Tips and tricks for securing your ConnectWise ScreenConnect endpoints
According to various studies conducted by IBM, up to 70% of successful data breaches and 90% of successful cyberattacks originate from endpoint devices. Why? Endpoints often contain sensitive and valuable data, including personal information, financial records, intellectual property, and confidential business data.
ConnectWise ScreenConnect™ offers fast, flexible, and secure remote desktop and mobile support solutions to meet the cybersecurity needs of every industry, simplifying the process of protecting your clients’ endpoints. However, bad actors can use your remote support tool maliciously, and it’s important to configure additional settings to supplement the cybersecurity designs and features automatically enabled in ScreenConnect.
How do bad actors exploit remote support software?
1. Hacking an administrator or technician’s email
Two-factor authentication (2FA) has been available for configuration within ScreenConnect for years. By the end of 2019, the ScreenConnect cloud environment enabled email 2FA by default for cloud account administrators and local ScreenConnect users.
On-premises administrators are encouraged to configure 2FA for their users by following our documentation. However, to protect the security of the ScreenConnect instance, it is imperative that the ScreenConnect administrator ensures the credentials and paths to users’ email accounts are also secure.
If a company’s email account is hacked, a bad actor can potentially gain access to the one-time passcodes that are required to sign into ScreenConnect. The ScreenConnect administrator should review their cybersecurity setups and determine whether alternative methods of 2FA, such as Google Authenticator, should be implemented.
2. Hacking an unprotected local account
Local user accounts—accounts that are created within the ScreenConnect database—are especially vulnerable if they are not secured with an additional layer of protection, such as 2FA. For on-premises installations, it is imperative that the ScreenConnect administrator secures their local user accounts by requiring unique, complex passwords and adding 2FA.
Otherwise, a bad actor can run a brute-force attack by trying different username and password combinations. If sufficiently motivated, a bad actor could identify employees of the organization to narrow down possible usernames, or they could run through lists of credentials found in other leaked exploits.
ConnectWise ScreenConnect out-of-the-box cybersecurity
Getting started with ScreenConnect in the cloud is easy and secure. First, let’s discuss the cybersecurity measures that are already enabled to protect your clients’ endpoints when you create a ScreenConnect cloud instance. Because they are already enabled, these measures should require no further configuration.
256-bit AES encryption
All ScreenConnect traffic is encrypted with AES-256 block encryption and Rivest-Shamir-Adleman (RSA) provided by the Microsoft® RSA/Schannel Cryptographic Provider. These particular implementations of the AES-256 and RSA algorithms have been designated as FIPS-compliant for ScreenConnect servers on Windows. For more information, see Microsoft’s documentation on FIPS 140 validation.
Secure sockets layer (SSL)
ScreenConnect cloud instances are secured with a secure sockets layer (SSL) certificate and enabled with an HTTP-to-HTTPS redirect. SSL certificates create a foundation of trust by establishing a secure connection.
SOC2
ConnectWise passed an independent and comprehensive security operations center (SOC) type 2 audit, which covers the security, availability, and confidentiality principles of the AICPA trust services criteria (TSC). These reports are designed to determine the suitability of an organization’s cybersecurity systems and processes.
Brute force attack
ScreenConnect provides login protection against brute-force attacks. If someone enters eight incorrect password attempts within ten minutes, the cloud administrator account will lock. The account will automatically unlock after ten minutes, so you will not be locked out.
For more information on automatically enabled cybersecurity measures, please visit the ScreenConnect Hardening Guide by ConnectWise.
ScreenConnect additional cybersecurity measures: action required
ScreenConnect administrators can create an even more secure environment for their clients. As an administrator, some actions you can take to protect the portal to your endpoints and prevent unwanted access include:
Two-factor authentication (2FA)
2FA requires users to submit two forms of identification to access their accounts. This can help protect against stolen passwords. 2FA codes can be delivered via email, or they can be generated with an app such as Google Authenticator or a device such as the YubiKey.
The ScreenConnect administrator can configure 2FA for their organization however it makes most sense. We’ve proudly offered this functionality for cloud instances and on-premises installations since 2013 and enabled 2FA by default for cloud instances since 2019.
Page idle timeout
Changing how long a technician can be idle in the portal before they’re automatically logged out will protect against unauthorized access to endpoints in the case a technician forgets to log out
Administrators can also take measures to secure the client side of endpoints. Some examples include:
Lock on disconnect
Disconnecting a technician from an endpoint after a certain amount of time is critical. As an administrator, you can turn on “lock on disconnect” or “lock on connect,” which locks a guest machine when a host disconnects. This will force a technician to enter login credentials when connecting to the endpoint.
Consent-to-connect prompt
This allows the end user to consent to a connection. If the guest refuses control, the host cannot control the machine.
Revoke user access to machines
From the security page, the administrator can force all logged-in users to disconnect from endpoints and log out of the portal.
Security toolkit
The security toolkit extension, available for on-premises and cloud instances, includes cybersecurity tools to help secure your endpoints with controls to remove queued commands, server headers, and more.
Embracing a cybersecurity-first approach
When choosing a remote access solution, it’s imperative that the product is built with a security mindset and its operational environment is configured correctly so you and end users are protected.
Cybersecurity is a joint responsibility between ConnectWise and our customers, and we are committed to providing world class solutions that are secure, easy to use, and meet your functional requirements.