Pending Review

Allow the Access EXE to fingerprint a guest computer on first connection, so only that guest can connect with it

David N 6 years ago updated by Caitlin M Barnes (Product Manager) 6 years ago 1

I ran into an issue the other day that caused a lot of concern for myself and my client. My client got on an unmanaged laptop and logged in to my Control portal in order to view his work computer. Since he doesn't have Control installed on this laptop, the portal offers up a downloadable access exe to connect to his work computer only. As we know, this exe only connects to his work computer and has an expiring token built in, but there is no user/pass or other auth needed to use this exe. You run it and it connects. Once the token expires, the exe is useless.

This access exe was picked up by the unmanaged laptop's AV software. It was uploaded to a cloud testing service and was run as part of the testing. Since the token hadn't expired yet, the access exe connected a session from the client's work computer to the dummy VM that the AV scanner was using. It ran for a minute and then quit, ending the session.

While no human viewed that session, the implications are still pretty bad: Anyone with that exe can connect to the host computer without authentication until the token expires.

You could shorten the token life, but that would negatively impact the UX for clients who want to work on their work PC all weekend and not have to reauthenticate all the time. It also doesn't prevent remote access from someone who quickly exfiltrates that exe another way.

We propose that the access exe provides a fingerprint of the machine that runs it to the Control server. The Control server then stores this first access fingerprint, probably in the same place it stores the expiring token. On subsequent launches, if the fingerprint that the access exe provides matches what the server has, then it connects the session. If the exe has been launched from a different computer, the fingerprints won't match, and it won't be able to connect without reauthenticating. This would solve the exe exfiltration issue while not affecting token life or other UX.

Hi David, 

We are continuing to explore options for access installers. However, in the meantime, this is a known issue with AV; we have a tech bulletin here: https://docs.connectwise.com/ConnectWise_Control_Documentation/Technical_support_bulletins/Unknown_machines_appearing_in_list_of_access_sessions_on_Host_page