In today’s shifting IT world, many organizations have servers hosting both internal and customer-facing applications. These servers are managed and accessed by multiple staff members and, in some cases, are accessible by external vendor contractors as well. While a lot of money has been invested in protecting these servers from malicious users and other types of unauthorized connections by deploying firewalls, VPN servers, identity management solutions and intrusion detection systems, these organizations currently have no practical way of logging user activity on these servers or of knowing exactly who did what on these machines.
The need for recording user actions is mostly due to these reasons:
Any company that has multiple individuals with access to its enterprise servers can benefit by using visual recording software. This is particularly true when, in addition to IT administrators, developers, project managers and consultants are able to modify server configuration.
Two products exist that address this need: Citrix SmartAuditor and ObserveIT. Both offer visual recording capabilities of user sessions, and both are designed from the ground up as enterprise-scale solutions that centrally store, index the recordings, and offer granular policy-based control capabilities. Visit the home pages of these two products:
Citrix Systems » XenApp Feature Spotlight SmartAuditor
Record Secure Remote access VPN-SSL, RDP, Terminal Sessions Audit Software – ObserveIT
Citrix SmartAuditor allows you to record any user’s session, from any computer running Presentation Server. Recorded sessions are cataloged and archived for retrieval and playback. SmartAuditor acts just like a security video camera pointed at the screen. However, just like a “dummy” security surveillance camera, the recording software does not “know” what happens on the screen at any given moment. The only information available is the user name, application name, and date and time. No other information is available regarding what happened inside the user session.
SmartAuditor is only available to Platinum Edition clients and only allows monitoring and recording of application sessions running on Citrix Presentation Servers. This type of requirement means that only large enterprises will be able to afford to use it.
ObserveIT is software that records all human activity on monitored servers, either visually or through metadata. This allows recorded sessions to be replayed (in the case of visual recording) and makes it possible to understand exactly what was performed on the monitored servers, who did it, and which applications were accessed.
ObserveIT captures not only screenshots, but also an abundance of information about what is seen on the screen: the user performing the action, the remote computer’s name and IP, date, time, application executable name, window title and more. All this information is stored as metadata alongside the screenshots, inside a SQL database, allowing very flexible searching capabilities and enterprise-scale management.
ObserveIT can be installed in an Active Directory environment, but also in workgroup or stand-alone environments, similar to those found in DMZ or Perimeter Networks typically used in external vendor remote access scenarios. ObserveIT records user sessions regardless of the method by which these sessions were created. It works with virtually any remote access software, such as Terminal Server, Remote Desktop, VNC, NetOP, DameWare, Remote Admin, PcAnywhere and more.
SmartAuditor is a single protocol solution, recording only ICA access.
ObserveIT, on the other hand, is totally agnostic to protocol types, because it records at the operating system level. Because of that, ObserveIT will record ANY type of remote access, including RDP, Terminal Server, ICA, VNC, NetOP, DameWare and so on.
SmartAuditor uses 5 components, which, based on the design, can be installed separately or on the same machine:
One major drawback of SmartAuditor is that it is designed ONLY for Citrix Presentation Servers. It will not work for any other type of server.
ObserveIT uses 4 components, which, again based on the design, can be installed separately or on the same machine:
Citrix SmartAuditor is managed by using the SmartAuditor Policy Console, a Microsoft Management Console snap-in. This tool requires installation, which in turn can add to the administrative overhead of software management.
As a side note, it’s worth mentioning that by running SmartAuditor on your Citrix servers, shadowing of user sessions will no longer work.
ObserveIT is managed from the ObserveIT Web Management Console, which is a web application that is hosted on the ObserveIT Application Server, and is accessed from any computer by using a web browser. This makes connecting to the management console an easy task that does not require any deployment planning or software installation.
Running ObserveIT Agent on terminal or Citrix servers will have no effect on the regular management of these servers.
SmartAuditor uses recording policies to provide a granular approach to recording Presentation Server sessions. A recording policy can be configured to record individual users, groups of users, specific published applications and specific Presentation Server computers. Multiple rules can be defined in a policy to apply different recording actions or separate recording criteria for easier manageability.
ObserveIT recording is configured by using flexible Server Policies. These policies are sets of configuration options that control aspects of how the monitored server is configured. Some of the settings included in these policies control the way the Agent works, the recording resolution and color depth, and the recording notification prompt. Further settings allow control over which users to record (or exclude from recording), and which applications to record (or exclude from recording). In order to dramatically reduce the storage space required for the recordings, while still keeping a clear textual audit trail of what the users did while logged on, policies can be configured to record all textual metadata for the users’ actions even though not all applications will be visually recorded. This gives an administrator a lot more information than was possible prior to using ObserveIT, while avoiding potential privacy issues. These policies are linked to servers or server groups for ease of management and flexibility.
In scenarios where many users use generic built-in accounts such as the “Administrator” account to log on to servers, it is difficult to know who really used that account. The ObserveIT Identification service forces users to further identify themselves before gaining access to the servers’ desktops. After completing the Windows logon process, the user is prompted with the secondary ObserveIT logon window, where they are forced to enter their own personal username and password. This makes it possible to distinguish between these users and to see clearly who used the “Administrator” account to log on. In addition, ObserveIT can be configured to work against external LDAP targets such as Microsoft Active Directory, which makes it possible to use secondary identification in scenarios where the monitored servers are stand-alone machines that are not part of a domain and that are placed inside the company’s Perimeter Network (or DMZ).
SmartAuditor relies only on the initial username and password provided when logging on to Presentation Server sessions, and provides no other means of identification.
As mentioned above, Citrix SmartAuditor has no information about what the user is doing inside the session. It records all the user activity within the session, based upon policies that can be configured by using the SmartAuditor Policy Console.
On the other hand, ObserveIT’s Agents, with each user action, capture a screen snapshot and metadata. The metadata is information extracted by the Agent about the state of the operating system and the application program being used which allows ObserveIT to precisely identify what the user is doing. This information is analyzed, encoded in a standardized format and stored and indexed in the Database Server.
While ObserveIT’s main feature is its ability to visually record user sessions, in some cases ObserveIT administrators will choose to configure ObserveIT to only record metadata about certain applications that are accessed on certain servers. Because this metadata describes what is seen on the screen, you can perform very powerful searches across your entire enterprise. Although no visual trace will be available when selecting this option, it still provides far more auditing capability than a server with no ObserveIT Agent installed. By using this feature, an administrator can read through the recorded metadata of user activities, gaining auditing and root cause analysis capabilities. Furthermore, by recording only metadata, storage size can be dramatically reduced while still providing a good audit trail of user actions.
Because SmartAuditor stores the data as separate video files in the Windows file system, and because it does not ignore idle time in the user’s session, the file sizes are considerably large, resulting in an overwhelming need for storage space. Needless to say, this makes the solution far from suitable for an enterprise-wide deployment.
ObserveIT only captures changes to the screen, and does not capture idle time. Because most of a user’s session is idle time, a recording of an hour-long session is dramatically reduced to 5-10 minutes. This, along with data compression and lower screen resolution, enables ObserveIT to demonstrate an extremely small database size. Clients that have deployed ObserveIT on 1000 servers have a year’s worth of recorded sessions stored inside a database approximately 100GB in size.
Both SmartAuditor and ObserveIT use SQL to store the recorded data. However, SmartAuditor stores the data as separate video files in a separate folder.
ObserveIT, on the other hand, stores the data inside the SQL Server database, with each frame and its metadata as a separate entry. This makes the product more secure against unauthorized replaying of the stored sessions.
SmartAuditor uses a viewer that needs to be installed on any computer that will be used to replay videos. This requires additional planning and software maintenance. When viewed, the video files are actually downloaded to the computer where the viewer is installed. When viewing, the manager can stop, pause, fast forward or rewind the video, but they need to watch the entire video from beginning to end in order to figure out what exactly happened in it, similar to watching a security camera recording.
ObserveIT, on the other hand, uses a viewer that is a web application, which means that it is opened in a standard web browser. This eliminates the need to install any application on the computer from which the sessions will be viewed, and lowers the overall software maintenance burden. Here too, the manager can stop, pause, fast forward or rewind the video by using VCR-like controls. However, since the video is in fact comprised of individual frames, no large files are downloaded to the computer when the sessions are replayed. Furthermore, ObserveIT’s textual transcript allows the manager to instantly identify the need (or lack of need) to view that specific session. By using the expanded textual transcript of each session, the manager can choose to start the replay from a specific point in time and does not have to view the entire recording from beginning to end.
SmartAuditor captures and archives screen updates, including mouse clicks and the visible output of keystrokes, in digitally signed video recordings. It can be configured to use NTFS file-based security to protect the stored recordings, which, as mentioned above, are stored as video files.
ObserveIT can be configured to use encryption and digital signature at the database level protecting each screenshot from any unauthorized access or modification, and for the traffic that is transmitted from the Agent to the Application Server. When configured, the ObserveIT Agents and Application Server use a token exchange mechanism to prevent session hijacking and replay, and to encrypt the data communication. The security mechanism for the communication consists of:
You can further secure the communication by configuring it to use SSL encryption.
ObserveIT allows the administrator to view recently recorded sessions and filter them based on simple parameters such as server name and user name. Moreover, because all metadata is stored alongside the screenshots inside a SQL database, very flexible searches are easily performed. An administrator can easily search by server name, user name or application name, and even perform “Google”-like free text search. By using these capabilities you can easily see who logged on to a server, what they did, and which applications they used. Clicking on the video icon next to the user session launches the ObserveIT Slide Viewer and begins replaying the entire recorded session from beginning to end. The replay can be paused, resumed, fast forwarded or rewound, and zoomed in or out.
However, replaying entire sessions is a time-consuming process and might prove irrelevant to the problem you’re trying to troubleshoot. ObserveIT lets administrators expand sessions and view a textual breakdown (similar to DVD chapters) of all applications, files and window titles that the user accessed during the session. Each session can be replayed from any point in time (or from any “chapter”). In this manner, within seconds it’s possible to determine which applications and actions were performed by the user, and to determine the relevancy of that session to your troubleshooting process. Needless to say, this saves a considerable amount of time.
ObserveIT also has flexible reports that can be created based upon user names, server names, dates or applications. For example “where was the IIS Manager MMC Console accessed in my organization” or “give me a list of all the times where remote desktop has been used in the past month”.
SmartAuditor presents a list of the recently recorded sessions or lets the administrator search for a previously recorded session. Searching for archived sessions is done by application name and date range. Additional information is displayed about the user name, client name, IP address, resolution and so on. However, since extended information about what is seen in the recording is not available, SmartAuditor’s search capabilities are extremely limited in comparison with ObserveIT.
In SmartAuditor, it’s possible to grant reviewer permissions to specific users. By using the playback encryption feature you can allow only the authorized reviewers to play back recordings. However, there isn’t a way to authorize specific reviewers for specific recordings. In order to have granular control over who can watch which recording, you need to work around this limitation by setting up different file permissions in Windows, a process that is very time consuming and not suitable for enterprise-wide deployments.
In ObserveIT, you can easily create additional Console Users, grant them either the “Admin” or the “View-Only Admin” role, and give them permissions on specific servers or groups of servers, based upon the organization’s requirements. This allows the administrator to grant granular replay access control permissions to specific security managers or auditors; for example, an auditor can be allowed to view only the servers included in a server group called “SQL Servers”.
Furthermore, ObserveIT has a built-in capability for auditing any access to the Web Management Console, plus any replaying of recorded sessions. This auditing mechanism eliminates the need to have a 3rd-party auditing tool to control Web Management Console access. Anytime a recording is replayed, an event is created in the ObserveIT audit log, showing you which user has replayed the recording.
SmartAuditor is a solution for recording user sessions hosted on Citrix Presentation Servers. No other means of remote access recording is available with SmartAuditor. Since recorded sessions are stored as video files similar to those produced by “dummy” security surveillance cameras, the recording software does not “know” what happens on the screen at any given moment. Therefore, there can be no integration with any 3rd-party monitoring tool, and you cannot create any custom events or actions based on the users’ actions in the recorded videos.
By contrast, ObserveIT records any type of remote access or interaction with the remote desktop, and has the ability to “know” exactly what is happening on the screen at any moment in the user’s session. ObserveIT stores this metadata as part of the recorded sessions database. ObserveIT also produces a textual log file used for monitoring purposes. These log files record all activity as it happens on the servers, and contain important metadata such as the time, date, server name, user session, user name, application window title and executable name. You can use 3rd-party monitoring and management tools such as Microsoft System Center Operations Manager 2007, CA-Unicenter, IBM Tivoli, HP OpenView and others to parse these log files and create events, triggers and alerts based upon text strings that appear inside the log files. By doing so, you integrate ObserveIT into your existing monitoring software and gain very important real-time alerting and reporting capabilities, answering questions such as “Alert me when a Remote Desktop session is opened by a user called John to a remote server with a given IP address”.
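As an added illustration of the log-parsing integration described above (this is example code written for this article, not ObserveIT’s own tooling, and the key=value line layout, field names, host names and IPs are all constructed here; the article does not show the real file format), the following parses metadata records and evaluates both the “Remote Desktop to a given IP by user John” alert and the “where was the IIS Manager MMC console accessed” report:

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of an ObserveIT-style activity log. The real file layout is
# not shown in the article, so this key=value form is an assumption made here.
SAMPLE_LOG = """\
2008-03-12 09:14:02 server=DMZ-WEB01 session=17 user=john client_ip=10.20.30.40 exe=mstsc.exe title="Remote Desktop Connection"
2008-03-12 09:14:09 server=DMZ-WEB01 session=17 user=john client_ip=10.20.30.40 exe=mstsc.exe title="192.168.5.25 - Remote Desktop Connection"
2008-03-12 09:20:41 server=DMZ-WEB01 session=18 user=alice client_ip=10.20.30.41 exe=mmc.exe title="Internet Information Services (IIS) Manager"
2008-03-12 09:22:00 server=SQL01 session=19 user=john client_ip=10.20.30.40 exe=notepad.exe title="hosts - Notepad"
this line is not a valid record and must be skipped
"""

# One record per line: date, time, then the metadata fields the article lists.
LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'server=(?P<server>\S+) session=(?P<session>\d+) user=(?P<user>\S+) '
    r'client_ip=(?P<client_ip>\S+) exe=(?P<exe>\S+) title="(?P<title>[^"]*)"$'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the metadata fields of one record, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every well-formed record; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            events.append(rec)
    return events

def rdp_sessions_to_host(events: List[Dict[str, str]], user: str, target_ip: str) -> List[Dict[str, str]]:
    """The article's alert: the named user opened Remote Desktop (mstsc.exe) to target_ip.
    mstsc puts the target host in its window title, which is the metadata field we match.
    Word boundaries keep 192.168.5.2 from matching 192.168.5.25."""
    ip_re = re.compile(r'\b' + re.escape(target_ip) + r'\b')
    return [e for e in events
            if e["user"].lower() == user.lower()
            and e["exe"].lower() == "mstsc.exe"
            and ip_re.search(e["title"])]

def servers_where_app_used(events: List[Dict[str, str]], exe: str, title_fragment: str) -> Set[str]:
    """The article's report: on which servers was a given console (e.g. IIS Manager in mmc.exe) accessed."""
    return {e["server"] for e in events
            if e["exe"].lower() == exe.lower()
            and title_fragment.lower() in e["title"].lower()}

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in rdp_sessions_to_host(evts, "John", "192.168.5.25"):
        print(f"ALERT {hit['date']} {hit['time']} {hit['user']} -> {hit['title']} (session {hit['session']})")
    print("IIS Manager used on:", sorted(servers_where_app_used(evts, "mmc.exe", "IIS")))
```

In a real deployment the same matching would be expressed as a text-string rule in the monitoring tool that tails the log, as the article describes; the functions here make the rule explicit and testable.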
In today’s shifting IT world there is a great need for recording user actions. This need is mostly due to regulatory compliance reasons, and also for troubleshooting and root cause analysis purposes. In this article I described the concepts behind 2 leading session recording software solutions, Citrix SmartAuditor and ObserveIT. By comparing the two products’ features and deployment options, we now have a better understanding of which of the two products to choose when there is a need to visually record user sessions and provide a clear and visible audit trail.