add the ability to audit login failures/successes for logging in to the web interface
From CW#7590390:
Would like to be able to audit when users log in to ScreenConnect instance, including failures. Would also like to be able to receive email notifications when failed login attempts occur on site.
Hello
When someone logs on to the web interface, I'd like to log it and send it to a syslog (more specifically Elastic Stack) to not only keep logs but to meet certain compliance requirements.
We have ScreenConnect (or ConnectWise) installed on Windows on prem.
Where are these audit logs located?
Thank you
Please add this feature that can log user login history for audit and investigation.
Renaming/not using "administrator" (admin, root, user, owner etc) as the username has been best practices recommendations in the computer industry for decades. Microsoft Windows domain setup guides are the first I was exposed to the practice in the late 90's. They even have a GPO for auto-renaming computer "administrator" accounts on first joining the domain.
Using/having default usernames is bad.
Developers carving exceptions out of security features to allow uninformed admins to do bad security is worse and not much better than hidden backdoor passwords/access. Hackers will find, and exploit them.
Could ScreenConnect have better onboarding/setup wizard to guide new installs on the path to better security? Yes. As we all know this is a product that has been around for a long time now. I've already written up a different feature request about enhancing the "status" section so that best practice testing can be done at any time because in terms of hacker targets: Remote access/RMM systems are priority one targets. Recent SolarWinds hacks show the best in the world hackers are on constant attack at those juicy targets.
David,
you are absolutely, 100% correct: I SHOULD have renamed "Administrator" from the beginning, and/or created another admin account to use as my normal ID - "live and learn", indeed. Still, we can hope for better logging, monitoring and self-defense features to appear in SC in the (near?) future...
Thanks again for all the enlightening posts in this thread. You *really* know your stuff...
See this thread and upvote: https://control.product.connectwise.com/en/communities/1/topics/65-add-the-ability-to-audit-login-failuressuccesses-for-logging-in-to-the-web-interface
"It has just hit QA. I expect that it will be available in a release in early Q2, barring any setbacks."
Feature has been implemented in the newer stable release versions of Control.
Logging is available via the Audit tab.
Thanks Cody - I see it in the web GUI - is there an API method created and documented to be able to call the audit query programmatically yet?
Hey Steve,
Not sure if I follow what it is you're trying to accomplish.
If you're looking to have this information easily accessible/searchable, my suggestion will be to utilize the syslog from Control & pipe the logs into your SIEM, potentially even set alarms for patterns of behavior.
Trying to figure a method to be able to query login events directly for quick and dirty reporting, rather than through a 3rd party (a la Syslog as you laid out).
You might be able to do it via API but that's nothing I've any experience with personally.
Next steps with this from Control's end developmentally would likely be to add into the reporting the ability to show authentication failures/successes, as well as to visualize successful/failed logon attempts via the dashboard (with the ability to just click from the dashboard and have it tell ya what you need/want).
Good luck!
Partner stated that he would like an email notification when there is a successful or failed login.