MGreen

Administrator
  1. The OldSystemPassword is in the config table alongside the SystemPassword. If you don't recognize what I'm talking about then you shouldn't be messing with it and should stick with the official Connectwise Recommended methods (see https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Documentation/070/260/050). The specifics of the risks involved are not discussed for obvious reasons. Suffice it to say it is a security risk and the recommendation from Connectwise via an email to the partners who had suspected invalid compromised agents. If you didn't receive this email then you can make the decision yourself to either play on the safe side and change it anyways or assume you're okay and don't change it. I assure you there is a lot of chatter about the available public details regarding this on our Slack team. Feel free to join there and ask the questions you have if you still need further clarification. Please note that Darren has released the details of his Token generating script that will enable Temporary deployment passwords with LTPosh. @BlueToast the server password is stored in plain text in the MSI.
  2. Recently Connectwise released a statement recommending Server Passwords for Agent Signup on their Automate be rotated two times. People obviously have concerns about this. This post will strive to answer all questions and concerns regarding this notice.

     Q: What happens when I change this password?
     A: To answer this you have to understand how Agent Communication works. The agent during signup uses the Server Password to create what's called an Agent Password. This Agent Password is unique to all agents that are communicating with the server, and is what is actually used for communicating. After signup the Server Password is never used again (although still stored in registry) unless a situation arises where the Agent Password is broken, forcing the agent to perform a re-signup.

     Q: What is this nonsense about rotating twice, do I need to? How long do I wait before rotating twice?
     A: The server password was designed much like the AD Computer Password for a Domain. When you rotate the password, all agents online are immediately updated with the new password; however, the old password is moved into the Config table under "OldSystemPassword". Agents with the old password are still allowed to signup, therefore to be safe you want to change it twice to wipe out the previous possibly compromised password completely. Alternatively you can change the OldSystemPassword in SQL without rotating it twice, but really it does the same thing. Therefore you DO NOT need to wait before updating the password the second time, as agent communications work independently of the server password and will therefore update the latest password without having the "current" old password. Please note that agents that are offline at the time will still work when they come back assuming the agent password is correct and matches what's in the database for that agent.

     Q: What does this mean to re-install the Probe?
     A: The probe agent needs to be completely reinstalled. Yes, the entire agent. This is only if you use the probe for agent deployment. If you don't or don't care about it then don't worry about it. Please note running the Redo-LTService commandlet from the LTPosh Module does count as reinstalling the agent. Make sure you remove it from being a probe first.

     Q: WHAT LTPOSH WAIT HOW IS THAT SECURE?
     A: Just like any other agent installer, don't leave it lying around. You can use the -ServerPassword along with any of the install commands to install the Agent. Additionally for those people who like to feel extra warm under additional layers you can safely rotate the OldSystemPassword value in a script via SQL and then pass that into the -ServerPassword parameter. As explained above, the value in OldSystemPassword will still work for Agent Signup. That way you can safely rotate this signup password without breaking probes or legitimate agent re-signups all the time.

     Q: What should I make my new server password?
     A: The SQL Table is limited to 16 Characters max. You can go longer but it's unlikely to actually keep anything beyond the first 16 Characters. Almost all characters are supported. While I haven't tested any, the special characters that I know have worked are listed below.

     ` ' " \ [ ] { }

     Please speak to Darren regarding testing alternative uses with LTPosh that will be merged into the main branch once testing is complete. This will involve using a temporary token instead of either current or old System Passwords. You can see more https://mspgeek.slack.com/archives/C1YPT4QT1/p1592842394495500?thread_ts=1592840762.450400&cid=C1YPT4QT1 assuming the Slack Overlords are nice to you.
  3. Your file is definitely missing things. Here is an example of a working ZIP file. Both 1.9.2 and 1.12.1: jquery-ui-1.12.1.custom.zip, jquery-ui-1.9.2.custom.zip. These were made from a secondary repo of the JQuery RollerUI as the main one has been offline for some time. https://jqueryui.templersmc.net/themeroller/ Note for 2020 Patch 5 you will need to use 1.12.x JQuery.
  4. There's no guide written up per se. There will be a write up for Nginx soon (as a reverse proxy and disabling various areas). The /labtech/ IIS Application is one of the critical pieces; in there you have Deployment.aspx, ControlCenter.asmx and Agent.aspx. Those three are critical for deploying agents, agent check-ins, and Control Center access (thick client).
  5. A couple of points specifically for the Consent part of the Agent template (although I'm not sure how much this part helps you): consent is controlled via a parameter being included in the URL to the CWC server that launches the session. When the template is checked to force Consent it does so by passing that parameter in (&consent=true or something like that). Which indicates that 1) Automate could easily incorporate per user settings for this and 2) it was more thought out than we realize; however, I don't think that capability or level of flexibility exists. A side note, because this specific template setting is all on the Labtech side and not the agent, there's no need to update agent for these settings to take effect; however, also keep in mind that this doesn't really help you at all. The only wait period would be from the agents themselves joining the group to have the template applied.
  6. Hi @nocDan Can you be more specific about what you're talking about? Where you're talking about? Automate interface itself has a HOSTNAME and a DOMAIN NAME that will display the FQDN when the machine is domain joined. (For Domain controllers it'll be DC:<domain name>). Workgroups will be just a single Workgroup name as opposed to an FQDN.
  7. Hey @lgs Did you open a CW Support ticket for this? Were they the ones who split your server? What process was followed for the splitting? Did you recreate both servers or just dump and import the database and update the connection strings on the application server? Aside from the log errors are you noticing any actual issues with anything? Random agents going offline or heartbeat not functioning properly?
  8. woah how am I just finding these amazing things
  9. You know I'm suddenly seeing screenconnect on some linux servers and I have no idea how they got there
  10. I think my favorite part are the descriptions like "Crunchy" and "Exotic"
  11. erm for what? Windows XP lol Windows 7 which is out of support end of Jan? 😮 anyways pretty sure these would fall under MS Patching - Windows Updates
  12. Start using SHELL and something like this https://www.windowscentral.com/how-check-your-computer-uptime-windows-10 get the results returned directly into %shellresult% and then save it to a variable @uptime@ which you can then perform math on to make your logic. Everything you're asking about can be accomplished either in Powershell using Execute Script or Shell with labtech scripting logic.
  13. Even hosted Automate instances can still SQL Execute from within a labtech script....
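
The rotate-twice behaviour from the server password FAQ post above (item 2), as an added example that is not from the post or from ConnectWise. It is a simplified model built only from the post's description; the class, method names and sample passwords are hypothetical, and storing only the first 16 characters is an assumption drawn from the post's note about the SQL table limit.

```python
import hmac
import secrets

MAX_LEN = 16  # per the post: the SQL table keeps at most 16 characters


class SignupServer:
    """Toy model of the current/old server password slots (hypothetical names)."""

    def __init__(self, password):
        self.current = password[:MAX_LEN]
        self.old = None            # models the OldSystemPassword value
        self.agent_passwords = {}  # agent id -> unique per-agent password

    def rotate(self, new_password):
        # The previous value moves to the "old" slot and remains valid for signup.
        self.old, self.current = self.current, new_password[:MAX_LEN]

    def signup_allowed(self, presented):
        return any(
            slot is not None
            and hmac.compare_digest(slot.encode(), presented.encode())
            for slot in (self.current, self.old)
        )

    def signup(self, agent_id, presented):
        if not self.signup_allowed(presented):
            return None
        self.agent_passwords[agent_id] = secrets.token_hex(16)
        return self.agent_passwords[agent_id]

    def checkin(self, agent_id, agent_password):
        expected = self.agent_passwords.get(agent_id)
        return expected is not None and hmac.compare_digest(expected, agent_password)


def rotation_walkthrough():
    leaked = "Leaked-Signup-01"  # constructed sample value, exactly 16 chars
    server = SignupServer(leaked)
    agent_pw = server.signup("agent-1", leaked)
    results = {}
    server.rotate("First-Rotation-2")
    results["leaked_after_one"] = server.signup_allowed(leaked)
    server.rotate("Second-Rotation3-extra")  # 22 chars, only 16 are stored
    results["leaked_after_two"] = server.signup_allowed(leaked)
    # The enrolled agent talks with its own agent password, so rotation
    # of the server password does not interrupt it.
    results["agent_still_ok"] = server.checkin("agent-1", agent_pw)
    # Characters past position 16 were never stored, so they add no secrecy.
    results["first_16_accepted"] = server.signup_allowed("Second-Rotation3")
    return results
```
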