Configure Session Monitoring

Session monitoring records the actions of a user while they access your password-protected managed systems. The actions are recorded in real time with the ability to bypass inactivity in the session. This allows you to view only the actions of the user.

You configure session monitoring when you add or edit a managed system.

There are additional settings that you need to configure, such as listen host and screen resolution.

Configure Listen Host and File Location

Using the BeyondInsight configuration tool, you can set the listen host and file location for the monitored sessions.

  1. Open the BeyondInsight configuration tool.
  2. Go to the Password Safe section.
  3. Enter the IP address for the listen host.
  4. Set the location for the session monitoring file. The default location is \data\sessionmonitoring under the installation directory.

Configure Concurrent Sessions

Set Limit for Concurrent Sessions

Remote sessions can be limited to a set number of concurrent sessions.

The option to increase or limit the number of sessions a user can open at one time is configured in access policies, when setting the schedule.

 

If a user tries to open more sessions than allowed, a message is displayed on the Requests page.

For more information, please see Configure Password Safe Access Policies.

Use Session Masking

Passwords can be hidden from session replays by applying a mask. When session masks are active, an SSH session recording at that time checks the keystrokes against the mask. Any matches are replaced. When the keystroke session is replayed, the viewer sees the asterisks instead of the password. More than one mask can be active at a time.

Password Safe Session Masks

Masks can be created, changed, and deleted. These actions are captured in user auditing.

 

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management > Session Masks.
  2. To create a mask:
    • Click Create New Mask.
    • Enter a name for the mask and the mask pattern.
    • Check the Active option.
    • Click Create Session Mask.
  3. To edit a mask:
    • Click the More Options icon for the mask, and then select Edit Session Mask.
    • Edit the name for the mask or the mask itself.
    • Check or uncheck the Active option as appropriate.
    • Click Update Session Mask.
  4. To delete a mask, click the More Options icon for the mask, and then select Delete.

Configure Keystroke Logging

Password Safe records keystrokes for all recorded sessions. Keystroke logging is enabled by default. When you open a recorded session, the pane on the right displays keystrokes. You can select a keystroke entry to view where that keystroke occurred. You can also filter keystroke entries by date, time, or keystroke in the Search box.

Turn Off Keystroke Logging

From the Global Settings > Session Monitoring configuration, you can turn off keystroke logging for ISA users and admin sessions.

Keystroke logging can be enabled for all other users when setting the scheduling options for an access policy.

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management > Global Settings.
  2. Under the Session Monitoring settings, clear the applicable keystroke logging options.
  3. Click Update Session Monitoring Settings.

Enhanced Session Auditing

Enhanced session auditing captures and records all mouse activity in the Keystrokes menu of Recorded Sessions for RDP and RDP application sessions. Enhanced session auditing is enabled by default. It uses the rules in the access policy for Admin Session multi-session checkouts. During a recorded RDP session, an agent called pbpsmon is installed on the host for the duration of the session. The agent monitors and audits Windows click events.

Session monitoring captures text that is copied in an RDP session window. The copied text is captured only the first time. Any subsequent copy tasks of the same text are not captured for the session.

To use enhanced session auditing, the functional account of the managed Windows host or Remote Desktop Services host needs administrative rights.

Turn Off Enhanced Session Auditing for ISA Users

  1. In the BeyondInsight Console, go to Configuration > Privileged Access Management > Global Settings.
  2. Under the Session Monitoring settings, clear the applicable enhanced session auditing options.
  3. Click Update Session Monitoring Settings.

You can turn off enhanced session auditing for admin sessions and all other non-ISA users, when setting the scheduling options for an access policy.

Troubleshoot Enhanced Session Auditing

The following files are deployed as part of enhanced session auditing:

  • pbpsdeploy (Password Safe Deployment Agent service)
  • pbpsmon
  • pbpslaunch

pbpsmon and pbpslaunch are contained in a cab file that is copied to the Windows directory and extracted to C:\pbps\.

pbpsdeploy

The pbpsdeploy.exe file resides in the Windows directory (C:\Windows).

  • Access to ADMIN$ is required to copy pbpsdeploy.exe from Password Safe to the target server.
  • Confirm the service is displayed in the Services snap-in after deployment.
  • The output from the deployment service should be in the pbsm logs.
 
2017/03/07 15:47:12.186 2292 6548 INFO: Pushing pbpsdeploy service to 10.200.28.39 as user backupadmin 
2017/03/07 15:47:13.528 2292 6548 INFO: Starting pbpsdeploy service on 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.593 2292 6548 INFO: Copied pbpsmon.cab

2017/03/07 15:47:13.716 2292 6548 INFO: pbpsmon install:
    Using binary directory C:\Windows\
    Created directory C:\pbps
    Extracting File "pbpsmon.exe" (Size: 15872 bytes) -> "C:\pbps\pbpsmon.exe"
    Extracting File "pbpslaunch.exe" (Size: 145408 bytes) -> "C:\pbps\pbpslaunch.exe"
    Extracting File "msvcp120.dll" (Size: 455328 bytes) -> "C:\pbps\msvcp120.dll"
    Extracting File "msvcr120.dll" (Size: 970912 bytes) -> "C:\pbps\msvcr120.dll"
    Extracting File "vccorlib120.dll" (Size: 247984 bytes) -> "C:\pbps\vccorlib120.dll"
    Extracting File "libeay32.dll" (Size: 1359872 bytes) -> "C:\pbps\libeay32.dll"
    Extracting File "ssleay32.dll" (Size: 252928 bytes) -> "C:\pbps\ssleay32.dll"
    Creating registry keys
    Registry keys successfully created
    Creating task
    Task successfully created

pbpsmon

Verify the following setup has been performed by the deployment service:

  • In Task Scheduler, confirm the following task is created: BeyondTrust Password Safe Monitoring Task.

     

  • In regedit, the following registry key is created, which creates the disconnect event:

    HKLM\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON

pbpslaunch

Verify the following setup has been performed by the deployment service:

  • In regedit, the following registry key is created:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch

  • A pbpslaunch entry exists in RemoteApp Manager.

     

  • Locate the log statement Accepting RDP Channel <name>. There should be one for pbpsmon, and if it is an application session, one for pbpslaunch.
    2017/03/07 15:47:14.659 3672 4788 INFO: Accepting RDP Channel PBPSMON
  • The Event Viewer on the target server includes setup and cleanup results of pbpsmon and pbpslaunch sent to pbsmd.
    1. Open Event Viewer.
    2. Expand Windows Logs.
    3. Click Application.
    4. Filter the application log on Source = pbpsdeploy.
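
The checks in this troubleshooting section can be collected into one pass on the target host. The script below is an added example, not BeyondTrust code; it assumes the service is registered under the name pbpsdeploy (taken from the file name) and uses the registry paths exactly as printed on this page.

```powershell
# Added example: run in an elevated PowerShell session on the target host
# while a recorded RDP session is open (the agent is installed only for the
# duration of the session). Paths and task name are copied from this page;
# the service name 'pbpsdeploy' is an assumption.
$checks = [ordered]@{
    'pbpsdeploy.exe in Windows directory' = {
        Test-Path -LiteralPath (Join-Path $env:windir 'pbpsdeploy.exe') }
    'pbpsdeploy service registered' = {
        [bool](Get-Service -Name 'pbpsdeploy' -ErrorAction SilentlyContinue) }
    'C:\pbps\pbpsmon.exe extracted' = {
        Test-Path -LiteralPath 'C:\pbps\pbpsmon.exe' }
    'C:\pbps\pbpslaunch.exe extracted' = {
        Test-Path -LiteralPath 'C:\pbps\pbpslaunch.exe' }
    'PBPSMON add-in registry key' = {
        Test-Path -LiteralPath 'HKLM:\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON' }
    'pbpslaunch allow-list registry key' = {
        # Path as printed on the page.
        Test-Path -LiteralPath 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch' }
    'Monitoring scheduled task' = {
        [bool](Get-ScheduledTask -TaskName 'BeyondTrust Password Safe Monitoring Task' -ErrorAction SilentlyContinue) }
}

# Evaluate every check and report which artifacts are present.
$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Present = [bool](& $checks[$name]) }
}
$results | Format-Table -AutoSize

# Setup and cleanup results written by the deployment service
# (Application log, Source = pbpsdeploy).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'pbpsdeploy' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, Message |
    Format-List
```

A missing item points to the matching step above: a missing pbpsdeploy.exe usually means the ADMIN$ copy failed, while missing C:\pbps files or registry keys mean the pbpsmon install step in the pbsm log did not complete.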

Configure Algorithms used by the Session Monitoring Proxy

The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the user's SSH client and the SSH proxy are configurable using the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\ciphers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\kex_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\macs

The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the SSH proxy and the managed system are configurable using the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_ciphers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_macs

Each of these keys, if defined, must hold a multi-string value (REG_MULTI_SZ), with one algorithm name per line.

For example, ciphers might be:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

This restricts the available encryption algorithms to those named.
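
To review what is currently configured before restricting anything, the eight settings can be read back and type-checked. This is an added example, not BeyondTrust code; it assumes each name (ciphers, macs, and so on) is a REG_MULTI_SZ value stored under the ssh_proxy key, and the function name is hypothetical.

```powershell
# Added example. Assumption: each name below is a REG_MULTI_SZ value
# stored under the ssh_proxy key named on this page.
$SshProxyKey = 'HKLM:\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy'
$AlgorithmValues = 'ciphers', 'host_key_algorithms', 'kex_algorithms', 'macs',
                   'client_ciphers', 'client_host_key_algorithms',
                   'client_kex_algorithms', 'client_macs'

function Get-SshProxyAlgorithmReport {
    param(
        [string]   $Path = $SshProxyKey,
        [string[]] $ValueNames = $AlgorithmValues
    )
    $regKey = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($name in $ValueNames) {
        $defined = ($null -ne $regKey) -and ($regKey.GetValueNames() -contains $name)
        $kind    = if ($defined) { $regKey.GetValueKind($name) } else { $null }
        $entries = if ($defined) { @($regKey.GetValue($name)) } else { @() }
        [pscustomobject]@{
            Value      = $name
            Defined    = $defined
            Kind       = $kind
            # Undefined is allowed; a defined setting must be multi-string.
            TypeOk     = (-not $defined) -or ($kind -eq 'MultiString')
            # One algorithm name per line: flag blanks, spaces and comma lists.
            BadEntries = @($entries | Where-Object { "$_" -eq '' -or "$_" -match '[\s,]' })
            Algorithms = $entries -join ', '
        }
    }
}

Get-SshProxyAlgorithmReport |
    Format-Table Value, Defined, Kind, TypeOk, Algorithms -AutoSize

# The page's ciphers example written as REG_MULTI_SZ, one name per entry.
# -WhatIf only previews the change; remove it to apply (requires elevation).
New-ItemProperty -LiteralPath $SshProxyKey -Name 'ciphers' -PropertyType MultiString `
    -Value @('aes128-ctr', 'aes192-ctr', 'aes256-ctr') -Force -WhatIf
```

A row with TypeOk false or a non-empty BadEntries list (for example a single string holding a comma-separated list) does not meet the one-algorithm-per-line format described above.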