In today’s shifting IT world, many organizations have servers hosting both internal and customer-facing applications. These servers are managed and accessed by multiple staff members and, in some cases, by external vendor contractors as well. While a lot of money has been invested in protecting these servers from malicious users and other unauthorized connections by deploying firewalls, VPN servers, identity management solutions and intrusion detection systems, these organizations currently have no practical way of logging user activity on these servers and of knowing exactly who did what on these machines.
The need for recording user actions is mostly due to these reasons:
- Regulatory compliance – Over the past few years, organizations have implemented internal controls as part of their efforts to meet regulatory requirements, and non-compliance with these requirements carries great risk. To comply, organizations need to record on-screen user activity for applications that deal with sensitive information. The organization is responsible for reducing this risk, for developing a risk management strategy that incorporates effective internal controls to meet regulations such as Sarbanes-Oxley, HIPAA and many others, and for monitoring suspicious activity while protecting company information. This is especially critical in regulated industries such as healthcare and finance, where compliance with personal information security rules is critical. Most organizations strive to be compliant and to protect company information, but because of the growing dependency on outsourcing, partners, external vendors and contract workers, these requirements continuously grow.
- Troubleshooting and root cause analysis – IT departments need a solution for capturing user problems when they happen to help pinpoint and resolve issues faster, and to help mitigate and resolve issues caused by user actions.
- Security – When using recording software, security managers have a greater chance of proving criminal intent, where it exists, by using visual evidence combined with traditional text-based management and monitoring tools.
Any company that has multiple individuals with access to its enterprise servers can benefit by using visual recording software. This is particularly true when, in addition to IT administrators, developers, project managers and consultants are able to modify server configuration.
Two products exist that address this need: Citrix SmartAuditor and ObserveIT. Both offer visual recording of user sessions, and both are designed from the ground up as enterprise-scale solutions that centrally store and index the recordings and offer granular policy-based control. Visit the home pages of these two products for further details.
Concept – Citrix SmartAuditor vs. ObserveIT
Citrix SmartAuditor allows you to record any user’s session from any computer running Presentation Server. Recorded sessions are cataloged and archived for retrieval and playback. SmartAuditor acts just like a security video camera pointed at the screen. However, just like a “dummy” surveillance camera, the recording software does not “know” what happens on the screen at any given moment. The only information available is the user name, application name, and date and time; nothing else is recorded about what happened inside the user session.
SmartAuditor is only available to Platinum Edition clients and only allows monitoring and recording of application sessions running on Citrix Presentation Servers. This requirement means that only large enterprises will be able to afford it.
ObserveIT is software that records all human activity on monitored servers, either visually or through metadata. This allows recorded sessions to be replayed (in the case of visual recording) and makes it possible to understand exactly what was performed on the monitored servers, who did it, and which applications were accessed.
ObserveIT captures not only screenshots, but also an abundance of information about what is seen on the screen: the user performing the action, the remote computer’s name and IP address, date, time, application executable name, window title and more. All this information is stored as metadata alongside the screenshots, inside a SQL database, allowing very flexible searching and enterprise-scale management.
ObserveIT can be installed in an Active Directory environment, but also in workgroup or stand-alone environments, similar to those found in DMZ or perimeter networks typically used in external vendor remote access scenarios. ObserveIT records user sessions regardless of the method by which these sessions were created. It works with virtually any remote access software such as Terminal Server, Remote Desktop, VNC, NetOp, DameWare, Remote Admin, pcAnywhere and more.
SmartAuditor is a single protocol solution, recording only ICA access.
ObserveIT, on the other hand, is completely protocol-agnostic, because it records at the operating system level. Because of that, ObserveIT will record ANY type of remote access, including RDP, Terminal Server, ICA, VNC, NetOp, DameWare and so on.
SmartAuditor uses 5 components, which, based on the design, can be installed separately or on the same machine:
- SmartAuditor Agent – Component installed on each Presentation Server to enable recording.
- SmartAuditor Server – Hosts two services. The Broker handles the search queries and file download requests from the Player and the policy administration requests from the SmartAuditor Policy Console, and evaluates recording policies for each Citrix Presentation Server session. The Storage Manager manages the recorded session files received from each SmartAuditor-enabled computer running Citrix Presentation Server.
- SmartAuditor Policy Console – A Microsoft Management Console snap-in that allows you to specify which sessions are recorded. Each time a new session starts, the active policy is evaluated to verify that the session should be recorded.
- SmartAuditor Database – A SQL Server database schema used by the Storage Manager for storing recorded session file metadata and servicing search requests.
- SmartAuditor Player – A user interface that reviewers access from their workstation to play back recorded Citrix Presentation Server sessions.
One major drawback of SmartAuditor is that it is designed ONLY for Citrix Presentation Servers. It will not work for any other type of server.
ObserveIT uses 4 components, which, again based on the design, can be installed separately or on the same machine:
- The ObserveIT Agent – The component that needs to be installed on each server/workstation being monitored. The ObserveIT Agent captures data any time keyboard or mouse activity is detected.
- The ObserveIT Application Server – An ASP.NET application that runs on Microsoft Internet Information Server. It accepts the data posted by the Agent, processes it and sends it to the ObserveIT Database Server to be stored and indexed. In addition, the Application Server periodically provides configuration information to the Agents.
- The ObserveIT Web Management Console – An ASP.NET application that runs on Microsoft Internet Information Server. It is the primary interface for ObserveIT users to access ObserveIT data and to configure and administer ObserveIT. All configuration information is stored in the ObserveIT Database Server.
- The ObserveIT Database Server – Runs Microsoft SQL Server and stores all screenshots and metadata captured by ObserveIT Agents, as well as all configuration data.
ObserveIT Agents can be deployed on ANY Windows-based operating system, regardless of version or role. They work on terminal or Citrix servers as well as on regular servers running roles such as Domain Controllers, file and print servers, web servers and so on. Any type of server that remote users connect to is a candidate for the ObserveIT Agent and can be visually recorded.
Citrix SmartAuditor is managed by using the SmartAuditor Policy Console, a Microsoft Management Console snap-in. This tool requires installation, which in turn can add to the administrative overhead of software management.
As a side note, it’s worth mentioning that once SmartAuditor is running on your Citrix servers, shadowing of user sessions will no longer work.
ObserveIT is managed from the ObserveIT Web Management Console, which is a web application that is hosted on the ObserveIT Application Server, and is accessed from any computer by using a web browser. This makes connecting to the management console an easy task that does not require any deployment planning or software installation.
Running ObserveIT Agent on terminal or Citrix servers will have no effect on the regular management of these servers.
SmartAuditor uses recording policies to provide a granular approach to recording Presentation Server sessions. A recording policy can be configured to record individual users, groups of users, specific published applications and specific Presentation Server computers. Multiple rules can be defined in a policy to apply different recording actions or separate recording criteria for easier manageability.
ObserveIT recording is configured by using flexible Server Policies. These policies are sets of configuration options that control how the monitored server is recorded. Some of the settings control the way the Agent works, the recording resolution and color depth, and the recording notification prompt. Further settings control which users to record (or exclude from recording) and which applications to record (or exclude from recording). To dramatically reduce the storage space required for the recordings while still keeping a clear textual audit trail of what users did while logged on, policies can be configured to record all textual metadata for the users’ actions even when not all applications are visually recorded. This gives an administrator far more information than was possible before ObserveIT, while avoiding potential privacy issues. These policies are linked to servers or server groups for ease of management and flexibility.
In scenarios where many users share generic built-in accounts such as the “Administrator” account to log on to servers, it is difficult to know who really used that account. The ObserveIT Identification service forces users to further identify themselves before gaining access to the server’s desktop. After completing the Windows logon process, the user is prompted with a secondary ObserveIT logon window, where they must enter their own personal username and password. This makes it possible to distinguish these users and see clearly who used the “Administrator” account to log on. In addition, ObserveIT can be configured to work against external LDAP targets such as Microsoft Active Directory, which makes it possible to use secondary identification in scenarios where the monitored servers are stand-alone machines that are not part of a domain and that are placed inside the company’s perimeter network (or DMZ).
SmartAuditor relies only on the initial username and password provided when logging on to Presentation Server sessions, and provides no other means of identification.
Recording only metadata
As mentioned above, Citrix SmartAuditor has no information about what the user is doing inside the session. It simply records all user activity within the session as video, based upon policies that can be configured by using the SmartAuditor Policy Console.
On the other hand, ObserveIT’s Agents, with each user action, capture a screen snapshot and metadata. The metadata is information extracted by the Agent about the state of the operating system and the application program being used which allows ObserveIT to precisely identify what the user is doing. This information is analyzed, encoded in a standardized format and stored and indexed in the Database Server.
While ObserveIT’s main feature is its ability to visually record user sessions, in some cases, ObserveIT administrators will choose to configure ObserveIT to only record metadata about certain applications that are accessed on certain servers. Because this metadata is used to describe what is seen on the screen, you can perform very powerful searches across your entire enterprise. Although no visual trace will be available when selecting this option, it will still provide far more auditing capabilities than when compared to a server with no ObserveIT Agent installed. By using this feature, an administrator can use the recorded metadata to read through the user activities, giving them auditing and root cause analysis capabilities. Furthermore, by recording only metadata, storage size can be dramatically reduced and still provide a good audit trail of user actions.
Because SmartAuditor stores the data as separate video files in the Windows file system, and because it does not ignore idle time in the user’s session, the file sizes are considerably large, resulting in an overwhelming need for storage space. Needless to say, this solution is far from suitable for an enterprise-wide deployment.
ObserveIT only captures changes to the screen and does not capture idle time. Because most of a user’s session is idle time, the recording of an hour-long session is dramatically reduced to 5-10 minutes. This, together with data compression and lower screen resolution, gives ObserveIT an extremely small database size. Clients that have deployed ObserveIT on 1000 servers have a year’s worth of recorded sessions stored inside a database approximately 100GB in size.
Both SmartAuditor and ObserveIT use SQL to store the recorded data. However, SmartAuditor stores the data as separate video files in a separate folder.
ObserveIT, on the other hand, stores the data inside the SQL Server database, with each frame and its metadata as a separate entry. This makes the stored sessions better protected against unauthorized replay.
SmartAuditor uses a viewer that needs to be installed on any computer that will be used to replay videos. This requires additional planning and software maintenance. When viewed, the video files are actually downloaded to the computer where the viewer is installed. The manager can stop, pause, fast forward or rewind the video, but needs to watch the entire video from beginning to end to figure out exactly what happened in it, similar to watching a security camera recording.
ObserveIT, on the other hand, uses a viewer that is a web application, which means that it opens in a standard web browser. This eliminates the need to install any application on the computer from which sessions are viewed, and lowers overall software maintenance. Here too, the manager can stop, pause, fast forward or rewind the video by using VCR-like controls. However, since the video is in fact made up of individual frames, no large files are downloaded to the computer when sessions are replayed. Furthermore, ObserveIT’s textual transcript allows the manager to instantly identify the need (or lack of need) to view a specific session. By using the expanded textual transcript of each session, the manager can start the replay from a specific point in time and does not have to view the entire recording from beginning to end.
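As an added illustration of the storage and replay model described above (example code written for this page, not ObserveIT’s or Citrix’s own), the following Python sketch stores a frame only when the screen content changed, keeps each frame and its metadata as a separate database row, derives a chapter-style textual breakdown from the stored metadata, and pulls only the frames needed to replay from a chosen chapter onward. SQLite stands in for SQL Server, a SHA-256 of the frame bytes stands in for real image comparison, and all frames, user names and server names are constructed.

```python
"""Change-only frame capture with one row per frame (added illustration, not
ObserveIT code). Frame contents, user names and server names are constructed."""
import hashlib
import sqlite3
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Capture:
    """One screen sample taken when keyboard or mouse activity was seen."""
    t_seconds: int          # seconds since session start
    user: str
    server: str
    window_title: str
    exe: str
    pixels: bytes           # stand-in for the captured bitmap


def open_store() -> sqlite3.Connection:
    """Each stored frame is its own row, with the metadata alongside it."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE frames (
               id INTEGER PRIMARY KEY,
               t_seconds INTEGER NOT NULL,
               user TEXT NOT NULL,
               server TEXT NOT NULL,
               window_title TEXT NOT NULL,
               exe TEXT NOT NULL,
               frame_sha256 TEXT NOT NULL,
               frame BLOB NOT NULL)"""
    )
    return db


def record_session(db: sqlite3.Connection, captures: Iterable[Capture]) -> Tuple[int, int]:
    """Store a frame only when the screen differs from the last stored frame.
    Returns (captures_seen, frames_stored); the gap is idle time that costs no storage."""
    seen = stored = 0
    last_digest: Optional[str] = None
    for cap in captures:
        seen += 1
        digest = hashlib.sha256(cap.pixels).hexdigest()
        if digest == last_digest:
            continue                      # unchanged screen: skip, do not store
        db.execute(
            "INSERT INTO frames (t_seconds, user, server, window_title, exe, frame_sha256, frame)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)",
            (cap.t_seconds, cap.user, cap.server, cap.window_title, cap.exe, digest, cap.pixels),
        )
        stored += 1
        last_digest = digest
    db.commit()
    return seen, stored


def chapters(db: sqlite3.Connection, user: str, server: str) -> List[Tuple[int, str, str]]:
    """Textual breakdown of a session: when each window title / executable first appeared."""
    return db.execute(
        "SELECT MIN(t_seconds) AS first_seen, window_title, exe FROM frames"
        " WHERE user = ? AND server = ? GROUP BY window_title, exe ORDER BY first_seen",
        (user, server),
    ).fetchall()


def replay_from(db: sqlite3.Connection, user: str, server: str, t_start: int) -> List[Tuple[int, bytes]]:
    """Frames needed to replay a session from a chosen chapter onward."""
    return db.execute(
        "SELECT t_seconds, frame FROM frames WHERE user = ? AND server = ? AND t_seconds >= ?"
        " ORDER BY t_seconds",
        (user, server, t_start),
    ).fetchall()


def sample_captures() -> List[Capture]:
    """Constructed session: ten samples, but the screen only changed three times."""
    screens = [("Server Manager", "mmc.exe", b"screen-A")] * 3 \
        + [("Administrator: Command Prompt", "cmd.exe", b"screen-B")] * 4 \
        + [("Registry Editor", "regedit.exe", b"screen-C")] * 3
    return [Capture(t, "administrator", "FILESRV01", title, exe, px)
            for t, (title, exe, px) in enumerate(screens)]


if __name__ == "__main__":
    store = open_store()
    print(record_session(store, sample_captures()))        # (10, 3)
    for first_seen, title, exe in chapters(store, "administrator", "FILESRV01"):
        print(f"t+{first_seen}s  {exe:<12} {title}")
```

Ten activity samples become three stored rows, and the chapter list comes straight from a GROUP BY over the metadata columns, so a reviewer can jump to the command prompt at t+3s without touching the frames before it.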
SmartAuditor captures and archives screen updates, including mouse clicks and the visible output of keystrokes, in digitally signed video recordings. It can be configured to use NTFS file-based security to protect the stored recordings, which, as mentioned above, are stored as video files.
ObserveIT can be configured to use encryption and digital signature at the database level protecting each screenshot from any unauthorized access or modification, and for the traffic that is transmitted from the Agent to the Application Server. When configured, the ObserveIT Agents and Application Server use a token exchange mechanism to prevent session hijacking and replay, and to encrypt the data communication. The security mechanism for the communication consists of:
- Encryption (Rijndael)
- Digital signing
- Token exchange
You can further secure the communication by configuring it to use SSL encryption.
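The following added Python example (written for this page; ObserveIT’s actual wire protocol is not described here) models the digital signing and token exchange items from the list above: the Application Server issues a single-use token, the Agent signs its post with an HMAC over the token and payload using a shared key, and the server rejects a re-posted envelope (replay) and a modified payload (tampering). The Rijndael/AES encryption layer is omitted because the Python standard library has no AES; in a deployment it would come from the product’s encryption setting or from SSL as noted above. The shared key and the record values are constructed.

```python
"""Signed, single-use-token posts from an Agent to an Application Server
(added illustration, not ObserveIT's protocol). Key and data are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Set, Tuple

# Shared secret provisioned out of band; constructed value for the example.
SHARED_KEY = b"example-agent-key-do-not-use"


def sign(key: bytes, token: str, payload: str) -> str:
    """HMAC-SHA256 over token and payload, so neither can be swapped independently."""
    mac = hmac.new(key, token.encode() + b"\n" + payload.encode(), hashlib.sha256)
    return mac.hexdigest()


class ApplicationServer:
    """Issues one-time tokens and accepts only freshly signed posts."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued: Set[str] = set()
        self.accepted: List[Dict[str, str]] = []

    def issue_token(self) -> str:
        token = secrets.token_hex(16)
        self._issued.add(token)
        return token

    def accept(self, envelope: Dict[str, str]) -> Tuple[bool, str]:
        token = envelope.get("token", "")
        if token not in self._issued:
            return False, "unknown or already used token"   # replay or forgery
        expected = sign(self._key, token, envelope.get("payload", ""))
        if not hmac.compare_digest(expected, envelope.get("sig", "")):
            return False, "bad signature"                    # payload was altered
        self._issued.discard(token)                          # token is single-use
        self.accepted.append(json.loads(envelope["payload"]))
        return True, "ok"


class Agent:
    def __init__(self, key: bytes):
        self._key = key

    def post(self, server: ApplicationServer, record: Dict[str, str]) -> Dict[str, str]:
        token = server.issue_token()              # step 1: fetch a fresh token
        payload = json.dumps(record, sort_keys=True)
        return {"token": token, "payload": payload,
                "sig": sign(self._key, token, payload)}   # step 2: signed post


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run one genuine post, one replay of it, and one tampered post."""
    server = ApplicationServer(SHARED_KEY)
    agent = Agent(SHARED_KEY)
    record = {"user": "jdoe", "server": "WEB01", "exe": "mmc.exe"}   # constructed
    env = agent.post(server, record)
    results = {"first": server.accept(env)}
    results["replay"] = server.accept(env)          # same envelope again
    env2 = agent.post(server, record)
    tampered = dict(env2, payload=env2["payload"].replace("jdoe", "admin"))
    results["tampered"] = server.accept(tampered)   # signature no longer matches
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<9} {outcome}")
```

Binding the token into the MAC is what makes the token exchange useful: a captured envelope cannot be re-sent because its token is consumed, and a fresh token cannot be attached to an old payload without the key.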
Searching for data and producing reports
ObserveIT allows the administrator to view recently recorded sessions and filter them by simple parameters such as server name and user name. Beyond that, because all metadata is stored alongside the screenshots inside a SQL database, very flexible searches are easily performed. An administrator can search by server name, user name or application name, and even perform “Google”-like free text search. With these capabilities you can easily see who logged on to a server, what they did, and which applications they used. Clicking the video icon next to a user session launches the ObserveIT Slide Viewer and begins replaying the entire recorded session from beginning to end. The replay can be paused, resumed, fast forwarded or rewound, and zoomed in or out.
However, replaying entire sessions is time consuming and may prove irrelevant to the problem you’re trying to troubleshoot. ObserveIT lets administrators expand sessions and view a textual breakdown (similar to DVD chapters) of all applications, files and window titles that the user accessed during the session. Each session can be replayed from any point in time (or from any “chapter”). In this manner, within seconds it’s possible to determine which applications and actions were performed by the user, and whether that session is relevant to your troubleshooting. Needless to say, this saves a considerable amount of time.
ObserveIT also has flexible reports that can be created based upon user names, server names, dates or applications. For example “where was the IIS Manager MMC Console accessed in my organization” or “give me a list of all the times where remote desktop has been used in the past month”.
SmartAuditor presents a list of the recently recorded sessions or lets the administrator search for a previously recorded session. Archived sessions are searched by application name and date range. Additional information is displayed about the user name, client name, IP address, resolution and so on. However, since extended information about what is seen in the recording is not available, SmartAuditor’s search capabilities are extremely limited in comparison with ObserveIT’s.
Permissions and auditing of the replay of sessions
In SmartAuditor, it’s possible to grant reviewer permissions to specific users. By using the playback encryption feature you can allow only authorized reviewers to play back recordings. However, there is no way to authorize specific reviewers for specific recordings. To have granular control over who can watch which recording, you need to work around this limitation by setting up different file permissions in Windows, a process that is very time consuming and not suitable for enterprise-wide deployments.
In ObserveIT, you can easily create additional Console Users, grant them either the “Admin” or the “View-Only Admin” role, and give them permissions on specific servers or groups of servers, based upon the organization’s requirements. This allows the administrator to grant granular replay access control to specific security managers or auditors; for example, an auditor can be limited to viewing only the servers included in a server group called “SQL Servers”.
Furthermore, ObserveIT has a built-in capability for auditing any access to the Web Management Console, plus any replaying of recorded sessions. This auditing mechanism eliminates the need to have a 3rd-party auditing tool to control Web Management Console access. Anytime a recording is replayed, an event is created in the ObserveIT audit log, showing you which user has replayed the recording.
Integration with 3rd-party monitoring and management tools
SmartAuditor is a solution for recording user sessions hosted on Citrix Presentation Servers. No other means of remote access recording is available with SmartAuditor. Since recorded sessions are stored as video files similar to those produced by “dummy” security surveillance cameras, the recording software does not “know” what happens on the screen at any given moment. Therefore, there can be no integration with any 3rd-party monitoring tool, and you cannot create custom events or actions based on the users’ actions in the recorded videos.
By contrast, ObserveIT records any type of remote access or interaction with the remote desktop, and has the ability to “know” exactly what is happening on the screen at any moment in the user’s session. ObserveIT stores this metadata as part of the recorded sessions database. ObserveIT also produces a textual log file used for monitoring purposes. These log files record all activity as it happens on the servers and contain important metadata such as the time, date, server name, user session, user name, application window title and executable name. You can use 3rd-party monitoring and management tools such as Microsoft System Center Operations Manager 2007, CA Unicenter, IBM Tivoli, HP OpenView and others to parse these log files and create events, triggers and alerts based upon text strings that appear inside them. By doing so, you integrate ObserveIT into your existing monitoring software and gain very important real-time alerting and reporting capabilities, answering requests such as “Alert me when a Remote Desktop session is opened by a user called John to a remote server with a given IP address”.
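As an added example covering both the metadata search and reporting described earlier and the log-file integration described here (example code written for this page, not ObserveIT’s log format or any monitoring tool’s rule syntax), the following Python parses metadata lines of the kind the text lists (date, time, server, session, user, window title, executable, plus the client name and IP mentioned earlier), answers the “where was the IIS Manager accessed” report, runs a “Google”-like free text search, and implements the “Remote Desktop session opened by John to a given IP” alert as a rule over the parsed records. The line layout and every value in the sample log are constructed.

```python
"""Parse constructed metadata log lines, search them, and run an alert rule
(added illustration, not ObserveIT's log format or any vendor's rule syntax)."""
import re
import shlex
from typing import Dict, List

Record = Dict[str, str]

# Constructed log lines: date, time, then key=value pairs (quoted when they contain spaces).
LOG_LINES = """\
2008-03-12 14:05:31 server=FILESRV01 session=3 user=john client=WS-JOHN client_ip=10.1.2.3 exe=mstsc.exe title="10.1.5.20 - Remote Desktop Connection"
2008-03-12 14:06:02 server=WEB01 session=7 user=jane client=WS-JANE client_ip=10.1.2.9 exe=mmc.exe title="Internet Information Services (IIS) Manager"
2008-03-12 14:07:45 server=FILESRV01 session=3 user=john client=WS-JOHN client_ip=10.1.2.3 exe=cmd.exe title="Administrator: Command Prompt"
2008-03-12 14:09:10 server=WEB02 session=2 user=admin client=VENDOR-PC client_ip=203.0.113.7 exe=mmc.exe title="Internet Information Services (IIS) Manager"
2008-03-12 14:10:00 server=WEB01 session=7 user=jane client=WS-JANE client_ip=10.1.2.9 exe=mstsc.exe title="10.1.5.99 - Remote Desktop Connection"
"""


def parse_line(line: str) -> Record:
    """One log line -> dict. shlex keeps the quoted window title as one token."""
    date, time, rest = line.split(" ", 2)
    record: Record = {"date": date, "time": time}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> List[Record]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def search(records: List[Record], query: str) -> List[Record]:
    """Free-text search: every query word must appear somewhere in the record."""
    words = query.lower().split()
    hits = []
    for rec in records:
        haystack = " ".join(rec.values()).lower()
        if all(w in haystack for w in words):
            hits.append(rec)
    return hits


def servers_where(records: List[Record], title_fragment: str) -> List[str]:
    """Report: on which servers was a window with this title fragment seen?"""
    frag = title_fragment.lower()
    return sorted({r["server"] for r in records if frag in r["title"].lower()})


def rdp_alert(records: List[Record], user: str, target_ip: str) -> List[Record]:
    """Alert rule: the named user ran the Remote Desktop client with target_ip in
    its window title (mstsc.exe shows the destination there). The lookarounds stop
    10.1.5.2 from matching inside 10.1.5.20."""
    ip_re = re.compile(r"(?<![\d.])" + re.escape(target_ip) + r"(?![\d.])")
    return [r for r in records
            if r["user"].lower() == user.lower()
            and r["exe"].lower() == "mstsc.exe"
            and ip_re.search(r["title"])]


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print("IIS Manager seen on:", servers_where(recs, "IIS"))
    for hit in rdp_alert(recs, "john", "10.1.5.20"):
        print("ALERT", hit["date"], hit["time"], hit["server"], hit["title"])
```

A monitoring tool wired to this log would fire on the 14:05:31 line only; Jane’s RDP session at 14:10:00 goes to a different address and is not raised, which is the kind of precision a video-only recording cannot offer.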
In today’s shifting IT world there is a great need for recording user actions, mostly for regulatory compliance reasons, and also for troubleshooting and root cause analysis. In this article I described the concepts behind two leading session recording solutions – Citrix SmartAuditor and ObserveIT. By comparing the two products’ features and deployment options we now have a better understanding of which one to choose when there is a need to visually record user sessions and provide a clear and visible audit trail.