Auditing Terminal Services with ObserveIT

ObserveIT delivers one of the most awaited features in server-based computing, namely session recording.  It is especially useful where you have confidential departments and need to audit every action that users perform.  Another major advantage of session recording is root cause analysis.  Imagine being able to replay any action performed by privileged users or external vendors: you become all-seeing and, as a result, you can audit who did what, on which server.

With ObserveIT you get a visual auditing tool that enables the administrator to discover precisely what was done on the servers.   Since the product is agnostic to protocol and software, it captures and stores activity coming from ALL methods of remote access to the server, including RDP, VNC, TS, Citrix, Netop and DameWare.

Installing ObserveIT

ObserveIT has four components: a database, an application server, an agent and a web console. The agent runs locally on every machine where recording is needed; it does not install as a service, but is started the moment a user opens a session on that server. The application server and the web console are both based on IIS, and can be installed on the same machine or on separate machines.

The database component requires Microsoft SQL Server 2000/2005; again, it can be installed on the same server as the application server and management web console, or on one of your existing SQL servers.

The installation can be done in two ways: the so-called ‘one click installation’, or a custom installation. The one click installation is particularly suitable where the web console and the application server are installed on the same machine. If you need to change the defaults, use the custom installation as described in the (clear) manual.

All that the installation wizard needs is the name of the server hosting the Microsoft SQL services, and the name of an account that can create the databases automatically.  Other than that, it’s just a click to accept the license agreement.

Next, install the agent on each server that you wish to monitor and record. This can be a regular server that is a member of the domain, or a standalone machine in your firewall’s perimeter network.  The ObserveIT agent is especially useful for Terminal Servers (including Windows 2008 TS features).  The agent can also be installed from an MSI file with unattended parameters.

Configuring ObserveIT

After the installation is complete, all of the management and configuration tasks are performed through the web-based console.  Using the configuration tab you can add more operators/administrators, configure SMTP settings, and check the settings on the agents.  One key decision is which users you should monitor.   If you prefer to delegate particular types of server to particular administrators, you can create groups of servers (for example, Terminal Services or email) and then delegate each group to other administrators based on their role.

All the configuration settings are grouped into Configuration Policies; you then assign each server to the appropriate policy.

One option worth looking into is the Identification Services provided by ObserveIT. This is very useful when, for example, server people in the IT department share a single account to administer the servers (a generic account like the built-in ‘Administrator’). You can specify that when anyone uses such an account on a monitored server, they must identify themselves once again, using a personal account defined within ObserveIT. In this way, even with a generic account, the actual person logging in can be identified.   If it were me I would lock down the Administrator account and make everyone use their own account, but I know that does not fit with every organization’s modus operandi.
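The attribution problem that Identification Services solves is easy to check for in your own session data. The following is an added illustration, not ObserveIT's code or its data model: it takes a constructed list of session records (the `Session` fields, the `SHARED_ACCOUNTS` set and the sample user names are all assumptions made for the example), treats a logon on a shared account as attributable only if a secondary personal identity was supplied, and reports the sessions that cannot be tied to a person.

```python
from dataclasses import dataclass
from typing import Optional

# Generic accounts that the secondary identification policy should cover.
# Constructed list; "Administrator" is the built-in account the article mentions.
SHARED_ACCOUNTS = {"administrator", "svc_build"}


@dataclass(frozen=True)
class Session:
    session_id: str
    server: str
    account: str                  # Windows account used for the logon
    logon_time: str               # ISO-8601 timestamp (constructed)
    identified_as: Optional[str]  # personal identity given at the secondary prompt, if any


# Constructed sample sessions: two shared-account logons, one of them never identified.
SESSIONS = [
    Session("s-001", "TS01",   "Administrator", "2009-03-02T08:15:00", "j.smith"),
    Session("s-002", "TS01",   "Administrator", "2009-03-02T09:40:00", None),
    Session("s-003", "MAIL01", "a.jones",       "2009-03-02T10:05:00", None),
    Session("s-004", "TS02",   "svc_build",     "2009-03-02T11:30:00", "p.brown"),
]


def accountable_person(session: Session) -> Optional[str]:
    """Return who is accountable for a session, or None if it cannot be attributed."""
    if session.account.lower() in SHARED_ACCOUNTS:
        # A shared account tells you nothing; only the secondary identity counts.
        return session.identified_as
    # A personal account identifies the person by itself.
    return session.account


def unattributed_sessions(sessions):
    """Sessions on a shared account where no personal identity was ever supplied."""
    return [s for s in sessions if accountable_person(s) is None]


def attribution_report(sessions):
    """Map session id -> (server, accountable person or 'UNKNOWN')."""
    return {s.session_id: (s.server, accountable_person(s) or "UNKNOWN")
            for s in sessions}


if __name__ == "__main__":
    for s in unattributed_sessions(SESSIONS):
        print(f"{s.logon_time} {s.server}: shared account '{s.account}' "
              f"used without secondary identification")
    for sid, (server, who) in attribution_report(SESSIONS).items():
        print(sid, server, who)
```

The point of the report is the `UNKNOWN` rows: each one is a privileged session that a compliance reviewer cannot attribute, which is exactly the gap a mandatory secondary identification prompt (or, better, abolishing the shared account) closes.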

When ObserveIT is being used to record Published Applications/RemoteApp sessions, you need to include the executable ObserveIT.Client.exe in a login script.  Once again the product documentation comes up trumps and provides detailed instructions for setting up this login script.

Using ObserveIT

Recording starts as soon as you install the agent and it connects to the application server.   You can review the recordings in the management web console.

There are three tabs in the web console. The first tab displays the recordings per server. When the server and period of time are selected, the recordings are presented by logon time per user (the activities part). You can also view and sort the recordings by ‘Started applications’.  I think of this first tab as the Server Diary.

The second tab provides a user-centric view.  From this tab you can view user activity: specify the user and the time period, and ObserveIT shows the activities within the chosen time-frame.  Just as with the Server tab, you can audit based on activities (per logon) or per accessed item/application.  I think of this second tab as the User Diary.

The third tab is for Reports; here you can filter the recorded sessions by time period, user, server and/or application.  This last option uses keywords to find an activity.

ObserveIT’s unique feature is that it captures metadata; the advantage is that you can home in on a particular time-frame without having to replay the whole ‘movie’.  Using the metadata, you can simply expand a recorded session and immediately get to the exact point in time where the user did the deed.  This saves a lot of time if you know what event you are looking for.  ObserveIT can also export any recording to a single executable, so the evidence can be viewed by other people, such as line managers, who are not authorized to use the ObserveIT console.

Besides manually looking for recordings, ObserveIT also has a context-sensitive search inside the database; this is invaluable in finding all the instances where the same application was accessed.  All you need to do to see the browser window is press the F12 key.  This technique is handy as a troubleshooting tool, and also for viewing the configuration history of the application you’re interested in.
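Why metadata makes a recording searchable, and how "every instance where the same application was accessed" becomes a lookup rather than a replay, can be shown with a small model of the idea. This is an added example, not ObserveIT's code or its database schema: it assumes that each recorded frame carries the user, server, process name and window title (the `Event` fields are assumptions), indexes a constructed set of events by application, and answers keyword queries with the session id and the offset into the recording, which is the jump point an auditor would open.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    session_id: str
    offset_s: int        # seconds into the recording: the point to jump to
    user: str
    server: str
    application: str     # process name captured with the frame
    window_title: str    # window title captured with the frame


# Constructed sample metadata, as if captured alongside three recordings.
EVENTS = [
    Event("s-001", 0,   "j.smith", "TS01",   "explorer.exe", "Administrator"),
    Event("s-001", 95,  "j.smith", "TS01",   "mmc.exe",      "Terminal Services Configuration"),
    Event("s-001", 340, "j.smith", "TS01",   "regedit.exe",  "Registry Editor"),
    Event("s-002", 0,   "a.jones", "MAIL01", "explorer.exe", "Administrator"),
    Event("s-002", 120, "a.jones", "MAIL01", "mmc.exe",      "Exchange System Manager"),
    Event("s-003", 30,  "p.brown", "TS02",   "mmc.exe",      "Terminal Services Configuration"),
]


def build_index(events):
    """Index events by lower-cased application name so 'same application' lookups are direct."""
    index = defaultdict(list)
    for e in events:
        index[e.application.lower()].append(e)
    return index


def sessions_using(index, application):
    """Every (session, offset) point where the application was in use, ordered by session."""
    hits = index.get(application.lower(), [])
    return sorted((e.session_id, e.offset_s) for e in hits)


def search(events, keyword):
    """Case-insensitive keyword search over application name and window title.

    Returns jump points (session id, offset, user, server) instead of whole recordings,
    which is what lets a reviewer skip straight to the moment of interest.
    """
    kw = keyword.lower()
    return [(e.session_id, e.offset_s, e.user, e.server)
            for e in events
            if kw in e.application.lower() or kw in e.window_title.lower()]


if __name__ == "__main__":
    idx = build_index(EVENTS)
    print("mmc.exe was used at:", sessions_using(idx, "mmc.exe"))
    print("registry hits:", search(EVENTS, "registry"))
```

Without the metadata the only way to answer "who opened the Registry Editor last week" is to replay every recording; with it, the answer is a list of jump points, and the replay is reserved for confirming what the metadata already found.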

Sticky Notes are another feature of ObserveIT. With sticky notes you can define a message that pops up when another person accesses the same application/window.  For example, you can set a message that an option should not be enabled because there are issues with that component.

Managing ObserveIT

One very important part of ObserveIT is the internal audit option.  For example, you can view which persons have viewed which recordings: a necessary option if you have to satisfy privacy regulations.

Other management related features are available via the appropriate tab. For example, the Server Diary tab shows each installed software program together with its characteristics.  Turning to the reports tab, you can create a report of which software was installed or uninstalled within a time period.

ObserveIT Conclusion

For a long time session recording has featured high on every network manager’s wish list.  ObserveIT offers more than just session recording, because it has the ability to break down what was done, and by whom.  Through using ObserveIT you can record the users’ actions not only for compliance and auditing, but also for root cause analysis.

What Next?

  1. Download your copy of ObserveIT (Bottom right of screen) 
  2. See a demonstration of ObserveIT
  3. Try a live hosted demo of ObserveIT
