How to securely set up user accounts
Today’s workforces look a lot different than in the past. With more employees working remotely, many organizations have either gone fully remote or adopted a hybrid structure. In either case, a dispersed user base brings new risks and vulnerabilities, as well as user downtime and lost productivity, that can’t be left unattended.
ConnectWise ScreenConnect can help you reduce these risks by providing a behind-the-scenes help desk and secured remote user support with security as a top priority. We also provide many security features our partners can implement to secure their installations.
In this post, we’ll dive into account security and offer some new-user configuration tips for ScreenConnect remote support. Let’s get started.
One of the best ways to ensure user security is with authentication best practices. Administrators can use a combination of internal or external authentication sources to secure user accounts. When using an internal authentication source, passwords and multi-factor authentication are handled in ScreenConnect. If you opt to use an external authentication source, the source is responsible for passwords and additional layers of authentication. User roles and permissions, session groups, and temporary host passes are additional security features within ScreenConnect.
- Create a new internal account with Administrator permissions for day-to-day administration. The default user is the Cloud Account Administrator, a super-user account that should only be used when you are managing your instances or your account.
- Configure one or more user sources for authentication into your instance. Use existing users from different sources or define them yourself within the application. (Source options include internal, LDAP, ConnectWise SSO, SAML, and OAuth2.)
- Use the password complexity options to require your internal users to use more secure passwords.
- Each colleague should have a separate account tied to their required permissions. The sharing of accounts and credentials is discouraged. If hackers gain entry, shared passwords make it easier to access other parts of the network. With separate accounts, if you experience an account breach or terminate an employee, you can quickly suspend the affected account.
- Multi-factor authentication adds an extra layer of protection to user accounts. With MFA, cybercriminals who get access to credentials will not be able to use them unless they also have the additional authentication factor. (Authentication methods include email & SMS, Google Authenticator, YubiKey, Microsoft Authenticator, LinOTP, and Duo Security "push" alerts.)
- Implement role-based security to assign permissions at a granular level. Each employee should have an account with a specified role. We suggest using the least-privilege approach, which is the practice of restricting access rights for users to only those resources absolutely required to perform their job. Roles can be used in conjunction with the session groups to permit whether users can connect to a single machine or a group of machines.
- For users needing temporary access to a session, a host pass can be granted with a set expiration time and limits on permissions. A host must have the role permission CreateDelegatedAccessToken to generate a host pass. This may be useful if a vendor needs one-time access to a machine.
There are other policies and restrictions you should have in place to limit unauthorized access. Features such as timeouts, authentication factors, blocking or restricting IP addresses, token expiration, idle times, and more are configurable via the Advanced Configuration Editor extension.
- Page Idle Timeout – If a user idles on the host or admin page for a configured number of seconds, they will be logged out.
- Minimum Authentication Factor Count – Determines the minimum number of authentication factors that must be associated with a user in order for the user to log into the Host and/or Administration page.
- Block IP Addresses – Blocks IP addresses from the web interface.
- Restrict to IP Addresses – Allows only certain IP addresses to access the web interface.
- Host Client Device Fingerprint Validation Level – Rejects incoming connections if the IP address doesn't match the value in the ScreenConnect client's access token. This can be useful to prevent unknown machines from connecting to your instance.
- Access Token Expire Seconds – Specifies the period before a Host will have to relaunch a session.
- Should Revalidate Time Seconds – Will automatically disconnect the Host from your sessions after Access Token Expire Seconds have expired.
- Input Idle Disconnect Time Seconds – Disconnects a host from a session if they have idled for a set number of seconds.
- Lock Machine on Connect – Automatically locks the guest machine when a host connects.
- Lock Guest Machine – Locks the guest machine when the host disconnects.
- "Trust this device" Duration – Specifies the number of days to skip the 2FA prompt after authentication when "Trust this device" is checked.
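As an added example (not ScreenConnect's own code or configuration format), the script below audits an appSettings-style XML fragment for the settings listed above, flagging values that are missing, disabled, or looser than a chosen threshold. The key names are assumed placeholders modelled on the display names in the list, and the thresholds are illustrative choices, not vendor guidance.

```python
# Added example (not ScreenConnect's own code): audit an appSettings fragment against the
# settings listed above. Key names are ASSUMED placeholders modelled on the page's display
# names, not verified ScreenConnect keys; thresholds are illustrative, not vendor guidance.
import xml.etree.ElementTree as ET

CHECKS = {
    "PageIdleTimeoutSeconds": ("max", 900, "idle host/admin pages should log out within 15 min"),
    "MinimumAuthenticationFactorCount": ("min", 2, "require a second factor for host/admin login"),
    "AccessTokenExpireSeconds": ("max", 3600, "hosts should have to relaunch within an hour"),
    "InputIdleDisconnectTimeSeconds": ("max", 1800, "disconnect hosts that idle in a session"),
    "TrustThisDeviceDurationDays": ("max", 30, "bound how long the 2FA prompt is skipped"),
    "LockGuestMachine": ("bool", True, "lock the guest when the host disconnects"),
}

def parse_app_settings(xml_text):
    """Map <add key=".." value=".."/> entries to a dict."""
    return {el.get("key"): el.get("value") for el in ET.fromstring(xml_text).iter("add")}

def audit(settings):
    """Return (key, finding) tuples for every setting that misses its threshold."""
    findings = []
    for key, (kind, bound, why) in CHECKS.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, f"not set: {why}"))
        elif kind == "bool":
            if (value.lower() == "true") != bound:
                findings.append((key, f"is {value}: {why}"))
        elif not value.lstrip("-").isdigit():
            findings.append((key, f"non-numeric value {value!r}"))
        elif kind == "min" and int(value) < bound:
            findings.append((key, f"is {value}, below {bound}: {why}"))
        elif kind == "max" and not 0 < int(value) <= bound:
            findings.append((key, f"is {value}, above {bound} or disabled (0): {why}"))
    # Either an allow list or a block list should guard the web interface.
    if not (settings.get("RestrictToIpAddresses") or settings.get("BlockIpAddresses")):
        findings.append(("RestrictToIpAddresses", "no IP allow or block list for the web interface"))
    return findings

# Constructed sample: a loose configuration with weak and missing settings.
WEAK_CONFIG = """<appSettings>
  <add key="PageIdleTimeoutSeconds" value="0" />
  <add key="MinimumAuthenticationFactorCount" value="1" />
  <add key="AccessTokenExpireSeconds" value="86400" />
  <add key="LockGuestMachine" value="false" />
</appSettings>"""

if __name__ == "__main__":
    for key, finding in audit(parse_app_settings(WEAK_CONFIG)):
        print(f"[!] {key}: {finding}")
```

Running it against the constructed sample reports seven findings; a fragment that sets every listed key within its threshold and supplies an IP allow list produces none.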