If you recall, I’ve recently begun working for ObserveIT (www.observeit-sys.com), a startup company that has an amazing solution for one of the toughest questions that IT professionals face in today’s dynamic IT world: Who touched my servers, what did they do, what did my privileged users do, what did my external vendors change on my servers? ObserveIT’s product allows enterprise-wide recording and indexing of any human interaction with the servers, and what makes it so awesome is the fact that it indexes this data alongside detailed metadata of what is seen on the screen, allowing full searches within the database. I’ve written more about ObserveIT’s recording capabilities in my “Record and Audit Terminal, Citrix and RDP Sessions – ObserveIT Product Overview” article.
Seeing the new and exciting features that are added to Windows Server 2008 TS, you can imagine that I immediately wanted to test how these additions integrate with ObserveIT’s capabilities. After some testing and tweaking I decided to write this article in order to introduce you to these great features, and to show you how you can get a full visual audit of your system.
Terminal Server on Windows Server 2008 has four primary features that deal directly with ObserveIT’s capabilities to record, audit, and provide visual tracking of Terminal Server connections:
- TS RemoteApp (a seamless windows/application publishing)
- TS Web Access (a web front-end for TS RemoteApps)
- TS Gateway (an SSL gateway for RDP)
- TS Session Broker (a load balancer for incoming RDP sessions)
Let’s look at each of these four major new features and see how they interact with ObserveIT.
TS RemoteApp
New to Microsoft Terminal Services, TS RemoteApp is Microsoft’s application publishing feature. TS RemoteApp lets the users connect to a single application window instead of a full remote desktop, and offers a seamless integration with the users’ desktops. This allows an administrator to easily deploy applications and quickly have users working on them.
TS RemoteApp does not need to be installed; it is automatically added to the server when you install the TS role service on Windows Server 2008.
The administrator uses the RemoteApp wizard to create custom RDP files for specific applications that are installed on specific Terminal Servers. Once these RDP files are sent to the users’ desktops, they can then double-click them to launch the RemoteApp. TS RemoteApp also allows the administrator to publish these files by using an MSI installer package, and “push” these packages through Group Policy or logon scripts. Like with RDP files, the installer packages don’t contain the actual application (they’re small in size). They just contain the RDP file, an icon, a Start menu shortcut, and any file type associations. After installing the MSI file, the RemoteApp version of the app shows up in Add/Remove Programs and on the Start menu, and also integrates the file type association with the RDP file.
Clicking the icon launches the remote seamless instance of the app, and so does clicking on a file type with the registered association.
With ObserveIT, you can record the user’s interaction with the published applications. Each time a user logs on to the Terminal Server running the application a new session is started, so the ObserveIT agent will immediately begin recording the interaction with the published application. However, because a RemoteApp session does not open a full desktop window, a small tweak is necessary in order to get ObserveIT’s agent to run: add it as a logon script to the user’s account in Active Directory.
This logon script should include this line:
start "ObserveIT" /I "C:\Program Files\ObserveIT\ObserveITAgent\bin\ObserveIT.Client.exe"
Save the logon script as “logon.bat” (or similar), and use one of the following methods to apply it:
1. Place the logon script in the NETLOGON share of one of your Domain Controllers. Next, open each individual user account in Active Directory and enter the logon script’s name in the Logon Script field under the user’s Profile tab. Consult the Windows Server 2003/2008 online help to read more about this configuration.
2. Edit an existing GPO or create a new one and link it at the OU or domain level, based upon your design. Using the GPO’s Logon Scripts option, add the ObserveIT logon script. Consult the Windows Server 2003/2008 online help to read more about this configuration.
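A logon script applied at the user or domain level runs on every machine that user logs on to, not only on the Terminal Servers, and a reconnect can run it again in the same session. The following logon.bat is an added example (not ObserveIT’s own script) that starts the agent only where it is actually installed and only once per session; the agent path is the one given above, and the SESSIONNAME variable is the one Windows sets in interactive sessions.

```batch
@echo off
rem Added example logon script: start the ObserveIT agent for a RemoteApp session.
rem Path is the default agent location quoted in the article above.
set "OIT_EXE=C:\Program Files\ObserveIT\ObserveITAgent\bin\ObserveIT.Client.exe"

rem The script is pushed to the user wherever they log on; do nothing on hosts
rem that do not have the agent installed (workstations, non-recorded servers).
if not exist "%OIT_EXE%" exit /b 0

rem Skip if the agent is already running in THIS session (e.g. on reconnect).
rem SESSIONNAME is set by Windows to "Console" or "RDP-Tcp#N"; if it is missing
rem we are not in an interactive session, so there is nothing to record.
if not defined SESSIONNAME exit /b 0
tasklist /FI "IMAGENAME eq ObserveIT.Client.exe" /FI "SESSIONNAME eq %SESSIONNAME%" ^
    | find /I "ObserveIT.Client.exe" >nul
if not errorlevel 1 exit /b 0

rem Launch the agent detached (/I = use the original environment) so the
rem logon script itself does not block the RemoteApp from starting.
start "ObserveIT" /I "%OIT_EXE%"
exit /b 0
```

Because the guard checks the executable path first, the same script can safely be linked at the domain level rather than maintained per user.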
Since TS RemoteApp is designed to hold all RemoteApps used by a user in one single session, a recording of a TS RemoteApp session will include every RemoteApp application that was used during that session. The recording shows a blank desktop with whichever RemoteApps the user is running. When the user minimizes a RemoteApp on their end, the RemoteApp is minimized on the server; the same is true for dragging RemoteApp windows on the user’s end. When the user focuses or maximizes a RemoteApp on their end, it is also focused or maximized in the recording.
Different users running different sessions will naturally be recorded in separate recordings and thus you will be able to view exactly what each user did.
TS Web Access
TS Web Access is a role service in the Terminal Services role that lets you make TS RemoteApp programs, and a connection to the terminal server desktop, available to users from a Web browser. Additionally, TS Web Access enables users to connect from a Web browser to the remote desktop of any server or client computer where they have the appropriate access. By using TS Web Access, there is much less administrative overhead. You can easily deploy programs from a central location.
With TS Web Access, users can visit a Web site (either from the Internet or from an intranet) to access a list of available RemoteApp programs. When they start a RemoteApp program, a Terminal Services session is started on the Windows Server 2008-based terminal server that hosts the RemoteApp program.
Since TS Web Access is merely a front end for launching TS RemoteApps, using ObserveIT in this scenario is very simple and does not require any configuration beyond what the TS RemoteApp scenario needs. All you need to do is create the logon script described in the previous section of this article, and apply it either at the user level, or at the domain/OU level by using a GPO.
When a user logs on to the Web Access page, they click on the icon for the application they want to run. This launches a TS session with the TS server that holds the published application. Since ObserveIT’s agent is installed on the TS server it will begin recording the user session.
TS Gateway
TS Gateway is a role service in the Terminal Services server role that allows authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device. The network resources can be terminal servers, terminal servers running RemoteApp programs, or even workstation computers with Remote Desktop enabled. By doing this, TS Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.
TS Gateway uses Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
Because TS Gateway carries RDP inside an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel on port 443 instead of using port 3389 directly, it enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security.
When using ObserveIT with TS Gateway you do not need to perform any additional tasks. Since ObserveIT is an agent-based solution, you install ObserveIT’s agents on the Terminal Servers, RDP machines, or Citrix servers that you want to monitor, record and audit. In this scenario the TS Gateway itself does not hold the Terminal Server role, so it does not require an agent in order to capture human interaction with the remote machines.
TS Session Broker
TS Session Broker is the load balancing capability of Windows Server 2008 Terminal Services. TS Session Broker is almost identical to the Session Directory feature of Windows Server 2003, but adds a new feature that works when users connect to new sessions. TS Session Broker stores session state information that includes session IDs and their associated user names, and the name of the server where each session resides. After installing the role service and configuring all the TS servers to be part of the same farm, when an incoming RDP connection is made and the user authenticates to one of the Terminal Servers, that server contacts the server running the session broker to see if the user should be redirected to a different Terminal Server. This might happen either because another server has a lower load or because the user already has an existing session on another server. The TS Session Broker Load Balancing feature also enables you to assign a relative weight value to each server. By assigning a server weight value, you can help to distribute the load between more powerful and less powerful servers in the farm.
Another feature of TS Session Broker is the ability to prevent new users from logging on to a terminal server that is scheduled to be taken down for maintenance. This mechanism provides for the ability to take a server offline without disrupting the user experience.
When using ObserveIT alongside the TS Session Broker role service, the ObserveIT agent needs to be deployed as usual on every Terminal Server that is part of the farm. No additional configuration is required, and all user sessions are recorded as usual on the Terminal Servers. Because ObserveIT’s screenshots and metadata are stored centrally inside an indexed SQL database, you retain the ability to search for users’ sessions throughout the Terminal Server farm by using ObserveIT’s user diary feature or the free text search.
In conclusion, the new and exciting features of Terminal Server found in Windows Server 2008 are well worth looking into by organizations that are looking to deploy and publish applications to users’ desktops, and that are looking for ways to ease access to these applications and desktops from remote locations. By using ObserveIT’s unique recording, auditing and replaying capabilities, the organization can maintain a visual audit trail and track human interactions with servers and applications.
To read more please visit ObserveIT’s website (www.observeit-sys.com) and see an online demo video showing you some of the software’s recording capabilities.