Ekran System v. 5.1 Program Overview
Contents About the Program Ekran Server & Management Tool Database Management Licensing Client Installation Monitoring Parameters Client Protection Advanced User Authentication Two-Factor Authentication Administrator s Approval on Login Notifying Users about Being Monitored User Blocking Viewing Sessions Alerts USB Monitoring Dashboards Interactive Monitoring Reports Page 2 of 102
About the Program Page 3 of 102
About the Program Smart user activity video recording system. Privileged Identity Management Employee Work Control Cost Saver on the Market Ekran System allows creating indexed video records of all concurrent Windows, Citrix, and Linux terminal sessions on your servers and record remote and local sessions on workstations. Are you interested in your company's security? Do you want to know what your employees do during their working hours? Do you want to control sensitive information use? Ekran System provides all popular segment features while offering much more beneficial pricing than ObserveIT or Citrix Smart Auditor. Page 4 of 102
About the Program Ekran System is an affordable user monitoring solution for enhanced cyber security. You can record all terminal, remote, and local user sessions and alert security personnel to suspicious events. Ekran System Components Ekran Management Tool Ekran Server Ekran Clients Windows/Linux/Citrix GUI part used for system management & session viewing Main component used for storing data obtained from Client computers Components installed on the target computer to monitor user activity and send it to the Server Page 5 of 102
Ekran System Structure Page 6 of 102
High Availability Mode (Enterprise Edition) The High Availability mode provides a high level of operational performance and balances the load of sent data, minimizing downtime and service interruptions. Page 7 of 102
Ekran Server & Management Tool User management, permissions, Active Directory Integration, Management Tool settings Page 8 of 102
Management Tool You can manage the whole system via the Management Tool in your browser. Page 9 of 102
User Management & Permissions Create two types of users: Internal or Active Directory (Windows domain users/groups). Use groups for easier user management. Define permissions for users. Page 10 of 102
Active Directory Integration Integration with Active Directory allows you to establish the domain trusts with multiple domains. Page 11 of 102
Active Directory Integration Integration with Active Directory allows you to do the following: Add users & user groups from trusted domains to allow them to access the Management Tool and Client machines with enabled Forced User Authentication. Create alerts for domain groups to quickly respond to suspicious user activity on the Client computers belonging to trusted domains. Page 12 of 102
Management Tool Log Audit all user activities performed in the Management Tool via the Management Tool Log with the detailed information on all changes. Page 13 of 102
Database Management Page 14 of 102
Database Configuration Page 15 of 102
Database Cleanup One-Time Cleanup Scheduled Cleanup Page 16 of 102
Database Archiving (Enterprise Edition) Archive and delete the old monitored data from the Database to not run out of space on the Server computer and to save the monitored data in a secure storage. Page 17 of 102
Database Archiving (Enterprise Edition) You can view the archived sessions from your archived database in the Session Viewer and perform searches in them in a usual way at any time. Page 18 of 102
SIEM Integration Ekran System integrates with your SIEM system using log files of the monitored events. Page 19 of 102
Advanced SIEM Integration Create a CEF log file to get access to the Ekran System alert events and monitored data via the integral ArcSight or Splunk interface. Page 20 of 102
Licensing Types of Licenses & Serial Key Management Page 21 of 102
Licensing Ekran System is licensed by the number of Ekran Clients, end-points to be monitored. All management components, including Server and Management Tool, are provided for free with any deployment. Types of Ekran Client licenses: Windows workstation license Windows server license Linux machine license Page 22 of 102
Serial Key & License Management Request a trial serial key for 30 days to deploy the system and review its basic features with a restriction of 5 workstation licenses, 1 server license, and 3 Linux licenses. To work with Ekran System for a longer period, license it by activating the serial keys on the computer with the installed Ekran Server. You can use either permanent keys, or subscription keys. Page 23 of 102
Enterprise Key Activate Enterprise serial key to get exclusive access to a set of additional, valuable features of Enterprise Edition of Ekran System. Page 24 of 102
Client Installation Page 25 of 102
Installing Ekran Clients Convenient Ekran Client installation: Local: o Linux Clients (via tar.gz file) o Windows Clients using installation file with default parameters using generated package with customized parameters Remote (for Windows Clients) Remote Installation Select computers to install Clients on Customize installation parameters The Clients are successfully installed! Page 26 of 102
Target Computers for Remote Installation Scan your local computer network Define a range of IP addresses to search the target computers Simply enter target computer names Page 27 of 102
Monitoring Parameters Page 28 of 102
Client Monitoring The data the Client sends is stored in the form of deltas (differences between a newer screen capture and an older one) to minimize storage space. Recorded information is saved in an easy-to-review and easy-tosearch form: The name of the launched application The title of the active window Entered URL Text entered via user s keyboard (keystrokes) Clipboard text data (copied and pasted text) Commands executed in Linux (both from user input & by running the scripts) The information on plugged-in USB devices Page 29 of 102
Screen Capturing Ekran Client screen capture creation is event-triggered by default. You can configure the Client to capture active window only. Page 30 of 102
URL Monitoring Ekran Client monitors URLs entered in web browsers. You can configure the Client to monitor full URLs or domains of top and second level only. Page 31 of 102
Keystroke Logging Ekran Client captures all text entered through the user s keyboard and adjusts it for better comprehension. Use a special Viewing text data permission to limit user access to this sensitive data. Page 32 of 102
Keyword-Triggered Monitoring You can configure Ekran Client to start monitoring and creating screen captures only after detecting the defined keywords entered by the user. Page 33 of 102
Clipboard Monitoring Ekran Client captures all text data, which has been copied or cut and then pasted into documents, files, applications, browser address line, etc. on the Windows Client machines. Page 34 of 102
Application Filtering Ekran System allows you to define the filtering rules for websites/applications to adjust the amount of monitored data and exclude the areas where private information can be observed to comply with corporate policy rules and country regulations related to user privacy. Page 35 of 102
Privileged User Monitoring Monitor the activity of users logging in under privileged user accounts. Page 36 of 102
Client Group Settings You can define the settings for a Client Group and then apply them to the Client to save your time. Page 37 of 102
Client Protection Page 38 of 102
Protected Mode Ekran System allows you to protect the Client and its data by enabling the Protected Mode. The usage of Protected Mode has the following advantages: Prevention of Client uninstallation. Prevention of stopping Client processes. Prevention of editing Client system files and logs. Prevention of editing Client settings in the registry of the Client computer. Prevention of modification, removal, and renaming of Client files. Page 39 of 102
Client Uninstallation Users, including privileged ones, are unable to stop the Client working on their machines, as well as remove the Client locally without the Administrator assistance. Only Ekran System Administrator knows the uninstallation key defined prior to Client installation and necessary for local removal. Page 40 of 102
Advanced User Authentication Page 41 of 102
Advanced User Authentication Advanced user authentication allows you to achieve two goals: Monitor users activity on the computer when multiple users use the same credentials to log in. Improve your security by limiting the access to the specific users who know secondary authentication credentials. Page 42 of 102
Advanced User Authentication (Windows Clients) The Ekran System Client requests entering credentials before allowing a user to work with Windows Server. Page 43 of 102
One-Time Password (Windows Clients) Enterprise Edition Ekran System provides the administrator with a unique ability to generate a one-time password for a user to login to the Client computer with Windows Server OS. Page 44 of 102
One-Time Password (Windows Clients) The user can request a one-time password directly from the secondary authentication window displayed on login to Windows Server. Page 45 of 102
Advanced User Authentication (Linux Clients) The Ekran System Client requests entering credentials before allowing a user to work with the terminal on Linux Client machines. Page 46 of 102
Two-Factor Authentication Page 47 of 102
Two-Factor Authentication Two-factor authentication allows you to enable an extra layer of security to better protect the critical endpoints in your network. Page 48 of 102
Two-Factor Authentication Add users who will be allowed to log into the Windows Server Client machines using time-based one-time passwords (TOTP) generated in the TOTP mobile applications. Page 49 of 102
Two-Factor Authentication The Ekran System Client prompts the user to enter a TOTP to start working with the system. Page 50 of 102
Administrator s Approval on Login Page 51 of 102
Administrator s Approval on Login Administrator s approval on login allows you to better protect the Client machines in your network from undesired access. Page 52 of 102
Administrator s Approval on Login Add users whose access to the Client machines needs to be restricted. Page 53 of 102
Administrator s Approval on Login When the restricted user logs into the Client machine, the Client blocks the desktop and sends the user s access request to the administrator. Page 54 of 102
Administrator s Approval on Login After the administrator confirms the user s access request, the user is allowed to start working with the system. Page 55 of 102
Notifying Users about Being Monitored Page 56 of 102
Notifying Users about Being Monitored To follow the security policy of your company or your country regulations, you can: Enable displaying an additional message on user logging in to notify the user that his or her work is being monitored. Display a Client tray icon with the notification about monitoring to the user. Page 57 of 102
Notifying Users about Being Monitored Require the users to enter the comments to the additional message displayed on their login to the Client computers. Page 58 of 102
Notifying Users about Being Monitored Required the user to enter a valid ticket number created in the integrated ticketing system to start working with the Client machine. Page 59 of 102
User Blocking Page 60 of 102
User Blocking Overview Ekran System allows you to block users performing potentially harmful and forbidden actions on computers with Windows Server operating system with Ekran Clients installed on them. Users can be blocked from both Live and Finished sessions. Page 61 of 102
User Blocking Overview The user desktop is blocked, and after the defined time interval the user is forcedly logged out. If the blocked user tries to log in to the Client computer, the system does not allow him/her to do so. Page 62 of 102
Viewing Blocked User List The Blocked User List contains information on who, where, and when was blocked. To allow the users access to the Client Computer, remove them from the list. Page 63 of 102
Viewing Sessions Page 64 of 102
Searching Data in Session List Ekran Management Tool allows searching in the recorded sessions. Search is performed by different parameters: For Windows Clients: active window title, application name, user name, Client name, visited URL, entered keystrokes, clipboard text data, user s comment to the additional message, ticket number, USB device information. For Linux Clients: commands and command parameters. Page 65 of 102
Viewing Live Session Ekran System allows you to perform monitoring of user activity in real time. You can connect to a Live session and observe the activities a user is performing at the given moment. Page 66 of 102
Magnifying Glass You can enlarge certain parts of the video in the Session Player by using the Magnifying Glass. Page 67 of 102
Forensic Export With Ekran System Forensic Export, you can: Export a monitored session or its part to a securely encrypted file. Investigate the recorded user activity in the in-built offline session viewer. Present evidence in forensic format to the third parties. Page 68 of 102
Alerts Page 69 of 102
Setting Up Alerts Ekran System allows you to enable quick incident response using alert notifications: Set up alerts about suspicious user activity on the Client computers. Specify individuals to receive instant alert notifications via email or in the Tray Notifications application. Page 70 of 102
Default Alerts Ekran System contains a set of default alerts prepared by the vendor security experts. They will alarm you about data leakage, potentially fraudulent, illicit, or work-unrelated activities. Page 71 of 102
Alerts in Session Player Monitored data associated with alert events is highlighted in different colors in the Session Player according to the alert risk level. Page 72 of 102
Alerts in Alert Viewer You can view detailed information on all alert events as well as screen captures associated with them in a special viewer. Page 73 of 102
Receiving Alerts Receive alert notifications in real time, review them in the Ekran System Tray Notifications journal, and open the session with the alert-related data in the Session Player. Page 74 of 102
USB Monitoring Page 75 of 102
USB Monitoring Overview Ekran System provides two types of monitoring USB devices plugged into the Client computer: USB-based storage monitoring, to view information on the devices detected by Windows as mass storage and receive alert notifications. Kernel-level USB monitoring, for an in-depth analysis of pluggedin devices and their blocking. Page 76 of 102
Setting Up Kernel-level USB Rules Ekran System can detect USB devices connected to a computer, alert you on device plugging in, and block their usage (either all devices of a certain class or all except the allowed devices) on a Client computer. Page 77 of 102
USB-Based Storage Monitoring USB-based storages are automatically detected on being plugged in. Page 78 of 102
Kernel-Level USB Monitoring Screen captures created on USB devices being plugged in or blocked are highlighted in the Session Viewer. Page 79 of 102
Dashboards Page 80 of 102
Dashboards Overview The dashboards offer a convenient real-time view of the most useful data grouped in one place. Customize the dashboards on the Management Tool Home page by adjusting their look and settings. Page 81 of 102
Dashboard Types There are three main types of Ekran System dashboards: System State Dashboards o Licenses o Clients o Database Storage Usage Monitoring Dashboards o Recent Alerts o Latest Live Sessions Threat Detection Dashboards o Sessions out of Work Hours o Rarely Used Computers o Rarely Used Logins Page 82 of 102
System State Dashboards Clients Database Storage Usage Licenses Page 83 of 102
Monitoring Dashboards Recent Alerts Latest Live Sessions Page 84 of 102
Threat Detection Dashboards Rarely Used Computers Rarely Used Logins Sessions out of Work Hours Page 85 of 102
Interactive Monitoring Page 86 of 102
Interactive Monitoring Overview You can filter out data by three parameters: Who: filter by a specific user logged into the Client computer. Where: filter by a specific Client. When: filter by the time period. Additionally, you can set the order of bars being displayed, using the Applications and URLs filters. Data is displayed in the form of two column charts (Application Monitoring chart and URL Monitoring chart). To see the list of application/website entries, click on the column with the application/website name. Page 87 of 102
Application Monitoring Chart This chart provides information on the application usage frequency. You can also use this chart to analyze information on the most rarely used applications and detect any threats and suspicious activity on investigated computers. Page 88 of 102
URL Monitoring Chart This chart provides information on the website visiting frequency. You can also use this chart to analyze information on the most and least visited websites and detect potentially harmful activity on investigated computers. Page 89 of 102
Reports Page 90 of 102
Reports & Statistics Ekran System Reports provide the full overview of the time spent in applications and on websites visited on the user s machine. Generate a highly customizable report ad-hoc or schedule sending reports to your email on a daily, weekly, or monthly basis. The reported activity can include alerts, launched applications, visited websites, plugged-in/blocked USB devices, and executed Linux commands. Scheduled Reports Page 91 of 102
Reports & Statistics The reports can be generated manually at any time for any time period. Manual Report Generation Page 92 of 102
Report Types Activity summary report Activity pie chart report Activity chart report Page 93 of 102
Report Types User statistics report Page 94 of 102
Report Types Session grid report Page 95 of 102
Report Types Detailed Activity report Page 96 of 102
Report Types Keystroke grid report Clipboard grid report Page 97 of 102
Report Types Alert grid report Page 98 of 102
Report Types URL summary report URL pie chart report URL chart report Page 99 of 102
Report Types USB storage grid report Kernel-level USB storage grid report Page 100 of 102
Report Types In the Linux grid report, you can view all exec* and sudo commands executed on Linux Client computers. Linux grid report Page 101 of 102
Visit us online: www.ekransystem.com Page 102 of 102