Privileged Session Recording

  1. Overview

    1.1 How secure is session recording?

  2. Steps to configure session recording

    2.1 Through the Resources tab

    2.2 Through the Admin tab

  3. Viewing the recorded sessions
  4. Splitting of session recordings
  5. Session shadowing/real-time session monitoring

    5.1 Monitoring sessions in parallel

    5.2 Terminating a suspicious session

    5.3 Deleting selective session recordings

1. Overview

PAM360 can record, play back, and archive privileged sessions launched from its interface, to support forensic audits and allow enterprises to monitor all actions performed by privileged accounts during privileged sessions. Session recording caters to the audit and compliance requirements of organizations that mandate proactive monitoring of activities, thereby enabling administrators to readily answer the ‘who,’ ‘what’ and ‘when’ questions of privileged access. You can use PAM360 to record Windows RDP, SSH/Telnet, and SQL sessions launched from PAM360's interface.

1.1 How Secure is Session Recording?

PAM360 employs a first-in-class, browser-based remote login mechanism for the session recording process. From any HTML5-compatible browser, users can launch highly secure, reliable and completely emulated Windows RDP, SSH and Telnet sessions with a single click, without the need for an additional plug-in or agent software. Remote connections are tunneled through the PAM360 server, requiring no direct connectivity between the user device and the remote host. In addition to superior reliability, the tunneled connectivity provides extreme security, as the passwords needed to establish remote sessions do not need to be available at the user’s browser. The session recording capability is an extension of the robust remote login mechanism of PAM360.

From version 6500, PAM360 comes bundled with RDP, SSH and Telnet session gateways. This allows users to launch remote terminal sessions from their browser that are tunneled through the PAM360 server. The remote terminal sessions are emulated in the browser screen itself, so there is no need to install any plug-in or agent on any of the endpoints. The only requirement is that the browser should be HTML5-compatible (for example, IE 9 or above, Firefox 3.5 or above, Safari 4 or above, and Chrome).

2. Steps to Configure Session Recording

There are two ways to configure remote session recording:

2.1 Through the Resources tab

2.2 Through the Admin Tab

2.1 Through the Resources Tab

  1. Navigate to the Resources tab and select the resources for which you want to configure session recording.
  2. Go to Resource Actions >> Configure >> Session Recording.
  3. In the pop-up form that opens, select the options Record RDP sessions and/or Record SSH, Telnet and SQL Sessions as required and click Save.

Note: The recordings will be stored by default in the path <PAM360_Install_Directory\PAM360\recorded_files>. This external location to store recordings can be changed at any time by navigating to Admin >> Configuration >> Session Recording.

2.2 Through the Admin Tab

  1. Navigate to Admin >> Configuration >> Session Recording.
  2. In the pop-up form that opens, select the options Record RDP sessions and/or Record VNC sessions and/or Record SSH, Telnet and SQL sessions as required.
  3. Enter a valid path to store the recorded sessions under External Location for Recorded Sessions. You can also set a backup directory for storing the recordings, in which case the recorded files will be stored in both locations.
  4. To purge the records that are older than a specified number of days, enter the number under Purge recorded sessions that are more than -- days old. You can disable purging by leaving the text field empty or by entering 0 as the value.
  5. Click Save to save the changes. Now, the session recording feature becomes available as soon as an administrator adds a resource that supports one of these remote terminal session types (RDP, SSH, Telnet).
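The storage settings above (a primary location, an optional backup directory that receives the same files, and a purge window where an empty value or 0 disables purging) can be checked from outside the product. The following is an added example, not PAM360 code: it hash-compares the two directories and lists files older than the purge window. The directory layout, the `.rec` file names, and the use of file modification time as the recording's age are assumptions made for illustration.

```python
import hashlib, os, tempfile, time
from pathlib import Path

def index(root):
    """Map relative file path -> (sha256 hex digest, mtime) under root."""
    out = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            out[p.relative_to(root).as_posix()] = (digest, p.stat().st_mtime)
    return out

def audit_recordings(primary, backup, purge_days=None, now=None):
    """Compare the two recording stores and flag files past the purge window."""
    now = time.time() if now is None else now
    pri, bak = index(primary), index(backup)
    both = set(pri) & set(bak)
    report = {
        "missing_in_backup": sorted(set(pri) - set(bak)),
        "missing_in_primary": sorted(set(bak) - set(pri)),
        "content_mismatch": sorted(n for n in both if pri[n][0] != bak[n][0]),
        "past_retention": [],
    }
    # Per the page, an empty field or 0 disables purging.
    days = int(purge_days or 0)
    if days > 0:
        cutoff = now - days * 86400
        # Assumption: file mtime stands in for the recording's age.
        report["past_retention"] = sorted(
            n for n, (_, mtime) in pri.items() if mtime < cutoff)
    return report

def build_sample():
    """Constructed sample: two temp directories with made-up file names."""
    root = Path(tempfile.mkdtemp())
    pri, bak = root / "recorded_files", root / "backup"
    pri.mkdir()
    bak.mkdir()
    for name, data in [("s1.rec", b"aaa"), ("s2.rec", b"bbb"), ("s3.rec", b"ccc")]:
        (pri / name).write_bytes(data)
    (bak / "s1.rec").write_bytes(b"aaa")        # intact copy
    (bak / "s2.rec").write_bytes(b"altered")    # copies differ
    now = time.time()
    old = now - 40 * 86400                      # older than a 30-day window
    os.utime(pri / "s1.rec", (old, old))
    return pri, bak, now

if __name__ == "__main__":
    pri, bak, now = build_sample()
    print(audit_recordings(pri, bak, purge_days=30, now=now))
```

A file listed under `content_mismatch` or missing from one side is a discrepancy to explain before the recording is relied on as audit evidence; a non-empty `past_retention` list with purging enabled suggests the purge is not being applied.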

3. Viewing the Recorded Sessions

View the recorded sessions from the Audit tab in the PAM360 interface by following the steps below. You can trace sessions using any detail such as the name of the resource, the user who launched the session, or the time at which the session was launched.

  1. Navigate to Audit >> Recorded Connections.
  2. Click Play against the recorded session which you want to view. While viewing a recorded session, click the seek bar to skip a part of the recording and progress.

4. Splitting of Session Recordings

Starting from version 9902, PAM360 gives you the option to split larger session recording files from the SSH and Telnet remote sessions into several smaller files. This will ensure a smooth, uninterrupted session playback without a buffer time. By default, this option is disabled in PAM360.

To enable the feature:

  1. Go to Admin >> General Settings >> Miscellaneous.
  2. Select the option Enable splitting of SSH and Telnet session recordings into multiple files.

5. Session Shadowing/Real-time Session Monitoring
(Feature available only in the Enterprise Edition)

PAM360 lets administrators monitor the privileged sessions on highly sensitive IT resources. Shadowing allows admins to join active sessions, observe user activities in parallel, and terminate them in case of suspicious activities. Admins can also offer assistance to users while monitoring the users’ activities during troubleshooting sessions.

5.1 Monitoring Sessions in Parallel

  1. Navigate to Audit >> Active Privileged Sessions.
  2. Trace the session to be monitored through the name of the resource.
  3. Click the Join button. You will be able to view the session in parallel.

5.2 Terminating a Suspicious Session

  1. Navigate to Audit >> Active Privileged Sessions.
  2. Trace the session to be monitored through the name of the resource.
  3. Click the Terminate button. The remote session will be terminated and the user will lose connection with the remote resource.

5.3 Deleting Selective Session Recordings

  1. Navigate to Audit >> Recorded Connections.
  2. Choose the session you want to delete and then click the delete icon beside it under the Delete column.
  3. You can choose to delete either the recording of the session or the chat logs of a particular session.

     Note: In order to delete selective sessions from the PAM360 database, there should be at least two active administrators, including yourself. This is to ensure that no important session is deleted without proper confirmation.

  4. Once you have chosen to delete the chat log or the session recording, a dialog box will appear prompting you to confirm the action.
  5. The other administrator(s) will be notified and a request for approval will be sent to them. They can either approve or reject this decision. Note that the deletion process requires the consent of just two administrators, i.e., if an administrator apart from you approves, then the deletion will take place, irrespective of the approval of the other administrators (if any).
  6. Based on whether the session files are present in the system or in any external device, their deletion will take place as explained below:
     • Scenario 1: If the file is present in the system, PAM360 will delete the recording once the request has been approved by another administrator.
     • Scenario 2: If the recordings are present in an external device and not in PAM360 during this process, PAM360 will run a system scheduler to delete these files. In this case, the file(s) will be deleted only if the external device containing the session recordings is connected to the PAM360 server when the scheduler runs.

Note: Once the deletion of a recording has been approved but the action hasn't been carried out yet as explained in scenario 2 above, PAM360 will temporarily disable the video recording until deletion and it cannot be viewed by anyone including the administrators.

©2019, ZOHO Corp. All Rights Reserved.