IBM Support

Advanced session recording agent installation

How To


Summary

By default, Secret Server (SS) session recording creates videos of launched sessions. SS supports logging additional metadata, keystrokes for RDP and SSH sessions, and process activity for Remote Desktop Protocol (RDP) sessions. When these options are enabled, users can search for keystrokes or applications across sessions and the session playback interface shows additional activity information.

SSH metadata relies on the SS SSH proxy. As of IBM Security Secret Server 10.6, Remote Desktop session metadata requires the installation of an Advanced Session Recording Agent (ASRA) on the target server. If you are licensed for session recording, you can install unlimited numbers of ASRAs. The ASRA only handles recording metadata—SS’s protocol handler is still used to launch the session and record the session video.

Steps

How Advanced Session Recording Agents Work

1.  Once the ASRA is installed, it contacts the ASRA callback URL to see if it should record metadata any time someone logs on to the computer.

2.  A user logs on.

3.  The ASRA sends SS the computer’s hostname, the username who logged on, any domain name if available, and a list of the computer’s IP addresses.

Note: SS does not log this data unless DEBUG logging is enabled, and then only for troubleshooting purposes.

4.  SS checks for any recently launched protocol handler sessions with matching details and tells the ASRA if it should record the session.

5.  If there is a match, the ASRA starts recording metadata and sends it back to SS over the chosen response bus for the duration of the session. If there is not a match, the ASRA does not record any metadata, and just waits for the next person to log in.

6.  Once the session has been closed, the video from the protocol handler is matched up to the metadata provided by the ASRA and combined.

7.  On the Session Monitoring page, additional icons are presented based on what extra metadata is present for that session, such as keystroke data for both RDP and SSH and process data for Remote Desktop Protocol (RDP).

8.  Once the session recording has been processed, on the Session Playback page the additional metadata is visible:

Session Playback

And on the Session Monitoring page:

Session Monitoring page

In this example, we searched for activity where the user typed in the word “powershell.”

Secret Server Configuration

First, session recording must be enabled (ADMIN > Configuration > Session Recording). As that page warns, Thycotic highly recommends using RabbitMQ when using session recording in any production environments. See the Configuring Session Recording KB article for more information.

SSH Metadata

To record SSH keystroke data, enable the SSH proxy (ADMIN > SSH Proxy). Individual secrets then need the Enable Proxy setting configured, along with Enable Session Recording setting. Then when the SSH session is launched and recorded, keystroke data is recorded, which can be searched and is displayed in the session playback interface. See the SSH Proxy configuration KB article for more information.

Remote Desktop Metadata

To record RDP session metadata, first distributed engine needs to be enabled (ADMIN > Distributed Engine) with an appropriate response bus site connector chosen, which should be a RabbitMQ site connector in production environments. The ASRAs will communicate with the chosen site connector to return any recorded metadata.

Next, the Advanced Session Recording feature needs to be enabled (ADMIN > Configuration > Session Recording > Configure Advanced Session Recording), and an ASRA callback URL entered. HTTPS should always be used in production environments.

Individual secrets then just need the Enable Session Recording setting enabled, and the computer you launch into must have the ASRA installed. The secrets do not have to use SSH proxy since the ASRA is what records the metadata.

Session Recording Worker Role

As of SS 10.6, there is a dedicated Session Recording Worker role. If you have a clustered SS environment, you can pick which nodes process recordings on the ADMIN > Server Nodes page. In a large environment with many recordings, you can configure nodes to be dedicated just to session recording, letting other nodes run the Background Worker and other roles.

Session recording processes multiple videos at once, which can be controlled with the PrefetchCount.ConvertVideoMessage AppSetting (default: 2). We recommend setting this AppSetting to half the number of CPU cores on the server as a starting point. This setting only applies when using a RabbitMQ site connector, which is another reason why Thycotic highly recommends using RabbitMQ if you are using session recording.

Advanced Session Recording Agent

First, create one or more collections to group the ASRAs together, for example, for different domains or environments. Each collection has a unique installer which you can download from their page – the installer is customized to know which collection it is associated with.

Agent Manual Installation

The downloaded installer can either be manually installed on a computer by running the setup.exe inside the zip file, or it can be deployed using group policy software installation or other MSI management software.

The ASRA installs itself in C:\Program Files\Thycotic Software Ltd\Session Recording Agent and adds a Windows service, Thycotic Session Recording Agent.

Note: Only 64-bit Windows operating systems are currently supported. .NET Framework 4.5.1 or greater is also required.

Agent Updates

The ASRA does not automatically update, so new versions need to be manually installed or re-deployed using the Group Policy MMC.

Agent Uninstallation

You can deactivate specific ASRAs or an entire collection in SS, and the next time the ASRA reaches out to the ASRA callback URL, it will uninstall itself. Since it only reaches out when someone logs on to the computer, the uninstall happens at the next logon, not immediately.

The ASRA can also be manually uninstalled directly on the computer like any normal Windows application, but then SS will still show it in the list of active ASRAs under its collection. It should also be deactivated in SS to keep the list accurate.

Agent Group Policy Installation

Task 1: Review the Prerequisites

The ASRA requires a 64-bit operating system with .NET Framework 4.5.1 or greater installed on the client machine. This is the version that ships with Windows 8.1 and Windows Server 2012 R2.

Task 2: Download the Advanced Session Recording Agent Installer

1.  Log on to SS.

2.  Go to Admin > Configuration > Session Recording > Configure Advanced Session Recording.

3.  Click on an existing collection, or create a new one, as appropriate.

4.  Click the Download Session Recording Installer (64-bit) button. The installer is downloaded to your computer.

Note: The zip file is customized for each collection. Be sure to download the installer from the collection you want your new ASRAs associated with.

Task 3: Customize the Installer

For a normal manual installation, you extract the zip file and run setup.exe. Settings saved in setup.exe.config customize the installation of the MSI file contained in the zip (gsresvc.msi). When you deploy the ASRA using Group Policy software installation instead, the only files you need are the MSI, which is deployed from a network share, and an MST (Windows Installer transform) file that carries the custom settings. The zip does not contain the MST; you generate it in the steps below.

1.  If you do not already have it installed, install Microsoft’s free MSI editing tool, Orca.

2.  Extract the ASRA zip file into its own folder.

3.  Right click on the MSI file (gsresvc.msi) in the folder where you extracted the zip and select Properties to verify that there is a Digital Signatures tab that shows that the MSI was signed by Thycotic Software.

4.  Launch Orca.

Orca

5.  Open the extracted MSI file (gsresvc.msi). The Tables list appears.

6.  Click the Transform menu at the top and select New Transform.

7.  In the Tables list, click ServiceInstall. Only one row should be listed on the right.

ServiceInstall

Note: This screenshot shows the Arguments column dragged wider to see its contents. When you initially see it, it will be very narrow, barely showing the contents.

8.  Scroll over to the Arguments column and copy and paste its contents into a text editor. It should look like this example. Be sure to select the entire thing. You might need to adjust the column width.

Note: The entire string of text is essentially a CLI command with a bunch of parameters, which begin with a hyphen. For illustration purposes we put each parameter on its own line below.

runSessionRecordingAgent

-ProductCode=[ProductCode]

-Installer.Version=10.6.000000

-E2S.ConnectionString=[E2S.CONNECTIONSTRING]

-E2S.UseSsl=[E2S.USESSL]

-E2S.AuthorizationGuid=[E2S.AUTHORIZATIONGUID]

-E2S.OrganizationId=[E2S.ORGANIZATIONID]

The -Installer.Version value and the four bracketed placeholders are what you customize. The bracketed fields are the values that setup.exe would normally fill in from setup.exe.config during a manual installation.

9.  In your text editor, open the setup.exe.config XML file from the zip. You will get the Globally Unique Identifier (GUID) from it.

10.  In your text editor, replace each of these with the correct values as listed below. The GUID will require looking in setup.exe.config in the <appSettings> XML block. The values are as follows:

·  ProductCode should always be: “{A7FA0ADA-BEED-4841-9D3E-9D700B36F653}” (not in setup.exe.config).

·  Installer.Version should match your SS version (visible in SS in the bottom right corner).

·  E2S.ConnectionString is the callback URL configured on the Advanced Session Recording page.

·  E2S.UseSsl is True or False, based on if you are using HTTP:// or HTTPS:// for the callback URL (SSL should always be used in production).

·  E2S.AuthorizationGuid is a unique GUID specific to the ASRA collection that you downloaded the installer file from. You can find it in the <appSettings> block of setup.exe.config. This is unique for each ASRA collection.

·  E2S.OrganizationId should always be: 1.

For example:

runSessionRecordingAgent

11.  Back in Orca, delete everything in the ServiceInstall Arguments column so it is empty.

12.  Copy and paste the customized version you just created from your text editor into the Arguments column.

13.  Click on the Transform menu and click Generate Transform.

14.  Save the file as gsresvc.mst in the folder you extracted the installer into. This transform file now contains your customizations for the ServiceInstall Arguments.

15.  Close Orca.

16.  Check the MSI file's digital signature again to ensure it was not edited: If you right click the MSI file and select Properties again, the Digital Signatures tab should still show that the MSI is signed by Thycotic Software. You created your own custom MST transform file, but the MSI itself should be unchanged. Orca can technically edit the MSI file itself, but that is not necessary and would invalidate Thycotic's digital signature.
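The whole of Task 3 can be scripted so that the transform is produced the same way every time and the MSI is never opened for writing. The following PowerShell is an added example, not Thycotic or IBM code: it validates the vendor signature on gsresvc.msi, reads the collection values from setup.exe.config, assembles the ServiceInstall Arguments string described in steps 8 to 10, and generates gsresvc.mst through the Windows Installer COM API instead of Orca. It assumes the zip was extracted to C:\ASRA and that setup.exe.config stores the values as <appSettings> <add key="..."/> entries whose keys match the parameter names (E2S.ConnectionString, E2S.AuthorizationGuid); check the key names in your own setup.exe.config and adjust the script if they differ.

```powershell
# Added example (not Thycotic/IBM code). Builds the customized ServiceInstall
# Arguments string and generates gsresvc.mst with the Windows Installer COM API,
# leaving gsresvc.msi untouched.
# Assumptions: zip extracted to $ExtractDir; setup.exe.config keeps the
# collection values as <appSettings><add key="E2S.ConnectionString"/> and
# <add key="E2S.AuthorizationGuid"/>. Adjust the key names if yours differ.
param(
    [string]$ExtractDir = 'C:\ASRA',
    [string]$SecretServerVersion = '10.6.000000'   # must match your SS version
)
$msi    = Join-Path $ExtractDir 'gsresvc.msi'
$mst    = Join-Path $ExtractDir 'gsresvc.mst'
$config = Join-Path $ExtractDir 'setup.exe.config'

function Assert-VendorSignature([string]$File) {
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Thycotic') {
        throw "$File is not validly signed by Thycotic (status: $($sig.Status))"
    }
}
Assert-VendorSignature $msi    # step 3: never transform an unsigned or tampered MSI

# Steps 9-10: read the collection-specific values from setup.exe.config.
[xml]$cfg = Get-Content -Path $config -Raw
$app = @{}
foreach ($n in $cfg.SelectNodes('//appSettings/add')) { $app[$n.key] = $n.value }
$callback = $app['E2S.ConnectionString']
$authGuid = $app['E2S.AuthorizationGuid']
if (-not $callback) { throw 'E2S.ConnectionString not found in setup.exe.config' }
if ($authGuid -notmatch '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$') {
    throw 'E2S.AuthorizationGuid not found or malformed in setup.exe.config'
}
$useSsl = if ($callback -match '^https://') { 'True' } else { 'False' }
if ($useSsl -ne 'True') { Write-Warning 'Callback URL is not HTTPS; never deploy this in production.' }

$arguments = @(
    'runSessionRecordingAgent',
    '-ProductCode={A7FA0ADA-BEED-4841-9D3E-9D700B36F653}',
    "-Installer.Version=$SecretServerVersion",
    "-E2S.ConnectionString=$callback",
    "-E2S.UseSsl=$useSsl",
    "-E2S.AuthorizationGuid=$authGuid",
    '-E2S.OrganizationId=1'
) -join ' '

# Steps 11-14 without Orca: edit a scratch copy in transact mode, then write the
# transform as the difference between the scratch copy and the original MSI.
function Invoke-Com($Object, [string]$Member, [string]$Kind, $ArgList) {
    $Object.GetType().InvokeMember($Member, [System.Reflection.BindingFlags]$Kind, $null, $Object, $ArgList)
}
$scratch = Join-Path $env:TEMP 'gsresvc-scratch.msi'
Copy-Item -Path $msi -Destination $scratch -Force
$installer = New-Object -ComObject WindowsInstaller.Installer
try {
    $refDb  = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($msi, 0)      # 0 = read-only
    $workDb = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($scratch, 1)  # 1 = transact
    $view = Invoke-Com $workDb 'OpenView' 'InvokeMethod' @('SELECT `ServiceInstall`,`Arguments` FROM `ServiceInstall`')
    Invoke-Com $view 'Execute' 'InvokeMethod' $null
    $rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null
    if ($null -eq $rec) { throw 'ServiceInstall table has no rows' }
    Invoke-Com $rec 'StringData' 'SetProperty' @(2, $arguments)   # column 2 = Arguments
    Invoke-Com $view 'Modify' 'InvokeMethod' @(2, $rec)            # 2 = msiViewModifyUpdate
    Invoke-Com $view 'Close' 'InvokeMethod' $null
    [void](Invoke-Com $workDb 'GenerateTransform' 'InvokeMethod' @($refDb, $mst))
    Invoke-Com $workDb 'CreateTransformSummaryInfo' 'InvokeMethod' @($refDb, $mst, 0, 0)
    # No Commit on $workDb: the scratch copy is discarded and the original is never written.
}
finally {
    $rec = $view = $workDb = $refDb = $installer = $null
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    Remove-Item -Path $scratch -Force -ErrorAction SilentlyContinue
}
Assert-VendorSignature $msi    # step 16: the signature must still be valid
Write-Host "Wrote $mst with Arguments: $arguments"
```

Run it from the folder you extracted the zip into; the MST lands next to gsresvc.msi as step 14 requires. If the second signature check fails, something other than this script wrote to the MSI and you should re-download the installer from the collection page rather than deploy it.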

Task 4: Set up a Network Share

1.  Place the gsresvc.msi and gsresvc.mst files on a network share on your domain controller.

2.  Give “Authenticated Users” read access to this share.

Note: Computers in the domain will access this network share to grab the installer files before any user logs on to the machine, so it is the computer (machine) account, not a user, that authenticates to the share.
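Because the GPO installs whatever it finds on the share as SYSTEM on every targeted computer, the share needs to be read-only for everyone except the administrators who stage the files. The PowerShell below is an added example, not from the article: it stages gsresvc.msi and gsresvc.mst, sets a matching read-only NTFS ACL and share ACL for Authenticated Users, and then lists every principal that can still write to the folder. The source folder, share path and share name are assumptions.

```powershell
# Added example (not from the article). Stages the ASRA installer on a share
# that Authenticated Users (which includes domain computer accounts) can only
# read, at both the NTFS and the share level. Paths and share name are assumed.
$source = 'C:\ASRA'          # folder holding gsresvc.msi and gsresvc.mst
$path   = 'C:\ASRADeploy'
$share  = 'ASRA'

New-Item -ItemType Directory -Path $path -Force | Out-Null
Copy-Item -Path (Join-Path $source 'gsresvc.msi'), (Join-Path $source 'gsresvc.mst') -Destination $path -Force

# NTFS: drop inherited ACEs, then grant exactly what is needed.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$rule = { param($Id, $Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Id, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow') }
$acl.AddAccessRule((& $rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((& $rule 'NT AUTHORITY\SYSTEM' 'FullControl'))
$acl.AddAccessRule((& $rule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute'))
Set-Acl -Path $path -AclObject $acl

# Share level: read for Authenticated Users, full control for administrators only.
New-SmbShare -Name $share -Path $path -ReadAccess 'Authenticated Users' -FullAccess 'Administrators' | Out-Null

# Verify: who can still modify the staged installer?
$writers = (Get-Acl -Path $path).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object -ExpandProperty IdentityReference
"Principals with write access to $path : $($writers -join ', ')"
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessRight -AutoSize
```

The final two commands are the check worth keeping: the only identities with write access should be Administrators and SYSTEM. Use the resulting UNC path (\\ServerMachineName\ASRA in this example) for both the MSI and the MST in Task 5.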

Task 5: Create a Group Policy with Software Installation to install the MSI

1.  Open the group policy management console (Start > Administrative Tools > Group Policy Management).

2.  Expand the Forest and Domain nodes until you locate the domain on which you are installing the ASRA.

3.  Right click on Group Policy Objects and click New.

4.  Enter a descriptive name for your GPO, such as “Thycotic Session Recording Agent Installation”, and click OK.

5.  Right click on the newly created GPO node and click Edit.

6.  Select Computer Configuration > Policies > Software Settings > Software Installation.

7.  Right click on the Software Installation node and select New > Package.

8.  Browse to the MSI on your network share using the share’s UNC path, not its folder path. For example: \\ServerMachineName\Shared and not C:\Shared.

9.  Click Open.

10.  Click to select the Advanced option button.

11.  Click OK. The name is automatically set to “Thycotic Session Recording Agent”, since that is the product name in the MSI file.

Note: You can customize the name here, but if you use something else, that is what you will want to check for in the Verify Configuration section, instead of “Thycotic Session Recording Agent.”

12.  On the Modifications tab, click Add, and select your MST transform file. Be sure to again use a UNC path like \\ServerMachineName\Shared, not C:\Shared.

Note:  If you wish to have the ASRA uninstalled when it falls out of management, click on the Deployment tab and click the “Uninstall this application when it falls out of the scope of management” check box.

13.  Click OK.

14.  In the group policy object editor, expand Computer Configuration > Administrative Templates > System.

15.  Click the Logon node.

16.  Right click Always wait for the network at computer start-up and logon and select Properties.

17.  Click Enabled.

18.  Click OK. This helps reduce the number of reboots required for this policy to take effect as noted in the description of this option.

Task 6: Link your Group Policy Object to an OU

1.  Open the Group Policy Management Console (Start > Administrative Tools > Group Policy Management)

2.  Expand the Forest and Domain nodes until you locate the domain on which you are installing the ASRA.

3.  Right-click the Organizational Unit (OU) for which you want the ASRA to be installed and select Link an Existing GPO.

4.  Select the GPO you created earlier.

5.  Click OK. The GPO is now linked to the entire OU.

Note: To immediately force the group policy change and install the software on a client machine, open a command console on the client machine (start > run > cmd), type gpupdate /force, and restart the client machine. You can also wait for the group policy to go into effect, which usually takes one to two hours, but a reboot will still be required due to the mechanics of group policy software installations.

Task 7: Verify Configuration at the Domain Level

1.  Go to Start > Administrative Tools > Active Directory Users and Computers.

2.  Right-click the OU for which the ASRA is now configured and select All Tasks > Resultant Set of Policy.

3.  Check to select the Skip to the final page of this wizard without collecting additional information check box.

4.  Click Next twice.

5.  Click Finish.

6.  In the new Resultant Set of Policy window, expand Software Settings under Computer Configuration.

7.  Click to select Software installation.

8.  Thycotic Session Recording Agent should be visible in the Installed Applications column.

Task 8: Verify the Configuration of a Domain Member

1.  From a command prompt, run gpresult /h report.html to output a report for just that one computer to the specified HTML file, which you can then view in a browser.

2.  Thycotic Session Recording Agent should be visible under the Installed Applications section.

3.  Once the computer has rebooted and completed the installation, the software shows up in Apps and Features (Add/Remove Programs). The Thycotic Session Recording Agent Windows service is installed, and the agent files are present in C:\Program Files\Thycotic Software Ltd\Session Recording Agent.
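Beyond confirming that the GPO applied, you will want to know that the transform values actually reached the machine. The ServiceInstall Arguments column is appended to the service's image path, so the deployed callback URL and SSL flag can be read straight back from the service definition. The function below is an added example, not Thycotic or IBM code, that collects those checks for one domain member: product registration under the ProductCode stated in this article, the service and its start mode, the callback URL and E2S.UseSsl value from the image path, the Authenticode status of the agent binary, TCP reachability of the callback endpoint, and whether the GPO applied. It assumes the GPO is named “Thycotic Session Recording Agent Installation” as in Task 5.

```powershell
# Added example (not Thycotic/IBM code). Verifies one domain member after the
# reboot and reports whether the ASRA landed with the settings from your MST.
# Assumption: the GPO name from Task 5; service display name and ProductCode
# are the values given in this article.
function Test-AsraInstall {
    [CmdletBinding()]
    param([string]$GpoName = 'Thycotic Session Recording Agent Installation')

    $productCode = '{A7FA0ADA-BEED-4841-9D3E-9D700B36F653}'
    $r = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Windows Installer registration, the same entry Apps and Features shows.
    $r.ProductRegistered = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$productCode"
    $r.InstallDirPresent = Test-Path 'C:\Program Files\Thycotic Software Ltd\Session Recording Agent'

    # The service created by the ServiceInstall table. Its image path carries the
    # Arguments column, so the deployed callback settings can be read back.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='Thycotic Session Recording Agent'"
    $r.ServicePresent = [bool]$svc
    if ($svc) {
        $r.ServiceState  = $svc.State
        $r.StartMode     = $svc.StartMode
        $r.CallbackUrl   = if ($svc.PathName -match '-E2S\.ConnectionString=(\S+)') { $Matches[1] } else { $null }
        $r.UseSsl        = if ($svc.PathName -match '-E2S\.UseSsl=(\S+)') { $Matches[1] } else { $null }
        $r.HttpsCallback = ($r.CallbackUrl -like 'https://*') -and ($r.UseSsl -eq 'True')

        # The agent binary should still carry the vendor's Authenticode signature.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        if (Test-Path $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $r.BinarySignature = $sig.Status
            $r.BinarySigner    = $sig.SignerCertificate.Subject
        }

        # Can this host reach the callback endpoint at all? (TCP-level check only.)
        if ($r.CallbackUrl) {
            $uri = [uri]$r.CallbackUrl
            $r.CallbackReachable = (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }

    # Did the software-installation GPO apply to the computer?
    $r.GpoApplied = [bool]((gpresult /r /scope:computer 2>$null) -match [regex]::Escape($GpoName))

    [pscustomobject]$r
}

Test-AsraInstall | Format-List
```

HttpsCallback should be True on every production host; if CallbackUrl shows http:// or UseSsl is False, the wrong MST was deployed and the ASRA is sending session metadata in the clear. ServicePresent being True while ProductRegistered is False usually means a leftover manual install, which is the case the Agent Uninstallation section says to clean up in SS as well.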

Document Location

Worldwide


Document Information

Modified date:
30 April 2019

UID

ibm10875230