LogMeInIsEvil
#1 Posted : Thursday, February 26, 2015 1:06:26 PM(UTC)

While working locally on a customer's computer, I used ScreenConnect to access my office PC remotely. I got what I needed, CLOSED the connection, LOGGED OFF the SC server, and even closed the web browser.

I noticed, however, that a ".jnlp" (Java Network Launch Protocol) file remained in the user's downloads folder. Out of curiosity, I executed the file and BOOM! I was reconnected remotely to my office PC!!! No credentials were required!!!

To me, this seems to be a VERY, VERY SERIOUS SECURITY HOLE.

Can someone at ScreenConnect please respond ASAP? Is this expected behaviour and by design? What am I missing here?

Scott
#2 Posted : Thursday, February 26, 2015 2:31:43 PM(UTC)

That is intended behavior: the stub files used to connect to sessions are valid for a specific amount of time, which defaults to 24 hours. You can change this amount of time from the web.config setting AccessTokenExpireSeconds.

You can also use other session joining methods such as the WindowsSelector which don't function in quite this same way.
ScreenConnect Team
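The thread establishes two facts: a downloaded .jnlp session stub keeps working for AccessTokenExpireSeconds (24 hours by default), and a stub left behind on a machine you do not control is therefore a risk for as long as that window lasts. The script below is an added example, not code from the thread or from ScreenConnect, showing the defender's side of that: read the configured lifetime, list leftover stubs that are still inside their validity window, and remove them. It assumes web.config stores the setting as an ASP.NET appSettings entry (`<add key="AccessTokenExpireSeconds" value="..."/>`), approximates a stub's validity by its file modification time, and constructs its own sample files and web.config fragment for the demo.

```python
"""Added example (not part of the forum thread or ScreenConnect's own code).

Assumptions: web.config keeps AccessTokenExpireSeconds as an appSettings
<add key="..." value="..."/> entry; the validity of a downloaded .jnlp stub is
approximated by the file's modification time. All sample data is constructed.
"""
import os
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

DEFAULT_LIFETIME_SECONDS = 24 * 60 * 60  # the 24-hour default quoted in the thread

# Constructed web.config fragment with the lifetime shortened to 5 minutes
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="AccessTokenExpireSeconds" value="300" />
  </appSettings>
</configuration>
"""


def read_token_lifetime(web_config_text, default=DEFAULT_LIFETIME_SECONDS):
    """Return AccessTokenExpireSeconds from a web.config, or the default if absent."""
    root = ET.fromstring(web_config_text)
    for entry in root.iter("add"):
        if entry.get("key") == "AccessTokenExpireSeconds":
            return int(entry.get("value"))
    return default


def find_live_stubs(directory, lifetime_seconds, now=None):
    """List .jnlp stubs younger than the token lifetime, i.e. still usable.

    Returns (filename, age_in_seconds) pairs, sorted by name.
    """
    now = time.time() if now is None else now
    live = []
    for stub in sorted(Path(directory).glob("*.jnlp")):
        age = now - stub.stat().st_mtime
        if age < lifetime_seconds:
            live.append((stub.name, int(age)))
    return live


def purge_stubs(directory):
    """Delete every .jnlp stub in the directory, live or not, and return their names."""
    removed = []
    for stub in sorted(Path(directory).glob("*.jnlp")):
        stub.unlink()
        removed.append(stub.name)
    return removed


def build_sample_downloads(directory, now):
    """Constructed sample: one stub downloaded 10 minutes ago, one two days ago."""
    for name, age in (("fresh.jnlp", 600), ("old.jnlp", 2 * 24 * 60 * 60)):
        path = Path(directory) / name
        path.write_text("<jnlp/>")  # contents irrelevant here; only the age matters
        os.utime(path, (now - age, now - age))


def demo():
    """Run the whole check in a temporary 'Downloads' folder and return the findings."""
    now = time.time()
    directory = tempfile.mkdtemp(prefix="downloads-")
    build_sample_downloads(directory, now)
    live_default = find_live_stubs(directory, DEFAULT_LIFETIME_SECONDS, now)
    short_lifetime = read_token_lifetime(SAMPLE_WEB_CONFIG)
    live_short = find_live_stubs(directory, short_lifetime, now)
    removed = purge_stubs(directory)
    return {
        "lifetime_from_config": short_lifetime,
        "live_with_default": [name for name, _ in live_default],
        "live_with_short": [name for name, _ in live_short],
        "removed": removed,
        "remaining": find_live_stubs(directory, DEFAULT_LIFETIME_SECONDS, now),
    }


if __name__ == "__main__":
    print(demo())
```

With the 24-hour default the ten-minute-old stub is still reported as live, which is exactly the situation the original post describes; with the lifetime cut to 300 seconds it is not. Deleting the stubs after a session is the cheaper control, since it does not depend on how the server is configured.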
LogMeInIsEvil
#3 Posted : Thursday, February 26, 2015 11:29:10 PM(UTC)

Thanks for the quick response Scott.

I must admit, I am surprised that I seem to be the only one who considers this to be a problem. Perhaps I am being paranoid? From my perspective, this may mean that I can only use ScreenConnect from machines I own and control - doable, but limiting.

With regards to setting the timeout, is there any reason I shouldn't set this to something very short, such as 5 minutes? Will an active connection be lost when the token expires? Or is it just that new sessions cannot be created?

omgoozles
#4 Posted : Saturday, February 28, 2015 6:36:47 PM(UTC)

Originally Posted by: LogMeInIsEvil
Thanks for the quick response Scott.

I must admit, I am surprised that I seem to be the only one who considers this to be a problem. Perhaps I am being paranoid? From my perspective, this may mean that I can only use ScreenConnect from machines I own and control - doable, but limiting.

With regards to setting the timeout, is there any reason I shouldn't set this to something very short, such as 5 minutes? Will an active connection be lost when the token expires? Or is it just that new sessions cannot be created?

I would also be interested in hearing the outcome of this question.
Scott
#5 Posted : Monday, March 2, 2015 3:15:23 PM(UTC)

Setting it to 5 minutes won't automatically disconnect you except in a few specific circumstances in which the token is revalidated. For example, say you set it to 5 minutes and you are connected to a session for 5 minutes and 5 seconds. At that point, the server will not automatically attempt to validate the token but if there is a service restart on the server, it will kick you out.

If it does kick you out, you can just rejoin the session from the Host page.
ScreenConnect Team