Wilco van Bragt

ObserveIT

One of the most awaited features in Server Based Computing products was session recording. Because of legal regulations, or in highly confidential departments, all actions carried out by end users should be recorded so they can be reviewed at a later time. Another major advantage of session recording is its use as a root cause analysis and troubleshooting mechanism. Imagine the ability to replay any action performed by privileged users or external vendors, and imagine the power you will gain by just looking at who did what on the servers.

A product that offers both functionalities is ObserveIT. ObserveIT is a visual auditing tool that gives the administrator a visual audit trail of what has been done on the servers, who did it, and where else the same action was performed. Since the product is agnostic to protocol and software, it captures and records ALL methods of remote access to the server, including RDP, VNC, TS, Citrix, Netop, DameWare and others. In this review I'm going to take a look at this product from both perspectives.




Installation

The ObserveIT product has four components: a database, an application server, a web console and an agent. The agent runs on every machine where recording is required. When it is installed, it does not create a service; instead, it is started the moment a user creates a session on that server. The application server and the web console are both based on IIS and can be installed on one machine or separately on different machines.

The database component requires Microsoft SQL Server 2000/2005, and again, it can be installed on the same server as the application and management web console, or on one of your existing SQL servers.

The installation can be done in two ways: the so-called "one click installation", or a custom installation. The one click installation is meant for an easy installation where the web console and the application server are installed on the same machine, using the default directory paths. If you need to change any of this, you need to use the custom installation, which is described in the clearly written manual.

The only information you need to specify is the server hosting the Microsoft SQL services and the account that has privileges to create the databases automatically; you also need to confirm that you agree with the license agreement.

The agent should then be installed on any server that you wish to monitor and record. This can be a regular server which is a member of the domain, or a standalone machine in your firewall's perimeter network. It can be any type of server role, and it is especially useful for Terminal Servers (including Windows 2008 TS features). The agent installation is available as an MSI file, with unattended parameters.

Configuration

After the installation is complete, all of the management and configuration tasks are performed through the web-based console. All the settings can be configured on the configuration tab. There are several logical settings to be defined, like adding additional operators/administrators (including LDAP support to use AD accounts), SMTP settings and the configuration of the settings on the agents. You can specify which users should be monitored and which applications (executables) should be excluded, and servers can be divided into groups (and connected to the previously mentioned additional administrators). All the configuration settings are grouped into Configuration Policies, and servers can be added to these policies. By using policies you can easily manage a large number of servers and configure all the required settings in just a few clicks.

One option worth looking into is the Identification Services provided by ObserveIT. This is very useful when, for example, the IT department is using a single account to administer the servers (a generic account like the built-in "Administrator"). You can specify that this account is configured in ObserveIT, and when an employee logs on to a server with such an account, they will need to identify themselves once again (with another account defined within ObserveIT). In this way, even with a generic account, the actual person logging in can be identified.

When ObserveIT is being used to record Published Applications/RemoteApp sessions, the executable ObserveIT.Client.exe needs to be included in a login script (or similar); the steps to create such a logon script are detailed in the product documentation. For the rest of this review it does not matter whether the actions are recorded in a terminal server session or on the console of a server.

Using ObserveIT

As soon as the agent is installed and connected to the application server, recording starts. After logging in to the management web console, the recordings can be viewed via three tabs.

The first tab which can be used is Server Diary. On this tab you view the recordings per server. When the server and period of time are selected, the recordings are presented based on logon time per user (activities part). You can also view the recordings based on started application. The view is then sorted by the started applications, subdivided per option within the application.

The second way the recordings can be viewed is via the User Diary tab. On this tab you specify the user and the time period, and the recordings will be shown based upon your selection. Just like on the Server Diary tab, the view can be based on activities (per logon) and per accessed item/application.

The third possibility is using the Reports tab, where you can filter the recorded sessions on time period, user, server and/or application. The last option is to search on a keyword to find a recording about this keyword.

In contrast to other recording products, where you must view an entire movie in order to determine what happened during that period of time, ObserveIT's advantage is that it also captures metadata of what is seen in each captured frame. Using this information, you can simply expand a recorded session and immediately get to the exact point in time where the user action was performed, without having to watch the whole recording. This can save a lot of viewing time if you know what you are looking for. ObserveIT also has the ability to export any recording to a single executable, so the recording can be viewed by other people who are not authorized to use the ObserveIT console.

Besides manually looking for recordings, ObserveIT also has the F12 key option. Pressing this key while you are looking at any application or configuration tab in any Windows application causes the ObserveIT program to perform a context-sensitive search inside the database and display, in a browser window, all the instances where the same application or configuration tab has been accessed. This can be very handy as a troubleshooting tool, and also to view the configuration history for the application you're looking at.

Sticky Notes is another feature of ObserveIT. With sticky notes you can define a message which will pop up when another person accesses the same application/window. For example, you can set a message that an option should not be enabled because there are issues with that component.

Management

One very important part of ObserveIT is the audit option within the product. Within the audit option you can view which persons have viewed which recordings. This is a necessary option with regard to privacy regulations.

Other management-related parts are spread over the several available tabs. For example, on the Server Diary tab you can also view the server characteristics and the installed software. On the configuration tab you can find the size stored in the database per server and several log files.

Some useful management reports are also available on the Reports tab. You can create a report of the installed software based on two templates, and a report of which software was installed or uninstalled within a time period.

Finally, there is an option to centrally see the sticky notes and remove them if necessary.

Conclusion

For a long time session recording was one topic that had a top position on the wish list. Nowadays you have several choices for terminal server session recording. ObserveIT offers more than just session recording, with the ability to break down what was done during each session. By using ObserveIT you can record the users' actions not only for compliance and regulatory purposes, but also for administrative task auditing, root cause analysis and knowledge management. But you should ask yourself whether, in that case, changes are also needed on an organizational and procedural basis.

Advantages

  • Recordings are divided into several parts, allowing quick lookup of a specific action.
  • A web console that allows fast and granular searches through the recording database, based upon server, user, application, period of time and free text searches.
  • Built-in self-auditing of who viewed each recording, and granular permission settings for console operators.

Disadvantages

  • There is no possibility in the product to set how long the videos should be kept in the database.
  • The collected information about the hardware inventory is not searchable.
  • Time periods can be chosen on a monthly basis only.
