Configure Session Monitoring

Session monitoring records the actions of a user while they access your password-protected managed systems. The actions are recorded in real time, with the ability to bypass inactivity in the session so that you view only the actions of the user.

You configure session monitoring when you add or edit a managed system.

There are additional settings that you need to configure, such as listen host and screen resolution.

Configure Listen Host and File Location

Using the BeyondInsight Configuration tool, you can set the listen host and file location for the monitored sessions.

  1. Open the BeyondInsight Configuration tool.
  2. Go to the Password Safe section.
  3. Enter the IP address for the listen host.
  4. Set the location for the session monitoring file. The default location is \data\sessionmonitoring under the installation directory.

Configure Concurrent Sessions

Set Limit for Concurrent Sessions

Remote sessions can be limited to a set number of concurrent sessions.

The option to increase or limit the number of sessions a user can open at one time is configured in access policies, when setting the schedule.

 

If a user tries to open more sessions than allowed, a message is displayed on the Requests page.

For more information, please see Configure Password Safe Access Policies.

Use Session Masking

Passwords can be hidden from session replays by applying a mask. While session masks are active, the keystrokes of an SSH session being recorded are checked against the masks, and any matches are replaced. When the keystroke session is replayed, the viewer sees asterisks instead of the password. More than one mask can be active at a time.

Password Safe Session Masks

Masks can be created, changed, and deleted. These actions are captured in user auditing.

 

  1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Session Masks.
  2. To create a mask:
    • Click Create New Mask.
    • Enter a name for the mask and the mask pattern.
    • Check the Active option.
    • Click Create Session Mask.
  3. To edit a mask:
    • Click the More Options icon for the mask, and then select Edit Session Mask.
    • Edit the name for the mask or the mask itself.
    • Check or uncheck the Active option as appropriate.
    • Click Update Session Mask.
  4. To delete a mask, click the More Options icon for the mask, and then select Delete.

Customize Session Images

As a Password Safe administrator, you can add corporate logos to replace default brand splash, replay, and lock images.

 

You must clear the browser cache to see new images after they have been updated. Also, all image files should be backed up in a safe location because they will be overwritten on the next upgrade and must be replaced after the upgrade completes to restore the customization.

Customize Splash Image

To customize the splash image:

  1. Place the customized splash.png file in this directory:

    /eEye Digital Security/Retina CS/Website/images

    Size must be 1024 x 768px

  2. Rename the original splash.png file or move it to another location.
  3. In the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy] registry key, add a string value of splash_png with a value of the path to the customized splash image.

Customize Replay Images

To customize the Admin > Replay logos:

Modify the following files:

  • C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\rdp-placeholder.jpg

    Size must be 147 x 125px

  • C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\rdp-placeholder-lg.jpg

    Size must be 1024 x 768px

  • C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\ssh_placeholder.jpg

    Size must be 137 x 125px

Customize Lock Image

To customize the lock image that appears to the end user when an administrator locks an active session:

  1. Place the customized lock.png file in this directory:

    /eEye Digital Security/Retina CS/Website/images

    Size must be 1024 x 768px

  2. Rename the original lock.png file or move it to another location.
  3. In the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy\lock] registry key, add a string value of png with a value of the path to the customized lock image.

Configure Recorded Sessions in a Multi-Node Environment

In a multi-node environment, sessions can be viewed from any node in the environment, regardless of the node it was created on.

SSL certificates are used to ensure secure communication between the nodes. You must create a certificate using a Certificate Authority (CA) and import the certificate on each of the nodes.

When setting up the certificate, the Password Safe agent host name (or host name override) must match the Issued to details on the certificate properties in the Certificates snap-in.

The CA certificates that issue the SSL certificates (the Issued by on the certificate properties) must be trusted by all nodes in the environment.

To confirm the host name matches the Issued to field:

  1. In the BeyondInsight console, go to Configuration > Privileged Access Management Agents > Session Agents.
  2. Select the agent from the list, and view the host name indicated in the Host Name Override box.
  3. Open the Windows Certificates snap-in, and then double-click the certificate.
  4. Confirm the name of the certificate in one of the following places:
    • On the General tab, confirm the host name is the same name as in the Issued to field.
    • On the Details tab, scroll to the Subject field and confirm the CN=<name> matches the agent host name.
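
The same confirmation can be scripted on each node. The following is an added example, not BeyondTrust code; it assumes the certificate is in the local machine Personal store, and the host name shown is a hypothetical placeholder for the value in the Host Name Override box.

```powershell
# Added example. Run on each node in the environment.
$agentHostName = 'pbps-node1.example.test'   # hypothetical: agent host name or override

# "Issued to" in the Certificates snap-in corresponds to the subject's simple name (CN).
# Assumption: the node certificate is stored in LocalMachine\My (Personal).
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $agentHostName })

if ($certs.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My is issued to $agentHostName"
}

foreach ($cert in $certs) {
    # Build the chain to confirm the issuing CA is trusted on this node.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # tests trust only, not revocation
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        IssuedTo      = $cert.GetNameInfo('SimpleName', $false)
        IssuedBy      = $cert.GetNameInfo('SimpleName', $true)
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ChainTrusted  = $trusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A node where ChainTrusted is False does not trust the CA named in IssuedBy; an empty result means no certificate on that node matches the agent host name.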

Configure Keystroke Logging

Password Safe records keystrokes for all recorded sessions. Keystroke logging is enabled by default. When you open a recorded session, the pane on the right displays keystrokes. You can select a keystroke entry to view where that keystroke occurred. You can also filter keystroke entries by date, time, or keystroke in the Search box.

Turn Off Keystroke Logging

From the Global Settings > Session Monitoring configuration, you can turn off keystroke logging for ISA users and admin sessions.

Keystroke logging can be enabled for all other users when setting the scheduling options for an access policy.

  1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Global Settings.
  2. Under the Session Monitoring settings, clear the applicable keystroke logging options.
  3. Click Update Session Monitoring Settings.

Enhanced Session Auditing

Enhanced session auditing captures and records all mouse activity in the Keystrokes menu of Recorded Sessions for RDP and RDP application sessions. Enhanced session auditing is enabled by default. It uses the rules in the access policy for Admin Session multi-session checkouts. During a recorded RDP session, an agent called pbpsmon is installed on the host for the duration of the session. The agent monitors and audits Windows click events.

Session monitoring captures text that is copied in an RDP session window. The copied text is captured only the first time. Any subsequent copy tasks of the same text are not captured for the session.

To use enhanced session auditing, the functional account of the managed Windows host or Remote Desktop Services host needs administrative rights.

Turn Off Enhanced Session Auditing for ISA Users

  1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Global Settings.
  2. Under the Session Monitoring settings, clear the applicable enhanced session auditing options.
  3. Click Update Session Monitoring Settings.

You can turn off enhanced session auditing for admin sessions and all other non-ISA users when setting the scheduling options for an access policy.

Troubleshoot Enhanced Session Auditing

The following files are deployed as part of enhanced session auditing:

  • pbpsdeploy (Password Safe Deployment Agent service)
  • pbpsmon
  • pbpslaunch
  • pbpsmon and pbpslaunch (These are contained in a cab file that is copied to the Windows directory and extracted to C:\pbps\.)

pbpsdeploy

The pbpsdeploy.exe file resides in the Windows directory (C:\Windows).

  • Access to ADMIN$ is required to copy pbpsdeploy.exe from Password Safe to the target server.
  • Confirm the service is displayed in the Services snap-in after deployment.
  • The output from the deployment service should be in the pbsm logs.
 
2017/03/07 15:47:12.186 2292 6548 INFO: Pushing pbpsdeploy service to 10.200.28.39 as user backupadmin 
2017/03/07 15:47:13.528 2292 6548 INFO: Starting pbpsdeploy service on 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.593 2292 6548 INFO: Copied pbpsmon.cab

2017/03/07 15:47:13.716 2292 6548 INFO: pbpsmon install:
    Using binary directory C:\Windows\
    Created directory C:\pbps
    Extracting File "pbpsmon.exe" (Size: 15872 bytes) -> "C:\pbps\pbpsmon.exe"
    Extracting File "pbpslaunch.exe" (Size: 145408 bytes) -> "C:\pbps\pbpslaunch.exe"
    Extracting File "msvcp120.dll" (Size: 455328 bytes) -> "C:\pbps\msvcp120.dll"
    Extracting File "msvcr120.dll" (Size: 970912 bytes) -> "C:\pbps\msvcr120.dll"
    Extracting File "vccorlib120.dll" (Size: 247984 bytes) -> "C:\pbps\vccorlib120.dll"
    Extracting File "libeay32.dll" (Size: 1359872 bytes) -> "C:\pbps\libeay32.dll"
    Extracting File "ssleay32.dll" (Size: 252928 bytes) -> "C:\pbps\ssleay32.dll"
    Creating registry keys
    Registry keys successfully created
    Creating task
    Task successfully created

pbpsmon

Verify the following setup has been performed by the deployment service:

  • In Task Scheduler, confirm the following task is created: BeyondTrust Password Safe Monitoring Task.

     

  • In regedit, the following registry key is created, which creates the disconnect event:

    HKLM\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON

pbpslaunch

Verify the following setup has been performed by the deployment service:

  • In regedit, the following registry key is created:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch

  • A pbpslaunch entry exists in RemoteApp Manager.

     

  • Locate the log statement Accepting RDP Channel <name>. There should be one for pbpsmon, and if it is an application session, one for pbpslaunch.
    2017/03/07 15:47:14.659 3672 4788 INFO: Accepting RDP Channel PBPSMON
  • The Event Viewer on the target server includes setup and cleanup results of pbpsmon and pbpslaunch sent to pbsmd.
    1. Open Event Viewer.
    2. Expand Windows Logs.
    3. Click Application.
    4. Filter the application log on Source = pbpsdeploy.

You can prevent the session monitoring service from deploying pbpsmon and pbpslaunch on the managed system by setting the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\use_pbpsdeploy = 0 (REG_DWORD)
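
The pbpsdeploy, pbpsmon, and pbpslaunch checks above can be collected into one script for the managed host. This is an added example, not BeyondTrust code; the file paths, registry keys, and task name are the ones given on this page, and the service-name match is an assumption.

```powershell
# Added example. Run elevated on the managed host while a recorded RDP session
# is open (pbpsmon is installed only for the duration of the session).
function Test-Artifact {
    param([string]$Name, [scriptblock]$Probe)
    $present = $false
    try { $present = [bool](& $Probe) } catch { $present = $false }
    [pscustomobject]@{ Check = $Name; Present = $present }
}

$addin = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON'
# Allow-list key as printed on the page, plus the "Terminal Server" spelling
# (with a space) that Windows uses for this branch.
$allowList = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList\Applications\pbpslaunch'
)
$task      = 'BeyondTrust Password Safe Monitoring Task'
$logFilter = @{ LogName = 'Application'; ProviderName = 'pbpsdeploy' }

$results = @(
    Test-Artifact 'pbpsdeploy.exe in C:\Windows' { Test-Path -LiteralPath 'C:\Windows\pbpsdeploy.exe' }
    # Assumption: the deployment service's name contains "pbpsdeploy".
    Test-Artifact 'pbpsdeploy service' { Get-Service | Where-Object { $_.Name -like '*pbpsdeploy*' } }
    Test-Artifact 'C:\pbps\pbpsmon.exe' { Test-Path -LiteralPath 'C:\pbps\pbpsmon.exe' }
    Test-Artifact 'C:\pbps\pbpslaunch.exe' { Test-Path -LiteralPath 'C:\pbps\pbpslaunch.exe' }
    Test-Artifact 'PBPSMON Terminal Server add-in key' { Test-Path -LiteralPath $addin }
    Test-Artifact 'pbpslaunch RemoteApp allow-list key' { $allowList | Where-Object { Test-Path -LiteralPath $_ } }
    Test-Artifact 'Monitoring scheduled task' { Get-ScheduledTask -TaskName $task -ErrorAction Stop }
    Test-Artifact 'pbpsdeploy events in Application log' {
        Get-WinEvent -FilterHashtable $logFilter -MaxEvents 1 -ErrorAction Stop
    }
)
$results | Format-Table -AutoSize

# Setup and cleanup results reported by the deployment service.
Get-WinEvent -FilterHashtable $logFilter -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, Message | Format-List
```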

Configure Algorithms used by the Session Monitoring Proxy

The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the user's SSH client and the SSH proxy are configurable using the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\ciphers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\kex_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\macs

The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the SSH proxy and the managed system are configurable using the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_ciphers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_macs

Each of these keys, if defined, must hold a multi-string value (REG_MULTI_SZ), with one algorithm name per line.

For example, ciphers might be:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

This restricts the available encryption algorithms to those named.
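
To review what is currently configured on both sides of the proxy, the eight settings can be read and type-checked in one pass. This is an added example, not BeyondTrust code; it assumes the last component of each path above is a value name under the ssh_proxy key, and its allow list contains only the three ciphers from the example above.

```powershell
# Added example. Run on the Password Safe server.
# Assumption: ciphers, macs, etc. are values under the ssh_proxy key.
$key   = 'HKLM:\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy'
$names = 'ciphers', 'host_key_algorithms', 'kex_algorithms', 'macs',
         'client_ciphers', 'client_host_key_algorithms', 'client_kex_algorithms', 'client_macs'
# Allow list for the two cipher settings: the example list from this page.
$approvedCiphers = 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'

$item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
$report = foreach ($n in $names) {
    $defined = ($null -ne $item) -and ($item.GetValueNames() -contains $n)
    $kind    = if ($defined) { $item.GetValueKind($n) } else { $null }
    $algs    = if ($defined) { @($item.GetValue($n)) } else { @() }
    $extra   = if ($n -like '*ciphers') {
        @($algs | Where-Object { $_ -notin $approvedCiphers })
    } else { @() }

    [pscustomobject]@{
        Setting    = $n
        Defined    = $defined                      # False: no restriction set here
        TypeOk     = (-not $defined) -or ($kind -eq [Microsoft.Win32.RegistryValueKind]::MultiString)
        Algorithms = $algs -join ', '
        Unapproved = $extra -join ', '             # ciphers outside the allow list
    }
}
$report | Format-Table -AutoSize

# Writes one setting as REG_MULTI_SZ, one algorithm name per line.
function Set-ProxyAlgorithms {
    param([string]$Name, [string[]]$Algorithms)
    if ($Name -notin $names) { throw "Unknown setting: $Name" }
    New-ItemProperty -LiteralPath $key -Name $Name -PropertyType MultiString `
        -Value $Algorithms -Force | Out-Null
}
# Example: Set-ProxyAlgorithms -Name 'ciphers' -Algorithms $approvedCiphers
```

A row with TypeOk set to False holds a value that is not REG_MULTI_SZ and needs to be recreated with the correct type.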