ObserveIT Xpress is a free utility that allows you to monitor Terminal Services sessions. Knowing what users are doing is particularly important where your organization has confidential, sensitive or research departments.
When I see the word 'Free' next to a product it raises concerns about just how good the product is. All my worries about the robustness of the free ObserveIT Xpress melted away when I realized that it has all the qualities of its big brother, ObserveIT Pro. In particular, Xpress allows me to replay any action performed by administrators or by people who log on with a senior staff account.
Returning to the free utility theme, to me ObserveIT is like a modern-day Robin Hood, only instead of taking from the rich and giving to the poor, they invest the profits from selling to big organizations in providing free Xpress auditing tools to small companies. I am guessing here, but the Xpress version probably has the same code as Pro; it's just that you can only replay the activities of the last 24 hours, and you can only monitor a handful of servers. (Pro is unlimited in both respects.)
What You Get with ObserveIT Xpress
To let you into a secret, I wasn't that interested in auditing Terminal Services sessions until I happened upon ObserveIT; it's just that I love trying these free toys and learning from their ability to troubleshoot user actions.
In the workplace, ObserveIT not only helps administrators with security, but also provides answers when management insists on compliance with company IT procedures. Then there is a second use of ObserveIT as a troubleshooting tool, for example seeing what users are actually doing to cause a problem.
The ObserveIT software works by recording, and visually replaying, all Terminal Server, Citrix and console sessions, thus providing detailed insight into all activities on your network. Since the product is agnostic to protocol and software, it captures and stores activity coming from all methods of remote access to the server, including RDP, VNC, TS, Citrix, Netop and DameWare.
ObserveIT has four components: a database, an application server, an agent and a web console. The agent runs locally on every machine where recording is necessary. When you install ObserveIT Xpress, the agent does not run as a service; instead it is started the moment a user creates a session on that server. The application server and the web console are both based on IIS, and can be installed on the same machine or separately if you prefer. It makes sense for the database component to require Microsoft SQL Server 2000/2005; again, this can be installed on the same server as the application, or on one of your existing SQL servers.
The installation can be done in two ways: the so-called 'one click installation', or a custom installation. The one click installation is particularly suitable where the web console and the application server are installed on the same machine. If you need to change the defaults, then use the custom installation as described in the clear manual. All that the installation wizard needs is the name of the server hosting the Microsoft SQL services, and the name of an account that can create the databases automatically. Other than that, it's just a click to agree to the license agreement.
Next, install the agent on each server that you wish to monitor and record. This can be a regular server that is a member of the domain, or a standalone machine in your firewall's perimeter network. The ObserveIT agent is especially useful for Terminal Servers (including Windows 2008 TS features). You can also install the agent via an MSI file with unattended parameters.
After the installation is complete, all of the management and configuration tasks are performed through the web-based console. Using the Configuration tab you can add more operators/administrators, configure SMTP settings, and check the settings on the agents. One key decision is which users you should monitor. If you prefer to delegate particular administrators to particular types of server, then you could create groups of servers, for example Terminal Services or email, then delegate to other administrators based on their role. All the configuration settings are grouped into Configuration Policies; you can then assign servers to the appropriate policy.
One option worth looking into is the Identification Services provided by ObserveIT. This is very useful when, for example, several people in the IT department share a single account to administer the servers (a generic account like the built-in 'Administrator'). You can specify that when anyone uses such an account, ObserveIT requires them to identify themselves once again, using another account defined within ObserveIT. In this way, even with a generic account, the actual person logging in can be identified. If it were me I would lock down the Administrator account and make everyone use their own account, but I know that does not fit with every organization's modus operandi.
When ObserveIT is being used to record Published Applications/RemoteApp sessions, you need to include the executable ObserveIT.Client.exe in a login script. Once again the product documentation comes up trumps and provides detailed instructions for setting up this login script.
Using ObserveIT Xpress
Recording starts as soon as you install the agent and connect to the application server. You can review the recordings in the management web console. There are three tabs in the web console. The first tab displays the recordings per server. When the server and period of time are selected, the recordings are presented based on logon time per user (the activities view). You can also sort the view based on 'Started applications'. I think of this first tab as the Server Diary.
The second tab provides a user-centric view, from which you can view user activity. You specify the user and the time period, then ObserveIT shows the activities within the chosen time-frame. Just as with the Server tab, you can audit based on activities (per logon) or per accessed item/application. I think of this second tab as the User Diary. The third tab is for Reports; here you can filter the recorded sessions on time period, user, server and/or application. This last option uses keywords to find an activity.
ObserveIT's unique feature is that it captures metadata; the advantage is that you can home in on a particular time-frame without having to replay the whole 'movie'. Using the metadata, you can simply expand a recorded session and immediately get to the exact point in time where the user did the deed. This saves a lot of time if you know what event you are looking for. ObserveIT can also export any recording to a single executable, so the evidence can be viewed by other people, such as line managers, who are not authorized to use the ObserveIT console.
Besides manually looking for recordings, ObserveIT also has a context-sensitive search inside the database; this is invaluable for finding all the instances where the same application was accessed. All you need to do to see the browser window is press the F12 key. This technique is handy as a troubleshooting tool, and also for viewing the configuration history of the application you're interested in.
Sticky Notes is another feature of ObserveIT. With sticky notes you can define a message which will pop up when another person accesses the same application/window. For example, you can set a message that an option should not be enabled because there are issues with that component.
Managing ObserveIT
One very important part of ObserveIT is the internal audit option. For example, you can view which persons have viewed which recordings. This is a necessary option if you are looking at the privacy regulations.
Other management-related features are available via the appropriate tab. For example, the Server Diary tab shows each installed software program together with its characteristics. Turning to the Reports tab, you can create a report of which software was installed or uninstalled within a time period.
ObserveIT Conclusion
For a long time session recording has featured high on every network manager's wish list. ObserveIT offers more than just session recording, because it has the ability to break down what was done, and by whom. Using ObserveIT you can record users' actions not only for compliance and auditing, but also for root cause analysis.