trenton.hord  
#1 Posted : Monday, March 20, 2017 10:56:58 PM(UTC)
It appears our ScreenConnect Server may be experiencing a brute force attack. We have AD enabled as our "User Source". It is causing accounts to become locked throughout our domain.

Is there any way to enable logging of failed login attempts and what IP addresses these brute force attacks are coming from?

I've found a couple of articles but no solutions:
http://forum.screenconnect.com/yaf_postst3323_Is-there-a-way-to-monitor-failed-login-attempts.aspx
http://product.screenconnect.com/topics/65-add-the-ability-to-audit-login-failuressuccesses-for-logging-in-to-the-web-interface/
JM74  
#2 Posted : Monday, August 21, 2017 3:51:34 PM(UTC)
Did you ever get to the bottom of this? I have experienced the same thing, only we did not have AD enabled as "User Source".

trenton.hord  
#3 Posted : Tuesday, August 22, 2017 5:15:17 PM(UTC)
No, there is no solution that I am aware of for my AD lockout situation. Your situation may be different if you aren't using AD.

The machine we have SC running on is also a Domain Controller (DC). To prevent the constant lockouts from spreading across the domain I created a firewall rule that blocks LAN communication with our internal subnets. I have it set so that twice a day in off-hours (before 6am and after 6pm) the firewall rule is disabled so that traffic to our internal subnets is allowed and the DC can synchronize with the rest of our network.

It's definitely not an ideal setup and it's a shame ConnectWise doesn't care more about implementing a security log (so that brute-force attempts can be blocked with other software), or additional security features to rectify the issue within ScreenConnect itself.
tmekeel  
#4 Posted : Wednesday, September 6, 2017 1:47:10 PM(UTC)
Originally Posted by: trenton.hord
No, there is no solution that I am aware of for my AD lockout situation. Your situation may be different if you aren't using AD.

The machine we have SC running on is also a Domain Controller (DC). To prevent the constant lockouts from spreading across the domain I created a firewall rule that blocks LAN communication with our internal subnets. I have it set so that twice a day in off-hours (before 6am and after 6pm) the firewall rule is disabled so that traffic to our internal subnets is allowed and the DC can synchronize with the rest of our network.

It's definitely not an ideal setup and it's a shame ConnectWise doesn't care more about implementing a security log (so that brute-force attempts can be blocked with other software), or additional security features to rectify the issue within ScreenConnect itself.


The IP should show up in your Audit Logs on your DC? You can also enable debug logging and look in the netlogon log file in C:\Windows\debug. Follow that and you should see the malicious attempts.

Plenty of ways to troubleshoot account lockouts on TechNet.

Search nltest and debug logging.

HTH.
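
One way to act on the netlogon suggestion above, as an added example that is not part of tmekeel's post or of ScreenConnect: once Netlogon debug logging is on (commonly enabled with `nltest /dbflag:0x2080ffff`), this Python script tallies failed SamLogon entries from `C:\Windows\debug\netlogon.log` by source machine. The sample lines, domain, host and account names are constructed, and the line layout is assumed to match the usual SamLogon debug format.

```python
import re
from collections import Counter

# NTSTATUS codes that matter when chasing lockouts
STATUS = {"0xC000006A": "wrong password", "0xC0000064": "no such user",
          "0xC0000234": "account locked out"}

# Assumed layout of a SamLogon completion line in netlogon.log
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?"
    r"(?P<dom>[^:]+): SamLogon: (?P<kind>.*?) logon of "
    r"(?P<account>.+?) from (?P<src>\S*) ?(?:\(via (?P<via>[^)]+)\) )?"
    r"Returns (?P<status>0x[0-9A-Fa-f]{1,8})\s*$"
)

# Constructed sample lines (domain, hosts and accounts are made up)
SAMPLE = r"""
03/20 22:41:07 [LOGON] [4120] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from SCSERVER (via DC02) Entered
03/20 22:41:07 [LOGON] [4120] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from SCSERVER (via DC02) Returns 0xC000006A
03/20 22:41:09 [LOGON] [4120] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\admin from SCSERVER (via DC02) Returns 0xC000006A
03/20 22:41:12 [LOGON] [4120] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from SCSERVER (via DC02) Returns 0xC0000234
03/20 22:42:30 [LOGON] [4120] EXAMPLE: SamLogon: Network logon of EXAMPLE\asmith from WS-014 Returns 0x0
03/20 22:43:02 [LOGON] [4120] EXAMPLE: SamLogon: Network logon of (null)\guest from  (via DC02) Returns 0xc0000064
""".strip().splitlines()

def failed_logons(lines):
    """Yield (timestamp, account, source, via, reason) for each failure line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered" lines and other log categories are skipped
        code = "0x" + m["status"][2:].upper()
        if code in STATUS:
            yield m["ts"], m["account"], m["src"] or "(blank)", m["via"], STATUS[code]

def summarize(lines):
    """Count failures per (source, via) pair and collect the accounts targeted."""
    counts, accounts = Counter(), {}
    for _, account, src, via, _ in failed_logons(lines):
        counts[(src, via)] += 1
        accounts.setdefault((src, via), set()).add(account)
    return counts, accounts

if __name__ == "__main__":
    # Real use: summarize(open(r"C:\Windows\debug\netlogon.log", errors="replace"))
    counts, accounts = summarize(SAMPLE)
    for (src, via), n in counts.most_common():
        print(f"{n:3d} failures from {src} via {via}: {sorted(accounts[(src, via)])}")
```

netlogon.log records the calling computer name rather than an IP address, so attempts relayed by one application server all carry that server's name.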
trenton.hord  
#5 Posted : Wednesday, September 6, 2017 1:57:13 PM(UTC)
Originally Posted by: tmekeel


The IP should show up in your Audit Logs on your DC? You can also enable debug logging and look in the netlogon log file in C:\Windows\debug. Follow that and you should see the malicious attempts.

Plenty of ways to troubleshoot account lockouts on TechNet.

Search nltest and debug logging


ScreenConnect doesn't have its own login audit logs, does not pass along login information, and does not utilize IIS, etc.

Therefore, DC audit logs only show that the lockouts come from the ScreenConnect server. Completely useless.