Record Administrator Logins

Session Recording Overview

Hitachi ID Privileged Access Manager can be configured to record screen, keyboard and other data while users are connected to privileged accounts. The recording may be of just the window launched to connect a user to a privileged account or of the user's entire desktop.

The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.

Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits. Access to recorded sessions is secured through a combination of access control policies and workflow approvals, designed to safeguard user privacy.

Multiple mechanisms are included to launch and record sessions:

  1. Direct from the user's Windows PC to the managed endpoint, using IE/ActiveX. The ActiveX component may be previously installed or downloaded on demand.
  2. Direct from the user's Windows PC to the managed endpoint, using Chrome, Firefox or Opera and a browser extension. The browser extension may be previously installed (e.g., via software push) or installed by the user on demand.
  3. By prompting the user to launch a downloadable, personalized (per session) executable file onto his Windows PC. This is a single-use download.
  4. By asking the user to first connect via RDP or similar to a Windows/Remote Desktop Services, Citrix or similar intermediate server, and (a) sign into Privileged Access Manager and then (b) launch a session from this proxy server. The same mechanisms as described above are available, but run on the proxy server, rather than the user's PC. The user's PC can run any OS in this case.
  5. By opening a second browser tab to an HTML5 proxy server (running Linux/Tomcat/Guacamole). The session UI is rendered as an HTML canvas in the user's browser, which could be any browser on any OS. The actual SSH or RDP session is established from this proxy onwards to the managed system.

In the first four cases, any Windows-compatible client admin tool can be launched, with credentials injected. Screen capture, copy buffer, window metadata and keylog data are streamed from the system running the admin tool (which may be the user's PC or Windows RDS proxy) to the Privileged Access Manager server(s).

In the last case, only SSH and RDP are currently supported. Screen capture, copy buffer, window metadata and keylog data are streamed from the Linux/Tomcat proxy server to the Privileged Access Manager server(s).

The Privileged Access Manager session monitoring infrastructure is included at no extra cost. Both direct and proxied connections may be deployed. No software is deployed on the managed endpoint. There are no fees per proxy server.

In a typical deployment, admin tools including SSH clients, RDP clients, hypervisor admin consoles (e.g., vSphere), DBA tools (e.g., SQL Management Studio) and more may be launched and monitored. Video capture may be of the user's entire desktop or just the launched window.

Monitoring Technology

ActiveX/IE Recording Architecture

There are multiple session capture technologies included in Privileged Access Manager. The most common approach is to instrument the Windows PC or Windows proxy server where a user runs an admin program. This is done by launching an ActiveX component from IE when a login session is established to a privileged account. Starting with the 10.0 release, browser extensions for FF, Opera and Chrome are also supported (instead of IE/ActiveX).

The ActiveX component or browser extension, in turn, launches the administration tool the user wishes to use -- terminal services client (MSTSC), PuTTY/SecureCRT or similar for SSH sessions, SQL Management Studio, vSphere, etc. and passes a target system address, login ID and password into that client.

While the user is connected, the ActiveX component or browser extension captures session data -- video, key-log, etc. -- and streams it back to a Privileged Access Manager server. It also regularly checks with the server to find out whether the user's session should be terminated, for example because the allotted time has run out or because the user's access is being terminated intentionally.
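The check-in loop described above, and the tamper response promised in the overview (an interrupted recorder gets its privileged session disconnected and an alarm raised), is the kind of server-side watchdog shown below. This is an added, simplified example written for this page, not Hitachi ID's implementation: the agent check-in interval, the grace period, the command names `continue`/`terminate` and the explicit `now` clock parameter (used so the logic is deterministic and testable) are all assumptions.

```python
# Added example: a minimal server-side watchdog for recorded privileged sessions.
# Illustrative code written for this page, not Hitachi ID's implementation.
# HEARTBEAT_INTERVAL, GRACE_PERIOD and the command strings are assumed values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEARTBEAT_INTERVAL = 5.0  # seconds between agent check-ins (assumed)
GRACE_PERIOD = 15.0       # silence tolerated before the recorder is treated as interrupted (assumed)


@dataclass
class Session:
    session_id: str
    user: str
    target: str
    expires_at: float             # absolute time at which the allotted window ends
    last_heartbeat: float         # time of the last successful agent check-in
    active: bool = True
    terminated_reason: Optional[str] = None


@dataclass
class SessionServer:
    """Tracks live recorded sessions and decides when each one must be cut off."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def start_session(self, session_id: str, user: str, target: str,
                      allotted_seconds: float, now: float) -> None:
        self.sessions[session_id] = Session(session_id, user, target,
                                            expires_at=now + allotted_seconds,
                                            last_heartbeat=now)

    def heartbeat(self, session_id: str, now: float, recording_ok: bool = True) -> str:
        """Agent check-in. Returns the command the agent must obey: 'continue' or 'terminate'."""
        s = self.sessions.get(session_id)
        if s is None or not s.active:
            return "terminate"                     # unknown, revoked or already closed
        if not recording_ok:
            # The agent itself reports that capture stopped (e.g. recorder process killed).
            self._terminate(s, "recording interrupted on client", now, alarm=True)
            return "terminate"
        if now >= s.expires_at:
            self._terminate(s, "allotted time expired", now, alarm=False)
            return "terminate"
        s.last_heartbeat = now
        return "continue"

    def revoke(self, session_id: str, now: float) -> None:
        """Operator ends the user's access intentionally; the agent learns of it at its next check-in."""
        s = self.sessions.get(session_id)
        if s is not None and s.active:
            self._terminate(s, "access revoked by operator", now, alarm=False)

    def sweep(self, now: float) -> List[str]:
        """Server-side check: an agent that silently stopped checking in is treated as tampering."""
        cut = []
        for s in self.sessions.values():
            if s.active and now - s.last_heartbeat > GRACE_PERIOD:
                self._terminate(s, "heartbeat lost", now, alarm=True)
                cut.append(s.session_id)
        return cut

    def _terminate(self, s: Session, reason: str, now: float, alarm: bool) -> None:
        s.active = False
        s.terminated_reason = reason
        if alarm:
            self.alarms.append(f"t={now:.0f}s session {s.session_id} ({s.user} -> {s.target}): {reason}")


if __name__ == "__main__":
    srv = SessionServer()
    srv.start_session("s1", "alice", "db01", allotted_seconds=3600, now=0.0)
    print(srv.heartbeat("s1", now=5.0))    # continue
    print(srv.sweep(now=25.0))             # ['s1']: no check-in for 20 s > GRACE_PERIOD
    print(srv.alarms)
```

Two paths lead to disconnection here: the agent polls and is told to stop (time expired, access revoked, or the agent admits capture failed), and the server's `sweep` cuts off any session whose agent has gone quiet. Only the second kind of event, and an agent-reported capture failure, raise an alarm, since an expired window is normal operation rather than tampering.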

Using an ActiveX component or browser extension means that the installation footprint of Privileged Access Manager session monitoring is minimal.

Non-ActiveX/Non-IE Recording Architectures

Starting with the 10.0 release (Q2/2016), there are two additional options for single sign-on and session recording:

  1. Launch from the user's endpoint, via a browser extension to FF or Chrome (no IE, no ActiveX required). Session capture and credential injection work just like with ActiveX, but from a different client browser.
  2. HTML5 session proxy. The user's browser renders a login session using an HTML canvas where AJAX code injects a series of small PNG images, reflecting session activity. A proxy server terminates the HTML5 connection and initiates an SSH, RDP or other connection to the managed system. The proxy is what captures keystrokes and screen video, rather than the user's client, which is only a browser.

Types of Recorded Data

The session monitoring infrastructure in Privileged Access Manager is designed to capture any combination of the following data types:

  1. Video capture: either the display window of the program launched on behalf of the authorized user (e.g., RDP, SSH, vSphere, etc.) or that user's entire desktop (could span multiple monitors).
  2. Keystrokes -- either just those entered when the launched window has focus, or all keystrokes for the duration of the login session.
  3. Snapshots from the user's web cam (of the user, presumably).
  4. Contents of the user's copy buffer -- useful if the user pastes text into an input field, such that the text would not appear in key-log data.
  5. Meta data about processes running on the user's PC, including process name and ID, window title, etc.
  6. Meta data about user interface elements on the user's screen, such as text prompts and the content of input fields.

Indefinite Retention

Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits of administrator actions. Access to recorded sessions is secured through a combination of access control rules and workflow processes, to protect user privacy.

Tamper Proofing

The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.

Privileged Access Manager can be configured to make a recording of a user's PC for the duration of a login session to a privileged account. This includes video capture of either the full screen or just the login window, key logging, recording of the contents of the copy buffer and even snapshots from the user's webcam.

Full screen and web cam capture

Capturing the full screen gives context for administrator actions. For example, if a user downloads a file from a privileged account to his PC, a recording of just his login window will not show what happens next, but a full screen recording may show the file being copied to a USB drive or uploaded to a web site.

Capturing web cam snapshots reliably links the session to the user in question. In the event of a forensic audit, if the user claims that actions recorded and associated with his profile were performed by someone else, perhaps after stealing his password, there will be clear evidence that it was the user in question who performed them.

Network and storage impact

The session monitor ActiveX component can generate up to about 10 kBytes/second of data, most of which is video. On a modern PC, it will consume no more than 2% to 3% of the user's CPU and only a very small amount of memory.

A single Privileged Access Manager server can collect about 100 concurrent session recording data streams. This means that a load balanced arrangement of 3 Privileged Access Manager nodes can capture sessions from 300 IT workers simultaneously and probably more than 500 users total, 24x7.

The data volume from a single administrator session, assuming a constant stream of data for 8 hours/day, 220 days/year, amounts to about 60GB/year. 100 concurrently active administrators whose every action is recorded will generate about 6TB/year of data.
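The sizing figures above (about 10 kB/s per session, 8 hours/day, 220 days/year, 100 streams per server) can be turned into a small capacity planner. The function below is an added example written for this page, not a Hitachi ID tool; its defaults reproduce the page's numbers and it generalizes them to a retention period, a fleet size and the number of collector nodes, counting a kilobyte as 1000 bytes.

```python
# Added example: recording-storage sizing calculator (not a Hitachi ID tool).
# Defaults are the page's figures; retention_years and spare_nodes are generalizations.
import math


def size_recording_storage(concurrent_sessions: int,
                           bytes_per_second: float = 10_000,   # ~10 kB/s per recorded session
                           hours_per_day: float = 8,
                           days_per_year: float = 220,
                           retention_years: float = 1,
                           streams_per_node: int = 100,         # streams one collector can absorb
                           spare_nodes: int = 0) -> dict:
    """Return per-session yearly volume (GB), total retained volume (TB) and collector node count."""
    if concurrent_sessions < 0 or streams_per_node <= 0 or retention_years < 0:
        raise ValueError("sessions and retention must be >= 0, streams_per_node > 0")
    bytes_per_session_year = bytes_per_second * 3600 * hours_per_day * days_per_year
    gb_per_session_year = bytes_per_session_year / 1e9
    total_tb = gb_per_session_year * concurrent_sessions * retention_years / 1000
    collector_nodes = math.ceil(concurrent_sessions / streams_per_node) + spare_nodes
    return {
        "gb_per_session_year": round(gb_per_session_year, 1),
        "total_tb": round(total_tb, 2),
        "collector_nodes": collector_nodes,
    }


if __name__ == "__main__":
    print(size_recording_storage(100))                                   # the page's 100-admin case
    print(size_recording_storage(300, retention_years=7, spare_nodes=1))  # 7-year retention, N+1 collectors
```

With the page's assumptions a single session comes to roughly 63 GB/year and 100 concurrent administrators to about 6.3 TB/year, matching the rounded figures quoted above; the node count is the only parameter that grows with concurrency rather than with retention.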


Watch a Movie

Request, approve, and playback recorded session


Content:

  • Recorded sessions may contain sensitive or private data. They are protected in Hitachi ID Privileged Access Manager by a combination of access controls and workflow approvals. An auditor must first request the right to perform a search of recorded sessions. Once this has been approved, he must select a session and request access to the recording. Only when this second request is approved can he download and play back the session.

Key concepts:

  • Securing access to recorded sessions.
  • Search using meta data and keyboard input.
  • Approvals for both search and play-back.
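The two-stage gate described in this movie (approval to search, then a separate approval to play back one selected session) can be modelled as a small workflow in front of the recording store. The code below is an added example written for this page, not Hitachi ID's workflow engine. It assumes sequential integer request ids, that a requester cannot approve their own request, and that a playback request must name a session returned by that auditor's approved search; the sample recordings are constructed.

```python
# Added example: two-stage approval gate in front of stored session recordings.
# Illustrative code for this page, not Hitachi ID's workflow engine. Assumptions:
# integer request ids, no self-approval, playback only for sessions found by an
# approved search. SAMPLE_RECORDINGS below is constructed data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Recording:
    session_id: str
    user: str          # the administrator who was recorded
    target: str        # managed system the session connected to
    keylog: str        # captured keyboard input, searchable like the window metadata


@dataclass
class AccessRequest:
    kind: str                       # "search" or "playback"
    requester: str
    session_id: Optional[str] = None
    approved_by: Optional[str] = None
    search_results: List[str] = field(default_factory=list)


class RecordingVault:
    def __init__(self, recordings: List[Recording]):
        self._recordings = {r.session_id: r for r in recordings}
        self._requests: Dict[int, AccessRequest] = {}
        self.audit: List[str] = []          # every request, approval, search and download
        self._next_id = 1

    def _new_request(self, req: AccessRequest) -> int:
        rid = self._next_id
        self._next_id += 1
        self._requests[rid] = req
        self.audit.append(f"request {rid}: {req.kind} by {req.requester}")
        return rid

    def request_search(self, auditor: str) -> int:
        """Stage 1: ask for the right to search recorded sessions."""
        return self._new_request(AccessRequest("search", auditor))

    def request_playback(self, auditor: str, session_id: str, search_request_id: int) -> int:
        """Stage 2: ask for one recording that the approved search actually returned."""
        search = self._approved(search_request_id, auditor, "search")
        if session_id not in search.search_results:
            raise PermissionError("session was not returned by the auditor's approved search")
        return self._new_request(AccessRequest("playback", auditor, session_id))

    def approve(self, request_id: int, approver: str) -> None:
        req = self._requests[request_id]
        if approver == req.requester:        # assumed separation of duties
            raise PermissionError("requester may not approve their own request")
        req.approved_by = approver
        self.audit.append(f"request {request_id}: approved by {approver}")

    def _approved(self, request_id: int, auditor: str, kind: str) -> AccessRequest:
        req = self._requests.get(request_id)
        if req is None or req.kind != kind or req.requester != auditor or req.approved_by is None:
            raise PermissionError(f"no approved {kind} request {request_id} for {auditor}")
        return req

    def search(self, request_id: int, auditor: str, target: Optional[str] = None,
               keyword: Optional[str] = None) -> List[str]:
        """Search metadata (target) and keyboard input; hits are remembered on the request."""
        req = self._approved(request_id, auditor, "search")
        hits = [r.session_id for r in self._recordings.values()
                if (target is None or r.target == target)
                and (keyword is None or keyword in r.keylog)]
        req.search_results.extend(h for h in hits if h not in req.search_results)
        self.audit.append(f"request {request_id}: search target={target} keyword={keyword} -> {hits}")
        return hits

    def download(self, request_id: int, auditor: str) -> Recording:
        req = self._approved(request_id, auditor, "playback")
        self.audit.append(f"request {request_id}: {auditor} downloaded {req.session_id}")
        return self._recordings[req.session_id]


SAMPLE_RECORDINGS = [  # constructed sample data
    Recording("s1", "alice", "db01", "sudo systemctl restart postgresql\n"),
    Recording("s2", "bob", "web01", "cat /var/log/nginx/error.log\n"),
]
```

Every step either succeeds and lands in the audit trail or raises before touching the store, so the trail records what was actually seen. Note that the playback check is tied to the same auditor and the same approved search, so a playback approval cannot be reused by another person or for a session that was never found.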

Read More:

  • Randomize Privileged Passwords:
    Privileged Access Manager periodically randomizes passwords on privileged accounts.
  • Launch Privileged Login Sessions:
    Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
  • Limit Concurrent Administrator Logins:
    Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
  • Record Administrator Logins:
    Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge sharing resource.
  • Password History:
    Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media.
  • Audit Logs and Reports:
    Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
  • Eliminate Embedded Passwords:
    Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to securely acquire credentials to other applications on demand.
  • Change Service Account Passwords:
    Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies appropriate OS components, such as service control manager and scheduler, of the new password value.