Privileged Session Recording

20 minutes to read

Organizations depend on privileged accounts to manage critical resources, perform administrative tasks, and access sensitive systems, but this elevated access also introduces significant risks. Additionally, they often rely on web-based applications and services for critical operations. Unmonitored privileged sessions can result in unauthorized actions and security breaches. Additionally, many regulatory frameworks require proactive monitoring and auditing of privileged access to ensure compliance. In the event of security breaches, the absence of detailed session logs hampers effective investigation and remediation.

To address these issues, PAM360 offers the Privileged Session Recording feature, enabling organizations to view, record, and monitor user activities on privileged resources and sensitive web applications/services accessed from PAM360 via remote sessions. This feature ensures accountability and enhances security by maintaining a detailed audit trail of all interactions. Recorded sessions are stored securely and can be reviewed later for compliance, identifying potential security risks.

By providing a clear, auditable trail of privileged actions, the privileged session recording helps organizations mitigate security risks and meet compliance requirements efficiently. This help document covers the following topics in detail:

  1. How Secure is Session Recording?
  2. Configuring Privileged Session Recording
  3. Viewing Recorded Sessions
  4. Splitting Recorded Sessions
  5. Shadowing Active Privileged Sessions
  6. Deleting Recorded Sessions
  7. Configuring FFmpeg for Session Recording

1. How Secure is Session Recording?

PAM360 ensures the security of session recording by employing an advanced, browser-based remote login mechanism, which allows users to initiate secure, reliable, and fully emulated Windows RDP, SSH, Telnet, and website sessions directly from any HTML5-compatible browser. With a single click, users can establish privileged sessions without requiring additional plug-ins or agent software, reducing dependency on external components that could introduce vulnerabilities.

All remote connections are tunneled through the PAM360 server, eliminating the need for direct connectivity between the user’s device and the remote host. This architecture enhances security by ensuring that privileged credentials, such as passwords, are never exposed at the browser level. By isolating user access from direct host connections, PAM360 significantly reduces the attack surface while maintaining reliable session performance.

PAM360 comes bundled with RDP, SSH, and Telnet session gateways. These gateways enable users to initiate remote terminal sessions directly within their browser, eliminating the need to install additional software on endpoints. The only prerequisite is an HTML5-compatible browser, such as Internet Explorer 9 or later, Firefox 3.5 or later, Safari 4 or later, or Chrome.

2. Configuring Privileged Session Recording

Important Notes:

The recordings will be stored by default in the directory path <PAM360_Installation_Folder\PAM360\recorded_files>. This external location to store recordings can be changed at any time from the Session Configuration window. To access the session configuration window, navigate to Admin >> Connections >> Session Configuration.

Notes:
(Applicable from Builds 7400 and Above)

  1. To ensure smooth and uninterrupted website session recording in your environment, ensure the following prerequisites are met:
    1. The users initiating the website/HTTPS gateway session should have the PAM360 browser extension of version 2.1.0.0 or higher installed and logged in. Explore this link for the detailed steps to add the PAM360 extension to your browser.
    2. The FFmpeg should be properly installed and configured in your environment. Explore this section for the detailed steps to configure FFmpeg in your environment. Without FFmpeg,
      • The recordings played in Chromium-based browsers will not include a seek bar and duration indicator.
      • The recordings cannot be played in Firefox.
  2. Website sessions are recorded only if the user has an active PAM360 extension session while launching a website session to the configured URL.
  3. Users must be logged into the PAM360 extension to initiate an HTTPS gateway session from the PAM360 web interface if session recording is enabled.
  4. Even if the website and HTTPS gateway session recordings are enabled globally in the Session Configuration window, they must also be enabled at the resource level to record these sessions.
  5. Activities, such as copy-pasting will not be captured in the recording.
  6. We currently support website and HTTPS gateway connection recording only in the PAM360 primary server and connections launched using Google Chrome and Microsoft Edge browsers. We are yet to offer website and HTTPS gateway connection recording support for connections launched from the secondary server and connections launched via Firefox.

Caution: When a user launches a website or an HTTPS Gateway connection to a configured URL, they must select the appropriate session tab in the session consent window to record the connection. If the user selects the 'Entire Screen' option, the recording will capture not only the configured URL launched from PAM360 but the entire screen that may include personal information.

Privileged session recording in PAM360 can be configured at two different levels:

  1. Configuring Session Recording for specific Resources
  2. Configuring Session Recording Globally

2.1 Configuring Session Recording for Specific Resources

Administrators can enable session recording for selected resources or accounts that require closer monitoring. It is ideal for tracking privileged actions on critical systems, sensitive databases, or high-risk applications. By enabling session recording at the resource level, organizations can maintain precise control over what activities are captured, ensuring that only essential sessions are monitored. This granular approach minimizes unnecessary data collection while aligning with compliance and security policies. Follow these steps to configure privileged session recording for specific resources:

  1. Navigate to the Resources tab.
  2. Select the resources for which you want to configure session recording and click Resource Actions >> Manage >> Edit.
  3. In the Edit Resources window, switch to the Account Attributes tab, and modify the following drop-down fields as required: Record RDP sessions, Record SSH/Telnet sessions, Record website sessions, and Record HTTPS gateway sessions.

    Note: The Record website sessions and Record HTTPS gateway sessions checkboxes are available only from PAM360 builds 7400 and above.

  4. Click Preview and Save to save the configured changes.

2.2 Configuring Session Recording Globally

PAM360 allows administrators to configure session recording settings globally to ensure uniform oversight of RDP, VNC, web, HTTPS gateway, SSH, Telnet, and SQL sessions. These settings can be customized to suit organizational needs, providing flexibility, enhanced security, and compliance with regulatory requirements. Follow these steps to configure privileged session recording globally:

  1. Navigate to Admin >> Connections >> Session Configuration.
  2. On the Session Configuration window, you will find the following options you can configure as required:
    1. Record RDP sessions - Tick this checkbox to enable session recording for all remote desktop protocol sessions launched from PAM360.
    2. Record VNC sessions - Tick this checkbox to enable session recording for all VNC sessions launched from PAM360.
    3. Record website sessions - Tick this checkbox to enable session recording for all website sessions initiated using configured URLs. 
    4. Record HTTPS gateway sessions - Tick this checkbox to enable session recording for all the HTTPS gateway sessions launched using the configured URLs.

      5. Note: The Record website sessions and Record HTTPS gateway sessions checkboxes are available only from PAM360 builds 7400 and above. Only the website and HTTPS gateway connections launched to configured URLs with autofill and auto logon functions will be recorded if the Record Configured Resource URL checkbox is not enabled. For a more granular level configuration, configure session recording at the resource level while adding the resource or editing the resource.

    5. Record SSH, Telnet, and SQL sessions - Tick this checkbox to enable session recording for all the SSH, Telnet, and SQL sessions launched from PAM360.
    6. Display session recording status - Tick this checkbox to notify users that the remote session is being recorded.
  3. Under the External Location for Recorded Sessions section, you will find the following options:
    1. Directory for storing recorded sessions - Enter a valid path to store the privileged session recordings.
    2. Backup Directory for storing recorded sessions - Specify an additional directory to create a backup of the recordings, ensuring redundancy.
    3. Choose Date Format - Select your preferred date format for recorded session logs.
  4. Welcome Message - Enable the Show the welcome message at the commencement of the session checkbox to display a custom message at the start of every session. Enter the custom message (up to 4000 characters) you wish to display to the users in the provided text field. Inline CSS styles are supported to customize the appearance of the message.  
  5. Purge Recorded Sessions - You can automatically delete session recordings after a specified period. Specify the duration (in days) for which you wish to retain the session recordings in the Purge recorded sessions that are more than __ days old field. For example, entering 30 will automatically purge session recordings older than 90 days. Leave the field blank or set it to 0 to disable purging.
  6. Click Save to save the configured changes.

Note: For MSP, you should apply the above settings for each client ORG account individually.

3. Viewing Recorded Sessions

You can view the recorded privileged sessions from the Audit tab. To access the session recordings:

(Procedure Applicable from Builds 7400 and Above)
  1. Navigate to the Audit tab and select Recorded Server Connections to view the recorded RDP/SSH/Telnet/VNC/SQL sessions and Recorded Website Connections to view the recorded website connections.
  2. On the Recorded Server Connections page, you can view the list of all the privileged remote sessions launched from PAM360.
    1. By default, all the privileged sessions will be displayed on this page, which includes RDP, SSH, Telnet, VNC, and SQL sessions.
    2. Use the Filter drop-down in the top pane to view the sessions that belong to a particular category.
    3. Click the Activity Logs icon to view the list of actions performed by the user during the remote session, and the Chat Log icon to view the remote session chat history.
  3. On the Recorded Website Connections page, you can view the list of all the website connections launched from PAM360.
    1. By default, all the privileged sessions will be displayed on this page, which includes the website sessions launched directly from the PAM360 server and those via the HTTPS gateway server.
    2. Use the Filter drop-down in the top pane to switch between the Website and HTTPS gateway sessions.
  4. You can use the Search option to find the desired session recording.
  5. Once you find the desired session, click the Play icon to view the privileged session recording.
(Procedure Applicable till Builds 7301)
  1. Navigate to the Audit tab and select Recorded Connections on the left pane.
  2. Here, you can view the list of recorded RDP/SSH/Telnet/VNC/SQL sessions.
  3. You can use the Search or the Filter option to find the desired session recording.
  4. Once you find the desired session, click the Play icon to view the privileged session recording. While viewing a recorded session, use the seek bar to skip a part of the recording.

4. Splitting Recorded Sessions

PAM360 offers a robust provision to split recorded privileged sessions into several small files and encrypt them individually. This option applies to session recording files larger than 10 MB in size. By default, PAM360 encrypts all privileged session recordings in your local storage. However, for lengthy sessions resulting in large file sizes, there is a risk of encryption failure during storage. To mitigate this, PAM360 automatically splits the recordings into smaller segments, each not exceeding 10 MB, and ensures that every segment is securely encrypted. Despite being stored as multiple encrypted files, these recordings are merged seamlessly during playback, appearing as a single continuous file. This approach not only guarantees successful encryption but also optimizes playback performance, eliminating buffering delays and ensuring a smooth user experience.

For instance, if a session recording generates a file of 25 MB, PAM360 will split it into three segments: two of 10 MB each and one of 5 MB. By default, the session splitting feature is disabled in PAM360, meaning all session recordings are stored as a single file regardless of size. Follow the steps outlined in this document to enable session splitting and take advantage of this feature. Enabling this option ensures efficient encryption and optimized playback for large recordings.

Notes:

  1. PAM360 supports session splitting only for Legacy SSH and Telnet sessions.
  2. Session splitting will not work for RDP, VNC, and SSH session recordings, as these are video-based recordings, and PAM360 does not encrypt video-based files. Instead, these recordings are saved as video files in the configured external storage. However, you cannot play these files outside the PAM360 interface using standard media players.
  3. PAM360 does not support session splitting for website session recordings.

5. Shadowing Active Privileged Sessions

Effective oversight of privileged sessions is crucial to maintaining the security and integrity of IT resources. PAM360 addresses this need with Session Shadowing or Real-time Monitoring, empowering administrators to oversee active sessions on highly sensitive resources. This feature ensures accountability by enabling administrators to monitor user activities as they happen and allows them to intervene when necessary. Whether to mitigate potential security risks, terminate suspicious activities, or provide real-time assistance during troubleshooting, PAM360’s session shadowing offers a seamless way to maintain control and ensure compliance. With this capability, organizations can strengthen their security posture and enhance operational efficiency in managing privileged access. To monitor an active privileged session:

  1. Navigate to Audit >> Active Privileged Sessions.
  2. On the Active Privileged Sessions page, you will see a list of all the active privileged sessions in your organization.
  3. Identify the desired session you wish to monitor and click the Join button to join the privileged session. You can observe the user’s activities within the remote session in real time.
  4. If you find any suspicious behavior or wish to terminate the session, you can click the Terminate button beside the respective session. PAM360 will terminate the privileged session immediately, revoking the user's access to the remote resource.

Note: PAM360 does not support the Session Shadowing feature for active website sessions.

6. Deleting Recorded Sessions

Deleting a privileged session recording allows administrators to manage storage space and ensure compliance with data retention policies. This feature lets you permanently remove specific session recordings that are no longer needed, ensuring efficient management of recorded data while maintaining system security. To delete a privileged session recording,

  1. Navigate to the Audit tab.
  2. Identify the desired session recording you wish to delete and click the Delete icon. You will see the following options: Delete Chat Logs and Delete Session Recording.
    1. Delete Chat Logs - To delete all the chat logs associated with the privileged session.
    2. Delete Session Recording - To delete the session recording file.

      3. Note: Deleting a session recording from the PAM360 database requires approval from at least one other administrator in your environment. Therefore, two administrators are required to delete a recorded session.

  3. After choosing the desired option, you will see a confirmation window. Click Ok to confirm the operation.
  4. All other administrators in your environment will be notified about this operation, and it will appear as a request in the Pending Requests tab. Administrators can approve or reject this request. To delete a session recording permanently, you must obtain approval from at least one other administrator. If one administrator approves your request, the session recording will be deleted, regardless of other administrators' decisions.
  5. The deletion process for session recordings varies depending on where the files are stored.
    1. Scenario 1 - If the session recordings are stored locally on the server, PAM360 will delete the files immediately after an administrator approves the deletion.
    2. Scenario 2 - If the session recordings are stored on an external device and are not accessible in PAM360 at the time of approval, PAM360 will schedule the deletion. PAM360 will run a system scheduler to delete these files. The files will only be removed if the external device is connected to the PAM360 server during a scheduled deletion run.

      3. Note: In scenario 2, if a deletion request is approved by the administrator, but the process is pending due to device unavailability, PAM360 will temporarily restrict access to the session recordings. During this time, the recordings cannot be viewed, even by administrators, until the recording is deleted.

7. Configuring FFmpeg for Session Recording

Follow these steps to configure FFmpeg in your environment:

  1. Visit ffmpeg.org and download the appropriate version for your operating system.
  2. Extract the downloaded archive to a directory of your choice.
  3. Windows: Configure the FFmpeg path in the PAM360 system.properties file:
    • ffmpeg.path=D:\<path-to-ffmpeg>\bin\ffmpeg.exe
    • ffprobe.path=D:\<path-to-ffmpeg>\bin\ffprobe.exe
  4. Linux: Install FFmpeg using your package manager (e.g., sudo apt install ffmpeg) and ensure it is added to the system's PATH environment variable, allowing PAM360 to access it.
  5. Confirm FFmpeg is installed correctly by running the ffmpeg -version command in the command prompt or terminal.

    6. Note: Ensure the paths are accurately defined to avoid configuration errors.
Top
Back to Top