Active Session Monitoring
This topic describes how to enable and disable active session monitoring.
Overview
Authorized users can monitor active sessions from their workstation and take part in controlling these sessions. Users can also suspend or terminate active sessions based on their
By default, active session monitoring is enabled at system level for all authorized users, and can be disabled at platform level. Active session monitoring can also be disabled at system level, but when it is disabled, it cannot be enabled at platform level.
PSM can automatically suspend or terminate sessions when notified by PTA or a third party threat analytics tool.
Authorized users monitor or terminate an active session using the same connection method (RDP file or HTML5 Gateway) as the end user.
Required permissions for the Monitoring page
Users must be part of the Auditors group or members in the relevant Account Safes and Recording Safes with the following authorizations:
Safe type | Permissions |
---|---|
Account Safes | |
Recording Safes | |
Active session monitoring settings
You can enable or disable active session monitoring and set the control level that authorized users will have.
- In the PVWA, click Administration > Configuration Options.
- In the left pane, go to Configurations > Privileged Session Management > General Settings > Server Settings > Live Sessions Monitoring Settings.
- In the Properties pane, enter the following information, and then save your changes:
Property | Description |
---|---|
AllowMonitor | Permits authorized users to monitor active sessions. Set value to Yes or No. The exact monitoring task is determined by the MonitoringLevel property. |
MonitoringLevel | Specifies the monitoring task that authorized users can perform. Available options: View – Users can view active sessions from their own workstation, but cannot participate in the session. Control – Users can participate in active sessions and can control them in the same way as the original user. |
AllowTerminate | Permits authorized users to terminate active sessions. |
AllowPSMNotifications | To enable users to manually suspend a session, set to Yes. To enable PSM to automatically terminate sessions or suspend and resume sessions when notified by PTA or a third party threat analytics tool, set this parameter to Yes. Configure automatic termination through Privileged Threat Analytics or with the Terminate an active session web service. This parameter is not supported on OPM sessions. |
Enable users and groups to suspend or terminate a session
When active session monitoring is enabled, you can decide which users and groups can suspend and terminate a session.
By default, users who belong to the following group can suspend or terminate sessions:
PSMLiveSessionTerminators
To enable users to suspend or terminate a session, you can either add them to this existing group or add a new group in the Configuration Options.
- In the PVWA, click Administration > Configuration Options.
- In the left pane, go to Configurations > Privileged Session Management > General Settings > Server Settings > Live Sessions Monitoring Settings.
- Right-click either Terminating Live Sessions Users and Groups or Suspending Live Sessions Users and Groups, and then click Add User or Group.
- In the Properties pane, enter the name of the user or group you want to enable, and then save your changes.
Enable automatic response to high risk session activity
To enable PSM to automatically terminate sessions or suspend and resume sessions when notified by PTA or a third party threat analytics tool, do the following:
- Go to Options > Configurations > Privileged Session Management > General Settings > Server Settings > Live Sessions Monitoring Settings and set AllowPSMNotifications to Yes.
- Specify what triggers an automatic response:
  - If you are using PTA, you can configure which activities terminate or suspend a session automatically. For details, see Configure Suspicious Session Activities in PTA in the PTA Implementation Guide. Verify that the PTA user's group is included in the Terminating Active Sessions Users and Groups parameter.
  - If you are using a third party threat analytics tool, create a Vault user and add that user to the Terminating Live Sessions Users and Groups and Suspending Live Sessions Users and Groups parameters. Use this Vault user when calling the Web service to trigger the automatic response.
Enable or disable active session monitoring at the platform level
You can override active sessions monitoring settings in individual platforms. You can determine whether authorized users can monitor active sessions during privileged sessions that use accounts managed by specific platforms, regardless of the general active sessions monitoring settings.
When active session monitoring is disabled at system level, it cannot be enabled at platform level.
To monitor active sessions at platform level, users require the Safe ownership and permissions listed above in Active Session Monitoring.
- In the PVWA, click Administration, and then click Platform Management.
- Click the platform type that you want to edit: Targets, Dependents, Groups, or Rotational Groups.
- Select the platform, click the ellipsis button next to that platform, and then click Edit.
- In the left pane, expand UI & Workflows, right-click Privileged Session Management and select Add Override Live Sessions Monitoring Settings.
- In the Properties pane, enter the following information, and then save your changes:
Property | Description |
---|---|
AllowMonitor | Whether or not authorized users can view or control active sessions that use accounts managed by this platform. The monitoring task level (View/Control) is taken from the general active sessions monitoring settings. |
AllowTerminate | Whether or not authorized users can terminate active sessions that use accounts managed by this platform. |
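The following added example (not CyberArk code) works through how the system-level and platform-level values described above combine, and what must be in place before PTA or a third party tool can trigger an automatic response. The dictionary layout, the `TerminatingUsersAndGroups` and `SuspendingUsersAndGroups` key names, and both function names are assumptions made for illustration.

```python
# Added example: the settings on this page modelled as plain dicts.
# Dict layout, list key names and function names are assumptions,
# not a CyberArk file format or API.

def _yes(value):
    return str(value).strip().lower() == "yes"

def effective_settings(system, platform_override=None):
    """Resolve AllowMonitor / AllowTerminate for one platform.

    A platform override can only narrow the system-level value: a property
    disabled at system level stays disabled even if the platform says Yes.
    (Applying that rule to AllowTerminate as well is an assumption.)
    """
    override = platform_override or {}
    result = {}
    for prop in ("AllowMonitor", "AllowTerminate"):
        system_on = _yes(system[prop])
        platform_on = _yes(override.get(prop, system[prop]))
        result[prop] = system_on and platform_on
    # View/Control is always taken from the general settings.
    result["MonitoringLevel"] = system["MonitoringLevel"] if result["AllowMonitor"] else None
    return result

def automatic_response_gaps(system, responder, third_party=False):
    """Return what still blocks automatic suspend/terminate for a responder.

    `responder` is the set of names (user plus its groups) used by PTA or
    by the third-party tool's Vault user.
    """
    gaps = []
    if not _yes(system["AllowPSMNotifications"]):
        gaps.append("AllowPSMNotifications is not Yes")
    required = ["TerminatingUsersAndGroups"]
    if third_party:  # the third-party Vault user must be in both lists
        required.append("SuspendingUsersAndGroups")
    for key in required:
        if not set(responder) & set(system[key]):
            gaps.append(f"responder missing from {key}")
    return gaps

# Constructed sample values, for illustration only.
SYSTEM = {
    "AllowMonitor": "Yes", "MonitoringLevel": "Control",
    "AllowTerminate": "Yes", "AllowPSMNotifications": "No",
    "TerminatingUsersAndGroups": ["PSMLiveSessionTerminators"],
    "SuspendingUsersAndGroups": ["PSMLiveSessionTerminators"],
}
```

An empty list from `automatic_response_gaps` means the prerequisites listed on this page are met; it does not check OPM sessions, where AllowPSMNotifications is not supported.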
Configure live monitoring notifications
When authorized users begin monitoring an active session, a notification can be displayed to indicate the session is being monitored. This is configured separately for each platform.
When authorized users suspend an active session, a notification is displayed.
These notifications are displayed at the bottom right corner of the remote active session window.
- In the PVWA, click Administration, and then click Platform Management.
- Click the platform type that you want to edit: Targets, Dependents, Groups, or Rotational Groups.
- Select the platform, click the ellipsis button next to that platform, and then click Edit.
- In the left pane, go to UI & Workflows > Privileged Session Management.
- In the Properties pane, enter the following information, and save your changes:
Property | Description |
---|---|
ShowLiveMonitoringNotification | Whether or not authorized users can view or control active sessions that use accounts managed by this platform. The monitoring task level (View/Control) is taken from the general active sessions monitoring settings. |
LiveMonitoringNotificationDisplayTime | Time in seconds to display the alert during active sessions, indicating that this session is being monitored. Specify ‘0’ (zero) to display it indefinitely. The default value is 5 seconds. |