We are using LogMeIn Pro for a number of people in our organization, and just implemented 2FA from ManageEngine. LogMeIn has a "feature" where it can bypass the authentication option and from what it seems use the local hash to automatically login. To me this is a security breach and the company we use for security also agreed and said this should not be allowed.
I have spoken to ManageEngine and they do not know how LogMeIn is bypassing their 2FA, and LogMeIn will not answer my questions, and calls it a "feature". MangeEngine did give me an option to possibly stop this from happening, a registry setting, by LogMeIn has not.
Does anyone else have this issue, any ideas? I am recommending we cancel our accounts.
Wow, that is a serious problem. I am looking forward to the resolution you find!
Brand Representative for GoTo (formerly LogMeIn)
Hey StevenILA,
Appreciate your question today and wanted to provide some resources on how LogMeIn products ensure security. For some additional info, here is our white paper with an in-depth look at our security measures. Users are advised to enable one or more of LogMeIn’s extra security features to strengthen authentication. To setup two-factor authentication for your own account or to force this policy change for all users please consult this user guide beginning on page 13.
I hope this is helpful! Please let me know if you have any additional questions.
Tamara, thank you but I have been through that. And I do not want to enable 2FA within LogMeIn, I want & need to use what I have implemented across my Network.
I have noticed this happen with some other products periodically in various ways. It's likely something to do with the order in which authentication actions are taken. Think of it this way:
Scenario 1) You RDP into a site. Upon hitting connect, you're prompted for a Windows authentication. You enter your username and password and hit connect. You are connected and then prompted for a DUO connection. You hit accept and then you're logged in.
If you then installed LogMeIn onto the system you have RDPed into, disconnected, and connect with LogMeIn, you will be prompted for the LogMeIn authentication, but not the DUO authentication as LogMeIn is already authenticated with Windows and sitting resident.
Scenario 2) You RDP into a site. Upon hitting connect, you're prompted for a Windows authentication. You enter your username and password and hit connect. Your connection is then interrupted and you are prompted for a 2FA confirmation from Microsoft to verify yourself with your Azure AD. You validate and then get connection.
If you then install LogMeIn on that same system, when you RDP in again, LogMeIn need to send the authentication for your connection when you put in your password to validate against Microsoft Azure. This would then prompt you for 2FA from Microsoft. If you are denied, then you would be denied.
With this timing scenario in mind, you should consider that any access that LogMeIn is CAPABLE of granting should be considered to be "granted" if the firing sequence is capable of working as in Scenario 1. Thus, even if you do not WANT to use their 2FA, it should be enabled anyway because this is just a 'backdoor' into your system without using it. Doing proper 'penetration testing' of your setup is not just authenticating the way you want to, but "all possible ways".
Thank you for that explanation.
What does Managengine's MFA key off of? AD authentication? RDGateway? A widget installed locally on each device?
AD authentication
AD authentication
I can see it easily getting around MFA. The user account on the workstation is already authenticated to AD so no further AD authentication is needed when a Logmein connection is made. Same thing would happen with Splashtop, Teamviewer, etc. I would imagine.
I had the same issue with remote users - we use Duo to enforce MFA on RDGateway but installing Teamviewer, etc., on a workstation bypasses all that. My solution was to block those type apps at my firewall.
Splashtop actually goes through the authentication process and does not bypass it. I started using Splashtop as an alternative and it works just fine, and a lot cheaper.
That's a huge relief to hear this, thank you StevenILA for the update. We're rolling out privileged account MFA this Summer and Splashtop Business is our remote control tool for emergency admin jumpstation access.
Whew!
thelanranger gave the best answer. But in a broader sense, any program you install as a service that listens for incoming connections can bypass "regular" authentication if it wants to the extent that it has already been previously granted access. That's why it's important to know what you install and how it acts. On Windows, a program may or may not participate and call the normal Winlogon processes for authentication. But they don't have to. They can authenticate using their own proprietary coding, use their own authentication databases/stores (instead of the local SAM or AD), etc. For example, you can require anyone directly logging onto your Windows server to require MFA. But if you install Microsoft Internet Information Server (IIS), it contains its own authentication mechanisms in addition to the underlying Windows stuff (in IIS you can require that by enable Windows Integrated Authentication), but you can also enable/configure other methods, including purely Anonymous logons, which still run under particular service account contexts. Of course, if you want to contact a part of the Windows NTFS file system that is protected by Windows that the involved program doesn't already have access to, that program has to address the appropriate access controls and authentication prompts. A program or service can't just bypass built-in Windows security access controls for areas it hasn't already been granted access to. But any program, especially a service, is running under the security context of one or more user/service account contexts and can access whatever the security context they are running under can access; and the program involved can, if it chooses, simply allow anyone using or connecting to it to access all that it has access to with or without additional authentication. This is just a long way of saying that whatever access control a program or service has been given access to it can then grant or delegate to any other program or user in anyway that it wishes. You must always be aware, as luckily you already are, of this. Every additionally installed program and service is another potential hole in your security defense armor and should be analyzed and treated thusly. I've always wanted to say thusly in a sentence.
Splashtop actually goes through the authentication process and does not bypass it. I started using Splashtop as an alternative and it works just fine, and a lot cheaper.
I use splashtop as well but I have noticed that it will circumvent DUO and some other MFA authentication methods as well just simply due to the timing described above. I think they're aware of this though and splashtop has their own form of tokenized MFA enabled by default with your email though so at least there's that.
I actually just tested Splashtop and it is not bypassing my 2FA.
Splashtop (and others) can be configured to use Windows authentication or not. I bet if it's set to not use Windows authentication, it would bypass MFA.
It may do that. If it was configured to authenticate with Azure AD and you were relying on Microsoft MFA then it would likely have a token for that. Like I said, it will also bypass (through no real fault of its own) Windows Auth DUO because it's installed behind that.
Tamara for GoTo Your input here didn't really answer the question the OP posed. Does Logmein have a better answer for his question? That sounded like a canned response I would get from level 1 tech support on a support call. Not trying to bash here, but rather ask for better insight from your company. The OP already indicated that he received disappointing feedback from Logmein and the lack of clarity on this security topic from Logmein does not give me much confidence in the product.
To the OP: Out of curiosity. Why use LogMeIn when you have other better options? Was that a legacy implementation that you inherited or was it your choice?
IMO: That program give you one of the least pleasant GUI and use experience. Also it's one of the most expensive in relation of what you get.
LogMeIn will be my last choice for sure.
My first choice will always be RDP. If you cannot implement a RDS GATEWAY then you do RDP with MFA (there are many options for RDP/MFA). NOTHING can match the user experience with RDP. Microsoft got that right. I use Teamviewer when I cannot use RDP and I hate the scaling and the slowness of it all.
Here is a good tip: If you can and decide to give RDP a try you can use DDNS. DDNS subdomains are very cheap and you can get a ton for pennies. So in addition to MFA you can feel even more secure by using DDNS. It's a win win.
Take care
They were using Logmein before I joined this company, and they are so used to using it, that it is/was hard for me to change. Now I have a case...
They were using Logmein before I joined this company, and they are so used to using it, that it is/was hard for me to change. Now I have a case...
Good to know. Yes keep pushing it now that you have plenty of reasons. Also when the users see the difference in speed and the much transparent experience they will thank you. But please be careful. If you are not going to implement RDS with a Gateway you need to make sure you are securing RDP all the way down by doing MFA in combination with VPN or DDNS. I always try to avoid VPNs when possible for end users. (Too much power) so I try to use DDNS as much as possible. Just make sure you use a strong password for the client (hosts) and secure the admin user on the web portal with MFA.
Your daily dose of tech news, in brief. Welcome to Friday! It has been a big week here as we launched Spiceworks News & Insights a few days ago. Do you know who else had their sights set high? Kenneth Arnold. On June 24, 1947, civilian pilot Ken...
I have a win 10 pro machine with 21H2.Running chrome 102.0.5005.115. I will open a bunch of tabs during the day (right now, 49). And including other things that are running, there's 80% of the 12GB of RAM in the box.I've noticed that when I go into ...
HI Spiceworld,I was reading some discussions around the community and I see that here it’s like we’re all part of a family, so I venture to open this discussion, hoping that you can help me/understand me or at least bring your experiences. I am a c...
Compulsion: 1: a very strong urge to do something He felt a compulsion to say something. 2: a force that makes someone do something She was acting under compulsion. 3: an act or the state of forcing an action They ...
I have a situation where one of the offices is looking to sublet for 1 day a week. They want one port to put their firewall/router on and drive their network from there. My first notion is to say no and require them to pull in their own connection. I want...
