Robust Security

The ObserveIT architecture is designed from the ground up with security in mind.

Security Implementation

As soon as a user starts a session on a monitored server, the ObserveIT Agent starts up and begins recording the session. The ObserveIT Agent is triggered by user activities such as keyboard and mouse events, capturing screen images together with metadata about the activity. The captured data is packaged and delivered in real time. No caching is performed on the recorded server, and no files are stored on the server's file system.

The security mechanism for the Agent to Server communication includes:

  • Encryption (Rijndael)
  • Digital signing
  • Token exchange

ObserveIT Agent Security

The ObserveIT Agent is protected by a watchdog mechanism that restarts the Agent if the process is stopped. If a user stops the watchdog process, it is restarted by the ObserveIT Agent.

If a user manages to stop both processes at the same time (which is very unlikely), a health check system will alert the administrator that an Agent is no longer recording, a clear indication that someone has deliberately stopped the Agent.

Additional system monitoring tools can be used to poll the server registry, checking for the ObserveIT Agent initialization string. These tools can also validate file hashes in the Agent installation folder to detect tampering. During an active session, this can also be done by querying the server's WMI repository for the executable name and registry values.
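The file-hash validation described above, as an added example that is not ObserveIT's own code: a baseline of SHA-256 hashes is taken from the Agent installation folder and later compared against the live folder, reporting modified, missing and unexpected files. The folder name, file names and contents are constructed for the demo; the registry and WMI checks are Windows-specific and are not part of this block.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(install_dir: Path) -> dict:
    """Hash every file under the install folder, keyed by its forward-slash relative path."""
    return {
        str(p.relative_to(install_dir)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(install_dir.rglob("*")) if p.is_file()
    }


def check_integrity(install_dir: Path, baseline: dict) -> dict:
    """Compare the live folder to the baseline; any non-empty list is a tampering finding."""
    current = build_baseline(install_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake Agent folder, then simulate three kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        agent = Path(d) / "ObserveITAgent"  # hypothetical folder name, not the real install path
        (agent / "bin").mkdir(parents=True)
        (agent / "bin" / "agent.exe").write_bytes(b"original agent binary")
        (agent / "config.xml").write_text("<config/>")
        baseline = build_baseline(agent)  # in practice, store this off the monitored host
        (agent / "bin" / "agent.exe").write_bytes(b"patched agent binary")  # modified
        (agent / "config.xml").unlink()                                      # missing
        (agent / "bin" / "extra.dll").write_bytes(b"dropped file")           # unexpected
        return check_integrity(agent, baseline)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline and the checking tool off the monitored server: a baseline stored next to the Agent can be rewritten by whoever tampers with the Agent.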

Agent to Application Server Traffic Security

The ObserveIT Agent transmits the captured screenshots and textual metadata to the ObserveIT Application Server via HTTP. The only port required to be open between the Agent and the Application Server is the port used to post the data. During installation, the ObserveIT setup optionally creates a separate website in IIS that listens on TCP port 4884. ObserveIT Agents communicate with the ObserveIT Application Server via this port. This port can be changed (for example, to TCP port 80).

  • The ObserveIT Agent uses the POST request method of the HTTP protocol to communicate with the Application Server. It does not listen on any UDP or TCP port.
  • The secure conversation between the ObserveIT Agent and the ObserveIT Application Server implements the OASIS WS-SecureConversation standard, which allows security contexts to be created and key material to be exchanged more efficiently.
  • Binary data is serialized, stamped with a token key and digitally signed. To prevent session hijacking, ObserveIT uses a 2-minute transaction Time-To-Live parameter.
  • Communication can be further secured by configuring IIS on the Application Server to require SSL, and the Agent to use HTTPS instead of HTTP, over TCP port 443.
  • An IPSec tunnel can also be used to protect the Agent to Server traffic.

ObserveIT Application Server Security

The ObserveIT Application Server accepts the data and verifies the integrity of the content using the token of the package. The ObserveIT Application Server opens the package and encrypts the screenshots using the Rijndael method. The screenshots and metadata are digitally signed in the database using HMAC-SHA1.
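The token stamping, signing and 2-minute Time-To-Live described under Agent to Application Server traffic, and the token-based integrity check on the Application Server, illustrated as an added example that is not ObserveIT's code or wire format: a package carries a session token and a timestamp, the whole body is signed with HMAC-SHA1 under a shared key, and the receiver rejects any package whose signature, token or age is wrong. The key, token, timestamp and payload are constructed; the real exchange uses WS-SecureConversation key material that this simplified block does not model.

```python
import hashlib
import hmac
import json

TTL_SECONDS = 120  # the 2-minute transaction Time-To-Live from the description


def serialize(body: dict) -> bytes:
    """Deterministic serialization so signer and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_package(key: bytes, session_token: str, payload: bytes, now: int) -> dict:
    """Sender side: stamp the payload with the session token and a timestamp, then HMAC-SHA1 it."""
    body = {"token": session_token, "ts": now, "payload": payload.hex()}
    mac = hmac.new(key, serialize(body), hashlib.sha1).hexdigest()
    return {"body": body, "mac": mac}


def verify_package(key: bytes, expected_token: str, package: dict, now: int) -> str:
    """Receiver side: returns 'ok' or the reason the package is rejected. Signature first,
    so nothing inside the body is trusted until the MAC has been checked."""
    expected_mac = hmac.new(key, serialize(package["body"]), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected_mac, package["mac"]):
        return "bad-signature"  # body altered in transit
    body = package["body"]
    if not hmac.compare_digest(body["token"], expected_token):
        return "bad-token"  # package belongs to a different session
    age = now - body["ts"]
    if age < 0 or age > TTL_SECONDS:
        return "expired"  # outside the 2-minute window: replay or clock skew
    return "ok"


def demo() -> dict:
    """Constructed scenario: one valid package, then a replay, a tampered body and a foreign token."""
    key = b"constructed-shared-secret"  # constructed; real keys come from the session setup
    token = "session-token-123"         # constructed session token
    t0 = 1_700_000_000                  # constructed timestamp (seconds)
    pkg = sign_package(key, token, b"frame-bytes", t0)
    tampered = json.loads(json.dumps(pkg))
    tampered["body"]["payload"] = b"other-frame".hex()  # body changed, MAC left as-is
    return {
        "fresh": verify_package(key, token, pkg, t0 + 30),
        "replayed": verify_package(key, token, pkg, t0 + TTL_SECONDS + 1),
        "tampered": verify_package(key, token, tampered, t0 + 30),
        "wrong_session": verify_package(key, "session-token-999", pkg, t0 + 30),
    }
```

A TTL bounds the replay window but does not close it: a package replayed within the 2 minutes still verifies, so a receiver that must reject duplicates also needs to remember recently seen tokens or sequence numbers for at least the TTL.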

ObserveIT Application Server to SQL Server Traffic Security

The ObserveIT Application Server communicates with the SQL Server using Windows Authentication.

All traffic between the ObserveIT Application Server and the SQL Server uses regular SQL traffic, typically on TCP port 1433.

ObserveIT Database Security

Unlike other recording software products, ObserveIT keeps all data in the SQL database and does not store recordings as individual files. Instead, each recorded frame is stored in a separate record in a partitioned table inside the SQL database. Access to the data is limited by permissions defined within the Web Management Console.

ObserveIT Web Console Security

ObserveIT administrators can log on to the ObserveIT Web Management Console and view recorded sessions and other information, as well as make configuration changes based upon their role.

ObserveIT allows the administrator to grant permissions for auditors to replay sessions and be exposed only to information that was generated by specific users or on particular servers. This way, the auditor can only view specific recorded sessions and will not be exposed to potentially sensitive information that was recorded on other sessions that were created by users outside the scope of that auditor’s responsibility.

All access to the Web Management Console is audited. Each time a video is accessed, a log entry is created with the user, IP address, capture session and frames viewed. This allows auditing of which administrators have accessed the Web Console and who has replayed videos, and removes the need to design an external mechanism to audit the auditor.

Integration with LDAP

When deployed in a workgroup installation scenario, ObserveIT Console Users are created locally in the ObserveIT Web Management Console. This means that you will need to manually create a Console User for each user who requires access to the ObserveIT Web Management Console.

However, you can connect the ObserveIT Application and Web Management Console server components to an external LDAP server, such as a Microsoft Active Directory Domain Controller. This is a read-only LDAP connection, in which the ObserveIT server components query the LDAP server for logon information. This way, you can use the user accounts from within the Active Directory domain to grant them access to the ObserveIT Web Management Console.

Web Console Traffic Security

Access to the Web Management Console is through a web browser. Traffic between the workstation running the web browser and the server hosting the ObserveIT Web Management Console is HTTP-based, and by default uses TCP port 4884. This port can be changed (for example, to TCP port 80).

Communication can be further secured by configuring IIS on the Web Management Console server to require SSL, and the web browser to use HTTPS instead of HTTP.