancies.
  • § 164.312(b): Audit controls (Required). Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  • § 164.308(a)(1)(ii)(D): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
+1

How is this not a thing yet? This is a feature I would have expected to be standard by now, especially with all of the MSP hijacking going on lately. Being able to track login attempts by IP I would consider essential, seems like it shouldn't be too difficult to implement given that we already get notified of successful sign-ins from new locations.

Yea, this has got to be an option ASAP! Otherwise we will have to move to a different solution!

+1

Are you guys going to take security seriously and implement this? I should know that clients are locked out of their accounts or an attack is underway before they do.

We are still waiting

Could not agree more!

We are using the Syslog extension to our SIEM tool which is working well, However this only seems to log information about authorised sessions and connections to remote machines. It should also log connections to the control web interface. Can you please look at this ASAP as like everyone else, we take security very seriously and currently it seems connectwise do not.