Product Review: ObserveIT Remote Access Auditor
Product: ObserveIT Remote Access Auditor
When dealing with a security issue or compliance audit, your server logs are often the most important asset you have to work with. Unfortunately, under the most ideal of circumstances you may find that your devices, even when configured for the most strenuous logging settings, simply do not provide enough information to satisfy your needs.
I have recently had the opportunity to install and configure the ObserveIT software package which is aimed at filling the gap in device logging. In this review I'm going to talk a bit about ObserveIT, how it works, and the feature set it offers.
Taken directly from their website, ObserveIT describes their software as saying that it "Audits and records all user activities performed on your server platform. Every window session on your network - whether via remote access or console access, is recorded and indexed according to usage metadata. User recordings can be searched, navigated and replayed to identify any specific activity. Detailed reporting and real-time alerting ensures strict compliance with corporate security policies."
The software falls nowhere short of this description. Quite literally, it's as though you were to have a video camera pointed directly at your server monitor recording every on screen action that the user is doing. If that was not enough, not only will it record the on-screen data, it will also keep track of every click or key pressed by the user whether they are logged into the console physically or via Remote Desktop, Citrix, SSL, or virtually any other remote access platform you can think of. To really put it over the top, it even indexes everything in a SQL database for fast and customizable retrieval based upon your needs at any given point in time.
Let's dig into each of these components separately.
Requirements and Installation
Considering what it does, ObserveIT is very lightweight but very expandable. At a bare minimum it consists of four components:
- Database Back End - The data captured by ObserveIT is stored in a Microsoft SQL database. This can be SQL Server Express or full-blown Microsoft SQL Server, which is recommended for anything above a small installation.
- Web Management Console - The web management console is where you will administer the agents and database. All management, monitoring, and reporting is done from here. The web management console requires Microsoft Internet Information Services (IIS) with ASP.NET support.
- Application Server - The application server is an ASP.NET web application that also runs in IIS. The application server accepts data posted by the agent, processes it, and sends it to the database back end to be stored. The application server also provides configuration information to the agents.
- Agent - The last piece of the puzzle is the agent. This is the portion of the software that runs on the computers you are monitoring and reports back to the application server, which stores the captured data in the SQL database. The agent supports a variety of operating system platforms.
ObserveIT defines a few different deployment scenarios depending on your network:
- Small Implementation - This scenario is designed for 1-100 monitored servers. In this type of environment the database server and web management console can be installed on the same system, eliminating the need for multiple pieces of hardware. Their documentation doesn't say this anywhere, but this seems to me like a great deployment for Microsoft Small Business Server. Alternatively, you can deploy this scenario on the same physical hardware within virtual machines as well.
- Medium Implementation - Anything consisting of a few hundred monitored clients warrants that the database server and web management console be installed on separate hardware to sustain the load.
- LDAP Integration - If you have Active Directory deployed on your network then you can setup ObserveIT to have read only access to the AD database. This can be used to integrate authentication between AD and the web management console, decreasing administrative effort for management of the software.
- Web Console Isolation - ObserveIT supports isolation of the web management console from the database back end and monitored clients. They recommend this isolation for enterprise level deployments, but it's a good security practice regardless of your organization's size.
- Large Enterprise Implementation - In environments where there are more than one thousand monitored servers along with high availability requirements ObserveIT supports the use of multiple servers running both the database and web management servers in clustered and load balanced scenarios.
- Remote Vendor/Privileged Access Implementation - Cited as one of their most common scenarios, ObserveIT can be deployed in conjunction with a VPN/SSL solution with the aid of Citrix or Terminal Services to allow remote vendors, IT support, and other privileged users access to the web management console. As a consultant this seems like one of the most valuable deployment scenarios for me. Not only does it allow me to quickly log in and see what's going on, but it also allows external access for compliance audits.
I installed ObserveIT in almost all of these deployment scenarios and each worked correctly as claimed. Once I made sure all of the prerequisites were installed I followed their "One Click Installation Guide". Just like the guide states, I typed in the required information, made my one click, and the software was installed within a few minutes (Figure 1).
Figure 1: A successfully completed installation
Once installed, the first thing on my to-do list was to deploy the agent software to the machines that I would be monitoring. The agent software is included with the server installation and installing it was as simple as double clicking the executable and clicking next a few times. I only did this to a few machines so I took the manual approach and placed the file in a shared directory and ran it manually from each terminal, but they include an MSI file so that the agent can be deployed in an automated fashion with Group Policy or SMS.
All that is required during the agent installation is the IP address of the ObserveIT server. Once completed, the server the agent is installed on will begin reporting back to the application.
Viewing User Activity
When you have your agents deployed they will automatically begin transmitting screen captures of user activity. This is the core functionality of the software and it works as advertised. I performed all sorts of actions from creating and editing files, to performing administrative tasks, to browsing the Internet and they were all recorded verbatim.
Before evaluating the software one of my bigger concerns was retrieval of the stored images once captured. Much to my approval the captures are stored in a very easy to navigate format. First of all, ObserveIT tracks user sessions by time. This means that if a user logs in for a 15 minute stint of activity during one hour, and then again for a 10 minute stint the next hour, these will be broken up into two separate sessions. The best part is that once you expand these sessions the activity is broken up by user action. As you will see in Figure 2, I performed several tasks including modifying an RTF file, performing a Google search, running Disk Defragmenter, and deleting a file. ObserveIT enumerated all of these actions very clearly and separated out the playbacks accordingly.
Figure 2: ObserveIT makes locating the event you are looking for very easy and convenient
The actual screen playbacks work very efficiently and do just what they should. I was able to clearly watch all of the activities I performed without missing a beat. I even made some attempts to trick the software by creating scripts that performed an action quickly via a pop-up command prompt that disappeared very quickly. ObserveIT caught every single one of these attempts and recorded it.
It's important to note that ObserveIT does not actually record user activity in a video format because that would be far too bandwidth and storage intensive. Instead, it records a series of screenshots that are optimized for efficient storage. These images are stored in black and white by default but this can be changed to color if desired.
Figure 3: The actual captures from ObserveIT are clear, optimized for storage, and don't miss anything
ObserveIT does not limit your auditing to just the actions performed on a per-server basis. It also provides a User Diary which allows you to track and view the actions of specific users across all monitored systems. While per-server monitoring seems more suited for the purpose of audits and compliance, per-user monitoring seems well suited for security and incident response purposes. All bases are covered for both target audiences.
The flexibility of the software configuration was more than I had expected. I had expected that the software would be all-or-nothing monitoring, but it is actually quite robust in its offerings. You can set up recordings so that they only occur on specific devices when certain users log in, when specific applications are started, or when certain actions are performed by those users. Along with that you can assign specific groupings for servers, configure SMTP notifications, and define users who have access to the web console.
There were two features I especially liked. The first is the ability to configure logging for users who access playbacks from the ObserveIT console. This is often overlooked by monitoring software and is a gem of a thing to have for auditing purposes. If you are concerned with who is watching the watcher then this option will satisfy you. I was also really happy to see an option which lets you hide the ObserveIT tray icon on systems where the agent is deployed. I don't see many ways an attacker could get past this software without disabling the agent software, and if they don't know the agent is even running then that is very effective security through obscurity.
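To make the indexing model described above concrete (sessions split by time gaps, each session broken down by user action, the per-user diary, keyword search over captures, and an audit trail of who replays a session), here is a small added Python example. It is not ObserveIT's code and does not use its schema; the capture layout (timestamp, user, server, application, window title), the idle threshold that closes a session, and the sample records are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample captures, modelled on the review's description: one user
# works for a 15-minute stint, returns an hour later for 10 minutes, and a
# second user is active on another server. The column layout and the idle
# threshold used to split sessions are assumptions for this example only.
SAMPLE_CAPTURES = [
    ("2024-03-01T09:00:00", "jdoe", "SRV01", "WordPad", "notes.rtf - WordPad"),
    ("2024-03-01T09:04:00", "jdoe", "SRV01", "WordPad", "notes.rtf - WordPad"),
    ("2024-03-01T09:07:00", "jdoe", "SRV01", "Internet Explorer", "Google Search"),
    ("2024-03-01T09:12:00", "jdoe", "SRV01", "Disk Defragmenter", "Disk Defragmenter"),
    ("2024-03-01T09:15:00", "jdoe", "SRV01", "Explorer", "Confirm File Delete"),
    ("2024-03-01T10:20:00", "jdoe", "SRV01", "Explorer", "Confirm File Delete"),
    ("2024-03-01T10:25:00", "jdoe", "SRV01", "cmd.exe", "Command Prompt"),
    ("2024-03-01T10:30:00", "jdoe", "SRV01", "cmd.exe", "Command Prompt"),
    ("2024-03-01T09:30:00", "asmith", "SRV02", "mmc.exe", "Active Directory Users and Computers"),
]


@dataclass
class Capture:
    ts: datetime
    user: str
    server: str
    app: str
    title: str


@dataclass
class Session:
    user: str
    server: str
    captures: List[Capture] = field(default_factory=list)

    @property
    def end(self) -> datetime:
        return self.captures[-1].ts

    def duration_seconds(self) -> float:
        return (self.end - self.captures[0].ts).total_seconds()


def parse_captures(rows) -> List[Capture]:
    return [Capture(datetime.fromisoformat(ts), u, s, a, t) for ts, u, s, a, t in rows]


def sessionize(captures: List[Capture], idle_gap=timedelta(minutes=30)) -> List[Session]:
    """Group captures per (user, server) in time order; a silence longer than
    idle_gap closes the current session and starts a new one."""
    sessions: List[Session] = []
    open_sessions: Dict[Tuple[str, str], Session] = {}
    for cap in sorted(captures, key=lambda c: c.ts):
        key = (cap.user, cap.server)
        sess = open_sessions.get(key)
        if sess is None or cap.ts - sess.end > idle_gap:
            sess = Session(cap.user, cap.server)
            sessions.append(sess)
            open_sessions[key] = sess
        sess.captures.append(cap)
    return sessions


def actions(session: Session) -> List[Tuple[str, str, int]]:
    """Collapse consecutive captures of the same application/window into one
    action entry (app, title, capture count): the per-action breakdown you
    see when a session is expanded."""
    out: List[List] = []
    for cap in session.captures:
        if out and out[-1][0] == cap.app and out[-1][1] == cap.title:
            out[-1][2] += 1
        else:
            out.append([cap.app, cap.title, 1])
    return [tuple(a) for a in out]


def search(sessions: List[Session], keyword: str) -> List[Tuple[Session, Capture]]:
    """Case-insensitive search over application names and window titles."""
    kw = keyword.lower()
    return [(s, c) for s in sessions for c in s.captures
            if kw in c.app.lower() or kw in c.title.lower()]


def user_diary(sessions: List[Session], user: str) -> List[Session]:
    """All sessions for one user across every monitored server."""
    return [s for s in sessions if s.user == user]


def view_playback(audit_log: List[Tuple[datetime, str, str, str]], viewer: str,
                  session: Session, now: datetime) -> List[Capture]:
    """Hand out a session's captures for replay and log who viewed it, so the
    console users are themselves audited (watching the watcher)."""
    audit_log.append((now, viewer, session.user, session.server))
    return session.captures


if __name__ == "__main__":
    sessions = sessionize(parse_captures(SAMPLE_CAPTURES))
    for i, s in enumerate(sessions):
        print(f"session {i}: {s.user}@{s.server} {s.duration_seconds() / 60:.0f} min, actions={actions(s)}")
    log: List[Tuple[datetime, str, str, str]] = []
    view_playback(log, "auditor", sessions[0], datetime(2024, 3, 2, 8, 0))
    print("playback audit log:", log)
```

Run as a script it prints three sessions (two for jdoe, one for asmith), the collapsed action list for each, and one playback-audit entry. The idle threshold is the design knob: too small and one login fragments into many sessions, too large and separate logins merge, so in a real deployment you would key sessions on the logon/logoff events the agent observes rather than on a fixed gap.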
I have always been a firm believer that function is important, but reporting is where software becomes worth its money. Reporting from the web management console is fast, flexible, and covers anything and everything you could think of. ObserveIT comes packaged with some standard reports including the following:
- Administrative-related tasks performed on monitored servers
- All apps used on monitored servers
- All RDP sessions initiated from monitored servers
- All users accessing monitored servers
As should be expected all reports can be run on demand or on a scheduled basis.
Beyond the built-in reports I could set up custom reports to do just about anything I could think that I might need a report for. Not only is this a great way to organize reports for viewing playback sessions, but it's also a great way to augment your existing server system, application, and security logs. Another nice feature that was unexpected was a section that displayed all of the recently installed software on the servers. Of course, there are other ways of doing this, but having this readily accessible within the reporting console was something I found convenient and useful.
Figure 4: Customizable reports are easy to create and very flexible
Overall, I really do not have anything at all negative to say about ObserveIT. The product does exactly what it claims to do, and does it perfectly, providing all of the features I would expect from software claiming to be a screen-capture-based logging solution. As someone who works as a consultant quite frequently, I have many clients who have auditing and compliance needs that ObserveIT would immediately fill. Along with this, in high security environments the audit trail created by ObserveIT is unimaginably valuable in an incident response situation. Can you imagine being able to sit in court and replay video of an attacker's every move, or being able to actually show a compliance auditor every step that was taken to secure a subset of company financial data? Now that I've had the chance to use ObserveIT I know it's something that can be done easily, correctly, and reliably.
WindowSecurity.com Rating: 5/5