design and implementation of administrator session monitoring

Design and Implementation

of Administrator Session Monitoring

© 2014 Hitachi ID Systems, Inc. All rights reserved.

http://Hitachi-ID.com/

http://Hitachi.com/

Contents

1 Introduction 1

2 Business drivers for recording login sessions 1

3 Which login sessions should be recorded? 2

4 What data should be captured? 2

5 Data format and volume 3

6 Where to insert instrumentation 4

7 Visible or stealth surveillance 6

8 Tamper-proofing the recording process 6

9 Planning for network bandwidth and storage requirements 7

10 What to do in the event of a termination 7

11 Privacy protection and access controls 8

12 Summary 9

APPENDICES 10

A Hitachi ID Privileged Access Manager overview 11

B Session monitoring in Hitachi ID Privileged Access Manager 14

i

Design and Implementation of Administrator Session Monitoring

1 Introduction

This document introduces the business case for implementing a session monitoring system to record loginsessions to privileged accounts. It examines a series of technological design decisions that must be con-sidered when developing a session monitoring system and offers guidance about how such a system mightbe best deployed and managed in practice.

2 Business drivers for recording login sessions

There are three main business drivers for recording the activity of users as they sign into privileged ac-counts:

1. Forensic audits:

In the event that an IT user is under suspicion or has been found to act unethically or illegally, it ishelpful to be able to play back all of that user’s activity, to see what inappropriate actions they mayhave taken. This data may be required as supporting evidence if the user must be terminated andmay be needed in the course of legal proceedings thereafter. This data may also be needed to findand reverse any harmful changes the user has made to systems or data.

2. Accountability:

The knowledge that their actions are being recorded and that they may be held accountable for themmay alter user behaviour for the better.

3. Knowledge sharing:

Recording user activity makes it possible to replay work. This can aid in knowledge sharing, under anumber of scenarios:

(a) A user records the steps taken to complete a task and shares this recording with peers, in thecontext of training. This is intentional, planned knowledge sharing.

(b) One user accesses a recording of another’s actions from some time in the past, to learn howa task was performed. This may be done with or without the original user’s active participation.This is ad-hoc, after-the-fact knowledge sharing.

© 2014 Hitachi ID Systems, Inc.. All rights reserved. 1


3 Which login sessions should be recorded?

When deploying a session recording system, the first question is which sessions to record. There areseveral possibilities:

1. All sessions, by all users.

2. All sessions to sensitive, by any user with access to those systems.

3. All sessions by high-risk users (i.e., users whose actions could cause harm).

The cost and impact of session recording technology directly affects how this question is answered. If cap-turing more sessions is relatively inexpensive and if it does not noticeably slow down the work of the affectedusers, then it makes sense to record more sessions. Conversely, as the cost of capture, transmission andstorage rise, the motivation to more carefully target what is and what is not recorded diminishes.

In the context of session recording of system administrators, Hitachi ID Systems recommends that all loginsto sensitive accounts should be recorded.

In the context of session recording of high-risk business users – for example, HR staff, financial traders, etc.– Hitachi ID Systems recommends that all logins by those users, to any system, should be recorded.

Over time, as the cost of storage and bandwidth continue to decline, it may make sense to record all loginsessions by all users to all systems. Hitachi ID Systems does not recommend this approach at the time thatthis document was prepared (mid-2011).

4 What data should be captured?

The data that can be recorded from a modern, graphical user interface is extensive. It includes:

1. Screen captures – i.e., image files of the contents of a single application or of a user’s graphicaldesktop.

2. Process information, such as the names of and arguments passed to running programs.

3. User interface elements, such as window titles, labels and text from input fields.

4. Keyboard events, such as key presses and releases.

5. Pointer device (mouse) events, such as movement and button clicks.

6. The contents of the operating system copy buffer.

7. Filesystem events, such as mounting or detaching network drives or removable media.

8. File transfers, such as copying files from one filesystem to another.

9. Video or image streams from a video capture device such as a webcam.



10. Network data transfers, such as e-mails or web pages.

At a minimum, when recording the login sessions of a user into an administrator-level account, it makessense to capture what they typed and what the system displayed. This means video capture as well ascapture of input from both the keyboard and copy buffer.

Regarding video capture, it may make sense to capture the user’s entire desktop, so that in the event thatthe user downloaded a file with sensitive data to his computer, the recording will show what he then didwith that file? For instance, if a sensitive file was briefly examined – as would be normal in the contextof troubleshooting – and then deleted, the action can be taken to be innocuous. On the other hand, if asensitive file was copied to a USB flash drive or sent to the user’s personal GMail account, the action canbe interpreted as malicious.

Regarding input capture, it makes sense to capture both keyboard events and copy buffer contents. Thisis because the user may have constructed commands in advance and pasted them into the login session,without generating any keyboard events.

Finally, it may make sense to capture webcam video. This is useful in the event of serious misconductleading to legal proceedings. When this happens, the user in question is likely to claim that the recordedactions were taken by someone else – i.e., “that wasn’t me – someone must have stolen my password!”With webcam capture, this argument won’t work, since images of the user who performed the actions inquestion will accompany screen captures and input events.

5 Data format and volume

There are two broad categories of data that may be captured by a session recording system:

1. High volume, unstructured data, principally video capture from the screen and possibly web camera.

2. Low volume, structured data, principally keyboard events, copy buffer contents, process IDs, UI ele-ments, etc.

It makes sense to store the low volume data stream in a database, so that it can be manipulated andsearched.

Modern databases do not cope well with large volume data such as video. It therefore makes sense to storeonly pointers to this data set in the database and store the actual raw data either on a filesystem or in acontent archiving system.

For data stored on a filesystem, the next question is how to encode it. For efficiency, it makes sense tocapture differential data (i.e., what changed from one screen capture to the next) and to compress thedata. For screen capture, lossless compression such as PNG makes sense, since the data is normally veryuniform. For web cam capture, lossy capture makes more sense, since the input stream consists of more“natural” lighting and scenes. For this, it makes sense to capture JPEG files.

In either case, when constructing videos for playback, it is important to use standard encoding and packag-ing, such as MPEG4 or AVI. This ensures that popular playback programs can be used.



6 Where to insert instrumentation

When a user connects to a privileged account on a server, there are three basic places where the connec-tion can be instrumented for recording:

1. On the user’s own PC.

2. On the server to which the user connects.

3. On the network in between these two endpoints.

Each of these approaches has its own pros and cons:

Monitor user PCsPros Cons

• Nothing to install on servers.• Works with every type of server – operating

systems, databases, network devices,applications, etc.

• May require software to be installed on manycomputers.

• User might be able to tamper with and disablemonitoring.

• Implies uniform types of endpoint devices, or atleast a limited set of options (e.g., all Windows,or Windows+Mac, etc.).

Monitor managed systems

Pros Cons

• Nothing to install on user PCs.• More difficult to bypass.• Can monitor user sessions even if they are

made directly to the console of a server, not viaa privileged access management system at all.

• Potentially destabilizing change control onsensitive servers, to install invasivesurveillance code.

• Only compatible with a few types of servers.For example, this approach is not likely to workwith relatively closed systems such as networkdevices or with vertical market or customapplications.



Monitor network (proxy)

Pros Cons

• Nothing to install on either user endpointdevices or servers.

• Compatible with multiple types of endpointdevices.

• Difficult or impossible for users to disablemonitoring.

• Since a specific proxy is required for each typeof application (e.g., SSH, RDP, etc.), onlyworks for some types of servers.

• Quite difficult to add support for newapplications or even new versions of oldapplications (e.g., new version of RDP, SSH,SQL clients, etc.).

• Difficult or impossible to capture everythingthat happens with SSH, since users can usethat to proxy other connections, including otherSSH connections.

• Session playback is a difficult problem,especially for complex and multi-layeredclient/server protocols.

• Creates a single point of failure for systemadministration (the proxy).

• May introduce performance problems inadministrator sessions.

Examples can help clarify this analysis:

• Assuming a client based approach is used, which instruments Windows PCs used by administrators.If an administrator wishes to connect to a system from a Mac or Linux PC or using a smart phone ortablet, then monitoring of a direct connection will not be possible. Instead, assuming that monitoringis mandatory, the user will have to first launch a connection to a Terminal Services or Citrix server andfrom there – where monitoring is available – connect to the managed system.

• Assuming that a proxy-based approach is used, users will no longer be able to sign into managedsystems directly. Instead, they must connect to the proxy, which forwards their connection to themanaged system and also records it. While any protocol can be recorded this way, conversion ofa recorded data stream to a human-legible video requires a deep understanding of the protocol inquestion. This means that in practice only a handful of versions of a handful of the most popularprotocols – remote desktop (RDP), secure shell (SSH), Telnet/TN3270 and perhaps some SQL variant– will be recorded. This strictly limits the ability of the system to monitor all administrator logins, toall systems. This approach also does not work if a user signs directly into the console of a managedsystem.

• Assuming that a proxy-based approach is used, even console logins can be recorded. On the otherhand, support for only the most common and most open types of managed systems is possible – mostlikely just Windows and Linux servers. Connections to network devices, applications and databaseswill simply not be possible.

In practice, multiple approaches can be combined. In particular, the client-based and server-based ap-proaches work well together as they provide lightweight and protocol-neutral session monitoring in generalplus a hard-to-bypass solution for the most sensitive servers, with the two mechanisms sharing the sameplayback technology.



7 Visible or stealth surveillance

With a proxy-based monitoring solution, the fact that sessions can be recorded is self-evident. This is notnecessarily true of recording on the user’s PC or on a system to which the user connects.

When a user’s login session – on the console of his own PC or connected via an application such as RDP,SSH or SQL Studio to another system – is recorded, the recording process itself may be evident to the useror stealthed. Stealth recording means that there are no obvious user interface elements to indicate to theuser that recording is happening. It should be noted that a sophisticated user will always be able to tell thatmonitoring is happening – by inspecting the computer’s process table, network traffic or simply by notingthat the activity indicator lights up on his web cam.

In general it seems reasonable to inform users that recording is happening:

1. This is less likely to violate privacy-protection legislation.

2. Awareness of monitoring is likely to encourage business-appropriate behaviour on the part of users.

If stealthy monitoring is chosen, the process should be reviewed by an organization’s legal counsel. More-over, an explanation should be made ready for users who detect that their logins are being recorded despitestealth measures.

8 Tamper-proofing the recording process

When a proxy-based solution is used, there may simply be no network path that allows users to bypass therecording system.

When monitoring is launched from a user’s PC, it should be linked to the login session, so that any inter-ference with the monitoring process itself or with the recording data stream sent to the monitoring servercauses (a) an alarm and (b) the login session to be automatically disconnected.

When monitoring is implemented directly on a managed system, it should likewise be configured to detectinterference and automatically sign off any logged in users in the event that surveillance is interrupted.

In some cases, it may be desirable to allow users to establish and maintain login sessions even in theevent that session recording is non-functional. This may be the case in the event of a network outage thatinterrupts connectivity to the session recording server, for instance. In these cases, at least a local cache ofrecorded data should be maintained. A business decision must be made to choose which is more important– the ability to sign into and manage systems, even if session recording is not available – or the assurancethat all administrative logins are recorded. It is likely that a different choice will be made on each system,depending on how highly available that system must be versus the sensitivity of data on that system.



9 Planning for network bandwidth and storage requirements

Session recordings can generate terabytes of data, mainly due to video capture. A single user whose PC isinstrumented, generating one screen shot of his desktop per second, will generate about 10 kBytes/secondof data per monitor. In comparison to this, structured data (keystroke events, etc.) adds a negligible amountof data.

This data stream must be transmitted from the user’s PC to a central storage server and from there perhapsreplicated to a backup location. Assuming that a user’s entire work day is subject to surveillance, thisamounts to:

1. Bandwidth from user to server: 10kBytes/sec.

2. Data on server: 290MByte/day (8 hours/day); 64GByte/year (220 work days/year).

Assuming that 100 users are being monitored this scales up to:

1. Bandwidth from 100 users to a single server: 1MBytes/sec or 10MBits/sec.

2. Data on server: 29GByte/day (8 hours/day); 6.4TByte/year.

While these storage requirements are manageable with contemporary technology, if the data is replicatedthis means data transfer of 29GByte/day – over a wide area network this is significant.

Assuming that 7 years of data are retained to support possible future forensic audits, this amounts to 45TBof storage.

10 What to do in the event of a termination

Session recording is very helpful in the event that a user with access to privileged accounts has to beterminated:

1. At the point of termination, the active communication between the user’s PC and managed systemscan be leveraged to actively disconnect any currently logged-in sessions.

2. Post termination, recent user activity can be reviewed to see if the user has taken any inappropriateactions.



11 Privacy protection and access controls

In most jurisdiction, it is reasonable for employers to monitor the activity of their employees and contractors,so long as:

1. The surveillance takes place at the workplace.

2. The surveillance takes place on employer-owned equipment.

In some jurisdictions, there may be a third requirement, which is to make sure that users are aware of thesurveillance.

These criteria create some boundary cases which organizations should consider carefully and avoid wher-ever possible:

1. Regarding video capture (i.e., web cam surveillance) – it is important to only enable it on corporatecomputers and only when those computers are known to be physically in an employer-owned location/ facility and perhaps even only in a location that is closed to outsiders.

2. It should be understood that if a user who can legitimately be monitored uses a corporate computerfor some private activity while at work – even where this is perfectly legitimate and reasonable – thatactivity will be captured. For example, if a system administrator takes a break and does some on-linebanking, his bank account number and password may be captured along with his work.

To mitigate the risks of inappropriate compromise of employee or contractor privacy, it is essential to imple-ment security measures to ensure that access to recordings is legitimate and authorized in all cases. Sincethe simple act of performing a search on the database of recordings may yield privacy-related information, itmakes sense to authorize access to recordings in two steps: First, request and approve the right to performa specific search. Second, request and approve the right to retrieve the recording from a specific session.



12 Summary

Session recording is a powerful technology that enables organizations to create accountability, generateforensic audit trails and support knowledge sharing. The advent of inexpensive broadband networks andlarge storage systems makes it feasible to record and archive large numbers of login sessions in detail.

When designing a session monitoring system, it is important to take into consideration compatibility withboth end user devices and back-end systems. Other parameters, such as tamper-proofing the system,making users aware of its operation, protecting the privacy of users by controlling when recordings happenand who can retrieve them are also all very important.

A session recording system can generate large volumes of data. Because of this, it is important to plan inadvance for the network bandwidth and storage requirements of the system.



APPENDICES



A Privileged Access Manager overview

Overview:

Hitachi ID Privileged Access Manager is a system for securing access to privileged accounts. It works byregularly randomizing privileged passwords on workstations, servers, network devices and applications.Random passwords are encrypted and stored on at least two replicated credential vaults. Access to privi-leged accounts may be disclosed:

• To IT staff, after they have authenticated and their requests have been authorized.• To applications, replacing embedded passwords.• To Windows workstations and servers, which need them to start services.

Password changes and access disclosure are closely controlled and audited, to satisfy policy and regulatoryrequirements.

Features:

Privileged Access Manager secures privileged accounts with:

• Random passwords:

Privileged Access Manager is designed to change as many as 2,000,000 passwords per day to new,random values. This minimizes the window of opportunity that hackers and former users have tocompromise systems and applications.

• Encrypted, replicated vault:

Privileged Access Manager stores randomized passwords in an encrypted and replicated vault. Thisprotects against unauthorized access to passwords and against loss of access to data because of ahardware failure or physical disaster.

• Many built-in connectors:

Privileged Access Manager ships with built-in integrations for over 110 systems and applications. Thatmeans that it can secure access to sensitive accounts on most servers, directories, network devices,databases and applications without customization.

• Laptop support with a local service:

Privileged Access Manager also ships with software that can be installed on laptops running Windowsor Linux. This allows it to secure access to computers that are sometimes turned off, unplugged fromthe network, change IP addresses or physically removed from the premises.

• Access control policy engine:

Security officers set policy on Privileged Access Manager to control who can access which accounts.For example, Windows administrators can be granted access to local Administrator accounts, Unix



administrators can be allowed to login as root, etc. The policy engine is very flexible, as it connectsgroups of administrators to named accounts on groups of systems.

• Workflow for one-time access requests:

Privileged Access Manager includes a powerful workflow engine that allows users to request one-timeaccess to privileged accounts. Requests are subject to policy (who can ask, who must approve).

The workflow engine leverages e-mail to invite authorizers to act and a secure web form for approvals.Timely response is assured by inviting multiple authorizers, sending automated reminders, escalatingrequests from non-responsive authorizers to alternates and more.

• Flexible access disclosure options:

Rather than displaying passwords to users, Privileged Access Manager can:

– Launch RDP, SSH, SQL Studio, VMWare vSphere and similar sessions, injecting passwordswithout displaying them.

– Temporarily attach the authorized user’s Active Directory account to a local security group on thetarget Windows server.

– Temporarily attach the authorized user’s SSH public key to the authorized_users key ring on thetarget Unix or Linux server.

• Session recording:

Privileged Access Manager can be configured to record screen, keyboard and other data while usersare connected to privileged accounts. The recording may be of just the window launched to connecta user to a privileged account or of the user’s entire desktop.

The session recording system is tamper resistant – if users attempt to interrupt recording, their loginsessions to privileged accounts are disconnected and an alarm is raised.

Session recordings may be archived indefinitely and may serve a variety of purposes, ranging fromknowledge sharing and training to forensic audits. Access to recorded sessions is secured through acombination of access control policies and workflow approvals, designed to safeguard user privacy.

The Privileged Access Manager session monitoring infrastructure is included at no extra cost. It worksusing ActiveX components and does not require software to be permanently installed on user PCs.There is no footprint on managed systems and no proxy servers are used.

Session monitoring is compatible with all administration programs and protocols, as it instruments theadministrator’s PC, rather than network traffic. Recordings can be made of SSH, RDP, vSphere, SQLStudio and any other administrative sessions launched via Privileged Access Manager. Recordingscan include key-logging, video, webcam, copy buffer and more, based on policy settings and withoutregard to the type of session (protocol, client tool) that was launched.

• Infrastructure to secure Windows service account passwords:

In addition to managing access to administrator accounts, Privileged Access Manager can randomizepasswords used to run services, scheduled jobs and other unattended processes on Windows com-puters. It can then notify the Windows Service Control Manager, Scheduler, IIS and other componentsof the new password, so that tasks can be successfully started in the future.

• An API to replace static, embedded passwords:

Privileged Access Manager exposes an API that allows one application to securely acquire a passwordthat will then be used to connect to another application. This mechanism is used to eliminate plaintextpasswords in application source code or text files.



• Auto-discovery:

Privileged Access Manager includes an advanced infrastructure auto-discovery system, designed tominimize both initial and ongoing configuration. This system can:

1. Extract a list of systems from AD, LDAP or other sources.

2. Apply rules to decide whether a given system should be managed.

3. Apply rules to choose a security policy to apply to each managed system.

4. Probe systems in a massively parallel fashion, to get a list of accounts, groups and services oneach one.

5. Apply rules to decide which accounts on each system should be managed.

• Reports:

Privileged Access Manager includes a variety of built-in reports, that are used to answer questionssuch as:

– What computers are on the network?– Which computers have been unresponsive during the past 30 days?– Which administrators have signed into this computer?– Which systems has this administrator managed?– Who has made a large number of requests for one-off access?

Benefits:

Privileged Access Manager improves the security of privileged accounts by:

• Eliminating static, shared, well-known passwords.• Ensuring that former IT staff cannot access sensitive infrastructure.• Requiring strong, personal authentication of users prior to accessing privileged accounts.• Enforcing robust policy over who can access privileged accounts.• Recording a detailed audit trail of privileged login sessions.

Privileged Access Manager reduces the cost of managing passwords on privileged accounts by automatingthe password change, storage and disclosure process.



B Session monitoring in Privileged Access Manager

Hitachi ID Privileged Access Manager session recording technology consists of:

ActiveX Recording Architecture

Session monitoring in Privileged Access Manager works by launching an ActiveX component when a loginsession is established to a privileged account.

The ActiveX component, in turn, launches the administration tool the user wishes to use – terminal servicesclient (TSC), PuTTY or similar for SSH sessions, SQL Studio, vSphere, etc. and passes a target systemaddress, login ID and password into that client.

While the user is connected, the ActiveX component can capture session data – video, key-log, etc. andstream that back to an Privileged Access Manager server. The ActiveX component also checks with theserver, to find out whether the user’s session should be terminated, for example if the allotted time has runout or if the user’s access is being terminated intentionally.

Using an ActiveX component means that the installation footprint of Privileged Access Manager sessionmonitoring is minimized – there is no software to install on user PCs and no proxy server for users toconnect through.

Types of Recorded Data

The session monitoring infrastructure in Privileged Access Manager is designed to capture any combinationof the following data types:

1. Video capture: either the display window of the program launched on behalf of the authorized user(e.g., RDP, SSH, vSphere, etc.) or that user’s entire desktop (could span multiple monitors).

2. Keystrokes – either just those entered when the launched window has focus, or all keystrokes for theduration of the login session.

3. Snapshots from the user’s web cam (of the user, presumably).

4. Contents of the user’s copy buffer – useful if the user pastes text into an input field, such that the textwould not appear in key-log data.

5. Meta data about processes running on the user’s PC, including process name and ID, window title,etc.

6. Meta data about user interface elements on the user’s screen, such as text prompts and the contentof input fields.

Indefinite Retention

Session recordings may be archived indefinitely and may serve a variety of purposes, ranging from knowl-edge sharing and training to forensic audits of administrator actions. Access to recorded sessions is securedthrough a combination of access control rules and workflow processes, to protect user privacy.

Tamper Proofing



The session recording system is tamper resistant – if users attempt to interrupt recording, their login ses-sions to privileged accounts are disconnected and an alarm is raised.

Privileged Access Manager can be configured to make a recording of a user’s PC for the duration of alogin session to a privileged account. This includes either video capture of either the full screen or just thelogin window, key logging, recording of the contents of the copy buffer and even snapshots from the user’swebcam.

Full screen and web cam capture

Capturing the full screen gives context for administrator actions. For example, if a user downloads a filefrom a privileged account to his PC, a recording of just his login window will not show what happens next,but a full screen recording may show the file being copied to a USB drive or uploaded to a web site.

Capturing web cam snapshots reliably links the session to the user in question. In the event of a forensicaudit, if the user claims that actions recorded and associated with his profile were performed by someoneelse, perhaps after stealing his password, there will be clear evidence that it was the user in question whoperformed.

Network and storage impact

The session monitor ActiveX component can generate up to about 10 kBytes/second of data, most of whichis video. On a modern PC, it will consume no more than 2% to 3% of the user’s CPU and only a very smallamount of memory.

A single Privileged Access Manager server can collect about 100 concurrent session recording data streams.This means that a load balanced arrangement of 3 Privileged Access Manager nodes can capture sessionsfrom 300 IT workers simultaneously, and probably more than 500 users total, 24x7.

The data volume from a single administrator session, assuming a constant stream of data for 8 hours/day,220 days/year, amounts to about 60GB/year. 100 concurrently active administrators whose every action isrecorded will generate about 6TB/year of data.

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: / pub/ wp/ documents/ sessmon-howto/ sessmon-howto-1.texDate: 2011-04-29

http://Hitachi-ID.com/

design and implementation of administrator session monitoring

Technology

recording login sessions

session recording system

hitachi id systems

session monitoring system

recording process

activity of users

users activity

user activity