Tom here from Lawrence Systems and we're going to talk about ScreenConnect. So if you want to learn more about me and my company, head over to lawrencesystems.com. And if you want to learn about securing ScreenConnect, follow along here. "So our entire ScreenConnect just got compromised with ransomware, 1,000 endpoints, and 50 servers. Ransom is 400,000. Any suggestions for a recovery company?" ScreenConnect's been in the news a few times. And obviously I did the video about Bishop Fox and their findings, validated by the folks over at Huntress Labs, that yes, there was some cross-site scripting and some cross-origin problems that were fixed in ScreenConnect, and ConnectWise has committed themselves and sent a letter. And I followed that entire video up with that entire process that, yes, they're committed to security. ScreenConnect is the big kid on the block. It is very popular in the MSP space. Therefore, it is going to make waves whenever there's a company that gets compromised. This was posted in a forum. I don't know the details of this particular incident. But in many of the other incidents, and I've talked to people who've done the debriefs and incident response, they have found that two-factor not being enabled and password reuse were huge problems. Now password reuse, don't do that. There's my advice for that. But two-factor, let's talk about it because there are some nuances to it and little details about ConnectWise Control that I realized some people may not understand. Now, this part of it only applies to the cloud instance of it. And the parts where I'm on this tab here are going to be the ones that apply to both the cloud instance and the self-hosted version, which we're using a self-hosted version. So I set up this evaluation. That's why it says 14 days remaining. This is not my real ScreenConnect. And screenconnect@lawrencesystems.com was a dummy email just created for this particular video and everything else. The company name is real. The passwords are not.
And neither are these two-factor codes. That is our phone number, though, for our company. Anyways, it's on our website, too. The first problem I kind of have is "enable ConnectWise Control Cloud Account two-factor authentication." I have a talk about how to do this, and they do say yes. But here's the problem. They do say to do this, but can you tell which type of two-factor I have enabled right now? What if I click this? Yeah. So "tyranny of the default" is the term I like because many people never change things from the default. The default is it emails you. So if someone, a threat actor, were to get into your email and they wanted to get into your ConnectWise Control account, they would be able to send out an email and get those codes sent over there. Obviously, that's a huge problem. The best way to do this is to set the two-factor authentication code using this, and this is like Google Authenticator, TOTP-based authentication. TOTP is time-based, meaning rolling numbers. You scan this with an app on your phone, Google Authenticator being a very popular app. There are other apps like Authenticator Plus and several others out there. Basically, they scan this QR code, they generate numbers based on time that expire and are, you know, rolling numbers. I won't dive too far into that, but that would mean that the bad actor not only would need access to the username and password, they also need access to the phone with these numbers that are expiring and rolling on a time basis on here. So when you set this, this is where one of the other issues I found is: set two-factor authentication. One, it doesn't tell me what type I'm using now, default as email. When you do set the two-factor, you scan this with your phone and hit save, but it does not prompt you to verify that you have the right number saved, so be careful because you can, well, easily lock yourself out of the account. Also, every time you hit configure, it does that.
Now, once you've done this, I was told by several people that ConnectWise had an issue where if you were to go through and try to do a password reset on cloud.screenconnect.com to get into the cloud account, it would bring you back a link to the email. So the threat actor would also have to have access to the email, but it would allow them to bypass the TOTP. I did validate that this is not true. I went through the ScreenConnect at lawrencesystems.com, went through, put in the password reset, did the forgot password, and it did let me change the password because it does send a link to the email, but I was still stopped because the threat actor would still need that rolling number that's on the phone to make that work. So the good news is that if that was a flaw before, it appears to be fixed right now. So the next part we're going to talk about is what applies to both the on-prem and the cloud instances here, and we have proof-of-concept.screenconnect.com. Like I said, I set this up as a demo, so don't bother poking away at it if you're curious. And if someone says, aren't you showing the passwords of things? Yes, I am. They're going to be deleted when this video gets finished. So someuser@lawrencesystems.com, username someuser, we set a password, and then we have the authentication options. OTP (one-time password): email, Google, YubiKey, LinOTP, and Duo. I'm using the Google Authenticator one, but like I said, this is actually TOTP, those rolling numbers. The way you do that is you type "goog:" and then we generate a number. And we just pull this website up, and every time you pull it up or click regenerate, it regenerates another one. Once you've decided on the code that looks most secure to you, you scan it with the app on the phone for that particular user. Then that user now has access to those rolling numbers on there. Then we take this last bit, "secret=", copy it, and paste it right here.
So it's "goog:" and that secret, and then you save that user. Now that particular user has two-factor, and this protects you from a couple of problems. The main one being, of course, that if they know the username, they can always click forgot password. So if they go to someuser, that will go to that username and send a reset link to their email. Now if that threat actor has access to said user's email, they would be able to get in unless it has some type of two-factor authentication turned on. So this is one of the reasons I'm really a big fan of it because, well, it's a little bit harder because they would have to acquire the phone that these are on. And some of these apps have the ability to put a password on top, Authenticator Plus being an example of one. So that Authenticator Plus app will have to have a password entered on top of it again to even get in and show the rolling numbers. So that helps protect you from that. So now let's go back over here. Well, I'll just show it in action real quick with someuser. Now I put in the trusted code on here. And this is what would have been stopped. So 1-5-0-0-6-3. Like I said, these numbers expire after so many seconds. And I typed it in wrong. 1-5-0-0-6-3. And now they're in. So like I said, this keeps them from being able to dive deeper into the system. Now I still wish there was a way. And I'm just going to throw it out there right now. Maybe this is a future thing they can fix. If you are self-hosting, you can do this if you're using a reverse proxy. You can filter out people's ability to hit the login page. But right now when you go to a ScreenConnect, the login page is accessible to anyone no matter what restrictions you put. So they can always click the forgot password part. And if they know your username, obviously they can become very annoying by doing that. You can see a self-hosted instance with a reverse proxy. If you're familiar with reverse proxies, they're able to filter URLs.
And you can do things like restrict login to only certain IP addresses. But what they do have is the advanced configuration editor. So I do recommend you load this. You go over here to extensions, browse the marketplace for extensions, advanced configuration editor. I've already loaded it. So the install button is missing. And that brings up these menu options here. There are a lot of things that you can do and customize with it. Maybe I'll do a future video on customizing ScreenConnect and talking about the product. I have an older video on it. There are a lot of options to pull up here. But what we're going to focus on is if there's an IP address you need to block because they're hammering away at things, you can put that in there. More importantly, restrict to IP addresses. You can restrict the host page and the admin page. So maybe that's the same IP address, or maybe you have more on here for the host page because you have more users logging in from more places. You can put all of them in either CIDR notation or comma-separated for each of the IP addresses. Maybe you have more than one site. So if you have static IP addresses, you can put those in there. Do heed the warning down here that says caution: incorrectly setting these IP restrictions can prevent you from logging into the host and admin pages. Obviously, you can lock yourself out and then you end up on the phone with ConnectWise support to get that fixed. Also, you can set "required two-factor authentication count." That determines the minimum number of authentication factors that must be associated with the user in order for a user to log in to the host administration page. That's another thing you can put on there as a restriction. Now, even putting these on here, if they have the username and password but they're not coming from an IP that you have authorized, they still get to the login page.
So that doesn't stop them from hitting the login page or putting a restriction on it, but it will stop them even if they were to successfully log in and they had someone's phone, for example. It will stop them from that because even if they have a successful username and password, they will be on that not-authorized list and it will block them. So restricting to IP addresses, I think that's fairly important to throw in there. Last little thing I'll mention, security is about the principle of least privilege. I made this user an admin; that's probably a horrible idea. So when you're creating users, you probably don't want to have your daily user that you're using have administrator privileges. The reason that's really important is in the case of the cross-origin issue that to my knowledge was fixed. Cross-origin means another tab, on a different origin, while I'm logged in on this tab, can inject something in there. And if this user's logged in as administrator, then you could then flip a setting. And that was one of the demos that they had done, like, hey, you could change a setting in here, for example, turn off 2FA in there. If these users don't need admin, and generally speaking for day-to-day use they don't, you generally don't want to have them have admin privileges. And you just create an admin user that's separate that you log into when you need to change something, which on a day-to-day basis of usage isn't very often. So you're keeping the permissions restrictive on here. And that's one more way to help mitigate any potential issues. So hopefully this helps. Hopefully this adds some layers of security. I've had people reach out that said they weren't really clear on the two-factor. Yeah, hopefully this cleared that up. TOTP is my preferred way to do this. It's much better than things like, you know, sending SMS messages or using that. But of course they do have other options like Duo and YubiKey. Duo authentication is a great service.
And YubiKeys are well known for security, but please just don't use email. Like I said, many of the briefs were not about some clever hack of how they got in. It was a combination, sometimes password reuse, using the same passwords on email as for other accounts. Not having two-factor on email. And of course, not having two-factor on ScreenConnect. Once they do compromise email, or having email as two-factor, or in some cases, there were instances, one that I read about, they didn't have any two-factor at all. Just a username and then weak passwords. And obviously that seemed like the pretty tragic and terrible result of that sometimes. So hopefully this helps someone, and thank you. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.
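The "rolling numbers" behind the goog: secret described above are standard RFC 6238 TOTP. As an added example that is not from the video or from ConnectWise, here is how the base32 secret in a "goog:<secret>" string turns into the expiring six-digit codes, and how a verifier accepts a code only within a small time window; the secret used is the published RFC 4226/6238 test key, not a real user's secret, and the "goog:" parsing is an assumption modelled on the format shown in the video.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the ScreenConnect-style "goog:<base32 secret>" form seen in the video.
# The secret is the RFC 4226/6238 test key ("12345678901234567890"), not a real user's secret.
SAMPLE_AUTH_STRING = "goog:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30  # seconds each rolling code stays valid
DIGITS = 6


def parse_auth_string(auth: str) -> bytes:
    """Split 'goog:<secret>' (assumed format) and decode the base32 secret to raw key bytes."""
    method, _, secret = auth.partition(":")
    if method != "goog" or not secret:
        raise ValueError("expected 'goog:<base32 secret>'")
    secret = secret.upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore padding that a QR/secret field usually omits
    return base64.b32decode(secret)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(key, unix_time // TIME_STEP)


def verify(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew only)."""
    step = unix_time // TIME_STEP
    return any(hmac.compare_digest(hotp(key, step + d), code) for d in range(-window, window + 1))


if __name__ == "__main__":
    key = parse_auth_string(SAMPLE_AUTH_STRING)
    now = int(time.time())
    print("current code:", totp(key, now), "(changes every 30 seconds)")
```

Because the code is derived from a key that never leaves the phone, a reset link landing in a compromised mailbox yields nothing the verifier will accept once the step window has passed.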