A privileged session manager is one of several equivalent terms for a privileged access management system. This particular term is somewhat limiting, because it focuses on launching and recording login sessions to privileged accounts and ignores password randomization, access controls, approval workflows, service account password management, application-to-application password management and many other important features.
Hitachi ID Privileged Access Manager can be configured to record screen video, keyboard input and other data while users are connected to login sessions using privileged accounts. The recording may be of just the window launched to connect a user to a privileged account or of the user's entire desktop.
The session recording system is tamper-resistant: if users attempt to interrupt recording, their login sessions to privileged accounts are disconnected and an alarm is raised.
Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowledge sharing and training to forensic audits. Access to recorded sessions is secured through a combination of access control policies and workflow approvals, designed to safeguard user privacy.
Multiple mechanisms are included to launch and record sessions:
- Direct from the user's Windows PC to the managed endpoint, using Chrome, Firefox or Opera and a browser extension. The browser extension may be previously installed (e.g., via software push) or installed by the user on demand.
- Direct from the user's Windows PC to the managed endpoint, using IE/ActiveX. The ActiveX component may be previously installed or downloaded on demand.
- By prompting the user to download and launch a personalized (per-session) executable file on their Windows PC. This is a single-use download.
- By asking the user to first connect via RDP or similar to a Windows/Remote Desktop Services, Citrix or similar intermediate server, and (a) sign into Hitachi ID Privileged Access Manager and then (b) launch a session from this proxy server. The same mechanisms as described above are available, but run on the proxy server, rather than the user's PC. The user's PC can run any OS in this case.
- By opening a second browser tab to an HTML5 proxy server (running Linux/Tomcat/Guacamole). The session UI is rendered as an HTML canvas in the user's browser, which could be any browser on any OS. The actual SSH or RDP session is established from this proxy onwards to the managed system.
In the first four cases, any Windows-compatible client admin tool can be launched, with credentials injected. Screen capture, copy buffer, window metadata and keylog data are streamed from the system running the admin tool (which may be the user's PC or the Windows RDS proxy) to the Hitachi ID Privileged Access Manager server(s). Where an administrative login screen is web based, an IE browser control is launched. IE exposes a stable automation API, whereas other browsers change theirs every few months, so an automatic browser version upgrade is liable to break single sign-on to web UIs.
In the last case, only SSH and RDP are currently supported. Screen capture, copy buffer, window metadata and keylog data are streamed from the Linux/Tomcat proxy server to the Hitachi ID Privileged Access Manager server(s).
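The tamper-resistance rule above (interrupted recording means the session is disconnected and an alarm is raised) can be enforced on the server side that receives these streams. The following is an added illustration, not Hitachi ID's code and not a claim about how their product implements it: a watchdog that replays per-session stream events for the four channels named above, and disconnects and alarms as soon as any channel it expects goes silent. The channel names, the five-second gap threshold and the event feed are assumptions.

```python
# Data channels the page says the recording host streams to the PAM server.
CHANNELS = ("screen", "clipboard", "window_metadata", "keylog")

def check_sessions(sessions, now, max_gap):
    """Alarm on active sessions whose recording stream has gone silent: the
    screen channel must report from session start, any other channel once it
    has reported at all (idle keyboard is fine, a keylog hook that stops after
    starting is not). Alarmed sessions are removed, i.e. disconnected."""
    alarms = []
    for sid, s in list(sessions.items()):
        for ch in CHANNELS:
            last = s["seen"].get(ch, s["started"] if ch == "screen" else None)
            if last is not None and now - last > max_gap:
                alarms.append({"session": sid, "channel": ch,
                               "silent_for": float(now - last),
                               "action": "disconnect"})
                del sessions[sid]
                break
    return alarms

def run_watchdog(events, max_gap=5.0, end_time=None):
    """Replay (time, session_id, kind) events, kind being 'start', 'end' or a
    channel name; end_time adds a final check so a stream that simply stops
    after the last event is still caught."""
    sessions, alarms = {}, []
    for t, sid, kind in events:
        alarms += check_sessions(sessions, t, max_gap)
        if kind == "start":
            sessions[sid] = {"started": t, "seen": {}}
        elif kind == "end":
            sessions.pop(sid, None)
        elif sid in sessions:
            sessions[sid]["seen"][kind] = t
    if end_time is not None:
        alarms += check_sessions(sessions, end_time, max_gap)
    return alarms

# Constructed sample feed (not a real PAM stream): session A records normally
# and ends; session B's keylog channel goes silent after t=10 while its screen
# channel keeps reporting, which must still disconnect B and raise an alarm.
SAMPLE_EVENTS = [
    (0, "A", "start"), (0, "B", "start"), (1, "A", "screen"), (1, "B", "screen"),
    (2, "B", "keylog"), (4, "A", "screen"), (5, "B", "screen"), (6, "A", "screen"),
    (6, "B", "keylog"), (8, "A", "clipboard"), (9, "A", "screen"), (9, "B", "screen"),
    (10, "A", "end"), (10, "B", "keylog"), (13, "B", "screen"), (17, "B", "screen"),
    (21, "B", "screen"),
]
```

Running `run_watchdog(SAMPLE_EVENTS, end_time=30)` yields a single disconnect alarm for session B on the keylog channel, seven seconds after its last keylog event; a session whose whole stream stops after the last event is only caught by the final `end_time` check, which is why a real watchdog must run on a clock rather than only on incoming events.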
The Hitachi ID Privileged Access Manager session monitoring infrastructure is included at no extra cost. Both direct and proxied connections may be deployed. No software is deployed on the managed endpoint. There are no fees per proxy server.
In a typical deployment, admin tools including SSH clients, RDP clients, hypervisor admin consoles (e.g., vSphere), DBA tools (e.g., SQL Management Studio) and more may be launched and monitored. Video capture may be of the user's entire desktop or just the launched window.