Auditing Terminal Services with ObserveIT Xpress
ObserveIT Xpress is a free utility that allows you to monitor Terminal Services sessions. Knowing what users are actually doing is particularly important where your organization has departments handling confidential, sensitive or research data.
When I see the word 'Free' next to a product it raises concerns about just how good the product is. All my worries about the robustness of the free ObserveIT Xpress melted away when I realized that it has all the qualities of its big brother, ObserveIT Pro. In particular, I like the way Xpress allows me to replay any action performed by administrators or by people who log on with a senior staff account.
Returning to this free utility theme, to me ObserveIT is like a modern-day Robin Hood, only instead of taking from the rich and giving to the poor, they invest the profits from selling to big organizations in providing free Xpress auditing tools to small companies. I am guessing here, but the Xpress version probably has the same code as the Pro; it's just that you can only replay the activities of the last 24 hours, and you can only monitor a handful of servers. (Pro is unlimited in both respects.)
What You Get with ObserveIT Xpress
To let you into a secret, I wasn't that interested in auditing Terminal Services sessions until I happened upon ObserveIT; it's just that I love trying these free toys and learning from their ability to troubleshoot user actions.
In the workplace, ObserveIT not only helps administrators with security, it also provides answers when management insists on compliance with company IT procedures. Then there is a second use of ObserveIT as a troubleshooting tool, for example seeing what users are actually doing to cause a problem.
The ObserveIT software works by recording, and visually replaying, all Terminal Server, Citrix and console sessions, thus providing detailed insight into all activities on your network. Since the product is agnostic to protocol and software, it captures and stores activity coming from ALL methods of remote access to the server, including RDP, VNC, TS, Citrix, Netop and DameWare.
ObserveIT has four components: a database, an application server, an agent and a web console. The agent runs locally on every machine where recording is required. When you install ObserveIT Xpress, the agent does not run as a service; instead it is started the moment a user opens a session on that server. The application server and the web console are both based on IIS, and can be installed on the same machine or separately if you prefer.
It makes sense that the database component requires Microsoft SQL Server 2000/2005; again, this can be installed on the same server as the ObserveIT application, or on one of your existing SQL servers.
The installation can be done in two ways: the so-called 'one click installation', or a custom installation. The single-click installation is particularly suitable where the web console and the application server are installed on the same machine. If you need to change the defaults, then use the custom installation as described in the clear manual.
All the installation wizard needs is the name of the server hosting the Microsoft SQL services, and the name of an account that can create the databases automatically. Other than that, it's just a click to agree to the license agreement.
Next, install the agent on each server that you wish to monitor and record. This can be a regular server that is a member of the domain, or a standalone machine in your firewall's perimeter network. The ObserveIT agent is especially useful for Terminal Servers (including Windows 2008 TS features). You can also install the agent from an MSI file with unattended parameters.
Configuring ObserveIT Xpress
After the installation is complete, all of the management and configuration tasks are performed through the web-based console. Using the Configuration tab you can add more operators/administrators, configure SMTP settings, and check the settings on the agents. One key decision is which users to monitor. If you prefer to delegate particular types of server to particular administrators, you could create groups of servers, for example Terminal Services or email, and then delegate to other administrators based on their role.
All the configuration settings are grouped into Configuration Policies; you can then assign servers to the appropriate policy.
One option worth looking into is the Identification Services provided by ObserveIT. This is very useful when, for example, several people in the IT department share a single account to administer the servers (a generic account like the built-in 'Administrator'). You can specify that when anyone uses such an account, they must identify themselves once again using a personal account defined within ObserveIT. In this way, even with a generic account, the actual person logging in can be identified. If it were me I would lock down the Administrator account and make everyone use their own account, but I know that does not fit with every organization's modus operandi.
When ObserveIT is being used to record Published Applications/RemoteApp sessions, you need to include the executable ObserveIT.Client.exe in a login script. Once again the product documentation comes up trumps and provides detailed instructions for setting up this login script.
Using ObserveIT Xpress
There are three tabs in the web console. The first tab displays the recordings per server. Once the server and period of time are selected, the recordings are presented by logon time per user (the activities view). Alternatively, you can view and sort the recordings by 'Started applications'. I think of this first tab as the Server Diary.
The second tab provides a user-centric view. From this tab you can view user activity: you specify the user and the time period, and ObserveIT shows the activities within the chosen time-frame. Just as with the Server tab, you can audit based on activities (per logon) or per accessed item/application. I think of this second tab as the User Diary.
There is a third tab for Reports, where you can filter the recorded sessions by time period, user, server and/or application. This last option uses keywords to find an activity.
ObserveIT's unique feature is that it captures metadata; the advantage is that you can home in on a particular time-frame without having to replay the whole 'Movie'. Using the metadata, you can simply expand a recorded session and immediately get to the exact point in time where the user did the deed. This saves a lot of time if you know what event you are looking for. ObserveIT can also export any recording to a single executable, thus the evidence can be viewed by other people, such as line managers, who are not authorized to use the ObserveIT console.
Besides manually looking through recordings, ObserveIT also has a context-sensitive search of the database; this is invaluable for finding all the instances where the same application was accessed. To bring up this search window, all you need to do is press the F12 key. This technique is handy as a troubleshooting tool, and also for viewing the configuration history of the application you're interested in.
Sticky Notes are another feature of ObserveIT. With sticky notes you can define a message which pops up when another person accesses the same application/window. For example, you can set a message saying that an option should not be enabled because there are issues with that component.
One very important part of ObserveIT is the internal audit option. For example, you can view which persons have viewed which recordings. This is a necessity if you have to satisfy privacy regulations.
Other management-related features are available via the appropriate tab. For example, the Server Diary tab shows each installed software program together with its characteristics. Turning to the Reports tab, you can create a report of which software was installed or uninstalled within a time period.
For a long time, session recording has featured high on every network manager's wish list. ObserveIT offers more than just session recording, because it has the ability to break down what was done, and by whom. Using ObserveIT, you can record users' actions not only for compliance and auditing, but also for root cause analysis.