Configure Session Monitoring

Session monitoring records the actions of a user while they access your password-protected managed systems. The actions are recorded in real time with the ability to bypass inactivity in the session. This allows you to view only the actions of the user.

You configure session monitoring when you add or edit a managed system.

There are additional settings you must configure, such as concurrent sessions and screen resolution.

Configure Listen Host and File Location

Using the BeyondInsight Configuration tool, you can set the listen host and file location for monitored sessions.

  1. Open the BeyondInsight Configuration tool.
  2. Go to the Password Safe section.
  3. Enter the IP address for the listen host.
  4. Set the location for the session monitoring file. The default location is in the installation directory: \data\sessionmonitoring.

Configure Concurrent Sessions

Set Limit for Concurrent Sessions

Remote sessions can be limited to a set number of concurrent sessions.

The option to increase or limit the number of sessions a user can open at one time is configured from the schedule settings within an Access Policy.

To modify the number of concurrent sessions:

  1. Navigate to Configuration > Privileged Access Management Policies > Access Policies.
  2. Select an Access Policy or create a new one.
  3. From the Schedule tab, select an existing schedule or click Create New Schedule to create a new one.
  4. Scroll down to Policy Types and select RDP or SSH.
  5. Set the number for the Concurrent option.
  6. Click Update Schedule or Create Schedule to save the schedule.

 

Error message displayed when a user tries to open more sessions than allowed.

If a user tries to open more sessions than allowed, a message displays on the Requests page.

For more information, please see Configure Password Safe Access Policies.

Use Session Masking

Passwords can be hidden from session replays by applying a mask. When session masks are active, an SSH session recording at that time checks the keystrokes against the mask. Any matches are replaced. When the keystroke session is replayed, the viewer sees asterisks instead of the password. More than one mask can be active at a time.

Masks can be created, changed, and deleted. These actions are captured in user auditing.

  1. Navigate to Configuration > Privileged Access Management > Session Masks.
  2. To create a mask:
    • Click Create New Mask above the grid.
    • Enter a name for the mask and provide the mask pattern.
    • Leave the Active option checked.
    • Click Create Session Mask.  
  3. To edit a mask:
    • Locate the mask in the grid and click the vertical ellipsis button for it.
    • Select Edit Session Mask.
    • Edit the name and pattern for the mask as desired.
    • Check or uncheck the Active option as appropriate.
    • Click Update Session Mask.
  4. To delete a mask, click the vertical ellipsis button for the mask, and then select Delete.

Customize Session Images

As a Password Safe administrator, you can add corporate logos to replace default brand splash, replay, and lock images. You can also specify an image that displays when an RDP session is being monitored and recorded in Password Safe.

 

You must clear the browser cache to see new images after they have been updated. Also, it is a good practice to back up image files to a safe location because they will be overwritten on the next upgrade and must be replaced after the upgrade completes to restore the customization.

Specify a Custom Splash Image

To customize the splash image:

  1. Place the customized splash.png file in this directory: /eEye Digital Security/Retina CS/Website/images.

Size must be 1024 × 768px

  2. Rename the original splash.png file or move it to another location.
  3. In the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy] registry key, add a string value named splash_png and set it to the path of the customized splash image.

Specify Custom Replay Images

To customize Admin > Replay logos, modify the following files:

  • C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\rdp-placeholder.jpg

Size must be 147 × 125px

  • C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\rdp-placeholder-lg.jpg

Size must be 1024 × 768px

  • C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\ssh_placeholder.jpg

Size must be 137 × 125px

Specify a Custom Lock Image

To customize the lock image that appears to the end user when an administrator locks an active session:

  1. Place the customized lock.png file in this directory: /eEye Digital Security/Retina CS/Website/images.

Size must be 1024 × 768px

  2. Rename the original lock.png file or move it to another location.
  3. In the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy\lock] registry key, add a string value named png and set it to the path of the customized lock image.

By default, the lock image is centered on the screen. To specify alternative x- and y-coordinates, create DWORD registry values named x and y under the lock registry key.

Specify a Monitoring Image

To specify an image to display when an RDP session is being monitored in Password Safe:

  1. Name the image file monitor.png and place it in the /eEye Digital Security/Retina CS/Website/images directory.
  2. Create the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy\monitor

  3. Under this key, create a string value named png and set it to the path of monitor.png.

By default, the monitoring image is centered on the screen. To specify alternative x- and y-coordinates, create DWORD registry values named x and y under the monitor registry key.

The monitoring image is removed 15 seconds after the session stops being monitored.

Specify a Recording Image

To specify an image to display when an RDP session is being recorded in Password Safe:

  1. Name the image file record.png and place it in the /eEye Digital Security/Retina CS/Website/images directory.
  2. Create the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy\record

  3. Under this key, create a string value named png and set it to the path of record.png.

By default, the recording image is centered on the screen. To specify alternative x- and y-coordinates, create DWORD registry values named x and y under the record registry key.

Configure Recorded Sessions in a Multi-Node Environment

In a multi-node environment, sessions can be viewed from any node in the environment, regardless of the node where they were created.

SSL certificates are used to ensure secure communication between the nodes. You must create a certificate using a certificate authority (CA) and import the certificate on each of the nodes.

When setting up the certificate, the Password Safe agent host name (or host name override) must match the Issued to details on the certificate properties in the Certificates snap-in.

The CA certificates that issue the SSL certificates (the Issued by on the certificate properties) must be trusted by all nodes in the environment.

To confirm the host name matches the Issued to field:

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management Agents > Session Agents.
  2. Select the agent from the list, and view the host name indicated in the Host Name Override box.
  3. Open the Windows Certificates snap-in, and then double-click the certificate.
  4. Confirm the name of the certificate in one of the following places:
    •  On the General tab, confirm the host name is the same name as in the Issued to field.
    •  On the Details tab, scroll to the Subject field and confirm the CN=<name> matches the agent host name.
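
The same two checks (Issued to matches the agent host name, and the issuing CA is trusted by this node) can be scripted and run on every node. This is an added example, not part of the vendor documentation; it assumes the SSL certificate is in the LocalMachine\My store, and the host name shown is a constructed placeholder for the value in the Host Name Override box.

```powershell
# Added example, not vendor code. Assumption: the node certificate lives in LocalMachine\My.
$AgentHostName = 'pbps-node1.example.test'   # constructed placeholder; use the Host Name Override value

function Test-NodeCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName
    )
    # "Issued to" and "Issued by" in the snap-in are the subject and issuer simple names.
    $issuedTo = $Certificate.GetNameInfo('SimpleName', $false)
    $issuedBy = $Certificate.GetNameInfo('SimpleName', $true)

    # Build the chain against this node's trust stores to confirm the issuing CA is trusted here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # tests the trust path only, not revocation
    $trusted = $chain.Build($Certificate)
    $now = Get-Date

    [pscustomobject]@{
        IssuedTo     = $issuedTo
        IssuedBy     = $issuedBy
        NameMatches  = ($issuedTo -ieq $HostName)
        InValidity   = ($Certificate.NotBefore -le $now -and $Certificate.NotAfter -gt $now)
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Thumbprint   = $Certificate.Thumbprint
    }
}

$results = Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-NodeCertificate -Certificate $_ -HostName $AgentHostName }
$results | Format-Table -AutoSize

# A node passes only if one certificate satisfies every condition at once.
$ok = $results | Where-Object { $_.NameMatches -and $_.InValidity -and $_.ChainTrusted }
if (-not $ok) {
    Write-Warning "No trusted, valid certificate issued to '$AgentHostName' on $env:COMPUTERNAME"
}
```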

Configure Keystroke Logging

Password Safe records keystrokes for all recorded sessions. Keystroke logging is enabled by default. When you open a recorded session, the pane on the right displays keystrokes. You can select a keystroke entry to view where that keystroke occurred. You can also filter keystroke entries by date, time, or keystroke in the Search box.

Turn Off Keystroke Logging

You can turn off keystroke logging for ISA users and admin sessions as follows:

  1. Navigate to Configuration > Privileged Access Management > Global Settings.
  2. Under the Session Monitoring settings, clear the applicable keystroke logging options.
  3. Click Update Session Monitoring Settings.

Keystroke logging can be enabled for all other users when setting the scheduling options for an access policy.

For more information, please see Configure Password Safe Access Policies.

Enhanced Session Auditing

Enhanced session auditing captures and records all mouse activity in the Keystrokes menu of Recorded Sessions for RDP and RDP application sessions. Enhanced session auditing is enabled by default. It uses the rules in the access policy for Admin Session multi-session checkouts. During a recorded RDP session, an agent called pbpsmon is installed on the host for the duration of the session. The agent monitors and audits Windows click events.

Session monitoring captures text that is copied in an RDP session window. The copied text is captured only the first time. Any subsequent copy tasks of the same text are not captured for the session.

To use enhanced session auditing, the functional account of the managed Windows host or Remote Desktop Services host must have administrative rights.

Turn Off Enhanced Session Auditing for ISA Users

  1. Navigate to Configuration > Privileged Access Management > Global Settings.
  2. Under the Session Monitoring settings, clear the applicable enhanced session auditing options.
  3. Click Update Session Monitoring Settings.

You can turn off enhanced session auditing for admin sessions and all other non-ISA users when setting the scheduling options for an access policy.

Troubleshoot Enhanced Session Auditing

The following files are deployed as part of enhanced session auditing:

  • pbpsdeploy (Password Safe Deployment Agent service)
  • pbpsmon
  • pbpslaunch

pbpsmon and pbpslaunch are contained in a cab file that is copied to the Windows directory and extracted to C:\pbps\.

pbpsdeploy

The pbpsdeploy.exe file resides in the Windows directory (C:\Windows).

  • Access to ADMIN$ is required to copy pbpsdeploy.exe from Password Safe to the target server.
  • Confirm the service is displayed in the Services snap-in after deployment.
  • The output from the deployment service should be in the pbsm logs.
 
2017/03/07 15:47:12.186 2292 6548 INFO: Pushing pbpsdeploy service to 10.200.28.39 as user backupadmin 
2017/03/07 15:47:13.528 2292 6548 INFO: Starting pbpsdeploy service on 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.593 2292 6548 INFO: Copied pbpsmon.cab

2017/03/07 15:47:13.716 2292 6548 INFO: pbpsmon install:
    Using binary directory C:\Windows\
    Created directory C:\pbps
    Extracting File "pbpsmon.exe" (Size: 15872 bytes) -> "C:\pbps\pbpsmon.exe"
    Extracting File "pbpslaunch.exe" (Size: 145408 bytes) -> "C:\pbps\pbpslaunch.exe"
    Extracting File "msvcp120.dll" (Size: 455328 bytes) -> "C:\pbps\msvcp120.dll"
    Extracting File "msvcr120.dll" (Size: 970912 bytes) -> "C:\pbps\msvcr120.dll"
    Extracting File "vccorlib120.dll" (Size: 247984 bytes) -> "C:\pbps\vccorlib120.dll"
    Extracting File "libeay32.dll" (Size: 1359872 bytes) -> "C:\pbps\libeay32.dll"
    Extracting File "ssleay32.dll" (Size: 252928 bytes) -> "C:\pbps\ssleay32.dll"
    Creating registry keys
    Registry keys successfully created
    Creating task
    Task successfully created

pbpsmon

Verify the following setup has been performed by the deployment service:

View Password Safe Monitoring Task in Windows Task Scheduler.

  • In Task Scheduler, confirm the following task is created: BeyondTrust Password Safe Monitoring Task, or BeyondTrust Password Safe Disposable Monitoring Task. The task name depends on how enhanced session monitoring was installed.

     

  • In regedit, the following registry key is created, which creates the disconnect event:

    HKLM\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON

pbpslaunch

Verify the following setup has been performed by the deployment service:

  • In regedit, the following registry key is created:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch

    Verify deployment service setup in RemoteApp Manager.

  • A pbpslaunch entry exists in RemoteApp Manager.

     

  • Locate the log statement Accepting RDP Channel <name>. There should be one for pbpsmon, and if it is an application session, one for pbpslaunch.
    2017/03/07 15:47:14.659 3672 4788 INFO: Accepting RDP Channel PBPSMON
  • The Event Viewer on the target server includes setup and cleanup results of pbpsmon and pbpslaunch sent to pbsmd.
    1. Open Event Viewer.
    2. Expand Windows Logs.
    3. Click Application.
    4. Filter the application log on Source = pbpsdeploy.
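
The target-side checks listed above for pbpsdeploy, pbpsmon, and pbpslaunch can be collected in one pass. This is an added example, not vendor code; the file names, task names, registry keys, and event source are taken from this page, while the service-name wildcard is an assumption.

```powershell
# Added example, not vendor code. Run on the managed Windows host during a recorded RDP
# session; per the page, pbpsmon is installed only for the duration of the session.
$taskNames = 'BeyondTrust Password Safe Monitoring Task',
             'BeyondTrust Password Safe Disposable Monitoring Task'
$tsRoot = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
# The page writes "TerminalServer"; stock Windows spells the key "Terminal Server", so try both.
$allowList = 'TerminalServer', 'Terminal Server' |
    ForEach-Object { "$tsRoot\$_\TSAppAllowList\Applications\pbpslaunch" }

$checks = [ordered]@{
    'pbpsdeploy.exe in the Windows directory' = { Test-Path (Join-Path $env:windir 'pbpsdeploy.exe') }
    'pbpsmon.exe extracted to C:\pbps'        = { Test-Path 'C:\pbps\pbpsmon.exe' }
    'pbpslaunch.exe extracted to C:\pbps'     = { Test-Path 'C:\pbps\pbpslaunch.exe' }
    'PBPSMON add-in registry key'             = {
        Test-Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON' }
    'pbpslaunch allow-list key (application sessions)' = {
        [bool]($allowList | Where-Object { Test-Path $_ }) }
    'Monitoring scheduled task'               = {
        [bool](Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object { $taskNames -contains $_.TaskName }) }
    # Assumption: the service name starts with "pbpsdeploy"; the page gives only the file name.
    'pbpsdeploy service registered'           = {
        [bool](Get-Service -Name 'pbpsdeploy*' -ErrorAction SilentlyContinue) }
}

$report = foreach ($c in $checks.GetEnumerator()) {
    [pscustomobject]@{ Check = $c.Key; Present = [bool](& $c.Value) }
}
$report | Format-Table -AutoSize

# Setup and cleanup results are written to the Application log with source pbpsdeploy.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'pbpsdeploy' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, Message | Format-List
```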

You can prevent the session monitoring service from deploying pbpsmon and pbpslaunch on the managed system by setting the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\use_pbpsdeploy = 0 (REG_DWORD)

Configure Algorithms used by the Session Monitoring Proxy

The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the user's SSH client and the SSH proxy are configurable using the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\kex_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\macs

The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the SSH proxy and the managed system are configurable using the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_ciphers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_macs

Each of these keys, if defined, must hold a multi-string value (REG_MULTI_SZ), with one algorithm name per line.

For example, ciphers might be:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

This restricts the available encryption algorithms to those named.
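
To review what is currently configured, the following read-only audit lists each algorithm value named above and marks entries worth a second look. It is an added example, not vendor code; it assumes each name is a REG_MULTI_SZ value under the ssh_proxy key (as use_pbpsdeploy is a value under rdp_proxy), and the review patterns and sample list are constructed for illustration.

```powershell
# Added example, not vendor code. Read-only: reports what is configured, changes nothing.
# Assumption: each name below is a REG_MULTI_SZ value under the ssh_proxy key.
$keyPath = 'HKLM:\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy'
$valueNames = 'host_key_algorithms', 'kex_algorithms', 'macs', 'client_ciphers',
              'client_host_key_algorithms', 'client_kex_algorithms', 'client_macs'

# Constructed review patterns (long-deprecated SSH algorithms); substitute your own baseline.
$reviewPatterns = '-cbc$', '^arcfour', 'md5', '^diffie-hellman-group1-sha1$', '^ssh-dss$'

function Get-AlgorithmFinding {
    param([string]$ValueName, [string[]]$Algorithms, [string[]]$Patterns)
    foreach ($alg in $Algorithms) {
        $name = $alg.Trim()
        if (-not $name) { continue }               # skip blank lines in the multi-string
        $hit = $Patterns | Where-Object { $name -match $_ } | Select-Object -First 1
        [pscustomobject]@{ Value = $ValueName; Algorithm = $name; Review = [bool]$hit }
    }
}

$key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
$findings = foreach ($valueName in $valueNames) {
    if (-not $key -or $key.GetValueNames() -notcontains $valueName) {
        # Nothing defined: the list is not restricted by this setting.
        [pscustomobject]@{ Value = $valueName; Algorithm = '(not defined)'; Review = $false }
        continue
    }
    $kind = $key.GetValueKind($valueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
        Write-Warning "$valueName is $kind, expected MultiString (REG_MULTI_SZ)"
        continue
    }
    Get-AlgorithmFinding -ValueName $valueName -Algorithms $key.GetValue($valueName) `
        -Patterns $reviewPatterns
}
$findings | Format-Table -AutoSize

# Constructed sample so the logic can be tried on a machine without Password Safe installed.
Get-AlgorithmFinding -ValueName 'sample' -Patterns $reviewPatterns `
    -Algorithms 'aes128-ctr', 'aes256-ctr', 'aes128-cbc' | Format-Table -AutoSize
```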