How to Fix: Locked out of ScreenConnect On-Prem v23.9+ (2024)
There are a few things to mention before we begin:
Since the ScreenConnect CVE-2024-1709 vulnerability was disclosed in late February 2024, bots have been attempting brute-force logins against both patched and unpatched ScreenConnect servers. On newer versions of ScreenConnect, this results in the "Too many incorrect password attempts; you have been locked out." error message even when your password is correct, because the failed-attempt counters and the lockout flag are kept per user account, not per client, so a bot guessing against "Administrator" locks you out of it.
Moreover, ConnectWise ScreenConnect doesn't use CAPTCHAs as part of its login procedure for Administrator users, so nothing stops bots from hammering your on-premises ScreenConnect with guesses against the well-known account name.
As such, I recommend you rename the Administrator user to something containing random letters and numbers (example: Admin-j#8FGA458TxG). Additionally, create a secondary user with your name that also has admin access and uses the same naming convention (example: Fred-ZWYKg7$UC8o%) so that you always have a second way in if one account is locked out again. Untargeted bots try a handful of predictable names such as "Administrator" or "admin", so an unguessable login name means their failed attempts never count against your account and you won't get locked out even while they keep trying. Treat this as a mitigation rather than a fix: it does nothing against an attacker who already knows the username, so still patch to a release that fixes CVE-2024-1709, turn on multi-factor authentication for every admin account, and limit who can reach the login page where you can.
Step-by-step Instructions
Note that you will need your ScreenConnect license key to complete the steps below; it should have been emailed to you when you purchased your on-premises ScreenConnect. Also make a copy of User.xml and web.config before editing them so you can roll back if something goes wrong.
To reset the Administrator user's password on an on-premises ScreenConnect without losing your existing sessions (assuming the password reset function isn't working), do the following:
- Stop ScreenConnect from running so you can modify some configuration files. To do so: go to the machine that is running your on-premise ScreenConnect instance. Next, click Start and type in "cmd.exe" (no quotes); wait for CMD.EXE or Command Prompt to appear in the list; when it does, right click CMD.EXE or Command Prompt and (!important!) select "Run as Administrator".
- Now it's time to stop your ScreenConnect server. To do so, highlight the text below with your mouse:
net stop "ScreenConnect Session Manager"
net stop "ScreenConnect Relay"
net stop "ScreenConnect Web Server"
echo this is a dummy line
- Right click over top of the above highlighted text and select "Copy". Next, right click in the middle of the command prompt window you opened in the first step; this pastes the commands and runs them. (The trailing "echo" line is only there so the last real command is followed by a newline and actually executes.) All three ScreenConnect services should now be stopped; run net start | findstr ScreenConnect if you want to confirm nothing is still running.
- Next, edit the User.xml file using Notepad. To do so, highlight the text below:
cd /d "C:\Program Files (x86)\ScreenConnect\App_Data"
notepad user.xml
echo this is a dummy line
- Right click over top of the highlighted text and select "Copy". Right click in the command prompt window to paste. This should open the User.xml file in Notepad with administrative privileges (which are required to modify this file).
- Next, find the entry for the locked-out account in User.xml (each local user has its own block of these fields, so change only the one you are unlocking), set the following three values, and then save the file using Notepad:
<IsLockedOut>false</IsLockedOut>
<InvalidPasswordWindowAttemptCount>0</InvalidPasswordWindowAttemptCount>
<InvalidPasswordAbsoluteAttemptCount>0</InvalidPasswordAbsoluteAttemptCount>
- Now it's time to edit the web.config file. To do so, highlight the text below:
cd /d "C:\Program Files (x86)\ScreenConnect"
notepad web.config
echo this is a dummy line
- Right click over top of the highlighted text and select "Copy". Right click in the command prompt window to paste. This should open the web.config file in Notepad with administrative privileges (which are required to modify this file).
- Using Notepad, press CTRL + F and search for "issetup" (no quotes) in the web.config file. Change the value to "false", and then save it. Setting IsSetup to false tells ScreenConnect to run its Setup wizard again on the next visit, which is what lets you set a new Administrator password. Until you complete that wizard, anyone who can reach the server in a browser could complete it instead, so do the remaining steps right away rather than leaving the server in this state.
<add key="IsSetup" value="false" />
- Now it's time to start ScreenConnect. To do so, highlight the text below:
net start "ScreenConnect Session Manager"
net start "ScreenConnect Relay"
net start "ScreenConnect Web Server"
echo this is a dummy line
- Right click over top of the highlighted text and select "Copy". Right click in the command prompt window to paste. This will restart your ScreenConnect server.
- Access your ScreenConnect instance in a browser (example: connectwise.yoursite.com:8040/). Because IsSetup is false, you will be taken through the Setup screen instead of the normal login: enter Administrator as the user with whatever new password you want, then click Continue. It will then ask for your ScreenConnect license; enter it. After that, you should be logged in to ScreenConnect with access to your old sessions. Yay!
- We're not done yet, however. Now it's time to create a secondary user with your name using the naming convention I mentioned earlier (example: Fred-ZWYKg7$UC8o%). After logging in to your ScreenConnect, click the cogwheel on the left side of the screen. This will take you to the "Administration" page; click the "Security" tab. Under the heading "User Sources," click the "Show User Table". Once the table is shown, click "Create User". Enter in your name (ex: Fred-ZWYKg7$UC8o%) with an equally strong password, supply your email in the "Email" field, and enter in an appropriate "Display Name" which will be shown to clients when you connect with them. To the right of the "Role(s)" heading, place a check mark next to "Control Administrator" and click "Save User".
- Before logging out of the current session, test to make sure your newly created user works. To do so: open a new browser tab and go to your ScreenConnect web page, then attempt to login as the user you just created. Assuming that it worked, close the browser tab; this will bring you back to the Security page you were on previously. Next, change the name of the Administrator user using the new naming convention (example: Admin-j#8FGA458TxG). Make sure to use a super strong password, change the "Display Name" to something appropriate, then save your changes.
- After renaming the Administrator account, open a new browser tab, navigate to your ScreenConnect web page, and attempt to login as the newly renamed Admin user. If you're able to login, all is good. If you can't, you can still login as the secondary user to make additional changes.
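The service stop, backup, User.xml edit, optional IsSetup change and service start above, collected into one script. This is an added example, not code from the original article or from ConnectWise: it assumes the default install path, that User.xml holds one element per local user with a Name child beside the three lockout fields shown above, and that web.config keeps IsSetup under appSettings. The file name, parameter names and the -RerunSetup switch are this example's own. Run it from an elevated PowerShell prompt on the ScreenConnect server.

```powershell
<#
  Reset-ScreenConnectLockout.ps1 (hypothetical name; added example, not the vendor's code)
  Clears the lockout counters for one local ScreenConnect user and, with -RerunSetup,
  re-arms the Setup wizard so the password can be reset. Assumptions are noted inline.
#>
param(
    [string]$UserName   = 'Administrator',
    [string]$InstallDir = 'C:\Program Files (x86)\ScreenConnect',   # assumed default path
    [switch]$RerunSetup                                              # also set IsSetup=false
)

$ErrorActionPreference = 'Stop'
$services = 'ScreenConnect Session Manager', 'ScreenConnect Relay', 'ScreenConnect Web Server'
$userXml  = Join-Path $InstallDir 'App_Data\User.xml'
$webCfg   = Join-Path $InstallDir 'web.config'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Stop all three services. Stop-Service blocks until each reports Stopped.
foreach ($s in $services) { Stop-Service -Name $s -Force }

# 2. Keep a timestamped copy of both files before editing them.
Copy-Item -Path $userXml -Destination "$userXml.$stamp.bak"
Copy-Item -Path $webCfg  -Destination "$webCfg.$stamp.bak"

# 3. Clear the lockout on the named user only; every other user's entry is left as is.
#    Assumes each user element has a <Name> child (not shown on the page, so an assumption).
[xml]$users = Get-Content -Path $userXml -Raw
$user = $users.SelectSingleNode("//*[Name='$UserName']")
if (-not $user) { throw "No local user named '$UserName' in $userXml" }
Write-Host ('Before: IsLockedOut={0} WindowAttempts={1} AbsoluteAttempts={2}' -f $user.IsLockedOut, $user.InvalidPasswordWindowAttemptCount, $user.InvalidPasswordAbsoluteAttemptCount)
$user.SelectSingleNode('IsLockedOut').InnerText                        = 'false'
$user.SelectSingleNode('InvalidPasswordWindowAttemptCount').InnerText   = '0'
$user.SelectSingleNode('InvalidPasswordAbsoluteAttemptCount').InnerText = '0'
$users.Save($userXml)

# 4. Optionally re-arm the Setup wizard (the article's web.config step). While IsSetup is
#    false the wizard is reachable by anyone who can browse to the server, so only use
#    -RerunSetup when you will complete the wizard immediately after the services start.
if ($RerunSetup) {
    [xml]$cfg = Get-Content -Path $webCfg -Raw
    $key = $cfg.SelectSingleNode("//appSettings/add[@key='IsSetup']")
    if (-not $key) { throw "No IsSetup key found in $webCfg" }
    $key.SetAttribute('value', 'false')
    $cfg.Save($webCfg)
}

# 5. Bring the services back in the same order the article starts them.
foreach ($s in $services) { Start-Service -Name $s }
Write-Host "Done. Backups: $userXml.$stamp.bak and $webCfg.$stamp.bak"
```

Usage: `.\Reset-ScreenConnectLockout.ps1` only clears the lockout, which is enough when you still know the password and were locked out by bots; `.\Reset-ScreenConnectLockout.ps1 -UserName Administrator -RerunSetup` additionally re-arms the wizard so you can set a new password from the browser as described above. If the XPath lookup fails, open User.xml and check the element names, since the script deliberately refuses to guess.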