
Record Administrator Logins - Hitachi ID Privileged Access Manager

Session Recording Overview

Where Hitachi ID Privileged Access Manager launches a user's login session, it can be configured to record screen, keyboard and other data while users are connected to privileged accounts. The recording may be of just the window launched to connect a user to a privileged account or of the user's entire desktop.

The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.

Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits. Access to recorded sessions is secured through a combination of access control policies and workflow approvals, designed to safeguard user privacy.

The Privileged Access Manager session monitoring infrastructure is included at no extra cost. It works using ActiveX components and does not require software to be permanently installed on user PCs. There is no footprint on managed systems and no proxy servers are used.

Session monitoring is compatible with all administration programs and protocols, as it instruments the administrator's PC, rather than network traffic. Recordings can be made of SSH, RDP, vSphere, SQL Studio and any other administrative sessions launched via Privileged Access Manager. Recordings can include key-logging, video, webcam, copy buffer and more, based on policy settings and without regard to the type of session (protocol, client tool) that was launched.

Monitoring Technology

ActiveX/IE Recording Architecture

Session monitoring in Privileged Access Manager works by launching an ActiveX component when a login session is established to a privileged account.

The ActiveX component, in turn, launches the administration tool the user wishes to use (terminal services client (TSC), PuTTY or a similar SSH client, SQL Studio, vSphere, etc.) and passes a target system address, login ID and password into that client.

While the user is connected, the ActiveX component can capture session data (video, key-log, etc.) and stream it back to a Privileged Access Manager server. The ActiveX component also checks with the server to find out whether the user's session should be terminated, for example because the allotted time has run out or because the user's access is being terminated intentionally.

Using an ActiveX component means that the installation footprint of Privileged Access Manager session monitoring is minimized -- there is no software to install on user PCs and no proxy server for users to connect through.

Non-ActiveX/Non-IE Recording Architectures

Starting with the 10.0 release (Q2/2016), there are two additional options for single sign-on and session recording:

  1. Launch from the user's endpoint, via a browser extension to FF or Chrome (no IE, no ActiveX required). Session capture and credential injection work just like with ActiveX, but from a different client browser.
  2. HTML5 session proxy. The user's browser renders a login session using an HTML canvas where AJAX code injects a series of small PNG images, reflecting session activity. A proxy server terminates the HTML5 connection and initiates an SSH, RDP or other connection to the managed system. The proxy is what captures keystrokes and screen video, rather than the user's client, which is only a browser.

Types of Recorded Data

The session monitoring infrastructure in Privileged Access Manager is designed to capture any combination of the following data types:

  1. Video capture: either the display window of the program launched on behalf of the authorized user (e.g., RDP, SSH, vSphere, etc.) or that user's entire desktop (could span multiple monitors).
  2. Keystrokes -- either just those entered when the launched window has focus, or all keystrokes for the duration of the login session.
  3. Snapshots from the user's web cam (of the user, presumably).
  4. Contents of the user's copy buffer -- useful if the user pastes text into an input field, such that the text would not appear in key-log data.
  5. Metadata about processes running on the user's PC, including process name and ID, window title, etc.
  6. Metadata about user interface elements on the user's screen, such as text prompts and the content of input fields.

Indefinite Retention

Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits of administrator actions. Access to recorded sessions is secured through a combination of access control rules and workflow processes, to protect user privacy.

Tamper Proofing

The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.

Privileged Access Manager can be configured to make a recording of a user's PC for the duration of a login session to a privileged account. This includes video capture of either the full screen or just the login window, key logging, recording of the contents of the copy buffer and even snapshots from the user's webcam.

Full screen and web cam capture

Capturing the full screen gives context for administrator actions. For example, if a user downloads a file from a privileged account to his PC, a recording of just his login window will not show what happens next, but a full screen recording may show the file being copied to a USB drive or uploaded to a web site.

Capturing web cam snapshots reliably links the session to the user in question. In the event of a forensic audit, if the user claims that actions recorded and associated with his profile were performed by someone else, perhaps after stealing his password, there will be clear evidence that it was the user in question who performed them.

Network and storage impact

The session monitor ActiveX component can generate up to about 10 kBytes/second of data, most of which is video. On a modern PC, it will consume no more than 2% to 3% of the user's CPU and only a very small amount of memory.

A single Privileged Access Manager server can collect about 100 concurrent session recording data streams. This means that a load balanced arrangement of 3 Privileged Access Manager nodes can capture sessions from 300 IT workers simultaneously, and probably more than 500 users total, 24x7.

The data volume from a single administrator session, assuming a constant stream of data for 8 hours/day, 220 days/year, amounts to about 60GB/year. 100 concurrently active administrators whose every action is recorded will generate about 6TB/year of data.
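The sizing figures above follow from the stated 10 kBytes/second rate and 100 streams per server. As an added helper (not from the page or Hitachi ID), the function below reproduces them and generalises to other rates, schedules, retention periods and node counts; only the 10 kB/s and 100-streams-per-node defaults come from the text.

```python
import math

BYTES_PER_GB = 10**9  # decimal GB/TB, matching the page's round figures
BYTES_PER_TB = 10**12


def yearly_bytes_per_admin(rate_bytes_per_s: int = 10_000,
                           hours_per_day: float = 8,
                           days_per_year: int = 220) -> int:
    """Recorded volume for one continuously recorded administrator per year."""
    return int(rate_bytes_per_s * 3600 * hours_per_day * days_per_year)


def plan_recording_capacity(concurrent_admins: int,
                            retention_years: float = 1,
                            streams_per_node: int = 100,
                            **schedule) -> dict:
    """Nodes needed to collect the streams and storage needed to retain them.

    `schedule` is passed to yearly_bytes_per_admin (rate, hours, days).
    """
    per_admin = yearly_bytes_per_admin(**schedule)
    total = per_admin * concurrent_admins * retention_years
    return {
        "nodes_needed": math.ceil(concurrent_admins / streams_per_node),
        "per_admin_gb_per_year": round(per_admin / BYTES_PER_GB, 2),
        "total_tb": round(total / BYTES_PER_TB, 2),
    }
```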

Watch a Movie

Request, approve, and playback recorded session

  • Recorded sessions may contain sensitive or private data. They are protected in Hitachi ID Privileged Access Manager by a combination of access controls and workflow approvals. An auditor must first request the right to perform a search of recorded sessions. Once this has been approved, he must select a session and request access to the recording. Only when this second request is approved can he download and play back the session.

Key concepts:

  • Securing access to recorded sessions.
  • Search using metadata and keyboard input.
  • Approvals for both search and play-back.

Read More:

  • Randomize Privileged Passwords:
    Privileged Access Manager periodically randomizes passwords on privileged accounts.
  • Launch Privileged Login Sessions:
    Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
  • Limit Concurrent Administrator Logins:
    Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
  • Record Administrator Logins:
    Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge sharing resource.
  • Password History:
    Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media.
  • Audit Logs and Reports:
    Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
  • Eliminate Embedded Passwords:
    Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to securely acquire credentials to other applications on demand.
  • Change Service Account Passwords:
    Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies appropriate OS components, such as service control manager and scheduler, of the new password value.