[GH-ISSUE #1679] Security Policy of disabling inactive accounts or ones that have not enrolled 2FA yet automatically. + MeshCentral user isolation intergation. #2994

New issue

Open

opened 2026-03-14 06:10:43 +03:00 by kerem · 0 comments

kerem commented 2026-03-14 06:10:43 +03:00

Owner

Copy link

Originally created by @n3ptune-cpu on GitHub (Nov 14, 2023).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1679

The reason for this request

Recently, a friend of mine who had access to my RMM, noticed something quite odd. They noticed that a user account had been created out of the blue without their notice. We looked into logs and had discovered that a user account had not yet setup 2FA or logged in a while had recently logged in and executed a few scripts onto the system. It appears that someone had managed to find the password of that account and had basically logged in and set up 2FA for themselves only to find machines to exploit on. We think that the account had been brute forced, which could be how they had managed to access the unused account, knowing that there is no attempt limit.

Describe the solution you'd like

A solution that could be done to issue this issue is to have accounts expiring and be disabled until they log in again. This could be after a set amount of period, the account gets disabled due to no recent logins and thus once logging in, requires a password change to access the RMM. Another thing that can be done is that if the user has an account created but has not logged in and setup 2FA for a while, the account gets disabled until the user requests for it to be enabled again and so they can once again set 2FA up for their account. As well as this, feature that could temporarily lock out an account if there are too many incorrect attempts, to prevent brute forcing.

Describe alternatives you've considered

All though proper permissions and consideration on the security of the RMM has to be focused on by the user, I also feel like there should be a feature of having MeshCentral accounts isolated with in the RMM to further enhance the permission system. This is because an account with MeshCentral access enabled can easily access all the systems as it uses the same account for everything that is in the Tactical RMM group. This defeats the purpose of permissioning agents and clients as it is very easy to access them all from Mesh. The only way to prevent this is to disable access to MeshCentral and create accounts solely to use Mesh alone.

Additional context

Context for what has been described above:

The commands being ran by an external user who is not supposed to have access.

The random account appearing on the login screen which was created from RMM as seen above.

The account that has not logged in after a while.

Separate accounts and groups are created on Mesh to allow isolation but no integration with RMM.

Originally created by @n3ptune-cpu on GitHub (Nov 14, 2023). Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/1679 ### ***The reason for this request*** Recently, a friend of mine who had access to my RMM, noticed something quite odd. They noticed that a user account had been created out of the blue without their notice. We looked into logs and had discovered that a user account had not yet setup 2FA or logged in a while had *recently* logged in and executed a few scripts onto the system. It appears that someone had managed to find the password of that account and had basically logged in and set up 2FA for themselves only to find machines to exploit on. We think that the account had been brute forced, which could be how they had managed to access the unused account, knowing that there is no attempt limit. ### **Describe the solution you'd like** A solution that could be done to issue this issue is to have accounts expiring and be disabled until they log in again. This could be after a set amount of period, the account gets disabled due to no recent logins and thus once logging in, requires a password change to access the RMM. Another thing that can be done is that if the user has an account created but has not logged in and setup 2FA for a while, the account gets disabled until the user requests for it to be enabled again and so they can once again set 2FA up for their account. As well as this, feature that could temporarily lock out an account if there are too many incorrect attempts, to prevent brute forcing. ### **Describe alternatives you've considered** All though proper permissions and consideration on the security of the RMM has to be focused on by the user, I also feel like there should be a feature of having MeshCentral accounts isolated with in the RMM to further enhance the permission system. This is because an account with MeshCentral access enabled can easily access all the systems as it uses the same account for everything that is in the Tactical RMM group. This defeats the purpose of permissioning agents and clients as it is very easy to access them all from Mesh. The only way to prevent this is to disable access to MeshCentral and create accounts solely to use Mesh alone. ### **Additional context** Context for what has been described above:  The commands being ran by an external user who is not supposed to have access.  The random account appearing on the login screen which was created from RMM as seen above.  The account that has not logged in after a while.  Separate accounts and groups are created on Mesh to allow isolation but no integration with RMM.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

1.0.0

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.20.1

v0.20.0

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.2

v0.18.1

v0.18.0

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.5

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.12

v0.15.11

v0.15.10

v0.15.9

v0.15.8

v0.15.7

v0.15.6

v0.15.5

v0.15.4

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.8

v0.14.7

v0.14.6

v0.14.5

v0.14.4

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.3

v0.11.2

v0.11.1

v0.11.0

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.2

v0.9.1

v0.9.0

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.32

v0.4.31

v0.4.30

v0.4.29

v0.4.28

v0.4.27

v0.4.26

v0.4.25

v0.4.24

v0.4.23

v0.4.22

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.10

v0.4.9

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

In Process

  

bug

  

bug

  

dev-triage

  

documentation

  

duplicate

  

enhancement

  

fixed

  

good first issue

  

help wanted

  

integration

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

requires agent update

  

security

  

ui tweak

  

wontfix

No labels

In Process

bug

bug

dev-triage

documentation

duplicate

enhancement

fixed

good first issue

help wanted

integration

invalid

pull-request

question

requires agent update

security

ui tweak

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/tacticalrmm#2994

No description provided.