Active Session Monitoring

PSM enables authorized users to monitor active sessions from their own workstation, take part in controlling these sessions, and suspend or terminate them.

PSM can automatically suspend or terminate sessions when notified by PTA or a third party threat analytics tool.

 

The authorized user monitors or terminates an active session using the same connection method (RDP file or HTML5 Gateway) as the end user.

Permissions

Monitor Active Sessions

To access the Monitoring page, you must have membership in the Auditors group or membership in the relevant Account Safes and Recording Safes with the following authorizations:

Safe type

Permissions

Account Safes

  • List accounts/files

    This authorization specifically enables users to access recordings from the Account Details page.

  • View audit

Recording Safes

  • Retrieve accounts/files

  • List accounts/files

  • View audit

To monitor the session, in the PVWA system configuration, the Active Sessions Monitoring settings must specify the following:

Item

Description

Monitoring

The AllowMonitor property must be set to Yes

Monitor level

The MonitoringLevel property determines whether users can view or control active sessions.

Suspend active sessions

In the PVWA system configuration, the Active Sessions Monitoring settings must specify the following:

Item

Description

AllowPSMNotifications

 

Set Privileged Session Management > General settings > Server settings > Live Session Monitoring settings > AllowPSMNotifications to Yes to enable users to suspend active sessions.

 

This parameter is not supported on PSM for SSH and OPM sessions.

Suspending Active Sessions Users And Groups

Users need to be added as a user in the Suspending Active Sessions Users And Groups parameter.

Terminate active sessions

In the PVWA system configuration, the Active Sessions Monitoring settings must specify the following:

Item

Description

Terminating Active Sessions Users And Groups

Users need to be added as a user in the Terminating Active Sessions Users And Groups parameter. The default group is PSMLiveSessionTerminators.

Active session monitoring settings

The active session monitoring settings determine how users can monitor live privileged sessions and the types of activities that they can perform.

  1. Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.

  2. Expand the Privileged Session Management parameters, then expand General Settings.

  3. Expand the Server Settings, then expand the Live Sessions Monitoring Settings; the general Live Sessions Monitoring Settings properties are displayed in the Properties list.

  4. Specify the following properties:

    Property

    Description

    AllowMonitor

    Permits authorized users to monitor active sessions. The exact monitoring task is specified in the MonitoringLevel parameter.

    MonitoringLevel

    Specifies the monitoring task that authorized users can perform. The following options are available:

    • View – Users can view active sessions from their own workstation, but cannot participate in the session.
    • Control – Users can participate in active sessions and can control them in the same way as the original user.

    AllowTerminate

    Permits authorized users to terminate active sessions.

    AllowPSMNotifications
    • To enable users to manually suspend a session, set this parameter to Yes.

    • To enable PSM to automatically terminate sessions or suspend and resume sessions when notified by PTA or a third party threat analytics tool, set this parameter to Yes.

      Configure automatic termination through Privileged Threat Analytics or with the Terminate an active session web service.

     

    This parameter is not supported on PSM for SSH and OPM sessions.

  5. To enable users to terminate session, expand Live Sessions Monitoring Settings, and then expand Terminating Live Sessions Users and Groups; a list of Vault users and groups that are authorized to terminate active sessions is displayed.

    By default, all members of the Vault group called PSMLiveSessionTerminators are authorized to terminate active sessions.

    Make sure that the users who will terminate active sessions belong to this group,

    or,

    Create a new user or group that will be able to terminate active sessions:

    1. Right-click Terminating Active Sessions Users and Groups, then from the pop-up menu select Add User or Group; a new User or Group parameter is added.

    2. In the new User or Group parameter, then in the Properties list specify the name of the user or group to authorize.

  6. To enable users to suspend sessions, expand Live Sessions Monitoring Settings, and then expand Suspending Live Sessions Users and Groups; a list of Vault users and groups that are authorized to suspend an active sessions is displayed.

    or,

    Create a new user or group that will be able to suspend active sessions:

    1. Right-click Suspending Active Sessions Users and Groups, then from the pop-up menu select Add User or Group; a new User or Group parameter is added.

    2. In the new User or Group parameter, then in the Properties list specify the name of the user or group to authorize.

  7. Click Apply to save the new parameter values and stay in the Web Access Options page,

    or,

    Click OK to save them and return to the System Configuration page. The changes will be applied after the period of time specified in the ConfigurationRefresh Interval parameter.

To enable PSM to automatically terminate sessions or suspend and resume sessions when notified by PTA or a third party threat analytics tool, do the following:

  1. Go to Options > PIM Suite Configuration > Privileged Session Management > General Settings > Server Settings > Live Sessions Monitoring Settings and set AllowPSMNotifications to Yes.

  2. Specify what triggers an automatic response

    1. If you are using PTA, you can configure which activities terminate or suspend a session automatically.

      For details, see Configure Suspicious Session Activities in PTA in the PTA Implementation Guide.

       

      Verify that the PTA user's group is included in the Terminating Active Sessions Users and Groups parameter.

    2. If you are using a third party threat analytics tool, create a Vault user and add that user to the Terminating Live Sessions Users and Groups and Suspending Live Sessions Users and Groups parameters. Use this Vault user when calling the Web service to trigger the automatic response.

Active session monitoring at the system level

By default, active session monitoring is enabled at system level for all authorized users, and can be disabled at platform level. Active session monitoring can also be disabled at system level, but when it is disabled, it cannot be enabled at platform level.

  1. Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.

  2. Expand the Privileged Session Management parameters, then expand General Settings.

  3. Expand the Server Settings, then expand the Live Sessions Monitoring Settings; the general Live Sessions Monitoring Settings properties are displayed in the Properties list.

  4. In the Properties list, set the Enable parameter.

    • Set Enable to No to disable active session monitoring at system level. This cannot be overridden at platform level.

    • Set Enable to Yes to re-enable active session monitoring at system level.

  5. Click Apply to save the new parameter values and stay in the Web Access Options page,

    or,

    Click OK to save them and return to the System Configuration page. The changes will be applied after the period of time specified in the ConfigurationRefresh Interval parameter.

Active session monitoring at the platform level

You can override active sessions monitoring settings in individual platforms, enabling you to determine whether or not authorized users can or cannot monitor active sessions during privileged sessions that use accounts managed by specific platforms, regardless of the general active sessions monitoring settings.

To monitor active sessions at platform level, users require the Safe ownership and permissions listed above in Active Session Monitoring.

  1. In the System Configuration page, click Options, then configure the general Active Sessions Monitoring Settings.

  2. Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.

  3. Select the platform to configure, then click Edit; the settings page for the selected platform appears.

  4. Expand UI & Workflows, and then right-click Privileged Session Management, then from the pop-up menu select Add Override Live Sessions Monitoring Settings; a set of parameters is added to the PSM parameters. These parameters enable you to set Active Session Monitoring settings for this platform which will override the general Live Session Monitoring settings.

  5. Select Override Active Sessions Monitoring Settings and set the following properties:

    Property

    Description

    AllowMonitor

    Whether or not authorized users can view and/or control active sessions that use accounts managed by this platform. The monitoring task level (View/Control) is taken from the general active sessions monitoring settings.

    AllowTerminate

    Whether or not authorized users can terminate active sessions that use accounts managed by this platform.
     

    When active session monitoring is disabled at system level, it cannot be enabled at platform level.

  1. Click Apply to save the new parameter values and stay in the platform settings page,

    or,

    Click OK to save them and return to the System Configuration page. The changes will be applied after the period of time specified in the ConfigurationRefresh Interval parameter.

Live monitoring notification

When authorized users begin monitoring an active session, a notification can be displayed to indicate the session is being monitored. This is configured separately for each platform.

When authorized users suspend an active session, a notification is displayed.

This notifications are displayed at the bottom right corner of the remote active session window.

Notification type

Screenshot

Monitored session

Suspended session

When the actives session is resumed, the notification disappears.

  1. Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.

  2. Select the platform to configure, then click Edit; the settings page for the selected platform appears.

  3. Expand UI & Workflows, and then select Privileged Session Management.

  4. In the Properties list, set the following properties:

    Property

    Description

    ShowLiveMonitoringNotification

    Whether or not authorized users can view and/or control active sessions that use accounts managed by this platform. The monitoring task level (View/Control) is taken from the general active sessions monitoring settings.

    LiveMonitoringNotificationDisplayTime

    Time in seconds to display the alert during active sessions, indicating that this session is being monitored. Specify ‘0’ (zero) to display it indefinitely. The default value is 5 seconds.

  5. Click Apply to save the new values and stay in the platform settings page,

    or,

    Click OK to save them and return to the System Configuration page. The changes will be applied after the period of time specified in the ConfigurationRefresh Interval parameter.