How to Fix: Locked out of ScreenConnect On-Prem v23.9+ (2024)


Infopackets Reader Fred J. writes:

" Dear Dennis,

Like you, I use an on-premise version of ConnectWise ScreenConnect to provide technical support to my clients. A recent security vulnerability (CVE-2024-1709) this past February forced me to upgrade ScreenConnect to their latest branch (currently version 23.9) in order to patch the system. Prior to that, I was using an old Linux version of ScreenConnect from 2016. A few weeks after the upgrade, however, the 'Administrator' user I use to log into my on-prem ScreenConnect is locked out because bots keep hitting my login page in order to guess my password.

The error I get is 'Too many incorrect password attempts; you have been locked out,' even though I'm entering the correct password. This is extremely frustrating. Worse yet, I have tried repeatedly to issue a password reset at the login page, but the password reset request never arrives in my inbox. I am effectively locked out!

After some research on how to reset a locked ScreenConnect account, I have also attempted to modify the user.xml file (located in C:\Program Files (x86)\ScreenConnect\App_Data) and changed the 'IsLockedOut' value from true to false, but that didn't work, either. I need to get back in and I don't want to lose all my sessions that I was previously managing. Surprisingly, there are no documents on ConnectWise's website that explain how to do this. I can't believe ConnectWise would be so sloppy - surely they must have anticipated something like this happening. Can you PLEASE help? "

My response:

I asked Fred if he would like me to connect to his system to manage this issue using my remote desktop support service, and he agreed.

Below I will discuss my findings.

How to Fix: Locked out of ScreenConnect On-Prem v23.9+ (2024)

There are a few things to mention before we begin:

Since the ScreenConnect CVE-2024-1709 vulnerability was issued in late February 2024, bots have been attempting brute-force logins on both patched and non-patched versions of ScreenConnect. On newer versions of ScreenConnect, this will result in the 'Too many incorrect password attempts; you have been locked out.' error message even if your password is correct.

Moreover, ConnectWise ScreenConnect doesn't use CAPTCHAs as part of their login procedure for Administrator users, which would prevent bots from brute-force hammering your on-premise version of ScreenConnect in the first place.

As such, I recommend you rename the Administrator user to a name made of random letters, numbers and symbols (example: Admin-j#8FGA458TxG). Additionally, create a secondary user with your name that also has admin access and uses the same naming convention (example: Fred-ZWYKg7$UC8o%), so that you are not locked out by bots again in the future. This naming convention makes it next to impossible for bots to guess your login name, and hence you won't get locked out even though your password is correct.
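As an added example (not from the article), here is how to generate account names in that style with a cryptographic random number generator rather than typing characters by hand. The alphabet, the suffix length and the `New-RandomSuffix` function name are my choices; the article does not say which characters ScreenConnect accepts in a user name beyond the ones in its own examples, so that is an assumption.

```powershell
# Added example, not from the article: build an account name such as
# Admin-j#8FGA458TxG from cryptographically random characters.
# Assumption: the alphabet below (letters, digits and the symbols # $ % that
# appear in the article's examples) is accepted by ScreenConnect for user names.
function New-RandomSuffix {
    param([int]$Length = 12)
    # Ambiguous glyphs (0/O, 1/l/I) are dropped so the name can be read back from a note.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789#$%'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = [byte[]]::new(1)
    $sb  = [System.Text.StringBuilder]::new()
    # Rejection sampling: a byte has 256 values, which is not a multiple of the
    # alphabet size (58), so bytes at or above $limit are discarded instead of
    # wrapped with modulo. Otherwise the first few characters would be more likely.
    $limit = 256 - (256 % $alphabet.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

# Pick a fresh name for the renamed Administrator and for the secondary account.
"Admin-$(New-RandomSuffix)"
"Fred-$(New-RandomSuffix)"
```

Paste the output into the "Name" field when you create or rename the user; keep a copy in your password manager, since a name you cannot remember is as much a lockout as a forgotten password.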

Step-by-step Instructions

Note that you will need your ScreenConnect license in order to complete the steps below. It should have been sent to you via email when purchasing your on-premise version of ScreenConnect.

To reset your Administrator user's password of an on-premise ScreenConnect without losing your previous sessions (assuming the password reset function isn't working), do the following:

  1. Stop ScreenConnect from running so you can modify some configuration files. To do so: go to the machine that is running your on-premise ScreenConnect instance. Next, click Start and type in "cmd.exe" (no quotes); wait for CMD.EXE or Command Prompt to appear in the list; when it does, right click CMD.EXE or Command Prompt and (!important!) select "Run as Administrator".
     
  2. Now it's time to stop your ScreenConnect server. To do so, highlight the text below with your mouse:

    net stop "ScreenConnect Session Manager"
    net stop "ScreenConnect Relay"
    net stop "ScreenConnect Web Server"
    echo this is a dummy line
     
  3. Right click over top of the highlighted text above and select "Copy". Next, right click in the middle of the command prompt window you opened in Step #1 to paste. The commands from Step #2 will run in the command prompt and your ScreenConnect services should be stopped.
     
  4. Next, edit the User.xml file using Notepad. To do so, highlight the text below:

    cd /d "C:\Program Files (x86)\ScreenConnect\App_Data"
    notepad user.xml
    echo this is a dummy line
     
  5. Right click over top of the highlighted text and select "Copy". Right click in the command prompt window to paste. This should open the User.xml file in Notepad with administrative privileges (which are required to modify this file).
     
  6. Next, change the following three values in your User.xml file to those shown below, and then save it using Notepad:

    <IsLockedOut>false</IsLockedOut>
    <InvalidPasswordWindowAttemptCount>0</InvalidPasswordWindowAttemptCount>
    <InvalidPasswordAbsoluteAttemptCount>0</InvalidPasswordAbsoluteAttemptCount>
     
  7. Now it's time to edit the web.config file. To do so, highlight the text below:

    cd /d "C:\Program Files (x86)\ScreenConnect"
    notepad web.config
    echo this is a dummy line
     
  8. Right click over top of the highlighted text and select "Copy". Right click in the command prompt window to paste. This should open the web.config file in Notepad with administrative privileges (which are required to modify this file).
     
  9. Using Notepad, press CTRL + F and search for "issetup" (no quotes) in the web.config file. Change the value to "false", and then save the file. While IsSetup is false, the setup wizard is open to anyone who can load your ScreenConnect web page, so carry out Step 12 as soon as the services are back up in Step 11. The line should read:

    <add key="IsSetup" value="false" />
     
  10. Now it's time to start ScreenConnect. To do so, highlight the text below:

    net start "ScreenConnect Session Manager"
    net start "ScreenConnect Relay"
    net start "ScreenConnect Web Server"
    echo this is a dummy line
     
  11. Right click over top of the highlighted text and select "Copy". Right click in the command prompt window to paste. This will restart your ScreenConnect server.
     
  12. Access your ScreenConnect instance in a browser (example: connectwise.yoursite.com:8040/). Log in with the Administrator user, using any password you want. This will take you through the Setup screen - click Continue. It will then ask for your ScreenConnect license; enter it. After that, you should be logged in to your ScreenConnect and you will have access to your old sessions. Yay!
     
  13. We're not done yet, however. Now it's time to create a secondary user with your name using the naming convention I mentioned earlier (example: Fred-ZWYKg7$UC8o%). After logging in to your ScreenConnect, click the cogwheel on the left side of the screen. This will take you to the "Administration" page; click the "Security" tab. Under the heading "User Sources," click the "Show User Table". Once the table is shown, click "Create User". Enter in your name (ex: Fred-ZWYKg7$UC8o%) with an equally strong password, supply your email in the "Email" field, and enter in an appropriate "Display Name" which will be shown to clients when you connect with them. To the right of the "Role(s)" heading, place a check mark next to "Control Administrator" and click "Save User".
     
  14. Before logging out of the current session, test to make sure your newly created user works. To do so: open a new browser tab and go to your ScreenConnect web page, then attempt to log in as the user you just created. Assuming that it worked, close the browser tab; this will bring you back to the Security page you were on previously. Next, change the name of the Administrator user using the new naming convention (example: Admin-j#8FGA458TxG). Make sure to use a super strong password, change the "Display Name" to something appropriate, then save your changes.
     
  15. After renaming the Administrator account, open a new browser tab, navigate to your ScreenConnect web page, and attempt to log in as the newly renamed Admin user. If you're able to log in, all is good. If you can't, you can still log in as the secondary user to make additional changes.
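For readers who would rather not hand-edit XML in Notepad, here is a scripted version of Steps 1 through 11 as an added example; it is not from the article and not a ConnectWise tool. It assumes the default install path used above, that the account to unlock is named 'Administrator', and that each <User> element in User.xml carries its account name in a child element named <Name> (the article shows only the three lockout elements, so the <Name> element is an assumption). The `Set-ChildText` helper is mine. Run it from a PowerShell window started with "Run as Administrator", then finish with Step 12 in the browser.

```powershell
# Added example, not part of the article or of ConnectWise's tooling: scripted
# version of Steps 1-11. Assumptions: default install path, target account
# 'Administrator', and a <Name> child element inside each <User> in User.xml.
$InstallDir = 'C:\Program Files (x86)\ScreenConnect'
$UserXml    = Join-Path $InstallDir 'App_Data\User.xml'
$WebConfig  = Join-Path $InstallDir 'web.config'
$TargetUser = 'Administrator'
$Services   = 'ScreenConnect Session Manager', 'ScreenConnect Relay', 'ScreenConnect Web Server'

# Helper: set the text of a direct child element, ignoring any XML namespace.
function Set-ChildText {
    param([System.Xml.XmlElement]$Parent, [string]$Name, [string]$Value)
    $child = $Parent.SelectSingleNode("*[local-name()='$Name']")
    if (-not $child) { throw "Element <$Name> not found under <$($Parent.LocalName)>" }
    $child.InnerText = $Value
}

# Steps 1-3: stop the three services so they cannot rewrite the files while we edit.
foreach ($svc in $Services) { Stop-Service -Name $svc -ErrorAction Stop }

# Keep a timestamped copy of both files; restore them if anything goes wrong.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $UserXml   -Destination "$UserXml.$stamp.bak"   -ErrorAction Stop
Copy-Item -Path $WebConfig -Destination "$WebConfig.$stamp.bak" -ErrorAction Stop

# Steps 4-6: clear the lockout flag and both attempt counters for the one
# target account only; every other user is left untouched.
[xml]$users = Get-Content -Path $UserXml -Raw
$user = $users.SelectSingleNode("//*[local-name()='User'][*[local-name()='Name']='$TargetUser']")
if (-not $user) { throw "User '$TargetUser' not found in $UserXml" }
Set-ChildText -Parent $user -Name 'IsLockedOut' -Value 'false'
Set-ChildText -Parent $user -Name 'InvalidPasswordWindowAttemptCount' -Value '0'
Set-ChildText -Parent $user -Name 'InvalidPasswordAbsoluteAttemptCount' -Value '0'
$users.Save($UserXml)

# Steps 7-9: set IsSetup to false so the next browser login goes through the
# setup wizard (Step 12: it accepts the password you type and asks for the licence).
[xml]$cfg = Get-Content -Path $WebConfig -Raw
$setup = $cfg.SelectSingleNode("//appSettings/add[@key='IsSetup']")
if (-not $setup) { throw "appSettings key 'IsSetup' not found in $WebConfig" }
$setup.SetAttribute('value', 'false')
$cfg.Save($WebConfig)

# Steps 10-11: bring the services back in the same order the article uses.
foreach ($svc in $Services) { Start-Service -Name $svc -ErrorAction Stop }

Write-Host "Lockout cleared for '$TargetUser' and IsSetup=false written."
Write-Host "The setup wizard is now reachable by anyone who can load the login page:"
Write-Host "complete Step 12 in the browser immediately. Backups: *.$stamp.bak"
```

The script fails loudly (and leaves the backups in place) rather than guessing if the target user or the IsSetup key is not where it expects, and it touches only the one account, which is the difference between this and a global search-and-replace of `IsLockedOut` in Notepad.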

I hope that helps.

About the author: Dennis Faas is the CEO and owner of Infopackets.com. Since 2001, Dennis has dedicated his entire professional career to helping others with technology-related issues with his unique style of writing in the form of questions-and-answers; click here to read all 2,000+ of Dennis' articles on this site. In 2014, Dennis shifted his focus to cyber crime mitigation, including technical support fraud and, in 2019, sextortion. Dennis has received many accolades during his tenure: click here to view Dennis' credentials at DennisFaas.com; click here to see Dennis' Bachelor's Degree in Computer Science (1999); click here to read an article written about Dennis by Alan Gardyne of Associate Programs (2003). And finally, click here to view a recommendation for Dennis' services from the University of Florida (dated 2006).
