LabTech Support Forums

ScreenConnect 5.6 , Security and Privacy Flaw

This forum is for discussion of redirector related issues.

Moderator: jware.connectwise

ScreenConnect 5.6 , Security and Privacy Flaw

Postby mmorales.bocatechforce » Mon Aug 01, 2016 1:39 pm

Im using a labtech hosted instance, the one you pay LT a monthly fee and they run on an AWS EC2 VM.
The instance comes with ScreenConnect integration, and thats what I have been using for remote control.

Originally, about 2 years ago when I started using LT, I expressed concerns over privacy so LT support advised me to change a setting on the ScreenConnect admin interface so the endpoint would get a "Request for Consent" every time a tech would try to remote in.
I have a particular customer that handle inventions, patents and other intellectual property on their PCs and they specifically requested that nobody has the ability to perform remote sessions unless each user grants permissions on case by case basis.

All the way to ScreenConnect 5.5 all that was good.
Turns out that labtech rolled out the 5.6 about two weeks ago and now the "request for consent" is gone.
The setting is still there, with the same documentation and the same description, but when you set it it works this way:
- User gets "request for consent" on the remote PC, the first time (first time after ScreenConnect tray app is installed on the target PC), and then it never get it again. Basically the support tech can connect, disconnect and connect again without permission every single time.

Labtech support has been giving me a run for two weeks, first they seems not to know the problem, later they check if this is a misconfiguration, later they implied I changed some setting, and eventually the say this is "by design", and later they finally said that on 5.6 the functionality changed because "many customers asked for it"

Im trying to figure out which customer would like to explain to their end users that the techs can now connect without permission, day or night, on their business PCs (those PCs from Lawyers, accountants, doctors, etc), that has tons of private information.

My Account Manager at LT told me this morning, the CTO say that this change was on purpose, and that if I want to have request for consent then the user needs to log out and log back in on their PC after each remote session!!!!!

I smell that LT made a huge mistake, and instead of taking ownership and fix it, they are buying time blaming customers.

I know is a ScreenConnect issue and not a LT integration issue, because I also own a ScreenConnect license in premise, that I use for supporting customers with no contract, and it is the same,, 5.5 works with request for consent every time, and as soon as I move to 5.6 the request for consent breaks.

I asked LT for solutions, they told me this is the way it is now and thats it, I asked them to roll back MY screenconnect hosted version to 5.5, I dont get an answer. I asked them to ask direct questions about the reasoning behind this to their CTO, they run around and give me excuses.

What you guys think on all this? have you experience similar issues?
How can I trust LT?, they can come and change any functionality that you already have deployed with your customers and then take no responsibility about it.
Posts: 2
Joined: Thu Apr 30, 2015 10:51 pm

Re: ScreenConnect 5.6 , Security and Privacy Flaw

Postby jerry.digitaltruss » Thu Aug 04, 2016 8:59 am

I don't recall how I did it, but when we started using LT in 2015 I disabled the prompt. We have a lot of situations where we want to remote into a computer that isn't in use, and the prompt at that time was setup such that if the user did not respond to the prompt, we couldn't get access. At that time LT told me the setting "Ask then Allow" was not applicable to ScreenConnect and would be removed in future versions. I haven't followed up on that in a while.

What we need is complete control over this on a client by client basis, and we need "Ask then Allow" as one of the options. Most of my clients do not seem to care about this issue and trust us (we're a very small shop), but I can foresee future clients wanting to have an approval mechanism. What we also desperately need is some sort of indicator that we are present. I think WebEx puts a green border around the computer screen. All ScreenConnect does is turn the background black, but most of the time the user doesn't notice this because their windows are full screen. If they could just add that we'd be pretty happy.

I just remembered something regarding this. We disabled "balloon notifications" because even if we weren't connected a balloon message appeared for every user every time they logged onto their computer. I forget what it said but people found it annoying and wanted it gone. At that time there was no way to remove THAT message but keep the balloon notification that we had connected. We had to turn balloons on or off. Maybe I need to revisit that....
Posts: 13
Joined: Sun Mar 15, 2015 11:55 am

Re: ScreenConnect 5.6 , Security and Privacy Flaw

Postby mmorales.bocatechforce » Thu Aug 04, 2016 1:49 pm

Hi Jerry

My customers trust me too, the problem is that on a lawsuit that judge wont trust anybody.
I have a customer that has inventions, some of them in the middle of patent approvals, they have invested a lot of money and effort on them and they dont feel easy about letting people to connect without consent.

I went for a meeting with a prospect yesterday, and I would love to describe here the face he put when I told him we have full remote control capabilities, day or night.
He told me he sometimes forget to lock is laptop at the end of the day, but he locks his personal office with keys, lock the whole access to the floor, the elevator wont allow anybody unless they have badges and the security guards are 24/7 on the lobby, but if we have remote capabilities on his laptop, that defeats the purpose of all the steps he has taken to protect the customer data he handles.

I dont mind LT offering a lot of combinations for security, what I mind is that they change one that offered a greater protection into one that leaves the door opens on the endpoint.
I think someone there needs to go a cybersecurity training class, or perhaps some common sense class.

Imagine you Jerry, leaving your PC with ScreenConnect installed, the same PC with your compensation plan for employees, investments, customer opportunities, banking information for you an your family, etc,, would you be ok that your Helpdesk people (or anybody that could get access to your ScreenConnect web admin after hours,) could see what you have?
We know, unless we have proximity badges for our laptops, one day we will forget to lock the screen or log out.

If everybody would trust everybody then we would not need file access control, user level access, passwords, policies etc.
Employees at all levels are inside those policies, but LT seems we as IT providers should have a greater degree of trust from the owners than they give to their own employees and be above all of them.

I dont give much time until a business owner file a suit agains a provider upon security breach.
I guess the liability will be ported back to LT and their security implementation of ScreenConnect.
Posts: 2
Joined: Thu Apr 30, 2015 10:51 pm

Re: ScreenConnect 5.6 , Security and Privacy Flaw

Postby teamits » Thu Aug 04, 2016 6:02 pm

One solution to not locking the screen is to enforce that via group policy. Point out if a burglar came it they would have access to the computer if it isn't locked.

Do techs know the user's password? Probably they know the domain admin password though which would still let them connect...enable Remote Desktop via registry change, open firewall ports, etc. Have the user encrypt the documents so the domain admin can't read them?

The techs could always take screenshots I suppose.

I get what you're asking for, just brainstorming...
Hero Member
Hero Member
Posts: 1578
Joined: Wed Dec 31, 1969 8:00 pm

Re: ScreenConnect 5.6 , Security and Privacy Flaw

Postby admin.mycomputingrx » Wed Dec 13, 2017 11:27 am

Remove ScreenConnect and do ad-hoc support sessions.
Posts: 1
Joined: Wed Dec 13, 2017 11:18 am

Return to Tunnels & Redirectors

Who is online

Users browsing this forum: No registered users and 0 guests