Setting Up Privileged Session Recording & Monitoring

You can record the various remote privileged sessions initiated by users from Securden PAM. The recordings can then be played back as a video. This can be used to track remote user activities and for audit purposes as and when required.

Enabling session recording is a two-step process.

First, you need to enable session recording and specify which type of sessions are to be recorded (RDP, SSH, SQL, Telnet, etc.). Then specify the location where the recorded files are to be stored.

In the second step, you need to switch on session recording either at the accounts level or at the folder level.

Note: Until these two steps are completed, sessions will not be recorded.

Prerequisite: Before proceeding with session recording configuration, you should have configured remote gateways for Windows and UNIX devices. You may designate a dedicated, hardened server (Windows or Linux) as the jump box for a select set of devices to route all remote operations originating from Securden through the remote gateway. Securden will route remote connections through the respective jump box and start recording sessions. If you haven’t configured it yet, navigate to Admin >> Remote Sessions and Recordings >> Remote Gateway and configure it.

How to Set up Session Recording?

The steps to configure session recording involve

  • Enabling session recording
  • Specifying the type of sessions to be recorded.
  • Indicating the location where the recordings are to be stored.
  • Finally, switching on session recording for the required accounts and/or folders.

Step 1: Enable session recording

To enable session recording, navigate to Admin>>Remote sessions and recordings>>Configure Session recording and toggle the session recording slider to ON as depicted in the screenshot below.

Step 2: Specify the type of Sessions to be recorded

You can choose to record all or specific types of sessions alone. You can select any of the required sessions from the list displayed on the interface - RDP, SSH, SQL, and Telnet sessions.

Step 3: Select the file storage location

You can browse and choose a location on your device, network, or a shared drive where you want the recorded files to be stored. Securden PAM will access this location to playback the recorded sessions.

This is the default location that Securden will access to playback sessions:
C:\Program Files\Securden\Privileged_Account_Manager\session_recordings

Note: If you manually move the recorded files to another location, Securden will not be able to playback those moved sessions.

Clicking ‘Click here for more information’ in the GUI will allow you to store the files on a shared drive.

If you are using multiple application servers, you need to ensure that the folder where recorded files are stored, is accessible to all the application servers. If you choose to store them on a shared drive, ensure that the user accounts used to run Securden PAM Service on all application servers have read/write access to the folder. To do this, in services.msc, search for Securden PAM Service and Securden PAM Web Service, go to the 'Log On' tab, and enter the account which has read/write permission to the shared folder. Do this for all application servers as needed. Services can be opened right from your Windows search.

How to Purge Recorded Sessions?

You can choose to delete recorded sessions periodically. This can be done by enabling the purge option and then choosing a purge interval to automatically purge the files. For example, if 15 days is chosen as the interval, recorded files will be deleted from the system after every 15 days.

If you want to keep the recorded files forever, select the option Never'. If you choose this option, you need to monitor the storage space availability. It may lead to a quick depletion of your machine storage space.

Step 4: Enable session recording at the account level or at folder level

You have the option to select only the specific accounts whose sessions are to be recorded. Navigate to Accounts, select the required account from the panel on the left. To select it, click the square checkbox.

Then click ‘More’ and scroll down to select ‘Configure session recording’.

On clicking ‘Configure Session Recording’ , you will be directed to a screen, where you can enable session recording for that specific account. If you want to disable session recording in the future for this specific account, you can disable it by deselecting the option. Click ‘Save’.

Enable session recording for a folder

Similarly, you can configure session recording for all accounts of a folder. To do this, first navigate to Folders.

  • Select a Folder or Sub-Folder
  • Move to the RHS and click ‘Settings’
  • Select ‘Session recording’ from the bottom right
  • You will have the option to switch session recording on for this folder, enable that by clicking the toggle. If you need to stop session recording in that folder, deselect the toggle.

How to Manage and Access Sessions?

Under Sessions you can access both the Active remote sessions and Recorded sessions tabs.

How to Playback Recorded Sessions?

You can playback the recorded sessions anytime as needed. The list of all recorded sessions are listed in Sessions>>Recorded Sessions. You can search and select the required session and then click the ‘Playback’ button located at the right hand side. There are no prerequisites needed for playback. Securden provides its own player.

Search keystroke activity

You can also search for specific keystroke activities of the users and playback those sessions. A keystroke is the press of a single key on the keyboard. If a user has used a specific Keystroke during the session, the action will be listed on the search.

For example, if the user has keyed in ‘pass’ from his keyboard during his connection. Then on entering the same text in the search, the details of the session will be displayed.

Monitor active remote sessions

While the playback option is helpful in forensic analysis, you can use the real-time monitoring too. This can be used to terminate sessions over any suspicious activity immediately.

You can monitor and shadow the ongoing remote sessions launched by the users using Securden PAM. The list of sessions that are active at the moment will be shown in the Active Remote sessions tab under Sessions.

Note: Refresh the sessions page to see sessions in progress if it doesn’t show initially.

  • The ‘Monitor’ icon- Lets you view a session live
  • The ‘Terminate’ icon - Lets you end an active session if you have the privilege to do so

When you click ‘monitor’, you will be asked if you want to shadow the session, on clicking ‘Shadow the session’, you will be directed to a live screen where you can monitor the active session. The user active in the session will not be notified if he is being shadowed.

How to Deploy a Session Recorder on Windows Endpoints?

Securden offers an advanced option to record all sessions on specific machines (running Windows OS) irrespective of whether the sessions are launched from Securden PAM or even outside of it (directly connecting to the remote machine).

To do this, you need to deploy the session recorder utility on the remote machines whose sessions are to be recorded.

To do this, Navigate to Admin >> Remote sessions and recordings >> Windows Session Recorder.

Install manually on the machine

You can choose to download and install for 32 bit or the 64 bit MSI installer according to your system configurations.

Install using GPO

You may also install through GPO on multiple machines. The instructions to do that are provided in the GUI on clicking ‘Following the procedure detail here’.

You can deploy Securden session recorders on endpoints and servers. The recorders can be deployed on endpoints running Windows 7 and later; and Windows Server 2008 and later.

You can choose to download and install for 32 bit or the 64 bit MSI installer according to your system configurations.

The VB script recorder is an alternative to the msi software so it can run on older servers or computers which support VBScript.