Ekran System v.5.1 Help File



About

Welcome to Ekran System! Ekran System is an application that allows you to record the activity of the target computers with installed Clients and to view the screen captures from these computers in the form of video.

What's New

Ekran System v. 5.1 introduces the following changes:

Windows Platforms

- Two-Factor Authentication: Using the new Two-Factor Authentication feature, you can enable an extra layer of security to better protect the critical endpoints in your network. When this feature is enabled, the Client requires users to additionally enter the time-based one-time password generated on their smartphone to log in to a Client machine running a Windows Server operating system.
- Integration with Active Directory: You can now integrate Ekran System with Active Directory by adding multiple LDAP targets. This way, you can use a wizard to detect and add domain users and user groups to the system, allowing them access to the Management Tool and to Client computers with enabled Forced User Authentication.
- New Active Directory related alert parameters: With the new Active Directory Group alert parameters, you can configure alerts to be triggered each time users belonging to the target domain group perform suspicious actions on the Client machines, and monitor activity on the computers belonging to certain domain groups.
- Monitoring remote IP of third-party remote desktop software: Ekran System now allows monitoring the remote IP addresses used to log in to the Client machines via third-party remote desktop applications such as DameWare, Radmin, UltraVNC and TightVNC.
- Clipboard monitoring: Using the new clipboard monitoring feature, you can enable monitoring of text data that has been copied or cut and then pasted on the Windows Client machines. Moreover, you can generate a new Clipboard grid report to quickly view the clipboard text data captured on the Client machines within the specified time interval.
- Integration with SysAid ticketing system: Using the new integration with the SysAid ticketing system, you can prompt users to enter valid ticket numbers to start working with Windows Client machines. This allows you to better protect Client machines from undesired access and make security audits more transparent.
- Signing monitoring data with certificate: This mechanism allows signing each screen capture and metadata record received from Windows Clients with a trusted certificate. This way, you can verify that the data in the database has not been altered.
- Detailed activity report: The new Detailed Activity Report focuses on user activities. It provides complete information on all user actions performed on any Client machine in the network within the specified time interval. With the help of this report, you can perform in-depth analysis and investigation of user behaviour, thus detecting high-risk users.

Linux Platforms

- Solaris OS support: Ekran System now allows you to install the Linux Clients on machines with the Solaris operating system and monitor the activity of their users in the terminal.
- Forced User Authentication on Linux Clients: Using the Forced User Authentication feature, you can force users to prove their claimed identity before starting work with the terminal on the Linux machines. The users will have to enter the credentials of users from a permitted user group defined in the Management Tool.
- Detecting remote IP on Linux Clients: Ekran System now allows monitoring the IP address used to start the terminal on the Linux Client machines remotely. This provides you with additional information on how users access the machines in your network.

System Requirements

Ekran System has different system requirements for each of its components. Make sure your hardware and software meet the following system requirements to avoid possible component malfunctions.

Server requirements:

- 2 GHz or higher CPU
- 1024 MB or more RAM
- Enterprise-level Ethernet card
- Minimum 1 Gbit/s network adapter
- Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64 platform)
- .NET Framework
  NOTE: If the Server and the Management Tool are to be installed on the same computer, make sure you turn on the Internet Information Service before the installation of .NET Framework.
- [When using MS SQL Database]: Full edition of MS SQL Server 2008R2 SP1 or higher. Standard license or higher is required.

NOTE: If you want to deploy the Ekran System in the High Availability mode, enabled Message Queueing and configured NLB cluster are required. Please refer to the High Availability Deployment Guide for more information.

Management Tool requirements:

- 2 GHz or higher CPU
- 1024 MB or more RAM
- 100 Mbit/s network adapter
- Windows 10, Windows 8.1, Windows 8, Windows 7 (any edition except Home); [recommended] Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (starting from SP1 version). Both x86 and x64 platforms are supported.
- .NET Framework
- IIS 7.5 or higher with enabled ASP.NET 3.5 and 4.5 support
- [For accessing the Management Tool locally or remotely] One of the following browsers:
  - Google Chrome 37 or higher
  - Mozilla Firefox 32 or higher
  - Internet Explorer 10 or higher
  - Safari S6 and Safari S5
  - Opera 15 or higher

NOTE: The Management Tool might be opened in other browsers, but its compatibility with other browsers is not guaranteed.

Windows Client requirements:

- 1 GHz or higher CPU
- 512 MB or more RAM
- 100 Mbit/s network adapter
- Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP SP3; Windows Server 2016, Windows Server 2012, Windows Server 2008, and Windows Server 2003 SP1. Both x86 and x64 platforms are supported.
- Citrix XenDesktop; Citrix XenApp; Citrix XenDesktop/XenApp with Citrix Provisioning Services (PVS).
- It is recommended to have not less than 500 MB of free space on the disk where the Client is installed to save data during the offline session.

Linux Client requirements:

- 1 GHz or higher CPU
- 512 MB or more RAM
- 100 Mbit/s network adapter
- It is recommended to have not less than 500 MB of free space on the disk where the Client is installed to save data during the offline session.
- Linux Kernel and higher

Distributor Base OS Versions Supported Debian RedHat Debian Ubuntu Linux Mint RedHat CentOS Oracle Linux 8.0, , 15.0, 14.0, xx , x, 6.x 7.x Sun Microsystems Solaris 11.x 10.0

NOTE: When the Client is installed to the terminal server, hardware requirements depend on the number of active user sessions and may increase drastically. For example, hardware requirements for the Client deployed on the terminal server hosting 10 active user sessions will be as follows:

- Intel Core i3 or similar AMD CPU
- 2048 MB RAM

Program Structure

Ekran System is an application specially designed to control user activity remotely. Ekran System includes the following components:

- Ekran System Server (further referred to as Server): It is the main part of the Ekran System used for storing the screen captures and associated information received from the Clients. The work of the Server can be started or stopped via Server Tray.
- Ekran System Management Tool (further referred to as Management Tool): It is a central administrative unit that allows you to control and manage Clients, Users, USB Monitoring Rules, Alerts, Server database, and Serial Keys. You can have access to the Management Tool from any computer in the network without having to install it on this computer. Ekran System Session Viewer provides a usable interface for quick review of the monitored data received from the Windows and Linux Clients.
- Ekran System Windows Clients (further referred to as Windows Clients): Being hosted on the remote computers, Windows Clients create screen captures of certain quality and defined frequency and send them to the Server. Managing the remote Windows Clients configuration and settings is performed via the Management Tool.
- Ekran System Linux Clients (further referred to as Linux Clients): Being hosted on the remote computers, Linux Clients capture input/output terminal data (including all executed commands) and send this interactive data to the Server.
- Ekran System Tray Notifications application (further referred to as Tray Notifications application): This application allows receiving notifications on alert events on Clients.

Getting Started

Deployment Process

The Ekran System installation consists of several steps:

1. Installing the Server: To deploy the system, first of all you need to install the Server. The Server is used to store and process all records sent by the Clients hosted on the remote computers. During the Server installation you can select the type of the database and define administrator credentials.
   NOTE: You can deploy the Ekran System in the High Availability mode, which allows you to work with multiple Server instances in the Network Load Balancer cluster. This would provide a high level of operational performance, which allows minimizing downtime and service interruptions. Please refer to the High Availability Deployment Guide for more information.
2. Completing Management Tool installation prerequisites: To install and run the Management Tool, you need to turn on the Internet Information Service on your computer, add the self-signed or trusted certificate to the Trusted Root Certification Authorities and set HTTPS binding for a default web site (or any other IIS site).
3. Installing the Management Tool: The Management Tool is used to manage Users, Clients, Alerts, and Database, as well as to view the monitored data received from Clients. Connection with the Server is required for the Management Tool to operate.
4. Activating serial keys (adding activated serial keys): To be able to receive data from the Clients, you need to license the Clients by activating purchased serial keys.
5. Installing Clients:
   - Installing Windows Clients: The Windows Clients are usually installed remotely via the Management Tool. A Windows Client can be installed on any computer in the network. The Windows Clients collect user activity data and send it to the Server. Please note that several conditions have to be met for successful remote Client installation.
   - Installing Linux Clients: The Linux Clients are installed locally. The Linux Clients capture input/output terminal data (including all executed commands) and send this interactive data to the Server.
6. Installing the Tray Notifications application: The Tray Notifications application can be installed on any computer. As long as there is a connection to the Server, the Tray Notifications application displays notifications on all alert events received from Clients. For more information, see the Tray Notifications application help file.

After installing all the system components, Ekran System is considered deployed and all its features become available.

Working with Application

The work with the application includes the following options:

1. Assigning licenses to the Clients: An available license is automatically assigned to the Client (both Windows and Linux) during its first connection to the Server. If the license hasn't been assigned to the Client, you need to assign it manually.
2. Adding Client Groups: Client Groups allow you to grant your users access to several Clients at the same time without having to grant them access to all the Clients.
3. Adding Users/User Groups and defining their permissions: To allow others to work with the Management Tool, you can create new users and define their permissions in the Management Tool.
4. Defining Windows Client configuration and Client Group Configuration.
5. Managing Alerts: Alerts are used to notify the investigators of a specific activity (potentially harmful/forbidden actions) on the target computers with installed Clients. You can create, assign, import, and export alerts. When the Ekran System is installed, it has a list of predefined alerts.
6. Creating USB blocking rules: Kernel-level USB Monitoring allows you to detect that a USB device is plugged into the computer on which the Client is installed. You can view information on the detected devices, receive notifications or block USB devices.
7. Viewing monitoring results in the Management Tool: The monitored data received from the Client computer can be viewed in the Session Viewer part of the Management Tool.
8. Exporting sessions from the Session Viewer: You can export sessions in the encrypted form to view Client sessions on any computer, even without access to the Management Tool.
9. Receiving Alert notifications: The notifications on the alert events are received via the Tray Notifications application. The notifications are displayed in the Windows notification area.
10. Generating reports: The user activity can be analysed with the help of reports generated via the Management Tool. You can schedule the reports to be generated and sent via at the specified time or generate the reports manually via Report Generator.
11. Interactive Monitoring: The user activity can be analysed with the help of the statistical data you can generate using Interactive Monitoring. You can get detailed information on the total time that has been spent in each application/on each website.
12. Managing database: To avoid running out of space on the Server computer, it is recommended to periodically clean up, or archive and clean up, the database, deleting old monitored data. You can enable the database archiving and cleanup and then access the archived data any time via the Management Tool. In addition, you can remove unnecessary uninstalled Clients from the database.

Server and Database

About

The Server is the main component of the system, which provides interaction between other components. The Server stores all monitored data, user accounts, and system settings in the database.

Database Types Comparison

When installing the Server, you can choose between the two types of databases (MS SQL database and Firebird database). These databases have the following differences:

| Feature | MS SQL Database | Firebird Database |
|---|---|---|
| Free | No (has a limited free version). NOTE: Using MS SQL Express does not guarantee the stable work of the Server. | Yes |
| Processing speed | High | Low |
| Remote access to database | Yes | No |
| Requires additional software installation | Yes | No |
| Security | High | Low |

High Availability Mode

About

The High Availability mode allows you to configure and deploy Ekran System in such a way that it can work with multiple Server instances in the Network Load Balancer cluster. This would allow balancing the load of data sent to the servers by Ekran Clients and ensure data integrity in case any of the instances goes offline for any number of reasons. Additionally, Ekran System deployed in the High Availability mode includes a special License Server, which manages Client licenses in the whole system.

NOTE: The High Availability mode is available only if you have an activated Enterprise serial key.

Standard and High Availability Modes Comparison

The Standard and High Availability modes have the following differences:

| Feature | Standard Mode | High Availability Mode |
|---|---|---|
| Serial key types | One of the following serial keys: Standard, Trial, Subscription | Enterprise serial key and one of the following keys: Standard, Trial, Subscription |
| Database type | Firebird or MS SQL | MS SQL |
| Number of Servers | One | Multiple |
| System requirements | Standard system requirements. | Standard system requirements, enabled Message Queueing, and configured NLB cluster. |
| Additional Ekran System components | None | License Server |
| Additional Software | None | NLB cluster. NOTE: We recommend using Windows NLB. We cannot guarantee the High Availability Mode to function with other load balancers correctly. |
| Component connection | Physical IP address | Logical IP address |
| Recommended for | Average number of Client computers. | Large number of Client computers. |

Installing/Uninstalling/Updating the Server

Installing the Server

To install the Server, do the following:

1. Run the EkranSystem_Components.exe installation file.
2. Click Next on the Welcome page.

3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Choose Components page, do one of the following and click Next:
   - In the drop-down list, select Ekran System Server.
   - Select Ekran System Server in the box.
5. On the Choose Install Location page, enter the installation path or click Browse to navigate to the Server installation folder. Click Next.
6. On the Database Type page, select the type of the database you want to use for storing data. Click Next. For more information see the Database Types Comparison chapter.
7. If you have selected MS SQL Server, on the MS SQL Server Database Configuration page, define the connection parameters and then click Next.
   - Define the MS SQL Server instance name, which is the instance name assigned to the TCP/IP port.
   - Define the Database name for the database.
   - Define the User name and Password of a user account via which the connection to the Server will be established.
8. If you have selected Firebird database, on the Database Location page, enter the database path or click Browse to navigate to the database installation folder. Click Next.
9. If you already have a database created during the usage of previous program versions, you will be offered to re-use it. If you want to use the existing database, click Yes. In other case, click No and the new database will be created.
   NOTE: If you click No, the existing database will be deleted.
10. On the Administrator password page, define the password for the administrator (the default user of Ekran System with login admin and full permissions). Click Next.
11. On the Client Uninstallation Key page, enter the key that will be used during the Client local uninstallation and click Next. By default, the Uninstallation key is allowed. You will be able to change this key via the Management Tool any time later.
12. Click Install.
13. The installation process starts. Its progress is displayed on the Installing page.
14. After the end of the installation process, click Finish to exit the wizard.
15. In Windows Firewall, you must allow the Server executable to accept TCP connections via ports 9447 and 9449 (for the connection between the Server and the Clients), and (for the connection between the Server and the Management Tool). These rules will be added to Windows Firewall automatically if Windows Firewall is enabled during the Server installation.

Adding Server Executable to Windows Firewall

Please note that Windows Firewall will be adjusted automatically if it is enabled during the Server installation. If you use any other Firewall, it should be adjusted as well.

To add the Server executable to the Windows Firewall, do the following:

1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules and select New rule.
4. The New Inbound Rule Wizard opens.

5. On the Rule Type page, select Program and click Next.
6. On the Program page, select This program path, then click Browse and navigate to the Server executable. The default path is "C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe". Click Next.
7. On the Action page, select Allow the connection and then click Next.

8. On the Profile page, select the profile of the network used for connecting remote computers and the Server. Click Next.
9. On the Name page, define the Name of the rule. Click Finish.
10. The rule is created for the Server application. By default, the rule allows any connections via all ports.
11. To define the protocol and ports, double-click the created rule. The Properties window opens.

12. In the Protocols and Ports tab, do the following:
    - In the Protocol Type list, select TCP.
    - In the Local port list, select Specific Ports.
    - Type the following port numbers in the box below:
      - 9447 and 9449 (for the connection between the Server and the Clients)
      - (for the connection between the Server and the Management Tool)
13. Click Apply to save changes. Click OK.
14. Close the Windows Firewall window.

Using an External/Cloud-Based Server Computer

If your Server is not in the same network as Clients or the Management Tool, do the following:

1. Make sure your Server has a unique external IP address.
2. Specify this address when installing the Management Tool and installing the Client.

Updating the Server

The updating of the Server is performed via the installation file of a newer version. During an update you may select to update the existing database to a newer version or simply reinstall it.

To update the Server, do the following:

1. Run the EkranSystem_Components.exe installation file.
2. On the Welcome page, click Next.
3. On the Already Installed page, select Update/Add/Remove components and click Next.
4. On the Choose Components page, select Ekran System Server in the box and then click Next.
5. On the Database Update page, if you want to keep the existing database, select Update database to a new version, otherwise select Reinstall the database. Click Next.
   NOTE: To change the type of the database, you need to reinstall the whole system.
6. On the Administrator password page, define the password for the administrator (the default user of Ekran System with login admin and full permissions). Click Next.
7. The update process starts.
8. After the end of the update process, click Finish to exit the wizard.
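The rule created in "Adding Server Executable to Windows Firewall" allows all ports until its Protocols and Ports tab is restricted, so a rule left at the default exposes the Server executable on every port. The PowerShell script below is an added example, not part of the Ekran System documentation: it lists the enabled inbound Allow rules bound to the Server executable, flags any that are not limited to TCP and the documented ports, and optionally applies the restriction. It assumes Windows Server 2012 or later (NetSecurity module) and an elevated session; the rule name, the Domain profile, the $Apply switch and the Management Tool port placeholder are assumptions of the example.

```powershell
# Added example, not vendor code. Run elevated; needs the NetSecurity module.

# Default Server path and Client-facing ports, as given in this help file.
$ServerExe   = 'C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe'
$ClientPorts = @('9447', '9449')

# The Management Tool port is missing from this copy of the help file.
# Placeholder: replace it with the port number used by your installation.
$MgmtToolPort = '<MANAGEMENT_TOOL_PORT>'

# Assumptions of this example (not from the help file).
$RuleName  = 'Ekran System Server (restricted ports)'   # hypothetical rule name
$FwProfile = 'Domain'                                    # profile the Clients connect on
$Apply     = $false                                      # $false = report only

$AllowedPorts = @($ClientPorts)
if ($MgmtToolPort -match '^\d+$') {
    $AllowedPorts += $MgmtToolPort
} else {
    Write-Warning 'Management Tool port not set; only the Client ports are treated as allowed.'
}

function Get-ServerInboundRule {
    # Enabled inbound Allow rules (local policy store) bound to the given executable,
    # returned together with their protocol and local ports.
    param([Parameter(Mandatory)][string]$Program)
    Get-NetFirewallApplicationFilter -All |
        # Stored paths may contain environment variables, so expand before comparing.
        Where-Object { [Environment]::ExpandEnvironmentVariables($_.Program) -ieq $Program } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Profile     = $_.Profile
                Protocol    = $portFilter.Protocol
                LocalPort   = @($portFilter.LocalPort)
            }
        }
}

function Test-RuleTooBroad {
    # True when the rule is not TCP-only or opens a port outside the allowed list
    # ('Any', a range, or an extra port all count as too broad).
    param($Rule, [string[]]$Allowed)
    if ($Rule.Protocol -ne 'TCP') { return $true }
    foreach ($port in $Rule.LocalPort) {
        if ($port -notin $Allowed) { return $true }
    }
    return $false
}

$rules = @(Get-ServerInboundRule -Program $ServerExe)

if ($rules.Count -eq 0) {
    Write-Output "No enabled inbound Allow rule found for $ServerExe"
    if ($Apply) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
            -Program $ServerExe -Protocol TCP -LocalPort $AllowedPorts `
            -Profile $FwProfile | Out-Null
        Write-Output "Created '$RuleName' for TCP $($AllowedPorts -join ', ')"
    }
}

foreach ($rule in $rules) {
    $tooBroad = Test-RuleTooBroad -Rule $rule -Allowed $AllowedPorts
    $verdict  = if ($tooBroad) { 'TOO BROAD' } else { 'ok' }
    '{0}: profile={1} protocol={2} ports={3} -> {4}' -f `
        $rule.DisplayName, $rule.Profile, $rule.Protocol, ($rule.LocalPort -join ','), $verdict

    if ($tooBroad -and $Apply) {
        # Same effect as the Protocols and Ports tab: TCP, specific local ports.
        Set-NetFirewallRule -Name $rule.Name -Protocol TCP -LocalPort $AllowedPorts
        Write-Output "  restricted to TCP $($AllowedPorts -join ', ')"
    }
}
```

Run it once with $Apply left at $false to review what would change. Rules delivered by Group Policy are not in the local store and must be corrected in the policy itself.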

Uninstalling the Server

NOTE: Before uninstalling the Server, make sure you have uninstalled all the Clients from the remote computers. If you do not uninstall the Clients, they will remain installed on the remote computers and collect the data locally. It will be impossible to remove them in a common way.

To uninstall the Server from the local computer, do the following:

1. Run the EkranSystem_Components.exe installation file or click Uninstall/Change on the Ekran System application in the Programs and Features window of the Windows Control Panel.
2. The setup wizard opens.
3. Click Next on the Welcome page.
4. On the Already Installed page, select Uninstall and click Next.
5. On the Uninstall Ekran System page, click Uninstall.
6. If you want to delete the database, click Yes in the confirmation message. In other case, click No and you will be able to use the saved database during the next installation of the program.
7. Wait for the uninstallation process to complete.

Server Tray

The Server Tray application informs you about the Server state. This application is installed on the computer where the Server is installed. It also automatically restarts the Server in case of its failure. The first three times the restart is performed automatically. The user is informed about the Server failure in the notification area. If the Server fails for the fourth time, it does not restart. You can start/stop the Server or hide the icon from the notification area.

Database Management

About

Database management is performed via the Management Tool by a user with the administrative Database management permission. During database management you can delete monitoring data, delete offline or uninstalled Clients, and shrink the database, depending on its type.

Two types of the cleanup operation are available:
- Cleanup: Allows deleting monitored data collected by the Clients from the database.
- Archiving & Cleanup: Allows saving the monitored data in the secure storage and then deleting it from the database. You can view the archived sessions in the Session Viewer any time.

NOTE: The Archiving & Cleanup option is available only if you have an activated Enterprise serial key.

You can configure the cleanup execution frequency as follows:
- Once: The one-time cleanup operation is performed when you click Save.
- On schedule: The scheduled cleanup operation is performed every few days at a specified time.

Cleanup Parameters

The following parameters are available for the cleanup operation:

Parameter | Description

Parameters applied to both Cleanup and Archiving & Cleanup operations
Leave sessions in database (days) | Sessions stored in the database longer than the defined period of time will be deleted during the cleanup process.
Client exceptions | The Clients whose monitoring data will not be deleted during the cleanup process. They are added on the Adding Exceptions page.

Parameters applied to the Archiving & Cleanup operation for Firebird database type
Archive database location | The location of the database. NOTE: If you do not have an archive database, it will be created on Archiving & Cleanup start.
Binary data location | In case the binary data is stored separately, you have to define the binary data folder location.

Parameter | Description

Parameters applied to the Archiving & Cleanup operation for MS SQL database type
SQL server instance | The path to the SQL server instance.
Archive database name | The name of the database. NOTE: If you do not have an archive database, it will be created on Archiving & Cleanup start.
User name and Password | Credentials of the user with access to the database.

One-Time Cleanup

To delete data from the Server once, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archiving & Cleanup Options tab.
4. In the Frequency section, select the Run once option.
5. On the Archiving & Cleanup Options tab, in the Settings section, in the Action type dropdown list, select the Cleanup option to delete the monitored data from the database or the Archive & Cleanup option to archive and then delete the monitored data.
6. Define the necessary parameters.
NOTE: To check connection with the archive database before Archiving & Cleanup start, click Test Database Connection in the Archive parameters section.
7. To select the Clients whose monitoring data will not be deleted during the cleanup process, click Add Exceptions.
8. On the Adding Exceptions page, select the necessary Clients and then click Add selected. Use filters to find a specific Client.
9. When all cleanup settings are defined, click Save.
10. The cleanup process starts.

Scheduled Cleanup

To delete data from the Server on schedule, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Database Management navigation link to the left.

3. On the Database Management page, select the Archiving & Cleanup Options tab.
4. In the Frequency section, select the Repeat by scheduler option.
5. Define the following options:
- Perform every (days): The frequency of the cleanup operation.
- Start database cleanup at: The time to execute the cleanup operation.
6. On the Archiving & Cleanup Options tab, in the Settings section, in the Action type dropdown list, select the Cleanup option to delete the monitored data from the database or the Archive & Cleanup option to archive and then delete the monitored data.
7. Define the necessary parameters.
NOTE: To check connection with the archive database, click Test Database Connection in the Archive parameters section.
8. To select the Clients whose monitoring data will not be deleted during the scheduled cleanup process, click Add Exceptions.
9. On the Adding Exceptions page, select the necessary Clients and then click Add selected. Use filters to find a specific Client.
10. When all cleanup settings are defined, click Save.

Shrinking MS SQL Database

The database shrinking feature reduces the size of the MS SQL database to the actual amount of data stored in it by releasing the space that is reserved by the database but not used by it.

NOTE: The database shrinking procedure may take some time (up to several hours) and cause performance slowdown.

To shrink a database, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Database Options tab.
4. On the Database Options tab, click Shrink database.
NOTE: The progress of the database shrinking process is not displayed in the Management Tool and there is no indication of the process finishing.

Firebird Database Optimization

When using the Firebird database, it is recommended to perform the Update statistics procedure at least every two months in order to optimize the database and increase the speed of report generation.

To perform the Update statistics procedure, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Database Options tab.
4. On the Database Options tab, click Update statistics.

Deleting the Client

Deleting the Client means removing it completely from the database together with all its captured sessions. After this, the Client disappears from the Management Tool and its captured data is not displayed in the Session Viewer. It is possible to delete only offline or uninstalled (both after local or remote uninstallation) Clients. If after deletion the Client connects to the Server again, it will appear in the Management Tool but its deleted data will be unavailable.

To delete one offline/uninstalled Client, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the needed offline or uninstalled Client from the list and click Edit Client.
4. On the Editing Client page, on the Properties tab, click Delete Client.
5. In the confirmation message, click Delete.
6. The Client is deleted.

To delete several offline/uninstalled Clients, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Delete Clients.

4. On the Client Deletion page, click Add Clients to list.
5. The Client Deletion from Database page opens. It contains all Clients that can be deleted.
NOTE: Only offline and uninstalled Clients are displayed in the list.
6. Select the needed Clients from the list and then click Next. To find a specific Client, enter its name in the Contains box and click Apply Filters.
7. When all Clients are selected, click Delete on the Client Deletion from Database page.
8. The Clients are deleted from the Server (with all captured sessions) and disappear from the Management Tool.

Moving the Server Database

If you are using an MS SQL database, you can move it to another location on the same computer using SQL Management Studio. If you are using the Firebird database, you can change its location to another disk/directory or rename it.

To change the location for the Server Firebird database, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Find the Database values (Database and ManagedDatabase) and see where the Database files are located on your computer.
5. Move the folder with database files to a new location.
NOTE: The folder contains the EKRANACTIVITYDB.FDB and MANAGEMENTDATABASE.FDB files and the Cache subfolder (unless your Cache subfolder is stored in the shared folder).

6. In the Registry Editor window, modify the following values:
- Database: Enter the full path to the EkranActivityDB.fdb file (including the file name) in its new location and then click OK.
- ManagedDatabase: Enter the path to the folder with the Ekran database in its new location and then click OK.

7. The Database location is changed. Start the EkranServer service to continue working with the program.

Moving Binary Data to Shared or Local Folder

If necessary, you can store binary data received from Clients in the shared or local folder on your computer. This might be necessary for storing large amounts of data.

This feature has the following limitations:
- Shared Folders on mapped and mounted disks cannot be used for storing binary data.
- After you select to store binary data in the shared folder instead of MS SQL database, the already existing screenshots will no longer be displayed (only metadata will be available for them). The newly received screenshots will be displayed.

To move binary data to the shared folder, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. For the Firebird database, do the following (for the MS SQL database, skip this step):
- Open the Windows Registry Editor.
- In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
- Find the Database value and check where the Database files are located on your computer.
- Move the Cache folder with binary file to a new location.
3. In the Registry Editor window, click Edit > New > String value and add a new value:
- Value type: String
- Value name: StorageDirectory
- Value data: Shared Folder location as \\<computer IP>\<folder path> or \\<computer name>\<folder path>

4. To access binary data in the shared folder on a different computer from your Server, it is recommended to do the following:
- Open Computer Management.
- In the Computer Management window, open Services and Applications > Services.
- In the Services pane, find the EkranServer service and select Properties in the context menu.
- In the EkranServer Properties window, navigate to the Log On tab.
- In the Log On tab, select the This account option, specify the credentials for the EkranServer service to start under, and click Apply.
- Make sure the user with the specified credentials has administrator permissions on your Server computer and full access to the shared folder on the different computer.
- Restart the service.
5. Start the EkranServer service to continue working with the program.

Validating Monitoring Data

About

If necessary, you can enable the validation of monitoring data of Windows Clients, which allows checking that the data in the database has not been altered. It can be enabled for both Firebird and MS SQL databases.

Two types of monitoring data validation are available:
- Calculating hash codes for monitoring data: in this case, the hash codes will be calculated for each screen capture and metadata record received from Windows Clients.
- Signing monitoring data with certificate: in this case, each screen capture and metadata record received from Windows Clients will be signed with the trusted certificate.

NOTE: If both types of validation are enabled, only signing monitoring data with certificate will be used.

After validation of monitoring data is enabled or the validation type is changed, all previously recorded sessions of Windows Clients will be considered invalid.

With validation of the monitoring data enabled, the integrity of monitoring data within a Windows Client session is checked when the session is opened in the Session Player. If some screen captures or metadata records have been deleted or modified, the warning message Session data is not valid! will be displayed in the Session Player.

NOTE: When the validation of monitoring data is enabled, the CPU usage will rise while viewing the Client sessions in the Session Player.

Validating Monitoring Data Using Hash Codes

To enable calculating of hash codes for monitoring data, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > DWORD (32-bit) Value and define the following:
- Value name: SignMonitoredData
- Value data: 1
5. Start the EkranServer service to continue working with the program.

Signing Monitoring Data with Certificate

To enable signing of monitoring data with certificate, you have to do the following on the Ekran Server computer:
Step 1. Import the trusted purchased certificate or the self-signed one.
Step 2. Create a special string value in the Windows Registry.

Step 1. Importing Trusted Certificate

1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer: (the computer this console is running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, find the Personal node.

9. In the context menu of the Personal node, select All Tasks > Import.
10. The Certificate Import Wizard opens.
11. On the Certificate Import Wizard Welcome page, click Next.
12. On the File to Import page, specify the location and name of the certificate to be imported manually or click Browse, and then click Next.

13. If required, on the Private key protection page, enter the password for the private key and then click Next.
14. On the Certificate Store page, click Next.
15. On the last page of the Certificate Import Wizard, click Finish, and then click OK in the confirmation message.
16. Select Certificates (Local Computer) > Personal > Certificate and double-click the imported certificate.

17. In the Certificate window, select Details > Thumbprint and then copy the Thumbprint value.

Step 2. Enabling Monitoring Data Signing with Certificate

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > String Value and add a new value:
- Value name: SignMonitoredDataCert
- Value data: <copied Thumbprint value of the imported certificate (without spaces)>
5. Start the EkranServer service to continue working with the program.

Moving the Server Database Signed with Certificate to another Computer

About

If you want to move the Ekran database whose monitoring data is signed with certificate to the new machine, you have to do the following:
Step 1. On the Ekran Server computer, export the certificate used for signing the monitoring data, copy it to the new machine, and then import it.

Step 2. Move the database to the new machine.
Step 3. Install the Ekran Server on the new machine and then enable signing of monitoring data with imported certificate.

Step 1. Exporting Trusted Certificate

1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.

6. In the Select Computer window, select the Local computer: (the computer this console is running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select the trusted certificate used for signing the monitoring data in the database and in its context menu select All Tasks > Export.
10. The Certificate Export Wizard opens.
11. On the Certificate Export Wizard Welcome page, click Next.
12. On the Export Private Key page, click Next.

13. On the Export File Format page, select the file format for the certificate and click Next.
14. On the File to Export page, specify the location to store the certificate and the certificate name manually or click Browse, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish.
16. Copy the exported certificate to a suitable location on the new machine and then import it.

Steps 2-3. Moving the Server Database to another Computer

To move the MS SQL Server Database to another computer, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Log in to the SQL Management Studio as a user with administrative permissions.
3. In the SQL Management Studio, detach the Ekran databases (select the database and in its context menu, select Task > Detach). Default names of the databases are EkranActivityDB and EKRANManagementDatabase.
4. Navigate to the location where the Ekran databases are stored and copy the database folder. The default location is C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
NOTE: If the binary data is stored in the shared or local folder, you have to copy it too.
5. Upload the database folder to a suitable location on the new machine.
6. On the machine the MS SQL database is moved to, log in to the SQL Management Studio as a user with administrative permissions and attach the Ekran databases as follows:
- In the context menu of the Database partition, click Attach.
- In the opened Attach Databases window, click Add and select the uploaded database.
- Click OK.
7. Install the Server. During Server installation, you have to define the corresponding database type, specify the SQL Server instance, activity database name (default name is EkranActivityDB), credentials of a user with access to the moved database, and then confirm usage of the moved database.
8. Enable signing of the monitoring data with the imported certificate used for signing the monitoring data on the previous machine.

To move the Firebird Server Database to another computer, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Navigate to the location where the database is stored and copy the database folder. The default location is C:\ProgramData\Ekran System\Ekran System.
NOTE: If the binary data is stored in the shared or local folder, you have to copy it too.
3. Upload the database folder to a suitable location on the new machine.
4. Install the Server. During Server installation, you have to define the corresponding database type, specify the exact location of the database file, and confirm usage of the moved database.
NOTE: If the activity database file has been renamed, you have to specify its exact name during Server installation (its default name is EkranActivityDB).
5. Enable signing of the monitoring data with the imported certificate used for signing the monitoring data on the previous machine.
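The registry step from "Enabling Monitoring Data Signing with Certificate", which is also the last step after moving a signed database, can be scripted so the thumbprint is checked against the certificate store before the Server is restarted. This is an added example, not code from the help file or the vendor: the function name is hypothetical, the private-key check is an assumption about what signing requires, and the registry key, value names and service name are the ones given on this page.

```powershell
# Added example, not vendor code. Run in an elevated session on the Ekran Server computer.
function Enable-EkranDataSigning {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Thumbprint as copied from the certificate's Details tab; spaces are tolerated.
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$RegistryKey = 'HKLM:\SOFTWARE\EkranSystem',   # key named on this page
        [string]$ServiceName = 'EkranServer'                    # service named on this page
    )
    $ErrorActionPreference = 'Stop'

    # Keep only hex digits: drops spaces and any invisible characters picked up
    # when copying the value out of the certificate dialog.
    $thumb = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    if ($thumb.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($thumb.Length)."
    }

    # The certificate must already be in Local Computer > Personal (Step 1).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate $thumb in Cert:\LocalMachine\My." }

    # Assumption: signing needs the private key, so refuse a public-only import.
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter)."
    }

    if (-not (Test-Path -Path $RegistryKey)) {
        throw "$RegistryKey not found; is the Server installed on this computer?"
    }

    # The page notes that when both validation types are enabled, only
    # certificate signing is used. Surface that instead of leaving it implicit.
    $hashMode = (Get-ItemProperty -Path $RegistryKey).SignMonitoredData
    if ($hashMode -eq 1) {
        Write-Warning 'SignMonitoredData=1 is also set; certificate signing takes precedence.'
    }

    # Changing the validation type marks previously recorded Windows Client
    # sessions as invalid, so the change is gated behind -WhatIf / -Confirm.
    if ($PSCmdlet.ShouldProcess($RegistryKey, "Set SignMonitoredDataCert and restart $ServiceName")) {
        Stop-Service -Name $ServiceName
        try {
            New-ItemProperty -Path $RegistryKey -Name 'SignMonitoredDataCert' `
                -PropertyType String -Value $thumb -Force | Out-Null
        }
        finally {
            Start-Service -Name $ServiceName   # bring the Server back even if the write failed
        }
    }

    # Return what was configured so it can be recorded with the change.
    [pscustomobject]@{
        Thumbprint = $thumb
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
    }
}

# Usage with a constructed placeholder thumbprint; -WhatIf shows the change without making it:
# Enable-EkranDataSigning -Thumbprint '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33' -WhatIf
```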

Advanced SIEM Integration

About

Advanced SIEM integration provides the ability to create a separate log file in the Common Event Format (CEF), which can then be viewed and analysed with the help of the Splunk and ArcSight monitoring software.

When the integration with ArcSight is enabled, the CEF log file will be created on the Ekran Server computer. The log file name is CEFLog. By default, it is stored in the Server installation folder.

NOTE: The Advanced SIEM Integration functionality is available only if you have an activated Enterprise serial key.

CEF Log File Contents

Depending on the defined CEF log settings, different types of monitoring data can be written to the CEF log file.

Event type | CEF header information | Log data

Client events | Device Event Class ID = 100; Name = EkranClientEvent; cat = ClientEvents |
- Windows Client events: username (with the secondary username), Client name, activity time, activity title, application name, URL, keystrokes, alert/usb Rule, Session Player URL, OS, domain name, IPv4, IPv6, remote IP.
- Linux Client events: username, Client name, activity time, command, function, parameters, alert, Session Player URL, OS, IPv4, IPv6.

Alert events | Device Event Class ID = 200; Name = EkranAlertEvent; cat = AlertEvents |
- Windows Client alert events: alert ID, alert name, alert description, username (with the secondary username), Client name, activity time, activity title, application name, URL, keystrokes, Session Player URL, OS, domain name, IPv4, IPv6, remote IP.
- Linux Client alert events: alert ID, alert name, alert description, username, Client name, activity time, command, function, parameters, Session Player URL, OS, IPv4, IPv6.
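To check the CEF output before pointing Splunk or ArcSight at it, the records can be parsed locally and filtered on the header values listed above. This is an added example, not code from the help file or the vendor: the function names are hypothetical, the sample lines are constructed, and every extension key except cat (suser, dhost, request, msg) is an assumption taken from the generic CEF key dictionary rather than from this page.

```powershell
# Added example, not vendor code: parse CEF records and pick out Ekran alert events.

function ConvertFrom-CefEscape {
    param([string]$Text)
    # Undo CEF extension escaping: \= and \\ become literals, \n and \r become line breaks.
    [regex]::Replace($Text, '\\(.)', [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        switch -CaseSensitive ($m.Groups[1].Value) {
            'n'     { "`n" }
            'r'     { "`r" }
            default { $m.Groups[1].Value }
        }
    })
}

function ConvertFrom-CefLine {
    param([string]$Line)

    # A record may carry a syslog prefix; parsing starts at the "CEF:" marker.
    $start = $Line.IndexOf('CEF:')
    if ($start -lt 0) { return }
    $body = $Line.Substring($start + 4)

    # Header: seven pipe-delimited fields; "\|" and "\\" are escapes inside a field.
    $fields = New-Object 'System.Collections.Generic.List[string]'
    $sb = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $body.Length -and $fields.Count -lt 7) {
        $c = $body[$i]
        if ($c -eq '\' -and ($i + 1) -lt $body.Length) {
            [void]$sb.Append($body[$i + 1]); $i += 2
        }
        elseif ($c -eq '|') {
            $fields.Add($sb.ToString()); [void]$sb.Clear(); $i++
        }
        else {
            [void]$sb.Append($c); $i++
        }
    }
    # A header that ends the line without a trailing pipe has no extension part.
    if ($fields.Count -eq 6) { $fields.Add($sb.ToString()) }
    if ($fields.Count -lt 7) { return }          # truncated or malformed header

    # Extension: space-separated key=value pairs; values may contain spaces,
    # so each value runs up to the start of the next "key=" token.
    $ext = if ($i -lt $body.Length) { $body.Substring($i) } else { '' }
    $extension = [ordered]@{}
    $keys = [regex]::Matches($ext, '(?:^|\s)([A-Za-z0-9_]+)=')
    for ($k = 0; $k -lt $keys.Count; $k++) {
        $valStart = $keys[$k].Index + $keys[$k].Length
        $valEnd   = if (($k + 1) -lt $keys.Count) { $keys[$k + 1].Index } else { $ext.Length }
        $raw      = $ext.Substring($valStart, $valEnd - $valStart).Trim()
        $extension[$keys[$k].Groups[1].Value] = ConvertFrom-CefEscape $raw
    }

    [pscustomobject]@{
        Version            = $fields[0]
        DeviceVendor       = $fields[1]
        DeviceProduct      = $fields[2]
        DeviceVersion      = $fields[3]
        DeviceEventClassId = $fields[4]
        Name               = $fields[5]
        Severity           = $fields[6]
        Extension          = $extension
    }
}

# Constructed sample records. Vendor, product and version strings are placeholders;
# compare against a real CEFLog line to see which extension keys are actually written.
$sample = @(
    'CEF:0|ExampleVendor|ExampleProduct|0.0|100|EkranClientEvent|1|cat=ClientEvents suser=alice dhost=WS-01 request=https://intranet.example/login?next\=home'
    'Jan 01 00:00:00 host CEF:0|ExampleVendor|Example\|Product|0.0|200|EkranAlertEvent|5|cat=AlertEvents suser=bob dhost=WS-02 msg=Constructed alert: USB storage connected'
    'not a CEF line'
)

# Alert events are identified by the header values from the table above.
$alerts = $sample |
    ForEach-Object { ConvertFrom-CefLine $_ } |
    Where-Object { $_ -and $_.DeviceEventClassId -eq '200' -and $_.Extension['cat'] -eq 'AlertEvents' }

$alerts | ForEach-Object {
    '{0} on {1}: {2}' -f $_.Extension['suser'], $_.Extension['dhost'], $_.Extension['msg']
}
```

To run it against the real file, replace `$sample` with `Get-Content` on the CEFLog file in the Server installation folder.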

Enabling CEF Log File Creation

To enable the creation of a CEF log file, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left and open the ArcSight Integration tab.
3. Select the Create a log file option to enable creating a CEF log file.
4. Define the CEF log settings.
5. Click Save.

CEF Log Cleanup

Depending on the defined CEF log cleanup settings, the cleanup operation can be performed either daily at a specified time or every few days, hours, or minutes.

During the CEF log cleanup operation, the current CEF log file is renamed (the date and time of the cleanup operation are added to its name) and a new one is created in the same folder. If a CEF log file reaches its maximum size before the cleanup start time, it will also be renamed.

NOTE: To avoid running out of space on the computer where the CEF log files are stored, it is recommended to check the used disk space periodically and delete the log files which are no longer in use.

Management Tool

About

The Management Tool is the component for managing the whole system and viewing monitored data received from Clients. It can be installed on any computer, but a network connection to the Server is required for the Management Tool to operate. There can be several computers with the installed Management Tool in the system. You work with the Management Tool via your browser.

Management Tool Installation Prerequisites

Prerequisites Overview

The following prerequisites are necessary for successful installation of the Management Tool. For Windows 7, it is important that you follow these steps in the correct order.

To be able to install the Management Tool, you need to:
1. Turn on the Internet Information Service.
2. Install .NET Framework
3. Configure the Internet Information Service.
4. Generate a self-signed certificate or import a purchased SSL certificate issued for the computer on which the Management Tool will be installed.
5. Add the certificate to the Trusted Root Certification Authorities on the computer on which the Management Tool will be installed. Otherwise a certificate error will be displayed in your browser when opening the Management Tool.
6. Set HTTPS binding for a default web site (or any other IIS site).

NOTE: If you already have a certificate generated for the computer on which the Management Tool will be installed, you can skip the certificate generation step and use the existing certificate.

Turning on Internet Information Service (IIS)

Turning on IIS for Windows 8 and Windows 7

To turn on the Internet Information Service for Windows 8 and Windows 7, do the following:
1. Select Control Panel > Programs and Features (Program uninstallation).
2. Click the Turn Windows features on or off navigation link.
3. The Windows Features window opens.
4. In the features tree-view, select the Internet Information Services option.
5. Click OK.

Turning on IIS for Windows Server 2008 R2

To turn on the Internet Information Service for Windows Server 2008 R2, do the following:
1. In the Start menu, select All Programs > Administrative Tools > Server Manager.
2. In the navigation pane, select Roles, and then click Add Roles.
3. The Add Roles Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Server Roles page, select Web Server (IIS), click Next, and then go to the Role Services page to start configuring Web Server (IIS).

Turning on IIS for Windows Server 2012

The Internet Information Service can be turned on using the Windows PowerShell or Windows Server 2012 Server Manager.

To turn on the Internet Information Service for Windows Server 2012 using Windows PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and press Enter:

    Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools

To turn on the Internet Information Service for Windows Server 2012 using Server Manager, do the following:
1. In the Start menu, select Server Manager.
2. In the navigation pane, select Dashboard, then click Manage > Add roles and features.
3. The Add Roles and Features Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Installation type page, select Role-based or feature-based installation, and then click Next.

6. On the Server Selection page, select Select a server from the server pool, select your server from the Server Pool list, and then click Next.
7. On the Server Roles page, select Web Server (IIS), click Next and then click Add Features to start configuring Web Server (IIS).

Installing .NET Framework

.NET Framework is usually installed on Windows 10 and Windows Server If you are using Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008, or if there is no .NET Framework on other Windows versions, you can download it from the Microsoft official website and run the installation file on your computer.

Alternatively, on Windows Server 2012, you can install .NET Framework using Windows PowerShell.

To install .NET Framework and configure Internet Information Service (IIS) for Windows Server 2012 using Windows PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and press Enter:

    Install-WindowsFeature -Name NET-Framework-Core, NET-Framework-45-ASPNET, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter

Configuring Internet Information Service (IIS)

Windows 8

Make sure that all the following options are selected in the Windows Features window and then click OK:
- .NET Framework 3.5 and .NET Framework 4.5 Advanced Services;
- Internet Information Services > Web Management Tools > IIS Management Console;
- Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET 3.5 and ASP.NET 4.5;
- Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content.

Windows 7

Make sure that all the following options are selected in the Windows Features window and then click OK:
- Internet Information Services > Web Management Tools > IIS Management Console;
- Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET;
- Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content.

Windows Server

In the Add Roles Wizard window, on the Role Services page, make sure that the following options are selected:
- Common HTTP Features > Static Content;
- Application Development > ASP.NET.
4. Click Next and then click Add Required Role Services.
5. On the Role Services page, make sure that the following options are selected:
- Management Tools > IIS Management Console.
6. Click Next and then click Install.
7. After the end of installation, click Close.

Windows Server

1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure that the Web Server (IIS) option is selected and then click Next.
2. On the Features page, make sure that the following options are selected:
- .NET Framework 3.5 Features (Installed) > .NET Framework 3.5;
- .NET Framework 4.5 (Installed) > ASP.NET
3. Click Next.
4. On the Web Server Role IIS page, click Next.
5. On the Role Services page, select the ASP.NET 4.5 option (under Application Development).
6. Click Next and then click Add Features.
7. On the Role Services page, make sure that the following options are selected: Application Development > .NET Extensibility 4.5 > ASP > NET 4.5 > ISAPI Extensions > ISAPI Filters.
8. Click Next and then click Install.
9. After the end of installation, click Close.

Using Certificates

Generating Self-Signed Certificate

To generate a self-signed certificate on the machine on which you will install the Management Tool, do the following:
1. Open the Internet Information Service Manager:
- For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
- For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Create Self-Signed Certificate.
5. The Create Self-Signed Certificate window opens.

6. Enter the name for the certificate in the Specify a friendly name for the certificate box and select Personal in the Select a certificate store for the new certificate drop-down list. Click OK.
7. The certificate is created.

Exporting Self-Signed Certificate

To export the self-signed certificate, do the following:
1. In the Internet Information Service Manager, on the Server Certificates pane, select the generated certificate and click Export on the Actions pane or in the certificate context menu.
2. In the Export Certificate window, define the location and password for the certificate. Click OK.
3. The certificate is exported and can be added to the Trusted Root Certification Authorities.

Importing Trusted Certificate

To import a purchased certificate issued for the computer, do the following:
1. Open the Internet Information Service Manager:
   - For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
   - For Windows Server 2012 or 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
   NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Import.
5. In the Import Certificate window, click the dots (...) to browse for the file of the purchased certificate and enter its password in the Password field.
6. Click OK.
7. The certificate is imported and displayed on the Server Certificates pane of the Internet Information Services (IIS) Manager.

Adding Certificate to Trusted Root Certification Authorities

Before adding the self-signed certificate to the Trusted Root Certification Authorities, it should be exported. For purchased certificates that were issued for your computer this procedure is not needed.

To add the certificate to the Trusted Root Certification Authorities, do the following:
1. Press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the opened Add or Remove Snap-ins window, select Certificates > Add.
5. In the opened Certificates snap-in window, select Computer account and click Next.

6. In the opened Select Computer window, select Local computer: (the computer this console is running on) and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Console window, expand the Certificates (Local computer) node.
9. In the Certificates (Local computer) tree-view, find the Trusted Root Certification Authorities node.

10. In the context menu of the Trusted Root Certification Authorities node, select All Tasks > Import.
11. The Certificate Import Wizard opens.
12. On the Certificate Import Wizard Welcome page, click Next.
13. On the File to Import page, click Browse to find the certificate to be imported and then click Next.

14. On the Private key protection page, enter the certificate password and then click Next.
15. On the Certificate Store page, click Next.

16. On the last page of the Certificate Import Wizard, click Finish.
17. In the confirmation message, click OK.
18. The certificate is imported and is displayed in the Console window in the Certificates node. Please note that the Issued To field contains the name of the computer on which the Management Tool will be installed in the format that will be used when opening the Management Tool.
19. Close the Console window.

Setting HTTPS Binding for a Default Web-Site

To set HTTPS binding for a default web-site, do the following:
1. Open the Internet Information Service Manager:
   - For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
   - For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
   NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Expand the node with the name of the target computer in the central pane.
3. Expand the Sites node.

4. Select the Default Web Site.
   NOTE: If there is no such site in the Internet Information Services (IIS) Manager of your computer, you can select any other site (the name of the site does not matter).
5. Click the Bindings navigation link to the right.
6. The Site Bindings window opens.
7. If there is no binding of HTTPS type in the Site Bindings window, click Add.
8. The Edit Site Binding window opens.
9. In the Type box, select https.
10. Next to the SSL certificate drop-down list, click Select.

11. The Select Certificate window opens, where the list of existing certificates is displayed.
12. In the Select Certificate window, select the certificate generated for the Management Tool and then click OK.
13. In the Add Site Binding window, click OK.
14. In the Site Bindings window, click Close.
15. Now the Internet Information Service is fully adjusted and you can start installing the Management Tool.

Installing/Uninstalling/Updating the Management Tool

Installing the Management Tool

To install the Management Tool, do the following:
1. Run the EkranSystem_ManagementTool.exe installation file.
2. On the Welcome page, click Next.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Connection Settings page, do the following and then click Next:
   - In the Server address box, enter the name or IP address of the computer on which the Server is installed.
   - In the URL address field, enter the folder where the Management Tool will be located within IIS. This URL will be used when opening the Management Tool.

5. On the Choose Install Location page, enter the destination folder in the corresponding field or click Browse and in the Browse For Folder window, define the destination folder. Click Install.
6. The installation process starts. Its progress is displayed on the Installing page.
7. After the end of the installation process, click Close to exit the wizard.
8. The Management Tool is displayed as an application of a default web site or any other site with https connection in the Internet Information Services (IIS) Manager.
9. Now you can open the Management Tool via your browser from the same computer or a remote one.
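The certificate steps that precede installation (Generating Self-Signed Certificate, Exporting, Adding Certificate to Trusted Root Certification Authorities, Setting HTTPS Binding) can also be scripted. The PowerShell below is an added example, not taken from the Ekran System help file; it assumes Windows 8 / Windows Server 2012 or later, an elevated session, the WebAdministration module and a site named Default Web Site, and the values of $HostName, $SiteName and $CerPath are placeholders. Unlike the wizard path, it places only the public certificate (no private key) in the Trusted Root store.

```powershell
# Added example: scripted form of the certificate and HTTPS binding steps.
# Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell, IIS installed.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Placeholder values. $HostName must be the computer name exactly as it will be
# typed in the browser, because the Issued To field has to match it.
$HostName = $env:COMPUTERNAME
$SiteName = 'Default Web Site'
$CerPath  = Join-Path $env:TEMP 'ManagementTool-public.cer'

# Certificate stores and IIS bindings can only be changed by an administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 1. Generating Self-Signed Certificate (Personal store of the local computer).
#    Reuse a still-valid self-signed certificate for the same name if one exists.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -eq "CN=$HostName" -and $_.Issuer -eq $_.Subject -and
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'
}

# 2. Exporting: write the public certificate only. The private key stays in the
#    Personal store, where IIS needs it; trust decisions never require it.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# 3. Adding Certificate to Trusted Root Certification Authorities (Local computer).
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# 4. Setting HTTPS Binding: add an https binding on port 443 if the site has none.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 | Select-Object -First 1
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 | Select-Object -First 1
}

# Attach the certificate unless port 443 already has one; never silently replace
# a certificate that another site or an administrator put there.
$existing = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
if (-not $existing) {
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
} elseif ($existing.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Port 443 already uses certificate $($existing.Thumbprint); binding left unchanged."
}

# Summary of what is now in place.
[pscustomobject]@{
    Site        = $SiteName
    IssuedTo    = $HostName
    Thumbprint  = $cert.Thumbprint
    NotAfter    = $cert.NotAfter
    TrustedRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    PublicCer   = $CerPath
}
```

The exported .cer file contains no private key, so it is the file to copy to any other computer whose browser has to trust the site.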

Adjusting Computer for Remote Access

If you want to open the Management Tool from a computer different from the one where the Management Tool is installed, you need to adjust Firewall settings to be able to access this computer. If the users access the Management Tool only from computers where it is installed, there is no need to configure Firewall.

To adjust Firewall on the computer where the Management Tool is installed, do the following:
1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules and select New rule.
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Predefined and then select Secure World Wide Web Services (HTTPS) in the list. Click Next.

6. On the Predefined Rules page, select the World Wide Web Services (HTTPS Traffic-In) option. Click Next.
7. On the Action page, select Allow the connection. Click Finish.
8. The new inbound rule for Firewall is created.

Updating Management Tool

To update the Management Tool, do the following:
1. Run the Management Tool installation file (EkranSystem_ManagementTool.exe) of a newer version.
2. On the The program is already installed page, select Update and then click Next.
3. Follow the installation instructions.
4. The Management Tool will be updated to the new version.

Uninstalling Management Tool

To uninstall the Management Tool, do the following:
1. Open the Programs and Features window of the Windows Control Panel.
2. In the Programs and Features window, find the Ekran System Management Tool application.
3. In the context menu of the application, select Uninstall.
4. The setup wizard opens and starts the uninstallation process.
5. When the process is completed, click Close to exit the setup wizard.
6. The Management Tool is uninstalled and removed from the Internet Information Service (IIS).

Opening Management Tool

To open the Management Tool, do the following:
1. Open the browser and enter of the computer or IP on which the Management Tool is installed>/<url address that has been specified during the Management Tool installation> in the address line. For example,
   NOTE: If the certificate is not added to the Trusted Root Certification Authorities or the name of the computer entered in the browser address does not match the subject (Issued To field) of the certificate, your browser will display a certificate error when opening the Management Tool.
2. The Management Tool opens.
3. Enter the credentials of the existing user added to the system:
   - For an internal user, enter the login and password defined during user creation.
   - For a Windows user, enter the login in the form <domain name>\<user name> and Windows authentication password.
   Please note, if the Active Directory user group has been added to the system, the users belonging to it can login using their Windows credentials.
4. The Management Tool Home page opens.

Please note, the Management Tool may take a while to launch on first connection, since IIS is not used constantly and its processes are stopped and restarted on the connection.

If you encounter any problems when opening the Management Tool, see the Troubleshooting chapter.
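The NOTE above names two causes of a browser certificate error: the certificate is not in Trusted Root Certification Authorities, or the name in the address does not match Issued To. The PowerShell function below is an added example, not part of the Ekran System help file, that tells the two apart from the computer where the browser runs and also reports when port 443 cannot be reached at all (for instance, when the inbound HTTPS rule is missing); the function name and the sample call are hypothetical.

```powershell
# Added example: diagnose a certificate error when opening the Management Tool.
# Run it on the computer whose browser shows the error. Test-ManagementToolEndpoint
# is a hypothetical helper name, not an Ekran System or Windows command.
function Test-ManagementToolEndpoint {
    param(
        [Parameter(Mandatory = $true)]
        [string]$HostName,   # the name exactly as typed in the browser address line
        [int]$Port = 443
    )

    $report = [ordered]@{
        HostName     = $HostName
        Reachable    = $false   # TCP connection to the HTTPS port succeeded
        NameMatches  = $null    # typed name matches the certificate (Issued To)
        ChainTrusted = $null    # certificate chains to a root trusted on THIS computer
        IssuedTo     = $null
        Thumbprint   = $null
        NotAfter     = $null
        Error        = $null
    }
    # Filled in by the validation callback during the TLS handshake.
    $seen = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        try {
            $tcp.Connect($HostName, $Port)
        } catch {
            # Nothing answered: check the inbound HTTPS firewall rule and that IIS is running.
            $report.Error = $_.Exception.Message
            return [pscustomobject]$report
        }
        $report.Reachable = $true

        # Record the policy errors instead of failing, so the certificate can be inspected.
        # Returning $true is acceptable only because no data is sent over this connection.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($origin, $certificate, $chain, $policyErrors)
            $seen.Errors = $policyErrors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
        } catch {
            $report.Error = $_.Exception.Message
            return [pscustomobject]$report
        }

        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $nameBit  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainBit = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

        $report.NameMatches  = (([int]$seen.Errors) -band $nameBit) -eq 0
        # Chain errors cover an untrusted root and also an expired certificate; see NotAfter.
        $report.ChainTrusted = (([int]$seen.Errors) -band $chainBit) -eq 0
        $report.IssuedTo     = $remote.GetNameInfo('SimpleName', $false)
        $report.Thumbprint   = $remote.Thumbprint
        $report.NotAfter     = $remote.NotAfter
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$report
}

# Sample call against the local computer name; replace with the name used in the browser.
Test-ManagementToolEndpoint -HostName $env:COMPUTERNAME
```

NameMatches = False means the address should use the name shown in IssuedTo; ChainTrusted = False with a future NotAfter means the certificate still has to be added to Trusted Root Certification Authorities on the computer running the check.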

Management Tool Interface

The Management Tool interface is divided into the following areas:
- Panes
  - Navigation pane
  - Data View pane
  - Filtering pane
- Toolbar

The Navigation pane

The Navigation pane allows you to navigate between different sections of the Management Tool and consists of the following navigation links:
- Home: Opens the page on which dashboards are displayed, containing information on the system state, recent user activity, and any suspicious user behaviour.
- Monitoring Results: Opens the page on which the user can view the list of all Client sessions received from Clients the user has the View monitoring results permission for.
- Forensic Export History: Displays the list of sessions exported via Forensic Export from the Session Viewer. A user can download any exported session and validate the already exported session.
- Report Generator: Opens the Report Generator page on which the user can generate the report of the required type by defined parameters and then save it or print it.
- Interactive Monitoring: Opens the Interactive Monitoring page on which the user can view statistic data on user activity displayed in two column charts (Applications Monitoring and URL Monitoring).
- Client Management: Displays the information about all Clients in the system. The number of Clients displayed on the page depends upon permissions given to users that log in to the Management Tool. Additionally, the user can navigate to the Blocked User list from the Client Management page.
- User Management: Displays the information about all Users in the system and is available for users that have the User management permission.
- Access Management: Opens the Access Management page on which the user can manage Two-Factor Authentication keys and One-Time Passwords.
- Alert Management: Displays the information about alerts assigned to your Clients.
- Kernel-level USB monitoring: Displays the list of all USB monitoring rules for all the Clients in the system and is available for the users with the administrative Client installation and management permission.
- Scheduled Reports: Opens the Scheduled Reports page on which the user can view and manage report generation rules, and view rule logs.
- Database Management: Opens the page on which the user with the Database management permission can perform archiving and cleanup of the Database.

- Serial Key Management: Displays the information about your Serial key and contains keys activating/deactivating options and is available for users that have the Serial keys management permission.
- Configuration: Opens the page on which the user can define the sending settings, Player link settings, CEF log settings, Ticketing system integration settings, and LDAP Targets.
- Management Tool Log: Contains information on all user actions performed in the Management Tool.
- Diagnostics: Provides quick access to Server and Management Tool log files for users that have the Database management permission.

The Data View pane

The Data View pane contains a grid with the information about your Clients, Users, Alerts, database, and Serial keys.

The Filtering pane

The Filtering pane allows you to filter the Clients, Users, and Alerts by keywords of their names and hide offline/online/uninstalled/licensed/windows/linux Clients.

Toolbar

The Toolbar of the Management Tool allows you to perform basic actions with Clients, Users, and Alerts. The options of the Toolbar are the following:
- For Client Management: Add Client Group, Install Clients, Manage Licenses, Edit Uninstallation Key, Uninstall Clients, Delete Clients, Blocked User List, and One-Time Passwords.
- For User Management: Add User and Add User Group.
- For Alert Management: Add Alert, Manage Multiple Alerts, Export Alerts, Import Alerts, and Global Alert Settings.
- For Access Management: Add User to the List.
- For Kernel-Level USB Monitoring Management: Add Rule.
- For Scheduled Reports: Add Rule.
- For Forensic Export: Validate Export Results.

Changing Password for Logged in User

Internal users, including the Built-in administrator, can change their passwords after logging in to the Management Tool. This action is not available for Active Directory users.

To change your password, do the following:
1. Click your user name in the upper right corner of any Management Tool page.

2. The Manage account page opens.
3. In the Current password box, type your current password.
4. In the New password box, type the new password.
5. Re-enter the password in the Confirm password box.
6. Click Change password.
7. Your password is changed. You will need to use it during the next log in.

Licensing

General Licensing Information

To start receiving information from the Clients, you have to assign licenses to them. Three types of licenses are available:
- Workstation license: Clients with this license monitor only one session, either remote or local, on the investigated computer.
  NOTE: Licenses of the workstation type cannot be assigned to a computer with Server OS.
- Server license: Clients with this license monitor an unlimited number of remote sessions and any local sessions on the investigated computer. Remote sessions include Remote Desktop sessions, terminal sessions, etc.
- Linux license: Linux Clients with this license monitor an unlimited number of terminal sessions on the investigated computer.

Each Client can have only one license assigned. During the first connection to the Server, the license corresponding to the Client computer operating system is automatically assigned to a Client. If the license has not been automatically assigned, then you will have to assign the license to the Client manually.

When you log into the Management Tool for the first time, you can request a trial serial key which allows you to use 5 workstation licenses, 3 Linux licenses, and 1 server license for 30 days. The trial serial key will be sent to the address you specify in the request form.

To use the system permanently and with a greater number of licenses, you have to license it with purchased serial keys on a computer with the installed Server.

NOTE: After activation of any serial key, the embedded trial key expires.

Four types of serial keys are available:
- Standard serial keys: These keys allow you to use the licenses they contain for an unlimited period of time.
- Trial serial keys: These keys allow you to use the licenses they contain for 30 days from activation and update the product during this period.
- Subscription serial keys: These keys allow you to use the licenses they contain during the subscription period.
- Enterprise serial keys: These keys give you access to the enterprise features of the Ekran System for an unlimited period of time.

See the detailed information on the Standard and Enterprise Editions of Ekran System in the Appendix.

Each standard, trial, and subscription serial key contains the following data:
- Update & support period
- Server licenses for the Clients
- Workstation licenses for the Clients
- Linux licenses for the Clients

The enterprise serial key does not contain any Client licenses and is active for an unlimited period of time. This key grants you access to such valuable features of the Ekran System as Database Archiving, ArcSight Integration, One-time Password, and High-Availability.

Once you have purchased serial keys, you can either activate serial keys online or add activated serial keys if you have no Internet connection on a computer with the installed Server. Contact your vendor for information on purchasing serial keys.

You need the administrative Serial keys management permission to activate serial keys.

Please note, after the activation, serial keys are bound to a specific computer and cannot be used on another computer.

About Update & Support Period

An Update & support period is a period that defines what updates can be applied to your copy of the product. Updates are defined by their release date. After the update & support period expires, you can still assign licenses to Clients, but you will be unable to update the System to versions released after the update & support period expiration date.

The update & support period end date is defined during the serial key activation (either via the Management Tool or on the vendor's site). It is calculated using a serial key with the longest update & support period.

Example: If you activate two keys, one with a 30 days update & support period and one with a 12 months update & support period, simultaneously, the update & support period end date will be set to 12 months from the activation date.

When a new serial key is being activated, the update & support period is prolonged accordingly. Please note, if the current update & support period is longer than the one of a key being activated, the current update & support period does not change.

For example, if you activate a key with a 12 months update & support period after a key with a 30 days update & support period, the update & support end date will be set to 12 months since the activation date. But if you activate a key with a 30 days update & support period after a key with a 12 months update & support period, the update & support period end date will not change.

If your update & support period expires, you can purchase a special subscription extension serial key, which does not contain any keys, but extends your update & support period, or you can activate any other serial key.

Viewing License State

You can view the information on serial keys you have activated or added and license details on the Serial Key Management page in the Management Tool.

To view the license state, open the Management Tool and click the Serial Key Management navigation link to the left.

The following information is displayed on the Serial Key Management page:
- Update & support period end date: The update & support period end date is calculated based on the dates of serial keys activation and their subscription periods.
- Workstation licenses used: The number of workstation licenses used out of the total number, which is summed up from all activated serial keys.
- Server licenses used: The number of server licenses used out of the total number, which is summed up from all activated serial keys.
- Not licensed Clients: Displays the number of installed Clients with no licenses assigned.
- Linux licenses used: The number of Linux licenses used out of the total number, which is summed up from all activated serial keys.
- Enterprise key: Displays whether the target Server computer has an activated enterprise serial key.

The following information is displayed in the Serial Key Management table:
- Serial key
- Activation date
- Deactivation date (for deactivated keys only)
- Number of server licenses
- Number of workstation licenses
- Number of Linux licenses
- Key state: activated/deactivated/expired. For a trial serial key, an expiration date is displayed near the key state.

Activating Serial Keys Online

To activate purchased serial keys online, do the following:
1. Make sure you have an active Internet connection on the computer with the installed Server.
2. Log in to the Management Tool as a user with the administrative Serial keys management permission.
3. Click the Serial Key Management navigation link to the left.
4. On the Serial Key Management page, click Activate keys online.
5. In the Serial Key Activation window, enter serial keys to be activated separating them with semicolons or paragraphs and click Activate.
6. The activated keys will appear on the Serial Key Management page.
7. The number of available server, workstation, and Linux licenses and the update & support period end date change.

Adding Activated Serial Keys Offline

If you have no Internet connection on a computer on which the serial keys are to be activated, you can activate them on the license site and then add the activated serial keys offline. For more information, send an email to info@ekransystem.com

NOTE: Subscription serial keys cannot be activated offline.

To activate serial keys offline on the license site, do the following:
1. On the computer with the installed Server, start the UniqueIdentifierGenerator.exe file, which you can download at exe
2. The Unique Identifier Generator window opens.
3. Click Generate to generate a unique identifier for your computer.
4. When a unique identifier for your computer is generated, it will appear in a text box under the Unique Identifier group of options.

5. Copy the unique identifier from the text box to a text file on a removable drive.
6. Go to the license site.
7. Enter the generated unique identifier in the Unique Identifier box.
8. Copy and paste the purchased serial keys to the Serial Keys box separating them with paragraphs or spaces.
9. Enter the CAPTCHA text in a text box near the CAPTCHA image.
10. Click Activate.
11. The activatedkeys.txt file will be generated. Save the file on a removable drive.
12. Copy the file to the computer on which you will open the Management Tool.
    NOTE: Please do not edit the generated file activatedkeys.txt.

To add activated serial keys in offline mode, do the following:
1. Log in to the Management Tool as a user with the administrative Serial keys management permission.
2. Click the Serial Key Management navigation link to the left.
3. On the Serial Key Management page, click Add activated keys.
4. On the Activated Serial Key Adding page, click Choose File and navigate to the activatedkeys.txt file with activated serial keys.
5. Click Add.
6. The newly added serial keys appear on the Serial Key Management page.
7. The number of available server, workstation, and Linux licenses and the update & support period end date change.
8. If there are both licensed and unlicensed Clients in your network and you want to license the rest of Clients with a purchased key, you will have to assign the license to the remaining unlicensed Clients manually.

Deactivating Serial Keys

If for some reason you decide to discontinue using Ekran System, you can deactivate serial keys.

To deactivate a serial key, do the following:
1. Make sure you have an active Internet connection on the computer with the installed Server.
2. Log in to the Management Tool as a user with the administrative Serial keys management permission.
3. Click the Serial Key Management navigation link to the left.
4. On the Serial Key Management page, select a serial key to be deactivated and click Deactivate selected.
   NOTE: Expired serial keys can't be deactivated.

5. In the confirmation message, click Deactivate.
6. The deactivated serial key is marked as Deactivated in the State column of the Serial Key Management page.
7. The number of available server, workstation and Linux licenses and the update & support period end date change.

Client License Management

The Client license management is performed in the Management Tool by the user with the administrative Client installation and management permission.

You can assign a license to a Client or unassign it manually any time. The license can be assigned to an offline Client, and it will be applied after the Client is online. If the Client is uninstalled, its license becomes free and can be assigned to another Client.

NOTE: When a trial serial key expires, the corresponding number of licenses is automatically unassigned from Clients.

Information about the number of used and free licenses of each type is displayed on the Serial Key Management page in the Management Tool.

To assign the license to one Client, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the needed Client from the list and then click Edit Client.
4. On the Editing Client page, on the Properties tab, in the License box, select the type of license you want to assign to the Client.
5. Click Finish.
6. The license is assigned to the Client.

To manage the licenses of several Clients, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Manage Licenses.
4. On the License Management page, select the Clients to which the licenses should be assigned. To find a specific Client, enter its name in the Contains box and click Apply Filters.
5. When the Clients are selected, click one of the following:
   - Assign workstation license: Assigns licenses to the selected Windows Clients installed on the computers with a non-Server operating system.

   - Assign server license: Assigns licenses to the selected Windows Clients installed on the computers with Server operating system.
   - Assign Linux license: Assigns licenses to the selected Linux Clients.
   - Assign recommended license: Automatically defines the type of the licenses to be assigned based on the operating system of the computers on which the Clients are installed.
   - Unassign license: Removes licenses from the selected Clients.
   NOTE: To change the Client license type, you do not need to unassign the current license. This will be done automatically.

User and User Group Management

About

By default, there is one administrator in the system, whose login is admin and whose password is defined during the Server installation. The administrator has all the rights for work in the system. In order to grant others access to the system, you can add users and define their permissions.

There are two types of users:
- Internal users
- Active Directory users (Windows domain users and Windows domain user groups)

To define permissions for users, you can create user groups. One user can belong to several user groups. When the user is added to a group, they inherit all permissions from a group. If the user inherited some permissions from a group, these permissions can be removed only by removing the user from this group. Apart from permissions received from the group, you can assign other permissions to a specific user.

By default, there are three user groups in the system:
- All Users: A group that contains all created users.
- Administrators: A group of users that can perform administrative functions within the system. If a user is added to this group, they receive all administrative and Client permissions within the system.
- Supervisors: A group of users that perform major investigative work with the Clients. If a user is added to this group, they receive the Viewing monitoring results permission for All Clients.

You can also add other custom user groups and manage them yourself.

Please note, user and user group management is allowed only to the users with the administrative User management permission.

Viewing Users and User Groups

The Users and User Groups are displayed on the User Management page in the Management Tool. Users are grouped by the User Groups which they belong to.

The lists of Users contain the following information:
- Login
- First Name
- Last Name
- Description

NOTE: For Active Directory users, their first name and last name will be filled automatically after the first log in to the system.

To find a required User, enter a part of their user name, first name, last name or description in the Contains box and click Apply Filters.

On the User Management page, you can add new Users/User Groups and edit existing Users/User Groups (including deletion).

User Management

Adding Users

To add a new user, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Add User.
4. On the User Type tab, select the type of the user you want to add:
   - Click Add an Internal user to create an internal application user.
   - Click Add an Active Directory user/user group to add an existing Windows user/user group.
5. On the User Details tab, do one of the following and click Next:

   - For an internal user, define user credentials and additional information about the user.
     NOTE: Login and password are required. The password must be at least 6 characters long. The maximum length of the first name, last name, and description is 200 characters.
   - For an Active Directory user/user group, select the domain in the Domain list and then enter at least two characters into the User/User group box to search for the required user/user group.
     NOTE: The Active Directory user cannot be added if there is no LDAP target added for the required domain on the Configuration page or if the connection with the domain is lost (the domain is unavailable).

6. On the User Groups tab, select the user groups the user will belong to. To find a specific group, enter its name in the Contains box and click Apply Filters. Click Next.
   NOTE: The user is automatically added to the default All Users group and can't be removed from it.
7. On the Administrative Permissions tab, select administrative permissions that will be given to the user. Click Next.
   NOTE: If the user has inherited some permissions from user groups, you can only add new permissions. To remove permissions inherited from user groups, you need to remove the user from these groups.
8. On the Client Permissions tab, do the following:
   - Select the necessary Client/Client Group. To find a specific Client/Client Group, enter its name in the Contains box and click Apply Filters.

   - Click Edit Permissions and then, in the Client Permissions/Client Group Permissions window, define the Client permissions which will be given to a user for the corresponding Client/Client Group. When the permissions are defined, click Save to close the Client Permissions/Client Group Permissions window.
9. Click Finish.
10. The user is added and displayed on the Users page.
    NOTE: For an Active Directory user, the first name and last name properties will be automatically filled after the user's first login to the system.

Editing Users

To edit an existing user, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User for the required user.
4. Edit user properties and permissions on the corresponding tabs in the same way as when adding a new user.
   NOTE: Click Next or Finish to save the changes on each tab.
5. The user is edited.

Deleting Users

Deleting a user means that the user will not be able to use the system. If you delete a user who is logged in to the Management Tool, the Management Tool will become unavailable for the user at once and none of its pages will be displayed.

To delete a user, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User for the required user.
4. On the User Details tab, click Delete User.
5. In the confirmation message, click Delete.
6. The user is deleted.

User Group Management

Adding User Groups

To add a new user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Add User Group.
4. On the Group Properties tab, define the name for the user group and, optionally, define its description. Click Next.
5. On the User Management tab, select users that will belong to the user group. To find a specific user, enter its name in the Contains box and click Apply Filters. Click Next.
6. On the Administrative Permissions tab, select administrative permissions that will be given to all users belonging to this user group. Click Next.
7. On the Client Permissions tab, find the Client/Client Group for which permissions are to be defined. To find a specific Client/Client Group, enter its name in the Contains box and click Apply Filters. Click Edit Permissions and then, in the Client Permissions/Client Group Permissions window, define the Client permissions which will be given to a user for the corresponding Client/Client Group. After you have defined all Client permissions, click Save to close the Client Permissions/Client Group Permissions window.
8. On the Client Permissions tab, click Finish.
9. The user group is added.

Editing User Groups

To edit an existing user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User Group for the required user group.
4. Edit user group properties and permissions on the corresponding tabs in the same way as when adding a new user group.
NOTE: Click Next or Finish to save the changes on each tab.
5. The user group is edited.

Deleting User Groups

Deleting a user group does not delete users belonging to it. If the group is deleted, its users no longer have permissions given by this user group unless these permissions are inherited from another user group.

NOTE: The user group All Users cannot be deleted.

To delete a user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User Group for the required user group.
4. On the Group Properties tab, click Delete Group.
5. In the confirmation message, click Delete.
6. The user group is deleted.

Permissions

About

The permissions allow you to define which functions a user will be able to perform with the system and Clients. There are two types of permissions: administrative permissions and Client permissions.

Administrative permissions define actions that a user can perform with the whole system. Client permissions define actions that a user can perform with selected Clients.

The permissions can be defined during user and user group adding/editing. If you define permissions for the group, any user belonging to this group inherits these permissions. To remove permissions inherited by the user from a group, you need to remove the user from a group. Apart from permissions inherited from the group, you can assign a user their own permissions.

Administrative Permissions

The following administrative permissions are available:
- Serial keys management: Allows a user to activate and deactivate serial keys.
- User management: Allows a user to add, edit, delete Users/User groups and define permissions for them. It also allows a user to view the Management Tool log.
- Client installation and management: Allows a user to install Windows Clients, assign licenses to Windows Clients, add, edit, and delete Client groups, manage alerts, define alert settings, create and manage scheduled report rules, view report logs, define sending settings, create and manage the USB monitoring & blocking rules, as well as block users.
- Database management: Allows a user to get information on the database, perform database cleanup, delete Clients from the database, and download Server and Management Tool log files.
- Viewing archived data: Allows a user to view and export sessions from archive databases.

Client Permissions

Client permissions define which actions a user will be able to perform with the Clients. If a user does not have the administrative Client installation and management permission, in the Management Tool they will see only those Clients for which they have at least one Client permission.

NOTE: Client permissions are defined for each Client or Client Group individually.

The following Client permissions are available:
- Client configuration management: Allows a user to define Client configuration.
- Viewing monitoring results: Allows a user to:
  o View the results of Client monitoring and Forensic Export results in the Management Tool.
  o View Windows and Linux Client configuration.
  o Generate reports in the Management Tool.
- [Windows Clients] Viewing text data: Allows a user to view keystrokes and clipboard text data recorded during Client monitoring.
- [Windows Clients] Client uninstallation: Allows a user to uninstall a Client.
- Access Client computer: Allows a user to log in to the Client machine with enabled forced user authentication. It is available for Linux and Windows Server Client machines.

Permission Example

You can define the permission for a user by selecting the Edit User option and selecting the option next to the required permission on the Administrative Permissions tab. If the user belongs to several Groups, they will inherit all the permissions defined for them.

For example: There is a user Joe who belongs to the Group 1 and Group 2 user groups. Besides, there are Client 1 and Client 2 that belong to the All Clients group. The following permissions are given to the user Joe, Group 1, and Group 2 by the administrator:

| User/User Group | Administrative permissions | Client permission | For |
|---|---|---|---|
| Group 1 | User management | Client uninstallation | Client 1 |
| Group 2 | Serial keys management | Viewing monitoring results | Client 2 |
| User Joe | Client installation and management; Serial keys management | Viewing monitoring results | Client 1 |
| | | Client configuration management | All Clients |

As a result, the user Joe will have the following permissions:

Administrative
o User management permission (because he belongs to Group 1).
o Serial keys management permission (because he belongs to Group 2; but he also has his own Serial keys management permission, and thus will have it even if Group 2 is deleted or its permissions are edited).
o Client installation and management permission (he will have this permission irrespective of the user groups he is added to).

Client permissions for Client 1
o Client uninstallation permission (because he belongs to Group 1).
o Viewing monitoring results permission (because it is his own permission and he will have it irrespective of the user groups he is added to).
o Client configuration management permission (because the Client belongs to the All Clients group).

Client permissions for Client 2
o Viewing monitoring results permission (because he belongs to Group 2).
o Client configuration management permission (because the Client belongs to the All Clients group).
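The inheritance rules from the Joe example can be checked mechanically. The following Python sketch is an added illustration, not Ekran System code: the data structures and function names are hypothetical, and the grants are transcribed from the example table. It resolves effective permissions with their sources, which also answers the review question of what a user loses when a user group is deleted.

```python
"""Effective-permission resolver for the Joe example (added illustration)."""

# Constructed data, transcribed from the example table on this page.
CLIENT_GROUPS = {"All Clients": {"Client 1", "Client 2"}}
MEMBERSHIP = {"Joe": ["Group 1", "Group 2"]}
GRANTS = {
    "Group 1": {
        "admin": {"User management"},
        "client": {"Client 1": {"Client uninstallation"}},
    },
    "Group 2": {
        "admin": {"Serial keys management"},
        "client": {"Client 2": {"Viewing monitoring results"}},
    },
    "Joe": {
        "admin": {"Client installation and management", "Serial keys management"},
        "client": {
            "Client 1": {"Viewing monitoring results"},
            "All Clients": {"Client configuration management"},
        },
    },
}


def principals(user):
    """The user plus every user group the user belongs to."""
    return [user] + list(MEMBERSHIP.get(user, []))


def effective_admin(user):
    """Map each administrative permission to the principals that grant it."""
    result = {}
    for principal in principals(user):
        for perm in GRANTS.get(principal, {}).get("admin", ()):
            result.setdefault(perm, set()).add(principal)
    return result


def effective_client(user, client):
    """Map each Client permission on `client` to (principal, target) sources.

    A grant applies if it targets the Client itself or a Client Group
    that contains the Client.
    """
    targets = {client} | {g for g, members in CLIENT_GROUPS.items() if client in members}
    result = {}
    for principal in principals(user):
        for target, perms in GRANTS.get(principal, {}).get("client", {}).items():
            if target in targets:
                for perm in perms:
                    result.setdefault(perm, set()).add((principal, target))
    return result


def lost_if_group_deleted(user, group, clients):
    """Permissions the user holds only through `group` (lost if it is deleted)."""
    admin = sorted(p for p, src in effective_admin(user).items() if src == {group})
    client = {}
    for c in clients:
        only = sorted(
            perm for perm, src in effective_client(user, c).items()
            if {principal for principal, _ in src} == {group}
        )
        if only:
            client[c] = only
    return admin, client


if __name__ == "__main__":
    for perm, src in sorted(effective_admin("Joe").items()):
        print(f"admin: {perm} <- {sorted(src)}")
    for c in ("Client 1", "Client 2"):
        for perm, src in sorted(effective_client("Joe", c).items()):
            print(f"{c}: {perm} <- {sorted(src)}")
    print(lost_if_group_deleted("Joe", "Group 2", ["Client 1", "Client 2"]))
```
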

Management Tool Log

About

The Management Tool Log is a component that contains information on all user actions performed in the Management Tool. Such information might be useful for the administrator to manage and monitor the actions of all users in the system. Viewing the Management Tool Log is available only to users with the administrative User management permissions.

Viewing Management Tool Log

To view the log, log into the Management Tool and click the Management Tool Log navigation link to the left.

On the Management Tool Log page, the Log Grid with the following data is displayed:
- Time: Displays the date & time the action was performed.
- User Name: Displays the name of the user who performed the action.
- User Groups: Displays the list of the User Groups the user belongs to.
- Category: Displays the category the action performed belongs to.
- Action: Displays the action performed.
- Object: Displays the list of the objects affected by the action.
- Details: Displays additional information about the action performed.

You can define the number of the log entries to be displayed per page: 10/100/250/1000.

All actions performed by the users in the Management Tool are grouped by the following categories:
1. Alert management. Contains the information on the alert configuration being changed, as well as exporting, importing, deleting older alerts, creating new ones, and changing the Global Alert settings.
2. Alert player viewing. Contains the information on viewing alert events in the Alert Viewer by a user.

3. Archived Sessions Viewing. Contains the information on the archived sessions being opened in the Session Viewer or being exported via Forensic Export.
4. CEF log settings. Contains the information on the CEF log settings being changed.
5. Client editing. Contains the information on the Client configuration being changed. If there were multiple configuration changes, they are combined in a single log entry.
6. Client group management. Contains the information on the Client Group configuration being changed, as well as deleting older Client Groups and creating new ones.
7. Client installation/uninstallation. Contains the information on installation and uninstallation of the Clients performed by a user, as well as the Client uninstallation key being changed.
8. Database cleanup. Contains the information on the manual & automatic cleanup being performed and the changes made to the automatic cleanup settings by a user.
9. Database management. Contains the information on the database shrinking, database archiving and cleanup, and statistics update performed by a user.
10. Diagnostics. Contains the information on downloading the server and Management Tool log files by a user.
11. sending settings. Contains the information on the sending settings being changed.
12. Forensic Export. Contains the information on users performing Forensic Export, downloading and deleting the Forensic Export results, as well as validating those results.
13. Interactive monitoring. Contains the information on Clients, users on Client computers, and time period, for which the Application Monitoring and URL Monitoring widgets were generated.
14. Kernel-level USB monitoring. Contains the information on the USB monitoring & blocking rules being changed by a user, as well as deleting older rules and creating new ones.
15. Log in / Log off. Contains the information on users logging in/logging off (including MT being closed, session expiring, etc.).
16. One-time password. Contains the information on generated, used, expired and manually terminated one-time passwords.
17. Report generation. Contains the information on the reports generated by a user, both via Report Generator and from the Scheduled rule. It also contains information about the generated reports being downloaded by a particular user.
18. Scheduled report management. Contains the information on the Scheduled Report rules being changed by a user, as well as deleting older rules and creating new ones.
19. Serial key management. Contains the information on adding, activation, and deactivation of the serial keys by a user.
20. Session Viewing. Contains the information on the sessions opened in the Session Viewer by a user.
21. Ticketing system integration. Contains the information on the ticketing system integration being enabled or disabled and on the ticketing system access parameters being edited.
22. Two-Factor Authentication. Contains the information on the users being added or deleted on the Two-Factor Authentication page.

23. User blocking. Contains the information on users being added to and removed from the Blocked User list.
24. User group management. Contains the information on the user group configuration being changed by a user, as well as deleting older user groups, creating new ones, changing the Client and administrative permissions.
25. User management. Contains the information on the user configuration being changed by a user, as well as deleting older users, creating new ones, changing the Client and administrative permissions.

Management Tool Log Protection

The Management Tool Log is protected against log-altering attacks, its data being encrypted in the database. The database encryption is unique for each server. If the log has been modified, a warning is displayed that the log data is not valid, and the invalid log entries are marked red.

Filtering and Sorting Log Data

You can filter Management Tool log entries using the dropdown menu near the column header in the Log grid. You can filter data by multiple fields.

To filter data by a non-date field (User Name, User Groups, Category, Action, Object), click near the required column name, select one or several options, and then click OK.

To filter data by the Time field, click near the required column name, select the From and To dates in the dropdown menu, and then click OK.

To sort data in the Log grid, click the required column header. You can change column sort order from ascending to descending, and vice versa. To do this, click the Sort arrow near the column header.

Windows Clients

About

Windows Client is a program that can be installed on the target computers to monitor the activity of their users. The monitored data is sent by the Windows Client to the Server and can be viewed in the Management Tool.

Depending upon their permissions, a user can install/uninstall Clients remotely, manage their configuration, and manage Client groups.

Monitoring via Windows Clients

The Windows Clients work as follows:
- Each Windows Client starts automatically on computer start.
- A licensed Windows Client performs the monitoring of both remote and local sessions. Clients with a server license can monitor many sessions simultaneously. Clients with a workstation license monitor only one session (local or remote).
- Every time the computer is restarted, the Windows Client starts recording screen captures in a new session. The maximum duration of one session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from live to finished), new live sessions automatically start.
- If a user works with several monitors, the Windows Client creates screen captures from all of them.
- The Windows Client sends its monitoring results to the Server. On the Client side, the monitoring data is compressed before sending it to the Server. To disable the data compression on the Client side, in the Windows Registry Editor, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and add a new value:
  o Value type: DWORD
  o Value name: Compression
  o Value data: 0
- If there is no connection with the Server, the Client stores the monitored data locally and automatically sends it to the Server when the connection is renewed. The data is stored in the TempWrite.dat file in the Client folder, which is located here: C:\Program Files\Ekran System\Ekran System\Client. The Client continues storing offline data until only 500 MB of free space is left on the hard drive. The Client can resume storing offline data once there is more than 500 MB of free space on the hard drive.
- The screen capture creation frequency of the Windows Client is the following:
  o If the user is typing the text, the screen capture is created once in 10 seconds.
  o If the user clicks a mouse, the screen capture is created once in 3 seconds.
  o If the user changes an active window, the screen capture is created once in 3 seconds.

Screen capture creation triggers usually influence each other, though the average screen capture creation frequency is higher.

If the Capture screen on each event without timeout parameter is selected for the Windows Client, screen captures are created on each mouse click or keyboard key pressing without using data sending time out.

WARNING! The Capture screen on each event without timeout option affects CPU usage on the Client computer and database size. It is not recommended to use this option for a great number of Clients and for a long period of time.

Installing Windows Clients

About

During the system deployment, remote installation of the Windows Clients is used. Remote installation of the Clients is performed via the Management Tool. To ensure successful remote installation of the Windows Clients, you have to set up the network environment beforehand.

If your computers belong to a workgroup but not a domain, you need to know the administrator account credentials for each remote computer. Otherwise, knowing the domain administrator credentials is enough.

The Windows Clients can also be installed locally via the installation package generated in the Management Tool. Thus you can distribute the installation package of the Client with predefined settings among the network computers and install it. This kind of installation is useful when you experience difficulties with installing the Clients remotely via the Management Tool, or the computers in your network are a part of a workgroup and do not have the same administrative account for each computer.

Setting up Environment for Remote Installation

Windows Client Installation Prerequisites

The majority of Windows Client installation/uninstallation issues are caused by incorrect system or network settings. The following conditions have to be met for successful Windows Client installation:
- The remote computer has to be online and accessible via network.
- Shared folders have to be accessible on the remote computer. Simple file sharing (Sharing Wizard) has to be disabled if the computer is in a workgroup (for domain computers this requirement can be skipped).
- You need to know the domain administrator or local administrator account credentials for the remote computer.
- The Server and the Remote Procedure Call (RPC) system services have to be running on the remote computer.

- Windows Vista and Windows XP Firewall has to be properly set up on the remote computer during the Clients remote installation.
- In Windows 8, Windows 7, Windows Server 2012 and Windows Server 2008 Firewall, inbound connections have to be allowed in the Remote Service Management (RPC) rule for the remote computers and the File and Printer Sharing option has to be enabled (in this case it is not necessary to disable Windows Firewall).
- In Windows Firewall on the Server side, allow the Server executable to accept TCP connections via ports 9447 and 9449 (for the connection between the Server and the Clients).
  NOTE: These rules will be added to Windows Firewall automatically if Windows Firewall is enabled during the Server installation.

Make sure the conditions mentioned above are met to avoid possible problems with Client remote installation.

Disabling Simple File Sharing in Windows XP

To disable simple file sharing in Windows XP, do the following:
1. Open My Computer.
2. Select Tools > Folder Options in the menu.
3. In the Folder Options window, select the View tab.
4. Clear the Use simple file sharing option.
5. Click Apply and OK to close the window.

Disabling Sharing Wizard in Windows 8.1, Windows 8, and Windows 7

To disable the Sharing wizard in Windows 8.1, Windows 8, and Windows 7, do the following:
1. Open the Folder options window:
   - For Windows 8.1/Windows 8: Open the Control Panel and then select Appearance and Personalization.
   - For Windows 7: Open Computer and then select Organize > Folder and search options.
2. In the Folder Options window, select the View tab.
3. Clear the Use Sharing Wizard option.
4. Click Apply and OK to close the window.

Checking System Services

To check that the Server and Remote Procedure Call (RPC) system services are running:
1. Right-click Computer and select Manage. The Computer Management window opens.
2. Expand the Services and Applications node and select Services.
   To quickly access Windows Services, press Windows+R, type services.msc in the Run text box and press Enter.

3. Find the Server service and the Remote Procedure Call (RPC) service in the list of services. Make sure both services are running (their status is displayed as Started).
4. If one or both services are not running, start them manually. To start the service, right-click it and select Start from the context menu. The selected service is started.

Setting up Windows Vista, Windows XP, and Windows Server 2003 Firewall

It is not necessary to disable the Firewall in Windows Vista, Windows XP, and Windows Server 2003. For successful remote installation of the Clients, you have to enable the File and Printer Sharing option.

To set up Windows Vista, Windows XP, and Windows Server 2003 Firewall, do the following:
1. Select Start > Control Panel > Windows Firewall.

2. In the Windows Firewall window, select the Exceptions tab.
3. On the Exceptions tab, select the File and Printer Sharing option.
4. Click OK.

Setting up Firewall for Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008

It is not necessary to disable the Firewall in Windows 8.1, Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008. For successful remote installation of the Clients, you have to allow inbound connections in the Remote Service Management (RPC) rule for the remote computers and enable the File and Printer Sharing option.

To enable inbound connections for the Remote Service Management (RPC) rule, do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.

3. In the Windows Firewall with Advanced Security window, click Inbound Rules and then double-click the Remote Service Management (RPC) rule in the rules list.
4. The Remote Service Management (RPC) Properties window opens.
5. In the General tab, select Enabled under General and click Allow the connection under Action.

6. In the Advanced tab, under Profiles, select the profile of the network used for connecting remote computers and the Server.
7. Click Apply and then OK to save the settings and close the Properties window.
8. Close the Windows Firewall window.

To enable the File and Printer Sharing option, do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Allow an app or feature through Windows Firewall.
3. In the opened Allowed apps window, click Change settings.

4. Select the File and Printer Sharing option.
5. Click OK.

Installing Windows Clients Remotely via the Management Tool

About

You can install the Windows Clients remotely via the Management Tool. This way of installation is very convenient if all computers in your network have the same domain administrator credentials.

Remote Windows Client Installation is performed by a user who has the Client installation and management permission in two steps:
1. Selecting computers on which Clients will be installed.
2. Defining installation parameters and installing the Clients.

Selecting Computers

To select the computers for Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.

4. The Computers without Clients page opens. On this page, you can see the computers for which the previous installations failed.
5. Select how you would like to search for computers where the Windows Clients will be installed:
   - To select computers from the list of all computers in your network, click Deploy via network scan.
   - To select computers by IP range (IPv4 or IPv6 addresses), click Deploy via IP range.
   - To select computers by their names, click Deploy on specific computers.
6. In the Choose search results window:
   - Click Start new search to look for computers with defined parameters.
   - Click Previous search results to choose the computers found in the previous search. If you have not performed any searches yet, this option will be absent.
7. If you have selected the Deploy via IP range option, the Computers Scan page opens. In the From Address and To Address boxes, enter the IP range (either IPv4 or IPv6) for which the network should be scanned. To find only one computer, enter the same IP address in both boxes. Click Scan.

8. If you have selected the Deploy on specific computers option, the Adding Computers page opens. Enter the names of computers on which Windows Clients must be installed in the box Name and click Scan. Use semicolon to separate computer names. Please note that you should enter the full name of the computer.
9. The scanning process starts. The list of found computers will be updated automatically. If it is not updated, click Refresh.
10. When the scanning process finishes, select check boxes next to the computers that you want to install the Clients on. Click Next.
11. The selected computers are added to the list on the Computers without Clients page.
12. If you want to remove some computers from this list, click Remove from list next to the selected computer.

Remote Windows Client Installation Process

When all computers for Windows Client installation are selected, you are ready to start installation. Please make sure that all selected computers are correctly adjusted.

To install the Windows Clients remotely, do the following:
1. On the Computers without Clients page, click Install.
2. On the Client Configuration page, define the name/IP of the Server to which the Windows Clients will connect, and define the Client configuration for the Clients you are installing. Click Next.
   NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers.
3. On the Installation credentials page, enter the credentials of a user with administrator permissions on the target computers for Client installation and then click Next.
   - If the computers are in a domain, enter the domain name and domain administrator account credentials.
   - If the computers are in a workgroup, enter the credentials of a local administrator for target computers. If you leave the Domain box empty, the entered credentials will be used as the credentials of a local user of a target computer and the Client will be installed under the <target PC name>\<user name> account.
   NOTE: All workgroup computers must have the same administrator account credentials. Otherwise, use the installation via installation package method to deploy the Clients.
4. The installation process starts. The progress of installation will be updated automatically on the Client installation page. If it is not updated, click Refresh.
5. After the end of the installation, the installed Clients will appear on the Clients page in the All Clients group. If the installation of some Clients fails, these computers will remain in the Computers without Clients list and you can click Retry to start the installation again.

Remote Installation from an Existing .INI File

If you already have an .ini file with defined settings generated in the Management Tool and saved to your computer, you can use it for installing the Windows Clients.

To install the Windows Clients remotely using an existing .ini file, do the following:
1. On the Computers without Clients page, click Install using existing .ini file.
2. On the INI file selection page, click Choose file to select the .ini file that will be used for configuration of new Clients. Please note, if any parameter except RemoteHost is absent or not valid, its value will be set to default. The RemoteHost parameter is ignored in this type of installation. The Windows Client will connect to the Server to which the Management Tool is connected.
3. Once the .ini file is chosen, click Next and continue the installation the same way as when installing the Clients remotely in a common way.

Installing Windows Clients Locally

About

You can install the Windows Clients locally using the Client installation file generated in the Management Tool. You have two options for downloading the Client installation file from the Management Tool:
- Generate the installation package and set the Windows Client configuration during generation.
- Use Client installation file (.exe) to install the Client with default parameters.

Windows Client Installation Package

The installation package consists of 2 components:
- A signed agent.exe installation file.
- An agent.ini text configuration file that contains the Windows Client installation parameters defining the Server to which the Client will connect, and the Client configuration.

The table below lists all the Windows Client installation parameters. If any parameter except RemoteHost is absent or not valid, its value will be set to default.

NOTE: The Forced User Authentication parameter can be set only during Client editing.

| Parameter | Description | Default Value |
|---|---|---|
| RemoteHost | A name or IP address of the computer on which the Server is installed. NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers. | No |
| ColourDepth | A colour scheme used for screenshots saving. 7: 4 bits (Grayscale), 8: 8 bits, bits. | 7 (4 bits (Grayscale)) |
| EnableActiveWindow | Screen captures will contain active window only. If the value is 1, the option is enabled; if the value is 0, disabled. | Disabled |
| MonitorUSBStorage | The Client will monitor plugged in USB-based storage devices. If the value is 1, the option is enabled; if the value is 0, disabled. | Enabled |
| EnableTimer | Screenshots will be created with a certain time interval. If the value is 1, the option is enabled; if the value is 0, disabled. | Disabled |
| Timer | A period of screenshot creation in seconds. This period can't be less than 30 seconds. This parameter is needed if the EnableTimer parameter is set. | 30 |
| EnableActivity | A screenshot creation when an active window is changed. If the value is 1, the option is enabled; if the value is 0, disabled. | Enabled |
| EnableWndNmChanges | A screenshot creation when a window name is changed. If the value is 1, the option is enabled; if the value is 0, disabled. | Enabled |
| SmoothMode | A screenshot creation on each event without timeout. If the value is 1, the option is enabled; if the value is 0, disabled. WARNING! This parameter affects CPU usage on the Client computer and database size. | Disabled |
| DisplayClientIcon | The Client tray icon displaying. If the value is 1, the Client tray icon is displayed; if the value is 0, hidden. | Disabled |

| Parameter | Description | Default Value |
|---|---|---|
| EnableKBandMouse | A screenshot creation on clicking and a key pressing. If the value is 1, the option is enabled; if the value is 0, disabled. | Enabled |
| EnableProtectedMode | The mode of Client work. If the value is 1, the protected mode is enabled; if the value is 0, disabled. | Disabled |
| EnableKeystrokes | Logging of a keystroke. If the value is 1, the option is enabled; if the value is 0, disabled. | Enabled |
| StartSessionOnKeyword | Starting monitoring on detecting a suspicious keyword in the keystrokes. If the value is 1, the option is enabled; if the value is 0, disabled. | Disabled |
| Keywords | A list of keywords, which being typed trigger the session start, separated with comma (e.g., drugs, medicine). Keywords are combined with OR logic; the LIKE operator is applied to the typed keywords (if drug is written, then drugstore will trigger the session start). | Empty |
| EnableClipboardMon | Logging of copy and paste operations. If the value is 1, the option is enabled; if the value is 0, disabled. | Enabled |
| URLMonitoring | Monitoring of URL addresses. If the value is 1, the option is enabled; if the value is 0, disabled. | Enabled |
| MonitorTopDomain | Monitoring of top and second-level domain names. If the value is 1, the option is enabled; if the value is 0, disabled. NOTE: This parameter works only if URLMonitoring=1. | Enabled |
| FilterState | Application filtering during monitoring. If the value is disabled, the application filtering is disabled and all applications are monitored. If the value is include, the application filtering is enabled in the Include mode, and only applications listed in FilterAppName or FilterAppTitle are monitored. If the value is exclude, the application filtering is enabled in the Exclude mode, and only applications not listed in FilterAppName or FilterAppTitle are monitored. | Disabled |

| Parameter | Description | Default Value |
| --- | --- | --- |
| FilterAppName | The list of application names separated with comma (e.g., word.exe, skype.exe). Names are combined with OR logic; the LIKE operator is applied to names (e.g., if word.exe is written then winword.exe will be monitored). | Empty |
| FilterAppTitle | The list of application titles separated with comma (e.g., Facebook, Google). Names are combined with OR logic; the LIKE operator is applied to titles (if Facebook is written, then Facebook-Messages will be monitored). | Empty |
| UserFilterState | User filtering during monitoring. If the value is disabled, activity of all users is monitored. If the value is include, the user filtering is enabled in the Include mode, and only activity of users listed in UserFilterNames is monitored. If the value is exclude, the user filtering is enabled in the Exclude mode, and only activity of users not listed in UserFilterNames is monitored. | Disabled |
| UserFilterNames | The list of user names separated with a semicolon (e.g., work\jane;work\john). Names are combined with OR logic. Using asterisk (*) as name/domain mask is allowed (e.g., *\administrator or *\admin*). | Empty |
| MonLogging | Creation of monitoring logs on the Client computer. 0 - monitoring logs creation is disabled, 1 - monitoring text log will be created in the LogPath location. | Disabled |
| LogPath | The path to the monitoring logs location. Using environment variables (%appdata%, %temp%, etc.) is allowed. | C:\Programdata\Ekran System\MonLogs |
| EnableForcedAuth | Additional identification of users that log in to the Client computer with server operating system. If the value is 1, the option is enabled; if the value is 0, disabled. | Disabled |

| Parameter | Description | Default Value |
| --- | --- | --- |
| EnableOneTimePassword | Additional option that allows the user to request a one-time password to get a temporary access to the Client computer with Windows Server operating system. If the value is 1, the option is enabled; if the value is 0, disabled. | Disabled |
| EnableTwoFactorAuth | The option that requires the user to enter a time-based one-time password to log in to the Client computer with Windows Server operating system. If the value is 1, the option is enabled; if the value is 0, disabled. | Disabled |
| NotificationMessage | The message that is displayed on user login to the system. | Disabled |
| EnableNotificationComment | Additional option that requires the user to comment the additional message displayed on login to the system. If the value is 1, the option is enabled; if the value is 0, disabled. | Disabled |
| RequireTicketNumber | Additional option that requires the user to enter a valid ticket number of an integrated ticketing system to start working with the Client machine. If the value is 1, the option is enabled; if the value is 0, disabled. | Disabled |

Generating Windows Client Installation Package

To generate an installation package, do the following:

1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Generate Client installation package (*.ini + *.exe).
6. On the Generate Installation Package page, define the name/IP of the Server to which the Clients will connect, and define the Client configuration to be applied to the Client and then click Next.
   NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers.
7. The installation package is successfully created and downloaded to your computer. The download settings depend upon the settings of your browser.
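The constraints stated in the parameter table above (the 30-second minimum for Timer, MonitorTopDomain depending on URLMonitoring, the SmoothMode warning, the allowed filter states) can be checked before a generated agent.ini is deployed. The following is an added example, not part of Ekran System: the sample file is constructed, and because the page shows section names only for the URL, filter and log keys, the check looks parameters up in any section.

```python
import configparser

# Constructed sample, not a file shipped with the product. The section names
# for the URL, filter and log keys follow the page's examples; putting the
# remaining keys under [AgentParameters] is an assumption, so the checks
# below look keys up regardless of section.
SAMPLE_INI = r"""
[AgentParameters]
RemoteHost=10.0.0.15
EnableTimer=1
Timer=10
SmoothMode=1
EnableProtectedMode=0
StartSessionOnKeyword=1
Keywords=
URLMonitoring=0
MonitorTopDomain=1

[FilterParameters]
FilterState=include
FilterAppTitle=
FilterAppName=
UserFilterState=exclude
UserFilterNames=*\admin*

[ActivityLogsParameters]
MonLogging=1
LogPath=%AppData%\EKRAN_Logs
"""

# The parameter table says "disabled"; the page's .ini examples write "disable".
FILTER_STATES = {"disabled", "disable", "include", "exclude"}


def load_params(text):
    """Flatten all sections into one dict with lower-cased keys."""
    # interpolation=None: values such as %AppData% must not be expanded
    # or rejected by configparser's own % syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    params = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            params[key] = value.strip()
    return params


def enabled(params, name, default):
    """True when a 0/1 parameter is 1; `default` is the documented default."""
    return params.get(name.lower(), default) == "1"


def audit(text):
    """Return (severity, parameter, message) findings for an agent.ini text."""
    p = load_params(text)
    findings = []

    def add(severity, name, message):
        findings.append((severity, name, message))

    if not p.get("remotehost"):
        add("error", "RemoteHost", "no Server name or IP address is set")
    if enabled(p, "EnableTimer", "0"):
        timer = p.get("timer", "30")
        if not timer.isdigit() or int(timer) < 30:
            add("error", "Timer", "period can't be less than 30 seconds")
    if enabled(p, "MonitorTopDomain", "1") and not enabled(p, "URLMonitoring", "1"):
        add("warning", "MonitorTopDomain", "works only if URLMonitoring=1")
    if enabled(p, "SmoothMode", "0"):
        add("warning", "SmoothMode", "affects Client CPU usage and database size")
    if enabled(p, "StartSessionOnKeyword", "0") and not p.get("keywords"):
        add("warning", "Keywords", "keyword-triggered start has no keywords")
    for state_key, list_keys in (
        ("FilterState", ("FilterAppName", "FilterAppTitle")),
        ("UserFilterState", ("UserFilterNames",)),
    ):
        state = p.get(state_key.lower(), "disabled").lower()
        if state not in FILTER_STATES:
            add("error", state_key, "unknown value %r" % state)
        elif state == "include" and not any(p.get(k.lower()) for k in list_keys):
            add("warning", state_key, "include mode with an empty list")
    if not enabled(p, "EnableProtectedMode", "0"):
        add("info", "EnableProtectedMode",
            "users can edit Client data, registry settings and files")
    return findings


if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE_INI):
        print("%-7s %-20s %s" % (severity, name, message))
```
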

Installing Windows Clients Locally with Custom Monitoring Parameters

To install the Windows Client locally using the installation package, do the following:

1. Copy the package (the agent.exe installation file and the agent.ini file) to the target computer.
2. Start the agent.exe installation file under the administrator account on the target computer.
3. After the package is deployed, the name of the required computer appears on the Client Management page in the Management Tool.

Downloading Windows Client Installation File (.exe)

To download the file for Windows Client installation, do the following:

1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Download default Client Installation (*.exe).
6. File downloading starts. The download settings depend upon the settings of your browser.

Installing Windows Clients Locally without .ini File

This type of installation allows you to install the Windows Clients with the default configuration. This way you will need only an agent.exe file for Client installation. The agent.ini file with the default parameters will be generated automatically.

To install the Windows Client locally using the installation package on the target computer:

1. Copy the downloaded agent.exe file to the target computer and do one of the following:
   - Start the agent.exe installation file under the administrator account on the target computer. Then in the opened window, enter the name or IP address of the computer on which the Server is installed and after that click Install.
   - In the Command Prompt (cmd.exe) started under administrator, enter agent.exe /ServerName=<Server Name>.
2. After the package is deployed, the installed Client appears in the list on the Client Management page in the Management Tool.

Installation via Third Party Software

If you want to install the Windows Client via a third-party tool (e.g., via System Center Configuration Manager, Active Directory, etc.), download the Client installation file and use the following command: agent.exe /ServerName=<Server Name>. The Client will be installed with a default configuration.

Installing Windows Client on Amazon WorkSpace

To install the Windows Client on Amazon WorkSpaces, do the following:

1. Download the Client installation file.
2. Connect to the Amazon WorkSpace and run the Client installation file (.exe).
3. Open the Windows Registry Editor and select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
4. Double-click the AgentGUID value, or select it and click Modify in the context menu.
5. Remove the ID from the Value Data box and click OK.
   NOTE: You will not be able to edit the registry values in the Protected Mode.
6. In the Amazon WorkSpaces management console, do the following:
   - Create an image of the Amazon WorkSpace with installed Windows Client.
   - Create a bundle from the newly created image.
   - Create new Amazon WorkSpaces from the newly created bundle.
7. All new Amazon WorkSpaces created from the bundle will automatically connect to the Ekran Server.

NOTE: Make sure that Ekran Server is allowed to accept TCP connections via 9447 and 9449 ports for connection between Ekran Server and Ekran Clients.

Cloning a Virtual Machine with Installed Client

Each Windows Client has its own unique ID, which it receives when it connects to the Server. When you prepare a virtual machine, which is to be monitored, for cloning, you need to remove the Client ID to ensure the proper Client connection to Server.

To remove the Client ID, do the following:

1. Make sure the Client is offline (does not have any connection with the Server).
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
4. Double-click the AgentGUID value, or select it and click Modify in the context menu.
5. Remove the ID from the Value Data box and click OK.
   NOTE: You will not be able to edit the registry values in the Protected Mode.

Unassigning License on Virtual Machine Shutdown

If Ekran Windows Client is used on virtual machines, in some cases the master image might be used multiple times. To prevent wasting Client licenses when this occurs, you can configure the Client license to be unassigned on the virtual machine shutdown.

Before configuring a virtual machine image, you have to create a cmd file (for example, uninstall_client.cmd) containing the following command-line command:

    start /wait <path to EkranClient.exe> -uninstwl <uninstallation key>

For example (default installation parameters used):

    start /wait C:\Progra~1\EkranS~1\EkranS~1\Client\EkranClient.exe -uninstwl allowed

To configure the image of the virtual machine with the Client for the license to be unassigned on shutdown:

1. Start your virtual machine image.
2. Configure the system and install the necessary software.
3. Install Ekran Client (via remote installation or locally) with the Protected Mode option disabled.
4. Open the Windows Registry Editor.
5. In the Registry Editor window, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
6. Double-click the AgentGUID value, or select it and click Modify in the context menu.
7. Remove the ID from the Value Data box.
8. Click OK.
9. Copy uninstall_client.cmd to the target folder on your virtual machine.
10. Run the Command Prompt (cmd.exe) as administrator.
11. Enter the gpedit command.
12. In the Local Group Policy Editor window, select Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown) -> Shutdown.
13. In the Shutdown Properties window, click Add and select the uninstall_client.cmd file.
14. Click OK.
15. Create the master snapshot (gold image).
16. From now on, whenever you start the virtual machine using this image, the Client is going to connect to the Server as a new Client and get a license assigned to it. Whenever the virtual machine is shut down, the license is going to be unassigned from the Client.

NOTE: If you need the license to be unassigned on Logoff, you have to edit the Logoff script in a similar way in the Local Group Policy Editor (User Configuration -> Windows Settings -> Scripts (Logon/Logoff) -> Logoff -> Properties).

Updating Windows Clients

The Client updating is performed automatically when a Windows Client connects to the Server of a newer version. When the Windows Client is updated, you will still be able to access its monitored data that was received before the update.

NOTE: During the Windows Client updating, the Client status in the Management Tool is offline.

In some cases, if you install a newer version of the Server, Windows Clients of very old versions will not be able to update. In this case you need to uninstall the old Client and install a new version of a Client manually.

Reconnecting Windows Clients to another Server

If you want to reconnect the Windows Clients to another Server, start the remote installation from that Server. The Clients will be reconnected.

Please note that this way of reconnection can be used only for the Clients that work in the non-protected mode. If your Clients work in the protected mode, first disable the protected mode and then reconnect the Clients.

Uninstalling Windows Clients

About

Windows Clients can be uninstalled locally or remotely. It is possible to uninstall the Windows Client locally only with the help of the Uninstallation key.

After remote uninstallation, the Client stops sending its data to the Server, but its data is not deleted from the Server and the Client is displayed in the Management Tool.

After local uninstallation, the Client stops sending its data to the Server, but the Client is not marked as uninstalled on the Server. That is why the Client status in the Management Tool becomes offline after local uninstallation.

To delete the Client from the Server (with all its captured data) and from the Management Tool, follow the steps described in the Deleting the Windows Client section.

Client Uninstallation Key

During the Server installation, it is possible to define the Client Uninstallation key. By default, this key is allowed. The Client Uninstallation key is used during the local Client uninstallation.

The user is able to view or change the Client Uninstallation key in the Management Tool. If you change the Uninstallation key, the Windows Client will receive it after connection to the Server. If the Client has not connected to the Server yet, then its Uninstallation key is allowed. If the Client has not connected to the Server after the Uninstallation key has been changed, the Client has to be uninstalled with the help of an old Uninstallation key.

To change the uninstallation key, do the following:

1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Uninstallation Key.
4. On the Custom Uninstall Key page, enter the new uninstallation key in the New Key field.
5. Re-enter the new uninstallation key in the Confirm Key field and then click Save.
6. The uninstallation key is changed.

Uninstalling Windows Clients Remotely

To uninstall a Windows Client, do the following:

1. Log in to the Management Tool as a user that has the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
   NOTE: This option is not displayed if the Client is already uninstalled or you do not have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.

To uninstall several Windows Clients, do the following:

1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission opens.
6. Select the Clients that you want to uninstall and click Next. To find a specific Client, enter its name or a part of its name in the Contains box and click Apply Filters.
7. Make sure you have added all necessary Clients to the uninstallation list and click Uninstall.
8. The selected Clients are uninstalled.

Uninstalling Windows Clients Locally

It is possible to uninstall the Windows Client locally only with the help of the Uninstallation key that is defined during the Server installation or in the Management Tool.

To uninstall the Windows Client locally, do the following:

1. Run the Command Prompt (cmd.exe) as administrator.
2. In the Command Prompt, go to the Client installation folder. By default, it is located here: C:\Program Files\Ekran System\Ekran System
3. Enter the following command: UninstallClient.exe /key=<uninstallation key> /s.
4. Press Enter.
5. The Client is successfully uninstalled.

NOTE: If you do not add the /s parameter to the uninstallation command, the confirmation message for uninstalling the Client will be displayed on the Client computer.

Viewing Windows Clients

Windows Clients are displayed in groups on the Client Management page. If the user has an administrative Client installation and management permission, they will see all Clients. Otherwise, the user will see only those Clients for which they have at least one Client permission.

The list of Clients contains the following information:

- Client name
- Status
- Domain
- IPv4
- IPv6
- Description

Please note, if there are several network cards on the Client computer, only those IPv4 and IPv6 addresses used by Windows Clients will be displayed in the Management Tool.

You can filter Windows Clients in the following ways:

- To sort Clients by operating system, click the OS column header.
- To find Windows Clients only, select the Hide Linux Clients option and click Apply Filters.
- To find Clients by their host name or description, enter the name/description or a part of it in the Contains box and click Apply Filters.
- To hide offline/online/uninstalled/licensed Clients, select the corresponding option in the Filtering pane and click Apply Filters.

On the Client Management page you have the following options: Add Client Group, Install Clients, Manage Licenses, Edit Uninstallation Key, Uninstall Clients, Delete Clients, Edit Client Configuration and Edit Client Groups. The number of available options depends upon permissions.

Windows Client Description

Client description is used as additional information about your Windows Clients, which makes it easier to find a specific Client. You can filter your Clients by their descriptions as well as by their names.

Client description can be defined on the Editing Client page on the Properties tab. To edit the description for the Windows Client, enter it in the Description box and click Finish.

Windows Client Configuration

About

Windows Client Configuration includes its monitoring parameters (screen capture creation, keystrokes logging, Client mode, etc.). The Client configuration can be defined in the .ini file, which is included in the installation package. You can set the Client configuration during remote installation and during Client editing.

NOTE: The Forced User Authentication and One-Time Password parameters can be set only during Client editing.

Protected Mode Parameter

The Windows Client can work in two modes:

- Non-protected mode: a regular mode without enhanced Client security.
- Protected mode: a mode with enhanced Client security: the user is not able to edit Client data (log files, generated screen captures), edit Client settings in the registry, or edit/remove/modify/rename Client files (*.exe and *.dll).

The protected mode can be enabled when installing, updating, or editing the Client. If the protected mode is enabled during Client installation, this change will come into effect immediately. If the protected mode is enabled during Client editing, this change will come into effect after the computer is rebooted.

NOTE: It is impossible to reconnect the Client working in protected mode to another Server. In such a situation, you will have to uninstall the Client locally or change its mode to non-protected.

Client Tray Icon Parameter

The Client tray icon is displayed to notify the users that their actions are being monitored when they log into the Client computer and while they are working on it. This feature can be enabled during Clients installation and editing in the Management Tool. If the Display Client tray icon option is enabled, the Client will display a tray notification to inform the logged-in users that they are being monitored by a Server.

Screen Capture Creation Parameters

Screen captures are the main result of the Windows Client monitoring activity. You can define the following parameters of Client screen captures:

- Screen capture settings:
  - Bit depth: By default, screen captures are grayscale with 4 bit colour depth. This guarantees the smallest database size with a normal screen capture quality. You can also set colour depth to 8 bits or 24 bits.
  - Capture active window only: By default, screen captures of the complete screen are created. If this option is selected, only the current active window will be displayed on a screen capture. This option is recommended to be used along with the application filtering to fully prevent sensitive data from being monitored.
- Screen capture frequency settings: These options allow you to define how often the screen captures on the Client computer will be created. Screen capture creation can be initiated by one of the following triggers:
  - Time interval: Screen captures are created with a certain time interval, irrespective of whether something changes on the screen or not. The minimal time interval is 30 seconds.
  - Active window change: Screen captures are created on the change of the active window. For example, a new window opens (program starts), a new tab in the browser opens, any secondary window opens, etc. (influences the keystroke logging as well).
  - Active window title change: Screen captures are created on the change of the name of the active window (influences the keystroke logging as well).
  - Clicking or key pressing: Screen captures are created on each mouse click or keyboard key pressing. Please note, the screen captures in this mode are sent no more often than once every 3 seconds, to avoid affecting the performance of the Client computer and increasing the database size.
  - Each event without timeout: Screen captures are created on each mouse click or keyboard key pressing without using the data sending timeout.

WARNING! The Capture screen on each event without timeout option affects CPU usage on the Client computer and database size. It is not recommended to use this option for a great number of Clients and for a long period of time.

Keystroke Logging Parameter

If Enable keystroke logging option is enabled, the Windows Client logs keystrokes along with the screen capture creation. The Windows Client logs the following types of keystrokes:

- Character keys: Keys that contain alphabet symbols (upper or lower case), numerals (0-9), all kinds of punctuation symbols, and space.
- Modifiers: This group of keys includes Control key, Shift key, Alt key, and Windows key.
- Navigation and typing modes: The arrow keys, Home/End, Page Up/Page Down, Tab, Insert, Delete/Backspace, Enter, and Lock keys (Num Lock, Scroll Lock, and Caps Lock).
- System commands: Print Screen, Menu, Escape, and Break/Pause key.
- Function keys: Keys that perform some functions, such as printing or saving files. Usually, they are labelled as F1-F12 and are located along the top of the keyboard.

Start Monitoring on Keyword Parameter

If the Start monitoring after detecting one of the following keywords option is enabled, the Client starts recording the user activities only after the user enters one of the specified keywords. The Client continues recording the user activities until the session is finished. A new session will be recorded after detecting one of the specified keywords again.

For the sessions start to be triggered by specific words or phrases, define them separating from each other with comma (,), semicolon (;), or paragraph. The words in phrases must be always separated with spaces.

Clipboard Monitoring Parameter

The clipboard monitoring allows you to monitor the Cut, Copy, and Paste operations performed on the Client computers. If the Enable clipboard monitoring option is enabled, the Client logs the text data, which has been copied or cut, and then pasted by using either the context menu commands or such key combinations as Ctrl+C, Ctrl+Ins, Ctrl+X, Shift+Del, etc. The logged text data is displayed in the Text Data column in the Session Player. For more information, see the Viewing clipboard text data chapter.

Monitoring Log Parameter

Monitoring logs are text files created on the Client computer. If the Enable creating log files of the monitored events option is enabled, two log files will be created on the Client computer:

- Client_<yyyy_mm_dd>: The log includes the following information on monitored activities on the Client computer: activity time, session ID, Client computer name (host name), user name, activity title, and application name.

- Login_<yyyy_mm_dd>: The log includes the following information on all user logins to the Client computer: login time, Client computer name (host name), and user name.

Both logs are stored in the user defined location. You can use the environment variables (%appdata%, %temp%, etc.) when defining the path. If this location is not accessible or write-protected, logs are saved to <systemdisk>\programdata\ekran System\MonLogs.

If you change the log files location via the Management Tool, the new log files will be created in the defined location and the old log files (if any) will remain in the previous location.

NOTE: Please do not confuse monitoring logs with Client activity logs (service logs for internal use) stored in <client installation folder>\activitylogs.

Parameters examples:

Do not create monitoring logs

.ini File Parameters:
[ActivityLogsParameters]
MonLogging=0
LogPath=

Parameters Set in Management Tool: On the Monitoring options tab, make sure that the Enable creating log files of the monitored events option is not selected.

Create monitoring logs in the default location %ProgramData%\EKRAN\MonLogs

.ini File Parameters:
[ActivityLogsParameters]
MonLogging=1
LogPath=

Parameters Set in Management Tool: On the Monitoring options tab, make sure that the Enable creating log files of the monitored events option is selected.

Create monitoring logs in the C:\1\Logs folder

.ini File Parameters:
[ActivityLogsParameters]
MonLogging=1
LogPath=C:\1\Logs

Parameters Set in Management Tool: On the Monitoring options tab, do the following:
1. Select the Enable creating log files of the monitored events option.
2. In the Log files creation field, type C:\1\Logs.

Create monitoring logs in the <current user profile>\appdata\ekran_logs

.ini File Parameters:
[ActivityLogsParameters]
MonLogging=1
LogPath=%AppData%\EKRAN_Logs

Parameters Set in Management Tool: On the Monitoring options tab, do the following:
1. Select the Enable creating log files of the monitored events option.
2. In the Log files creation field, type =%AppData%\EKRAN_Logs.

URL Monitoring Parameters

The URL monitoring option enables recording the text entered in the browser address line at the moment of screen capture creation and allows the investigator to receive information about websites visited by the user of the Client computer. This feature also allows you to set an alert to send notifications each time when the user opens the forbidden URL.

The monitored URL addresses are displayed in the Management Tool on the Session Viewer page in the URL column and in the Details pane.

There are several restrictions for the URL monitoring option in the current version of the program:

- Only URLs from the standard browsers (Firefox, Chrome, Opera, and Internet Explorer) are monitored.
- URLs from Metro versions of browsers Chrome/Internet Explorer are not monitored.
- URLs entered in web anonymizers are not monitored. Please note that proxy server anonymizers are supported.
- If there is no address line in the browser (e.g., due to user's settings), URLs are not monitored.
- Unicode symbols in domain names (e.g., Russian) are not monitored.

If the Enable URL monitoring option is selected in the Management Tool, you can also select the Monitor top and second-level domain names only option. In this case only the main part of the URL (e.g., example.com) will be monitored.

Parameters examples:

.ini File Parameters:
[AgentParameters]
URLMonitoring=0
MonitorTopDomain=0

Parameters Set in Management Tool: On the Editing Client page, on the Monitoring Options tab, clear the Enable URL monitoring option.

Example of monitored data (activity title): John Doe - Google Chrome

.ini File Parameters:
[AgentParameters]
URLMonitoring=1
MonitorTopDomain=0

Parameters Set in Management Tool: On the Editing Client page, on the Monitoring Options tab, select the Enable URL monitoring option.

Example of monitored data (activity title): John Doe - Google Chrome (URL: John.doe)

.ini File Parameters:
[AgentParameters]
URLMonitoring=1
MonitorTopDomain=1

Parameters Set in Management Tool: On the Editing Client page, on the Monitoring Options tab, select the Enable URL monitoring option, then select the Monitor top and second-level domain names only option.

Example of monitored data (activity title): John Doe - Google Chrome (URL:

Application Filtering Parameters

Application filtering allows you to reduce the amount of information received from the Windows Client by defining applications whose data will be skipped during the monitoring.

The Application filtering can be in one of three states:

- Disabled: User activity in all applications is monitored (screen captures are created and keystrokes are logged).
- Include: User activity in predefined applications is monitored. Information on all other activity is skipped. This mode allows you to enable monitoring only of the important applications.
- Exclude: User activity in all applications except predefined ones is monitored. This mode allows you to skip information about user activity in non-suspicious applications (for example, Word).

The applications are identified by name or window title. Both parameters are combined with OR logic, i.e., if activity meets at least one of the conditions, it's recorded in the Include mode or skipped in the Exclude mode.

Application filtering is recommended to be used along with the enabled Capture active window only option to fully prevent sensitive data from being monitored.

Parameters examples:

Monitor all data without applying filters

.ini File Parameters:
[FilterParameters]
FilterState=disable
FilterAppTitle=
FilterAppName=

Parameters Set in Management Tool: On the Application Filtering tab, in the Filter State box, select Disabled.

Monitor only data from all applications containing Facebook or Gmail in the title

.ini File Parameters:
[FilterParameters]
FilterState=include
FilterAppTitle=Facebook,Gmail
FilterAppName=

Parameters Set in Management Tool: On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor only activity matching defined parameters.
2. In the Active window title contains box, type Facebook, Gmail.

Monitor only data from all applications containing Firefox or Internet in the application names

.ini File Parameters:
[FilterParameters]
FilterState=include
FilterAppTitle=
FilterAppName=Firefox,Internet

Parameters Set in Management Tool: On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor only activity matching defined parameters.
2. In the Application name contains box, type Firefox, Internet.

Monitor only data from applications containing Firefox, Chrome or Internet in the application names (any title) and applications with the Facebook word in the title (any name)

.ini File Parameters:
[FilterParameters]
FilterState=include
FilterAppTitle=Facebook
FilterAppName=Firefox,Chrome,Internet

Parameters Set in Management Tool: On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor only activity matching defined parameters.
2. In the Active window title contains box, type Facebook.
3. In the Application name contains box, type Firefox, Chrome, Internet.

Monitor all data except data from applications containing words Work or Doc in the title

.ini File Parameters:
[FilterParameters]
FilterState=exclude
FilterAppTitle=work,doc
FilterAppName=

Parameters Set in Management Tool: On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor all activity except.
2. In the Active window title contains box, type Work, doc.

Monitor all data except data from applications containing words Word or Excel in the application names

.ini File Parameters:
[FilterParameters]
FilterState=exclude
FilterAppTitle=
FilterAppName=word,excel

Parameters Set in Management Tool: On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor all activity except.
2. In the Application name contains box, type Word, Excel.

Monitor all data except data from applications containing the Word word in the application name or the doc word in the title

.ini File Parameters:
[FilterParameters]
FilterState=exclude
FilterAppTitle=doc
FilterAppName=word

Parameters Set in Management Tool: On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor all activity except.
2. In the Active window title contains box, type doc.
3. In the Application name contains box, type Word.

User Filtering Parameters

User filtering allows you to reduce the amount of information received from the Windows Client by defining computer users whose data will be skipped during the monitoring. User filtering affects both primary and secondary users.

The User filtering can be in one of three states:

- Disabled: Activity of all users is monitored.
- Include: Activity of predefined users is monitored. Information on the activity of all other users is skipped.
- Exclude: Activity of all users except predefined ones is monitored. This mode allows you to skip information about the activity of particular users (for example, administrator).

You can define user names for filtering by entering them manually or by clicking Add Users and selecting users from the list.

When you enter user names manually, they must be entered as <domain name>\<user name> and separated with comma (,), semicolon (;), or paragraph. You can also use asterisk (*) as name/domain mask (e.g., *\administrator or *\admin*).

When you click Add Users, the Adding Users page opens. Please note, only those users whose activities have already been monitored are listed. Select the user names to be added and click Add selected.

NOTE: If you select a user with the Forced User Authentication on the Adding Users page, e.g., WORK\janet (jan), you need to change parentheses in the User names box to semicolon, i.e., WORK\janet;jan.

Parameters examples:

Monitor all user activity without applying filters

.ini File Parameters:

[FilterParameters]
UserFilterState=disable
UserFilterNames=

Parameters Set in Management Tool:

On the User Filtering tab, in the Filter State box, select Disabled.

Monitor only the activity of the janet user or joe user in the work domain

.ini File Parameters:

[FilterParameters]
UserFilterState=include
UserFilterNames=WORK\janet;WORK\joe

Parameters Set in Management Tool:

On the User Filtering tab, do the following:
- In the Filter State box, select Monitor only activity of selected users.
- In the User names box, enter work\janet,work\joe manually or select the users from the list.

Monitor the activity of all users except the users with administrator login (both local and domain)

.ini File Parameters:

[FilterParameters]
UserFilterState=exclude
UserFilterNames=*\administrator

Parameters Set in Management Tool:

On the User Filtering tab, do the following:
- In the Filter State box, select Monitor activity of all users except.
- In the User names box, enter *\administrator, using asterisk (*) as a name/domain mask.

Monitor only the activity of the janet Ekran system user name used for secondary authentication

.ini File Parameters:

[FilterParameters]
UserFilterState=include
UserFilterNames=WORK\janet;janet

Parameters Set in Management Tool:

On the User Filtering tab, do the following:
- In the Filter State box, select Monitor only activity of selected users.
- In the User names box, enter work\janet;janet manually or select the user from the list.
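An added example (not part of the Ekran System documentation or product code): it reads the UserFilterState and UserFilterNames parameters described above and reports which sessions a filter would leave unrecorded, so that an exclusion mask such as *\administrator can be reviewed before it is deployed. It assumes case-insensitive matching and that a session matches when either its primary or its secondary login matches a mask; the session list and the WORK\svc_* mask are constructed.

```python
import configparser
import re

# Constructed sample .ini fragment using the parameter names shown on this page.
SAMPLE_INI = r"""
[FilterParameters]
UserFilterState=exclude
UserFilterNames=*\administrator;WORK\svc_*
"""

# Constructed sessions: (primary Windows login, secondary login or None).
SAMPLE_SESSIONS = [
    (r"WORK\janet", None),
    (r"WORK\Administrator", None),
    (r"SRV01\administrator", "jan"),
    (r"WORK\svc_backup", None),
    (r"WORK\admin2", None),
]

VALID_STATES = {"disable", "include", "exclude"}


def parse_user_filter(ini_text):
    """Return (state, masks) from the [FilterParameters] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    section = cfg["FilterParameters"]
    state = section.get("UserFilterState", "disable").strip().lower()
    if state not in VALID_STATES:
        raise ValueError(f"unknown UserFilterState: {state!r}")
    raw = section.get("UserFilterNames", "")
    # Names are separated by a comma, a semicolon, or a new paragraph.
    masks = [m.strip() for m in re.split(r"[,;\r\n]+", raw) if m.strip()]
    return state, masks


def mask_to_regex(mask):
    """Translate a mask in which only '*' is a wildcard into a regex."""
    body = ".*".join(re.escape(part) for part in mask.split("*"))
    # Assumption: login names are compared case-insensitively.
    return re.compile(body, re.IGNORECASE)


def is_monitored(state, masks, primary, secondary=None):
    """Decide whether a session is recorded under the given filter."""
    if state == "disable":
        return True
    # Assumption: a mask hit on either login counts as a match.
    identities = [primary] + ([secondary] if secondary else [])
    hit = any(mask_to_regex(m).fullmatch(i) for m in masks for i in identities)
    return hit if state == "include" else not hit


def coverage_report(ini_text, sessions):
    """List monitored and skipped sessions, plus wildcard exclusions to review."""
    state, masks = parse_user_filter(ini_text)
    report = {"state": state, "monitored": [], "skipped": [],
              "wildcard_exclusions": []}
    for primary, secondary in sessions:
        key = "monitored" if is_monitored(state, masks, primary, secondary) else "skipped"
        report[key].append(primary)
    if state == "exclude":
        # A wildcard in an exclusion can skip more accounts than intended.
        report["wildcard_exclusions"] = [m for m in masks if "*" in m]
    return report


if __name__ == "__main__":
    for field, value in coverage_report(SAMPLE_INI, SAMPLE_SESSIONS).items():
        print(field, value)
```

Running the report against the logins already seen in monitoring results shows which accounts a proposed mask removes from recording before the configuration is applied.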

Forced User Authentication Parameter

Forced User Authentication provides a method for an additional identification of users that log in to the Client computer. This feature can be enabled only for Clients installed on computers with Windows Server operating system and it cannot be set during Client installation.

If the Enable secondary user authentication on log-in option is enabled, the Client will display the secondary authentication window on the user login to Windows.

NOTE: Forced User Authentication can only be enabled during Client editing in the Management Tool.

One-Time Password Parameter

The one-time password option allows a user to request a one-time password in order to log in to the Client computer. This feature can be enabled only for Clients installed on computers with Windows Server operating system.

The Allow using one-time password option is available only if the Enable secondary user authentication on log-in option is selected. The users' requests for one-time passwords are sent to the addresses specified for the Client during the Client editing. For more information, see the Forced user authentication on Clients chapter.

NOTE: The one-time password option is available only if you have an activated Enterprise serial key.

Two-Factor Authentication Parameter

The Two-Factor Authentication option allows you to require the users to additionally enter the time-based one-time passwords (TOTP) generated via their mobile applications (e.g., Google Authenticator) to log in to the Windows Server Client machines.

If the Enable two-factor authentication option is enabled, the Client will display the additional TOTP window on the user login to Windows.

NOTE: Two-Factor Authentication can be enabled only during Client editing in the Management Tool.

Additional Message on User Login Parameter

The additional message on user login allows you to inform the user that their actions are being monitored and also notify them about corporate policies or the country law.

If the Enable displaying additional message option is enabled, the Client will display the additional notification message on the user login to Windows. After the user confirms acknowledging the message, they will be allowed to log in and continue working. For more information, see the Enable displaying additional message chapter.

User's Comment Parameter

The user's comment option allows you to require the user to comment on the additional message displayed on login in order to allow the Ekran System administrator to be informed about the user activity.

The user's comment option is available only if the Enable displaying additional message option is selected. If the Require user's comment option is enabled, the Client will prompt the user to comment on the additional message displayed on login. After the user enters a comment, they will be allowed to start working with the system. For more information, see the Enabling user's comment option chapter.

Ticket Number Parameter

The ticket number option allows you to require the user to enter a valid ticket number created in the integrated ticketing system to start working with the Client machine.

The ticket number option is available only if the Require user's comment option is selected. If the Require ticket number option is enabled, the Client will prompt the user to enter a valid ticket number in the additional message window displayed on login. After the user enters a valid ticket number and comments on the additional message, they will be allowed to start working with the system.

NOTE: The Require ticket number option is available only if you have an activated Enterprise serial key.

Editing Windows Client Configuration

You can edit the Client configuration for online and offline Clients. The configuration for online Clients will be applied immediately. The configuration for offline Clients will be applied as soon as the Client is online.

The newly installed Clients have Custom configuration that can be edited for each Client individually. When the Clients are added to the group, they can either still have their Custom configuration or they can inherit configuration from the group. If the group configuration is changed, the Client configuration that is inherited from this group is changed as well.

To edit the Windows Client custom configuration, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Windows Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.

NOTE: If you do not have the Client configuration management permission for this Client, the configuration options will be disabled.

4. On the Editing Client page, on the Properties tab, do the following:
- Optionally, define the description for the Client.
- Select the type of license to be assigned to the Client.
- Select the type of settings to be applied to the Client:
  o If the Custom settings type is selected, you can edit all Client settings.
  o If the Inherited from <Client group> settings type is selected, the Client settings are inherited from the selected Client group and these settings cannot be changed.
5. On the Screen Capture Options tab, do the following:
- Define screen captures creation frequency.
  WARNING! The Capture screen on each event without timeout option affects CPU usage on the Client computer and database size. It is not recommended to use this option for a great number of Clients and for a long period of time.
- Define the required screen capture quality.
- Select the Capture active window only option if you want the Client to create screen captures of the active window only.
6. On the Monitoring Options tab, do the following:
- Select the Enable keystroke logging option to enable the keystroke logging.
- Select the Start monitoring after detecting one of the following keywords option if you want the Client to start recording the user activities only after the user enters one of the specified keywords on the Client computer.
- Select the Enable clipboard monitoring option to enable monitoring of the Windows Clipboard text data.
- Select the Enable creating log files of the monitored events option to enable creation of monitoring logs on the Client computer and define log files location.
- Select the Enable URL monitoring option to receive information about websites visited by the user of the Client computer. Select the Monitor top and second-level domain names only option to monitor only the main part of the URL (e.g., example.com).

7. On the Application Filtering tab, define the application filtering parameters for the Client.
8. On the User Filtering tab, define the user filtering parameters for the Client.

9. On the Authentication options tab, do the following:
- Select the Enable displaying additional message option if you want to enable additional message on user login, and then enter the message to be displayed to a user.
- Select the Require user's comment option if you want the user to comment on the additional message displayed on login.
- Select the Require ticket number option if you want the user to enter a valid ticket number to start working with the system.
- For Clients installed on the computer with server operating system, select the Enable secondary user authentication on log-in option if you want to enable the additional authorization for users that log in to the Client computer.
- Select the Allow using one-time password option if you want to allow users to use one-time passwords to log in to the Client computer with Windows Server operating system. Then define the address of the administrator to receive user's requests. You can define several addresses, separating them with a semicolon (;).
- Select the Enable two-factor authentication option if you want to require the users to enter the time-based one-time passwords to log in to the Client computers with Windows Server operating system.
10. After defining the configuration, click Next to proceed to defining Client Groups to which the Client belongs and permissions on working with it, or click Finish to accept changes.
11. A new configuration will be immediately applied to the Client.

Viewing Windows Client Configuration

The Windows Client configuration can be viewed by a user that has an administrative Client installation and management permission or any Client permission.

To view the Windows Client configuration, do the following:
1. Log in to the Management Tool.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the required Client and click Edit Client.
4. On the opened page, you will see the tabs with the corresponding configuration parameters.

Forced User Authentication on Windows Clients

About

If the Client is installed on the computer with Windows Server operating system and several users may use the same account to log in to this computer, it is important to identify the person using the account. The identification can be performed by means of Forced User Authentication, which requires the user to enter additional credentials in the pop-up dialog after logging in.

The user can either enter the credentials of the Ekran System user, which has the Access Client computer permission, or use their email and the generated one-time password (if such option is enabled for the Client computer). The secondary login will then be displayed in the Client Sessions list in brackets next to the primary login under which the user is logged in to Windows.

NOTE: The one-time password feature is available only if you have an activated Enterprise serial key.

The forced user authentication works only if there is a connection between the Client computer and the Server computer. If the connection with the Server computer is lost (the Server is unavailable), the pop-up dialog for entering secondary credentials will not be displayed.

NOTE: In some situations (e.g., after the forced restart) the Client service does not start during one minute after the computer turning on. In these situations forced authentication will not work.

Enabling Forced User Authentication on Windows Client

The Forced User Authentication parameter can be set only during Client editing and is available only for the Clients installed on the computers with Windows Server operating system.

To enable Forced User Authentication on the Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to enable Forced User Authentication, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Editing Client page, on the Authentication options tab, select the Enable secondary user authentication on log-in option.
5. Optionally, select the Allow using one-time password option and enter the administrator address into the Send emails to box. The requests for the one-time passwords will be sent to the specified addresses. You can enter several addresses, separating them with a semicolon.

6. Click Finish.
7. If the Client is installed on Windows Server 2003, the computer must be restarted after enabling or disabling the forced authentication mode. On Windows Server 2016, Windows Server 2012, and Windows Server 2008, the forced authentication mode is enabled immediately.

Granting the User Permission to Log In

To grant an Ekran System user a permission to log in to the Client computer with a server operating system and enabled forced user authentication, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Edit the Active Directory or internal user who will log in to the Client computer, or add a new one.
3. During the user adding, on the Client Permissions tab, click Edit Permissions for the required Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. In the opened Client Permissions window, select the Access Client computer option and then click Save.
5. Click Finish.

Managing One-Time Passwords

About

The one-time password can be generated either on user's request or without it by the Ekran System user with the Client configuration management permission. The one-time password option can be enabled only along with the forced user authentication option during Client editing in the Management Tool.

NOTE: The one-time password option is available only if you have an activated Enterprise serial key.

Generating One-Time Password

Generating One-Time Password on User Request

When the user requests a one-time password for logging into the Client computer, the user request is sent to the address of the administrator defined for the Client in the Client configuration. On the Access Management page, on the One-time Password tab, the requested password is displayed with the Requested state.

NOTE: For the administrator to receive the requests correctly, make sure that on the Authentication Options tab of the Clients the valid addresses are defined.

To generate a one-time password using the link, open the received email with a request for a one-time password and click the navigation link for the password generation. The one-time password will be automatically generated and sent to the user's address.

To generate a one-time password via the One-Time Passwords page, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-Time Passwords tab.
4. On the One-Time Passwords tab, click the Generate link for the user request with the Requested state.
5. The one-time password is automatically generated and sent to the user address.

Generating One-Time Password without User Request

To generate a one-time password without user request, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-Time Passwords tab.
4. On the One-Time Passwords tab, click Generate Password.

5. The One-Time Password Generation window opens.
6. Enter the following parameters and then click Generate:
- Client name: Select the needed Client from the list.
- User name: Optionally, enter the user name.
- User's confirmation: Define the user address to which the generated one-time password will be sent.
- Comment: Enter your own comment or leave the default one. The default comment is Generated without request.
7. The one-time password is generated and sent to the specified address.

Viewing One-Time Passwords

On the Access Management page, on the One-time Passwords tab, the grid with the following information is displayed:
- Time Requested: Displays the date and time the one-time password was requested. For one-time passwords which were generated without the user's request, the N/A value is displayed.
- Time Generated: Displays the date and time the one-time password was generated.
- Client Name: Displays the name of the Client computer for which the one-time password was requested or generated.
- User: Displays the user name of a user for which the one-time password was generated.
- Login: Displays the name of the user who requested a one-time password to log into the Client computer.
- User's Email: Displays the user address for the one-time password to be sent to.
- Generated by: Displays the name of the administrator who generated the one-time password. It is empty for the one-time password with the Requested state.
- State: Displays the current state of the one-time password. It can be Requested, Generated & Sent, Sending Failed, Used, Expired, or Manually Expired.
- Time Used: Displays the date and time when the one-time password was used. It is empty for not used passwords that are not expired. For expired passwords, the N/A value is displayed.
- Comment: Displays the user's comment entered in the Request Password window or admin's comment entered in the One-time Password Generation window.
The one-time password can have one of the following states:

State: Requested
Description: The user has requested a one-time password, but it has not been generated yet.
Possible Actions: Generate: Allows auto-generating and sending of the one-time password.

State: Generated
Description: The one-time password has been generated and sent to the user, but the user has not used it yet and the password has not auto-expired.
Possible Actions: Expire: Allows terminating a one-time password manually. Resend Email: Allows resending the previously sent email.

State: Sending Failed
Description: The one-time password has been generated, but the sending has failed.
Possible Actions: Expire: Allows terminating a one-time password manually. Resend Email: Allows resending the previously sent email.

State: Used
Description: The one-time password has been generated and sent to the user, and the user has used it.
Possible Actions: Open Session: Allows opening a session of the user logged into the Client computer with a one-time password.

State: Expired
Description: The one-time password has been generated and sent to the user, but the user has not used it during 24 hours.

State: Manually Expired
Description: The generated one-time password has been manually terminated by the administrator.

Resending the Email

To resend the email with the generated one-time password, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-time Passwords tab.
4. On the One-Time Passwords tab, click the Resend link for the target one-time password.
5. In the confirmation message, click OK.
6. A new one-time password is generated and sent to the user's address.

NOTE: You can resend the emails with one-time passwords with the Generated & Sent or Sending Failed states only.

Terminating One-Time Password Manually

If the one-time password has been generated for the wrong user or sent to the wrong address, you can terminate it manually.

To terminate a one-time password manually, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-time Passwords tab.
4. On the One-time Passwords tab, click the Expire link for the target one-time password.
   NOTE: You can manually terminate the one-time passwords with the Generated & Sent or Sending Failed states only.
5. In the confirmation message, click OK.
6. The state of the one-time password changes to Manually Expired and the user will not be able to use it.

Logging In

Logging in Using the Ekran System User Additional Credentials

The process of logging in to the Client computer with enabled forced user authentication is performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. On the user login to Windows, the Client displays the secondary authentication window requesting the user to enter their secondary credentials.
3. The user enters the credentials of the Ekran System user that has the Access to Client computer permission.
4. These credentials are sent to the Server and the Server returns the response on whether the access to this computer is allowed. If the user has the required permission for the Client computer and their entered credentials are correct, the user is allowed to continue working with the System. Otherwise, the user will receive a corresponding message.
5. As soon as the user starts working with the system, the Client will start recording their activity and the user's name will be displayed in the Management Tool on the Monitoring Results page in the User name column in brackets: <logged in Windows user> (<forced authentication user>).
Logging in Using a One-Time Password

The process of logging in to the Client computer with enabled forced user authentication and the one-time password option is performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. On the user login to Windows, the Client displays the secondary authentication window requesting the user to enter their credentials or a one-time password.
3. The user enters their email address into the Login box and the one-time password received via email into the Password box.
4. These credentials are sent to the Server and the Server returns the response on whether the access to this computer is allowed. If the entered address and the one-time password are correct and the one-time password was generated for this Client computer and for this primary Windows user, the user is allowed to continue working with the System. Otherwise, the user will receive a corresponding message.
5. As soon as the user starts working with the system, the Client will start writing their activity and the user's email will be displayed in the Management Tool in the Client Sessions list in the User name column in brackets: <logged in Windows user> (<user's address>).

NOTE: After the one-time password has been used, it is automatically terminated and cannot be used to log into the Client computer again.

Requesting a One-Time Password

While logging into the Client computer with the enabled forced user authentication and a one-time password option, the user can request a one-time password to get a temporary access to the Client computer with Windows Server operating system, as follows:
1. In the secondary authentication window, the user clicks Request Password.
2. In the opened Request Password window, the user enters their address and then, optionally, enters a comment to be displayed to the administrator.
3. The user clicks Request.
4. The request is sent to the Ekran System administrators' addresses defined for the Client while turning on the one-time password option.
5. The administrator will generate a one-time password and the generated password will be sent to the address defined in the Request Password window.
6. In a while, the user checks the email box for the email with the generated password. In case the email with the generated password has not been received, the user can request it again.

NOTE: The one-time password for logging into the same Client computer cannot be requested more often than once per hour.

The received one-time password can be used only once during 24 hours since its generation and only for logging into the Client computer from which it has been requested. If the user does not use a one-time password during 24 hours, it automatically expires.

Informing about Monitoring

About

If you want the user to be informed that their session will be monitored, you can enable displaying the Client tray icon option in Management Tool. You can also enable the additional message option to set the message to be displayed to a user, who must confirm acknowledging the message in order to log in to the computer.

The additional message is displayed when:
- Windows is started, restarted, or shut down.
- The user gets logged out or switched.
- The user logs in via the remote connection.

In addition, you can enable the user's comment option, which will require the user to comment on the additional message displayed on login. The entered comments are displayed in the Client Sessions list.

If both forced user authentication and additional message features are enabled for the Windows Client, the additional message will be displayed after the user enters the additional credentials in the secondary authentication window.

The Client tray icon is always displayed to the user. The tray notification is displayed when:
- The user logs in.
- The user clicks the icon.

NOTE: The additional message and Client tray icon are not displayed for unlicensed Windows Clients.

Enabling Displaying Additional Message

The additional message displaying can be enabled when editing Client/Client Group configuration and defining the Client settings during the remote installation or Client installation package generation for local installation.

By default, the additional message text is: According to company policy you must agree to the terms in order to continue working on this computer. You can enter the custom message to be displayed to users.

NOTE: The message can be up to symbols.

To enable displaying the additional message when installing the Windows Client, select the Enable displaying additional message option on the Client configuration page (if the Client is to be installed remotely) or on the Generate Installation Package page (if the Client is to be installed via the installation package). When the Client is installed, the user will receive the default notification message on their login until the text of the message is changed when editing the Client.

To enable displaying the additional message when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Authentication options tab, select the Enable displaying additional message option, and then, optionally, enter the message to be displayed to a user.
5. Click Finish.

Enabling User's Comment Option

The user's comment option can be enabled when editing Client/Client Group configuration and defining the Client settings during the remote installation or Client installation package generation for local installation.

To enable the user's comment option when installing the Windows Client, select the Enable displaying additional message option and then select the Require user's comment option on the Client configuration page (if the Client is to be installed remotely) or on the Generate Installation Package page (if the Client is to be installed via the installation package).

To enable the user's comment option when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Authentication options tab, select the Enable displaying additional message option, and then, optionally, enter the message to be displayed to a user. Select the Require user's comment option.
5. Click Finish.

Enabling Displaying Client Tray Icon

The Client tray icon displaying can be enabled when editing Client/Client Group configuration and defining the Client settings during the remote installation or Client installation package generation for local installation.

When the option is enabled, the Client icon is displayed in the notification area of the Client computer. When the user clicks the icon, the notification displayed is the following: Your actions are being monitored by <Server name>

To enable displaying the Client tray icon when installing the Windows Client, select the Display Client tray icon option on the Client configuration page (if the Client is to be installed remotely) or on the Generate Installation Package page (if the Client is to be installed via the installation package). When the Client is installed, the notification message will be displayed to the user after their login.

To enable displaying the Client tray icon when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Properties tab, select the Display Client tray icon option.
5. Click Finish. The Client tray icon will be displayed on the next user login.

141 Windows Clients Logging In The process of logging in to the Windows Client computer with enabled additional message option is performed as follows: 1. The user logs in to Windows in a common way (locally or remotely). 2. If the Forced User Authentication is enabled, the Client prompts the user to enter the secondary credential. 3. After the user is logged in, the notification message is displayed. NOTE: If the user logs in to the Citrix XenApp or Microsoft Shared App, the additional message will be shown to them every eight hours. 4. If the Require user s comment option is enabled, the user will be required to enter their comment to the additional message to start working with the Windows Client computer. 5. If the user clicks I Agree, they are allowed to continue working with the system. If the user clicks Cancel, they return to the Windows login screen. 6. If the Client tray icon displaying option is enabled for the Client, the tray notification is displayed to the user. Integration with Ticketing Systems About Integration with ticketing systems allows you to require the users to provide ticket numbers to start working with Windows Client machines. If integration with ticketing systems is enabled, the Client will prompt the user to enter a valid ticket number in the additional message window displayed on login. Currently, integration with the SysAid ticketing system is available. If you want Ekran System to be integrated with any other ticketing system, contact our support team: support_team@ekransystem.com. NOTE: The integration with ticketing systems is available only if you have an activated Enterprise serial key. Enabling Ticket Number Option The ticket number option can be enabled when editing Client/Client Group configuration and defining the Client settings during the remote installation or Client installation package generation for local installation. 
To enable the ticket number option when installing the Windows Client, select the Enable displaying additional message and Require user's comment options and then select the Required ticket number option on the Client configuration page (if the Client is to be installed remotely) or on the Generate Installation Package page (if the Client is to be installed via the installation package).

To enable the ticket number option when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Authentication options tab, select the Enable displaying additional message and Require user's comment options, and then the Require ticket number option.
5. Click Finish.

Logging In

The process of logging in to the Windows Client computer with the ticket number option enabled is performed as follows:
1. The user logs in to Windows in the usual way (locally or remotely).
2. On the user login to Windows, the notification message is displayed.
NOTE: If the user logs in to a computer with a Server operating system on which forced user authentication is enabled, they enter credentials in the additional authentication form and then the additional message is displayed.
3. The user enters a valid ticket number, comments the additional message, and then clicks I Agree to start working with the system.
4. In the ticketing system, a comment is added to the corresponding ticket. It contains information on who logged in to the Client machine and when. Additionally, it contains the user's comment entered in the additional message window and the link to the user session.

Linux Clients

About

The Linux Client is a program that can be installed on the target computers to monitor the activity of their users in the terminal. The monitored data is sent by the Linux Client to the Server and can be viewed via the Session Viewer in the Management Tool.

Monitoring via Linux Clients

The Linux Client monitors the following actions:
1. User actions (input commands and responses from the terminal)
2. System calls in:
o SSH (local and remote)
o Telnet (local and remote)
o Local terminal sessions
3. Commands being executed in the running script.

A Client with a Linux license can monitor multiple sessions simultaneously, both remote and local. A new monitoring session is created each time the terminal is opened. There is no time limitation for a Linux Client session. The session status becomes Finished whenever the terminal is closed or the Linux Client is disconnected from the Server. Whenever the Linux Client reconnects to the Server, the session status changes from Finished back to Live.

Installing Linux Client

About

You can install the Linux Clients locally from the command line using the EkranSystemLinuxClient.tar.gz package, respectively:
- EkranSystemLinuxClientx64.tar.gz for the 64-bit system
- EkranSystemLinuxClientx86.tar.gz for the 32-bit system

Downloading Linux Client Installation File

To download the file for Linux Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.

5. On the Installation File Download page, click Download Linux x86 Client Installation (.tar.gz) or Download Linux x64 Client Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your browser.

Installing Linux Clients

This type of installation allows you to install the Linux Clients locally from the command line using the downloaded EkranSystemLinuxClient.tar.gz package.

To install the Linux Client on the target computer with a Linux operating system from the command line:
1. Copy the installation package to any folder. Make sure you use the correct installation package (x64 or x86).
2. Run the command-line terminal.
3. Navigate to the folder with the installation package by entering the following command:
   $ cd path/to/folder
4. Unpack the installation package using the following command:
   $ tar xvfz <installation package name>
5. Navigate to the unpacked EkranClient folder using the following command:
   $ cd EkranClient
   The EkranClient folder contains the install.sh script used to install the Client.

6. Run the Linux Client installation script, specifying the Server name or Server IP address and the port used for connection to the Server (9447 is recommended):
   $ sudo ./install.sh <server_name/ip> <Agent_port>
7. After the Client is installed, it starts monitoring the new terminal sessions. If you want to monitor the older terminal sessions, restart them.
8. The installed Linux Client appears in the list on the Client Management page in the Management Tool.

Uninstalling Linux Clients

To uninstall the Linux Client from the command line, do the following:
1. Run the command line terminal.
2. Navigate to the folder with the Linux Client by entering the command:
   $ cd /opt/.ekran
3. The .Ekran folder contains the uninstall.sh script used to uninstall the Client.
4. Run the uninstallation script by entering the following command and pressing Enter:
   $ sudo ./uninstall.sh
5. Enter the password of the superuser.
6. Linux Client is successfully uninstalled.

Viewing Linux Clients

The Linux Clients are displayed in the Management Tool in the Clients list along with the Windows Clients. If the users have an administrative Client installation and management permission, they will see all Clients. Otherwise, the user will see only those Clients for which they have at least one Client permission.

The Client list contains the following information:
- Client name
- Status
- IPv4
- IPv6
- Description

The Domain column is empty for Linux Clients. Please note that if there are several network cards on the Client computer, only the IPv4 and IPv6 addresses used by the Linux Client will be displayed in the Management Tool.

You can filter Linux Clients in the following ways:
- To sort Clients by operating system, click the column header.
- To find Linux Clients only, select the Hide Windows Clients option and click Apply Filters.
- To find Clients by their host name or description, enter the name/description or a part of it in the Contains box and click Apply Filters.
- To hide offline/online/uninstalled/licensed Clients, select the corresponding option in the Filtering pane and click Apply Filters.

Linux Client Description

Client description is used as additional information about your Linux Clients, which makes it easier to find a specific Client. You can filter your Clients by their descriptions as well as by their names. Client description can be defined on the Editing Client page on the Properties tab. Only users with the Client configuration management permission can edit the Linux Client description. To edit the description for the Linux Client, enter it in the Description box and click Finish.

Forced User Authentication on Linux Clients

About

If several users may use the same account (e.g., root) to work with the terminal, it might be important to identify the person using the account. The identification can be performed by means of Forced User Authentication, which requires the user to enter additional credentials when they open the terminal. The user has to enter the credentials of the Ekran System user who has the Access Client computer permission. The secondary user login will then be displayed in the Client Sessions list in brackets next to the primary user name under which the terminal is launched.

The forced user authentication works only if there is a connection between the Client computer and the Server computer. If the connection with the Server computer is lost (the Server is unavailable), the user will not be prompted to enter the secondary credentials.
Enabling Forced User Authentication on Linux Client

The Forced User Authentication parameter can be set only during Client editing. To enable Forced User Authentication on the Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.

3. On the Clients page, select the Linux Client for which you want to enable Forced User Authentication, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Editing Client page, on the Authentication options tab, select the Enable secondary user authentication on log-in option.
5. Click Finish.
6. The forced authentication mode is enabled immediately. During the next login, the user will be prompted to enter the secondary credentials.

Granting the User Permission to Work with the Terminal

To grant an Ekran System user a permission to work with the terminal on the Linux Client computer with enabled forced user authentication, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Edit an existing internal user who will log into the Client computer to the system or add a new one.
3. During the user adding, on the Client Permissions tab, click Edit Permissions for the required Linux Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. In the opened Client Permissions window, select the Access Client computer option and then click Save.
5. Click Finish.

Launching the Terminal

The process of launching the terminal on the Linux Client computer with enabled forced user authentication is performed as follows:
1. The user launches the terminal.
2. The Client requests the user to enter their secondary credentials.
3. The user enters the credentials of the Ekran System user that has the Access to Client computer permission.
4. These credentials are sent to the Server and the Server returns the response on whether the access to the terminal is allowed. If the user has the required permission for the Client computer and their entered credentials are correct, the user is allowed to continue working with the terminal. Otherwise, the user will receive a corresponding message.
5. As soon as the user starts working with the terminal, the Client will start recording their activity. The user's name will be displayed in the Client Sessions list in the User name column in brackets: <Linux user> (<forced authentication user>).

Two-Factor Authentication

About

The Two-Factor Authentication feature allows you to better protect the critical endpoints in your network. When the Two-Factor Authentication feature is enabled, the Client will require the user to enter a time-based one-time password (TOTP) on their login to Windows. TOTPs are generated via special mobile applications (e.g., Google Authenticator). For users to be able to use TOTP, you have to provide them with a two-factor authentication key generated in the Management Tool.

The Two-Factor Authentication option can be enabled only for Windows Server Client machines during Client editing. In addition, if you have at least one serial key activated, the Two-Factor Authentication option can be enabled even for unlicensed Clients.

Allowing the User to Log In

If only the Two-Factor Authentication is enabled on the Windows Server Client machine, you have to allow local and domain users to use TOTPs for logging into this machine. If the Two-Factor Authentication is enabled along with the Forced User Authentication, you have to allow the secondary users to use TOTPs.

To allow the users to log into Windows Server Client machines with enabled Two-Factor Authentication, do the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Two-Factor Authentication tab and then click Add User.
4. In the Add User window, select the user type and define the following information:
- For Active Directory user, define the user login and domain name.
- For Local computer user, define the user login and computer name.
- For Ekran user for secondary authentication, define the user name.
5. Enter the key manually or click Auto-Generate.
NOTE: The key must be at least 16 characters long and can contain only the following symbols: A-Z, a-z,
6. Copy the key to your clipboard to send it to the corresponding user. Alternatively, make a note of it to provide it to the user later. The user will have to enter this key into their TOTP mobile application. For security reasons, after you navigate off this page, no one will be able to see the generated key again.
7. Click Save.

Deleting User from the List

To forbid the user to log into Windows Server Client machines with enabled Two-Factor Authentication, do the following:
1. Log in to the Management Tool as a user with the User management permission.

2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Two-Factor Authentication tab.
4. Click Delete user for the required user and then click OK in the confirmation message.
5. The user is deleted from the list and will be unable to log in to Client machines using TOTP.

Editing Key for Two-Factor Authentication

To edit the key for the target user, do the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Two-Factor Authentication tab.
4. Click Edit user for the required user. To find a specific user, enter their name in the Contains box and click Apply Filters.
5. In the Edit User window, type the new key manually or click Auto-Generate.
NOTE: The key must be at least 16 characters long and can contain only the following symbols: A-Z, a-z,
6. Copy the key to your clipboard to send it to the corresponding user. Alternatively, make a note of it to provide it to the user later. The user will have to update their two-factor authentication key in the TOTP mobile application. For security reasons, after you navigate off this page, no one will be able to see the generated key again.
7. Click Save.

Enabling Two-Factor Authentication on Windows Server Clients

The Two-Factor Authentication parameter can be set only during Client editing. To enable Two-Factor Authentication on the Windows Server Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Serial Key Management navigation link to the left and make sure you have at least one serial key activated.
3. Click the Client Management navigation link to the left.
4. On the Clients page, select either the licensed Windows Server Client or the unlicensed one and then click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
5. On the Editing Client page, on the Authentication options tab, select the Enable two-factor authentication option.
6. Click Finish.
7. The Two-Factor Authentication is enabled immediately. During the next login, the user will be prompted to enter a TOTP generated in their mobile application to start working with the system.

Logging in Using Time-Based One-Time Password

To log into the Client machine with enabled Two-Factor Authentication:
1. The user enters a two-factor authentication key in their TOTP mobile application.
2. The mobile application starts generating TOTPs. Each TOTP is valid for 5 minutes from the moment of its generation.
3. The user logs in to Windows in the usual way (locally or remotely).
4. If Forced User Authentication is enabled, the user enters their secondary credentials.
5. The Client displays the TOTP window requesting the user to enter a TOTP generated in their mobile application.
6. The user specifies a valid TOTP and clicks OK. If the user has been authenticated via the Forced User Authentication, they have to specify a TOTP generated for the secondary user.
NOTE: For the user to be authenticated using TOTP, the time on the Ekran Server and on the user's device must be synchronized.
7. The user name and TOTP are sent to the Server for validation. If the user is allowed to log in to Client computers with enabled Two-Factor Authentication and the TOTP is valid, they get logged in to the system and can start working with it.
8. As soon as the user logs into the system, the Client will start recording their activity.
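The time-synchronization NOTE and the key-length rule above, worked through as an added example (not Ekran System code): a standard RFC 6238 TOTP check showing which device clock offsets still produce an accepted code. Assumptions: a Base32 key, 30-second steps, SHA-1 and 6 digits (the Google Authenticator defaults), and a server that honors the 5-minute validity by accepting any code from the last ten steps; the sample key is the RFC 6238 test secret, not a real key.

```python
import base64
import hashlib
import hmac
import re
import struct

STEP_SECONDS = 30        # assumption: RFC 6238 default, as used by Google Authenticator
DIGITS = 6               # assumption: 6-digit codes
VALIDITY_SECONDS = 300   # from the help file: a TOTP is valid for 5 minutes
MIN_KEY_LENGTH = 16      # from the help file: the key is at least 16 characters long


def normalize_key(key: str) -> bytes:
    """Apply the key-length rule and decode the Base32 key to raw secret bytes."""
    cleaned = key.replace(" ", "").upper()
    if len(cleaned) < MIN_KEY_LENGTH:
        raise ValueError("key must be at least 16 characters long")
    if not re.fullmatch(r"[A-Z2-7]+", cleaned):  # assumption: Base32 alphabet
        raise ValueError("key contains characters outside the Base32 alphabet")
    padding = "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned + padding)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 one-time password for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """Code the user's device shows when its clock reads unix_time."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify(key: str, submitted: str, server_time: int) -> bool:
    """Accept a code generated at most VALIDITY_SECONDS before the server's time.

    Only past steps are checked, so a device whose clock runs ahead of the
    server, or far behind it, produces codes the server never tries.
    """
    secret = normalize_key(key)
    newest = server_time // STEP_SECONDS
    oldest = max(newest - VALIDITY_SECONDS // STEP_SECONDS, 0)
    accepted = False
    for counter in range(newest, oldest - 1, -1):
        candidate = hotp(secret, counter).encode()
        # Constant-time comparison; every step is checked, with no early exit.
        if hmac.compare_digest(candidate, submitted.encode("utf-8")):
            accepted = True
    return accepted


if __name__ == "__main__":
    SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test secret
    server_now = 1111111109                          # constructed server clock
    secret = normalize_key(SAMPLE_KEY)
    for skew in (0, -120, -600, 120):                # device clock offset in seconds
        code = totp(secret, server_now + skew)
        result = verify(SAMPLE_KEY, code, server_now)
        print(f"device clock {skew:+5d}s -> code {code} accepted: {result}")
```

Under these assumptions a device running two minutes slow still authenticates, while one running ahead of the server or ten minutes behind it does not.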

User Blocking

About

Ekran System allows you to block users performing potentially harmful and forbidden actions on the Clients installed on computers with a Windows Server operating system. You can add the user to the blocked user list on the selected Client computer or all Client computers in the system. A blocked user is forcibly logged out of the Client and is not allowed to log back in. You can block users while viewing their session, live or finished. You need to have the Client installation and management permission to block users.

Blocking User from Live Session

To block a user while watching their live session, do the following:
1. Open the user session in the Session Viewer.
2. Click on the red lock in the Session Player.
NOTE: The Lock is disabled for the users already on the Blocked User list and Ekran System users without the Client installation and management permission.
3. The Block User window opens.
4. Define the following settings:
o Select On all computers if you want this user to be blocked on all computers with installed Clients.
o Select On computer if you want the user to be blocked only on the current Client computer.
5. Define the forced log out time if necessary.
6. Enter the message to display to the user if necessary.

7. Click Block.
8. On the Client computer, the warning message is displayed and the desktop is blocked.
9. After the defined time interval, the user is forcibly logged out of the Client computer. If the user tries to log in to the Client computer, the system does not allow them to do so, and the following message is displayed: You have been blocked. Contact your system administrator.
NOTE: If you have selected to block the user on all computers, they will be logged out on all computers where they are logged in at the time of blocking.

Blocking User from Finished Session

To block the user while watching their finished session, do the following:
1. Open the user session in the Session Viewer.
2. Click on the red lock in the Session Player. If the user is logged into the Client computer at that point, the blocking process is the same as for the Live sessions.
NOTE: The Lock is disabled for the users already on the Blocked User list and Ekran System users without the Client installation and management permission.
3. The Block User window opens.
4. Define the following settings:
o Select On all computers if you want this user to be blocked on all computers with installed Clients.
o Select On computer if you want the user to be blocked only on the current Client computer.
5. Click Block.
6. The user is blocked with the default parameters. If the user tries to log in to the Client computer, the system does not allow them to do so, and the following message is displayed: You have been blocked. Contact your system administrator.
NOTE: If you have selected to block the user on all computers, then they will be logged out on all computers where they are logged in at the time of blocking.

Blocking User on Client with Secondary Authentication

If the Client has secondary user authentication enabled, the system blocks the primary-secondary user combination. After such a user logs in to Windows, the Client displays the secondary authentication window. When the blocked user enters their credentials and tries to log in, the system does not allow them to do so, and the following message is displayed: You have been blocked. Contact your system administrator.

Blocked User List

A blocked user is added to the blocked user list for the selected Client or all Clients in the system (depending on your choice while blocking the user). The list of blocked users is stored on the Server. If you edit the blocked user list, the Client receives it from the Server immediately. If the connection with the Server computer is lost (the Server is unavailable), the Client does not block users that are on the blocked user list. Once the connection is re-established, the Client receives the latest edited list of blocked users from the Server.

Viewing Blocked User List

To view the blocked user list, go to Client Management, and then click Blocked User List. You need to have the Client installation and management permission to view the blocked user list.

A list of blocked users is displayed, with the following information available for each record:
- Windows User name: has one of the following formats:
o <domain>\<user name>
o <domain>\<primary user name>(<secondary user name>) (for Clients with secondary user authentication enabled)
- Blocked on: Displays a specific computer name or All computers.
- Blocked by: Displays a specific Ekran user that has blocked the Windows user.
- Date: Displays the date when the user was blocked.

Removing User from Blocked User List

You can remove users from the blocked user list, one by one or all at once. A user removed from the Blocked User list can log in to their computer with the installed Client again.

To remove a user from the blocked user list, do the following:
- Click Remove in the corresponding blocked user record in the grid.
- Click Remove in the confirmation message.

To remove all users from the blocked user list, do the following:
- Click Remove All in the blocked user grid.
- Click Remove in the confirmation message.

Client Group Management

About

Client Groups allow you to grant access to several Clients at the same time to your users without the necessity to grant them access to all the Clients (both Windows and Linux). By default, there is one Client Group in the system, which contains all installed Clients. You cannot remove Clients from this group.

NOTE: One Client can belong to several groups.

Adding Client Groups

To add a new Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Add Client Group.
4. On the Group Settings tab, define the following and then click Next:
- The name for the Client Group.
- Optionally, the Client Group description.
- The configuration that can be applied to the Windows Clients in the same way as defining Client configuration.
NOTE: The maximum length of the Client Group name and description is 200 characters.
5. On the Client Management tab, add Clients to the group. Click Next.
6. On the Permissions tab, select users/user groups which will have access to the Client Group and define their permissions:
- To find a specific user/user group, enter its name in the Contains box and click Apply Filters.
- To define user/user group permissions, click Define Permissions for the required users/user groups and select the check boxes near the corresponding permissions in the opened Client Permissions window.
- After you have defined all permissions, click Save.
NOTE: Permissions inherited by the user from user groups to which they belong are displayed as disabled check boxes with a user group name near them.
7. Click Next.
8. On the Assigned Alerts tab, select the check boxes near the alerts that must be assigned to the group.
9. Click Finish.
10. The Client Group is created.

Editing Client Groups

To edit an existing Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. Edit Client Group properties, permissions, and alerts on the corresponding tabs in the same way as when adding a new Client group.
5. Click Next or Finish to save the changes on each tab.

Adding Clients to Groups

Adding Clients to Groups during Client Group Editing

1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Editing Client Group page, on the Client Management tab, click Add Clients.
5. The drop-down list containing the Clients that have not been added to the Group opens.
NOTE: Only the first 10 Clients are displayed in the list. To view all Clients, click the link at the bottom of the list.
6. Select the check boxes next to the Clients to be added to the Client Group. To find a specific Client, enter its name, description or a part of it in the Find Clients field above the Clients list. The list is filtered as you type.
7. Select the Apply group settings to new Clients option if you want the added Clients to inherit Group settings.
8. Click Add.
9. The added Clients are displayed in the grid.
10. Click Finish.

Adding Clients to Groups during Client Editing

To add a Client to the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the selected Client.
4. On the Editing Client page, on the Client Groups tab, click Add to Group.
5. The drop-down list containing the groups to which the Client has not been added opens.

NOTE: Only the first 10 groups are displayed in the list. To view all groups, click the Click to view all results link.
6. Select the option next to the group to which you want to add the Client.
NOTE: To find a specific group, enter its name or a part of it in the Find Groups field. The list is filtered as you type.
7. Click Add.
8. The group to which the Client was added is displayed in the grid.
9. Click Finish.

Applying Group Settings to Client

When the Client belongs to the target Client Group, the Client settings can be inherited from this Group. In this case, the Client settings are changed together with the Group settings.

To edit the Windows Client configuration by changing the Client Group settings, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Group. To find a specific Client Group, enter its name in the Contains box and click Apply Filters.
4. Edit Client Group properties, permissions, and alerts on the corresponding tabs.
5. Click Finish.

To edit the Windows Client configuration by applying group settings to a Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Windows Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
NOTE: If you do not have the Client configuration management permission for this Client, the configuration options editing will be disabled.
4. On the Editing Client page, on the Client Groups tab, add the Client to the group from which you want the Client to inherit configuration.
5. Click the Apply link for the group.
6. The Client settings type changes to Inherited from <group name> and the Applied value is displayed for this group in the grid.
7. Click Finish.

Removing Clients from Groups

Removing Clients from Groups during Client Group Editing

To remove a Client from the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Client Management tab, click the Remove link for the corresponding Client or click Remove all to remove all Clients from the group.
5. In the confirmation message, click OK.
6. The Client is removed from the Group.
NOTE: The Client can be removed from all Groups except the All Clients group.
7. If settings of the removed Client were inherited from this group, they are changed to Custom. The Client settings remain the same but they become editable.

Removing Clients from Groups during Client Editing

To remove a Client from the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the selected Client.
4. On the Editing Client page, on the Client Groups tab, click the Remove link for the corresponding Client group or click Remove from All to remove the Client from all groups.
5. In the confirmation message, click OK.
6. The Client is removed from the Group.
NOTE: The Client can be removed from all Groups except the All Clients group.
7. If settings of the removed Client were inherited from the Client Group, their type is changed to Custom. In this case, the Client settings remain the same but they become editable.

Deleting Client Groups

If you delete a Client group, the Clients belonging to it will not be deleted, but the permissions of users defined for the deleted Client Group will change. The All Clients group cannot be deleted.

To delete a Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.

2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Group Properties tab, click Delete Client Group.
5. In the confirmation message, click Delete.
6. The Client Group is deleted.
7. When the group is deleted, the configuration of all Clients that was inherited from this group changes to Custom.

Alerts

About

Alerts are instances that notify the investigator of a specific activity (potentially harmful/forbidden actions) on the target computers with installed Clients and allow the investigator to respond to such activity quickly without performing searches. The notifications can be received via email or in the Tray Notifications application. In addition, monitored activity associated with alert events is marked as alert in the Session Viewer.

The alert system can be used for two purposes:
- Immediate response: This allows the investigator to get immediate information about the forbidden action and respond to it quickly (almost at once).
- Delayed response: This allows the investigator to get information on a batch of forbidden actions on multiple Clients, analyse them, and then respond.

Viewing Alerts

The alerts are displayed on the Alert Management page in the Management Tool. A list of alerts contains the following information:
- Name
- Description
- Risk Level: Indicates the risk level of an alert, which can be Normal, High or Critical.
- Assigned To: Indicates Clients/Client Groups the alert is assigned to.
- Alert State: Indicates if the alert is enabled.
- Notification Type: Indicates how the investigators are notified about alert events (by emails or via Tray Notifications application).
- Recipient: The address of the investigator who will be notified about alert events.

To view the latest 100 events for an alert in the Alert Viewer, click View alert events in the corresponding entry. To find a required alert, you can use the filtering option at the top of the page. On the Alert Management page, you can add new alerts, edit existing alerts (including deleting), and define Global Alert Settings.

Default Alerts

The Ekran System contains a set of default alerts for the potentially harmful applications and websites visited on the Windows Client computers and for the important commands executed on the Linux Client computers. The default alerts are automatically added when the Ekran Server is installed or updated to a new version. These alerts are enabled by default but there are no Clients to which they are assigned. You can assign an alert to Clients by clicking Edit alert for the required alert and selecting the needed Clients on the Assigned Clients tab or while editing multiple alerts. Default alerts have the High risk level by default.

You can do the following with default alerts:
1. Enable/disable them.
2. Change the alert risk level.
3. Define the notification options.
4. Delete them.

Alerts Management

Adding Alerts

To add an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left and click Add Alert.
3. On the Add Alert page, on the Alert Properties tab, define the following alert properties and then click Next:
- Enter a unique name for an alert.
- Optionally, enter the alert description.
- Select the Enabled option to enable an alert.
- Select the alert risk level. It can be Critical, Normal, or High.
4. On the Alert Rules tab, define the rules to be applied and then click Next:
- Select the Parameter of the rule.
- Select the Comparison operator.
- Enter the Value to which Parameter will be compared.
- Click Add Rule to create one more rule.
- To delete a rule, clear its Value box or click Delete.

5. On the Assigned Clients tab, select the Clients/Client Groups to which the alert will be assigned and click Next. To find specific Clients/Client Groups, enter their names in the Contains box and click Apply Filters.
6. On the Notification Options tab, select how you would like to receive the alert notifications:
- Select the Send emails to option and then enter the email address to which the notifications will be sent. You can enter several addresses, separating them with semicolons.
NOTE: To receive email notifications correctly, make sure that Sending Settings contain correct parameters for email sending.
- Select the Show warnings in Tray Notifications application option to activate the tray notifications. The alert notifications will then pop up from the tray.
7. Click Finish to save the created alert.
8. The alert is added.

Rules

About

Alert rules allow you to determine what events on the investigated computer will be considered an alert. Each alert has to have at least one rule. Each rule consists of the Parameter, Comparison operator, and Value, to which the Parameter will be compared.

The following parameters are available for rules:

Parameters applied to both Windows and Linux Clients

- Username
  Description: The name of the user whose work is to be monitored. Set this parameter type for alert to be activated whenever the specified user uses the Client computer. If forced user authentication is enabled and the secondary user login matches the user name alert parameter, the Client marks corresponding events as an alert. For example: The alert parameter is Login LIKE John. The user logs in to Windows as Guest and then enters John as the secondary login. The first record in the session of this user (Guest (John)) is marked as alert.
  Example: John

Parameters applied to Windows Clients

- Application
  Description: The name of the started application on the investigated computer. Select this parameter type for alert to be triggered whenever the specified value is identified as the name of a launched application.
  Example: skype.exe
- Title/URL
  Description: The name that appears in the title of a window. Select this parameter type for alert to be triggered whenever the specified value is identified in any title on the screen. If the URL monitoring option is enabled for the Client, the Title/URL parameter will be applied not only to window titles, but also to URL addresses.
  Example: My document or facebook.com

Parameters applied to Linux Clients

- Command
  Description: The command entered in the Linux terminal. Set this parameter type for alerts to be activated whenever the specified command is entered.
  Example: sudo
- Parameter
  Description: The parameter of the entered Linux command. Set this parameter type for alerts to be activated when the user enters the command with specified parameters.
  Example: ImportantDocument

Parameters of Active Directory Groups

- Computer Belonging to Domain Group
  Description: The name of the domain group. Select this parameter type for an alert to be triggered on the Client machines belonging to this group. NOTE: Alerts containing this parameter need to be assigned to the All Clients group to work properly.
  Example: Accounting
- User Belonging to Domain Group
  Description: The name of the domain group. Select this parameter type for alert to be activated whenever the users of specified domain user group use the Client computers.
  Example: Support

Comparison operators

For all parameters except for Active Directory groups, you can use the following comparison operators:
- Equals: The defined value fully corresponds to the found result (e.g., John will find John, but will not find Johny).
- Like: The found result includes the defined value (e.g., John will find Johny, Johnatan, but will not find Johan).

Rules defined for Windows and Linux parameters do not influence one another. Thus you can have rules for Windows and Linux Clients defined in one alert and the alert will work correctly.

For example:
Rule 1. Command is su.
Rule 2. URL is facebook.com.
The alert will be triggered by a user entering the su command in the Linux terminal or visiting the facebook.com site from a computer with the Windows operating system.

When several rules are defined for the same parameter within one alert, the alert will work if the conditions of at least one rule are met.

For example:
Rule 1. Application name is skype.exe
Rule 2. Application name is winword.exe
The alert will be triggered by a user launching either Skype or Microsoft Word.

When the rules are defined for different parameters within one alert, the alert will work if the conditions of all the rules are met.

For example:
Rule 1. Application name is skype.exe
Rule 2. User name is Nancy
The alert will be triggered by the user Nancy launching Skype.

When you have multiple rules defined for one parameter and one rule defined for another parameter, the alert will work if the conditions of any rule from the first group and the conditions of the rule defined for the other parameter are met.

For example:
Rule 1. Application name is skype.exe
Rule 2. Application name is winword.exe
Rule 3. User name is Nancy
The alert will be triggered by user Nancy launching Skype or Microsoft Word.

Rule Examples

1. To set up the alert notification about any user opening the facebook.com site on the investigated computer, select the Title/URL parameter and, in the Value field, enter facebook.com.
NOTE: URL monitoring must be enabled.

2. To set up the alert notification about a specific user (e.g., Stefan) opening Facebook on the investigated computer, define the following parameters:
If you enter more than one name, the alert notification will then appear if any of them (Stefan or Rick) opens Facebook.
3. To set up the alert notification about any user launching skype.exe application on the investigated computer, define the following parameters:

4. To set up the alert notification about a specific user (e.g., Stefan) opening facebook.com in Chrome, define the following parameters:
5. To set up the alert notification about USB-based storages plugging in, define the following parameters:
6. To set up the alert notification about entering any command with sudo or a command su, define the following parameters:

7. To set up the alert notification about accessing the Client computers by users belonging to the target domain group, define the following parameters:
8. To set up alert notification about opening Facebook on the investigated computer, which belongs to the domain group, define the following parameters:
NOTE: Such alerts need to be assigned to the All Clients group to work properly.
9. To set up the alert notification about launching the skype.exe application by the users belonging to the target domain group on the Client machines belonging to the target domain group, define the following parameters:
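The rule semantics described in this section (Equals versus Like, "any rule" within one parameter, "all parameters" across parameters, Windows and Linux rules not influencing one another), modelled as an added example; this is not Ekran System code. The event dictionaries, the case-insensitive comparison, and the treatment of alerts that combine Username with platform-specific rules are assumptions.

```python
from collections import defaultdict, namedtuple

# Which Client platform each rule parameter applies to, per the parameter list.
# Active Directory group parameters are left out: the page says the
# Equals/Like operators do not apply to them.
PLATFORMS = {
    "Username": {"windows", "linux"},
    "Application": {"windows"},
    "Title/URL": {"windows"},
    "Command": {"linux"},
    "Parameter": {"linux"},
}

# operator is "Equals" or "Like"
Rule = namedtuple("Rule", "parameter operator value")


def rule_matches(rule, observed):
    """Equals: full match. Like: the observed text contains the value."""
    # Assumption: comparison ignores case; the page does not say either way.
    seen, wanted = observed.casefold(), rule.value.casefold()
    if rule.operator == "Equals":
        return seen == wanted
    if rule.operator == "Like":
        return wanted in seen
    raise ValueError("unknown operator: %r" % (rule.operator,))


def alert_triggers(rules, event):
    """Decide whether one monitored event satisfies an alert's rules.

    event is a constructed dict: {"platform": "windows" or "linux",
    "<parameter name>": "<observed value>", ...}.
    """
    by_parameter = defaultdict(list)
    for rule in rules:
        if rule.parameter not in PLATFORMS:
            raise ValueError("unsupported parameter: %r" % (rule.parameter,))
        # Rules for the other platform do not influence this event.
        # Assumption: they are simply ignored, including when the alert
        # also carries a Username rule.
        if event["platform"] in PLATFORMS[rule.parameter]:
            by_parameter[rule.parameter].append(rule)
    if not by_parameter:
        return False  # nothing in this alert applies to this platform
    # All parameters must be satisfied; within one parameter, any rule suffices.
    return all(
        parameter in event
        and any(rule_matches(r, event[parameter]) for r in group)
        for parameter, group in by_parameter.items()
    )


# Alerts taken from the examples in the text.
OFFICE_ALERT = [
    Rule("Application", "Equals", "skype.exe"),
    Rule("Application", "Equals", "winword.exe"),
    Rule("Username", "Equals", "Nancy"),
]
MIXED_ALERT = [
    Rule("Command", "Equals", "su"),
    Rule("Title/URL", "Like", "facebook.com"),
]

# Constructed sample events (not real monitoring data).
SAMPLE_EVENTS = [
    {"platform": "windows", "Username": "Nancy", "Application": "winword.exe"},
    {"platform": "windows", "Username": "Stefan", "Application": "skype.exe"},
    {"platform": "linux", "Username": "root", "Command": "su"},
    {"platform": "linux", "Username": "root", "Command": "sudo"},
    {"platform": "windows", "Username": "Rick",
     "Title/URL": "Facebook - https://facebook.com/ - Google Chrome"},
]


def evaluate_samples():
    """Return (office_alert_result, mixed_alert_result) for each sample event."""
    return [
        (alert_triggers(OFFICE_ALERT, e), alert_triggers(MIXED_ALERT, e))
        for e in SAMPLE_EVENTS
    ]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, evaluate_samples()):
        print(event, "->", result)
```

Because Like is a substring match, a Like rule on su also fires on sudo; use Equals when only the exact command should raise the alert.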

Enabling/Disabling Alerts

If you do not need to receive notifications on a specific alert which you do not want to delete, you can disable it in the Management Tool by clearing the Enabled option on the Alert Properties tab of the Edit alert page. This option can be enabled again later, by selecting the Enabled option on the same page. You can enable/disable multiple alerts at once by clicking Manage Multiple Alerts on the Alert Management page.

Editing Alerts

Editing Single Alert

To edit a single alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. Click Edit alert for the required alert.
4. Edit alert properties and rules on the corresponding tabs in the same way as when adding a new alert.
NOTE: Click Next or Finish to save the changes on each tab.
5. The alert is edited.

Editing Multiple Alerts

To edit multiple alerts, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. Click Manage Multiple Alerts.
4. On the Alert Selection page, select the alerts to be edited, enable/disable the required alerts, and then click Next.
6. On the Assigned Clients tab, select the Clients/Client Groups to which the alerts will be assigned and click Next. To find specific Clients/Client Groups, enter their names in the Contains box and click Apply Filters.
7. On the Notification Options tab, select how you would like to receive the alert notifications and click Finish.
8. The alerts settings are edited.

Assigning Alerts to Clients

Assigning Alerts to Clients during Alert Editing

To assign an alert to a specific Client, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Edit alert for the required alert.
4. On the Assigned Clients tab, select the Clients or Client Groups to which the alerts will be assigned and click Next. To find a specific Client, enter its name in the Contains box and click Apply Filters.
5. Click Finish to save the changes.
6. The alert is assigned to the selected Client.

Assigning Alerts to Clients during Editing Multiple Alerts

To assign an alert to a specific Client, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Manage Multiple Alerts.
4. On the Alert Selection tab, select the alerts to be assigned to the Client.
5. On the Assigned Clients tab, select the Client to which the selected alerts will be assigned and click Next. To find a specific Client, enter its name in the Contains box and click Apply Filters.
6. Click Finish to save the changes.
7. The alerts are assigned to the Client.

Assigning Alerts to Clients during Client/Client Group Editing

To assign an alert to a specific Client or Client Group, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the required Client or Edit Client Group for the required Client Group.
4. On the Editing Client/Editing Client Group page, on the Assigned Alerts tab, select the alerts to be assigned to the Client/Client Group and click Finish.
5. The alerts are assigned to the Client/Client Group.

Exporting and Importing Alerts

Exporting Alerts

To export an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Export Alerts.
4. Select the alerts to be exported and click Export.
5. The Alerts.xml file containing the selected alerts and their parameters is downloaded to your computer.

Importing Alerts

To import an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Import Alerts.
4. On the Import Alerts page, click Choose File.
5. In the opened window, select the required .xml file containing the alerts to be imported and click Open.
6. The imported alerts are added. These alerts are enabled by default but there are no Clients to which they are assigned. The name, description, risk level, and rules of the imported alerts are defined according to the .xml file.
NOTE: If Ekran Server contains an alert that has the same ID as one of the imported alerts, it will be updated.
7. Click Define Imported Alerts Settings to assign the imported alerts to Clients/Client Groups and to define the notification options.

Deleting Alerts

To delete an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Edit Alert for the required alert.
4. On the Alert Properties tab, click Delete Alert.
5. In the confirmation message, click Delete.
6. The alert is deleted. All alert events that were detected by this alert are not marked as alert anymore.

Defining Global Alert Settings

Global Alert Settings allow you to define notification settings for all alerts. Their editing is available for users with the administrative Client installation and management permission. These settings are applied to all alerts. To define Global Alert Settings, click Global Alert Settings on the Alert Management page.

Frequency Settings

The Frequency settings group allows you to define how frequently the alert notifications will appear in the Tray Notifications application and be sent via email.
- Minimal interval between notifications sent for the same alert event. This option defines how frequently the notifications about the same alert event will appear. For example, if this parameter is set to 10 minutes and a user has started Skype and works in it, the investigator will receive one notification every 10 minutes instead of receiving 10 notifications every minute or even more.
- Define how often the notification will be sent:
  o The Send notifications on every alert event option allows you to notify the investigator on every alert event.
  o The Send batch notification every (min) option allows you to notify the investigator about all alert events that occurred during the defined time interval. If this option is selected, time counting starts when the Server starts. Notifications are then sent with the defined frequency.

Receiving Information on Alert Events

You can receive information on alert events in the following ways:
- In the Session Viewer, the alert events are marked with a special icon. The name of an alert is displayed in the Alert/USB Rule column. Also the alert events are highlighted in different colours depending on the detected alert risk level:
  o The alerts with the Critical risk level are highlighted in red colour.
  o The alerts with the High risk level are highlighted in yellow colour.
  o The alerts with the Normal risk level are highlighted in blue colour.
- In the Session List, the sessions that contain alert events have a special icon, which you can click to view the alert events in the Alert Viewer. The colour of the alert icon depends on the highest alert risk level detected in the session.
- On the Recent Alerts dashboard, which contains information on alerts triggered within a specific time period and a list of notifications for each alert. The colour of the alert bars depends on the alert risk level and the dashboard settings.
- If email notifications are enabled in the Alert Parameters, the information on alert events will be sent to the defined recipients. To receive notifications via email, define Sending Settings. Each email contains metadata of the alert event (user name, Client name, time, application name, alert risk level, and activity title) and the link for viewing this alert in the Session Viewer.

- If the tray notifications are enabled in the Alert Parameters, the information on alert events will be sent via the Tray Notifications component.

To receive alert notifications in the Tray Notifications, do the following:
1. Install the Tray Notifications on the computer where alert notifications are to be received.
2. Log in to the Tray Notifications as a user of the Ekran System.
3. Start receiving alert notifications in the Windows Tray.
4. Use the Tray Notifications journal to view the history of received tray notifications and get more information on the alert event by opening the session in the Session Viewer.

See the Tray Notifications application help file for more information.

Advanced Reports

About

The user activity can be analysed with the help of reports generated via the Management Tool. These reports allow you to receive the information on the activity of multiple Clients, alert events, detected URLs, and executed Linux commands, and get statistics on time spent by the user in each application or on each web-page. You can schedule the reports to be generated and sent via email at the specified time or manually generate the reports, which can be saved or printed, via Report Generator.

The reports can be generated in any of the following formats: PDF (*.pdf), Web Page (*.html), Single File Web Page (*.mht), Rich Text Format (*.rtf), Plain Text (*.txt), Excel Workbook (*.xlsx), Excel Workbook (*.xls), XPS Document (*.xps), CSV Document (*.csv), and XML (*.xml).

Report Types

The following types of reports are available in the Management Tool:

Grid Reports

- Alert Grid Report
  Contains the information about: All alert events on all selected Clients for the defined users and defined time interval.
  Consists of the following columns: Activity time; Alert name; Alert risk; Details
- Clipboard Grid Report
  Contains the information about: All Clipboard text data of all selected Clients for the defined users and defined time interval.
  Consists of the following columns: Activity time; Activity title; Application name; Clipboard Operation; Clipboard Text
- Detailed Activity Report
  Contains the information about: Information on all activities performed by a user on any Client computer in the network during the defined time interval.
  Consists of the following columns: Activity time; Activity title; Application name; URL; Text data

- Kernel-level USB Grid Report
  Contains the information about: All USB-device-related events detected by the kernel-level USB monitoring rules.
  Consists of the following columns: Time; Rule Name; Action (Blocked/Detected); Risk Level; Device Class; Device Details
- Keystroke Grid Report
  Contains the information about: All keystrokes of all selected Clients for the defined users and defined time interval.
  Consists of the following columns: Activity time; Activity title; Application name; Keystrokes (Smart); Keystrokes (Raw)
- Linux Grid Report (for Linux Clients)
  Contains the information about: All commands executed on Linux Clients. NOTE: Linux reports include only exec* and sudo commands.
  Consists of the following columns: Time; Command; Parameters; Function
- Session Grid Report
  Contains the information about: All sessions for all selected Clients for the defined users and defined time interval.
  Consists of the following columns: User name; Total time spent (hrs); Session Start Time; Last Activity Time; Remote IP
- USB Storage Grid Report
  Contains the information about: All detected USB devices on all selected Clients for the defined users and defined time interval.
  Consists of the following columns: Time (date and time of the USB Storage event); Details (description of the USB devices plugged into the Client computers)
- User Statistics Report
  Contains the information about: The statistic information on the user's total working time, on all user's sessions, and on all Client computers used by the user.
  Consists of the following columns: User name; Total time spent (hrs); Session Count; Computers; Remote IPs

Summary Reports

- Activity Summary Report (for Windows Clients)
  Contains the information about: Time spent by the user in each application (by application name) for the defined users and defined time interval. Idle time.
  Consists of the following columns: Application; Time spent (hrs)
- URL Summary Report (for Windows Clients)
  Contains the information about: Time spent by the user on each site (by domain name) for the defined users and defined time interval.
  Consists of the following columns: URL (only the main part of the URL, e.g., example.com, will be added to the report); Time spent (hrs)

Chart Reports

- Activity Chart Report (for Windows Clients)
  Contains the information about: The same information as in the Activity Summary Report, but in the form of a bar chart.
  Consists of the following columns: Application title; Total time spent (minutes)
- Activity Pie Chart Report (for Windows Clients)
  Contains the information about: The same information as in the Activity Summary Report, but in the form of a pie chart.
  Consists of the following columns: Application title; Time spent in the application (%)
- URL Chart Report (for Windows Clients)
  Contains the information about: The same information as in the URL Summary Report, but in the form of a bar chart.
  Consists of the following columns: URL (only the main part of the URL, e.g., example.com, will be added to the report); Total time spent (minutes)
- URL Pie Chart Report (for Windows Clients)
  Contains the information about: The same information as in the URL Summary Report, but in the form of a pie chart.
  Consists of the following columns: URL (only the main part of the URL, e.g., example.com, will be added to the report); Time spent on the website (%)

Scheduled Reports

About

The Management Tool allows creating reports via Report Scheduler and sending them to the defined email addresses with the defined time interval. Report creation is available to the user with the administrative Client installation and management permission.

The report creation and sending options are defined in rules, which include the following parameters: rule name and description, report type and format, state (enabled or disabled), generation frequency (daily, weekly, or monthly), Windows Clients/Client groups, and Users on Clients to which the rule must be applied.

The created rules are displayed on the Scheduled Reports page in the grid with the following columns:
- Name
- Description
- Assigned To
- Monitored Users
- State
- Frequency
- Recipients

Adding Report Rules

To add a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Scheduled Reports navigation link to the left and click Add rule.
3. On the Add rule page, on the Rule Properties tab, enter a unique name for the created rule and then optionally enter its description and select the Enable scheduled report generation option. Click Next.
4. On the Report Options tab, do the following and then click Next:
- Select one or several Report Types.
- Define the Report Parameters:
  o In the Report format field, select the format for the report.
  o In the Generate report field, select the frequency of report generation (Daily, Weekly, or Monthly).
  o In the Start report generation at field, define the time at which the report generation must be started.
  NOTE: Depending upon the Server load, the report generation can start a few minutes later than the set time. You can select the value from the drop-down list and edit it manually if you need to set your own number of minutes.
  o If the Weekly parameter is selected in the Generate report field, select the day of the week on which the report will be generated in the Day of week drop-down list.
  o If the Monthly parameter is selected in the Generate report field, select the day of the month on which the report will be generated in the Day of month drop-down list.
  NOTE: If the Monthly parameter is selected and you want the report to be generated on the 31st day of the month, it will be generated only in those months where there are 31 days.
- Define the custom header and footer for the report in the Header text and Footer text fields (the maximum length of the header and footer text is 1000 symbols).
- Enter the email addresses to which the report will be sent in the Emails field.
NOTE: Define the Sending Settings to receive the scheduled reports via email.

5. On the Assigned Clients tab, select the Windows Clients/Client Groups to which the rule will be applied and click Next. To find specific Windows Clients/Client Groups, enter their names in the Contains box and click Apply Filters.
6. On the Monitored Users tab, define the users whose activity will be included in the report:
- Select the Any user option if you do not need to specify the user whose activity will be added.
- In other case, select the Selected users option, click Add Users, and then do the following:
  1) Select the Display only users detected on selected Clients option above the grid in order to view only the list of users on Clients selected in the Clients section.
  2) Select the required users and then click Add selected.
  NOTE: Only those users whose activities have already been monitored are listed.
7. Click Finish.
8. The rule is added.
NOTE: The scheduled report rule can also be created by clicking Create Scheduled Report Rule on the Report Generator page.

Editing Report Rules

To edit a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click Edit Rule for the required rule.
4. Edit rule properties, report options, and define assigned Windows Clients and monitored users on the corresponding tabs in the same way as when adding a new rule.
NOTE: Click Next or Finish to save the changes on each tab.
5. The rule is edited.

Deleting Report Rules

To delete a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click Edit Rule for the required rule.
4. On the Rule Properties tab, click Delete Rule.
5. In the confirmation message, click Delete.
6. The rule is deleted.

Generating Reports from the Scheduled Report Rule

Once the scheduled report rule is created, you can generate a report from the Rule Properties tab any time.

To generate a report from the Scheduled Report Rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click Edit Rule for the required rule.
4. On the Rule Properties tab, click Generate Report.
5. The generation of the report starts.
6. The report can be viewed on the Scheduled Reports Generation Log page as soon as it is generated. If the Emails field contains one or more email addresses defined in the rule, the report will be sent to those addresses.
NOTE: If the generated report is not displayed on the Scheduled Reports Generation Log page, it is still being generated. Reload the page by pressing the F5 key until the report is displayed.

Frequency and Time Interval for Report Creation

The time interval of the data that is added to the report depends upon the report generation frequency.

If the report is generated on a daily basis, it will include the data that was monitored starting from the specified time of the previous day up till the specified time of the current day.
For example: If the Daily parameter is set and the report is to be generated on June 13 at 17:00, the time interval of the data for this report will start on June 12 at 17:00 and end on June 13 at 17:00.

If the report is generated on a weekly basis, it will include the data that was monitored starting from the specified time and day of the previous week up till the specified time and day of the current week.
For example: If the Weekly parameter is set and the report is to be generated on Monday at 18:00, the time interval of the data for this report will start on Monday of the previous week at 18:00 and end on Monday of the current week at 18:00.

If the report is generated on a monthly basis, it will include the data that was monitored starting from the specified time and day of the previous month up till the specified time and day of the current month.

For example: If the Monthly parameter is set and the report is to be generated on January 20 at 19:00, the time interval of the data for this report will start on December 20 at 19:00 and end on January 20 at 19:00.
NOTE: If the Monthly parameter is selected and you want the report to be generated on the 31st day of the month, it will not be generated in those months where there are 30 days or less.

If the monthly report is set to be generated on the 31st day of the month, but there were fewer than 31 days in the previous month, the time interval of the data for this report will start on the last day of the previous month and end on the 31st day of the current month.
For example: If the report is generated on March 31, the time interval of the data for this report will start on February 28 or February 29 and end on March 31.

If the report is generated from the scheduled report rule, the time interval of the data for the report will depend upon the current date and time.
For example:
- If the Daily parameter is set in the rule and the Start report generation parameter is set to 15:00, and you want to generate the report at 14:00, the time interval of the data for the report will start from 14:00 of the previous day and end at 14:00 of the current day.
- If the Weekly parameter is set in the rule and the Day of week parameter is set to Wednesday, and you want to generate the report on Friday at 12:00, the time interval of the data for the report will start from Friday of the previous week at 12:00 and end on the current day at 12:00.
- If the Monthly parameter is set in the rule and the Day of month parameter is set to the 15th day of the month, and you want to generate the report on May 10 at 10:00, the time interval of the data for the report will start from April 10 at 10:00 and end on the current day at 10:00.
NOTE: If there are too many activities in the defined time interval, the report may become too large. The generated report file cannot exceed the size of allowed SMTP server attachments.

Viewing Logs

For each rule, the user can see the log which contains the information on the time when the report was generated, report name (file name) and type, report generation result (status), number of results in the report, and the emails to which the report was sent.
NOTE: Only the last 100 records are stored.

To view the logs, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.

2. Click the Scheduled Reports navigation link to the left.
3. Click View Log for the required rule.
4. On the Scheduled Reports Generation Log page, the logs are displayed in the grid with the following columns:
- Generated (Time when the report was generated)
- File Name (Report name)
- Report Type
- Status (Finished, In Progress, or an error reason in case the error occurred during report generation)
- Results Count (Number of results in the report)
- Sent To
5. Click the Download link to download the report to your computer.
6. Click the Delete link to delete the report from the log and from the Server.

Report Generator

About

The reports can be generated on the Report Generator page by the user with the Viewing monitoring results permission and can be previewed before printing. The main difference between Report Scheduler and Report Generator is that Report Generator allows you to create reports for a time interval of any length. However, generating a report for a long time interval and a large number of Windows Clients may take a long time.
NOTE: You can generate only one type of report at a time via Report Generator.

Report Parameters

The following parameters are defined in the Management Tool when creating a report:
1. Report parameters: This option allows you to select the type of the report and enter its custom Footer text and Header text.
2. Date filters: This option allows you to define the time interval for which the report will be generated.
3. Clients: This option allows you to select the Clients/Client groups whose monitored data will be added to the report.
NOTE: Only Clients for which the user has the Viewing monitoring results permission are displayed.
4. Users: This option allows you to select the users of Client computers whose activity will be included in the report.

Generating Report

To generate a report, do the following:
1. Log in to the Management Tool as a user with the Viewing monitoring results permission.
2. Click the Report Generator navigation link to the left.
3. Define the report parameters:
   - Select the type of the report and enter its Footer and Header text.
   - In the From and To fields, enter the dates and time within which the data of the monitored Clients should be added.
   - Click Add Clients and on the opened Adding Clients page select the check boxes next to the corresponding Clients/Client groups. Once the Clients are selected, click Add selected.
   - Define the users whose activity will be included in the report:
     o Select the Any user option if you do not need to specify the user whose activity will be added.
     o Otherwise, select the Selected users option, click Add Users, and then do the following:
       1) Select the Display only users detected on selected Clients option above the grid in order to view only the list of users on Clients selected in the Clients section.
       2) Select the required users and then click Add selected.
     NOTE: Only those users whose activities have already been monitored are listed.
4. Click Generate Report.
5. On the opened Report Preview page, click the corresponding icons located on the toolbar above the report to perform the following actions:
   - Print the report
   - Print the current page
   - Export and save the report to the disk
   - Export a report to *.xml format and save it to the disk
   You can also navigate between the pages of the report by clicking the blue arrows and choose the format of the report by clicking the black arrow that opens a drop-down list with all supported formats.

Creating a Scheduled Report Rule from the Report Generator Page

Once the parameters for the report are defined, you can create a scheduled report rule based on the defined parameters.

To create a rule, do the following:
1. Log in to the Management Tool as a user with the Viewing monitoring results permission.
2. Click the Report Generator navigation link to the left.
3. Define the report parameters.
4. On the Report Generator page, click Create Scheduled Report Rule.
5. The Editing Rule page opens.
6. On the Rule Properties tab, enter a unique name for the created rule and then optionally enter its description. The default name of the rule is GeneratorRule<number of rule>.
7. Click Next.
8. On the Report Options tab, enter the corresponding values in the Report Parameters fields and the emails field in the same way as when adding a new report rule. The other parameters, such as Report Type, Header and Footer text, Clients, and Users, were defined in Report Generator, but you can edit them if you want.
9. Click Finish.

USB Monitoring & Blocking

About

There are two types of monitoring of USB devices available:
- USB-based storage monitoring: allows you to view information on the plugged-in devices detected by Windows as mass storage. This monitoring is performed automatically and does not require enabling any additional settings for a Client. The information on detected USB devices is displayed in the Session Viewer.
- Kernel-level USB monitoring: provides you with the means for an in-depth analysis of plugged-in devices. By adding kernel-level USB rules, you can perform the following actions:
  o Monitoring: allows you to view information on the detected devices in the Session Viewer.
  o Sending notifications: allows you to receive notifications (by email or in the Tray Notifications app) when a device is connected to the Client computer.
  o Blocking: allows you to prevent the USB device from being used. In this case, the user may be informed that the device on their computer is blocked.

It is also possible to create a list of devices that must not be monitored or blocked.

WARNING! It is recommended to add all the allowed USB devices to exceptions so that they are not blocked accidentally.

Monitored Devices

For USB-based storage monitoring, the following mass storage devices are automatically monitored and alerted: external magnetic hard drives, external optical drives (including CD and DVD reader and writer drives), portable flash memory devices, solid-state drives, adapters between standard flash memory cards and USB connections, digital cameras, digital audio and portable media players, card readers, PDAs, and mobile phones.

For kernel-level USB monitoring, the following classes of devices are monitored, blocked, and alerted:
- Mass storage devices: external magnetic hard drives, external optical drives (including CD and DVD reader and writer drives), portable flash memory devices, solid-state drives, adapters between standard flash memory cards and USB connections, digital cameras, digital audio and portable media players, card readers, PDAs, and mobile phones.
- Windows portable devices: audio players, phones, and other devices that use a nonstandard identifier.
- Wireless connection devices: Bluetooth adapter, Microsoft RNDIS.
- Modems and Network adapters: network interface controllers.
- Audio devices: speakers, microphones, sound cards, MIDIs, etc.
- Video devices: web cameras.
- Human interface devices: keyboards, computer mouse devices, joysticks.
- Printer devices: laser printers, inkjet printers, CNC machines.
- Composite devices: devices that consist of one or a few more devices (e.g. keyboards with USB ports).
- Vendor-specific devices: devices which require vendor-specific drivers and whose class is defined by the vendor.
  WARNING! Selecting this type of device might result in blocking any USB device.

Each class has its own name (e.g., 00, 01, 02, etc.), which can be viewed in the device properties. The class name allows you to determine which class the detected device belongs to. For more information, check these links:

To view the name of the USB device class, do the following:
1. Plug the device into your computer.
2. Right-click Computer and select Manage.
3. The Computer Management window opens.
4. Expand the Device Manager node.
5. Expand the node with the name of the computer in the central pane.
6. Select the Universal Serial Bus controllers node in the list and expand it.
7. Find the device, the class of which you want to view, right-click it and select Properties.
8. In the opened window, select the Details tab, then select Compatible Ids in the Property drop-down list, and view the necessary information in the Value field.
9. Click OK or Cancel to close the window.

Kernel-Level USB Monitoring Rules

About

In order to monitor and block the devices which are plugged into the computer, the user needs to create rules in the Management Tool. The rules can be created and assigned to the Clients by the user with the administrative Client installation and management permission.

The created USB Monitoring rules are displayed on the USB Monitoring Management page in the Management Tool in a grid with the following columns:
- Name
- Description
- Risk
- State
- Action
- Assigned to (Clients group)

Adding USB Monitoring Rules

To add a new rule, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Add Rule.
4. On the Add USB Rule page, on the USB Rule Properties tab, define the following properties and then click Next:
   - Enter a unique name for the rule.
   - Optionally enter the rule description.
   - Select the Enable USB rule option to enable the rule.
   - Select the risk level.
5. On the Rule Conditions tab, do the following:
   - Add the classes of devices to be monitored to the Monitored Devices list.
   - Define the exceptions for the devices to be skipped while monitoring.
6. On the Action tab, define what happens when a device from the list of monitored devices is used on the target computer by selecting the following options:
   - Block USB device: allows you to prevent the user from using the USB device from the Monitored Devices list on the target computer. This option affects all the users, regardless of the user filtering settings.
   - Notify the user on target computer about device blocking: allows you to define the custom text to be displayed in a balloon notification on the Client computer (maximum 250 characters).
   - Send notification to: allows you to receive an alert notification on USB device detection via email.
     NOTE: To receive email notifications correctly, make sure that the email sending settings contain correct parameters for email sending.
   - Display tray notification: allows you to receive an alert notification on USB device detection via the Tray Notification app.
   If you do not select any of the actions, the detected USB devices will be monitored and displayed in the Session Viewer only.
7. On the Assigned Clients tab, select the Clients/Client Groups to which the rule will be applied, and click Next. To find specific Clients/Client Groups, enter their names in the Contains box and click Apply Filters.
8. Click Finish.
9. The rule is added.

Editing USB Monitoring Rules

To edit a rule, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Edit Rule for the required rule.
4. Edit rule properties on the corresponding tabs in the same way as when adding a new rule and click Finish.
5. The rule is edited.

Deleting USB Monitoring Rules

To delete a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Edit Rule for the required rule.
4. On the USB Rule Properties tab, click Delete Rule.
5. In the confirmation message, click Delete.
6. The rule is deleted. If some plugged-in devices were blocked in accordance with the rule, the user will have to remove the devices and plug them back in.

Defining Exceptions for USB Rules

The list of exceptions for USB devices includes the devices that are not monitored or blocked. Unlike the Monitored Devices list, which contains classes of devices, the exceptions are separate devices added individually. The exceptions can be added on the Rule Conditions tab when adding or editing the rule.

If you want to block vendor-specific devices, make sure you have added all allowed user devices to the list of exceptions.

To add an exception, do the following:
1. On the Rule Conditions tab, click Add.
2. On the Add Exception page, select one of the following radio buttons:
   - Quick selection: allows you to enter your Device Hardware ID.
   - Custom selection: allows you to enter the Vendor ID (VID), Product ID (PID), Revision, and Serial in the corresponding fields.
   NOTE: The Vendor ID (VID) and the Product ID (PID) are required fields; Revision and Serial are optional fields.
3. Optionally, enter a description in the Description field.
4. Click Add.
5. The specified device is added to the list of exceptions.
6. Click Finish to save the USB monitoring rule.
7. The rule is edited.

Viewing Device Hardware ID

To view the Device hardware ID, do the following:
1. Plug the device into your computer.
2. Right-click Computer and select Manage.
3. The Computer Management window opens.
4. Expand the Device Manager node.
5. Expand the node with the name of the computer in the central pane.
6. Select the Universal Serial Bus Controllers node in the list and expand it.
7. Find the device, the information of which you want to view, right-click it and select Properties.
8. In the opened window, select the Details tab, then select Hardware Ids in the Property drop-down list, and view the necessary information in the Value field.
9. Click OK or Cancel to close the window.
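The interaction between the class-based Monitored Devices list and the per-device exceptions can be checked before a blocking rule is rolled out. The following is an added example, not Ekran System code: it parses the Hardware Ids and Compatible Ids strings that Device Manager shows and lists allowed devices that a rule would still block. The rule model, the device names, and all VID/PID/serial values are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hardware ID as shown under Details > Hardware Ids, e.g. USB\VID_1234&PID_ABCD&REV_0100
HWID_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&REV_([0-9A-F]{4}))?", re.I)
# Compatible ID as shown under Details > Compatible Ids, e.g. USB\Class_08&SubClass_06&Prot_50
CLASS_RE = re.compile(r"^USB\\(?:Dev)?Class_([0-9A-F]{2})", re.I)


@dataclass(frozen=True)
class Device:
    name: str                        # label used only in this example
    hardware_id: str
    compatible_ids: Tuple[str, ...]
    serial: Optional[str] = None


@dataclass(frozen=True)
class RuleException:
    vid: str                         # required, as on the Add Exception page
    pid: str                         # required
    revision: Optional[str] = None   # optional
    serial: Optional[str] = None     # optional


@dataclass
class UsbRule:                       # hypothetical model of a rule, not the product's schema
    monitored_classes: Set[str]      # two-digit class names such as "08"
    exceptions: List[RuleException]
    block: bool = False


def parse_hardware_id(hwid: str):
    """Return (VID, PID, REV or None) in upper case, or None if the string is not a USB hardware ID."""
    m = HWID_RE.match(hwid.strip())
    if not m:
        return None
    vid, pid, rev = m.groups()
    return vid.upper(), pid.upper(), rev.upper() if rev else None


def device_classes(dev: Device) -> Set[str]:
    """Collect the class names found in the device's compatible IDs."""
    found = set()
    for cid in dev.compatible_ids:
        m = CLASS_RE.match(cid.strip())
        if m:
            found.add(m.group(1).upper())
    return found


def exception_matches(exc: RuleException, dev: Device) -> bool:
    ids = parse_hardware_id(dev.hardware_id)
    if ids is None:
        return False
    vid, pid, rev = ids
    if (vid, pid) != (exc.vid.upper(), exc.pid.upper()):
        return False
    # Optional fields narrow the match only when they are filled in.
    if exc.revision is not None and rev != exc.revision.upper():
        return False
    if exc.serial is not None and dev.serial != exc.serial:
        return False
    return True


def evaluate(rule: UsbRule, dev: Device) -> str:
    """Return 'ignore', 'exception', 'block' or 'monitor' for one device."""
    if not (device_classes(dev) & rule.monitored_classes):
        return "ignore"
    if any(exception_matches(e, dev) for e in rule.exceptions):
        return "exception"
    return "block" if rule.block else "monitor"


def allowed_but_blocked(rule: UsbRule, allowed: List[Device]) -> List[str]:
    """Names of approved devices the rule would still block (missing exceptions)."""
    return [d.name for d in allowed if evaluate(rule, d) == "block"]


# Constructed sample inventory: two sticks of the same model and one keyboard.
MASS = (r"USB\Class_08&SubClass_06&Prot_50", r"USB\Class_08&SubClass_06", r"USB\Class_08")
STICK_A = Device("stick-A", r"USB\VID_1234&PID_ABCD&REV_0100", MASS, serial="AAAA0001")
STICK_B = Device("stick-B", r"USB\VID_1234&PID_ABCD&REV_0100", MASS, serial="BBBB0002")
KEYBOARD = Device("keyboard", r"USB\VID_5678&PID_0001&REV_0200",
                  (r"USB\Class_03&SubClass_01&Prot_01", r"USB\Class_03"))
# Blocking rule for mass storage with an exception pinned to one serial number.
RULE = UsbRule({"08"}, [RuleException("1234", "abcd", serial="AAAA0001")], block=True)

if __name__ == "__main__":
    for dev in (STICK_A, STICK_B, KEYBOARD):
        print(dev.name, "->", evaluate(RULE, dev))
    print("allowed but blocked:", allowed_but_blocked(RULE, [STICK_A, STICK_B, KEYBOARD]))
```

An exception that carries only VID and PID covers every unit of that model, while adding Serial pins it to one physical device, so the second stick of the same model is reported as still blocked.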

Configuration

Defining Email Sending Settings

Email sending settings allow you to define the options of sending email notifications for all alerts, USB monitoring, and reports via email. Their editing is available for users with the administrative Client installation and management permission.

To define email sending settings, click the Configuration navigation link to the left and open the email sending settings tab. The settings include:

1. Connection Settings
   - Server: This option allows you to define an existing SMTP mail server.
     NOTE: The delivery of email notifications via mail servers with only NTLM authentication, such as Microsoft Exchange Server, is not supported.
   - From: This option allows you to define an existing email account from which the notifications will be sent.
   - Port: This option allows you to define the server port number via which the emails will be sent.
   - Encrypted connection type: This option allows you to define the type of encrypted connection via which the email notifications will be sent. You can choose between:
     - None
     - SSL
     - TLS
2. Connection Credentials
   This option allows you to define the login details (User and Password) for the server.
   NOTE: For the email notifications to be sent correctly, you have to define the credentials of the account specified in the From field under the Connection Settings. If the mail server does not require entering any credentials, you can select the No authentications option.
3. Connection Test
   This option allows you to send a test email to a specified email address to check if all connection settings are correctly defined.

Defining Player Link Settings

This option allows you to define the Management Tool domain name that will be used in the link to the Session Viewer in alert notifications, in the Tray Notifications application journal, and in emails. The domain name must be entered in the following format: Tool computer name or IP>/EkranSystem.

Defining CEF Log Settings

CEF log settings allow you to enable creation of a CEF log file, define the data to be written to it, and the cleanup frequency. CEF log files can be viewed and analysed with the help of the Splunk and ArcSight monitoring software.

Editing of CEF log settings is available for users with the administrative Database management permission.

NOTE: The Advanced SIEM Integration functionality is available only if you have an activated Enterprise serial key.

To define CEF log settings, click the Configuration navigation link to the left and open the ArcSight Integration tab. The settings include:

1. CEF Log Settings
   - Create a log file: This option allows you to enable a CEF log file creation.
   - Log file location: This option allows you to define the location to store a CEF log file.
   - Date format: This option allows you to define the date format to be used in a CEF log file.
2. CEF Log Contents
   In this section, you can define the data to be written to a CEF log file.
   - Windows and Linux Client records: This option allows adding all session records of Windows and Linux Clients to a CEF log file.
   - Alert events: This option allows adding all alert events of Windows and Linux Clients to a CEF log file.
3. CEF Log Cleanup Settings
   In this section, you can define the parameters for the cleanup operation.
   - Cleanup daily at: This option allows you to define the time to execute the cleanup operation on a daily basis.
   - Cleanup every: This option allows you to define the frequency of the cleanup operation.
   - Maximum file size (GB): This option allows you to define the maximum size of a CEF log file.

NOTE: During each cleanup operation, the current CEF log file is renamed (the date and time of the cleanup operation is added to its name) and a new one is created in the same folder. To avoid running out of space on the Server computer where the CEF log files are stored, it is recommended to check the used disk space regularly and delete the log files that are no longer in use.

Defining Ticketing System Integration Settings

Ticketing system integration settings allow you to enable integration with the ticketing system and define the access parameters for it. Currently, integration with the SysAid ticketing system is available. If you want Ekran System to be integrated with any other ticketing system, contact our support team:

Editing of ticketing system integration settings is available for users with the administrative Database management permission.

NOTE: The Ticketing System Integration functionality is available only if you have an activated Enterprise serial key.

The settings include:
- Enable authentication via ticketing system: This option allows you to enable integration with the ticketing system.
- Ticketing system URL: This option allows you to define a valid URL address for the ticketing system.
  NOTE: For the SysAid ticketing system, the URL must be entered in the following format: <SysAid URL>/services/SysaidApiService
- Account name: This option allows you to define the name of the account the serial key is associated with.
- Login: This option allows you to define the login of the user account used to access the ticketing system.
- Password: This option allows you to define the password of the user account used to access the ticketing system.

Defining LDAP Targets

About

You can integrate Ekran System with various domains by creating a connection with their Active Directory Domain Controllers. In this way, you can add domain users/user groups, allowing them to access the Management Tool and Client computers with enabled Forced User Authentication.

For each LDAP target, you have to specify the LDAP path and credentials of a domain user for the Ekran Server to be able to establish connection with the domain controller.

Automatic LDAP Target

If Ekran System Server is to be installed on a machine that is a member of an Active Directory domain, this domain will be automatically added to the LDAP targets during the Server installation. It will be marked as the automatic LDAP target.

If the machine with Ekran System Server has been added to a domain after the Server installation or has been moved to another domain, you can add/update the automatic LDAP target manually. In addition, you can change the credentials of the domain user, which are saved for the automatic LDAP target, by clicking Edit for this target and specifying new credentials on the Edit LDAP Target page.

To add/update the automatic LDAP target manually, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Refresh Automatic LDAP Target.
4. If there is no automatic LDAP target, it will be added. If there is an automatic LDAP target added, it will be updated.

Adding LDAP Target Manually

To add a new LDAP target manually, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Add LDAP Target.
4. On the Add LDAP Target page, define the following parameters and then click Finish:
   - LDAP Path: Define the LDAP path for the Active Directory domain controller you want to connect to in the following format: LDAP://<Domain Controller name or IP address>/dc=<domain name>,dc=<suffix>
   - User: Define the name of the user belonging to the Active Directory domain you want to connect to.
   - Password: Define the password of the user account belonging to the Active Directory domain you want to connect to.
5. On the LDAP Targets tab, a new LDAP target is displayed in the grid.

Editing LDAP Target

To edit the existing LDAP target, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Edit in the grid.
4. On the Edit LDAP Target page, edit the LDAP target parameters and then click Finish.

Deleting LDAP Target

To delete the existing LDAP target, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Delete in the grid.
4. In the confirmation message, click Delete.
5. The LDAP target is deleted from the grid. The users from the corresponding domain will be unable to access the Management Tool and the Client computers as Forced Authentication users anymore.

Viewing Monitoring Results

Session List

About

Monitored data received from Windows and Linux Clients is organized into sessions.

The Windows Client session includes screen captures and metadata associated with them (application name, activity title, captured keystrokes, clipboard text data, and URLs). Windows Clients start recording screen captures in a new session every time the computer is restarted. The maximum duration of one session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from live to finished), new live sessions automatically start.

The Linux Client session contains the list of executed commands, their parameters, and functions. Linux Clients start recording a new monitoring session each time the terminal is opened. There is no time limitation for a Linux Client session.

Client Sessions List

To view monitored sessions, click the Monitoring Results navigation link to the left and then open the Client Sessions tab. The Client Sessions tab is divided into two panes:
- Search & Filtering pane
- Sessions grid

The search pane allows you to perform search in the session data. The list of all sessions is displayed in the form of a grid. The grid includes the following information:
- Alerts: Allows opening all alert events for the session in the Alert viewer. The colour of the alert icon corresponds to the highest alert risk level detected in the session.
- User name: Displays the name of the user logged in to the Client computer.
  NOTE: If Forced User Authentication is enabled on the Client installed on the computer with Windows Server operating system, the user name is displayed as: <logged in Windows user> (<secondary authentication user> or <user's email>).
- Client Name: Displays the name of the computer on which the Client is installed.
- OS: Displays the operating system type (Windows or Linux).
- Type: Displays the session type (Live or Finished).
- Start: Displays the date and time when the session started.
- Last Activity: Displays the date and time of the last made screen capture or executed Linux command.
- Finish: Displays the date and time when the session finished. If the session has the Live status, this field is empty.
- IPv4: Displays the IPv4 address of the Client computer.
- IPv6: Displays the IPv6 address of the Client computer.
- Remote IP: Displays the address from which the user logged in to the Client computer.
- Domain: Displays the name of the domain to which the Client belongs.
- User's comment: Displays the user's comment entered on the login to the Client computer.
- Client Description: Displays the custom Client description.
- Client Group: Displays the name of the Client Group to which the Client belongs. If the Client belongs to the All Clients group only, the column is empty.

NOTE: If the user logs into the current session of the Client computer remotely using one of the following remote desktop applications, the remote IP address will not be detected: DameWare, Radmin, UltraVNC, or TightVNC.

Filtering Sessions

A user can filter sessions by metadata in one of the following ways:
- By specific parameters
- By searching in session data

Filtering by Specific Parameters

This type of filtering allows you to filter sessions by a set of specific parameters. The filtering parameters are applied instantly. You can filter sessions by multiple criteria. For each non-date filter, you can select more than one filtering parameter. With each selected parameter, the session list is re-filtered.

By default, the following filters are displayed:
- Who: Allows filtering sessions by a specific user logged into the Client computer.
- Where: Allows filtering sessions by a specific Client.
- When: Allows filtering sessions by the time period. The result session list includes all sessions containing the activities for the set period. To set the time period, select one of the following:
  - Define the number of latest hours, days, or weeks.
  - Define the start date and the end date of the time period.

To add other filters, click More criteria and select a filter from the opened list:
- Type: Allows filtering sessions by their type (Live or Finished).
- OS: Allows filtering sessions by the operating system type (Windows or Linux).
- Start: Allows filtering sessions by the date and time the session started.
- Last Activity: Allows filtering sessions by the date and time of the last screen capture or executed Linux command.
- Finish: Allows filtering sessions by the date and time the session finished. If the session has the Live status, this field is empty.
- IPv4: Allows filtering sessions by the IPv4 address of the Client computer.
- IPv6: Allows filtering sessions by the IPv6 address of the Client computer.
- Remote IP: Allows filtering sessions by the IP address from which the user logged in to the Client computer.
- Domain: Allows filtering sessions by the name of the domain to which the Client belongs.
- Client Description: Allows filtering sessions by the custom Client description.
- Client Group: Allows filtering sessions by the name of the Client Group to which the Client belongs.
- User's Comment: Allows filtering sessions by the comment entered to the additional message.

To remove the extra filter from the filtering pane, click X on the filter button.

Searching in the Session Data

You can search for sessions using a search expression (keyword). You can find sessions containing the search expression in:
- Application names
- Activity titles
- Keystrokes
- Clipboard text data
- URLs
- Linux commands and parameters
- Alert names
- USB rule names

In the dropdown list, you can define the number of sessions to perform search in. The search is performed in the sessions displayed in the Session grid in accordance with the session sorting order.

Sorting Sessions

To sort sessions in the Session grid, click the required column header. You can change column sort order from ascending to descending, and vice versa. To do this, click the Sort arrow near the column header. If data is not sorted by this column, the Sort arrow is hidden.

Playing Sessions

About

The Session Viewer is a part of the Management Tool that provides the possibility to view monitored data within one selected session. To open the Session Viewer, select one of the sessions in the Sessions grid on the Monitoring Results page and click on it.

Session Viewer Interface

By default, the Session Viewer interface is divided into the following areas:
- Session Player pane: Allows viewing screen captures made from the computer on which the Windows Client is installed, or visually recreated interactive data of the recorded Linux terminal (input and output as the user sees them in the terminal). The navigation section allows you to manage the playback of the video of screen captures or commands.
- [Windows Client] Details pane: Allows you to view the keystrokes and the clipboard text data associated with the selected screen capture, USB device information, and URL addresses of websites visited by a user.
- Metadata pane: Displays the session data in the form of grid, which includes:
  o Activity time, Activity title, Application name, Text data, Alert/USB rule name, and URLs for Windows Clients;
  o Activity time, Command, Function, Parameters, and Alert name for Linux Clients.

Session Player

The Session Player allows viewing screen captures made from the computer on which the Windows Client is installed, or graphic representation of the recorded Linux terminal (input and output as the user sees them in the terminal). You can view them separately by selecting the required record from the Metadata grid or play all monitored data in the form of video.

The following actions are available:
- To play/pause the video playback, click Play/Pause.
- To move from one record to another, click To the beginning, To the end, Previous, or Next.
- To open the Player to the full-screen mode, double-click the Player or.
- To return from the full-screen mode, double-click the Player or.
- To move from one monitor to another in the Client sessions with multiple monitors, click All, 1, 2, etc.
- To define the speed with which monitored data changes in the Player area, click. The available speed options are 1/2/4/8/16 frame(s) per second.
- To block the user, click.
- To view the list of alert events for this session in the Alert viewer, click.
- To receive the link to a certain position in the session, click.
- To download a displayed screen capture, click.
- To perform forensic export, click.
- To view the Live session in the real-time, click.

Magnifier

If you need to view data displayed in the Player in detail, use the Magnifying Glass option.

To enlarge a certain part of the played data, do the following:
1. Click the Magnifying Glass.
2. The Magnifier window opens on the right.
3. Move the rectangle across the displayed data.

To turn off the Magnifying Glass, click the Magnifying Glass again.

201 Viewing Monitoring Results Getting Data URL The Get data URL feature allows receiving the link of the certain position of the session. You can use this URL to: Open the Session Viewer for playing the required session from the same position; Bookmark certain position in the session using the browser bookmarking mechanism. To get data URL, do the following: 1. Click on the Navigation pane under the Player. 2. The URL Data window opens. 3. Copy the URL and click Close. 4. Enter the copied URL into the browser address bar. 5. The Session Viewer opens. NOTE: If you are logged out, the login page opens before Session Viewer. 6. The Player starts playing records from the selected position in the session. Metadata Grid Metadata grid is located to the right of the Player. It contains detailed information on monitored user activity. Information is displayed in the grid with the following columns: [Windows Client] Activity Time: Displays the date and time when the screen capture was executed. Activity Title: Displays the name of the active window that is associated with the screen capture. Application Name: Displays the name of the application started on the Client computer. URL: Displays the top and second-level domain name of the visited web resource. Text Data: Displays the keystrokes typed by the user and clipboard text data. Alert/USB Rule: Displays the name of the triggered alert or USB rule. The colour of an alert highlighting corresponds to the alert risk level. o The alerts with the critical risk level will be highlighted in red colour. o The alerts with the high risk level will be highlighted in yellow colour. o The alerts with the normal risk level will be highlighted in blue colour. [Linux Client] Activity Time: Displays the date and time when the command was executed. Command: Displays the command being executed. Function: Displays the system call made. Parameters: Displays the full parameters of the executed command. 201

202 Viewing Monitoring Results Alert: Displays the name of the triggered alert. The colour of an alert highlighting corresponds to the alert risk level. o The alerts with the critical risk level will be highlighted in red colour. o The alerts with the high risk level will be highlighted in yellow colour. o The alerts with the normal risk level will be highlighted in blue colour. By default, the data is sorted by Activity Time. You can change the order and size of the columns. Player and Metadata Synchronization The Session Viewer can work in two modes: In the Synced View mode, data in the Metadata grid and Player are synchronized while session playing, i.e., metadata associated with the data being currently played is highlighted in the Metadata grid. This mode is available unless any filtering and searching is performed in the Metadata grid. In the Filtered View mode, data in the Metadata grid and Player are not synchronized while session playing. In this mode, the Player displays all data in the session, whereas data is Metadata grid is being filtered and searched. After selecting the session in the Client Sessions list without previous searching, the Player opens in the Synced View mode. As soon as you perform any filtering or searching, the Synced View mode is automatically changed to the Filtered View mode. To switch the modes, click Back to Synced View/Back to Filtered View above the Metadata grid. Filtering Data You can filter the metadata in the Metadata grid on the Player page in one of the following ways: Via searching Via filtering by column After data filtering, the Session Player switches to the Filtered View mode. Filtering via searching The Search field allows you to find metadata containing search expression in: Activity title Application Name Keystrokes Clipboard text data USB Device Info URL Linux Command 202

- Linux Command Parameters
- Linux Functions

To find the required metadata, enter the keyword into the Search field and press Enter. Data in the Metadata grid is filtered according to the search expressions.

Filtering by Column

You can filter sessions using the dropdown menu near the column header in the Sessions grid.

To filter sessions by a non-date field (Client name, OS, User name, etc.), click near the required column name, select one or several options, and then click OK.

To filter sessions by a date field (Start, Last Activity, or Finish), click near the required column name, select the From and To dates in the dropdown menu, and then click OK.

You can filter data by multiple fields.

Sorting Data

To sort metadata in the Metadata grid, click the required column header. You can change the column sort order from ascending to descending, and vice versa. To do this, click the Sort arrow next to the column header. If the data is not sorted in this column, the Sort arrow is hidden.

Live Sessions

The Session Viewer allows you to view Client Live sessions in real time, i.e., while the monitoring of the Client computer is still in progress.

To play a live session, do the following:
1. Click on the session with the type Live in the Client Sessions grid.
2. The Session Player opens in the full screen mode. The Metadata grid is hidden.
3. Data in the Player is refreshed as soon as new monitored data is received from the Client.

To stop playing the Live session, click. After this, data stops auto-updating and the session can be played in the same way as Finished sessions. To resume playing the Live session, click.

NOTE: If you are viewing the session of a Windows Client with the Capture screen on each event without timeout option enabled, it may affect CPU usage and cause performance slowdown due to the great number of received screen captures.

Windows Client Sessions

Playing Windows Sessions

A user starts playing a Windows session by clicking on the required session in the Client Sessions list. The session is opened in a new tab or a new window depending on your browser settings.

While playing Windows sessions, you can view screenshots in the Player pane and associated metadata (Application name, Activity title, URL, keystrokes, clipboard text data) in the Metadata grid. If data containing keystrokes or clipboard text data is selected in the Metadata grid, the detailed information is displayed in the Details pane.

Viewing Keystrokes

The captured keystrokes are displayed in the Text data column in the Metadata grid. When you select a record in the Metadata grid, the keystrokes associated with it are displayed in the Details pane below the Player pane.

By default, only text characters are displayed. You can enable displaying all logged keystrokes (e.g., navigation keys, function keys, etc.) by clearing the Show only text characters option. Any other keys and key combinations will then be displayed in square brackets. If a key was pressed repeatedly, it will be displayed with an "x" sign and the number of repetitions (e.g., [F12 x 24]).

If the user types text using the arrow keys (left/right) and the Backspace or Delete keys, these keys are processed by the system to edit the logged keystrokes. When the keystrokes are edited, only the end result of the text that the user meant to type is displayed in the Details pane. To see this result, the Show only text characters option must be selected.

For example: If the user types Helo and then uses the left arrow to go back and correct the word by typing another l, the word Hello will be displayed in the Details pane, instead of Helol.

Figure: Presentation of keystrokes with the selected Show only text characters option.

Figure: Presentation of keystrokes with the unselected Show only text characters option.

Please note that if the SmoothMode parameter (a screenshot creation on each event without timeout) is enabled for the Client, the keystrokes are not edited.

If the user corrects the word using a mouse, the keystrokes are not edited. For example: If the user types Fried and then uses the mouse to go back and correct the word by typing the letter n, the word Friedn will be displayed in the Details pane, instead of Friend.

If the user types the text in different applications, the logged keystrokes are split according to screen captures. For example: If the user types Hello in Skype and then opens Word and types Ok, the word Hello will be displayed next to the screen capture associated with Skype, and the word Ok will be displayed next to the screen capture associated with Word, instead of HelloOk.

NOTE: If the Enter key was pressed during input, the log will be split in the list of screen captures. However, to maintain text integrity, the keystroke lines having the same Title-Application pair will be put together in the keystrokes box.

Viewing Clipboard Text Data

The captured clipboard text data includes text which has been copied or cut and then pasted into documents, files, applications, the browser address line, etc. on the Client computers. The Client monitors the Copy, Cut, and Paste operations performed by using either the context menu commands or such key combinations as Ctrl+C, Ctrl+Ins, Ctrl+X, Shift+Del, etc.

The captured clipboard text data is displayed in the Text data column in the Metadata grid. It has a label specific to the performed operation:
- [Clipboard (Copy)]
- [Clipboard (Paste)]

When you select a record in the Metadata grid, the clipboard text data associated with it is displayed in the Details pane below the Player pane.
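The keystroke presentation rules described under Viewing Keystrokes can be reproduced on a recorded key sequence. The following Python sketch is an added example, not Ekran System code: the event model (one string per key press, named keys such as Left or F12), the function names, and the reading of "not edited" as plain concatenation of text characters are assumptions made for illustration.

```python
from itertools import groupby

# Added example: models how a reviewer-facing viewer could present logged keys.
# Assumption: a text key is logged as a single character, any other key by name.


def is_text(key):
    """Return True for text characters, False for named keys such as 'Left'."""
    return len(key) == 1


def render_all_keys(keys):
    """View with 'Show only text characters' cleared.

    Named keys appear in square brackets; a named key pressed repeatedly is
    collapsed to '[Key x N]'. Collapsing only named keys is an assumption.
    """
    out = []
    for key, run in groupby(keys):
        count = len(list(run))
        if is_text(key):
            out.append(key * count)
        elif count > 1:
            out.append(f"[{key} x {count}]")
        else:
            out.append(f"[{key}]")
    return "".join(out)


def render_text_only(keys, apply_edits=True):
    """View with 'Show only text characters' selected.

    With apply_edits=True the Left/Right/Backspace/Delete keys edit the text,
    so only the end result is returned. apply_edits=False models the cases the
    page lists as 'not edited' (for example SmoothMode), assumed here to mean
    the text characters are shown in the order they were typed.
    """
    if not apply_edits:
        return "".join(k for k in keys if is_text(k))
    buf, cursor = [], 0
    for key in keys:
        if is_text(key):
            buf.insert(cursor, key)
            cursor += 1
        elif key == "Left":
            cursor = max(0, cursor - 1)
        elif key == "Right":
            cursor = min(len(buf), cursor + 1)
        elif key == "Backspace" and cursor > 0:
            cursor -= 1
            del buf[cursor]
        elif key == "Delete" and cursor < len(buf):
            del buf[cursor]
        # Any other named key (F12, Enter, ...) does not change the text.
    return "".join(buf)


def split_by_window(events):
    """Split keystrokes by consecutive (activity title, application) pair.

    events: iterable of (title, application, key) tuples.
    """
    result = []
    for (title, app), run in groupby(events, key=lambda e: (e[0], e[1])):
        result.append((title, app, render_text_only([e[2] for e in run])))
    return result


# Constructed sample inputs (not captured data).
HELO = list("Helo") + ["Left", "l"]
# A caret move made with the mouse is not a keystroke, so it is absent here.
FRIED = list("Fried") + ["n"]
TWO_WINDOWS = [("Chat", "Skype", c) for c in "Hello"] + \
              [("Document1", "Word", c) for c in "Ok"]

if __name__ == "__main__":
    print(render_text_only(HELO))
    print(render_all_keys(HELO))
    print(render_all_keys(["F12"] * 24))
    print(render_text_only(FRIED))
    print(split_by_window(TWO_WINDOWS))
```

When reviewing a session, compare both views: the edited text shows what the user meant to type, while the full key view shows how it was typed, and text corrected with the mouse can differ from what actually appeared on screen.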

Figure: Metadata grid, with the text placed to the clipboard and the text pasted from the clipboard.

Viewing USB Device Info

During the monitoring process, a screen capture is created every time a mass storage USB device is plugged in. Along with the screen capture, the information on the plugged in device is displayed in the Metadata grid as follows:
- Activity title: USBStorage - <device details>
- Application name: [Monitoring event]

If you are using rules for kernel-level USB monitoring according to which the devices are detected or blocked, a screen capture is created each time the alert event occurs. In the Metadata grid, this is indicated by highlighting the activity in the grid.

When you select a USB-device-related screen capture or a row in the Metadata grid, the USB device info associated with it is displayed in the Details pane below the Player pane. If the device was blocked, it is marked as BLOCKED in parentheses.

Viewing URLs

If the URL monitoring option is enabled for the Windows Client, then each time a screen capture is created while the user is working in the browser, the URL address is saved and displayed in the URL column in the Metadata grid. If several screenshots are created while the user is viewing one page on a certain website, all of them contain the same URL information.

The URL column contains only top and second-level domain names even if the parameter is not selected in the URL monitoring settings for the Windows Client. The full URL address is displayed in the Details pane.

NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there is a possibility that the screen capture and its activity title along with the URL address may not be properly synchronized in the Session Viewer (e.g., the user may see a screen capture with a URL address that belongs to the previous one).

Viewing Idle State

Windows Client activity will be marked as Idle if there has been no activity on the target computer for a long time. The activity is displayed as Idle in the Metadata grid in two cases:
- On computers with Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2016, Windows Server 2012, and Windows Server 2008: If the user is inactive for more than 15 minutes, the computer is in sleep or hibernation mode, or the screen is set to be turned off automatically.
- On computers with Windows XP and Windows Server 2003: If the computer is in sleep or hibernation mode, or the screen is set to be turned off automatically.

Linux Client Sessions

Playing Linux Sessions

A user starts playing a Linux session by clicking on the required session in the Client Sessions list. The session is opened in a new tab or a new window depending on your browser settings.

While playing Linux sessions, you can view all visually recreated interactive data in the form of a video in the Player pane, and the function and system calls, as well as the executed commands with parameters, in the Metadata grid.

Filtering EXEC Commands

By default, the commands are filtered by the exec function to display only the commands executed after user input. To display the list of all commands, including system ones, discard the filtering by clearing the Show only execution commands option.

Viewing Alerts

About

The Alert Viewer is a part of the Management Tool which allows viewing detailed information on alert events. You can open the Alert Viewer from the following places:
- The Session Player: The Alert Viewer displays all alert events for the session.
- The list of Client sessions: The Alert Viewer displays all alert events for the selected session.
- The Recent Alerts dashboard: The Alert Viewer displays all alert events that happened within the defined time interval for the selected alert.
- The Alert Management page: The Alert Viewer displays the latest 100 events for the selected alert.

Alert Viewer Interface

The Alert Viewer displays the following information for each alert notification:
- Alert Risk Level: The colour of the alert icon in the upper left corner of the Alert Viewer corresponds to the alert risk level.
  o The alerts with the critical risk level will be highlighted in red colour.
  o The alerts with the high risk level will be highlighted in yellow colour.
  o The alerts with the normal risk level will be highlighted in blue colour.
- Alert name: The name of the alert that has triggered the event.
- Alert viewing pane: A screen capture made from the computer on which the Windows Client is installed, or a graphic representation of the recorded Linux data (input and output as the user sees them in the terminal).
- Metadata information:
  o Who: The name of the user associated with the alert event.
  o Where: The name of the Client for which the alert was triggered.
  o When: The time and date of the alert event.
  o What:
    - For Windows Clients: The activity title, the application name, and the URL (if available)
    - For Linux Clients: The command name and the parameters
    - For USB events: The device class, the status (detected/blocked), and the device details.

Using Alert Viewer

You can do the following in the Alert Viewer:
- To display/hide the metadata associated with the alert event, click below the metadata information.
- To move between the alert events, use the Previous, Next, First, and Last buttons.
- To enlarge a certain part of the played data, click the Magnifying Glass. The Magnifier window opens on the right. Move the rectangle across the displayed data.
- To open the session in the Session Player, click Open Session. The Session Player opens in a new tab. The session playback starts with the selected alert event.
- To view the Alert events for the Windows Clients, select the Windows Events tab.
- To view the Alert events for the Linux Clients, select the Linux Events tab.

Archived Sessions

About

During the archiving & cleanup operation, all the old Client sessions are archived and then deleted from the current Ekran database. This allows saving the monitored data in a secure storage and viewing the archived sessions in the Session Viewer at any time.

Changing Investigated Database

To change the archive database, do the following:
1. Log in to the Management Tool as a user with the administrative Viewing archived data permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archived Sessions tab.
4. On the Archived Sessions tab, click Change Investigated Database.
5. In the Change Investigated Database window, select the Use current archive database option if you want to view sessions from the current database or the Use another database option if you want to view sessions from another archive database.
6. Define the following parameters:
   - For MS SQL database, define the instance of the SQL server, the name of the archive database, and the user name and password.
   - For Firebird database, define the location of the archive database and the location of binary data.
   NOTE: You can attach only an archive database of the same type as your current one.
7. If necessary, click Test Database Connection to check that there is a connection with the archive database.
8. Click Save.

Viewing Archived Sessions

To play an archived session, do the following:
1. Log in to the Management Tool as a user with the administrative Viewing archived data permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archived Sessions tab.
4. On the Archived Sessions tab, a list of sessions of an archive database is displayed.
5. Click on the target session to open it in the Session Viewer.
6. Working with sessions from the archive databases is the same as working with Client Sessions.

Dashboards

About

Ekran System allows viewing certain types of information using dashboards displayed on the Home page. Dashboards provide you with a convenient real-time view of the most important data. The following dashboards are available:
- Licenses
- Clients
- Database Storage Usage
- Recent Alerts
- Latest Live Sessions
- Sessions out of Work Hours
- Rarely Used Computers
- Rarely Used Logins

With the dashboards, you can see several types of data grouped in one place. The dashboards are customizable, with the customization settings stored on the Server. Thus, if you log into the Management Tool from any other computer, your dashboards will look the same way as you have previously customized them. You can choose which dashboards to show or hide, rearrange the dashboards on the screen, add several dashboards of the same type to see the same data in different variations, and more.

Dashboard Types

Licenses

The Licenses dashboard allows you to view statistics on the number of available licenses, free licenses, and unlicensed computers. The dashboard is updated every 5 minutes.

The dashboard contains the following elements:
- Three pie charts:
  o Workstation Licenses, where you can see the number of Clients with a Workstation license, the number of free Workstation licenses, and the number of Clients without a Workstation license.
  o Server Licenses, where you can see the number of Clients with a Server license, the number of free Server licenses, and the number of Clients without a Server license.
  o Linux Licenses, where you can see the number of Clients with a Linux license, the number of free Linux licenses, and the number of Clients without a Linux license.
- The Assign Licenses to Clients button that redirects you to the License Management page where you can assign licenses to Clients.

You can define the following settings for the Licenses dashboard:
- Used Licenses sector colour.
- Free Licenses sector colour.
- Not Licensed Clients sector colour.

To view the dashboard, you need to have the administrative Serial Key Management permission. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Clients

The Clients dashboard allows you to view statistics on the number of Clients which are currently online and offline. The dashboard is updated every minute.

The Clients dashboard contains the following elements:
- A pie chart that presents statistics on the number of Clients which are currently online and offline.
- The Install More Clients button that redirects you to the Computers without Clients page where you can install Clients on the computers.

You can define the following settings for the Clients dashboard:
- Online Clients sector colour.
- Offline Clients sector colour.

To view the dashboard, you need to have one of the following permissions:
- The administrative Client Installation and Management permission. With this permission, you can see information on all the Clients in the system.
- At least one of the Client permissions. In this case, you will see only the Clients for which you have the Client permission(s).

If you do not have the administrative Client Installation and Management permission or any Client permissions, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Database Usage Storage

The Database Usage Storage dashboard allows you to view statistics on the disk space used by the binary data. By default, your binary files are stored in the same place as the database. However, you can store them in a separate location.

The Database Storage Usage dashboard contains the following elements:
- A pie chart that displays statistics on how much space is used and free on the disk where the binary files are stored.
- The Database Cleanup button that redirects you to the Database Cleanup page.

You can define the following settings for this dashboard:
- Critical free space size: the free size limit at which you are alerted that available space is running low.
- Used storage size sector colour (indicating how much storage space is used).
- Total storage size sector colour.
- Warning storage size sector colour (indicating that the free space size has fallen below the critical free space size threshold).

To view the dashboard, you need to have the administrative Database Management permission. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Recent Alerts

The Recent Alerts dashboard contains a bar chart that presents information on alerts triggered within a specific time period. The dashboard is updated every 15 minutes.

Each bar in the graph corresponds to an enabled alert. The length of each bar corresponds to the number of notifications received within a specific time interval. The colour of each bar corresponds to the alert risk level.
- The alerts with the critical risk level are highlighted in red colour.
- The alerts with the high risk level are highlighted in yellow colour.
- The alerts with the normal risk level are highlighted in blue colour.

To see the list of alert events, click on the bar with the alert name. In the opened window, the following information is displayed:
- Time
- Client name
- User name

To open a corresponding session in the Session Viewer, click Play. To view the alert events in the Alert Viewer, click Open Alert Viewer.

You can define the following settings for the Recent Alerts dashboard:
- Time interval: the period for which the alerts are selected.
- Sort type: the category by which the alerts are sorted:
  o Count: allows sorting the alerts by the number of alert notifications.
  o Alphabetic: allows sorting by the alert name.
- Sort direction: the order in which the alerts are listed.
- Critical risk level: the colour of the bars for the alerts with the Critical risk level.
- High risk level: the colour of the bars for the alerts with the High risk level.
- Normal risk level: the colour of the bars for the alerts with the Normal risk level.

Only information about the Clients for which the user has the Client Viewing Monitoring Results permission is displayed in the dashboard. If you do not have this permission for any of the Clients, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Latest Live Sessions

The Latest Live Sessions dashboard contains a grid that displays the list of the sessions which are currently live and were the latest to start. The dashboard is updated every 5 minutes.

The grid has the following columns:
- Start
- Client name
- User name

To open the session in the Session Viewer, click Play. In the settings, you can define the number of sessions to be displayed in the list.

Only information about the Clients for which the user has the Client Viewing Monitoring Results permission is displayed in the dashboard. If you do not have this permission for any of the Clients, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Sessions out of Work Hours

The Sessions out of Work Hours dashboard contains a column chart that displays the statistics on the computers used during non-work hours and days for a defined time period. The dashboard is updated every hour.

Each column corresponds to a day with sessions out of work hours. The height of the columns corresponds to the number of sessions recorded on the date. To see the number of sessions recorded on a specific date, hover over the corresponding column. To see the list of sessions recorded on a specific date, click the corresponding column. In the opened window, the following information is displayed:
- Client Name
- User Name
- Start
- Last Activity
- Finish

To see the session in the Session Viewer, click Play.

You can define the following settings for the Sessions out of Work Hours dashboard:
- Period: set the specific time period for which the alerts are selected.
- Colour: set the specific colour for the columns.
- Work hours & Work days: set the hours and days of the week to be considered as a working schedule. Only the sessions with the activities out of the defined schedule are displayed in the dashboard.

To view the dashboard, you need to have the administrative Client Installation and Management permission. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Rarely Used Computers

The Rarely Used Computers dashboard contains a grid with statistics on the Client computers that have the fewest sessions for the defined time interval. The dashboard is updated every hour.

The grid has the following columns:
- Client Name
- Sessions

To view detailed information on the sessions, click the target Client Name link. In the opened window, the following information is displayed:
- User Name
- Start
- Last Activity
- Finish

To open a session in the Session Viewer, click Play.

You can define the following settings for the Rarely Used Computers dashboard:
- Period: the period for which the sessions are selected.
- Sessions fewer than: the number of sessions the computer must have not to be considered rarely used.

Only information about the Clients for which the user has the Client Viewing Monitoring Results permission is displayed in the dashboard. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Rarely Used Logins

The Rarely Used Logins dashboard contains a grid with statistics on the users that have the fewest logins for the defined time interval. If Forced User Authentication is enabled, the <logged in Windows user> (<secondary authentication user>) pair is accounted for. The dashboard is updated every hour.

The grid has the following columns:
- User Name
- Sessions

To view detailed information on the sessions, click the target Client Name link. In the opened window, the following information is displayed:
- Client Name
- Start
- Last Activity
- Finish

To open a session in the Session Viewer, click Play.

You can define the following settings for the Rarely Used Computers dashboard:
- Period: the period for which the sessions are selected.
- Sessions fewer than: the number of sessions the user must have not to be considered rarely logging in.

Only information about the Clients for which the user has the Client Viewing Monitoring Results permission is displayed in the dashboard. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Customizing Dashboards

The dashboard layout is customizable. You can choose which dashboards you want to see on the Home page. The following options are available:
- Add a dashboard. Click Add dashboard over the dashboard area and then select the desired dashboard from the drop-down list. You can add several dashboards of the same type to view the desired information in different variations. You can have up to eight dashboards on the Home page.
- Hide a dashboard. Click the icon in the top right corner to hide the dashboard.
- Collapse/expand a dashboard. Use the icons in the top left corner of the dashboard to collapse or expand it.

You can also choose what your dashboards will look like. The following options are available:
- Rearrange the dashboards. Click on the dashboard you want to move and drag it to a new location.

- Resize a dashboard. Click on one of the bottom corners of the dashboard and drag the border of the dashboard.
- Define the settings for a dashboard. Click the icon in the top right corner of the dashboard to change its settings.

The customization settings are user-specific and are stored on the Server. To restore the default settings, click Restore Layout over the dashboard area.
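The selection rules behind the Sessions out of Work Hours, Rarely Used Computers, and Rarely Used Logins dashboards can be applied to an exported list of sessions. The following Python sketch is an added example, not Ekran System code: the record layout, function names, and sample sessions are constructed, and it assumes work hours fall within a single day, so any session crossing midnight counts as out of work hours.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample sessions: (client name, user name, start, last activity).
# User names with parentheses follow the
# "<logged in Windows user> (<secondary authentication user>)" pair format.
SESSIONS = [
    ("WS-01", "alice", "2024-03-04 09:05", "2024-03-04 17:20"),
    ("WS-01", "alice", "2024-03-05 09:02", "2024-03-05 12:10"),
    ("WS-02", "bob", "2024-03-05 22:40", "2024-03-05 23:15"),
    ("SRV-01", "Administrator (carol)", "2024-03-09 10:00", "2024-03-09 10:30"),
    ("WS-01", "alice", "2024-03-06 16:30", "2024-03-06 19:45"),
    ("SRV-01", "Administrator (dave)", "2024-03-07 11:00", "2024-03-07 11:20"),
]


def parse(ts):
    """Parse the timestamp format used in the constructed sample data."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def is_out_of_hours(start, end, work_start=time(9, 0), work_end=time(18, 0),
                    work_days=(0, 1, 2, 3, 4)):
    """True if any part of [start, end] lies outside the working schedule.

    work_days uses datetime.weekday() numbering (0 = Monday).
    """
    if start.date() != end.date():
        return True  # crosses midnight, which is never inside work hours
    if start.weekday() not in work_days:
        return True
    return start.time() < work_start or end.time() > work_end


def out_of_hours_by_day(sessions, **schedule):
    """Column chart data: start date -> number of out-of-hours sessions."""
    days = Counter()
    for _client, _user, start, last in sessions:
        s, e = parse(start), parse(last)
        if is_out_of_hours(s, e, **schedule):
            days[s.date().isoformat()] += 1
    return dict(sorted(days.items()))


def rarely_used(sessions, field, period_start, period_end, fewer_than, known=()):
    """Names with fewer than `fewer_than` sessions started within the period.

    field is "client" or "user". `known` lists names to report even when they
    have no sessions at all in the period (for example from an inventory).
    """
    idx = {"client": 0, "user": 1}[field]
    counts = Counter({name: 0 for name in known})
    for record in sessions:
        if period_start <= parse(record[2]) <= period_end:
            counts[record[idx]] += 1
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return {name: n for name, n in ordered if n < fewer_than}


if __name__ == "__main__":
    week = (parse("2024-03-04 00:00"), parse("2024-03-10 23:59"))
    print(out_of_hours_by_day(SESSIONS))
    print(rarely_used(SESSIONS, "user", *week, fewer_than=2))
    print(rarely_used(SESSIONS, "client", *week, fewer_than=2, known=["WS-03"]))
```

Accounts and computers that surface in both views at once, such as a rarely used login active outside the working schedule, are the sessions worth opening first in the Session Viewer.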

Interactive Monitoring

About

Interactive Monitoring allows viewing detailed information on the total time spent by the user in each application and on each website.

Viewing Data

The information on all applications and URL monitored data is displayed in the form of two column charts (the Applications Monitoring chart and the URL Monitoring chart). The number of columns corresponds to the number of applications used and websites visited. Only information on the Clients for which the user has the Client Viewing Monitoring Results permission is displayed.

To view the monitored data, do the following:
1. Define the specific parameters to filter the data:
   Who: filter by a specific user logged into the Client computer.
   Where: filter by a specific Client.
   When: filter by the time period. To set the time period, select one of the following:
   - Define the number of latest days or weeks. If you define 1 day, sessions recorded during the current day will be displayed.
   - Define the start date and the end date of the time period.
2. Click Generate.
3. The filtered monitored data is displayed in both charts.

To zoom in and out of the Applications Monitoring and URL Monitoring charts, use the mouse scroll.

Applications Monitoring Chart

The Applications Monitoring chart displays information on the applications the users have worked with on Client computers. Each column in the chart corresponds to an application. The length of a column corresponds to the amount of time spent in that application within a specified time interval. The total time spent by the user in all applications is displayed in the top right corner of the chart.

To set the order of the displayed application bars, select one of the following in the Applications filter:
- 20 least used: 20 least used applications sorted in the ascending order.
- 20 most used: 20 most used applications sorted in the descending order.
- All (descending): all bars in the descending order.
- All (ascending): all bars in the ascending order.

To see the list of sessions containing information on the target application, click on the column with the application name. In the opened window, the following information is displayed:
- Client Name: the name of the Client computer on which the target application was launched.
- User Name: the name of the user logged in to the Client computer.
  NOTE: If Forced User Authentication is enabled on the Client computer with Windows Server operating system, the user name is displayed as: <logged in Windows user> (<secondary authentication user>).
- Start: the start time of a session.
- Last Activity: the date and time of the last screen capture made or Linux command executed.
- Finish: the date and time when the session finished.

To open a corresponding session in the Session Viewer, click Play.

URL Monitoring Chart

The URL Monitoring chart displays information on the websites users have visited on Client computers. Each column in the chart corresponds to a website. The height of a column corresponds to the amount of time spent on that website within a specified time interval. The total time spent on all websites is displayed in the top right corner of the chart.

To set the order of the displayed URL bars, select one of the following in the URLs filter:
- 20 most visited: 20 most visited sites sorted in the descending order.
- 20 least visited: 20 least visited sites sorted in the ascending order.
- All (descending): all bars in the descending order.
- All (ascending): all bars in the ascending order.

To see the list of sessions containing information on the target website, click on the column with the website name. In the opened window, the following information is displayed:
- Client Name: the name of the Client computer on which the target application was launched.
- User Name: the name of the user logged in to the Client computer.
  NOTE: If Forced User Authentication is enabled on the Client computer with Windows Server operating system, the user name is displayed as: <logged in Windows user> (<secondary authentication user>).
- Start: the start time of a session.
- Last Activity: the date and time of the last screen capture made or Linux command executed.
- Finish: the date and time when the session finished.

To open a corresponding session in the Session Viewer, click Play.

Forensic Export

About

Forensic Export allows exporting a session in encrypted form so that the monitored session can be viewed on any computer, even without access to the Management Tool. The session is exported into a signed executable file, which contains an embedded player for displaying graphical information and metadata. The validity of forensic export results can be checked via the Management Tool. The results of export are stored on the Server until you delete them.

Exporting Session Fragment

To export the session fragment, do the following:
1. Open the Session Viewer page for the selected session.
2. In the Player, select the start point of the session fragment.
3. Click Session Forensic Export under the Player.
4. The Session Forensic Export window opens.
5. Select the Export session fragment from current Player position option and enter the required fragment length in minutes.
6. Select the Include keystrokes option if necessary.
7. Click Export.
8. The Forensic Export History page opens, displaying export progress.
9. As soon as the export process finishes, the resulting file becomes available for downloading.
10. Click Download to download the file with Forensic Export results.

Exporting Full Session

To export the session, do the following:
1. On the Session Viewer page for the selected session, click Session Forensic Export under the Player.
2. The Session Forensic Export window opens.
3. Select the Export full session option and the Include keystrokes option if necessary.
4. Click Export.
5. The Forensic Export History page opens, displaying export progress.
6. As soon as the export process finishes, the resulting file becomes available for downloading.
7. Click Download to download the file with Forensic Export results.

Viewing Forensic Export History

The Forensic Export History page displays the grid with all results of export for Clients you have permissions for. You can see exports performed both by you and other users.

The Forensic Export History grid contains the following information:
- Export Date: Displays the date and time when the session was exported.
- Client Name: Displays the name of the computer on which the Client is installed.
- User: Displays the name of the user logged in to the Client computer.
- Session Start Date: Displays the date and time when the session started.
- Session End Date: Displays the date and the time when the session finished.
- Export Type: Displays the export type, which can be one of the following:
  o Full: For the full exported session.
  o Full (no keystrokes): For the full exported session without keystrokes.
  o Truncated Full: For the exported session that has more than activities and while exporting has been truncated to 1 GB.
  o From To: For the time interval included in the exported session.
- Status: Displays the status of session export (Generated or Generation failed).
- Full Size: Displays the size of the resulting file (n/a for failed session exporting).

To download the exported session, click Download in the Forensic Export History grid. To delete the exported session from the Server, click Delete in the Forensic Export History grid.

Playing Exported Session

To view exported data, download it and start the downloaded executable file.

NOTE: To view exported data on computers with Linux or Mac operating system, you need to install Mono Framework on them. Follow the instructions at to install Mono Framework on your computer.

Sessions are played in the Forensic Export Player.

225 Forensic Export The Forensic Export Player interface is divided into the following parts: Player pane: Allows viewing screen captures made from the computer on which the Windows Client is installed, or visually recreated interactive data of the recorded Linux terminal (input and output as the user sees them in the terminal). The navigation section allows you to manage the playback of the video of screen captures or commands. [Windows Client] Details pane: Allows you to view the text data (keystrokes and clipboard text data) associated with the selected screen capture, USB device information, and URL addresses of websites visited by a user. Metadata pane: Displays the session data in the form of grid, which includes: o Activity time, Activity title, Application name, Text data, and URLs for Windows Clients; o Activity time, Command, Function, and Parameters for Linux Clients. NOTE: If the user performing export does not have the Viewing text data permission for this Client, Forensic Export results will contain no text data. You can do one of the following while viewing: To play/pause the video, click Play/Pause in the Player pane. To move from one record to another, use the control buttons in the Player pane. To open the monitored data to the full-screen mode, double-click the monitored data in the Player pane or. To define the speed with which monitored data will change in the Player pane, click. The available speed options are 1/2/4/8/16 frame(s) per second. 225

226 Forensic Export To enlarge a certain part of the played data, click the Magnifying Glass. To move from one monitor to another in the Client session with multiple monitors, click All, 1, 2, etc. Validating Exported Data Using Management Tool, you can check that exported data is valid and its integrity has not been altered. Please note that data validity must be checked only in the Management Tool connected to the Server via which data has been exported. Any other Server will consider data not valid. To validate exported data, do the following: 1. Click the Forensic Export History navigation link to the left and then click Validate Export Results. 2. On the Forensic Export Results validation page, click Choose File to select the.exe file with forensic export results. 3. The file is uploaded to the Server and validated. 4. If file validity is confirmed, you will see a message: The file is validated successfully! 226

Troubleshooting

Quick Access to Log Files

Log files contain information that might be useful for the administrator for detecting problems in the system, if any. You can either analyse the log files yourself to get more information on what is happening in your system or send them to the Support team to help them in detecting the source of problems in your system.

If the log files contain information on some errors, a warning message will be displayed on the Diagnostics page.

To download the Server log file, log in as the user with the Database Management permission, click the Diagnostics navigation link to the left and then click Download Server log file. The log file will be downloaded to your computer.

NOTE: On the Server computer, the Server log (Server.log) is stored in the Server installation folder. The default location of the Server installation folder is C:\Program Files\Ekran System\Ekran System.

To download the Management Tool log file, log in as the user with the Database Management permission, click the Diagnostics navigation link to the left and then click Download Management Tool log file. The log file will be downloaded to your computer.

Database/Server

Database/Server Related Issues

Issue: I cannot start the Server from the Server tray.
Cause/Solution: To start the Server, the Server tray service must be started under the administrator account.

Issue: There are too many records in the database.
Cause/Solution: Use the automatic or manual database cleanup feature to remove the old records from the database. To do this, in the Management Tool, click the Database Management navigation link and define the cleanup settings on the corresponding tabs.

Issue: I have defined a new database, what happened to the old one?
Cause/Solution: The old database remains in place and is not changed.

Issue: I need to transfer the data from an old database to a new one/I want to change the type of the database without losing data.
Cause/Solution: Unfortunately, the data cannot be transferred from one database to another.

Issue: I have transferred the SQL database to another computer.
Cause/Solution: Unfortunately, you can't relocate the SQL database to another computer, though you can move it to another location on the same PC with SQL means.

Issue: I have changed the location of the Firebird database.
Cause/Solution: To redefine the location of the Firebird database, move it to another location and change the corresponding values in the Windows Registry Editor. See the Moving the Server Database chapter for more details.

Issue: I have installed a new version of the Server and I want to use the old database.
Cause/Solution: If you have updated the Server, your old database will remain. If you have reinstalled the Server, you need to use a new database.

Issue: I have used the database cleanup feature, but the size of the database didn't change.
Cause/Solution: The cleanup feature only removes data from the database, but does not change the size reserved by it. To reduce the size of the database, click Shrink database on the Database Options tab on the Database Management page of the Management Tool.

Issue: I have accidentally removed the database from the MS SQL Server.
Cause/Solution: You need to define a new database. To do this, you need to reinstall the Server.

Issue: I cannot shrink the database: the Shrink database button is absent in the Management Tool on the Database Options tab.
Cause/Solution: Make sure you use the MS SQL Server database. The shrinking cannot be performed if the cleanup procedure is in progress.

Issue: My antivirus blocks the Server uninstallation/update.
Cause/Solution: Due to the uninstaller specifics some anti-viruses might detect it as a false positive during virus scan. In this case, it is recommended to disable your anti-virus during Server uninstallation/update.

Database/Server Related Error Messages

The following table provides the list of error messages related to databases and the Server and their causes and possible solutions. These messages may appear in the Management Tool, from the Server tray service, or during the installation of the Server.

Message: If you get the following message in the Management Tool: "Connection with MS SQL database is lost. Please check that the database is accessible and try again."
Cause/Solution:
- The Server has lost the connection to the MS SQL Server. Please make sure that the MS SQL Server is running and it is online and accessible. To check that the MS SQL Server computer is accessible, enter the following command in the Windows command line:
    ping <name of the MS SQL Server computer>
- The connection to the MS SQL Server is blocked by the Firewall. Try disabling the Firewall on the MS SQL Server side.

Message: If you get the following message when trying to restart the Server service: "Not enough permissions to restart the Server."
Cause/Solution: You can restart the Server service only under the administrator account.

Message: If you get the following error while trying to clean up the database: "Error occurred while clearing the database. Please try again."
Cause/Solution:
- The program encountered an unexpected error while trying to clear the database. Try clearing the database again. Make sure the Server service is running.
- There was a problem with connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line:
    ping <name of the computer with installed database>
  If the problem comes up again, please send us logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.

Message: If you get the following message from the Server tray service: "The Server connection with the database has been lost. Click to view logs."
Cause/Solution: The Server has lost the connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line:
    ping <name of the computer with installed database>
If the problem comes up again, please send us logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.

Message: If you get one of the following messages while trying to perform an action with database: "An error occurred when shrinking database. Please try again." "Error occurred while retrieving database info. Please try again."
Cause/Solution:
- The program encountered an unexpected error while trying to perform an action with database. Please try performing the action again.
- There was a problem with connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line:
    ping <name of the computer with installed database>
  If the problem comes up again, please send us logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.

Management Tool

Management Tool Related Issues

Issue: HTTP 500 Internal Server error is displayed when I try to connect to the Management Tool.
Cause/Solution: For Windows 7, follow these instructions:
1. Make sure that all the following options are selected in the Windows Features window: .NET Framework 3.5 > Windows Communication Foundation HTTP Activation and Windows Communication Foundation Non-HTTP Activation.
2. Run the Command Prompt (cmd.exe) as administrator. Enter
    %windir%\microsoft.net\framework\v4.0.xxxxx\aspnet_regiis.exe -iru (for 32 bit machine)
   or
    %windir%\microsoft.net\framework64\v4.0.xxxxx\aspnet_regiis.exe -iru (for 64 bit machine).
   Example: C:\Windows\Microsoft.NET\Framework64\v \aspnet_regiis.exe -iru
3. Press Enter.
For Windows 8.0 or 8.1, make sure that all the following options are selected in the Windows Features window: .NET Framework 3.5 > Windows Communication Foundation HTTP Activation and Windows Communication Foundation Non-HTTP Activation.

Issue: The license management function is unavailable and I cannot add server/workstation licenses to Clients.
Cause/Solution: Make sure you have the administrative Client installation and management permission. If you have this permission, but the license management function is still unavailable, then your copy of the program is not licensed. Please purchase serial keys and activate them online or activate them on your vendor's license site and add them offline.

Issue: I have no Internet connection on the computer with the installed Server and cannot activate serial keys.
Cause/Solution: You can activate the serial on the license site of your vendor and then add activated keys on the computer with the installed Server.

Issue: I have reinstalled/updated the Server and now there are no activated serial keys in it.
Cause/Solution: If you activated serial keys online, after you reinstall or update the Server, activated serial keys will be automatically synchronized. For this purpose, you need to have an active Internet connection during the first start of the Server. If you used an offline activation (added activated serial keys), you need to add them in the Management Tool again.

Issue: The list of the domain computers is empty during the Client installation.
Cause/Solution: This problem can be caused by network or Windows issues (e.g., your computer cannot connect to the local network). If there are no network problems, try searching for computers via the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page click Add computers by IP.

Issue: The list of the domain computers is not complete during the Client installation.
Cause/Solution: Ekran System obtains the list of domain computers using standard Windows methods, which do not always provide the full list of computers.

Issue: The target computer is out of the domain.
Cause/Solution: If DNS settings of your computer network allow, you can:
- Search for computers using the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page, click Add computers by IP.
- Create an installation package and install a Client locally on the target computer. To generate an installation package, on the Computers without Clients page, click Download installation file and then select the type of the installation file you want to download. When the installation file is downloaded to your computer, you can start the installation process.

Issue: I have assigned a server license instead of a workstation license to the Client or I have assigned a license to the wrong Client.
Cause/Solution: Any license can be unassigned from a Client anytime.

Issue: There are some Clients that I did not install.
Cause/Solution: These may be old Clients that were installed earlier. You can uninstall them remotely via the Management Tool or locally on the Client computer.

Issue: I do not receive notifications, although the parameters are correct.
Cause/Solution: Make sure you do not use Microsoft Exchange Server 2010, which is not supported.

Issue: Some of the Management Tool functions are unavailable.
Cause/Solution: Make sure that you have the corresponding permissions for these functions.

Issue: I do not want to provide the user with access to all Clients.
Cause/Solution: By defining the Client permissions for the user in the Management Tool, you can define which Clients the user will have access to.

Issue: I forgot the password of the internal user.
Cause/Solution: Contact the administrator and ask them to change the password.

Issue: The user is able to perform actions that are supposed to be prohibited for them (e.g., the user sees the Clients that they do not have a permission for).
Cause/Solution: Check the groups which the user belongs to. They might have inherited some new permissions from these groups.

Issue: I haven't received any reports or alert notifications by .
Cause/Solution: Check the Spam folder.

Management Tool Error Messages

The following table provides the list of error messages that you may see while working in the Management Tool and their causes and possible solutions.

Message: If you get the following message when trying to connect to the Management Tool: "Server is unavailable. Please contact administrator."
Cause/Solution: The program encountered an unexpected error while trying to perform an action. Please refresh the Management Tool. Please make sure that the Server is running. Please restart the Server and try again. If the problem comes up again, please contact the support.

Message: If you get the following message when trying to connect to the Management Tool: "Wrong password or username."
Cause/Solution: Please make sure that your login and the password are correct. If you are logging in as a Windows user, do not forget to enter <domain name>\<login>.

Viewing Monitored Data

Issue: I have successfully logged into the Management Tool but I cannot see any captured data from the Windows Client.
Cause/Solution:
- Please check the section Possible Problems with Receiving Data from Clients.
- Contact the administrator and check if you have the Viewing monitoring results permission for the Client.

Issue: An alert event does not trigger an alert notification and is not displayed as alert in the Management Tool.
Cause/Solution: Please check that the defined alert parameters are correct on the Alert Rules tab on the Edit alert page of the Management Tool (e.g., Process name may be defined instead of Window title). To do this, open the Alert Management page of the Management Tool, click Edit alert for the required alert and select the Alert Rules tab.

Issue: I don't receive alert notifications about all the events that correspond to notification settings.
Cause/Solution:
- The alert might be disabled. Please make sure the alert is enabled on the Alert properties tab in the Management Tool.
- Please check the Minimal interval between notifications sent for the same alert event parameter. If less time than defined in the settings has passed since the moment when the last notification for the same alert event had been received, you will not receive the notification.

Issue: Some screen captures are blank.
Cause/Solution:
- If a user types something continuously, stops typing, and then switches the window during the 3 seconds period, the keystrokes will be attached to a blank screen capture.
- If a user accesses the Client computer via the Remote Desktop Protocol (RDP) and minimizes the Remote Desktop Connection window, a blank screen capture is created.

Issue: Some screen captures look like they consist of two parts.
Cause/Solution: There are two monitors on the Client computer and you see the screen captures from both of them.

Issue: The Text data column is empty, although the text was entered on the Client computer.
Cause/Solution:
- Check that you have the Viewing text data permission for this Client.
- Please check that you have enabled the keystroke logging in the Client configuration.
- The keystrokes are logged only after the user presses Enter or switches to another window. So they might be attached to another screen capture.

Issue: The Text data column is empty, although the text was copied, cut, and pasted on the Client computer.
Cause/Solution:
- Check that you have the Viewing text data permission for this Client.
- Please check that you have enabled the clipboard monitoring in the Client configuration.

Issue: The screen captures are sent more frequently than I defined.
Cause/Solution: If in the Client configuration you have enabled options other than Capture screen periodically, the screen captures may be created more frequently depending on the user activity. Check the Client configuration.

Issue: Screen capture image is blurry.
Cause/Solution: The Client computer may have smooth interface animation; the screen capture may have been taken when the animation was in progress.

Issue: The screen capture image is black and white.
Cause/Solution: The Client is configured to capture screen in greyscale images. Please check the Client configuration in the Management Tool.

Issue: The screen capture time does not correspond to time on my computer.
Cause/Solution: The screen capture time corresponds to the time displayed on the Client computer.

Issue: The screen capture time does not correspond to the time that should be displayed on Client computer.
Cause/Solution: Please check that the Client computer time settings have not been changed.

Windows Client

Checking that the Client Is Installed

If the Client is successfully installed, it will appear on the Clients page of the Management Tool in the Data View pane. If there is no Client in the Management Tool, you have to check whether the Client has been installed.

You can check if the Client is installed on the investigated computer in one of the following ways:
- The EkranService.exe process is running.
- The EkranClient and EkranController services are started.
- There is a <system disk>:\Program Files\Ekran System\Ekran System\Client\ folder with executable files.
- The HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key has the following values:

Clients Installation/Uninstallation Issues and Error Messages

The common reasons for issues with remote installation or uninstallation of Clients are inadequate network configuration or system settings. If you are sure that a user has administrative rights on the Client computer, please check whether all of the conditions for successful installation are met.
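The four indicators listed under Checking that the Client Is Installed can be collected in one pass, which also separates "not installed" from "installed but not running". This is an added example, not Ekran System code; the function name and the system-disk parameter are assumptions, and the registry values are only enumerated because this page does not list them.

```powershell
# Added example (not Ekran System code). Run locally, in an elevated session,
# on the computer being investigated.
function Test-EkranClientInstalled {
    [CmdletBinding()]
    param(
        # Assumption: the Client is on the system disk, as in the documented path.
        [string]$SystemDisk = $env:SystemDrive
    )

    $clientFolder = Join-Path -Path "$SystemDisk\" -ChildPath 'Program Files\Ekran System\Ekran System\Client'
    $registryKey  = 'HKLM:\SOFTWARE\EkranSystem\Client'

    # Indicator 1: the EkranService.exe process is running.
    $process = @(Get-Process -Name 'EkranService' -ErrorAction SilentlyContinue)

    # Indicator 2: the EkranClient and EkranController services are started.
    $services = foreach ($name in 'EkranClient', 'EkranController') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name    = $name
            Status  = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            Running = [bool]($svc -and ($svc.Status -eq 'Running'))
        }
    }

    # Indicator 3: the Client folder exists and contains executable files.
    $executables = @()
    if (Test-Path -LiteralPath $clientFolder -PathType Container) {
        $executables = @(Get-ChildItem -LiteralPath $clientFolder -Filter '*.exe' -File -ErrorAction SilentlyContinue)
    }

    # Indicator 4: the Client registry key exists. Value names are listed as found.
    $valueNames = @()
    $keyFound = Test-Path -LiteralPath $registryKey
    if ($keyFound) {
        $valueNames = @((Get-Item -LiteralPath $registryKey).GetValueNames())
    }

    $servicesRunning = @($services | Where-Object { -not $_.Running }).Count -eq 0
    $filesFound      = $executables.Count -gt 0
    $processRunning  = $process.Count -gt 0

    # Files or registry key present while the process or services are down
    # means the Client was installed but is not currently running.
    $state = if ($processRunning -and $servicesRunning) { 'InstalledAndRunning' }
             elseif ($filesFound -or $keyFound)         { 'InstalledButNotRunning' }
             else                                       { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        State            = $state
        ProcessRunning   = $processRunning
        Services         = $services
        ClientFolder     = $clientFolder
        ExecutableCount  = $executables.Count
        RegistryKeyFound = $keyFound
        RegistryValues   = $valueNames
    }
}

Test-EkranClientInstalled | Format-List
```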

Remote Installation Error Messages

During remote Client installation you can get the following error messages:
- The user does not have enough permission on the remote host.
- The network name cannot be found.
- Client machine must be rebooted before agent installation.
- The host is unavailable now or turned off. Try again later.

Solving Remote Installation Issues

If you receive the following error message during the remote Client installation: "The User doesn't have enough permission on the remote host", as a rule, the issue may be caused by the following reasons:
- There is no access to network shares.
- DNS service is unavailable.
- UAC is enabled (Windows 7/8/Vista).
- Errors in Active Directory.
- Issues with the Service Principal Name for the domain.
- Two computers have the same computer name.

Issue: There is No Access to Network Shares

For successful remote installation, Ekran System needs to access the administrative shares on the target computers. First, check that you have access to administrative shares and, if there is no access, enable it.

How to Check:

To check the administrative shares availability, do the following:
1. Open Windows Explorer.
2. In the address bar type \\<target_computer_ip/name>\admin$ and press Enter.
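The same admin$ check, together with the name-resolution and ping checks this chapter relies on, can be run against several target computers before a remote installation. This is an added example, not Ekran System code; the function name, the hint texts and the sample targets are assumptions.

```powershell
# Added example (not Ekran System code). Run from the computer that performs
# the remote installation, under the account that will be used for it.
function Test-RemoteInstallPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName
    )
    process {
        foreach ($target in $ComputerName) {
            # Name resolution (cause: "DNS service is unavailable").
            # An IP address passes this step without a DNS query.
            $addresses = @()
            try {
                $addresses = @([System.Net.Dns]::GetHostAddresses($target) |
                    ForEach-Object { $_.IPAddressToString })
            } catch {
                Write-Verbose "Name resolution failed for ${target}: $($_.Exception.Message)"
            }
            $resolves = $addresses.Count -gt 0

            # Reachability, the same test as "ping <name>". ICMP can be filtered,
            # so a failed ping alone does not prove the host is down.
            $pings = $false
            if ($resolves) {
                $pings = [bool](Test-Connection -ComputerName $target -Count 2 -Quiet -ErrorAction SilentlyContinue)
            }

            # Administrative share, the same test as opening \\<target>\admin$
            # in Windows Explorer.
            $share = '\\{0}\admin$' -f $target
            $shareAccessible = $false
            if ($resolves) {
                $shareAccessible = [bool](Test-Path -LiteralPath $share -ErrorAction SilentlyContinue)
            }

            # Map the result to the causes listed on this page.
            $hint = if (-not $resolves) {
                'Name does not resolve: check the DNS service.'
            } elseif (-not $shareAccessible -and -not $pings) {
                'No ping and no admin$ access: the host may be unavailable or turned off.'
            } elseif (-not $shareAccessible) {
                'Host answers but admin$ is not accessible: check network shares and UAC.'
            } else {
                'admin$ is accessible: check Active Directory, the Service Principal Name and duplicate computer names.'
            }

            [pscustomobject]@{
                Target          = $target
                Addresses       = $addresses -join ', '
                Resolves        = $resolves
                Pings           = $pings
                AdminShare      = $share
                ShareAccessible = $shareAccessible
                Hint            = $hint
            }
        }
    }
}

# Constructed sample targets; replace them with the computers you install to.
'WS-EXAMPLE-01', '192.0.2.10' | Test-RemoteInstallPrerequisite | Format-List
```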


Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1.2 This document supports the version of each product listed and supports all subsequent

More information

Deltek Time & Expense with Employee Self Service Version New Installation for Microsoft SQL Sever

Deltek Time & Expense with Employee Self Service Version New Installation for Microsoft SQL Sever Deltek Time & Expense with Employee Self Service Version 9.0.1 New Installation for Microsoft SQL Sever July 31, 2013 While Deltek has attempted to verify that the information in this document is accurate

More information

KYOCERA Device Manager Installation and Upgrade Guide

KYOCERA Device Manager Installation and Upgrade Guide KYOCERA Device Manager Installation and Upgrade Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice.

More information

Install and upgrade Qlik Sense. Qlik Sense 3.0 Copyright QlikTech International AB. All rights reserved.

Install and upgrade Qlik Sense. Qlik Sense 3.0 Copyright QlikTech International AB. All rights reserved. Install and upgrade Qlik Sense Qlik Sense 3.0 Copyright 1993-2016 QlikTech International AB. All rights reserved. Copyright 1993-2016 QlikTech International AB. All rights reserved. Qlik, QlikTech, Qlik

More information

KeyNexus Hyper-V Deployment Guide

KeyNexus Hyper-V Deployment Guide v1.0 09/2018 . Copyright Notice Copyright 2018 KeyNexus Inc. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished

More information

Hands-On Lab. Windows Azure Virtual Machine Roles. Lab version: Last updated: 12/14/2010. Page 1

Hands-On Lab. Windows Azure Virtual Machine Roles. Lab version: Last updated: 12/14/2010. Page 1 Hands-On Lab Windows Azure Virtual Machine Roles Lab version: 2.0.0 Last updated: 12/14/2010 Page 1 CONTENTS OVERVIEW... 3 EXERCISE 1: CREATING AND DEPLOYING A VIRTUAL MACHINE ROLE IN WINDOWS AZURE...

More information

LepideAuditor. Installation and Configuration Guide

LepideAuditor. Installation and Configuration Guide Installation and Configuration Guide Table of Contents 1. Introduction... 6 2. Requirements and Prerequisites... 6 2.1 System Requirements... 6 2.2 Supported Servers for Auditing... 7 2.3 Prerequisites

More information

MB Exam Code: MB Exam Name: Microsoft Dynamics CRM 2016 Customer Service

MB Exam Code: MB Exam Name: Microsoft Dynamics CRM 2016 Customer Service MB2-714 Number: MB2-714 Passing Score: 800 Time Limit: 120 min File Version: 1.0 Exam Code: MB2-714 Exam Name: Microsoft Dynamics CRM 2016 Customer Service Exam A QUESTION 1 You install Microsoft Dynamics

More information

KNOXPLANS for New Users

KNOXPLANS for New Users KNOXPLANS for New Users Version 9.1, October 2018 Contents KNOXPLANS for New Users... 1 Welcome to KnoxPlans, Version 9.1... 2 Recommended Client Hardware and O/S Specifications... 2 Browser Requirements...

More information

NBC-IG Installation Guide. Version 7.2

NBC-IG Installation Guide. Version 7.2 Installation Guide Version 7.2 2017 Nuance Business Connect 7.2 Installation Guide Document Revision History Revision Date August 8, 2017 Revision List Updated supported SQL Server versions June 14, 2017

More information

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS)

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS) UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS) Installation Guide NEC NEC Corporation October 2010 NDA-30362, Revision 15 Liability Disclaimer NEC Corporation reserves the right

More information

Installation on Windows Server 2008

Installation on Windows Server 2008 USER GUIDE MADCAP PULSE 4 Installation on Windows Server 2008 Copyright 2018 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described

More information

TIBCO LiveView Web Getting Started Guide

TIBCO LiveView Web Getting Started Guide TIBCO LiveView Web Getting Started Guide Introduction 2 Prerequisites 2 Installation 2 Installation Overview 3 Downloading and Installing for Windows 3 Downloading and Installing for macos 4 Installing

More information

Business Insights Dashboard

Business Insights Dashboard Business Insights Dashboard Sage 500 ERP 2000-2013 Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the Sage product and service names mentioned herein are registered trademarks or trademarks

More information

WhatsUp Gold 2016 Installation and Configuration Guide

WhatsUp Gold 2016 Installation and Configuration Guide WhatsUp Gold 2016 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup 1 Installation Overview 1 Overview 1 Security considerations 2 Standard WhatsUp

More information

Covene Cohesion Server Installation Guide A Modular Platform for Pexip Infinity Management October 25, 2016 Version 3.3 Revision 1.

Covene Cohesion Server Installation Guide A Modular Platform for Pexip Infinity Management October 25, 2016 Version 3.3 Revision 1. Covene Cohesion Server Installation Guide A Modular Platform for Pexip Infinity Management October 25, 2016 Version 3.3 Revision 1.0 Table of Contents 1. Overview... 3 2. Upgrading an Existing Installation...

More information

NETWRIX GROUP POLICY CHANGE REPORTER

NETWRIX GROUP POLICY CHANGE REPORTER NETWRIX GROUP POLICY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 November 2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Installation and Deployment Guide for HEAT Service Management

Installation and Deployment Guide for HEAT Service Management Installation and Deployment Guide for HEAT Service Management Supported Deployment Configurations The section briefly describes the deployment configurations that are supported by the HEAT Service Management

More information

ObserveIT 7.1 Release Notes

ObserveIT 7.1 Release Notes ObserveIT 7.1 Release Notes In This Document About This Release... 2 New Features and Enhancements... 2 Backward Compatibility... 3 New Supported Platforms... 3 Resolved Issues... 4 Known Issues... 4 Limitations...

More information

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017

Patch Manager INSTALLATION GUIDE. Version Last Updated: September 25, 2017 INSTALLATION GUIDE Patch Manager Version 2.1.5 Last Updated: September 25, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/patch_manager/patch_manager_documentation

More information

Installing and Configuring Cisco Unified Real-Time Monitoring Tool

Installing and Configuring Cisco Unified Real-Time Monitoring Tool CHAPTER 2 Installing and Configuring Cisco Unified Real-Time Monitoring Tool You can install Cisco Unified Real-Time Monitoring Tool (RTMT), which works for resolutions 800*600 and above, on a computer

More information

SafeConsole On-Prem Install Guide

SafeConsole On-Prem Install Guide SafeConsole On-Prem Install Guide This guide applies to SafeConsole 5.0.5 Introduction This guide describes how to install a new SafeConsole server on Windows using the SafeConsole installer. As an option,

More information

Privileged Identity App Launcher and Session Recording

Privileged Identity App Launcher and Session Recording Privileged Identity App Launcher and Session Recording 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are

More information

Veriato Recon / 360. Version 9.0.3

Veriato Recon / 360. Version 9.0.3 Veriato Recon / 360 Version 9.0.3 1/3/2018 Upgrade Guide January 3, 2018 Table of Contents Before You Begin... 1 What's New... 1 How the System Works... 1 Upgrade Support... 6 Update Antivirus Exclusions...

More information

VMware Horizon FLEX Client User Guide

VMware Horizon FLEX Client User Guide Horizon FLEX 1.10 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this

More information

scconnect v1.x ADMINISTRATION, INSTALLATION, AND USER GUIDE

scconnect v1.x ADMINISTRATION, INSTALLATION, AND USER GUIDE scconnect v1.x ADMINISTRATION, INSTALLATION, AND USER GUIDE GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800)

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 USER GUIDE MADCAP PULSE 4 Installation Guide for Pulse on Windows Server 2012 Copyright 2018 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The

More information

LepideAuditor for File Server. Installation and Configuration Guide

LepideAuditor for File Server. Installation and Configuration Guide LepideAuditor for File Server Installation and Configuration Guide Table of Contents 1. Introduction... 4 2. Requirements and Prerequisites... 4 2.1 Basic System Requirements... 4 2.2 Supported Servers

More information

Scribe Insight Installation Guide. Version August 10, 2011

Scribe Insight Installation Guide. Version August 10, 2011 Scribe Insight Installation Guide Version 7.0.2 August 10, 2011 www.scribesoft.com Important Notice No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form

More information

DameWare Server. Administrator Guide

DameWare Server. Administrator Guide DameWare Server Administrator Guide About DameWare Contact Information Team Contact Information Sales 1.866.270.1449 General Support Technical Support Customer Service User Forums http://www.dameware.com/customers.aspx

More information

High Availability Enabling SSL Database Migration Auto Backup and Auto Update Mail Server and Proxy Settings Support...

High Availability Enabling SSL Database Migration Auto Backup and Auto Update Mail Server and Proxy Settings Support... Quick Start Guide Table of Contents Overview... 4 Deployment... 4 System Requirements... 4 Installation... 6 Working with AD360... 8 Starting AD360... 8 Launching AD360 client... 9 Stopping AD360... 9

More information

Ekran System v.6.0 Privileged User Accounts and Sessions (PASM)

Ekran System v.6.0 Privileged User Accounts and Sessions (PASM) Ekran System v.6.0 Privileged User Accounts and Sessions (PASM) Table of Contents About... 3 Using Privileged User Accounts... 4 Password Vault Configuration... 5 Defining Domain Administrator Credentials...

More information

IBM Endpoint Manager. OS Deployment V3.5 User's Guide

IBM Endpoint Manager. OS Deployment V3.5 User's Guide IBM Endpoint Manager OS Deployment V3.5 User's Guide IBM Endpoint Manager OS Deployment V3.5 User's Guide Note Before using this information and the product it supports, read the information in Notices

More information

Installing and Configuring Cisco Unified Real-Time Monitoring Tool

Installing and Configuring Cisco Unified Real-Time Monitoring Tool CHAPTER 2 Installing and Configuring Cisco Unified Real-Time Monitoring Tool You can install Cisco Unified Real-Time Monitoring Tool (RTMT), which works for resolutions 800*600 and above, on a computer

More information

Cisco Unified Serviceability

Cisco Unified Serviceability Cisco Unified Serviceability Introduction, page 1 Installation, page 5 Introduction This document uses the following abbreviations to identify administration differences for these Cisco products: Unified

More information

Getting Started with. Management Portal. Version

Getting Started with. Management Portal. Version Getting Started with Management Portal Version 10.1.0.0 Copyright RES Software Development B.V. All rights reserved. Commercial Computer Software documentation/data Restricted Rights. RES and RES ONE are

More information

WINDOWS HOST GUIDE. Remote Support & Management PC Mac Tablet Smartphone Embedded device. WiseMo Host module on your PC or Server

WINDOWS HOST GUIDE. Remote Support & Management PC Mac Tablet Smartphone Embedded device. WiseMo Host module on your PC or Server WINDOWS HOST GUIDE Remote Support & Management PC Mac Tablet Smartphone Embedded device WiseMo Guest module for example on your Windows PC WiseMo Host module on your PC or Server WiseMo develops software

More information

Veritas System Recovery 18 Management Solution Administrator's Guide

Veritas System Recovery 18 Management Solution Administrator's Guide Veritas System Recovery 18 Management Solution Administrator's Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

Avalanche Remote Control User Guide. Version 4.1

Avalanche Remote Control User Guide. Version 4.1 Avalanche Remote Control User Guide Version 4.1 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway, Suite 200 South Jordan, Utah 84095

More information

Workplace 2.4.0p1. Community Edition Getting started

Workplace 2.4.0p1. Community Edition Getting started Workplace 2.4.0p1 Community Edition Getting started O3Spaces Workplace 2.4.0 patch 1 Community Edition Getting Started Notice: Before installing and using the O3Spaces Workplace software carefully read

More information

ObserveIT Release Notes

ObserveIT Release Notes ObserveIT 7.5.2 Release Notes This document lists new and deprecated supported platforms, issues that were discovered and fixed since the release of the previous release of ObserveIT, and known issues

More information

Microsoft Dynamics GP Web Client Installation and Administration Guide For Service Pack 1

Microsoft Dynamics GP Web Client Installation and Administration Guide For Service Pack 1 Microsoft Dynamics GP 2013 Web Client Installation and Administration Guide For Service Pack 1 Copyright Copyright 2013 Microsoft. All rights reserved. Limitation of liability This document is provided

More information

EMS MASTER CALENDAR Installation Guide

EMS MASTER CALENDAR Installation Guide EMS MASTER CALENDAR Installation Guide V44.1 Last Updated: May 2018 EMS Software emssoftware.com/help 800.440.3994 2018 EMS Software, LLC. All Rights Reserved. Table of Contents CHAPTER 1: Introduction

More information

NTP Software File Auditor for Windows Edition

NTP Software File Auditor for Windows Edition NTP Software File Auditor for Windows Edition An NTP Software Installation Guide Abstract This guide provides a short introduction to installation and initial configuration of NTP Software File Auditor

More information

Contents. Limitations. Prerequisites. Configuration

Contents. Limitations. Prerequisites. Configuration Welcome to your Netmail Secure trial The trial version of Netmail Secure allows you to evaluate Netmail Secure from within your own corporate domain. Included is a sample mail feed that is automatically

More information

Micro Focus Enterprise View. Installing Enterprise View

Micro Focus Enterprise View. Installing Enterprise View Micro Focus Enterprise View Installing Enterprise View Micro Focus The Lawn 22-30 Old Bath Road Newbury, Berkshire RG14 1QN UK http://www.microfocus.com Copyright Micro Focus 2009-2014. All rights reserved.

More information

DocuShare Installation Guide

DocuShare Installation Guide DocuShare Installation Guide Publication date: December 2009 This document supports DocuShare Release 6.5/DocuShare CPX Release 6.5 Prepared by: Xerox Corporation DocuShare Business Unit 3400 Hillview

More information

Accops HyWorks v2.5. HyWorks Controller Installation Guide. Last Update: 4/18/2016

Accops HyWorks v2.5. HyWorks Controller Installation Guide. Last Update: 4/18/2016 Accops HyWorks v2.5 Last Update: 4/18/2016 2016 Propalms Technologies Pvt. Ltd. All rights reserved. The information contained in this document represents the current view of Propalms Technologies Pvt.

More information

ElasterStack 3.2 User Administration Guide - Advanced Zone

ElasterStack 3.2 User Administration Guide - Advanced Zone ElasterStack 3.2 User Administration Guide - Advanced Zone With Advance Zone Configuration TCloud Computing Inc. 6/22/2012 Copyright 2012 by TCloud Computing, Inc. All rights reserved. This document is

More information

Real-Time Monitoring Configuration

Real-Time Monitoring Configuration CHAPTER 7 This chapter contains the following information for configuring the Cisco Unified Presence Server Real-Time Monitoring Tool (RTMT). Some options that are available in the current version of the

More information

Dell SupportAssist Version 1.0 For Microsoft System Center Operations Manager User's Guide

Dell SupportAssist Version 1.0 For Microsoft System Center Operations Manager User's Guide Dell SupportAssist Version 1.0 For Microsoft System Center Operations Manager User's Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your

More information

NovaBACKUP CMon v19.0

NovaBACKUP CMon v19.0 June 2017 NovaBACKUP CMon v19.0 User Manual Features and specifications are subject to change without notice. The information provided herein is provided for informational and planning purposes only. 2017

More information

User Manual. Active Directory Change Tracker

User Manual. Active Directory Change Tracker User Manual Active Directory Change Tracker Last Updated: March 2018 Copyright 2018 Vyapin Software Systems Private Ltd. All rights reserved. This document is being furnished by Vyapin Software Systems

More information

Getting Started with VMware View View 3.1

Getting Started with VMware View View 3.1 Technical Note Getting Started with VMware View View 3.1 This guide provides an overview of how to install View Manager components and provision virtual desktops. Additional View Manager documentation

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Welcome to PDQ Inventory

Welcome to PDQ Inventory Getting Started Contents Welcome to PDQ Inventory........ 1 Licensing.................... 2 PDQ Inventory Licensing Mode Comparison.................. 2 PDQ Inventory Product Feature Comparison..................

More information

Clearspan Hosted Thin Call Center R Release Notes JANUARY 2019 RELEASE NOTES

Clearspan Hosted Thin Call Center R Release Notes JANUARY 2019 RELEASE NOTES Clearspan Hosted Thin Call Center R22.0.39 Release Notes JANUARY 2019 RELEASE NOTES NOTICE The information contained in this document is believed to be accurate in all respects but is not warranted by

More information

Status Web Evaluator s Guide Software Pursuits, Inc.

Status Web Evaluator s Guide Software Pursuits, Inc. Status Web Evaluator s Guide 2018 Table of Contents Introduction... 2 System Requirements... 2 Contact Information... 2 Installing Microsoft IIS... 2 Verifying Microsoft IIS Features... 9 Installing the

More information

Guide Citrix administrator guide

Guide Citrix administrator guide Guide Citrix administrator guide For: Copyright 2017 Dragon Medical Practice Edition. This material may not include some last-minute technical changes and/or revisions to the software. Changes are periodically

More information