Privileged Session Recording
1. Overview
2. Configuring session recording
3. Viewing the recorded sessions
4. Splitting of session recordings
5. Session shadowing/real-time session monitoring
   5.1 Monitoring sessions in parallel
1. Overview
PAM360 can record, play back, and archive privileged sessions launched from its interface, to support forensic audits and allow enterprises to monitor all actions performed by the privileged accounts during privileged sessions. Session recording caters to the audit and compliance requirements of organizations that mandate proactive monitoring of activities, thereby enabling administrators to readily answer the ‘who,’ ‘what’ and ‘when’ questions of privileged access. You can use PAM360 to record Windows RDP, SSH/Telnet, and SQL sessions launched from PAM360's interface.
1.1 How Secure is Session Recording?
PAM360 employs a first-in-class, browser-based remote login mechanism for the session recording process. From any HTML5-compatible browser, users can launch highly secure, reliable and completely emulated Windows RDP, SSH and Telnet sessions with a single click, without the need for an additional plug-in or agent software. Remote connections are tunneled through the PAM360 server, requiring no direct connectivity between the user device and the remote host. In addition to superior reliability, the tunneled connectivity provides extreme security, as the passwords needed to establish remote sessions do not need to be available at the user’s browser. The session recording capability is an extension of the robust remote login mechanism of PAM360.
PAM360 comes bundled with RDP, SSH and Telnet session gateways. These allow users to launch remote terminal sessions from their browser that are tunneled through the PAM360 server. The remote terminal sessions are emulated in the browser screen itself, so there is no need to install any plug-in or agent on any of the endpoints. The only requirement is that the browser be HTML5-compatible (for example, IE 9 or above, Firefox 3.5 or above, Safari 4 or above, and Chrome).
2. Configuring Session Recording
There are two ways to configure remote session recording:
- Configuring session recording for specific resources
- Configuring session recording globally
2.1 Configuring Session Recording for Specific Resources
- Navigate to the Resources tab and select the resources for which you want to configure session recording.
- Go to Resource Actions >> Configure >> Session Recording.
- In the pop-up form that opens, select the options Record RDP sessions and/or Record SSH, Telnet and SQL Sessions as required and click Save.
Note: By default, the recordings are stored in the path <PAM360_Install_Directory>\PAM360\recorded_files. This location for storing recordings can be changed at any time by navigating to Admin >> Configuration >> Session Recording.
2.2 Configuring Session Recording Globally
- Navigate to Admin >> Connections >> Session Configuration.
- In the pop-up form that opens:
  - Select the options Record RDP sessions and/or Record VNC sessions and/or Record SSH, Telnet and SQL sessions as required.
  - Select the check box Show session recording status in the session tab if you wish to display the session recording status in the session window.
  - Enter a valid path to store the recorded sessions under External Location for Recorded Sessions. You can also set a backup directory for storing the recordings, in which case the recorded files will be stored in both locations.
  - To purge the records that are older than a specified number of days, enter the number under Purge recorded sessions that are more than __ days old. You can disable purging by leaving the text field empty or by entering 0 as the value.
  - Select the check box Show the welcome message at the commencement of the session and enter the message that you want to display in the text field below it. This text field has a limit of 4000 characters and supports inline CSS styles, so you can enable and customize the welcome message as desired.
- Click Save to save the changes.
Note: For MSP, you should apply the above settings for each client ORG account individually.
- Now, the session recording feature becomes available as soon as an administrator adds a resource that supports one of these remote terminal session types (RDP, SSH, Telnet).
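An independent check on the storage settings above, as an added example (not PAM360 code): it compares the recording location with its backup directory by SHA-256 and lists recordings older than the purge window. It assumes both directories hold the same relative file names and that file modification time approximates the recording's age; the paths and the purge value are supplied by the caller.

```python
import hashlib
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in 1 MiB blocks so large recordings are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def _files(root):
    """Map each file's path relative to root onto its full path."""
    return {p.relative_to(root): p for p in root.rglob("*") if p.is_file()}


def audit_recordings(primary, backup, purge_days=None, now=None):
    """Compare the recording store with its backup and check the purge window.

    purge_days mirrors the purge setting: None or 0 means purging is disabled,
    so nothing is reported as overdue. Age is taken from mtime (assumption).
    """
    primary_files, backup_files = _files(Path(primary)), _files(Path(backup))
    now = time.time() if now is None else now
    report = {"missing_in_backup": [], "mismatched": [],
              "only_in_backup": [], "overdue_for_purge": []}
    for rel, path in sorted(primary_files.items()):
        twin = backup_files.get(rel)
        if twin is None:
            report["missing_in_backup"].append(str(rel))
        elif sha256_of(path) != sha256_of(twin):
            # The two copies should be identical; a difference needs review.
            report["mismatched"].append(str(rel))
        if purge_days and (now - path.stat().st_mtime) / 86400 > purge_days:
            report["overdue_for_purge"].append(str(rel))
    extra = backup_files.keys() - primary_files.keys()
    report["only_in_backup"] = sorted(str(rel) for rel in extra)
    return report


if __name__ == "__main__":
    import sys
    days = int(sys.argv[3]) if len(sys.argv) > 3 else None
    for finding, names in audit_recordings(sys.argv[1], sys.argv[2], days).items():
        print(f"{finding}: {names}")
```

Run it with the recording directory, the backup directory and, optionally, the configured purge age in days as arguments.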
3. Viewing the Recorded Sessions
View the recorded sessions from the Audit tab in the PAM360 interface by following the steps below. You can trace sessions using any detail such as the name of the resource, the user who launched the session, or the time at which the session was launched.
- Navigate to Audit >> Recorded Connections.
- Click Play against the recorded session that you want to view. While viewing a recorded session, click the seek bar to skip a part of the recording and move ahead.
4. Splitting of Session Recordings
PAM360 has a provision to split session recording files obtained from remote sessions into several small files and encrypt them individually. This option applies to session recording files that are larger than 10 MB in size. By default, PAM360 encrypts all session recordings stored in your local storage. For long recordings with very large file sizes, there is a chance of encryption failure. Hence, those recordings are split and stored in chunks whose size does not exceed 10 MB. PAM360 ensures that the split parts are encrypted successfully and saved. Although the recordings are stored as multiple files, they are played back as a single file. In addition to successful encryption, session splitting also ensures smooth playback without buffer time.
Example:
Consider a session recording of 25 MB file size. PAM360 will split this into three files that are 10 MB, 10 MB, and 5 MB in size.
By default, the session splitting option is disabled in PAM360. Follow the steps detailed in the General Settings document to enable session splitting.
Remember, with this option disabled, PAM360 will save all session recordings as a single file only.
- Session splitting works only for Legacy SSH and Telnet sessions.
- This option will not work for RDP, VNC, and SSH sessions as they are video-based, and PAM360 does not encrypt video-based recordings. PAM360 saves these session recordings as video files in the external storage. However, you cannot play these files outside the PAM360 interface using standard media players.
5. Session Shadowing/Real-time Session Monitoring
PAM360 lets administrators monitor the privileged sessions of highly sensitive IT resources. Session Shadowing allows admins to join active sessions, observe user activities in parallel, and terminate the sessions in case of suspicious activity. Admins can also offer assistance to users while monitoring the users’ activities during troubleshooting sessions.
5.1 Monitoring Sessions in Parallel
- Navigate to Audit >> Active Privileged Sessions.
- Trace the session to be monitored through the name of the resource.
- Click the Join button. You will be able to view the ongoing session in parallel.
5.2 Terminating a Suspicious Session
- Navigate to Audit >> Active Privileged Sessions.
- Trace the session to be monitored through the name of the resource.
- Click the Terminate button. The remote session will be terminated and the user will lose connection with the remote resource.
5.3 Deleting Selective Session Recordings
- Navigate to Audit >> Recorded Connections.
- Choose the session you want to delete and then click the delete icon beside it under the Delete column.
- You can choose to delete either the recording of the session or the chat logs of a particular session.
- Once you have chosen to delete the chat log or the session recording, a dialog box will appear prompting you to confirm the action.
- The other administrator(s) will be notified and a request for approval will be sent to them. They can either approve or reject this decision. Note that the deletion process requires the consent of just two administrators, i.e., if an administrator apart from you approves, then the deletion will take place, irrespective of the approval of the other administrators (if any).
- Based on whether the session files are present in the system or in any external device, their deletion will take place as explained below:
- Scenario 1: If the file is present in the system, PAM360 will delete the recording once the request has been approved by another administrator.
- Scenario 2: If the recordings are present in an external device and not in PAM360 during this process, PAM360 will run a system scheduler to delete these files. In this case, the file(s) will be deleted only if the external device containing the session recordings is connected to the PAM360 server when the scheduler runs.
Note: In order to delete selective sessions from the PAM360 database, there should be at least two active administrators, including yourself. This is to ensure that no important session is deleted without proper confirmation.
Note: Once the deletion of a recording has been approved but not yet carried out, as explained in Scenario 2 above, PAM360 will temporarily disable the video recording until it is deleted, and it cannot be viewed by anyone, including the administrators.