Hitachi ID Privileged Access Manager can be configured to record screen video, keyboard input and other data while users are connected to login sessions using privileged accounts. The recording may be of just the window launched to connect a user to a privileged account or of the user's entire desktop.
The session recording system is tamper resistant -- if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.
Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits. Access to recorded sessions is secured through a combination of access control policies and workflow approvals, designed to safeguard user privacy.
Multiple mechanisms are included to launch and record sessions:
- Direct from the user's Windows PC to the managed endpoint, using Chrome, Firefox or Opera and a browser extension. The browser extension may be previously installed (e.g., via software push) or installed by the user on demand.
- Direct from the user's Windows PC to the managed endpoint, using IE/ActiveX. The ActiveX component may be previously installed or downloaded on demand.
- By prompting the user to download and launch a personalized (per-session) executable file on their Windows PC. This is a single-use download.
- By asking the user to first connect via RDP or similar to a Windows/Remote Desktop Services, Citrix or similar intermediate server, and (a) sign into Privileged Access Manager and then (b) launch a session from this proxy server. The same mechanisms as described above are available, but run on the proxy server, rather than the user's PC. The user's PC can run any OS in this case.
- By opening a second browser tab to an HTML5 proxy server (running Linux/Tomcat/Guacamole). The session UI is rendered as an HTML canvas in the user's browser, which could be any browser on any OS. The actual SSH or RDP session is established from this proxy onwards to the managed system.
In the first four cases, any Windows-compatible client admin tool can be launched, with credentials injected. Screen capture, copy buffer, window metadata and keylog data are streamed from the system running the admin tool (which may be the user's PC or the Windows RDS proxy) to the Privileged Access Manager server(s). Where an administrative login screen is web based, an IE browser control is launched. IE exposes a stable API for automation, whereas other browsers seem to change their API every few months, so an automated browser version upgrade is liable to break single sign-on to web UIs.
In the last case, only SSH and RDP are currently supported. Screen capture, copy buffer, window metadata and keylog data are streamed from the Linux/Tomcat proxy server to the Privileged Access Manager server(s).
The Privileged Access Manager session monitoring infrastructure is included at no extra cost. Both direct and proxied connections may be deployed. No software is deployed on the managed endpoint. There are no fees per proxy server.
In a typical deployment, admin tools including SSH clients, RDP clients, hypervisor admin consoles (e.g., vSphere), DBA tools (e.g., SQL Management Studio) and more may be launched and monitored. Video capture may be of the user's entire desktop or just the launched window.
Video: Request, approve, and play back a recorded session
- Recorded sessions may contain sensitive or private data. They are protected in Hitachi ID Privileged Access Manager by a combination of access controls and workflow approvals. An auditor must first request the right to perform a search of recorded sessions. Once this has been approved, he must select a session and request access to the recording. Only when this second request is approved can he download and play back the session.
- Securing access to recorded sessions.
- Search using metadata and keyboard input.
- Approvals for both search and playback.
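The two-stage approval flow described above (search approval first, then a separate playback approval per recording), modelled as a small policy-enforcement object. This is an added illustration, not Hitachi ID code: the RecordingVault class, its method names, the separation-of-duty rule that the approver must differ from the requester, and the sample recordings are all assumptions made for the example. It shows the property that matters to a defender: search returns metadata only, video is released only after the second approval, and every grant or denial lands in an audit log.

```python
"""Two-stage approval gate for privileged session recordings (added example).

Assumed model, not the product's own API: a search grant is per auditor, a
playback grant is per (auditor, session); both require a second person.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Recording:
    session_id: str
    account: str   # privileged account that was used
    host: str      # managed endpoint
    keylog: str    # captured keyboard input (constructed sample text)
    video: bytes   # opaque screen-capture blob (constructed placeholder)


@dataclass
class RecordingVault:
    recordings: Dict[str, Recording] = field(default_factory=dict)
    search_pending: Set[str] = field(default_factory=set)
    search_approved: Set[str] = field(default_factory=set)
    playback_pending: Set[Tuple[str, str]] = field(default_factory=set)
    playback_approved: Set[Tuple[str, str]] = field(default_factory=set)
    audit_log: List[str] = field(default_factory=list)

    def request_search(self, auditor: str) -> None:
        self.search_pending.add(auditor)
        self.audit_log.append(f"search requested by {auditor}")

    def approve_search(self, approver: str, auditor: str) -> None:
        # Separation of duty (assumed rule): nobody approves their own request.
        if approver == auditor:
            self.audit_log.append(f"DENIED self-approval of search by {auditor}")
            raise PermissionError("approver must differ from requester")
        if auditor not in self.search_pending:
            raise PermissionError("no pending search request")
        self.search_pending.discard(auditor)
        self.search_approved.add(auditor)
        self.audit_log.append(f"search approved for {auditor} by {approver}")

    def search(self, auditor: str, term: str) -> List[str]:
        """Match metadata or keylog text; return session ids only, never video."""
        if auditor not in self.search_approved:
            self.audit_log.append(f"DENIED search by {auditor}")
            raise PermissionError("search not approved")
        t = term.lower()
        hits = [r.session_id for r in self.recordings.values()
                if t in r.account.lower() or t in r.host.lower() or t in r.keylog.lower()]
        self.audit_log.append(f"search '{term}' by {auditor}: {len(hits)} hit(s)")
        return hits

    def request_playback(self, auditor: str, session_id: str) -> None:
        if auditor not in self.search_approved:
            raise PermissionError("search not approved")
        if session_id not in self.recordings:
            raise KeyError(session_id)
        self.playback_pending.add((auditor, session_id))
        self.audit_log.append(f"playback of {session_id} requested by {auditor}")

    def approve_playback(self, approver: str, auditor: str, session_id: str) -> None:
        key = (auditor, session_id)
        if approver == auditor or key not in self.playback_pending:
            self.audit_log.append(f"DENIED playback approval {key} by {approver}")
            raise PermissionError("invalid playback approval")
        self.playback_pending.discard(key)
        self.playback_approved.add(key)
        self.audit_log.append(f"playback of {session_id} approved for {auditor} by {approver}")

    def play(self, auditor: str, session_id: str) -> bytes:
        """Release the video blob only when the second-stage grant exists."""
        if (auditor, session_id) not in self.playback_approved:
            self.audit_log.append(f"DENIED playback of {session_id} by {auditor}")
            raise PermissionError("playback not approved")
        self.audit_log.append(f"playback of {session_id} by {auditor}")
        return self.recordings[session_id].video


def build_sample_vault() -> RecordingVault:
    """Constructed sample recordings for the demonstration."""
    v = RecordingVault()
    v.recordings["s-001"] = Recording("s-001", "root", "db01.example.internal",
                                      "sudo systemctl restart postgresql", b"\x00video-001")
    v.recordings["s-002"] = Recording("s-002", "Administrator", "win-app02",
                                      "net user", b"\x00video-002")
    return v


def demo() -> Tuple[List[str], int, bytes]:
    """Walk the full flow; return (search hits, denied attempts, released video)."""
    v = build_sample_vault()
    denied = 0
    v.request_search("alice")
    try:
        v.play("alice", "s-001")          # no grant at all yet
    except PermissionError:
        denied += 1
    v.approve_search("bob", "alice")
    hits = v.search("alice", "postgresql")
    v.request_playback("alice", hits[0])
    try:
        v.play("alice", hits[0])          # search approved, playback not yet
    except PermissionError:
        denied += 1
    v.approve_playback("bob", "alice", hits[0])
    return hits, denied, v.play("alice", hits[0])


if __name__ == "__main__":
    print(demo())
```

The search result deliberately carries no video bytes, so a grant at the first stage exposes only the metadata and keylog index the auditor needs to pick a session; the recording itself is reachable solely through the second grant, and the audit log records the two denied early attempts as well as the approvals.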