add the ability to audit login failures/successes for logging in to the web interface
From CW#7590390:
Would like to be able to audit when users log in to the ScreenConnect instance, including failures. Would also like to be able to receive email notifications when failed login attempts occur on site.
Hello
When someone logs on to the web interface, I'd like to log it and send it to a syslog (more specifically Elastic Stack) to not only keep logs but to meet certain compliance requirements.
We have ScreenConnect (or ConnectWise) installed on Windows on prem.
Where are these audit logs located?
Thank you
Please add this feature that can log user login history for audit and investigation.
So after upgrading to 21.1... the code has changed a lot in Login.aspx. Any update to this??? I spent a lot of time trying to get an email when I login. Nice to see you guys doing a lot of work on stuff though. Good work.
Have y'all considered sending syslog data into a SIEM or utilizing a WAF like a FortiWeb which can protect against credential stuffing or block connections to it by poor IP rep?
I'm not excusing the fact that there is a lack of visibility by failing to add audit logs to it, right now we track sign-ins via Duo because we're using Duo for MFA & all authentication must be via MFA.
Unfortunately this isn't a find-a-workaround situation.
Legally speaking if you want to comply with HIPAA/FINRA/SOC/ISO compliance certification then:
If you want to use product x, it needs to do abc. If it doesn't, you can't use it. Audit trail with logs, held and maintained for 2+ years is part of that compliance.
If you use something not in compliance, your regulatory compliance is going to fine you x dollars, hold you liable, and remove your compliance certification. No more business for you.
5 years old?
FIVE?
Is this serious? I'm setting up my cloud instance now, and this functionality still isn't available either by a trigger or integration?
What sort of nonsense is this?
FIVE!? Come on ConnectWise - Trusted, world-class security that’s scalable? Really? It's on your goddamn home page!
Today (of all possibilities, on a PATCH TUESDAY morning), I woke up to the following response from my self-hosted SC installation: "Too many incorrect password attempts; you have been locked out". 6 YEARS with them, and it's the first time this happens...
Chat with a support rep, some rigmarole about needing to go through a back and forth Email exchange in which I confirm a COUPLE of times that I do, INDEED, want their assistance in resetting my Administrator password, which I am then instructed to perform myself by following these instructions: Forgot on-premises username or password
Then I ask, pretty reasonably IMHO, the following questions:
How can I determine WHEN those "incorrect password attempts" occurred, HOW MANY there were, and (if possible) which IP ADDRESSES they came from?
The response: "this is not possible as this would be a Feature Request", and I get the link to their Feature Request Portal, which quickly brought me HERE...
FIVE YEARS???!!! "Just Roadmapped" (but no timetable or delivery ETA)???!!! Grrrrr... As I expressed in my conclusion to the email support thread, I now feel EXTREMELY VULNERABLE...
I will set up a backup administrator account, probably implement a nightly SC folder backup to expedite recovery if this happens again, but I am extremely dismayed at the lack of attention this "feature request" has received over the last 5 years... :-(
You should be using two form authentication. Lots of horror stories of folks that don't use that...
They were using ConnectWise Control without two form:
https://www.pcmag.com/news/ransomware-attack-hits-400-dental-offices-across-the-us
Justin - can we really attribute that ransomware to Screen Connect? or just to "not using 2FA" in general? Seems a little disingenuous.
Regardless if 2FA is implemented - auditing login attempts to the web port, and traffic to the relay port, is something we should all want, and not because of satisfying some compliance requirement - but because you should be reviewing all traffic and making firewall rules to prevent unwanted traffic - on a daily basis. Are we IT professionals here, or are we just a manager looking to check another box on the joke that is a compliance survey?
It's disappointing that after jacking the price of ScreenConnect up 1000 X all that's been accomplished under ConnectWise is a massive effort to sell the product as a cloud service, instead of real thoughtfulness to security. Auditing (at least logs) of connection attempts to the web and relay ports should be made available - somehow - and regardless if you're using the cloud service or an on-prem install. Don't get me started on all the things you're missing by running in the cloud - on prem is still a requirement for some businesses that aren't drinking the Kool-Aid.
Partner stated that he would like an email notification when there is a successful or failed login