How ObserveIT Secures Data
ObserveIT audits and records all user activities performed through a Terminal Server, RDP, Windows console, VMware viewer, VNC, NetOp, DameWare or any other type of remote or local connection to the organization’s computers and servers.
ObserveIT monitors activities at the GUI level and captures and indexes every action the user takes on the screen.
The recorded data, together with additional metadata, is stored and indexed in a central database and provides a complete picture of people's activities on the organization's servers and workstations.
ObserveIT is designed to be deployed within a secure network and accessed by administrators, and as such is secure. Out-of-the-box deployment is designed to be simple; security features such as digital signing and encryption can optionally be configured.
- Security Implementation
- ObserveIT Agent Security
- ObserveIT Agent to Application Server Traffic Security
- ObserveIT Application Server Security
- ObserveIT Application Server to SQL Server Traffic Security
- ObserveIT Database Security
- ObserveIT Web Console Security
- Integration with LDAP
- Web Console Traffic Security
- Web Console Isolation
Security Implementation
As soon as a user creates a session on a monitored server, the Agent is started and begins recording, based upon a predetermined recording policy. The ObserveIT Agent is triggered by user activities such as keyboard and mouse events. Idle time, when a user is reading or inactive, is not recorded. When triggered, the Agent performs a screen capture. At the same moment it captures textual metadata of what is seen on the screen (window title, executable name, date, time, user name, etc.).
The captured data is packaged and delivered in real-time. No caching is performed on the recorded server, and no files are stored on the server's file system.
The security mechanism for the Agent to Server communication includes:
- Encryption (Rijndael)
- Digital signing
- Token exchange
ObserveIT Agent Security
The ObserveIT Agent is protected by a watchdog mechanism that restarts the Agent in case the process is ended. If a user stops the watchdog process, it is re-started by the ObserveIT Agent.
If a malicious user manages to stop both processes at the same time, the ObserveIT health check system will alert the administrator that an Agent is no longer recording, which gives a clear indication that someone has deliberately stopped the Agent.
Third-party monitoring tools that poll the server's registry to check that the initialization string for the ObserveIT Agent is intact can be used to monitor the Agent. These tools should also periodically look at the Agent's installation folder and verify that the file hash is unchanged, i.e. that the executable has not been modified. During an active session, this can also be done by querying the server's WMI repository for the executable name and registry values.
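The following is an added example, not ObserveIT code, of the baseline-versus-observed comparison such a third-party monitor would perform: it hashes the Agent executable, records the expected initialization string, and reports any deviation or missing process. The registry key, value name and executable name are placeholders, and the snapshot values are constructed; the collection step (registry read, WMI process query) is deployment-specific and is represented here by the `observed` dictionary.

```python
"""Added example (not ObserveIT code): baseline-vs-observed integrity check
for a monitored Agent. Registry key, value name and file name are placeholders."""
import hashlib
import os
import tempfile

# Placeholders: the real registry key/value and install path are deployment-specific.
AGENT_REG_KEY = r"HKLM\SOFTWARE\<vendor>\<agent>"   # placeholder, not a real key
AGENT_INIT_VALUE = "InitString"                     # placeholder value name
AGENT_EXE_NAME = "agent.exe"                        # placeholder executable name


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(install_dir: str, init_string: str) -> dict:
    """Record the known-good state right after a trusted install."""
    return {
        "exe_sha256": sha256_file(os.path.join(install_dir, AGENT_EXE_NAME)),
        "init_string": init_string,
        "agent_running": True,
        "watchdog_running": True,
    }


def check_agent(baseline: dict, observed: dict) -> list:
    """Compare an observed snapshot against the baseline and return findings.

    `observed` carries the same keys as the baseline and would be filled by the
    monitoring tool (registry read, file hash, WMI/process query)."""
    findings = []
    if observed["exe_sha256"] != baseline["exe_sha256"]:
        findings.append("agent executable hash changed")
    if observed["init_string"] != baseline["init_string"]:
        findings.append("agent initialization string altered")
    if not observed["agent_running"]:
        findings.append("agent process not running")
    if not observed["watchdog_running"]:
        findings.append("watchdog process not running")
    return findings


def demo() -> tuple:
    """Constructed scenario: a trusted install, then a tampered binary."""
    install_dir = tempfile.mkdtemp()
    exe = os.path.join(install_dir, AGENT_EXE_NAME)
    with open(exe, "wb") as fh:
        fh.write(b"trusted agent binary (constructed sample)")
    baseline = build_baseline(install_dir, "AgentInit-constructed")  # constructed init string

    # Snapshot 1: nothing changed, both processes up.
    clean = dict(baseline, exe_sha256=sha256_file(exe))
    clean_findings = check_agent(baseline, clean)

    # Snapshot 2: binary replaced, registry value cleared, both processes stopped.
    with open(exe, "wb") as fh:
        fh.write(b"modified agent binary (constructed sample)")
    tampered = {
        "exe_sha256": sha256_file(exe),
        "init_string": "",
        "agent_running": False,
        "watchdog_running": False,
    }
    tampered_findings = check_agent(baseline, tampered)
    return clean_findings, tampered_findings


if __name__ == "__main__":
    for label, found in zip(("clean", "tampered"), demo()):
        print(label, "->", found or ["ok"])
```

Keep the baseline hash somewhere the monitored server cannot write to; a baseline stored beside the executable can be updated by whoever replaces the executable.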
ObserveIT Agent to Application Server Traffic Security
The ObserveIT Agent transmits the captured screenshots and textual metadata to the ObserveIT Application Server via HTTP. The only port required to be open between the Agent and the Application Server is the port used to post the data. During installation, the ObserveIT setup optionally creates an additional website in IIS that listens on TCP port 4884. ObserveIT Agents communicate with the ObserveIT Application Server via this port. This port can be changed (for example, to TCP port 80).
The ObserveIT Agent uses the POST request method of the HTTP protocol to communicate with the Application Server. It does not listen on any UDP or TCP port.
The ObserveIT Agent to ObserveIT Application Server secure conversation implements the OASIS WS-SecureConversation standard, which allows security contexts to be created and key material to be exchanged more efficiently.
Binary data is serialized, stamped with a token key and digitally signed. In order to prevent session hijacking, ObserveIT uses a two-minute transaction Time-To-Live parameter. In future releases we are planning to integrate with a certificate server in order to obtain a unique certificate for each Agent.
Communication can be further secured by configuring IIS on the Application server to require SSL, and the Agent to use HTTPS instead of HTTP. If SSL is implemented in the deployment scenario, the data is sent over HTTPS (SSL) to the ObserveIT Application Server. This is done over TCP port 443.
If needed, an IPSec tunnel can also be used to protect the Agent to Server traffic.

ObserveIT Application Server Security
The ObserveIT Application Server accepts the data and verifies the integrity of the content using the package's token.
The ObserveIT Application Server opens the package and encrypts the screenshots using the Rijndael method. The captured metadata is not encrypted. The screenshots and metadata are digitally signed in the database using HMAC-SHA1.
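As an added example (not ObserveIT code), the block below shows the shape of a token-stamped, HMAC-signed package with a two-minute Time-To-Live, covering both the Agent-to-Server transaction described under traffic security and the HMAC-SHA1 signing of stored data described here. The shared key, session token, package layout and field names are assumptions; the Rijndael encryption of screenshots is not shown. HMAC-SHA1 is used because the page names it; a new design would use HMAC-SHA256.

```python
"""Added example (not ObserveIT code): a token-stamped, HMAC-signed package
with a transaction TTL. Key, token and package layout are assumptions."""
import hashlib
import hmac

TTL_SECONDS = 120  # the two-minute transaction Time-To-Live named on the page


def _bytes_to_sign(token: str, ts: int, payload: bytes) -> bytes:
    """Length-prefix each field so the boundaries between fields are unambiguous."""
    parts = [token.encode(), str(ts).encode(), payload]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_package(key: bytes, token: str, payload: bytes, now: float) -> dict:
    """Stamp the payload with the session token and a timestamp, then MAC it.

    The MAC covers token, timestamp and payload together, so none of the three
    can be altered independently."""
    ts = int(now)
    mac = hmac.new(key, _bytes_to_sign(token, ts, payload), hashlib.sha1).hexdigest()
    return {"token": token, "ts": ts, "payload": payload.hex(), "mac": mac}


def verify_package(key: bytes, expected_token: str, pkg: dict, now: float) -> str:
    """Return 'ok', or the reason the package is rejected."""
    payload = bytes.fromhex(pkg["payload"])
    expected = hmac.new(key, _bytes_to_sign(pkg["token"], pkg["ts"], payload),
                        hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, pkg["mac"]):
        return "bad signature"      # payload, token or timestamp was altered
    if pkg["token"] != expected_token:
        return "token mismatch"     # package belongs to a different session
    if now - pkg["ts"] > TTL_SECONDS:
        return "expired"            # replayed after the transaction TTL
    return "ok"


def demo() -> dict:
    """Constructed exchange: one fresh package, then three rejected variants."""
    key = b"constructed shared secret - not a real key"
    token = "session-token-0001"                      # constructed session token
    frame = b"\x89PNG constructed screenshot bytes"   # constructed payload
    t0 = 1_700_000_000.0
    pkg = sign_package(key, token, frame, t0)

    results = {"fresh": verify_package(key, token, pkg, t0 + 30)}
    # Same package presented again after the TTL has elapsed.
    results["replayed"] = verify_package(key, token, pkg, t0 + 300)
    # Payload changed in transit; the MAC no longer matches.
    tampered = dict(pkg, payload=(frame + b"x").hex())
    results["tampered"] = verify_package(key, token, tampered, t0 + 30)
    # Valid package presented against another session's token.
    results["wrong_session"] = verify_package(key, "session-token-0002", pkg, t0 + 30)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The MAC is checked before the token and the TTL so that an unauthenticated package never influences which of the later checks fails, and `hmac.compare_digest` keeps the comparison constant-time.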
ObserveIT Application Server to SQL Server Traffic Security
The ObserveIT Application Server communicates with the SQL Server by using Windows Authentication.
All traffic between the ObserveIT Application Server and the SQL Server uses regular SQL traffic, usually on TCP port 1433.

ObserveIT Database Security
Unlike other recording software, ObserveIT does not store recordings as individual files. Instead, each recording is stored as individual frames, and each frame is a separate record in a partitioned table inside the SQL database:
- The screenshot is stored in a partitioned table inside the "ObserveIT_Data" database.
- The metadata is stored in the screenshot table inside the "ObserveIT" database.
Access to the data is limited by permissions defined within the Web Management Console.
ObserveIT Web Console Security
The ObserveIT Web Console is used to replay sessions, perform searches inside the database, and make configuration changes.
ObserveIT administrators can log on to the ObserveIT Web Management Console and view recorded sessions and other information, as well as make configuration changes based upon their role.

When a recorded session is replayed, the ObserveIT Player retrieves the sequence of frames related to that session from the SQL database. The sequence of frames is viewed by the ObserveIT Administrator as one long recording, and the VCR-like controls within the Player can be used to stop, pause, forward or rewind the session.
ObserveIT allows the administrator to grant permissions for auditors to replay sessions and be exposed only to information that was generated by specific users or on particular servers. This way, the auditor can only view specific recorded sessions and will not be exposed to potentially sensitive information that was recorded on other sessions that were created by users outside the scope of that auditor’s responsibility.
All access to the Web Management Console is audited. Each time a video is accessed, a log entry is created with the user, IP address, captured session and frames viewed. This allows auditing of the administrators who have accessed the Web Console and who have replayed videos, and removes the need to design an external audit mechanism to audit the auditor.
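The two preceding paragraphs describe scoped replay permissions and the audit record written on every replay. The following is an added example, not ObserveIT code, of how a replay service can enforce a per-auditor scope (specific users and/or particular servers) and log each replay attempt with user, IP, session and frame range. The session records, auditor names and field names are constructed.

```python
"""Added example (not ObserveIT code): auditor scope enforcement on replay,
with one audit record per attempt. Sessions, names and fields are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    server: str
    frame_count: int


@dataclass(frozen=True)
class AuditorScope:
    """Scope as the page describes it: specific users and/or particular servers.
    An empty set means no restriction on that dimension."""
    users: frozenset = frozenset()
    servers: frozenset = frozenset()

    def permits(self, s: Session) -> bool:
        user_ok = not self.users or s.user in self.users
        server_ok = not self.servers or s.server in self.servers
        return user_ok and server_ok


class ReplayService:
    def __init__(self, sessions, scopes):
        self.sessions = {s.session_id: s for s in sessions}
        self.scopes = scopes      # console user name -> AuditorScope
        self.audit_log = []       # one record per replay attempt, allowed or not

    def visible_sessions(self, auditor: str) -> list:
        """Only sessions inside the auditor's scope are listed for search or replay."""
        scope = self.scopes[auditor]
        return sorted(sid for sid, s in self.sessions.items() if scope.permits(s))

    def replay(self, auditor: str, client_ip: str, session_id: str, frames: range) -> bool:
        """Authorize a replay and record it; denied attempts are logged too."""
        s = self.sessions[session_id]
        allowed = self.scopes[auditor].permits(s)
        self.audit_log.append({
            "auditor": auditor,
            "ip": client_ip,
            "session": session_id,
            "frames": (frames.start, frames.stop - 1) if allowed else None,
            "result": "replayed" if allowed else "denied",
        })
        return allowed


def demo() -> ReplayService:
    """Constructed data: three sessions, two auditors with different scopes."""
    sessions = [
        Session("S1", "CORP\\dba01", "SQL01", 500),
        Session("S2", "CORP\\webadmin", "WEB01", 200),
        Session("S3", "CORP\\dba01", "WEB01", 50),
    ]
    scopes = {
        "auditor.db": AuditorScope(users=frozenset({"CORP\\dba01"})),
        "auditor.web": AuditorScope(servers=frozenset({"WEB01"})),
    }
    svc = ReplayService(sessions, scopes)
    svc.replay("auditor.db", "10.0.0.5", "S1", range(0, 500))   # in scope
    svc.replay("auditor.db", "10.0.0.5", "S2", range(0, 200))   # out of scope: denied
    return svc


if __name__ == "__main__":
    svc = demo()
    print("auditor.db sees", svc.visible_sessions("auditor.db"))
    print("auditor.web sees", svc.visible_sessions("auditor.web"))
    for record in svc.audit_log:
        print(record)
```

Logging the denied attempt as well as the successful replay is what makes the log useful for auditing the auditor: a pattern of out-of-scope requests is visible without any external mechanism.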
Integration with LDAP
When deployed in a workgroup installation scenario, ObserveIT Console Users are created locally in the ObserveIT Web Management Console. This means that you will need to manually create a Console User for each user that requires access to the ObserveIT Web Management Console.
However, it is possible to create a connection between the ObserveIT Application and Web Management Console server components and an external LDAP server, such as a Microsoft Active Directory Domain Controller. This is a read-only LDAP connection, in which the ObserveIT server components query the LDAP server for logon information. This way, you can use the user accounts from the Active Directory domain to grant access to the ObserveIT Web Management Console.

Web Console Traffic Security
Access to the Web Management Console is done through a web browser. Traffic between the workstation running the web browser and the server hosting the ObserveIT Web Management Console is HTTP-based, and by default uses TCP port 4884. This port can be changed (for example, to TCP port 80).
Communication can be further secured by configuring IIS on the Web Management Console server to require SSL, and the web browser to use HTTPS instead of HTTP.
Web Console Isolation
For large, enterprise-size implementations of ObserveIT, where there is a need to separate the ObserveIT Application Server components from the ObserveIT Web Console component, the components can be installed on separate servers.
By doing so, clients achieve Agent isolation from a management perspective.