Category Archives: Technology

ScreenConnect (ConnectWise Control) Review

Written by William Roush on July 16, 2014 at 9:00 pm

Looking for remote support software that won’t break the bank? Open to self-hosted alternatives? ScreenConnect is a viable feature-rich option with a very affordable price point.

ScreenConnect

ScreenConnect has changed their pricing from this article and so far I’m not recommending it anymore; please read updates here.


 

What Is ScreenConnect?

ScreenConnect is self-hosted remote support software, an alternative to LogMeIn Rescue, GoToAssist, or TeamViewer. The largest difference between ScreenConnect and its competitors is that it is self-hosted: you deploy it on your own private servers.

Why Self-Hosted

Self-hosting comes with a variety of benefits. First is complete control over your traffic and environment: you can lock administration to internal access only, put it behind a reverse proxy, or require additional authentication. The sky is the limit.

However, the biggest benefit to self-hosted (at least in this case) is the price.

Licensing

The cost of ScreenConnect at the time of posting is $325.00 per license. Each license entitles you to one connected support session. A support session is defined as an active connection between a host and a guest. This means this support session can float between a small team where any one person can be supporting another at a time. This also means multiple techs can be on with a single guest and still only consume one license.

Let’s break down the cost for 3 years of ownership with some competitors:

| Solution | Licensing Scheme | 1st Year | 2nd Year | 3rd Year | 3 year TCO |
|---|---|---|---|---|---|
| ScreenConnect | $325/seat + 20% support renewal/year. | $325 | $65 | $65 | $455 |
| TeamViewer | $749 one time (1 authorized workstation). | $749 | $0 | $0 | $749 |
| LogMeIn Rescue | $1,188/yr | $1,188 | $1,188 | $1,188 | $3,564 |
| GoToAssist | $660/yr subscription | $660 | $660 | $660 | $1,980 |

Requirements

Full list of ScreenConnect requirements can be found here. One of the biggest benefits is that you can run ScreenConnect on a variety of server platforms, including Windows, OSX and Linux!

ScreenConnect achieves this by running a .NET application on top of the Mono platform. I’ve been wary about Mono before, but ScreenConnect’s performance and stability have changed my mind entirely about how commercially ready Mono is.

Download And Installation On Debian 7

Installation is easy: download the latest tar.gz file, unpack it, run the install script, and follow the instructions:

root@screenconnect:~# cd /tmp
root@screenconnect:/tmp# wget http://www.screenconnect.com/Downloads/ScreenConnect_4.3.6563.5232_Release.tar.gz
root@screenconnect:/tmp# tar xvf ScreenConnect_4.3.6563.5232_Release.tar.gz
root@screenconnect:/tmp# cd ScreenConnect_4.3.6563.5232_Install/
root@screenconnect:/tmp/ScreenConnect_4.3.6563.5232_Install# ./install.sh
Welcome to the ScreenConnect Installer

The installer will do these things:
1) Prompt you for installation options
2) Display a list of actions to be taken
3) Prompt you for execution of the actions
4) Execute the actions

Where would you like to install ScreenConnect?
[/opt/screenconnect]

What would you like as the service name for this ScreenConnect installation?
[screenconnect]

The installation will perform the following actions:
- Install libavcodec-extra-53 with Advanced Package Tool (apt)
- Install libswscale2 with Advanced Package Tool (apt)
- Install libavutil51 with Advanced Package Tool (apt)
- Install libavformat53 with Advanced Package Tool (apt)
- Create service script at /etc/init.d/screenconnect
- Create startup links in /etc/rcX.d/ directories
- Copy files into /opt/screenconnect
- Initialize configuration files
- Start screenconnect service

Do you want to install ScreenConnect?
(Y/n): y

[[Removed installation output]]

Running 'Create service script at /etc/init.d/screenconnect'...
Running 'Create startup links in /etc/rcX.d/ directories'...
Running 'Copy files into /opt/screenconnect'...
Running 'Initialize configuration files'...
Running 'Start screenconnect service'...

Installation complete!

Trying to figure out the best URL for you to use...

To access your new ScreenConnect installation, open a browser and navigate to:
http://localhost:8040/Host

root@screenconnect:/tmp/ScreenConnect_4.3.6563.5232_Install#

Navigating to http://[your host’s IP]:8040/Host will present you a wizard which will walk you through the rest of the installation process, including setting up your primary administration account and configuring your licensing information (if you need a trial license visit http://www.screenconnect.com/Try-It-Now).
Setup Wizard

Hosting a Support Session

Hosting a support session is easy, click the plus button next to the “Support” header on the left, and you’ll be greeted with a list of options for sending your support request out.

Lots of options, easy to use.

I generally use invitation only and generate URLs to send to people over chat/e-mail. ScreenConnect supports plugging into an SMTP server and sending mail for you, or leveraging your locally installed mail client to send e-mails (I prefer this configuration for this method).

Active sessions are displayed in a list form, easy to tell status and who is connected.

Your end user will be presented with instructions on how to connect. ScreenConnect supports a variety of methods to attempt to get the end user online, including leveraging ClickOnce and Java Web Start, standard methods you’ll see competitors using.

Easy to understand instructions for the end user.

From there it’s like any other remote desktop support software, with a large array of tools at the top of your screen.

Connection Information

Wide array of audio options, including listening and sending audio.

Screenshot capture and video capture.

Various file transfer options, nothing out of the ordinary.

Customizable toolbox, upload files that will be available between all sessions.

Display quality and management.

By far the biggest thing I love about ScreenConnect’s UI is how well it manages multi-monitor clients. In most other software switching between displays is always clunky or seems sort of “out of the way”, ScreenConnect makes it feel right.

Various additional features.

Nothing out of the ordinary in terms of rescue features, various blanking of devices, blocking of input, safe mode support. A bunch of “must haves” have all been checked.

Meetings

Meetings are kind of the inverse of support requests, a single presenter and multiple viewers. The UI is tweaked a bit to support this concept a bit more. I’ve had some minor UI workflow issues with handing presenter around being a little clumsy, but other than that it works well.

The only downfall about using it for meetings over GoToMeeting or something similar is that ScreenConnect doesn’t support plugging it into a phone system (though I understand this isn’t a trivial task from both the programming and logistics end), so you’ll either need to set up a conference room on your phone system or use the built-in VOIP functionality.

Administration

Administration is fairly straightforward: everything is done with role-based access. You can lock things down and prevent users from accessing specific groups of machines, though the UI for doing so leaves much to be desired (this is currently being worked on, as I understand it).

A nice server status screen showing general health of the application.

Funny enough the status screen shows “Windows Firewall Check” even though I’m on a Linux host…

ScreenConnect supports theming, allowing you to bring it in line with your company’s brand (be aware though, changing themes restarts the web site, so don’t expect uninterrupted service if you’re messing with that).

Additionally ScreenConnect keeps an audit log in the admin control panel, very useful if you need to track down changes or actions taken against the system.

Overall

ScreenConnect packs a ton of punch for a low cost with a wide range of platform options on a stable and rapidly developed software package. One of the most impressive things I’ve seen about ScreenConnect is the speed at which they’ve moved forward and provided more features, iterated on parts that were lacking and end up delivering a stable polished product every time.

In my opinion it is a must-have. With UPnP support it allows small-time technicians to purchase a copy, install it and run it on their home machines with no effort at all, but it includes the feature set and stability to be used at your SMB office (and probably beyond).

Passwordstate – Enterprise Password Management Review

Written by William Roush on May 30, 2014 at 4:40 pm

An end-user review of Passwordstate, a shared web-based password list software that gets you all the additional features you wanted over KeePass and other equivalents.

Before we start… Sorry about the large gap in posts, a mix of writer’s block and working on reviews for a handful of things (Zultys PBX, ScreenConnect, etc.). There will be MUCH more to come soon!

I’d also love to write about more IT subjects in Chattanooga (locally developed software, startups, IT community, or businesses), if you have any suggestions feel free to throw them my way!

What is Passwordstate?

Passwordstate is a web-based password management tool written by Click Studios. Think of it as KeePass on the web, but deployed inside your own private network.

Why Use it Over KeePass?

I personally love KeePass, I can’t talk about it enough, I wrote a post a while ago all about it. However, as much as I like it, it falls short on some management features that I feel I need when working in a team of diverse responsibilities and access levels. While we can create a lot of process and hoop jumping to resolve this issue, I’d rather not if it could be avoided (plus, we’re IT, we want software to do the hoop jumping and process for us! That is what it is there for).

Prerequisites For Install

The requirements for installation are pretty straightforward: IIS7+ and MSSQL 2005+. Once these requirements are met, the install for Passwordstate is easy. I’m deploying it on IIS8 and MSSQL 2012 Express on top of Windows 2012 R2 for this review.

Organization

Passwordstate makes everything pretty easy to get to. Unlike KeePass, passwords are kept in “password lists”; imagine these lists as folders in KeePass. These lists can have a long list of permissions and customizations added to them (see later in this review for those options). On top of password lists you can create folders to store groups of password lists.

Navigating password lists is pretty simple.

In the example above we have a folder for development environment passwords. We could grant access to our storage admin to “Storage Arrays”, our DBA to “Database” and so on, allowing fine control over lists. Additionally I have a personal password list named “William’s Password List”; more on personal password lists later.

Password Management

Creating and editing passwords is pretty straightforward: a handful of fields you’re pretty familiar with if you use a password vault. Nothing really too special here other than a very nice UX design.

Auditing

By far the biggest benefit over a system like KeePass is the ability to audit access to passwords. Want to know who last updated the password on a service account? System admin scanned all passwords before leaving? KeePass won’t tell me any of that.

Simple UI, easy to grab a password or check recent audit events.

Audit reports can be sent at regular intervals to your e-mail so you can stay on top of what is going on.

Further details on the state of your password lists.

Personal Password Lists

Passwordstate has a different kind of password list for personal use: you can make a list for yourself that has additional security features (while you can password-protect a regular password list, I usually can justify additional passwords on personal lists a lot easier). In this case I’ve put a separate password on it from my account, requiring another step of authentication. These lists cannot be seen by administrators and stick with you.

Keeping personal passwords centralized has many benefits too.

The ability to keep your passwords in Passwordstate allows you to easily hand over all account passwords for various pieces of software (for example, if you hold a lot of licensing portal credentials on your personal e-mail account).

Password List Options

Another very powerful addition over KeePass is the customization behind your password lists.

A long list of configurable options to help make each list customized to its purpose.

You can have some lists sync with Active Directory, others have very strict password complexity requirements, some lists only available during work hours, and other lists have expiration dates.

Problems With Passwordstate

There are a handful of issues with Passwordstate, first and foremost is that everything has to be done via the web UI. While Passwordstate is configured for SSL upfront, I can understand the argument that browsers are one of the most exposed pieces of software we use on a daily basis, putting our passwords in that basket may not be the best idea.

Additionally, if you lose your Passwordstate server, your passwords are unavailable. Passwordstate does provide high availability options (additional cost for that though), but I’d throw an export of your password list every once in a while with a DB backup into a fire safe and offsite just in case things get really bad. Update: version 7 includes an ability to export to a KeePass database which will help if your network is down.

A small annoyance is I can’t do upgrades unless I set up a backup path, when I’m backing up the entire machine with Veeam and I do an upgrade after a snapshot, I really don’t care if I have to roll the entire VM back, but I don’t really have the option. Really minor gripe though, I know why they’ve done it (for those that don’t have good backups in place). Update: version 7 doesn’t enforce this allowing you to upgrade and rely on your own backups.

Overall

With it being free up to 5 users, I don’t see why not for small businesses! Even beyond that I’d say the additional safety and auditing is worth the relatively low price $37/user (that lowers as you add more users) and tops out at $4272 for unlimited user installs. This is by far not an exhaustive list of what Passwordstate can do (we’ve just skimmed the surface), so go grab a 5 user license and try it out today!

100% Qualys SSL Test A+

Written by William Roush on April 1, 2014 at 10:41 pm
Obtaining 100/100/100/100 on Qualys SSL Server Test

For fun we’re going to poke at what it takes to score 100 across the board with Qualys SSL Server Test — however impractical this configuration may actually be.

Qualys SSL Server Test… What Is It?

Qualys SSL Server Test is an awesome web based utility that will scan your website’s SSL/TLS configuration against Qualys best practices. It’ll run through the various SSL and TLS protocol versions, test all the cipher suites, and simulate negotiation with various browser/operating system setups. It’ll give you not only a good basis for understanding how secure your site’s SSL/TLS configuration is, but if it’s accessible to people on older devices (I’m looking at you Windows XP and older IE versions!).

Getting 100/100/100/100

Late at night I was poking at some discussions on TLS, and wondered what it really took to score 100 across the board (I’ve been deploying sites that scored 100/90/100/90), so I decided to play with my nginx configuration until I scored 100, no matter how impractical this would be.

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  # TLS 1.2 only.
  ssl_protocols TLSv1.2;

  # PFS, 256-bit only, drop bad ciphers.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}

Qualys wants only 256bit (or stronger) cipher suites.

This barely differs from our standard configuration (depending on if you choose to mitigate BEAST instead of RC4 issues)

100/100/100/100 comes at a high price.

To get to having all 100s we drop pretty much all but the most modern browsers… oops!

100s Not Realistic

It seems you’ll want to aim for 100/90/100/90 with an A+. This configuration will give your users the ability to take advantage of newer features (such as Perfect Forward Secrecy and HTTP Strict Transport Security) and stronger cipher suites while not locking out older XP users, and without exposing your users to too many TLS vulnerabilities (when supporting XP, you have to choose between protecting against BEAST or using the theoretically compromised cipher RC4).

So we’ll want to go with something a little more sane:

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # PFS + strong ciphers + support for RC4-SHA for older systems.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:RC4-SHA:HIGH:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}

10/24/2014 Update: Removed SSLv3 due to POODLE exploit for A+ example.
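
To see at a glance what the relaxed server block gives up compared with the strict one, the following linter (an added example, not code from the original post) parses an nginx configuration and reports legacy protocols, weak cipher rules and a short or missing HSTS max-age. The sample configurations are constructed, trimmed versions of the two blocks above; the function names, the set of weak keywords and the TLSv1.2 floor are this example's assumptions.

```python
import re

# Constructed samples, trimmed from the two server blocks in the post.
STRICT = """
server {
  ssl_protocols TLSv1.2;
  ssl_ciphers ECDH+AES256:RSA+AES256:!aNULL:!MD5:!kEDH;
  location / {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}
"""
RELAXED = """
server {
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:ECDH+3DES:RSA+3DES:RC4-SHA:HIGH:!aNULL:!MD5:!kEDH;
  location / {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}                     # assumption: policy floor
WEAK_PARTS = {"RC4", "3DES", "DES", "MD5", "EXPORT", "NULL"}  # assumption: keywords to flag
MIN_HSTS_AGE = 31536000                                       # the 12 months used in the post

def directives(conf):
    """Yield (name, args) for each simple directive at any nesting depth."""
    words = []
    for tok in TOKEN.findall(re.sub(r"#.*", "", conf)):  # comments dropped first
        if tok == ";":
            if words:
                yield words[0], [w.strip("\"'") for w in words[1:]]
            words = []
        elif tok in ("{", "}"):
            words = []            # discard block headers such as "location /"
        else:
            words.append(tok)

def audit(conf):
    """Return sorted findings for one nginx TLS configuration."""
    findings, hsts_age = set(), None
    for name, args in directives(conf):
        if name == "ssl_protocols":
            findings |= {f"legacy protocol {p}" for p in args if p not in MODERN_PROTOCOLS}
        elif name == "ssl_ciphers" and args:
            for rule in args[0].split(":"):
                # Rules starting with "!" or "-" remove ciphers, so they are skipped.
                if rule[:1] not in "!-" and WEAK_PARTS & set(re.split(r"[+-]", rule)):
                    findings.add(f"weak cipher rule {rule}")
        elif name == "add_header" and args[:1] == ["Strict-Transport-Security"]:
            m = re.search(r"max-age=(\d+)", " ".join(args[1:]))
            hsts_age = int(m.group(1)) if m else 0
    if hsts_age is None:
        findings.add("HSTS header missing")
    elif hsts_age < MIN_HSTS_AGE:
        findings.add(f"HSTS max-age {hsts_age} below {MIN_HSTS_AGE}")
    return sorted(findings)
```

Calling audit(STRICT) returns an empty list, while audit(RELAXED) lists the TLS 1.0/1.1 protocols and the 3DES and RC4 rules kept for older clients.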

Dan Kaminsky – Black Ops Of PKI

Written by William Roush on March 26, 2014 at 7:58 pm

Amazing talk by Dan Kaminsky discussing what is broken with X.509 (SSL). It’s an amazing dive into how X.509 works, various exploits, and the impending problem of the Verisign MD2 root certificate that may be open to preimage attack sometime in the near future.