The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode.

Logharn  
#1 Posted : Wednesday, December 3, 2014 2:31:05 AM(UTC)
Logharn


Rank: Newbie

Joined: 5/10/2014(UTC)
Posts: 7
Italy

Thanks: 1 times
Hi!
I'm a happy one-year user of this great tool, but after a year of daily use I think there are some issues with security; let me explain.
I'm an IT tech and I frequently have to go to my customers' offices for onsite support; sometimes, while I'm there, it happens that I have to give instant support to other customers through SC, obviously using the first free workstation I find.
It's in this scenario that I think there are major security holes. Maybe there's a workaround by customizing the web.config, but I've found nothing about this.

1) When I log in to my web page and then close the browser, open it again and browse to my page, I'm already logged in. Maybe there's a way to add a "Remember me" check box or set a short timeout (it happened that I was still logged in even after some days)?
That way, when I'm on a customer's workstation, I don't have to remember to log off before closing the browser...
I know that somewhere I can change this behaviour, but I don't know where to look :(

2) Another thing I found a bit risky is when I connect to an unattended session from unknown workstations using Chrome/Firefox (but also IE, it's just a bit more hidden). With these browsers the client software is downloaded into the "Downloads" folder of the PC, but when I end the session and log off from the browser, if I try to launch the exe or Java applet downloaded before again, I can reconnect to that unattended session without issues...
I think this is a major risk and I don't know if it can be avoided just by playing with config files...
I thought about adding a sort of "Connect GUID" that would be automatically generated upon connect and blanked after a custom timeout upon host disconnect.

What do you think?
Just don't tell me not to use SC from customers' PCs...

Bye

Paul Moore  
#2 Posted : Wednesday, December 3, 2014 11:51:05 AM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
You connect to client machines FROM client machines and occasionally forget to log off, then point out "major security holes" in the application which facilitates this ridiculous practice?

I rarely reply like this, but this angers me beyond words.
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
Logharn  
#3 Posted : Wednesday, December 3, 2014 12:39:14 PM(UTC)
Logharn


Rank: Newbie

Joined: 5/10/2014(UTC)
Posts: 7
Italy

Thanks: 1 times
:)
I know that you lock your workstation every time you go to the bathroom or to lunch...
But even if you don't remember to do it, there's a customizable timeout that locks the workstation for you...
What I find strange is that the session cookie never expires, as if there were a hidden "Remember me" check box flagged. I don't know if this happens only to me or to everyone; I don't remember having changed much in the web.config, so I think it's the standard behaviour.
Since this is a web app, for sure I can configure it, but I don't know where to look. Or if it's not configurable, I think it's a feature to add.

Probably I haven't explained well...

Anyway, thanks for letting me know your anger.

Scott  
#4 Posted : Wednesday, December 3, 2014 2:05:03 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
The Access token that's assigned to each file used to join a session is good for 24 hours by default. That means that if you use the .NET stub exe file to connect to a machine, that file can be re-used to access the same machine for 24 hours. This amount of time is controlled by the web.config setting AccessTokenExpireSeconds.

Also, as far as authentication, you can specify whether to use a persistent or a session cookie in the browser. In the same web.config file, the setting 'UsePersistentTicketCookie' accepts either true or false. Also, depending upon your version of ScreenConnect, the Host and Administration pages have separate timeouts. The web.config file specifies two sections for Host and Administration, and the setting 'MaxLongestTicketReissueIntervalSeconds' can set how long the auth ticket's reissue interval is.

You can find a list of the web.config settings and their behavior here: http://help.screenconnec...t_of_web.config_settings

Although I don't feel as passionate about it as Paul, I would not recommend logging into your ScreenConnect from a client's machine.
ScreenConnect Team
thanks 1 user thanked Scott for this useful post.
Logharn on 12/3/2014(UTC)
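The three web.config settings Scott names above (AccessTokenExpireSeconds, UsePersistentTicketCookie and MaxLongestTicketReissueIntervalSeconds) are the ones that decide how long a downloaded join file and a browser login stay usable on a shared machine. The following audit script is an added example, not ScreenConnect's own code or anything from this thread: it reads a web.config, pulls those three settings and flags values that let a session outlive the visit. The sample config is constructed for the example, the `<appSettings><add key=... value=.../>` layout is an assumption about how the file is organised, and the thresholds are a policy choice for the example rather than product defaults; only the setting names and the 24 hour (86400 s) default for AccessTokenExpireSeconds come from the post.

```python
"""Audit the session-lifetime settings of a ScreenConnect-style web.config.

Added example, not ScreenConnect's own code. Setting names and the 24 hour
AccessTokenExpireSeconds default come from the forum post; the XML layout of
the sample and the thresholds below are assumptions made for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (not copied from a real install). It shows the
# permissive combination described in the thread: join files reusable for a
# day and a persistent login cookie that survives closing the browser.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="AccessTokenExpireSeconds" value="86400" />
    <add key="UsePersistentTicketCookie" value="true" />
    <add key="MaxLongestTicketReissueIntervalSeconds" value="86400" />
  </appSettings>
</configuration>
"""

# Constructed hardened counterpart: short-lived join token, session cookie
# only, and an auth ticket that stops being reissued after one hour.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="AccessTokenExpireSeconds" value="900" />
    <add key="UsePersistentTicketCookie" value="false" />
    <add key="MaxLongestTicketReissueIntervalSeconds" value="3600" />
  </appSettings>
</configuration>
"""

DEFAULT_ACCESS_TOKEN_SECONDS = 86400  # 24 hours, the default stated in the thread
MAX_ACCESS_TOKEN_SECONDS = 3600       # example policy: join files die within an hour
MAX_TICKET_REISSUE_SECONDS = 28800    # example policy: a login lasts at most a workday


def read_app_settings(xml_text):
    """Return {key: value} for every <add key=... value=...> under <appSettings>."""
    root = ET.fromstring(xml_text)
    settings = {}
    for app_settings in root.iter("appSettings"):
        for add in app_settings.findall("add"):
            key = add.get("key")
            if key is not None:
                settings[key] = add.get("value", "")
    return settings


def audit_session_settings(xml_text):
    """Return a list of (setting, current_value, advice) tuples for risky values."""
    settings = read_app_settings(xml_text)
    findings = []

    # A missing key falls back to the documented 24 hour default, so an
    # absent setting is just as reportable as an explicit large value.
    token_seconds = int(settings.get("AccessTokenExpireSeconds",
                                     DEFAULT_ACCESS_TOKEN_SECONDS))
    if token_seconds > MAX_ACCESS_TOKEN_SECONDS:
        findings.append(("AccessTokenExpireSeconds", str(token_seconds),
                         "downloaded join files can reconnect for %d s; "
                         "lower to at most %d" % (token_seconds,
                                                  MAX_ACCESS_TOKEN_SECONDS)))

    if settings.get("UsePersistentTicketCookie", "").strip().lower() == "true":
        findings.append(("UsePersistentTicketCookie", "true",
                         "login survives closing the browser; set to false "
                         "so the ticket is a session cookie"))

    reissue = settings.get("MaxLongestTicketReissueIntervalSeconds")
    if reissue is not None and int(reissue) > MAX_TICKET_REISSUE_SECONDS:
        findings.append(("MaxLongestTicketReissueIntervalSeconds", reissue,
                         "auth ticket keeps being reissued for %s s; lower to "
                         "at most %d" % (reissue, MAX_TICKET_REISSUE_SECONDS)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_WEB_CONFIG),
                       ("hardened", HARDENED_WEB_CONFIG)):
        print("== %s web.config ==" % label)
        for setting, value, advice in audit_session_settings(cfg) or []:
            print("  %s=%s: %s" % (setting, value, advice))
```

Run against a real install by passing the file contents to `audit_session_settings`; the script only reads and reports, it never edits the config, so the change itself is still a deliberate step after the findings are reviewed.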
rmmccann  
#5 Posted : Wednesday, December 3, 2014 2:33:24 PM(UTC)
rmmccann


Rank: Advanced Member

Medals: Level 2: Lent a Helping Hand! 10 Thanks!

Joined: 12/16/2012(UTC)
Posts: 184
Location: MN, USA

Thanks: 17 times
Was thanked: 21 time(s) in 18 post(s)
Logharn - you might be better off picking up an iPad mini with either WiFi or a cell connection and using the SC app on there.

That's what I do as I consider it unprofessional to use a client's computer to support another client.
Logharn  
#6 Posted : Wednesday, December 3, 2014 6:11:02 PM(UTC)
Logharn


Rank: Newbie

Joined: 5/10/2014(UTC)
Posts: 7
Italy

Thanks: 1 times
@Scott
As usual, thank you for the detailed answer.
I already read that page but I misunderstood the behavior of those options, sorry. Now their meaning is much clearer :P

@rmmccann
You are right, it's unprofessional to use customers' PCs and I think so too, but using an iPad or tablet to give support to a client while being at another customer's doesn't seem less unprofessional... You just do it with style and design :)

Anyway, this happens sometimes when connecting is faster than giving instructions by phone, and now that Scott has explained well what to modify, I can set those timeouts as I like.
Since the features I was asking for were already there, you can move this topic to another section if you want...

Thanks!

rmmccann  
#7 Posted : Thursday, December 4, 2014 2:33:12 PM(UTC)
rmmccann


Rank: Advanced Member

Medals: Level 2: Lent a Helping Hand! 10 Thanks!

Joined: 12/16/2012(UTC)
Posts: 184
Location: MN, USA

Thanks: 17 times
Was thanked: 21 time(s) in 18 post(s)
Originally Posted by: Logharn
@Scott
@rmmccann
You are right, it's unprofessional to use customers' PCs and I think so too, but using an iPad or tablet to give support to a client while being at another customer's doesn't seem less unprofessional... You just do it with style and design :)

I don't consider it unprofessional to support another client while at another client's site. I consider it unprofessional to use another client's hardware to do it. Regardless, I didn't mean any offense and sounds like you've got a solution in place. Glad it's resolved. :)
