Help File
Table of Contents
About................................................................................................................................. 15
System Requirements .................................................................................................... 16
Program Structure........................................................................................................... 19
Getting Started................................................................................................................. 21
Deployment Process ...............................................................................................................21
Working with Application ........................................................................................................22
Server and Database ....................................................................................................... 23
About .........................................................................................................................................23
Database Types Comparison ................................................................................................23
High Availability Mode ............................................................................................................23
About ......................................................................................................................................23
Standard and High Availability Modes Comparison .......................................................24
Installing/Uninstalling/Updating the Server ..........................................................................24
Installing the Server .............................................................................................................24
Backing up Ekran Master Certificate.................................................................................26
Deleting Ekran Master Certificate ......................................................................................30
Importing Ekran Master Certificate ....................................................................................30
Installing the Server in the Cloud .......................................................................................31
Adding Server Executable to Windows Firewall..............................................................31
Using an External/Cloud-Based Server Computer .........................................................34
Updating the Server .............................................................................................................34
Uninstalling the Server ........................................................................................................35
Server Tray ...............................................................................................................................35
Database Management ..........................................................................................................35
About ......................................................................................................................................35
Cleanup Parameters ............................................................................................................36
One-Time Cleanup ...............................................................................................................37
Scheduled Cleanup..............................................................................................................37
Shrinking MS SQL Database .............................................................................................38
Firebird Database Optimization .........................................................................................38
Deleting the Client ................................................................................................................39
Moving the Server Database ..............................................................................................40
About ...................................................................................................................................40
Moving the Server Database on the Same Computer ................................................40
Moving the Server Database to Another Computer ....................................................43
Moving Binary Data to Shared or Local Folder ...............................................................44
Validating Monitoring Data..................................................................................................45
About ...................................................................................................................................45
Validating Monitoring Data Using Hash Codes ............................................................46
Signing Monitoring Data with Certificate .......................................................................46
Moving the Server Database Signed with Certificate to another Computer ............50
Advanced SIEM Integration ...................................................................................................54
About ......................................................................................................................................54
Log File Contents .................................................................................................................54
Enabling Log File Creation .................................................................................................55
Log Cleanup ..........................................................................................................................55
Management Tool ............................................................................................................ 56
About .........................................................................................................................................56
Management Tool Installation Prerequisites .......................................................................56
Prerequisites Overview .......................................................................................................56
Turning on Internet Information Service (IIS) ..................................................................57
Turning on IIS for Windows 8 and Windows 7 .............................................................57
Turning on IIS for Windows Server 2008 R2 ................................................................58
Turning on IIS for Windows Server 2012 ......................................................................59
Installing .NET Framework .................................................................................................61
Configuring Internet Information Service (IIS) .................................................................61
Using Certificates .................................................................................................................65
Generating Self-Signed Certificate ................................................................................65
Exporting Self-Signed Certificate ...................................................................................67
Importing Trusted Certificate ...........................................................................................67
Adding Certificate to Trusted Root Certification Authorities ..........................................68
Setting HTTPS Binding for a Default Web-Site ...............................................................73
Installing/Uninstalling/Updating the Management Tool .....................................................75
Installing the Management Tool .........................................................................................75
Adjusting Computer for Remote Access ..........................................................................77
Updating Management Tool ...............................................................................................78
Uninstalling Management Tool ..........................................................................................79
Opening Management Tool ...................................................................................................79
Management Tool Interface ...................................................................................................80
Changing Password for Logged in User ..............................................................................81
Multi-Tenant Mode/Single-Tenant Ekran System Mode ............................................. 83
About .........................................................................................................................................83
User Types in Ekran System Deployed in Multi-Tenant Mode ........................................83
Admin of the default tenant (Technician)..........................................................................83
Tenant Admin........................................................................................................................83
Tenant User ..........................................................................................................................84
Tenant Management ...............................................................................................................85
Viewing Tenants ...................................................................................................................85
Adding Tenants ....................................................................................................................85
Editing Tenants .....................................................................................................................87
Resending Email to the Tenant Admin .............................................................................87
Deleting Tenants ..................................................................................................................88
Switching to Tenant Account ..............................................................................................88
Granting Technician Access to Tenant Account Info .........................................................89
Licensing .......................................................................................................................... 90
General Licensing Information ..............................................................................................90
Getting Licenses by the Default Tenant Admin (Technician) ...........................................91
Serial Keys ............................................................................................................................91
About Update & Support Period ........................................................................................92
Viewing License State .........................................................................................................92
Activating Serial Keys Online .............................................................................................93
Adding Activated Serial Keys Offline ................................................................................94
Deactivating Serial Keys .....................................................................................................95
License Management..............................................................................................................95
Client License Management ...............................................................................................95
Viewing Granted Licenses ...............................................................................................96
User and User Group Management .............................................................................. 97
About .........................................................................................................................................97
Viewing Users and User Groups ...........................................................................................97
User Management ...................................................................................................................98
Adding Users ........................................................................................................................98
Editing Users .......................................................................................................................102
Deleting Users ....................................................................................................................103
User Group Management .....................................................................................................103
Adding User Groups ..........................................................................................................103
Editing User Groups ..........................................................................................................104
Deleting User Groups ........................................................................................................104
Permissions ............................................................................................................................104
About ....................................................................................................................................104
Administrative Permissions ..............................................................................................105
Client Permissions .............................................................................................................105
Permission Example ..........................................................................................................106
Management Tool Log ..........................................................................................................108
About ....................................................................................................................................108
Viewing Management Tool Log .......................................................................................108
Management Tool Log Protection ...................................................................................110
Filtering and Sorting Log Data .........................................................................................110
Windows Clients ............................................................................................................ 111
About .......................................................................................................................................111
Monitoring via Windows Clients ..........................................................................................111
Installing Windows Clients ...................................................................................................112
About ....................................................................................................................................112
Setting up Environment for Remote Installation ............................................................112
Windows Client Installation Prerequisites ...................................................................112
Disabling Simple File Sharing in Windows XP ...........................................................113
Disabling Sharing Wizard in Windows 8.1, Windows 8, and Windows 7 ...............114
Checking System Services............................................................................................115
Setting up Firewall for Windows Vista, Windows XP, and Windows Server 2003 ..................116
Setting up Firewall for Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008 ...........................................................117
Installing Windows Clients Remotely via the Management Tool ................................120
About .................................................................................................................................120
Selecting Computers ......................................................................................................120
Remote Windows Client Installation Process .............................................................122
Remote Installation from an Existing .INI File ............................................................123
Installing Windows Clients Locally ..................................................................................123
About .................................................................................................................................123
Windows Client Installation Package ...........................................................................123
Generating Windows Client Installation Package ......................................................128
Installing Windows Clients Locally with Custom Monitoring Parameters ..............128
Downloading Windows Client Installation File (.exe) ................................................129
Installing Windows Clients Locally without .ini File....................................................129
Installation via Third Party Software................................................................................129
Installing Windows Client on Amazon WorkSpace .......................................................130
Cloning a Virtual Machine with Installed Client .............................................................130
Unassigning License on Virtual Machine Shutdown ....................................................130
Updating Windows Clients ...................................................................................................131
About ....................................................................................................................................131
Windows Client Status after Server Update ..................................................................132
Updating Windows Clients Automatically .......................................................................132
Updating Windows Client Manually .................................................................................132
Reconnecting Windows Clients to another Server ...........................................................133
Uninstalling Windows Clients ..............................................................................................133
About ....................................................................................................................................133
Client Uninstallation Key ...................................................................................................133
Uninstalling Windows Clients Remotely .........................................................................134
Uninstalling Windows Clients Locally..............................................................................134
Viewing Windows Clients .....................................................................................................135
Windows Client Description .................................................................................................135
Windows Client Configuration .............................................................................................136
About ....................................................................................................................................136
Protected Mode Parameter ..............................................................................................136
Automatic Client Update Parameter................................................................................136
Client Tray Icon Parameter ...............................................................................................136
Custom Path for Client Installation Folder Parameter ..................................................137
Offline Cache Size Parameter..........................................................................................137
User Activity Recording Parameters ...............................................................................137
Keystroke Logging Parameter..........................................................................................138
Start Monitoring on Keyword Parameter ........................................................................139
Detect system IDLE event Parameter ............................................................................139
Register IDLE event Parameter .......................................................................................139
Clipboard Monitoring Parameter ......................................................................................139
Monitoring Log Parameter ................................................................................................140
URL Monitoring Parameters .............................................................................................141
Application Filtering Parameters ......................................................................................142
User Filtering Parameters .................................................................................................144
Monitoring Time Filtering Parameters .............................................................................146
Forced User Authentication Parameter ..........................................................................147
Two-Factor Authentication Parameter ............................................................................148
Additional Message on User Login Parameter ..............................................................148
User’s Comment Parameter .............................................................................................148
Ticket Number Parameter .................................................................................................148
Editing Windows Client Configuration ................................................................................149
Viewing Windows Client Configuration ..............................................................................152
Forced User Authentication on Windows Clients .............................................................153
About ....................................................................................................................................153
Enabling Forced User Authentication on Windows Client ...........................................153
Granting User Permission to Log In ................................................................................154
Managing One-Time Passwords .....................................................................................154
About .................................................................................................................................154
Generating One-Time Password ..................................................................................155
Viewing One-Time Passwords......................................................................................156
Resending the Email ......................................................................................................157
Terminating One-Time Password Manually ...............................................................157
Logging In ............................................................................................................................158
Logging in Using Ekran System User Additional Credentials ..................................158
Logging in Using One-Time Password ........................................................................158
Requesting One-Time Password .................................................................................159
Login Approved by Administrator ........................................................................................159
About ....................................................................................................................................159
Approving User Access on Login ....................................................................................160
Defining Email Address for User Access Approval .......................................................160
Managing Restricted User List .........................................................................................160
Adding User to Restricted List ......................................................................................160
Deleting User from Restricted List ...............................................................................161
Logging In ............................................................................................................................161
Privileged User Accounts .....................................................................................................162
About ....................................................................................................................................162
Adding Privileged User ......................................................................................................162
Deactivating Privileged Account ......................................................................................163
Using Privileged Account ..................................................................................................163
Password Vault Configuration ..........................................................................................164
Informing about Monitoring ..................................................................................................165
About ....................................................................................................................................165
Enabling Displaying Additional Message .......................................................................165
Enabling User’s Comment Option ...................................................................................166
Enabling Displaying Client Tray Icon ..............................................................................166
Logging In ............................................................................................................................167
Integration with Ticketing Systems .....................................................................................167
About ....................................................................................................................................167
Enabling Ticket Number Option .......................................................................................168
Logging In ............................................................................................................................168
macOS Clients ............................................................................................................... 169
About .......................................................................................................................................169
Monitoring via macOS Clients .............................................................................................169
Installing macOS Client ........................................................................................................170
About ....................................................................................................................................170
Downloading macOS Client Installation File ..................................................................170
Installing macOS Clients ...................................................................................................170
Uninstalling macOS Clients .................................................................................................171
About ....................................................................................................................................171
Uninstalling macOS Clients Remotely ............................................................................171
Uninstalling macOS Clients Locally ................................................................................172
Viewing macOS Clients ........................................................................................................172
macOS Client Description ....................................................................................................173
macOS Client Configuration ................................................................................................173
About ....................................................................................................................................173
User Activity Recording Parameters ...............................................................................173
URL Monitoring Parameters .............................................................................................174
Linux Clients .................................................................................................................. 175
About .......................................................................................................................................175
Monitoring via Linux Clients .................................................................................................175
Installing Linux Client ............................................................................................................175
About ....................................................................................................................................175
Downloading Linux Client Installation File......................................................................175
Installing Linux Clients .......................................................................................................176
Uninstalling Linux Clients .....................................................................................................177
Viewing Linux Clients ............................................................................................................177
Linux Client Description ........................................................................................................178
Forced User Authentication on Linux Clients ....................................................................178
About ....................................................................................................................................178
Enabling Forced User Authentication on Linux Client ..................................................178
Granting the User Permission to Work with the Terminal............................................179
Launching the Terminal .....................................................................................................179
Two-Factor Authentication for Windows Clients ...................................................... 180
About ....................................................................................................................................180
Allowing User to Log In .....................................................................................................180
Deleting User from the List ...............................................................................................181
Enabling Two-Factor Authentication ...............................................................................182
Logging in Using Time-Based One-Time Password ....................................................182
User Blocking ................................................................................................................ 183
About .......................................................................................................................................183
Blocking User from Live Session ........................................................................................183
Blocking User from Finished Session ................................................................................184
Blocking User on Alert Triggering .......................................................................................185
Blocking User on Client with Secondary Authentication .................................................185
Blocked User List ...................................................................................................................185
Viewing Blocked User List ................................................................................................186
Removing User from Blocked User List..........................................................................186
Client Group Management ........................................................................................... 187
About .......................................................................................................................................187
Adding Client Groups ............................................................................................................187
Editing Client Groups ............................................................................................................188
Adding Clients to Groups .....................................................................................................188
Adding Clients to Groups during Client Group Editing .................................................188
Adding Clients to Groups during Client Editing .............................................................188
Applying Group Settings to Client .......................................................................................189
Removing Clients from Groups ...........................................................................................190
Removing Clients from Groups during Client Group Editing .......................................190
Removing Clients from Groups during Client Editing ...................................................190
Deleting Client Groups..........................................................................................................190
Alerts ............................................................................................................................... 192
About .......................................................................................................................................192
Viewing Alerts ........................................................................................................................192
Default Alerts ..........................................................................................................................193
Alerts Management ...............................................................................................................193
Adding Alerts .......................................................................................................................193
Rules ....................................................................................................................................196
About .................................................................................................................................196
Rule Examples ................................................................................................................199
Enabling/Disabling Alerts ..................................................................................................205
Editing Alerts .......................................................................................................................205
Editing Single Alert .........................................................................................................205
Editing Multiple Alerts.....................................................................................................206
Assigning Alerts to Clients ................................................................................................206
Assigning Alerts to Clients during Alert Editing ..........................................................206
Assigning Alerts to Clients during Editing Multiple Alerts .........................................206
Assigning Alerts to Clients during Client/Client Group Editing ................................207
Exporting and Importing Alerts .........................................................................................207
Exporting Alerts ...............................................................................................................207
Importing Alerts ...............................................................................................................207
Deleting Alerts ....................................................................................................................208
Defining Global Alert Settings..............................................................................................208
Receiving Information on Alert Events ...............................................................................209
Advanced Reports......................................................................................................... 210
About .......................................................................................................................................210
Report Types ..........................................................................................................................210
Scheduled Reports ................................................................................................................212
About ....................................................................................................................................212
Adding Report Rules..........................................................................................................213
Editing Report Rules ..........................................................................................................214
Deleting Report Rules .......................................................................................................214
Generating Reports from the Scheduled Report Rule .................................................214
Frequency and Time Interval for Report Creation ........................................................215
Viewing Logs .......................................................................................................................216
Report Generator ...................................................................................................................217
About ....................................................................................................................................217
Report Parameters .............................................................................................................217
Generating Report..............................................................................................................217
Creating a Scheduled Report Rule from the Report Generator Page .......................218
USB Monitoring & Blocking ......................................................................................... 220
About .......................................................................................................................................220
Monitored Devices .................................................................................................................220
Kernel-Level USB Monitoring Rules ...................................................................................222
About ....................................................................................................................................222
Adding USB Monitoring Rules..........................................................................................223
Editing USB Monitoring Rules ..........................................................................................224
Deleting USB Monitoring Rules .......................................................................................225
Defining Exceptions for USB Rules .................................................................................225
Viewing Device Hardware ID............................................................................................226
Configuration ................................................................................................................. 227
Defining Email Sending Settings .........................................................................................227
Defining Player Link Settings ...............................................................................................228
Defining System Settings .....................................................................................................228
Defining SIEM Logs ..............................................................................................................228
Defining Ticketing System Integration Settings ................................................................229
Defining LDAP Targets .........................................................................................................230
About ....................................................................................................................................230
Automatic LDAP Target ....................................................................................................230
Adding LDAP Target Manually .........................................................................................230
Editing LDAP Target ..........................................................................................................231
Deleting LDAP Target........................................................................................................231
Defining Date & Time Format ..............................................................................................231
Defining Server Settings .......................................................................................................232
Viewing Monitoring Results ......................................................................................... 233
Session List ............................................................................................................................233
About ....................................................................................................................................233
Client Sessions List............................................................................................................233
Filtering Sessions ...............................................................................................................234
Filtering by Specific Parameters ...................................................................................234
Searching in the Session Data .....................................................................................235
Export Sessions..................................................................................................................236
Sorting Sessions ................................................................................................................236
Playing Sessions ...................................................................................................................236
About ....................................................................................................................................236
Session Viewer Interface ..................................................................................................237
Session Player ....................................................................................................................237
Magnifier ..............................................................................................................................238
Getting Data URL ...............................................................................................................238
Metadata Grid .....................................................................................................................239
Player and Metadata Synchronization ............................................................................240
Filtering Data .......................................................................................................................240
Sorting Data ........................................................................................................................241
Live Sessions .........................................................................................................................241
Windows Client Sessions .....................................................................................................242
Playing Windows Sessions ...............................................................................................242
Viewing Keystrokes............................................................................................................242
Viewing Clipboard Text Data ............................................................................................243
Viewing USB Device Info ..................................................................................................244
Viewing URLs .....................................................................................................................245
Viewing Idle State ..............................................................................................................245
macOS Client Sessions ........................................................................................................246
Playing macOS Sessions..................................................................................................246
Viewing URLs .....................................................................................................................246
Linux Client Sessions............................................................................................................247
Playing Linux Sessions .....................................................................................................247
Filtering EXEC Commands ...............................................................................................247
Viewing Alerts ........................................................................................................................248
About ....................................................................................................................................248
Alert Viewer Interface ........................................................................................................248
Using Alert Viewer..............................................................................................................249
Archived Sessions .................................................................................................................250
About ....................................................................................................................................250
Changing Investigated Database ....................................................................................250
Viewing Archived Sessions ..............................................................................................250
Dashboards .................................................................................................................... 251
About .......................................................................................................................................251
Dashboard Types ..................................................................................................................251
Licenses ...............................................................................................................................251
Clients ..................................................................................................................................252
Database Usage Storage..................................................................................................253
Recent Alerts ......................................................................................................................254
Latest Live Sessions ..........................................................................................................255
Sessions out of Work Hours .............................................................................................255
Rarely Used Computers ....................................................................................................256
Rarely Used Logins............................................................................................................257
Customizing Dashboards .....................................................................................................258
Interactive Monitoring................................................................................................... 259
About .......................................................................................................................................259
Viewing Data ..........................................................................................................................259
Applications Monitoring Chart ..............................................................................................259
URL Monitoring Chart ...........................................................................................................260
Forensic Export ............................................................................................................. 261
About ....................................................................................................................................261
Exporting Session Fragment ............................................................................................261
Exporting Full Session .......................................................................................................261
Exporting Multiple Sessions .............................................................................................262
Viewing Forensic Export History ......................................................................................262
Playing Exported Session .................................................................................................263
Validating Exported Data ..................................................................................................264
Troubleshooting ............................................................................................................ 265
Quick Access to Log Files ....................................................................................................265
Database/Server ....................................................................................................................265
Database/Server Related Issues .....................................................................................265
Database/Server Related Error Messages ....................................................................266
Management Tool..................................................................................................................268
Management Tool Related Issues ...................................................................................268
Management Tool Error Messages .................................................................................271
Viewing Monitored Data ....................................................................................................271
Windows Client ......................................................................................................................273
Checking that the Client Is Installed ................................................................................273
Clients Installation/Uninstallation Issues and Error Messages ...................................275
Possible Problems with Receiving Data from Clients ..................................................280
Possible USB Monitoring Problems ................................................................................281
Linux Client .............................................................................................................................281
Possible Problems with Receiving Data from Clients ..................................................281
Checking the State of the Linux Client............................................................................282
Restarting Linux Client ......................................................................................................282
Appendix ........................................................................................................................ 283
Default Alerts ..........................................................................................................................283
Fraud Activity ......................................................................................................................283
Data Leakage......................................................................................................................284
Potentially Illicit Activity .....................................................................................................285
Not Work-related Activity ..................................................................................................286
Standard and Enterprise Edition Comparison Chart........................................................288
About
Welcome to Ekran System!
Ekran System is an application that allows you to record the activity of the target computers
with installed Clients and to view the screenshots from these computers in the form of video.
System Requirements
Each Ekran System component has its own system requirements. Make sure your hardware and
software meet the following requirements to avoid component malfunctions.
Server requirements:
2 GHz or higher CPU
4GB or more RAM
Enterprise-level Ethernet card
Minimum 1 Gbit/s network adapter
Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64 platform)
Universal C Runtime and Visual C++ Runtime (starting with Ekran System 5.5). Both can
be installed via the Microsoft Visual C++ 2015 Redistributable:
https://www.microsoft.com/en-gb/download/details.aspx?id=48145
NOTE: The Universal C Runtime needs to be initially installed via update KB2999226:
https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows
.Net Framework 4.5.2 or higher
NOTE: If the Server and the Management Tool are to be installed on the same
computer, make sure you turn on the Internet Information Service before the
installation of .Net Framework 4.5.2.
[When using MS SQL Database]: Full edition of MS SQL Server 2008R2 SP1 or higher.
Standard license or higher is required.
NOTE: If you want to deploy the Ekran System in the High Availability mode, enabled
Message Queueing and configured NLB cluster are required. Please refer to the High
Availability Deployment Guide for more information.
Mozilla Firefox 32 or higher
Internet Explorer 10 or higher
Safari S6 and Safari S5
Opera 15 or higher
NOTE: The Management Tool might be opened in other browsers, but its compatibility with
other browsers is not guaranteed.
Distributor: openSUSE
Base OS Versions Supported: SUSE Linux Enterprise Server 11 (SP2, SP3, SP4), 12 (SP1, SP2, SP3)
NOTE: When the Client is installed to the terminal server, hardware requirements depend on
the number of active user sessions and may increase drastically. For example, hardware
requirements for the Client deployed on the terminal server hosting 10 active user sessions
will be as follows:
Intel Core i3 or similar AMD CPU
2048 MB RAM
Program Structure
Ekran System is an application specially designed to control user activity remotely.
Ekran System Server (further referred to as Server): It is the main part of the Ekran
System used for storing the screenshots and associated information received from the
Clients. The work of the Server can be started or stopped via Server Tray.
Ekran System Windows Clients (further referred to as Windows Clients): Being hosted
on the remote computers, Windows Clients create screenshots with the defined
frequency and send them to the Server along with metadata information such as user
name, host name, activity time, active window titles, application names, URL addresses,
clipboard text data, keystrokes, etc. Managing the remote Windows Clients
configuration and settings is performed via the Management Tool.
Ekran System macOS Clients (further referred to as macOS Clients): Being hosted on
the remote computers, macOS Clients create screenshots with the defined frequency
and send them to the Server along with metadata information such as user name, host
name, activity time, active window titles, application names, URL addresses, etc.
Managing the remote macOS Clients configuration and settings is performed via the
Management Tool.
Getting Started
Deployment Process
The Ekran System installation consists of several steps:
1. Installing the Server: To deploy the system, first of all you need to install the Server. The
Server is used to store and process all records sent by the Clients hosted on the remote
computers. During the Server installation you can select the type of the database and define
administrator credentials.
NOTE: You can deploy the Ekran System in the High Availability mode, which allows you
to work with multiple Server instances in the Network Load Balancer cluster. This would
provide a high level of operational performance, which allows minimizing downtime and
service interruptions. Please refer to the High Availability Deployment Guide for more
information.
2. Completing Management Tool installation prerequisites: To install and run the Management
Tool, you need to turn on the Internet Information Service on your computer, add the self-
signed or trusted certificate to the Trusted Root Certification Authorities and set HTTPS
binding for a default web site (or any other IIS site).
3. Installing the Management Tool: The Management Tool is used to manage Users, Clients,
Alerts, and Database, as well as to view the monitored data received from Clients.
Connection with the Server is required for the Management Tool to operate.
4. Activating serial keys (adding activated serial keys): To be able to receive data from the
Clients, you need to license the Clients by activating purchased serial keys. You can also
activate an Enterprise serial key to get access to the enterprise features of Ekran System
for an unlimited period of time.
5. Installing Clients:
Installing Windows Clients: The Windows Clients are usually installed remotely via the
Management Tool. A Windows Client can be installed on any computer in the network.
Please note that several conditions have to be met for successful remote Client
installation.
Installing macOS Clients: The macOS Clients are installed locally.
Installing Linux Clients: The Linux Clients are installed locally.
6. Installing the Tray Notifications application: The Tray Notifications application can be
installed on any computer; as long as there is a connection to the Server, the Tray
Notifications application displays notifications on all alert events received from Clients.
For more information, see the Tray Notifications application help file.
After installing all the system components, Ekran System is considered deployed and all its
features become available.
Server and Database
NOTE: The High Availability mode is available only if you have an activated Enterprise serial
key.
Serial key types
Standard mode: one of the following serial keys: Permanent, Trial, Update and support
High Availability mode: an Enterprise serial key and one of the following keys: Permanent, Trial, Update and support
17. In Windows Firewall, you must allow the Server executable to accept TCP connections
via ports 9447 and 9449 (for the connection between the Server and the Clients), and
22713 (for the connection between the Server and the Management Tool). These
rules will be added to Windows Firewall automatically if Windows Firewall is enabled
during the Server installation.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
15. On the Security page, select the Password option and enter the password in the Password
and the Confirm password fields. Click Next.
NOTE: Make sure that you remember the password since you will need it when restoring
the certificate or transferring it to another server.
16. On the File to Export page, specify the location to store the certificate and the certificate
name manually or click Browse, and click Next.
17. On the Completing the Certificate Export Wizard page, click Finish.
NOTE: You will need the certificate for reinstalling the Server, moving it to another
computer, or creating the High Availability cluster.
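The same password-protected export as steps 15 to 17, done from PowerShell. This is an added example, not part of the Ekran System help file; it assumes the Master Certificate sits in the Local Computer Personal store and that its subject contains "Ekran" (adjust the filter and the backup path to your installation).

```powershell
# Added example (not from the help file): back up the Ekran Master Certificate
# as a password-protected PFX from the Local Computer store (steps 15-17 above).
# Run in an elevated PowerShell on the Server host.

$pfxPath = 'C:\Backup\EkranMasterCertificate.pfx'   # assumed backup location

# Assumption: the certificate lives in Cert:\LocalMachine\My and its subject
# contains 'Ekran'. Change the filter to match the real subject if it differs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*Ekran*' } |
    Select-Object -First 1

if (-not $cert) {
    throw 'Ekran Master Certificate not found in Cert:\LocalMachine\My'
}
# A backup without the private key cannot be used to reinstall or move the Server.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key in this store; the export would be useless for restore'
}

# The password is required again when restoring the certificate or moving it
# to another server (see the NOTE after step 15), so store it with the backup policy.
$pfxPassword = Read-Host -AsSecureString 'PFX password'

New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Verify the file opens with that password and still carries the private key.
$check = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$check.EndEntityCertificates |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```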
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules
and select New rule.
6. On the Program page, select This program path, then click Browse and navigate to
the Server executable. The default path is
"C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe". Click Next.
7. On the Action page, select Allow the connection and then click Next.
8. On the Profile page, select the profile of the network used for connecting remote
computers and the Server. Click Next.
9. On the Name page, define the Name of the rule. Click Finish.
10. The rule is created for the Server application. By default, the rule allows any
connections via all ports.
11. To define the protocol and ports, double-click the created rule. The Properties
window opens.
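The inbound rules from the procedure above, created with PowerShell instead of the wizard and scoped to the executable and the documented TCP ports from the start, so no rule is left at the wizard's default of "any connections via all ports". This is an added example, not code from the Ekran System help file; the executable path and ports are the ones given in the help file, the rule names and the Domain network profile are assumptions.

```powershell
# Added example (not from the help file): create the Server's inbound firewall
# rules with New-NetFirewallRule and verify the port scope that was applied.
# Run in an elevated PowerShell on the Server host (Windows Server 2012 or later).

# Default Server path from the help file.
$serverExe = 'C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe'

# Ports from the help file: 9447/9449 for the Clients, 22713 for the Management Tool.
# Rule names are assumed; pick names that fit your own naming convention.
$rules = @(
    @{ Name = 'Ekran Server - Clients';         Ports = @('9447', '9449') },
    @{ Name = 'Ekran Server - Management Tool'; Ports = @('22713') }
)

foreach ($r in $rules) {
    # Scope each rule to the executable AND to TCP on the listed ports, which is
    # what steps 10-11 above achieve by editing the rule after the wizard.
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound -Action Allow -Enabled True `
        -Program $serverExe -Protocol TCP -LocalPort $r.Ports `
        -Profile Domain | Out-Null   # assumption: Server is on the Domain profile
}

# Verify: show each rule together with the protocol/port filter actually in force.
# A rule whose LocalPort reads 'Any' is still at the wizard's all-ports default.
Get-NetFirewallRule -DisplayName 'Ekran Server - *' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Protocol  = $portFilter.Protocol
        LocalPort = ($portFilter.LocalPort -join ',')
    }
}
```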
Server Tray
The Server Tray application informs you about the Server state. This application is installed on
the computer where the Server is installed.
It also automatically restarts the Server in case of its failure. The first three times the restart is
performed automatically. The user is informed about the Server failure in the notification area.
If the Server fails for the fourth time, it does not restart.
You can start/stop the Server or hide the icon from the notification area.
Database Management
About
Database management is performed via the Management Tool by the user with the
administrative Database management permission. During the database management process
you can delete monitoring data, delete offline or uninstalled Clients, shrink the database
depending on its type, and enable using the password vault.
NOTE: The Archiving & Cleanup option is available only if you have an activated Enterprise
serial key.
You can configure the cleanup execution frequency as follows:
Cleanup Parameters
The following parameters are available for the cleanup operation:
Leave sessions in database (days): Sessions stored in the database longer than the defined
period of time will be deleted during the cleanup process.
Client exceptions: The Clients whose monitoring data will not be deleted during the cleanup
process. They are added on the Adding Exceptions page.
Parameters applied to the Archiving & Cleanup operation for the Firebird database type:
Binary data location: In case the binary data is stored separately, you have to define the
binary data folder location.
Parameters applied to the Archiving & Cleanup operation for the MS SQL database type:
User name and Password: Credentials of the user with access to the database.
One-Time Cleanup
To delete data from the Server once, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archiving & Cleanup Options tab.
4. In the Frequency section, select the Run once option.
5. On the Archiving & Cleanup Options tab, in the Settings section, in the Action type
drop-down list, select the Cleanup option to delete the monitored data from the database or
the Archive & Cleanup option to archive and then delete the monitored data.
6. Define the necessary parameters.
NOTE: To check the connection with the archive database before the Archiving & Cleanup
operation starts, click Test Database Connection in the Archive parameters section.
7. To select the Clients whose monitoring data will not be deleted during the cleanup
process, click Add Exceptions.
8. On the Adding Exceptions page, select the necessary Clients and then click Add
selected. Use filters to find a specific Client.
9. When all cleanup settings are defined, click Save.
10. The cleanup process starts.
Scheduled Cleanup
To delete data from the Server on schedule, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archiving & Cleanup Options tab.
4. In the Frequency section, select the Repeat by scheduler option.
5. Define the following options:
Perform every (days): The frequency of the cleanup operation.
Start database cleanup at: The time to execute the cleanup operation.
6. On the Archiving & Cleanup Options tab, in the Settings section, in the Action type
drop-down list, select the Cleanup option to delete the monitored data from the database or
the Archive & Cleanup option to archive and then delete the monitored data.
4. On the Editing Client page, on the Properties tab, click Delete Client.
5. In the confirmation message, click Delete.
6. The Client is deleted.
5. The Client Deletion from Database page opens. It contains all Clients that can be deleted.
NOTE: Only offline and uninstalled Clients are displayed in the list.
6. Select the needed Clients from the list and then click Next. To find a specific Client, enter its
name in the Contains box and click Apply Filters.
7. When all Clients are selected, click Delete on the Client Deletion from Database page.
8. The Clients are deleted from the Server (with all captured sessions) and disappear from the
Management Tool.
3. In the SQL Management Studio, detach the Ekran databases (select the database and in its
context menu, select Task > Detach). Default names of the databases are EkranActivityDB
and EKRANManagementDatabase.
4. Navigate to the location where the Ekran databases are stored. The default location is
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
5. Move the following files to another location: EkranAlphaActivityDB,
EKRANManagementDatabase, EkranAlphaActivityDB_log, and
EKRANManagementDatabase_log.
6. In the SQL Management Studio, reattach the Ekran databases as follows:
In the context menu of the Database partition, click Attach.
In the opened Attach Databases window, click Add and select the moved database.
Click OK.
7. The Database location is changed. Start the EkranServer service to continue working with
the program.
To change the location for the Server Firebird database, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem
key.
4. Find the Database values (Database and ManagedDatabase) and see where the Database
files are located on your computer.
Managed Database: Enter the path to the folder with Ekran database in its new location
and then click OK.
7. The Database location is changed. Start the EkranServer service to continue working with the
program.
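The registry-driven relocation above can be scripted so that the stop, move, registry update and restart happen in one pass and the script refuses to continue if a registry value does not point at an existing file. This is an added example, not a script from the Ekran System help. It assumes that the Database and ManagedDatabase values under HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem hold full paths to database files (if your installation stores folder paths there, adjust the Move-Item step accordingly); the destination folder is supplied by you.

```powershell
# Added example, not from the help file: relocate the Firebird database files and update
# the registry values the procedure above names (Database and ManagedDatabase under
# HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem). Assumption: each value holds the full path of
# a database file; $NewFolder is the destination you choose.
param([Parameter(Mandatory)][string]$NewFolder)

$RegPath = 'HKLM:\SOFTWARE\EkranSystem'
$Service = 'EkranServer'
$Values  = 'Database', 'ManagedDatabase'

# Step 1: stop the Server before touching its database files.
Stop-Service -Name $Service
(Get-Service -Name $Service).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Steps 3-4: read the current locations from the registry and check they exist.
$current = Get-ItemProperty -Path $RegPath -Name $Values
foreach ($name in $Values) {
    $oldPath = $current.$name
    if (-not (Test-Path -LiteralPath $oldPath -PathType Leaf)) {
        throw "Registry value '$name' does not point to an existing database file: '$oldPath'"
    }
}

New-Item -ItemType Directory -Path $NewFolder -Force | Out-Null

# Move each file and point its registry value at the new location.
foreach ($name in $Values) {
    $oldPath = $current.$name
    $newPath = Join-Path -Path $NewFolder -ChildPath (Split-Path -Path $oldPath -Leaf)
    Move-Item -LiteralPath $oldPath -Destination $newPath
    Set-ItemProperty -Path $RegPath -Name $name -Value $newPath -Type String
}

# Step 7: start the Server again and show the values it will now use.
Start-Service -Name $Service
Get-ItemProperty -Path $RegPath -Name $Values | Select-Object $Values
```

Because the registry is only rewritten after each file has been moved successfully, a failed move leaves the old value in place and the Server can still be started against the original location.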
7. On the computer the MS SQL database is moved to, log in to the SQL Management Studio
as a user with the administrative permissions and attach the Ekran databases as follows:
In the context menu of the Database partition, click Attach.
In the opened Attach Databases window, click Add and select the uploaded
database.
Click OK.
8. Uninstall the Server on the original computer.
9. Install the Server:
If you are reinstalling the Server on the original computer, select the MS SQL
database, configure the connection to the moved database, and confirm its usage.
If you are installing the Server on the computer with the moved database, do the
following:
- Copy the certificates from the Server installation folder on the original computer.
- Reinstall all Clients.
- Contact the support team at support@ekransystem.com to change the HWID
associated with your serial keys to a new one.
10. The Database location is changed. Start the EkranServer service to continue working with
the program.
4. To access binary data in the shared folder on a different computer from your Server, it is
recommended to do the following:
Open Computer Management.
In the Computer Management window, open Services and Applications > Services.
In the Services pane, find the EkranServer service and select Properties in the context
menu.
In the EkranServer Properties window navigate to the Log On tab.
In the Log On tab, select the This account option, specify the credentials for the
EkranServer service to start under, and click Apply. Make sure the user with the
specified credentials has administrator permissions on your Server computer and full
access to the shared folder on the different computer.
Restart the service.
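The Log On change above can be done from PowerShell, with one useful addition: the script first checks that the chosen account can really open the shared folder before the service is switched to it, so a permissions mistake surfaces as an error rather than as a Server that starts but cannot reach its binary data. This is an added example, not a script from the Ekran System help; the share path and the account are placeholders you supply, and the account must have the permissions the text requires (administrator on the Server computer, full access to the share) plus the "Log on as a service" right.

```powershell
# Added example, not from the help file: set the account the EkranServer service logs on
# with (the Log On tab steps above) from PowerShell, after checking that the account can
# actually reach the binary-data share. Share path and account are placeholders.
param(
    [Parameter(Mandatory)][string]$SharePath,            # e.g. \\fileserver\EkranBinaryData (placeholder)
    [Parameter(Mandatory)][pscredential]$ServiceAccount  # DOMAIN\svc-ekran, entered via Get-Credential
)
$Service = 'EkranServer'

# Probe the share as the service account: a background job started with -Credential runs
# under that identity, so a failed Test-Path means the account lacks access to the share.
$job = Start-Job -Credential $ServiceAccount -ArgumentList $SharePath -ScriptBlock {
    param($Path) Test-Path -LiteralPath $Path
}
$canReach = Receive-Job -Job $job -Wait -AutoRemoveJob
if (-not $canReach) {
    throw "$($ServiceAccount.UserName) cannot reach $SharePath; fix share/NTFS permissions first"
}

# Change the service logon identity (equivalent of Log On > This account > Apply).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $ServiceAccount.UserName
    StartPassword = $ServiceAccount.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change returned $($result.ReturnValue) (0 = success)"
}

# Restart the service so the new identity takes effect, then confirm who it runs as.
Restart-Service -Name $Service
Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'" |
    Select-Object Name, StartName, State
```

Collect the credential with Get-Credential rather than typing the password into the script, so it never lands in the shell history or a file.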
Calculating hash codes for monitoring data: in this case, the hash codes will be
calculated for each screenshot and metadata record received from Windows Clients.
Signing monitoring data with certificate: in this case, each screenshot and metadata
record received from Windows Clients will be signed with the trusted certificate.
NOTE: If both types of validation are enabled, only signing monitoring data with certificate
will be used.
After validation of monitoring data is enabled or the validation type is changed, all previously
recorded sessions of Windows Clients will be considered invalid.
With enabled validation of the monitoring data, the integrity of monitoring data within a
Windows Client session is checked on the session opening via the Session Player. If some
screenshots or metadata records have been deleted or modified, the warning message
“Session data is not valid!” will be displayed in the Session Player.
NOTE: When the validation of monitoring data is enabled, the CPU usage will rise while
viewing the Client sessions in the Session Player.
NOTE: After validation of monitoring data is enabled, screenshots of existing sessions that
were not viewed before will not be shown.
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press
Enter.
2. In the opened User Account Control window, click Yes.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer: (the computer this console is
running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, find the Personal node.
9. In the context menu of the Personal node, select All Tasks > Import.
13. If required, on the Private key protection page, enter the password for the private key and
then click Next.
15. On the last page of the Certificate Import Wizard, click Finish, and then click OK in the
confirmation message.
16. Select Certificates (Local Computer) > Personal > Certificate and double-click the imported
certificate.
17. In the Certificate window, select Details > Thumbprint and then copy the Thumbprint
value.
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem
key.
4. Select Edit > New > String Value and add a new value:
Value name: SignMonitoredDataCert
Value data: <copied Thumbprint value of the imported certificate (without spaces)>
5. Start the EkranServer service to continue working with the program.
If you want to move the Ekran database whose monitoring data is signed with certificate to the
new computer, you have to do the following:
Step 1. On the Ekran Server computer, export the certificate used for signing the monitoring
data, copy it to the new computer, and then import it.
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press
Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer: (the computer this console is
running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select the trusted certificate used for signing the monitoring data in the database and in its
context menu select All Tasks > Export.
14. On the File to Export page, specify the location to store the certificate and the certificate
name manually or click Browse, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish.
16. Copy the exported certificate to a suitable location on the new computer and then import
it.
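Both certificate procedures in this section, importing the signing certificate and writing its thumbprint into SignMonitoredDataCert, and exporting it with its private key so it can follow the database to a new computer, can be done from PowerShell. The following is an added example, not a script from the Ekran System help. It reads the thumbprint from the certificate store, which already returns it without the spaces shown in the Certificate window; the .pfx path and password are placeholders you supply.

```powershell
# Added example, not from the help file: Export-SigningCert runs on the current Ekran
# Server computer, Import-SigningCert on the new one. Both use the store shown in the
# text (Certificates (Local Computer) > Personal) and the registry value
# SignMonitoredDataCert under HKLM\SOFTWARE\EkranSystem. Paths and passwords are
# placeholders; the thumbprint comes from the store, so it has no spaces.
$RegPath  = 'HKLM:\SOFTWARE\EkranSystem'
$StoreLoc = 'Cert:\LocalMachine\My'

function Export-SigningCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Accept a thumbprint copied from the Certificate window (with spaces) or from the store.
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StoreLoc | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "No certificate with thumbprint $wanted in $StoreLoc" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; it cannot sign data' }
    # Private key included and protected by the password (Security page of the export wizard).
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $cert.Thumbprint
}

function Import-SigningCert {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    Stop-Service -Name EkranServer
    # Certificate (with private key) goes into Personal of the Local Computer store.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StoreLoc -Password $Password
    # Registry step 4: thumbprint without spaces as a string value.
    Set-ItemProperty -Path $RegPath -Name 'SignMonitoredDataCert' -Value $cert.Thumbprint -Type String
    Start-Service -Name EkranServer
    return (Get-ItemProperty -Path $RegPath -Name 'SignMonitoredDataCert').SignMonitoredDataCert
}

# Usage (placeholders): on the old computer, then on the new one after copying the .pfx.
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# Export-SigningCert -Thumbprint '<thumbprint>' -PfxPath 'D:\transfer\ekran-signing.pfx' -Password $pw
# Import-SigningCert -PfxPath 'D:\transfer\ekran-signing.pfx' -Password $pw
```

Keep the exported .pfx on a medium you control and delete it after the import: it holds the key that makes recorded sessions verifiable, so anyone holding it could produce data the Session Player accepts as valid.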
When SIEM integration is enabled, the log file will be created on the Ekran Server computer. By
default, the log file name is EventLog and it is stored in the Server installation folder.
NOTE: The Advanced SIEM Integration functionality is available only if you have an activated
Enterprise serial key.
Client events
Device Event Class ID = 300; Name = EkranMTLogEvent; Cat = MTLogEvents (EventID = 300;
cat = MTLogEvents). Contains: Management Log entry ID, time, Ekran System username, user
groups, category, action, object, details.
Log Cleanup
Depending on the defined log cleanup settings, the cleanup operation is performed either
daily at a specified time or every few days, hours, or minutes. During the log cleanup operation
the current log file is renamed (the date and time of the cleanup operation are added to its
name) and a new one is created in the same folder. If a log file reaches its maximum size
before the cleanup start time, it is also renamed.
NOTE: To avoid running out of space on the computer where the log files are stored, it is
recommended to check the used disk space periodically and delete the log files that are no
longer in use.
Management Tool
About
The Management Tool is the component for managing the whole system and viewing
monitored data received from Clients. It can be installed on any computer, but a network
connection to the Server is required for the Management Tool to operate. There can be several
computers with the installed Management Tool in the system. The work with the Management
Tool is performed via your browser.
5. Click OK.
To turn on the Internet Information Service for Windows Server 2012 using Windows
PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and press Enter:
Install-WindowsFeature Web-Server, Web-Mgmt-Tools
To turn on the Internet Information Service for Windows Server 2012 using Server Manager,
do the following:
1. In the Start menu, select Server Manager.
2. In the navigation pane, select Dashboard, then click Manage > Add roles and features.
6. On the Server Selection page, select Select a server from the server pool, select your server
from the Server Pool list, and then click Next.
7. On the Server Roles page, select Web Server (IIS), click Next and then click Add Features to
start configuring Web Server (IIS).
Windows 8: Make sure that all the following options are selected in the Windows Features
window and then click OK:
    .NET Framework 3.5 and .NET Framework 4.5 Advanced Services;
Windows 7: Make sure that all the following options are selected in the Windows Features
window and then click OK:
    Internet Information Services > Web Management Tools > IIS Management Console;
Windows Server 2008:
    3. In the Add Roles Wizard window, on the Role Services page, make sure that the
    following options are selected:
        Common HTTP Features > Static Content;
        Application Development > ASP.NET.
Windows Server 2012:
    1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure
    that the Web Server (IIS) option is selected and then click Next.
    2. On the Features page, make sure that the following options are selected:
        .NET Framework 3.5 Features (Installed) > .NET Framework 3.5;
        .NET Framework 4.5 (Installed) > ASP.NET 4.5.
    3. Click Next.
    4. On the Web Server Role IIS page, click Next.
    5. On the Role Services page, select the ASP.NET 4.5 option (under Application
    Development).
Windows Server 2016:
    1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure
    that the Web Server (IIS) option is selected and then click Next.
    2. On the Features page, make sure that the following options are selected:
        .NET Framework 3.5 Features > .NET Framework 3.5;
        .NET Framework 4.6 Features > .NET Framework 4.6 and ASP.NET 4.6.
    3. Click Next.
    4. On the Web Server Role IIS page, click Next.
    5. On the Role Services page, select the ASP.NET 4.6 option (under Application
    Development).
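On Windows Server 2012 and 2016 the role, features and role services listed above can be installed in a single Install-WindowsFeature call and then verified. The following is an added example, not a script from the Ekran System help; the feature names are the Windows ones that correspond to the items in the table (on Server 2016 the ASP.NET 4.6 items are delivered by the same Web-Asp-Net45 and NET-Framework-45-ASPNET features).

```powershell
# Added example, not from the help file: install only what the table above requires and
# report the state afterwards. Feature names are Windows Server feature names.
$Required = @(
    'Web-Server',               # Web Server (IIS)
    'Web-Static-Content',       # Common HTTP Features > Static Content
    'Web-Asp-Net45',            # Application Development > ASP.NET 4.5 (ASP.NET 4.6 on Server 2016)
    'NET-Framework-45-ASPNET',  # .NET Framework 4.5/4.6 Features > ASP.NET
    'NET-Framework-Core',       # .NET Framework 3.5 Features > .NET Framework 3.5
    'Web-Mgmt-Console'          # Web Management Tools > IIS Management Console
)

Import-Module ServerManager

$missing = Get-WindowsFeature -Name $Required | Where-Object { -not $_.Installed }
if ($missing) {
    # NET-Framework-Core (.NET 3.5) has no local payload on a default install; if this call
    # fails for it, add -Source pointing at the \sources\sxs folder of the installation media.
    $result = Install-WindowsFeature -Name $missing.Name
    if (-not $result.Success) {
        throw "Feature installation failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before IIS is fully functional.'
    }
}

# Final state of every required feature; all rows should show Installed = True.
Get-WindowsFeature -Name $Required | Format-Table Name, Installed, InstallState -AutoSize
```

Installing only the listed features, rather than the whole Web Server role with all role services, keeps the IIS surface exposed by the Management Tool host to what the application actually needs.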
Using Certificates
Generating Self-Signed Certificate
To generate a self-signed certificate on the computer on which you will install the
Management Tool, do the following:
1. Open the Internet Information Service Manager:
For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications >
Internet Information Services (IIS) Manager.
For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr
in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information
Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server
Certificates item under the IIS category.
3. The certificate is exported and can be added to the Trusted Root Certification Authorities.
Importing Trusted Certificate
To import a purchased certificate issued for the computer, do the following:
1. Open the Internet Information Service Manager:
For Windows 8 or Windows 7: Open Computer > Manage > Services and
Applications > Internet Information Services (IIS) Manager.
For Windows Server 2012 or 2008: Press Windows+R, enter inetmgr in the Run
window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet
Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server
Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Import.
5. In the Import Certificate window, click the Browse button to browse for the file of the
purchased certificate and enter its password in the Password field.
6. Click OK.
7. The certificate is imported and displayed on the Server Certificates pane of the Internet
Information Services (IIS) Manager.
To add the certificate to the Trusted Root Certification Authorities, do the following:
1. Press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the opened Add or Remove Snap-ins window, select Certificates > Add.
5. In the opened Certificates snap-in window, select Computer account and click Next.
6. In the opened Select Computer window, select Local computer: (the computer this console
is running on) and click Finish.
10. In the context menu of the Trusted Root Certification Authorities node, select All Tasks >
Import.
13. On the File to Import page, click Browse to find the certificate to be imported and then click
Next.
14. On the Private key protection page, enter the certificate password and then click Next.
16. On the last page of the Certificate Import Wizard, click Finish.
17. In the confirmation message, click OK.
18. The certificate is imported and is displayed in the Console window in the Certificates node.
Please note that the Issued To field contains the name of the computer on which the
Management Tool will be installed in the format that will be used when opening the
Management Tool.
7. If there is no binding of HTTPS type in the Site Bindings window, click Add.
8. The Edit Site Binding window opens.
9. In the Type box, select https.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Connection Settings page, do the following and then click Next:
In the Server address box, enter the name or IP address of the computer on which
the Server is installed.
In the URL address field enter the folder where the Management Tool will be
located within IIS. This URL will be used when opening the Management Tool.
5. On the Choose Install Location page, enter the destination folder in the corresponding
field or click Browse and in the Browse For Folder window, define the destination
folder. Click Install.
6. The installation process starts. Its progress is displayed on the Installing page.
7. After the end of the installation process, click Close to exit the wizard.
8. The Management Tool is displayed in the Internet Information Services (IIS) Manager as an
application of the Default Web Site or of any other site that has an HTTPS binding.
9. Now you can open the Management Tool via your browser from the same computer
or a remote one.
To adjust Firewall on the computer where the Management Tool is installed, do the
following:
1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules
and select New rule.
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Predefined and then select Secure World Wide Web
Services (HTTPS) in the list. Click Next.
6. On the Predefined Rules page, select the World Wide Web Services (HTTPS Traffic-In)
option. Click Next.
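The Management Tool preparation steps in this chapter (generating a self-signed certificate in IIS, adding it to Trusted Root Certification Authorities, creating the HTTPS site binding and enabling the predefined HTTPS firewall rule) can be performed together from PowerShell. The following is an added example, not a script from the Ekran System help. It needs the PKI and WebAdministration modules (Windows Server 2012 or later), the host name you pass must be the name users will type in the browser URL (the Issued To field mentioned above), and the site name and port are assumptions you can change.

```powershell
# Added example, not from the help file: self-signed certificate for the Management Tool
# host, trusted on this computer, bound to HTTPS on the IIS site, plus the predefined
# firewall rule from the procedure above. Host name, site name and port are assumptions.
param(
    [Parameter(Mandatory)][string]$HostName,   # name used in the Management Tool URL (placeholder)
    [string]$SiteName = 'Default Web Site',
    [int]$Port = 443
)
Import-Module WebAdministration

# Generating Self-Signed Certificate: issued to the host name, stored in
# Certificates (Local Computer) > Personal, as IIS Manager does.
$cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'

# Trusted Root Certification Authorities: import only the public part (.cer). Other
# computers that open the Management Tool need this same .cer imported there.
$cerPath = Join-Path -Path $env:TEMP -ChildPath "$HostName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Site Bindings: add an https binding if the site has none on this port, then attach
# the certificate to it (the Edit Site Binding step).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
}
$sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path -Path $sslPath) { Remove-Item -Path $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Firewall: the predefined rule selected in the wizard above.
Enable-NetFirewallRule -DisplayName 'World Wide Web Services (HTTPS Traffic-In)'

# Show the result: the binding and the certificate thumbprint attached to it.
Get-WebBinding -Name $SiteName -Protocol https
Get-Item -Path $sslPath | Select-Object IPAddress, Port, Thumbprint
```

A self-signed certificate is trusted only where its .cer has been imported; for browsers on other computers, import the exported .cer into their Trusted Root Certification Authorities store in the same way, or use a certificate issued for the computer as described under Importing Trusted Certificate.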
Please note, the Management Tool may take a while to launch on first connection, since
IIS is not used constantly and its processes are stopped and restarted on the connection.
If you encounter any problems when opening the Management Tool, see the
Troubleshooting chapter.
Serial Key Management: Displays information about your serial keys, contains the key
activation/deactivation options, and is available to users that have the Serial keys
management permission.
Configuration: Opens the page on which the user can define the Email sending settings,
Player link settings, System settings, Log settings, Ticketing system integration settings,
LDAP Targets, Date & Time Format, and Server settings.
Management Tool Log: Contains information on all user actions performed in the
Management Tool.
Diagnostics: Provides quick access to Server and Management Tool log files for users
that have the Database management permission.
The Data View pane
The Data View pane contains a grid with the information about your Clients, Users, Alerts,
database, and Serial keys.
The Filtering pane
The Filtering pane allows you to filter the Clients, Users, and Alerts by keywords of their names
and hide offline/online/uninstalled/licensed/Windows/macOS/Linux Clients.
Toolbar
The Toolbar of the Management Tool allows you to perform basic actions with Clients, Users,
and Alerts. The options of the Toolbar are the following:
For Client Management: Add Client Group, Install Clients, Manage Licenses, Edit
Uninstallation Key, Uninstall Clients, Delete Clients, Blocked User List, and One-Time
Passwords.
For User Management: Add User and Add User Group.
For Alert Management: Add Alert, Manage Multiple Alerts, Export Alerts, Import Alerts,
and Global Alert Settings.
For Kernel-Level USB Monitoring Management: Add Rule.
For Scheduled Reports: Add Rule.
For Forensic Export: Validate Export Results.
7. Your password is changed. You will need to use it during the next log in.
Multi-Tenant Mode/Single-Tenant Ekran System Mode
Tenant Admin
Tenant Admin is the account created by the technician during tenant creation. Tenant Admins
can perform the following actions:
Manage tenant users and define their permissions
Manage user groups containing tenant users
Generate Client installation packages (and view the automatically generated token for
manual definition during the Offline Client installation).
Tenant User
Tenant User is able to perform the same actions as the Tenant Admin according to granted
permissions.
Tenant Management
Viewing Tenants
The tenants are displayed on the Tenant Management page in the Management Tool. The list
of tenants contains the following information:
Tenant Name
Tenant Admin
Description
Tenant Key
On the Tenant Management page, you can add new Tenants and edit existing Tenants
(including deletion).
Adding Tenants
To add a new tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and
system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Add Tenant.
4. On the Tenant Settings tab, define the tenant name and the description.
5. You can register the tenant admin via email or select an admin from the domain users.
6. Select the corresponding option and do the following:
To register the tenant admin via email, define the email address of the tenant admin. An
email with credentials will be sent to the tenant admin.
To select the tenant admin from the domain users, select the domain and the user from
the drop-down lists.
7. On the Licenses tab, enter the amount of licenses of each type to be granted to the tenant.
8. Click Finish.
9. The tenant is added and displayed on the Tenants page.
Editing Tenants
To edit an existing tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and
system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Edit Tenant for the required tenant.
4. Edit the tenant properties on the corresponding tabs in the same way as when adding a new
tenant. If you unassign licenses, they are returned to the license pool.
5. The tenant is edited.
Deleting Tenants
Deleting a tenant means that the tenant admin, as well as all the tenant's users and data, will
no longer be available in the system. If you delete the tenant while its admin is logged in to
the Management Tool, the Management Tool becomes unavailable to the tenant admin at once
and none of its pages will be displayed.
NOTE: If the tenant has at least one Client, it cannot be deleted.
To delete a tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and
system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Edit Tenant for the required tenant.
4. On the Tenant Settings tab, click Delete Tenant.
5. In the confirmation message, click Delete.
6. The tenant is deleted.
5. You will be logged out and automatically logged in as the selected tenant admin. In the
Management Tool you can see and perform all actions available for the selected tenant
account.
6. To switch back to the technician account, log off and log in with your own credentials.
Licensing
General Licensing Information
To start receiving information from the Clients, you have to assign licenses to them. Five types
of licenses are available:
Infrastructure Server Client: installed on Windows Server; - 2
Terminal Server Client: installed on Remote Desktop Services/Terminal Services, Citrix Server,
or Published App Server; unlimited
Cloud Server Client: deployed on Microsoft Azure or Amazon Web Services; 2
(Only these three rows of the license table survived extraction; the column headings and
the remaining license types are missing.)
NOTE: Licenses of the workstation type cannot be assigned to a computer with Server OS.
Each Client can have only one license assigned. During the first connection to the Server, the
license corresponding to the Client computer operating system is automatically assigned to a
Client. If the license has not been automatically assigned, then you will have to assign the
license to the Client manually.
Each permanent, trial, and update and support serial key contains the following data:
Update & support period
Licenses for the Clients
The enterprise serial key does not contain any Client licenses and is valid for an unlimited
period of time. This key grants you access to features of the Ekran System such as Database
Archiving, Advanced SIEM Integration, One-Time Password, High Availability, and Multi-Tenant
Mode.
Once you have purchased serial keys, you can either activate serial keys online or add activated
serial keys if you have no Internet connection on a computer with the installed Server. Contact
your vendor for information on purchasing serial keys.
You need the administrative Serial keys management permission to activate serial keys.
Please note, after the activation, serial keys are bound to a specific computer and cannot be
used on another computer.
o Activation date
o Type: Enterprise/Permanent/Update and Support/Trial/Trial Enterprise
o State: activated/deactivated/expired
o Details: expiration/deactivation date, type and number of licenses
6. The activated keys will appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.
License Management
Client License Management
The Client license management is performed in the Management Tool by the user with the
administrative Client installation and management permission.
You can assign a license to a Client or unassign it manually any time. The license can be
assigned to an offline Client, and it will be applied after the Client is online. If the Client is
uninstalled, its license becomes free and can be assigned to another Client.
NOTE: When a trial serial key expires, the corresponding number of licenses is automatically
unassigned from Clients.
Information about the number of used and free licenses of each type is displayed on the
License Management page in the Management Tool.
NOTE: To change the Client license type, you do not need to unassign the current license.
This will be done automatically.
User and User Group Management
NOTE: For Active Directory users, their first name and last name will be filled automatically
after the first log in to the system.
To find a required User, enter a part of their user name, first name, last name or description in
the Contains box and click Apply Filters.
On the User Management page, you can add new Users/User Groups and edit existing
Users/User Groups (including deletion).
User Management
Adding Users
To add a new user, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Add User.
4. On the User Type tab, select the type of the user you want to add:
Click Add an Internal user to create an internal application user.
Click Add an Active Directory user/user group to add an existing Windows user/user
group.
5. On the User Details tab, do one of the following and click Next:
For an internal user, define user credentials and additional information about the
user.
NOTE: Login and password are required. The password must be at least 6 characters long.
The maximum length of the first name, last name, and description is 200 characters.
For an Active Directory user/user group, select the domain in the Domain list and
then enter at least two characters into the User/User group box to search for the
required user/user group.
NOTE: The Active Directory user/user group cannot be added if there is no LDAP target
added for the required domain on the Configuration page or if the connection with the
domain is lost (the domain is unavailable).
6. On the User Groups tab, select the user groups the user will belong to. To find a specific
group, enter its name in the Contains box and click Apply Filters. Click Next.
NOTE: The user is automatically added to the default All Users group and can't be
removed from it.
7. On the Administrative Permissions tab, select administrative permissions that will be given
to the user. Click Next.
NOTE: If the user has inherited some permissions from user groups, you can only add new
permissions. To remove permissions inherited from user groups, you need to remove the
user from these groups.
Editing Users
To edit an existing user, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User for the required user.
4. Edit the user properties and permissions on the corresponding tabs in the same way as
when adding a new user.
NOTE: Click Next or Finish to save the changes on each tab.
5. The user is edited.
Deleting Users
Deleting a user means that the user will no longer be able to use the system. If you delete a
user who is currently logged in to the Management Tool, the Management Tool becomes
unavailable to that user immediately and none of its pages are displayed.
To delete a user, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User for the required user.
4. On the User Details tab, click Delete User.
5. In the confirmation message, click Delete.
6. The user is deleted.
Permissions
About
The permissions allow you to define which functions a user will be able to perform with the
system and Clients. There are two types of permissions:
Administrative permissions define actions that a user can perform with the whole system.
Client permissions define actions that a user can perform with selected Clients.
The permissions can be defined during user and user group adding/editing.
If you define permissions for a group, every user belonging to that group inherits these
permissions. To remove permissions a user inherited from a group, you need to remove the
user from that group. In addition to the permissions inherited from groups, you can assign a
user their own permissions.
Administrative Permissions
The following administrative permissions are available:
Serial keys management: Allows a user to activate and deactivate serial keys.
User management: Allows a user to add, edit, and delete Users/User groups and define
permissions for them. It also allows a user to view the Management Tool log.
Client installation and management: Allows a user to install Clients, assign licenses to
Clients, add, edit, and delete Client groups, manage alerts, define alert settings, create
and manage scheduled report rules, view report logs, define Email sending settings,
create and manage the USB monitoring & blocking rules, as well as block users.
Database management: Allows a user to get information on the database, perform
database cleanup, delete Clients from the database, and download Server and
Management Tool log files.
Viewing archived data: Allows a user to view and export sessions from archive
databases.
Tenant management and system configuration: Allows a user to add, edit, delete
Tenants and grant licenses to them. This permission is available only for the users of the
default tenant.
Client Permissions
Client permissions define which actions a user will be able to perform with the Clients.
If a user does not have the administrative Client installation and management permission, in
the Management Tool they will see only those Clients for which they have at least one Client
permission.
NOTE: Client permissions are defined for each Client or Client Group individually.
Permission Example
You can define a permission for a user by selecting the Edit User option and selecting the
option next to the required permission on the Administrative Permissions tab.
If the user belongs to several groups, they inherit all the permissions defined for those groups.
For example:
There is a user Joe who belongs to the Group 1 and Group 2 user groups.
Besides, there are Client 1 and Client 2, which belong to the All Clients group.
The administrator gives the following permissions to the user Joe, Group 1, and Group 2:
Group 1
  Administrative permissions: User management
  Client permissions: Client uninstallation (for Client 1)
Group 2
  Administrative permissions: Serial keys management
  Client permissions: Viewing monitoring results (for Client 2)
User Joe
  Administrative permissions: Client installation and management; Serial keys management
  Client permissions: Viewing monitoring results (for Client 1); Client configuration
  management (for All Clients)
As a result, the user Joe will have the following permissions:
Administrative
o User management permission (because he belongs to Group 1).
o Serial keys management permission (because he belongs to Group 2. He also has his own
Serial keys management permission, so he keeps it even if Group 2 is deleted or its
permissions are edited).
o Client installation and management permission (he has this permission irrespective of
the user groups he is added to).
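The resolution rules described above (a user's effective permissions are the union of their own and every group's; an inherited permission goes away only by leaving the group; without the administrative Client installation and management permission a user sees only Clients for which they hold at least one Client permission), written out as a small Python model. This is an added example, not code from the Ekran System product or this guide. The dictionaries are constructed from the Joe table above; the extra user Dana (a member of Group 2 only, with no permissions of her own) is invented to show the visibility rule, and the dict-of-sets layout is an assumption about how to model the rules, not the product's storage format.

```python
"""Model of Ekran System permission inheritance (added example, not product code)."""

# Permissions granted directly, per the table above.
# "admin" is a set of administrative permissions; "client" maps a Client
# permission to the Clients or Client groups it is granted for.
GROUP_PERMISSIONS = {
    "Group 1": {
        "admin": {"User management"},
        "client": {"Client uninstallation": {"Client 1"}},
    },
    "Group 2": {
        "admin": {"Serial keys management"},
        "client": {"Viewing monitoring results": {"Client 2"}},
    },
}

USER_PERMISSIONS = {
    "Joe": {
        "admin": {"Client installation and management", "Serial keys management"},
        "client": {
            "Viewing monitoring results": {"Client 1"},
            "Client configuration management": {"All Clients"},
        },
    },
    # Dana is a constructed user with no permissions of her own.
}

# Group membership. Every user is also in the default All Users group, which
# carries no permissions in this example, so it is omitted.
USER_GROUPS = {"Joe": ["Group 1", "Group 2"], "Dana": ["Group 2"]}

# Client group membership: Client 1 and Client 2 belong to All Clients.
CLIENT_GROUPS = {"All Clients": {"Client 1", "Client 2"}}


def effective_permissions(user):
    """Union of the user's own permissions and those inherited from all groups.

    Returns (admin: set of names, client: dict permission -> set of targets)."""
    admin, client = set(), {}

    def merge(block):
        admin.update(block.get("admin", ()))
        for perm, targets in block.get("client", {}).items():
            client.setdefault(perm, set()).update(targets)

    merge(USER_PERMISSIONS.get(user, {}))
    for group in USER_GROUPS.get(user, []):
        merge(GROUP_PERMISSIONS.get(group, {}))
    return admin, client


def expand_targets(targets):
    """Replace Client group names with the individual Clients they contain."""
    clients = set()
    for target in targets:
        clients.update(CLIENT_GROUPS.get(target, {target}))
    return clients


def visible_clients(user, all_clients):
    """Clients the user sees in the Management Tool.

    With the administrative 'Client installation and management' permission
    every Client is visible; otherwise only Clients for which the user holds
    at least one Client permission."""
    admin, client = effective_permissions(user)
    if "Client installation and management" in admin:
        return set(all_clients)
    visible = set()
    for targets in client.values():
        visible |= expand_targets(targets)
    return visible & set(all_clients)


def keeps_admin_permission_without(user, group, permission):
    """True if the user still holds `permission` after being removed from `group`,
    i.e. it is granted directly or by another group."""
    if permission in USER_PERMISSIONS.get(user, {}).get("admin", ()):
        return True
    others = (g for g in USER_GROUPS.get(user, []) if g != group)
    return any(permission in GROUP_PERMISSIONS.get(g, {}).get("admin", ()) for g in others)


if __name__ == "__main__":
    admin, client = effective_permissions("Joe")
    print("Joe, administrative:", sorted(admin))
    for perm, targets in sorted(client.items()):
        print(f"Joe, {perm}: {sorted(expand_targets(targets))}")
    print("Dana sees:", sorted(visible_clients("Dana", ["Client 1", "Client 2"])))
```

Running it reproduces the page's result for Joe (three administrative permissions, Viewing monitoring results for both Clients via Group 2 plus his own grant, Client configuration management expanded to Client 1 and Client 2), and shows that Dana, lacking the installation permission, sees Client 2 only.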
All actions performed by the users in the Management Tool are grouped by the following
categories:
1. Alert management. Contains the information on the alert configuration being changed,
as well as exporting, importing, deleting older alerts, creating new ones, and changing
the Global Alert settings.
2. Alert player viewing. Contains the information on viewing alert events in the Alert
Viewer by a user.
3. Archived Sessions Viewing. Contains the information on the archived sessions being
opened in the Session Viewer or being exported via Forensic Export.
4. Log settings. Contains the information on the log settings being changed.
5. Client editing. Contains the information on the Client configuration being changed. If
there were multiple configuration changes, they are combined in a single log entry.
6. Client group management. Contains the information on the Client Group configuration
being changed, as well as deleting older Client Groups and creating new ones.
7. Client installation/Uninstallation. Contains the information on installation and
uninstallation of the Clients performed by a user, as well as the Client uninstallation key
being changed.
8. Database cleanup. Contains the information on the manual & automatic cleanup being
performed and the changes made to the automatic cleanup settings by a user.
9. Database management. Contains the information on the database shrinking, database
archiving and cleanup, and statistics update performed by a user.
10. Date & Time Format. Contains the information on the date and time format settings
being changed.
11. Diagnostics. Contains the information on downloading the server and Management Tool
log files by a user.
12. Email sending settings. Contains the information on the email sending settings being
changed.
13. Forensic Export. Contains the information on users performing Forensic Export,
downloading and deleting the Forensic Export results, as well as validating those results.
14. Interactive monitoring. Contains the information on Clients, users on Client computers,
and time period, for which the Application Monitoring and URL Monitoring widgets
were generated.
15. Kernel-level USB monitoring. Contains the information on the USB monitoring &
blocking rules being changed by a user, as well as deleting older rules and creating new
ones.
16. LDAP targets. Contains the information on the added, edited, and deleted LDAP targets.
17. Log in / Log off. Contains the information on users logging in and logging off (including
the Management Tool being closed, the session expiring, etc.).
18. One-time password. Contains the information on generated, used, expired and
manually terminated one-time passwords.
19. Report generation. Contains the information on the reports generated by a user, both
via Report Generator and from the Scheduled rule. It also contains information about
the generated reports being downloaded by a particular user.
20. Scheduled report management. Contains the information on the Scheduled Report
rules being changed by a user, as well as deleting older rules and creating new ones.
21. Serial key management. Contains the information on adding, activation, and
deactivation of the serial keys by a user.
22. Session Viewing. Contains the information on the sessions opened in the Session Viewer
by a user.
23. Ticketing system integration. Contains the information on the ticketing system
integration being enabled or disabled and on the ticketing system access parameters
being edited.
24. Two-Factor Authentication. Contains the information on the users being added or
deleted on the Two-Factor Authentication page and on editing of two-factor
authentication keys.
25. User blocking. Contains the information on users being added to and removed from the
Blocked User list.
26. User group management. Contains the information on the user group configuration
being changed by a user, as well as deleting older user groups, creating new ones,
changing the Client and administrative permissions.
27. User management. Contains the information on the user configuration being changed
by a user, as well as deleting older users, creating new ones, changing the Client and
administrative permissions.
To filter data by the Time field, click next to the required column header, select the From and
To dates, and then click OK.
To sort data in the Log grid, click the required column header. You can change the column sort
order from ascending to descending, and vice versa, by clicking the Sort arrow next to the
column header.
Windows Clients
About
Windows Client is a program that can be installed on the target computers to monitor the
activity of their users. The monitored data is sent to the Server and can be viewed in the
Management Tool.
Depending upon their permissions, a user can install/uninstall Clients remotely, manage their
configuration, and manage Client groups.
You need to know the domain administrator or local administrator account credentials
for the remote computer.
The Server and the Remote Procedure Call (RPC) system services have to be running on
the remote computer.
On Windows Vista and Windows XP, Windows Firewall has to be properly set up on the
remote computer during remote installation of the Clients.
On Windows 8, Windows 7, Windows Server 2012 and Windows Server 2008, inbound
connections have to be allowed in the Remote Service Management (RPC) rule of Windows
Firewall on the remote computers and the File and Printer Sharing option has to be
enabled (in this case it is not necessary to disable Windows Firewall).
Because the Client is signed with SHA-256 code signing, Microsoft Security Advisory
update 3033929 needs to be installed on Windows 7 SP1 and Windows Server 2008 R2 SP1:
https://technet.microsoft.com/en-us/library/security/3033929.aspx.
In Windows Firewall on the Server side, allow the Server executable to accept TCP connections
on ports 9447 and 9449 (used for the connection between the Server and the Clients).
NOTE: These rules are added to Windows Firewall automatically if Windows Firewall is
enabled during the Server installation.
Make sure the conditions mentioned above are met to avoid problems with remote Client
installation. Remote installation uses administrator credentials and relies on RPC and file
sharing being reachable on the target computers, so scope those inbound firewall rules to the
Server's address or the management network rather than allowing them from any source.
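As an added check, not part of the product or this guide: a short Python script that tests from a would-be Client host whether the Server accepts TCP connections on 9447 and 9449 before you start remote installation, so a firewall that still drops those ports is found before the install silently fails. The host name `ekran-server.example` is a placeholder; `demo_against_local_listener` stands up its own listener on the loopback interface so the logic can be exercised offline without a Server.

```python
"""TCP reachability check for the Server ports (added example, not product code)."""
import socket
from contextlib import closing

# Ports the Server must accept for Client connections, per this guide.
SERVER_PORTS = (9447, 9449)


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused connection, an unresolvable or unreachable host, and a firewall
    that drops the SYN (timeout) all count as closed; a Client install would
    fail the same way."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            return False


def check_server_ports(host, ports=SERVER_PORTS, timeout=2.0):
    """Map each required port to whether it is reachable from this host."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def demo_against_local_listener():
    """Offline demonstration with two constructed ports: one listening, one not.

    Returns the dict from check_server_ports, in the order (open, closed)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as listener:
        listener.bind(("127.0.0.1", 0))   # ephemeral port, stands in for 9447
        listener.listen(1)
        open_port = listener.getsockname()[1]
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
            tmp.bind(("127.0.0.1", 0))    # reserve a second port, then release it
            closed_port = tmp.getsockname()[1]
        # tmp is closed, so nothing listens on closed_port any more.
        return check_server_ports("127.0.0.1", (open_port, closed_port), timeout=1.0)


if __name__ == "__main__":
    # Placeholder Server name; replace with your own.
    for port, reachable in check_server_ports("ekran-server.example").items():
        print(f"{port}: {'open' if reachable else 'blocked or closed'}")
```

Run it on a computer you intend to install a Client on; a port reported as blocked means the Server-side firewall rule (or a network device in between) still needs attention.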
4. If one or both services are not running, start them manually: right-click the service and
select Start from the context menu. The selected service is started.
To enable inbound connections for the Remote Service Management (RPC) rule, do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, click Inbound Rules and
then double-click the Remote Service Management (RPC) rule in the rules list.
6. On the Advanced tab, under Profiles, select the profile of the network used for
connecting remote computers and the Server.
7. Click Apply and then OK to save the settings and close the Properties window.
8. Close the Windows Firewall window.
4. Select the File and Printer Sharing option and then click OK.
Selecting Computers
To select the computers for Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. The Computers without Clients page opens. On this page, you can see the computers for
which the previous installations failed.
5. Select how you would like to search for computers where the Windows Clients will be
installed:
To select computers from the list of all computers in your network, click Deploy via
network scan.
To select computers by IP range (IPv4 or IPv6 addresses), click Deploy via IP range.
To select computers by their names, click Deploy on specific computers.
6. In the Choose search results window:
Click Start new search to look for computers with defined parameters.
Click Previous search results to choose the computers found in the previous search.
If you have not performed any searches yet, this option will be absent.
7. If you have selected the Deploy via IP range option, the Computers Scan page opens. In the
From Address and To Address boxes, enter the IP range (either IPv4 or IPv6) for which the
network should be scanned. To find only one computer, enter the same IP address in both
boxes. Click Scan.
8. If you have selected the Deploy on specific computers option, the Adding Computers page
opens. Enter the names of the computers on which Windows Clients must be installed in the
Name box and click Scan. Use a semicolon to separate computer names.
Note that you must enter the full name of the computer.
9. The scanning process starts. The list of found computers will be updated automatically. If it
is not updated, click Refresh. To stop the scanning process, click Stop.
10. When the scanning process finishes, select check boxes next to the computers that you
want to install the Clients on. Click Next.
11. The selected computers are added to the list on the Computers without Clients page.
12. If you want to remove some computers from this list, click Remove from list next to the
selected computer.
4. The installation process starts. The progress of installation will be updated automatically on
the Client installation page. If it is not updated, click Refresh.
NOTE: If the connection with the Server fails, the Client will not be installed.
5. After the end of the installation, the installed Clients will appear on the Clients page in All
Clients group. If the installation of some Clients fails, these computers will remain in the
Computers without Clients list and you can click Retry to start the installation again.
3. Once the .ini file is chosen, click Next and continue the installation the same way as when
installing the Clients remotely in a common way.
ColourDepth (default: 7, i.e. 4-bit grayscale): The colour depth used when saving
screenshots. 7 = 4 bits (grayscale), 8 = 8 bits, 16 = 24 bits.
DisplayClientIcon (default: Disabled): Whether the Client tray icon is displayed. If the value
is 1, the Client tray icon is displayed; if the value is 0, it is hidden.
UserFilterNames (default: empty): The list of user names separated with semicolons (e.g.,
work\jane;work\john). Names are combined with OR logic. Using an asterisk (*) as a
name/domain mask is allowed (e.g., *\administrator or *\admin*).
MonitorTimeFilterState (default: disabled): Filters the time during which user activity is
recorded. If the value is "disabled", user activity is recorded twenty-four seven. If the
value is "include", user activity is recorded only on the days defined in MonitoringDays
and only during the hours defined in MonitoringHours. If the value is "exclude", user
activity is not recorded on the days defined in MonitoringDays and during the hours
defined in MonitoringHours.
MonitoringDays (default: Mon, Tue, Wed, Thu, Fri): The days of the week on which the
Client will or will not record users' activity. The days of the week are combined by OR
logic.
MonitoringHours (default: 8:00 to 18:00): The hours during which the Client will or will not
record users' activity.
EnableOneTimePassword (default: Disabled): Additional option that allows the user to request
a one-time password to get temporary access. If the value is 1, the option is enabled; if the
value is 0, it is disabled.
EnableTwoFactorAuth (default: Disabled): The option that requires the user to enter a
time-based one-time password to log in. If the value is 1, the option is enabled; if the value
is 0, it is disabled.
RequireTicketNumber (default: Disabled): Additional option that requires the user to enter a
valid ticket number from an integrated ticketing system to start working with the Client
computer. If the value is 1, the option is enabled; if the value is 0, it is disabled.
UpdateAutomatically (default: Enabled): The Client update mode. If the value is 1, automatic
Client update is enabled; if the value is 0, it is disabled and the Client requires a manual
update.
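The user and monitoring-time filter parameters above determine whether a given user's activity is recorded at a given moment; the following Python script, an added example and not code from the product or this guide, parses a small .ini fragment and applies those rules, so a filter can be checked before it is rolled out to Clients. SAMPLE_INI is constructed from the parameter descriptions on this page. The [Client] section name, the UserFilterState key (assumed to take include/exclude/disabled like MonitorTimeFilterState, since the page shows both "monitor only" and "monitor all except" user filters but not the key name) and the "HH:MM-HH:MM" layout of MonitoringHours are assumptions; treating the end of the hour window as exclusive is also an assumption.

```python
"""Evaluate Client .ini user and monitoring-time filters (added example, not product code)."""
import configparser
import fnmatch
from datetime import datetime, time

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # datetime.weekday() order

# Constructed sample; key names other than those on the page are assumptions.
SAMPLE_INI = """
[Client]
UserFilterState=include
UserFilterNames=work\\jane;work\\john;*\\admin*
MonitorTimeFilterState=include
MonitoringDays=Mon,Tue,Wed,Thu,Fri
MonitoringHours=8:00-18:00
"""


def parse_hours(spec):
    """'8:00-18:00' -> (time(8, 0), time(18, 0)); 24-hour format only, per the page."""
    start, end = (part.strip() for part in spec.replace("\u2013", "-").split("-", 1))

    def to_time(text):
        hour, minute = (int(x) for x in text.split(":"))
        return time(hour, minute)

    return to_time(start), to_time(end)


def load_filters(ini_text):
    """Read the filter-related keys; missing keys fall back to 'disabled'/empty."""
    cp = configparser.ConfigParser(interpolation=None)   # no '%' interpolation of values
    cp.read_string(ini_text)
    c = cp["Client"]
    hours = c.get("MonitoringHours")
    return {
        "user_state": c.get("UserFilterState", "disabled").strip().lower(),
        "user_names": [n.strip() for n in c.get("UserFilterNames", "").split(";") if n.strip()],
        "time_state": c.get("MonitorTimeFilterState", "disabled").strip().lower(),
        "days": {d.strip().lower() for d in c.get("MonitoringDays", "").split(",") if d.strip()},
        "hours": parse_hours(hours) if hours else None,
    }


def user_matches(user, patterns):
    """Names are ORed; '*' is a name/domain mask (e.g. *\\admin*). Compared case-insensitively."""
    user = user.lower()
    return any(fnmatch.fnmatchcase(user, pattern.lower()) for pattern in patterns)


def in_window(when, start, end):
    """True if when's time of day lies in [start, end); handles a window past midnight."""
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def should_record(filters, user, when):
    """Apply the user filter, then the monitoring-time filter, as the page describes them."""
    state = filters["user_state"]
    if state in ("include", "exclude"):
        hit = user_matches(user, filters["user_names"])
        if hit != (state == "include"):      # include needs a hit, exclude needs a miss
            return False
    state = filters["time_state"]
    if state in ("include", "exclude"):
        day_ok = DAYS[when.weekday()] in filters["days"]
        hour_ok = filters["hours"] is None or in_window(when, *filters["hours"])
        scheduled = day_ok and hour_ok
        if scheduled != (state == "include"):
            return False
    return True


def should_record_at(filters, user, iso_when):
    """Convenience wrapper taking an ISO 8601 timestamp such as '2024-03-04T09:30'."""
    return should_record(filters, user, datetime.fromisoformat(iso_when))


if __name__ == "__main__":
    f = load_filters(SAMPLE_INI)
    print(should_record_at(f, "work\\jane", "2024-03-04T09:30"))        # Monday, in hours
    print(should_record_at(f, "work\\jane", "2024-03-09T09:30"))        # Saturday
    print(should_record_at(f, "CORP\\Administrator", "2024-03-05T10:00"))  # matches *\admin*
```

Note that the `*\admin*` mask also matches any account whose name merely starts with "admin" in any domain, which is the kind of over-match worth checking here before the filter ships in a package.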
3. After the package is deployed, the name of the required computer appears on the Client
Management page in the Management Tool.
To install the Windows Client locally using the installation package on the target computer:
1. Copy the downloaded EkranSystemClient.exe file to the target computer and do one of the
following:
Start the EkranSystemClient.exe installation file under the administrator account on the
target computer. Then, in the window that opens, enter the name(s) and IP address(es) of
the computer on which the Server is installed and click Install.
In the Command Prompt (cmd.exe) started as administrator, enter
EkranSystemClient.exe /ServerName=<Server Name>.
NOTE: If there is no connection with the Server, the installation fails and an error
message is displayed.
2. After the package is deployed, the installed Client appears in the list on the Client
Management page in the Management Tool.
To configure the image of the virtual machine with the Client for the license to be unassigned
on shutdown:
NOTE: If you need the license to be unassigned on Logoff, you have to edit the Logoff script in
a similar way in the Local Group Policy Editor (User Configuration -> Windows Settings ->
Scripts (Logon/Logoff) -> Logoff -> Properties).
If you want to control the update of target Client computers yourself, you can disable the
automatic update on the required Clients and update them via the Management Tool.
After the Windows Client is updated, you will still be able to access the monitored data
received before its update.
NOTE: Windows Clients of very old versions might not be able to update. In this case, you
need to re-install the Clients.
To edit the description for the Windows Client, enter it in the Description box and click Finish.
If the Display Client tray icon option is enabled, the Client will display a tray notification to
inform the logged-in users that they are being monitored by a Server.
o Bit depth: By default, screenshots are grayscale with 4 bit colour depth. This
guarantees the smallest database size with a normal screenshot quality. You can
also set colour depth to 8 bits or 24 bits.
Frequency settings for user activity recording: These options define how often the user
activity on the Client computer is captured. User activity recording can be triggered by the
following events:
o Time interval: User activity is captured at a fixed time interval, irrespective of
whether anything changes on the screen. The minimum time interval is 30 seconds.
o Active window change: User activity is captured when the active window changes. For
example, a new window opens (a program starts), a new tab opens in the browser, a
secondary window opens, etc. (this also influences keystroke logging).
o Active window title change: User activity is captured when the title of the active
window changes (this also influences keystroke logging).
o Clicking or key pressing: User activity is captured on each mouse click or key press. Note
that, by default, in this mode the recorded user activity is sent no more often than once
every 3 seconds, to avoid affecting the performance of the Client computer and inflating
the database.
Navigation and typing modes: The arrow keys, Home/End, Page Up/Page Down, Tab,
Insert, Delete/Backspace, Enter, and Lock keys (Num Lock, Scroll Lock, and Caps Lock).
System commands: Print Screen, Menu, Escape, and Break/Pause key.
Function keys: Keys that perform some functions, such as printing or saving files.
Usually, they are labelled as F1- F12 and are located along the top of the keyboard.
Monitor only data from all applications containing Facebook or Gmail in the title
Monitor only data from all applications containing Firefox or Internet in the application
names
Monitor only data from applications containing Firefox, Chrome or Internet in the application
names (any title) and applications with the Facebook word in the title (any name)
Monitor all data except data from applications containing words Work or Doc in the title
Monitor all data except data from applications containing words Word or Excel in the
application names
Monitor all data except data from applications containing the Word word in the application
name or the doc word in the title
You can define user names for filtering by entering them manually or by clicking Add Users
and selecting users from the list.
When you enter user names manually, they must be entered as <domain name>\<user
name> and separated with a comma (,), a semicolon (;), or a line break. You can also use
an asterisk (*) as a name/domain mask (e.g., *\administrator or *\admin*).
When you click Add Users, the Adding Users page opens. Note that only those users
whose activity has already been monitored are listed. Select the user names to be
added and click Add selected.
NOTE: If you select a user with Forced User Authentication on the Adding Users page,
e.g., WORK\janet (jan), you need to replace the parentheses in the User names box with a
semicolon, i.e., WORK\janet;jan.
Parameters examples:
Monitor only the activity of the janet user or joe user in the work domain
Monitor the activity of all users except the users with administrator login (both local and
domain)
Monitor only the activity of the janet Ekran system user name used for secondary
authentication
NOTE: In the .ini file, the monitoring hours must be defined in the 24-hour time format only.
Parameters examples:
Record user activity only on Monday, Tuesday, Wednesday, Thursday, and Friday from 8 AM
to 6 PM
7. On the Application Filtering tab, define the application filtering parameters for the
Client.
8. On the User Filtering tab, define the user filtering parameters for the Client.
9. On the Monitoring Time Filtering tab, define the monitoring time filtering parameters
for the Client.
6. Click Finish.
7. If the Client is installed on Windows Server 2003, the computer must be restarted after
enabling or disabling the forced authentication mode. On other Windows versions the forced
authentication mode takes effect immediately.
NOTE: Forced user authentication does not work on the Windows XP operating system.
The one-time password option can be enabled only together with the forced user
authentication option, during Client editing in the Management Tool.
NOTE: The one-time password option is available only if you have an activated Enterprise
serial key.
When a user requests a one-time password for logging in to the Client computer, the request
is sent to the email address of the administrator defined for the Client in the Client
configuration. On the Access Management page, on the One-Time Passwords tab, the requested
password is displayed with the Requested state.
NOTE: For the administrator to receive the email requests correctly, make sure that valid
email addresses are defined on the Authentication Options tab of the Clients.
To generate a one-time password using the email link, open the received email with the
request for a one-time password and click the navigation link for password generation. The
one-time password is generated automatically and sent to the user's email address.
To generate a one-time password via the One-Time Passwords page, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-Time Passwords tab.
4. On the One-Time Passwords tab, click the Generate link for the user request with the
Requested state.
5. The one-time password is generated automatically and sent to the user's email address.
User’s confirmation email: Define the user email address, on which the generated
one-time password will be sent.
Comment: Enter your own comment or leave the default one. The default comment
is “Generated without request”.
7. The one-time password is generated and sent to the specified email address.
Used: The one-time password has been generated and sent to the user, and the user has used
it. Available action: Open Session, which opens the session of the user who logged in to the
Client computer with the one-time password.
NOTE: You can manually terminate the one-time passwords with the Generated & Sent or
Sending Failed states only.
5. In the confirmation message, click OK.
6. The state of the one-time password changes to Manually Expired and the user will not be
able to use it.
Logging In
Logging in Using Ekran System User Additional Credentials
The process of logging in to a Client computer with forced user authentication enabled is as
follows:
1. The user logs in to Windows in the usual way (locally or remotely).
2. On the user's login to Windows, the Client displays the secondary authentication window,
asking the user to enter their secondary credentials.
3. The user enters the credentials of the Ekran System user that has the Access to Client
computer permission.
4. These credentials are sent to the Server, and the Server returns whether access to this
computer is allowed. If the user has the required permission for the Client computer and the
entered credentials are correct, the user is allowed to continue working with the system.
Otherwise, the user receives a corresponding message.
5. As soon as the user starts working with the system, the Client starts recording their
activity, and the user's name is displayed in the Management Tool on the Monitoring Results
page in the User name column in brackets: <logged in Windows user> (<forced authentication
user>).
list in the User name column in brackets: <logged in Windows user> (<user's email
address>).
NOTE: After the one-time password has been used, it is automatically terminated and cannot
be used to log in to the Client computer again.
Logging In
The process of logging into the Client computer with the approval of the administrator is
performed as follows:
1. The user logs in to the Windows computer with installed Client in a common way (locally or
remotely).
2. If Forced User Authentication is enabled, the user enters their secondary credentials.
3. If the additional message on login is enabled, the user acknowledges it. Additionally, if the
corresponding options are enabled, the user comments on the message and enters a valid
ticket number.
4. An email with the request and user information is sent to the defined email address. The
administrator receives an email with the request.
5. In the received email, the administrator clicks the Grant access hyperlink to allow the user
to log in.
If the user is not allowed to log in, the administrator clicks the Block access hyperlink and
the user is logged out.
For the Local computer user select the user login and computer name.
For the Ekran System user select the user login.
6. Select a computer or computer group to access and domain.
NOTE: The selected domain must be the same as the domain of the user who gets access.
7. Select a domain group from which the account will inherit permissions.
8. Define the access expiration date.
9. Add comment, if necessary.
10. Click Grant Access.
11. The privileged account is generated in the selected domain user group.
To enable displaying the additional message when editing the Windows Client, do the
following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click
Edit Client. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
4. On the Authentication options tab, select the Enable displaying additional message option,
and then, optionally, enter the message to be displayed to a user.
5. Click Finish.
or on the Generate Installation Package page (if the Client is to be installed via the installation
package).
When the Client is installed, the notification message will be displayed to the user after their
login.
To enable displaying the Client tray icon when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click
Edit Client. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
4. On the Properties tab, select the Display Client tray icon option.
5. Click Finish. The Client tray icon will be displayed on the next user login.
Logging In
The process of logging in to the Windows Client computer with enabled additional message
option is performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. If the Forced User Authentication is enabled, the Client prompts the user to enter the
secondary credential.
3. After the user is logged in, the notification message is displayed.
NOTE: If the user logs in to the Citrix XenApp or Microsoft Shared App, the additional
message will be shown to them every eight hours.
4. If the Require user’s comment option is enabled, the user will be required to comment on
the additional message to start working with the Windows Client computer.
5. If the user clicks I Agree, they are allowed to continue working with the system. If the user
clicks Cancel, they return to the Windows login screen.
6. If the Client tray icon displaying option is enabled for the Client, the tray notification is
displayed to the user.
Logging In
The process of logging in to the Windows Client computer with enabled ticket number option is
performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. If the Forced User Authentication is enabled, the Client prompts the user to enter the
secondary credential.
3. After the user is logged in, the notification message is displayed.
4. The user enters a valid ticket number, comments on the additional message, and then clicks
I Agree to start working with the system. If the user clicks Cancel, they return to the
Windows login screen.
5. In the ticketing system, a comment is added to the corresponding ticket. It contains
information on who logged in to the Client computer and when. Additionally, it contains the
user's comment entered in the additional message window and the link to the user session.
macOS Clients
About
The macOS Client is a program that can be installed on the target computers to monitor the
activity of their users. The monitored data is sent to the Server and can be viewed via the
Session Viewer in the Management Tool.
To install the macOS Client on the target computer with a macOS operating system from the
command line:
1. Make sure that there is only one user logged in to the computer.
2. Copy the installation package to any folder.
3. Run the Terminal.
4. Navigate to the folder with the installation package by entering the following command:
cd path/to/folder
5. Unpack the installation package using the following command:
tar xvfz <installation package name>
6. Navigate to the unpacked EkranClient folder using the following command:
cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.
7. Run the macOS Client installation script, specifying the Server name or Server IP address
and the port used for connection to the Server (9447 is recommended):
./install.sh <server_name/IP> <Agent_port>
8. After the end of the installation, macOS Client will appear in the list on the Clients page in
the Management Tool.
o Active window title change: User activity is captured on the change of the name of
the active window.
o Clicking or key pressing: User activity is captured on each mouse click or keyboard
key press. Note that in this mode the recorded user activity is sent no more often
than once every 3 seconds, to avoid affecting the performance of the Client computer
and increasing the database size.
Linux Clients
About
The Linux Client is a program that can be installed on the target computers to monitor the
activity of their users in the terminal. The monitored data is sent by the Linux Client to the
Server and can be viewed via the Session Viewer in the Management Tool.
5. On the Installation File Download page, click Download Linux x86 Client Installation
(.tar.gz) or Download Linux x64 Client Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your
browser.
To install the Linux Client on the target computer with a Linux operating system from the
command line:
1. Copy the installation package to any folder. Make sure you use the correct installation
package (x64 or x86).
2. Run the command-line terminal.
3. Navigate to the folder with the installation package by entering the following
command:
$ cd path/to/folder
4. Unpack the installation package using the following command:
$ tar xvfz <installation package name>
6. Run the Linux Client installation script, specifying the Server name or Server IP address
and the port used for connection to the Server (9447 is recommended):
$ sudo ./install.sh <server_name/IP> <Agent_port>
7. After the Client is installed, it starts monitoring the new terminal sessions. If you want
to monitor the older terminal sessions, restart them.
8. The installed Linux Client appears in the list on the Client Management page in the
Management Tool.
$ cd /opt/.Ekran
3. The .Ekran folder contains the uninstall.sh script used to uninstall the Client.
4. Run the uninstallation script by entering the following command and pressing Enter:
$ sudo ./uninstall.sh
5. Enter the password of the superuser.
6. Linux Client is successfully uninstalled.
Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6
addresses used by Linux Client will be displayed in the Management Tool.
You can filter Linux Clients in the following ways:
To sort Clients by the type of operating system, click the Type column header.
To find Linux Clients only, select Hide Windows Clients and Hide macOS Clients and
click Apply Filters.
To find Clients by their host name or description, enter the name/description or a part
of it in the Contains box and click Apply Filters.
To hide offline/online/uninstalled/licensed Clients, select the corresponding option in
the Filtering pane and click Apply Filters.
Two-Factor Authentication for Windows Clients
4. In the Add User window, select the user type and define the following information:
For Active Directory user, define the domain name and user login.
For Local computer user, define the computer name and user login.
For Ekran user for secondary authentication, define the user login.
5. Click Generate to generate the QR code and key.
6. Save the QR code or copy the key to your clipboard to send it to the corresponding user.
Alternatively, make a note of it to provide it to the user later. The user will have to enter
this key or scan the QR code with their TOTP mobile application (e.g., Google Authenticator).
For security reasons, after you navigate off this page, no one will be able to see the
generated key again.
7. Click Save.
User Blocking
About
Ekran System allows you to block users performing potentially harmful and forbidden actions
on Windows Clients. You can add the user to the blocked user list on the selected Client
computer or all Client computers in the system. A blocked user is forcibly logged out of the
Client and is not allowed to log back in. You can block users while viewing their session, live or
finished. You can also enable an option that allows blocking a user or killing the process when a
certain alert is triggered. You need to have the Client installation and management permission
to block users.
6. The user is blocked with the default parameters. If the user tries to log in to the Client
computer, the system does not allow them to do so, and the following message is
displayed: “You have been blocked. Contact your system administrator.”
NOTE: If you have selected to block the user on all computers, then they will be logged out
on all computers where they are logged in at the time of blocking.
A list of blocked users is displayed, with the following information available for each record:
Windows User: has one of the following formats:
o <domain>\<user name>
o <domain>\<primary user name>(<secondary user name>) (for Clients with
secondary user authentication enabled)
Blocked on: Displays a specific computer name or All computers.
Blocked by: Displays a specific Ekran user that has blocked the Windows user.
Date: Displays the date when the user was blocked.
Reason: Displays the reason for blocking the user.
To remove all users from the blocked user list, do the following:
Click Remove All in the blocked user grid.
Click Remove in the confirmation message.
Client Group Management
NOTE: Only the first 10 groups are displayed in the list. To view all groups, click the
Click to view all results link.
6. Select the option next to the group to which you want to add the Client.
NOTE: To find a specific group, enter its name or a part of it in the Find Groups field.
The list is filtered along with typing.
7. Click Add.
8. The group to which the Client was added is displayed in the grid.
9. Click Finish.
To edit the Windows Client configuration by changing the Client Group settings, do the
following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Group. To find a specific
Client Group, enter its name in the Contains box and click Apply Filters.
4. Edit Client Group properties, permissions, and alerts on the corresponding tabs.
5. Click Finish.
To edit the Windows Client configuration by applying group settings to a Client, do the
following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Windows Client for which you want to edit the
configuration, and click Edit Client. To find a specific Client, enter its name in the
Contains box and click Apply Filters.
NOTE: If you do not have the Client configuration management permission for this
Client, the configuration options editing will be disabled.
4. On the Editing Client page, on the Client Groups tab, add the Client to the group from
which you want the Client to inherit configuration.
5. Click the Apply link for the group.
6. The Client settings type changes to Inherited from <group name> and the Applied
value is displayed for this group in the grid.
7. Click Finish.
Alerts
About
Alerts are instances that notify the investigator of a specific activity (potentially
harmful/forbidden actions) on the target computers with installed Clients and allow the
investigator to respond to such activity quickly without performing searches.
The notifications can be received via email or in the Tray Notifications application. In addition,
monitored activity associated with alert events is marked as an alert in the Session Viewer.
The alert system can be used for two purposes:
Immediate response: This allows the investigator to get immediate information about
the forbidden action and respond to it quickly (almost at once). You can set an alert to
automatically block a user or kill the process.
Delayed response: This allows the investigator to get information on a batch of
forbidden actions on multiple Clients, analyse them, and then respond.
Viewing Alerts
The alerts are displayed on the Alert Management page in the Management Tool. A list of
alerts contains the following information:
Name
Description
Risk Level: Indicates the risk level of an alert, which can be Normal, High or Critical.
Assigned To: Indicates Clients/Client Groups the alert is assigned to.
Alert State: Indicates if the alert is enabled.
Notification Type: Indicates how the investigators are notified about alert events (by
emails or via Tray Notifications application).
Email Recipient: The email address of the investigator who will be notified about alert
events.
To view the latest 100 events for an alert in the Alert Viewer, click View alert events in the
corresponding entry.
To find a required alert, you can use a filtering option on the top of the page.
Select the Hide Enabled/Disabled/Default Alerts options and then click Apply Filters to hide
the alerts.
On the Alert Management page, you can add new alerts, edit existing alerts (including
deleting), and define Global Alert Settings.
Default Alerts
The Ekran System contains a set of default alerts for the potentially harmful applications and
websites visited on the Windows Client computers and for the important commands executed
on the Linux Client computers.
The default alerts are automatically added when the Ekran Server is installed or updated to a
new version. These alerts are enabled by default but there are no Clients to which they are
assigned. You can assign an alert to Clients by clicking Edit alert for the required alert and
selecting the needed Clients on the Assigned Clients tab or while editing multiple alerts.
Default alerts have the High risk level by default.
You can do the following with default alerts:
- Enable/disable them.
- Change the alert risk level.
- Define the notification options.
- Enable showing a warning message, blocking the user or killing the process.
- Delete them.
To hide default alerts, select the Hide Default Alerts option and then click Apply Filters.
Alerts Management
Adding Alerts
To add an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left and click Add Alert.
3. On the Add Alert page, on the Alert Properties tab, define the following alert
properties and then click Next:
Enter a unique name for an alert.
5. On the Assigned Clients tab, select the Clients/Client Groups to which the alert will be
assigned and click Next. To find specific Clients/Client Groups, enter their names in the
search box.
6. On the Actions tab, select how you would like to receive the alert notifications and
additional actions to be performed when the alert is triggered:
Select the Send emails to option and then enter the email address to which the
notifications will be sent. You can enter several email addresses separating them with
semicolon.
NOTE: To receive email notifications correctly, make sure that Email Sending
Settings contain correct parameters for email sending.
Select the Show warnings in Tray Notifications application option to activate the tray
notifications. The alert notifications will then pop up from the tray.
Select the Show warning message to user option if you want a warning message to be
displayed to the user when the alert is triggered. You can use the default message or
enter your own text in the box below.
In the Additional actions box, select the Block user on all computers option if you want
to automatically block the user performing forbidden actions, or select the Kill
application option if you want to forcibly stop the detected application.
Rules
About
Alert rules allow you to determine what events on the investigated computer will be
considered an alert. Each alert has to have at least one rule.
Each rule consists of the Parameter, Comparison operator, and Value, to which the Parameter
will be compared.
Username: The name of the user whose work is to be monitored. Set this parameter type for an
alert to be activated whenever the specified user uses the Client computer. If forced user
authentication is enabled and the secondary user login matches the user name alert parameter,
the Client marks the corresponding events as an alert. For example: the alert parameter is
Login LIKE "John"; the user logs in to Windows as Guest and then enters John as the secondary
login; the first record in the session of this user (Guest (John)) is marked as an alert.
Example value: John
Title: The name that appears in the title of a window. Select this parameter type for an alert to
be triggered whenever the specified value is identified in any title on the screen.
Example value: My document
URL: The URL entered in the browser address line or visited by the user. Select this parameter
type for an alert to be triggered whenever the specified value is identified as the URL address.
Example value: facebook.com
Keystrokes: The keystrokes entered by the user. Select this parameter type for an alert to be
triggered whenever the specified value is entered.
Example value: download
Command: The command entered in the Linux terminal. Set this parameter type for alerts to be
activated whenever the specified command is entered.
Example value: sudo
Parameter: The parameter of the entered Linux command. Set this parameter type for alerts to
be activated when the user enters the command with the specified parameters.
Example value: ImportantDocument
Computer Belonging to Domain Group: The name of the domain group. Select this parameter
type for an alert to be triggered on the Client computers belonging to this group.
NOTE: Alerts containing this parameter need to be assigned to the All Clients group to work
properly.
Example value: Accounting
User Belonging to Domain Group: The name of the domain group. Select this parameter type
for an alert to be activated whenever the users of the specified domain group use the Client
computers.
Example value: Support
Comparison operators
For all parameters except for Active Directory groups, you can use the following comparison
operators:
Not equals: The found result does not match the defined value. Example values: John Oliver,
Johny; John
Not like: The found result does not include the defined value. Example values: John Oliver,
Johny, Johan; John
Rules defined for Windows/macOS and Linux parameters do not influence one another. Thus
you can have rules for Windows/macOS and Linux Clients defined in one alert, and the alert will
work correctly.
For example:
Parameter Operator Value
Rule 1 Command Equals su
Rule 2 URL Like facebook.com
Result The alert will be triggered by a user entering the su command in the Linux
terminal or visiting the facebook.com site from a computer with the Windows
or macOS operating system.
When several rules are defined for the same parameter within one alert, using Like or Equals
operators, the alert will be triggered if the conditions of at least one rule are met.
For example:
Parameter Operator Value
Rule 1 Application Equals skype.exe
Rule 2 Application Equals winword.exe
Result The alert will be triggered by a user launching either Skype or Microsoft Word.
When the rules are defined for the different parameters within one alert, the alert will be
triggered if the conditions of all the rules are met.
For example:
Parameter Operator Value
Rule 1 Application Equals skype.exe
Rule 2 Username Like Nancy
Result The alert will be triggered by the user Nancy launching the Skype application.
When you have multiple rules defined for one parameter and one rule defined for the other
parameter, using Like or Equals operators, the alert will be triggered if conditions of any rule
from the first group and the conditions of the rule defined for a different parameter are met.
For example:
Parameter Operator Value
Rule 1 Application Equals skype.exe
Rule 2 Application Equals winword.exe
Rule 3 Username Equals Nancy
Result The alert will be triggered by the user Nancy launching Skype or Microsoft Word.
When you have multiple rules defined for one parameter using the Not equals/Not like
operators, the alert will be triggered only if the found result does not match or include any of
the defined values, i.e., all of the rules must hold.
For example:
Parameter Operator Value
Rule 1 Application Not equals skype.exe
Rule 2 Application Not equals winword.exe
Result The alert will be triggered by the user launching any application except for
Skype and Microsoft Word.
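The combination semantics above (OR between same-parameter Like/Equals rules, AND across different parameters, AND between Not equals/Not like rules, and Linux rules evaluated independently of Windows/macOS rules) become hard to reason about once an alert has more than two or three rules. The following Python script is an added example, not Ekran System code, that evaluates a rule set against one recorded event the way the text describes. The Rule class, the alert_triggered function, the case-insensitive matching, the split of parameters into Linux-only and desktop-only sets, and the treatment of a parameter the event does not carry are all assumptions made for the example; the rule sets at the bottom are constructed from the example tables above.

```python
"""Evaluation of alert rules against a monitored event.

Added example, not the product's own code. It implements the combination
semantics stated in the help text; everything else (case-insensitive
matching, the platform split of parameters, how an absent parameter is
treated) is an assumption made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed platform split, taken from the parameter table above: Command and
# Parameter describe Linux terminal activity; the rest describe desktop
# sessions. Parameters not listed (Username, domain groups) apply everywhere.
LINUX_ONLY = {"Command", "Parameter"}
DESKTOP_ONLY = {"Application", "Title", "URL", "Keystrokes"}


@dataclass(frozen=True)
class Rule:
    parameter: str
    operator: str  # "Equals", "Not equals", "Like", "Not like"
    value: str


def rule_matches(rule: Rule, found: str) -> bool:
    """Compare one found result with the rule value (case-insensitively)."""
    found_l, value_l = found.lower(), rule.value.lower()
    if rule.operator == "Equals":
        return found_l == value_l
    if rule.operator == "Not equals":
        return found_l != value_l
    if rule.operator == "Like":
        return value_l in found_l
    if rule.operator == "Not like":
        return value_l not in found_l
    raise ValueError(f"unknown operator: {rule.operator}")


def applies_to(rule: Rule, platform: str) -> bool:
    """Rules on the other platform's parameters are ignored, not failed."""
    if rule.parameter in LINUX_ONLY:
        return platform == "linux"
    if rule.parameter in DESKTOP_ONLY:
        return platform in ("windows", "macos")
    return True


def alert_triggered(rules: List[Rule], event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the alert's rule set.

    ``event`` carries a ``platform`` key ("windows", "macos" or "linux") and
    one key per parameter the Client recorded, e.g. {"Application": "skype.exe"}.
    """
    applicable = [r for r in rules if applies_to(r, event["platform"])]
    if not applicable:
        return False
    by_parameter: Dict[str, List[Rule]] = {}
    for rule in applicable:
        by_parameter.setdefault(rule.parameter, []).append(rule)
    # Different parameters are ANDed: every parameter group must hold.
    for parameter, group in by_parameter.items():
        found: Optional[str] = event.get(parameter)
        if found is None:
            # Assumption: a parameter the event does not carry has no found
            # result to compare, so its group cannot be satisfied.
            return False
        positive = [r for r in group if r.operator in ("Equals", "Like")]
        negative = [r for r in group if r.operator in ("Not equals", "Not like")]
        # Same-parameter Like/Equals rules are ORed ...
        if positive and not any(rule_matches(r, found) for r in positive):
            return False
        # ... while Not equals/Not like rules must all hold.
        if not all(rule_matches(r, found) for r in negative):
            return False
    return True


# Constructed rule sets mirroring the worked examples in the text.
CROSS_PLATFORM = [Rule("Command", "Equals", "su"), Rule("URL", "Like", "facebook.com")]
EITHER_APP = [Rule("Application", "Equals", "skype.exe"),
              Rule("Application", "Equals", "winword.exe")]
NANCY_SKYPE = [Rule("Application", "Equals", "skype.exe"), Rule("Username", "Like", "Nancy")]
NANCY_EITHER = EITHER_APP + [Rule("Username", "Equals", "Nancy")]
ANY_OTHER_APP = [Rule("Application", "Not equals", "skype.exe"),
                 Rule("Application", "Not equals", "winword.exe")]

if __name__ == "__main__":
    linux_su = {"platform": "linux", "Command": "su"}
    win_fb = {"platform": "windows", "URL": "https://www.facebook.com/"}
    print(alert_triggered(CROSS_PLATFORM, linux_su), alert_triggered(CROSS_PLATFORM, win_fb))
```

Running the script prints True twice: the Linux su event satisfies the Command rule alone and the Windows browsing event satisfies the URL rule alone, because each platform's rules are filtered before the per-parameter AND is applied. The same function reproduces the other four tables when fed the corresponding events.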
Rule Examples
1. To set up the alert notification about any user opening the facebook.com site on the
investigated computer, select the URL parameter and, in the Value field, enter
facebook.com.
NOTE: The URL monitoring option must be enabled for the Client.
2. To set up the alert notification about any user opening any site other than
Facebook on the investigated computer, select the Not like operator:
3. To set up the alert notification about a specific user (e.g., Stefan) opening Facebook on
the investigated computer, define the following parameters:
If you enter more than one name, the alert notification will then appear if any of them
(Stefan or Rick) opens Facebook.
If you use the Not like operator for the entered names, the alert notification will appear if
any user except for Stefan or Rick opens Facebook.
4. To set up the alert notification about any user launching the skype.exe application on
the investigated computer, define the following parameters:
If you use the Not equals operator, the alert notification will appear if any application except
for Skype is opened.
5. To set up the alert notification about a specific user (e.g., Stefan) opening
facebook.com in Chrome, define the following parameters:
6. To set up the alert notification about USB-based storage devices being plugged in, define
the following parameters:
7. To set up the alert notification about entering any command with sudo or the su
command, define the following parameters:
8. To set up the alert notification about accessing the Client computers by users
belonging to the target domain group, define the following parameters:
NOTE: Such alerts need to be assigned to the All Clients group to work properly.
10. To set up the alert notification about launching the skype.exe application by the users
belonging to the target domain group on the Client computers belonging to the target
domain group, define the following parameters:
Enabling/Disabling Alerts
If you do not need to receive notifications on a specific alert which you do not want to
delete, you can disable it in the Management Tool by clearing the Enabled option on the
Alert Properties tab of the Edit alert page. This option can be enabled again later, by
selecting the Enabled option on the same page.
To enable/disable multiple alerts, do one of the following:
On the Alert Management page, select alerts and click Enable/Disable.
On the Alert Management page, click Manage Multiple Alerts. On the opened
Manage Multiple Alerts page, click Enable/Disable next to alerts or Enable
All/Disable All in the last column header.
Editing Alerts
Editing Single Alert
To edit a single alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left.
3. Click Edit alert for the required alert.
4. Edit alert properties and rules on the corresponding tabs in the same way as when
adding a new alert.
NOTE: Click Next or Finish to save the changes on each tab.
5. The alert is edited.
5. On the Assigned Clients tab, select the Client to which the selected alerts will be assigned
and click Next. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
6. Click Finish to save the changes.
7. The alerts are assigned to the Client.
Importing Alerts
To import an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Import Alerts.
4. On the Import Alerts page, click Choose File.
5. In the opened window, select the required .xml file containing the alerts to be imported and
click Open.
6. The imported alerts are added. These alerts are enabled by default but there are no Clients
to which they are assigned. The name, description, risk level, and rules of the imported
alerts are defined according to the .xml file.
NOTE: If Ekran Server contains an alert that has the same ID as one of the imported alerts,
it will be updated.
7. Click Define Imported Alerts Settings to assign the imported alerts to Clients/Client Groups
and to define the notification options.
Deleting Alerts
To delete an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Edit Alert for the required alert.
4. On the Alert Properties tab, click Delete Alert.
5. In the confirmation message, click Delete.
6. The alert is deleted. All alert events that were detected by this alert are no longer
marked as alerts.
Frequency Settings
The Frequency settings group allows you to define how frequently the alert notifications will
appear in the Tray Notifications application and be sent via email.
Minimal interval between notifications sent for the same alert event. This option
defines how frequently the notifications about the same alert event will appear. For
example, if this parameter is set to 10 minutes and a user has started Skype and works
in it, the investigator will receive one notification every 10 minutes instead of
10 notifications every minute, or even more.
Define how often the notification will be sent:
- Send notifications on every alert event option allows you to notify the
investigator on every alert event.
- Send batch notification every (min) option allows you to notify the investigator
about all alert events that occurred during defined time interval. Time counting
starts when the Server starts if this option is selected. Notifications are then sent
with the defined frequency.
Advanced Reports
About
The user activity can be analysed with the help of reports generated via the Management Tool.
These reports allow you to receive the information on the activity of multiple Clients, alert
events, detected URLs, and executed Linux commands, and get statistics on time spent by the
user in each application or on each web-page.
You can schedule the reports to be generated and sent via email at the specified time or
manually generate the reports, which can be saved or printed, via Report Generator.
The reports can be generated in any of the following formats: PDF (*.pdf), Web Page (*.html),
Single File Web Page (*.mht), Rich Text Format (*.rtf), Plain Text (*.txt), Excel Workbook
(*.xlsx), Excel 97-2003 Workbook (*.xls), XPS Document (*.xps), CSV Document (*.csv), and
XML (*.xml).
Report Types
The following types of reports are available in the Management Tool:
Grid Reports
Session Grid Report: All sessions for all selected Clients for the defined users and defined
time interval. Columns: User name; Total time spent (hrs); Session Start Time; Last Activity
Time; Remote IP.
USB Storage Grid Report (for Windows Clients): All detected USB devices on all selected Clients
for the defined users and defined time interval. Columns: Time (date and time of the USB
Storage event); Details (description of the USB devices plugged into the Client computers).
Summary Reports
Chart Reports
URL Chart Report (for Windows and macOS Clients): The same information as in the URL
Summary Report, but in the form of a bar chart. Columns: URL (only the main part of the URL,
e.g., example.com, is added to the report); Total time spent (minutes).
URL Pie Chart Report (for Windows and macOS Clients): The same information as in the URL
Summary Report, but in the form of a pie chart. Columns: URL (only the main part of the URL,
e.g., example.com, is added to the report); Time spent on the website (%).
Scheduled Reports
About
The Management Tool allows creating reports via Report Scheduler and sending them to the
defined email addresses at the defined time interval. Report creation is available to users with
the administrative Client installation and management permission.
The report creation and sending options are defined in rules, which include the following
parameters: rule name and description, report type and format, state (enabled or disabled),
generation frequency (daily, weekly, or monthly), Clients/Client groups, and Users on Clients to
which the rule must be applied.
The created rules are displayed on the Scheduled Reports page in the grid with the following
columns:
Name
Description
Assigned To
Monitored Users
State
Frequency
Email Recipients
5. On the Assigned Clients tab, select the Windows Clients/Client Groups to which the rule will
be applied and click Next. To find specific Windows Clients/Client Groups, enter their names
in the Contains box and click Apply Filters.
6. On the Monitored Users tab, define the users whose activity will be included in the report:
Select the Any user option if you do not need to specify the user whose activity will be
added.
Otherwise, select the Selected users option, click Add Users, and then do the
following:
1) Select the Display only users detected on selected Clients option above the grid
in order to view only the list of users on Clients selected in the Clients section.
2) Select the required users and then click Add selected.
NOTE: Only those users whose activities have already been monitored are
listed.
7. Click Finish.
8. The rule is added.
NOTE: The scheduled report rule can also be created by clicking Create Scheduled Report
Rule on the Report Generator page.
If the report is generated on a weekly basis, it will include the data that was monitored starting
from the specified time and day of the previous week up till the specified time and day of the
current week.
For example:
If the Weekly parameter is set and the report is to be generated on Monday at 18:00, the time
interval of the data for this report will start on Monday of the previous week at 18:00 and end
on Monday of the current week at 18:00.
If the report is generated on a monthly basis, it will include the data that was monitored
starting from the specified time and day of the previous month up till the specified time and
day of the current month.
For example:
If the Monthly parameter is set and the report is to be generated on January, 20, at 19:00, the
time interval of the data for this report will start on December, 20, at 19:00 and end on January,
20, at 19:00.
NOTE: If the Monthly parameter is selected and you want the report to be generated on the
31st day of the month, it will not be generated in those months where there are 30 days or
less.
If the monthly report is set to be generated on the 31st day of month, but there were less than
31 days in the previous month, the time interval of the data for this report will start on the last
day of the previous month and end on the 31st day of the current month.
For example:
If the report is generated on March, 31, the time interval of the data for this report will start
February, 28, or February, 29, and end on March, 31.
If the report is generated from the scheduled report rule, the time interval of the data for the
report will depend upon the current date and time.
For example:
If the Daily parameter is set in the rule and the Start report generation parameter is set
to 15:00, and you want to generate the report at 14:00, the time interval of the data for
the report will start from 14:00 of the previous day and end at 14:00 of the current day.
If the Weekly parameter is set in the rule and the Day of week parameter is set to
Wednesday, and you want to generate the report on Friday at 12:00, the time interval
of the data for the report will start from Friday of the previous week at 12:00 and end
on the current day at 12:00.
If the Monthly parameter is set in the rule and the Day of month parameter is set to the
15th day of month, and you want to generate the report on May, 10, at 10:00, the time
interval of the data for the report will start from April, 10, at 10:00 and end on the
current day at 10:00.
NOTE: If there are too many activities in the defined time interval, the report may become
too large. The generated report file cannot exceed the attachment size allowed by the SMTP
server.
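The interval rules above (one day, one week or one month back from the generation moment; a monthly report whose day the previous month lacks starting on that month's last day; a monthly report due on the 31st being skipped in shorter months) can be checked with the following Python snippet. It is an added example, not the product's own code: report_interval, previous_month_same_day and monthly_generation_dates are names chosen for the example, the dates in it are constructed to reproduce the text's examples (a Monday at 18:00 weekly, January 20 monthly, March 31 monthly, a May 10 manual run), and it generalises the 31st-day rule to any day of month that the previous month does not have. Treating a manual Report Generator run as "generated now" follows the manual-generation examples in the text.

```python
"""Data interval of a scheduled or manually generated report.

Added example, not the product's own code: it encodes the interval rules
from the help text and clamps a missing day of month to the last day of
the previous month, as the text does for the 31st.
"""
import calendar
from datetime import datetime, timedelta
from typing import List, Tuple


def previous_month_same_day(moment: datetime) -> datetime:
    """Same day of month and time one month earlier, clamped to the last day
    of that month (March 31 -> February 28 or 29)."""
    if moment.month == 1:
        year, month = moment.year - 1, 12
    else:
        year, month = moment.year, moment.month - 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def report_interval(frequency: str, generated_at: datetime) -> Tuple[datetime, datetime]:
    """Return (start, end) of the monitored data included in a report
    generated at ``generated_at`` with the given frequency."""
    if frequency == "daily":
        start = generated_at - timedelta(days=1)
    elif frequency == "weekly":
        start = generated_at - timedelta(weeks=1)
    elif frequency == "monthly":
        start = previous_month_same_day(generated_at)
    else:
        raise ValueError(f"unknown frequency: {frequency}")
    return start, generated_at


def monthly_generation_dates(day_of_month: int, year: int,
                             hour: int = 0, minute: int = 0) -> List[datetime]:
    """Moments at which a monthly rule for ``day_of_month`` actually fires
    during ``year``: months shorter than that day are skipped, as the note
    in the text states for the 31st."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day of month must be 1..31")
    return [
        datetime(year, month, day_of_month, hour, minute)
        for month in range(1, 13)
        if day_of_month <= calendar.monthrange(year, month)[1]
    ]


if __name__ == "__main__":
    # Constructed dates reproducing the help text's examples (2024-03-11 is a Monday).
    for freq, when in [("weekly", datetime(2024, 3, 11, 18, 0)),
                       ("monthly", datetime(2024, 1, 20, 19, 0)),
                       ("monthly", datetime(2024, 3, 31, 9, 0)),
                       ("daily", datetime(2024, 5, 10, 14, 0))]:
        start, end = report_interval(freq, when)
        print(f"{freq:8} {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
    print(len(monthly_generation_dates(31, 2024)), "monthly runs on the 31st in 2024")
```

The clamping in previous_month_same_day is what makes the March 31 case start on February 28 or 29 depending on the year, and monthly_generation_dates shows directly which months a 31st-day rule silently skips (seven runs in a year rather than twelve), which is worth knowing before relying on such a schedule for compliance reporting.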
Viewing Logs
For each rule, the user can see the log which contains the information on time when the report
was generated, report name (file name) and type, report generation result (status), number of
results in the report, and the emails to which the report was sent.
NOTE: Only the last 100 records are stored.
Status (Finished, In Progress, or an error reason in case the error occurred during
report generation)
Results Count (Number of results in the report)
Sent To
5. Click the Download link to download the report to your computer.
6. Click the Delete link to delete the report from the log and from the Server.
Report Generator
About
The reports can be generated on the Report Generator page by the user with the Viewing
monitoring results permission and can be previewed before printing.
The main difference between Report Scheduler and Report Generator is that Report Generator
allows you to create reports for a time interval of any length. Note, however, that generating a
report for a long time interval and a large number of Windows Clients may take a long time.
NOTE: You can generate only one type of report at a time via Report Generator.
Report Parameters
The following parameters are defined in the Management Tool when creating a report:
1. Report parameters
This option allows you to select the type of the report and enter its custom Footer text and
Header text.
2. Date filters
This option allows you to define the time interval for which the report will be generated.
3. Clients
This option allows you to select the Clients/Client groups, whose monitored data will be added
to the report.
NOTE: Only Clients for which the user has the Viewing monitoring results permission are displayed.
4. Users
This option allows you to select the users of Client computers whose activity will be included in
the report.
Generating Report
To generate a report, do the following:
1. Log in to the Management Tool as a user with the Viewing monitoring results permission.
2. Click the Report Generator navigation link to the left.
3. Define the report parameters:
Select the type of the report and enter its Footer and Header text.
In the From and To fields, enter the dates and time within which the data of the
monitored Clients should be added.
Click Add Clients and on the opened Adding Clients page select the check boxes
next to the corresponding Clients/Client groups. Once the Clients are selected, click
Add selected.
Define the users whose activity will be included in the report:
o Select the Any user option if you do not need to specify the user whose
activity will be added.
o Otherwise, select the Selected users option, click Add Users, and then do
the following:
1) Select the Display only users detected on selected Clients option above
the grid in order to view only the list of users on Clients selected in the
Clients section.
2) Select the required users and then click Add selected.
NOTE: Only those users whose activities have already been monitored
are listed.
4. Click Generate Report.
5. On the opened Report Preview page, click the corresponding icons located on the toolbar
above the report to perform the following actions:
Print the report
Print the current page
Export and save the report to the disk
Export a report to *.xml format and save it to the disk
You can also navigate between the pages of the report by clicking the blue arrows,
and choose the format of the report by clicking the black arrow that opens a
drop-down list with all supported formats.
Report Type, Header and Footer text, Clients, and Users were defined in Report Generator,
but you can edit them if you want.
9. Click Finish.
USB Monitoring & Blocking
Monitored Devices
For USB-based storage monitoring: the following mass storage devices are automatically
monitored and alerted – external magnetic hard drives, external optical drives
(including CD and DVD reader and writer drives), portable flash memory devices, solid-state
drives, adapters between standard flash memory cards and USB connections, digital cameras,
digital audio and portable media players, card readers, PDAs, and mobile phones.
For kernel-level USB monitoring: the following classes of devices are monitored, blocked, and
alerted:
Mass storage devices – external magnetic hard drives, external optical drives
(including CD and DVD reader and writer drives), portable flash memory devices, solid-state
drives, adapters between standard flash memory cards and USB connections, digital
cameras, digital audio and portable media players, card readers, PDAs, and mobile phones.
Windows portable devices – audio players, phones, and other devices that use a
nonstandard identifier.
Wireless connection devices – Bluetooth adapter, Microsoft RNDIS.
Modems and Network adapters – network interface controllers.
Each class has its own name (e.g., 00, 01, 02, etc.), which can be viewed in the device
properties. The class name allows you to determine which class the detected device belongs to.
For more information, check these links: http://en.wikipedia.org/wiki/USB,
http://www.usb.org/developers/defined_class.
If you do not select any of the actions, the detected USB devices will be monitored and
displayed in the Session Viewer only.
7. On the Assigned Clients tab, select the Clients/Client Groups, to which the rule will be
applied, and click Next. To find specific Clients/Client Groups, enter their names in the
Contains box and click Apply Filters.
8. Click Finish.
9. The rule is added.
4. Click Add.
5. The specified device is added to the list of exceptions.
6. Click Finish to save the USB monitoring rule.
7. The rule is edited.
Configuration
Defining Email Sending Settings
Email sending settings allow you to define the options for sending email notifications for all
alerts, USB monitoring, and reports. They can be edited by users with the administrative
Client installation and management permission.
To define email sending settings, click the Configuration navigation link to the left and open
the Email sending settings tab.
The settings include:
1. Email Connection Settings
Server: This option allows you to define an existing SMTP mail server.
NOTE: The delivery of email notifications via mail servers with only NTLM
authentication, such as Microsoft Exchange Server, is not supported.
From: This option allows you to define an existing email account from which the email
notifications will be sent.
Port: This option allows you to define the email server port number via which the
emails will be sent.
Encrypted connection type: This option allows you to define the type of encrypted
connection via which the email notifications will be sent. You can choose between:
- None
- SSL
- TLS
2. Email Connection Credentials
This option allows you to define the login details (User and Password) for the email server.
NOTE: For the email notifications to be sent correctly, you have to define the credentials
of the email account specified in the From field under the Email Connection Settings.
If the mail server does not require entering any credentials, you can select the No
authentications option.
3. Email Connection Test
This option allows you to send a test email to a specified email address to check if all email
connection settings are correctly defined.
4. Administrator Email
This option allows you to define the administrator’s email address to which the access
requests of restricted users will be sent. You can define several email addresses, separated
by semicolons (;).
Windows and Linux Client records: This option allows adding all session records of
Windows and Linux Clients to a log file.
Alert events: This option allows adding all alert events of Windows and Linux Clients to
a log file.
Management Tool Log Events: This option allows adding all Management Tool Log
records to a log file.
3. Cleanup Settings
In this section, you can define the parameters for the cleanup operation.
Cleanup daily at: This option allows you to define the time to execute the cleanup
operation on a daily basis.
Cleanup every: This option allows you to define the frequency of the cleanup
operation.
Maximum file size (GB): This option allows you to define the maximum size of a log file.
NOTE: During each cleanup operation, the current log file is renamed (the date and time of
the cleanup operation is added to its name) and a new one is created in the same folder. To
avoid running out of space on the Server computer where the log files are stored, it is
recommended to check the used disk space regularly and delete log files that are no longer
needed.
Domain NetBIOS Name: Define the NetBIOS name of the domain you want to connect
to.
User: Define the name of the user belonging to the Active Directory domain you want
to connect to.
Password: Define the password of the user account belonging to the Active Directory
domain you want to connect to.
5. On the LDAP Targets tab, a new LDAP target is displayed in the grid.
To define date & time format, click the Configuration navigation link to the left and open the
Date & Time Format tab.
The settings include:
1. Management Tool Date & Time Format
These user-specific settings apply to all the pages available in the Management Tool.
The Management Tool date format option allows you to define the date format for the
Management Tool.
The Management Tool time format option allows you to define the time format for the
Management Tool.
2. Server Date & Time Format
These settings apply to the features processed on the Server: Forensic Export, Email Alert
Notifications, Email USB Alerts, and Reports (generated via the Report Generator &
Scheduled Reports).
The Server date format option allows you to define the date format for the Server.
The Server time format option allows you to define the time format for the Server.
The settings allow you to choose between the following date formats (format – example):
dd/mm/yyyy – 23/02/2017
mm/dd/yyyy – 02/23/2017
yyyy/mm/dd – 2017/02/23
The settings allow you to choose between the following time formats (format – example):
HH/mm/ss – 08:20:15
H/mm/ss – 8:20:15
hh/mm/ss tt – 08:20:15 AM
h/mm/ss tt – 8:20:15 AM
Viewing Monitoring Results
it to be in the grid. To hide the columns in a grid, click Hidden columns, and drag the
header of the corresponding column to the Hidden columns area.
NOTE: If the user logs in to the Client computer remotely via DameWare, Radmin, UltraVNC, or
TightVNC after the Client session has already started, the remote IP address will not be
detected.
Filtering Sessions
A user can filter out sessions by metadata in one of the following ways:
By specific parameters
By searching in session data
To add other filters, click More criteria and select a filter from the opened list:
Type: Allows filtering sessions by their type (Live or Finished).
OS: Allows filtering sessions by the operating system type (Windows or Linux).
Start: Allows filtering sessions by the date and time the session started.
Last Activity: Allows filtering sessions by the date and time of the last screenshot or
executed Linux command.
Finish: Allows filtering sessions by the date and time the session finished. If the session
has the Live status, this field is empty.
IPv4: Allows filtering sessions by the IPv4 address of the Client computer.
IPv6: Allows filtering sessions by the IPv6 address of the Client computer.
Remote IP: Allows filtering sessions by the IP address from which the user logged in to the
Client computer.
Domain: Allows filtering sessions by the name of the domain to which the Client
belongs.
Client Description: Allows filtering sessions by the custom Client description.
Client Group: Allows filtering sessions by the name of the Client Group to which the
Client belongs.
User’s Comment: Allows filtering sessions by the comment entered in the additional
message.
To remove the extra filter from the filtering pane, click X on the filter button.
The search is performed in the sessions displayed in the Session grid in accordance with the
session sorting order.
Export Sessions
To perform forensic export of all filtered out sessions, click . In the confirmation window,
click Export. The Forensic Export History page opens, displaying the export progress.
As soon as the export process finishes, the resulting files become available for downloading.
Click Download to download the file with Forensic Export results.
Sorting Sessions
To sort sessions in the Session grid, click the required column header. You can change column
sort order from ascending to descending, and vice versa. To do this, click the Sort arrow near
the column header.
Playing Sessions
About
The Session Viewer is a part of the Management Tool that allows viewing the monitored data
of one selected session.
To open the Session Viewer, select one of the sessions in the Sessions grid on the Monitoring
Results page and click on it.
By default, the Session Viewer interface is divided into the following areas:
Session Player pane: Allows viewing screenshots made on the computer with the
Windows Client installed, or visually recreated interactive data of the recorded Linux
terminal (input and output as the user sees them in the terminal). The navigation
section allows you to manage the playback of the video of screenshots or commands.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of
this Client will contain no screenshots.
[Windows Client] Details pane: Allows viewing the keystrokes and the clipboard text
data associated with the selected record, USB device information, and URL addresses of
websites visited by a user.
Metadata pane: Displays the session data in the form of grid, which includes:
o Activity time, Activity title, Application name, Text data, Alert/USB rule name,
and URLs for Windows Clients;
o Activity time, Command, Function, Parameters, and Alert name for Linux Clients.
Session Player
The Session Player allows viewing screenshots made on the computer with the Windows Client
installed, or graphic representation of the recorded Linux terminal (input and output as the
user sees them in the terminal).
You can view them separately by selecting the required record from the Metadata grid or play
all monitored data in the form of video.
The following actions are available:
To play/pause the video playback, click Play/Pause.
To move from one record to another, click To the beginning, To the end, Previous, or
Next.
To define the speed with which monitored data changes in the Player area, click
. The available speed options are 1/2/4/8/16 frame(s) per second.
To block the user, click .
To view the list of alert events for this session in the Alert viewer, click .
To receive the link to a certain position in the session, click .
To download a displayed screenshot, click .
To perform forensic export, click .
Magnifier
If you need to view data displayed in the Player in detail, use the Magnifying Glass option.
To enlarge the certain part of the played data, do the following:
To turn off the Magnifying Glass, click the Magnifying Glass again.
Metadata Grid
Metadata grid is located to the right of the Player. It contains detailed information on
monitored user activity. Information is displayed in the grid with the following columns:
[Windows Client]
Activity Time: Displays the date and time of the recorded activity.
Activity Title: Displays the name of the active window that is associated with recorded
activity.
Application Name: Displays the name of the application started on the Client computer.
URL: Displays the top and second-level domain name of the visited web resource.
Text Data: Displays the keystrokes typed by the user and the clipboard text data.
Alert/USB Rule: Displays the name of the triggered alert or USB rule. The colour of an
alert highlighting corresponds to the alert risk level.
o The alerts with the critical risk level will be highlighted in red colour.
o The alerts with the high risk level will be highlighted in yellow colour.
o The alerts with the normal risk level will be highlighted in blue colour.
[macOS Client]
Activity Time: Displays the date and time of the recorded activity.
Activity Title: Displays the name of the active window that is associated with recorded
activity.
Application Name: Displays the name of the application started on the Client computer.
URL: Displays the top and second-level domain name of the visited web resource.
Alert: Displays the name of the triggered alert. The colour of an alert highlighting
corresponds to the alert risk level.
o The alerts with the critical risk level will be highlighted in red colour.
o The alerts with the high risk level will be highlighted in yellow colour.
o The alerts with the normal risk level will be highlighted in blue colour.
[Linux Client]
Activity Time: Displays the date and time when the command was executed.
Filtering Data
You can filter the metadata in the Metadata grid on the Player page in one of the following
ways:
Via searching
Via filtering by column
After data filtering, the Session Player switches to the Filtered View mode.
Filtering via searching
The Search field allows you to find metadata containing search expression in:
Activity title
Application Name
Keystrokes
Clipboard text data
To filter by a non-date field (Client name, OS, User name, etc.), click the filter icon near the
required column name, select one or several options, and then click OK.
To filter by a date field (Start, Last Activity, or Finish), click the filter icon near the required
column name, select the From and To dates, and then click OK.
Sorting Data
To sort metadata in the Metadata grid, click the required column header. You can change
column sort order from ascending to descending, and vice versa. To do this, click the Sort arrow
next to the column header.
If the data is not sorted in this column, the Sort arrow is hidden.
Live Sessions
The Session Viewer allows you to view Client Live sessions in real time, i.e., while the
monitoring of the Client computer is still in progress.
To play a live session, do the following:
1. Click on the session with the type Live in the Client Sessions grid.
2. The Session Player opens in the full screen mode. The Metadata grid is hidden.
3. Data in the Player is refreshed as soon as new monitored data is received from the
Client.
To stop playing the Live session, click . After this, data stops auto-updating and the
session can be played in the same way as Finished sessions.
NOTE: If you are viewing the session of the Windows Client with the enabled Capture screen
on each event without timeout option, it may affect CPU usage and cause performance
slowdown due to the great number of received screenshots.
Viewing Keystrokes
The captured keystrokes are displayed in the Text data column in the Metadata grid. When you
select a record in the Metadata grid, the keystrokes associated with it are displayed in the
Details pane below the Player pane. By default, only text characters are displayed. You can
enable displaying all keystrokes logged (e.g., navigation keys, functions keys, etc.) by clearing
the Show only text characters option. Then any other keys and key combinations will be
displayed in square brackets. If a key was pressed repeatedly, it will be displayed with an "x"
sign and the number of reiterations (e.g., [F12 x 24]).
If the user types text using the Left/Right arrow keys and the Backspace or Delete keys, these
keys are processed by the system to edit the logged keystrokes. When the keystrokes are edited,
only the end result of the text the user meant to type is displayed in the Details pane.
To see this result, the Show only text characters option must be selected.
For example:
If the user types “Helo” and then uses the left arrow to go back and correct the word by typing
another “l”, the word “Hello” will be displayed in the Details pane, rather than the raw key
sequence “Helol”.
Presentation of keystrokes with the selected Show only text characters option.
Presentation of keystrokes with the unselected Show only text characters option.
If the user corrects the word using a mouse, the keystrokes are not edited.
For example:
If the user types “Fried” and then uses the mouse to go back and correct the word by typing
letter “n”, the word “Friedn” will be displayed in the Details pane, instead of “Friend”.
If the user types the text in different applications, the logged keystrokes are split according to
screenshots.
For example:
If the user types “Hello” in Skype and then opens Word and types “Ok”, the word “Hello” will
be displayed next to the screenshot associated with Skype, and the word “Ok” will be displayed
next to the screenshot associated with Word, instead of “HelloOk”.
NOTE: If the Enter key was pressed during input, the log is split in the Metadata grid.
However, to maintain text integrity, keystroke lines with the same Title–Application pair are
grouped together in the keystrokes box.
For security reasons, Ekran System hides the keystrokes entered in password fields in
Windows forms and the most popular browsers. The passwords entered by the user are displayed
in the Metadata grid as asterisks.
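The two presentations described above (the edited end result with Show only text characters selected, and the raw sequence with bracketed special keys and repeat counts when it is cleared), as an added model written for this page rather than code from Ekran System. It assumes keystrokes arrive as a list in which ordinary characters are one-character strings and special keys are names such as "Left" or "Backspace"; mouse clicks are not keystrokes and so, as the manual notes, do not move the cursor.

```python
def apply_text_edits(keys):
    """'Show only text characters' view: replay the cursor-editing keys
    (Left, Right, Backspace, Delete) so that only the text the user meant
    to type remains. Other special keys (F12, Ctrl, Enter, ...) are dropped.
    """
    buf = []      # characters typed so far
    cursor = 0    # insertion point within buf
    for key in keys:
        if key == "Left":
            cursor = max(0, cursor - 1)
        elif key == "Right":
            cursor = min(len(buf), cursor + 1)
        elif key == "Backspace":
            if cursor > 0:              # nothing to delete at the start
                del buf[cursor - 1]
                cursor -= 1
        elif key == "Delete":
            if cursor < len(buf):       # nothing to delete at the end
                del buf[cursor]
        elif len(key) == 1:             # ordinary text character
            buf.insert(cursor, key)
            cursor += 1
        # any other special key leaves the text unchanged
    return "".join(buf)


def render_all_keys(keys):
    """'Show only text characters' cleared: text as typed, special keys in
    square brackets, and a run of the same special key collapsed to
    "[Key x N]" as in the manual's "[F12 x 24]" example."""
    out = []
    i = 0
    while i < len(keys):
        key = keys[i]
        if len(key) == 1:
            out.append(key)
            i += 1
            continue
        run = 1
        while i + run < len(keys) and keys[i + run] == key:
            run += 1
        out.append(f"[{key}]" if run == 1 else f"[{key} x {run}]")
        i += run
    return "".join(out)


if __name__ == "__main__":
    # Constructed key sequences reproducing the manual's examples.
    helo = list("Helo") + ["Left", "l"]             # corrected with the arrow key
    fried = list("Fried") + ["n"]                   # corrected with the mouse
    print(apply_text_edits(helo), "|", render_all_keys(helo))
    print(apply_text_edits(fried), "|", render_all_keys(fried))
    print(render_all_keys(["F12"] * 24))
```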
When you select a record in the Metadata grid, the clipboard text data associated with it is
displayed in the Details pane below the Player pane.
Metadata grid
If you are using rules for kernel-level USB monitoring according to which the devices are
detected or blocked, each time the alert event occurs, a screenshot is created. In the Metadata
grid, this is indicated by highlighting the activity in the grid.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client
will contain no screenshots.
When you select a USB-device-related screenshot or a row in the Metadata grid, the USB
device info associated with it is displayed in the Details pane below the Player pane.
If the device was blocked, it is marked as BLOCKED in parentheses.
Viewing URLs
If the URL monitoring option is enabled for the Windows Client, then each time the user activity
is captured while the user is working in the browser, the URL address is saved and displayed in
the URL column in the Metadata grid. If there are several records made while the user is
viewing one page on a certain website, then all of them contain the same URL information.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client
will contain no screenshots.
The URL column contains only top and second-level domain names even if the parameter is not
selected in the URL monitoring settings for the Windows Client. The full URL address is
displayed in the Details pane.
NOTE: As obtaining the URL address to be monitored may take about 600 milliseconds, the
screenshot and its activity title may not be properly synchronized with the URL address in
the Session Viewer (e.g., the user may see a screenshot with the URL address that belongs to
the previous one).
Viewing URLs
If the URL monitoring option is enabled for the macOS Client, then each time the user activity is
captured while the user is working in the browser, the URL address is saved and displayed in
the URL column in the Metadata grid. If there are several records made while the user is
viewing one page on a certain website, then all of them contain the same URL information.
The URL column contains only top and second-level domain names even if the parameter is not
selected in the URL monitoring settings for the Windows Client. The full URL address is
displayed in the Details pane.
NOTE: As obtaining the URL address to be monitored may take about 600 milliseconds, the
screenshot and its activity title may not be properly synchronized with the URL address in
the Session Viewer (e.g., the user may see a screenshot with the URL address that belongs to
the previous one).
Viewing Alerts
About
The Alert viewer is a part of the Management Tool which allows viewing detailed information
on alert events.
You can open the Alert Viewer from the following places:
The Session Player: The Alert viewer displays all alert events for the session.
The list of Client sessions: The Alert viewer displays all alert events for the selected
session.
The Recent Alerts dashboard: The Alert viewer displays all alert events that happened
within the defined time interval for the selected alert.
The Alert Management page: The Alert viewer displays the latest 100 events for the
selected alert.
To display/hide the metadata associated with the alert event, click below the
metadata information.
To move between the alert events, use the Previous, Next, First, and Last buttons.
To enlarge a certain part of the played data, click the Magnifying Glass . The
Magnifier window opens on the right. Move the rectangle across the displayed data.
To open the session in the Session Player, click Open Session. The Session Player opens
in a new tab. The session playback starts with the selected alert event.
To view the Alert events for the Windows Clients, select Windows Events tab.
To view the Alert events for the Linux Clients, select Linux Events tab.
Archived Sessions
About
During the archiving & cleanup operation all the old Client sessions are archived and then
deleted from the current Ekran database. This allows saving the monitored data in a secure
storage and viewing the archived sessions in the Session Viewer any time.
Dashboards
About
Ekran System allows viewing certain types of information using dashboards displayed on the
Home page. Dashboards provide you with a convenient real-time view of the most important
data. The following dashboards are available:
Licenses
Clients
Database Storage Usage
Recent Alerts
Latest Live Sessions
Sessions out of Work Hours
Rarely Used Computers
Rarely Used Logins
With the dashboards, you can see several types of data grouped in one place.
The dashboards are customizable, with the customization settings stored on the Server. Thus, if
you log into the Management Tool from any other computer, your dashboards will look the
same way as you have previously customized them.
You can choose which dashboards to show or hide, rearrange the dashboards on the screen,
add several dashboards of the same type to see the same data in different variations, and
more.
Dashboard Types
Licenses
The Licenses dashboard allows you to view statistics on the number of available licenses, free
licenses, and unlicensed computers. The dashboard is updated every 5 minutes.
Clients
The Clients dashboard allows you to view statistics on the number of Clients which are
currently online and offline. The dashboard is updated every minute.
To view the dashboard, you need to have one of the following permissions:
The administrative Client Installation and Management permission. With this
permission, you can see information on all the clients in the system.
At least one of the Client permissions. In this case, you will see only the Clients for which
you have the Client permission(s).
If you do not have the administrative Client Installation and Management permission or any
Client permissions, you will see an empty dashboard with the text saying you do not have the
permissions for viewing this data. Also, the dashboard will not be displayed in the Add
dashboard drop-down list.
Recent Alerts
The Recent Alerts dashboard contains a bar chart that presents information on alerts triggered
within a specific time period. The dashboard is updated every 15 minutes.
Each bar in the graph corresponds to an enabled alert. The length of each bar corresponds to
the number of notifications received within a specific time interval. The colour of each bar
corresponds to the alert risk level.
The alerts with the critical risk level are highlighted in red colour.
The alerts with the high risk level are highlighted in yellow colour.
The alerts with the normal risk level are highlighted in blue colour.
To see the list of alert events, click on the bar with the alert name. In the opened window, the
following information is displayed:
Time
Client name
User name
To open a corresponding session in the Session Viewer, click Play.
To view the alert events in the Alert Viewer, click Open Alert Viewer.
You can define the following settings for the Recent Alerts dashboard:
Time interval: the period for which the alerts are selected.
Each column corresponds to a day on which sessions out of work hours were recorded. The
height of a column corresponds to the number of sessions recorded on that date.
To see the number of sessions recorded on a specific date, hover over the corresponding
column.
To see the list of sessions recorded on a specific date, click the corresponding column. In the
opened window, the following information is displayed:
Client Name
User Name
Start
Last Activity
Finish
To see the session in the Session Viewer, click Play.
You can define the following settings for the Sessions out of Work Hours dashboard:
Period: set the specific time period for which the alerts are selected.
Colour: set the specific colour for the columns.
Work hours & Work days: set the hours and days of the week to be considered as a
working schedule.
Only the sessions with the activities out of the defined schedule are displayed in the
dashboard.
To view the dashboard, you need to have the administrative Client Installation and
Management permission. If you do not have this permission, you will see an empty dashboard
with the text saying you do not have the permissions for viewing this data. Also, the dashboard
will not be displayed in the Add dashboard drop-down list.
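The selection rule for this dashboard, as an added example that is not Ekran System code: a session is shown when some of its activity, from Start to Last Activity, falls outside the configured work days and work hours. The manual does not say how the product evaluates a session, so the example assumes the whole Start-to-Last-Activity interval is checked (not just the start time) and that the dashboard's columns are keyed by the session's Start date.

```python
from datetime import datetime, time, timedelta

# Constructed schedule: Monday..Friday (datetime.weekday() 0..4), 09:00-18:00.
WORK_DAYS = {0, 1, 2, 3, 4}
WORK_HOURS = (time(9, 0), time(18, 0))


def is_out_of_work_hours(start, last_activity,
                         work_days=WORK_DAYS, work_hours=WORK_HOURS):
    """True if any part of [start, last_activity] lies outside the schedule.

    The session is split at midnight so that a session crossing into the
    next day, or into a non-working day, is evaluated day by day.
    """
    if last_activity < start:
        raise ValueError("last_activity precedes start")
    win_open, win_close = work_hours
    day = start.date()
    while day <= last_activity.date():
        day_begin = datetime.combine(day, time.min)
        day_end = day_begin + timedelta(days=1)
        seg_start = max(start, day_begin)          # session part on this day
        seg_end = min(last_activity, day_end)
        if day.weekday() not in work_days:
            return True                            # activity on a non-working day
        if (seg_start < datetime.combine(day, win_open)
                or seg_end > datetime.combine(day, win_close)):
            return True                            # activity before/after work hours
        day += timedelta(days=1)
    return False


def sessions_out_of_hours_per_day(sessions, work_days=WORK_DAYS,
                                  work_hours=WORK_HOURS):
    """Count out-of-hours sessions per Start date: the data behind the
    dashboard's columns. `sessions` is an iterable of (start, last_activity)."""
    counts = {}
    for start, last_activity in sessions:
        if is_out_of_work_hours(start, last_activity, work_days, work_hours):
            counts[start.date()] = counts.get(start.date(), 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sessions; 2017-02-20 is a Monday, 2017-02-24 a Friday.
    sample = [
        (datetime(2017, 2, 20, 10, 0), datetime(2017, 2, 20, 12, 0)),   # inside hours
        (datetime(2017, 2, 20, 8, 30), datetime(2017, 2, 20, 10, 0)),   # started early
        (datetime(2017, 2, 24, 17, 0), datetime(2017, 2, 25, 1, 0)),    # ran past midnight
        (datetime(2017, 2, 25, 10, 0), datetime(2017, 2, 25, 11, 0)),   # Saturday
    ]
    for day, n in sorted(sessions_out_of_hours_per_day(sample).items()):
        print(day, n)
```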
To view detailed information on the sessions, click the target Client Name link. In the opened
window, the following information is displayed:
Client Name
Start
Last Activity
Finish
To open a session in the Session Viewer, click Play.
You can define the following settings for the Rarely Used Computers dashboard:
Customizing Dashboards
The dashboard layout is customizable. You can choose which dashboards you want to see on
the Home page. The following options are available:
Add a dashboard. Click Add dashboard over the dashboard area and then select the
desired dashboard from the drop-down list. You can add several dashboards of the
same type to view the desired information in different variations. You can have up to
eight dashboards on the Home page.
Hide a dashboard. Click the icon in the top right corner to hide the dashboard.
Collapse/expand a dashboard. Use the and icons in the top left corner of the
dashboard to collapse or expand it.
You can also choose what your dashboards will look like. The following options are available:
Rearrange the dashboards. Click on the dashboard you want to move and drag it to a
new location.
Resize a dashboard. Click on one of the bottom corners of the dashboard and drag the
border of the dashboard.
Define the settings for a dashboard. Click the icon in the top right corner of the
dashboard to change its settings.
The customization settings are user-specific and are stored on the Server.
To restore the default settings, click Restore Layout over the dashboard area.
Interactive Monitoring
About
Interactive Monitoring allows viewing the detailed information on the total time spent by the
user in each application/on each website.
Viewing Data
The information on all applications and URL monitored data is displayed in the form of two
column charts (Applications Monitoring chart and URL Monitoring chart). The number of
columns corresponds to the number of applications used and websites visited. Only
information on the Clients for which the user has the Client Viewing Monitoring Results
permission is displayed.
To view the monitored data, do the following:
1. Define the specific parameters to filter out the data:
Who: filter by a specific user logged into the Client computer.
Where: filter by a specific Client.
When: filter by the time period.
To set the time period, select one of the following:
- Define the number of latest days or weeks. If you define 1 day, sessions
recorded during the current day will be displayed.
- Define the start date and the end date of the time period.
2. Click Generate.
3. The filtered monitored data is displayed in both charts.
To zoom in and out of the Application Monitoring and URL Monitoring charts, use mouse
scroll.
To see the list of sessions containing information on the target application, click on the
column with the application name. In the opened window, the following information is
displayed:
Client Name: the name of the Client computer on which the target application was
launched.
User Name: the name of the user logged in to the Client computer.
NOTE: If Forced User Authentication is enabled on the Client computer, the user name
is displayed as: <logged in Windows user> (<secondary authentication user>).
Start: the start time of a session.
Last Activity: the date and time of the last screenshot taken or the last Linux command
executed.
Finish: the date and time when the session finished.
To open a corresponding session in the Session Viewer, click Play.
Forensic Export
About
Forensic Export allows exporting a session in encrypted form so that the monitored session can
be viewed on any computer, even one without access to the Management Tool. The session is
exported into a signed executable file, which contains an embedded player for displaying the
graphical information and metadata. The validity of Forensic Export results can be checked via
the Management Tool. The results of the export are stored on the Server until you delete them.
5. Select the Export session fragment starting from current Player position option and
enter the start and end time of the required fragment.
6. Select the Include keystrokes option if necessary.
7. Click Export.
8. The Forensic Export History page opens, displaying export progress.
9. As soon as the export process finishes, the resulting file becomes available for downloading.
10. Click Download to download the file with Forensic Export results.
1. Log in to the Management Tool as a user with the Viewing monitoring results
permission.
2. Click the Monitoring Results navigation link to the left.
3. On the Client Sessions page, filter sessions by necessary criteria.
4. Click the Export button in the search pane.
5. In the opened message, click Export to continue.
6. The Forensic Export History page opens, displaying export progress.
7. As soon as the export process finishes, the resulting files become available for downloading.
All exported sessions include keystrokes.
8. Click Download for each exported session to download the Forensic Export results.
NOTE: Forensic export of a large number of sessions might take a long time and affect the
Server performance.
To download the exported session, click Download in the Forensic Export History grid.
To delete the exported session from Server, click Delete in the Forensic Export History grid.
The Forensic Export Player interface is divided into the following parts:
Player pane: Allows viewing screenshots made from the computer on which the
Windows Client is installed, or visually recreated interactive data of the recorded Linux
terminal (input and output as the user sees them in the terminal). The navigation
section allows you to manage the playback of the video of screenshots or commands.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of
this Client will contain no screenshots.
[Windows Client] Details pane: Allows you to view the text data (keystrokes and
clipboard text data) associated with the selected event, USB device information, and
URL addresses of websites visited by a user.
Metadata pane: Displays the session data in the form of grid, which includes:
o Activity time, Activity title, Application name, Text data, and URLs for Windows
Clients;
o Activity time, Command, Function, and Parameters for Linux Clients.
NOTE: If the user performing export does not have the Viewing text data permission for this
Client, Forensic Export results will contain no text data.
You can do one of the following while viewing:
To play/pause the video, click Play/Pause in the Player pane.
To move from one record to another, use the control buttons in the Player pane.
To open the monitored data to the full-screen mode, double-click the monitored data
Troubleshooting
Quick Access to Log Files
Log files contain information that might be useful to the administrator for detecting problems in
the system, if any.
You can either analyse the log files yourself to get more information on what is happening in
your system, or send them to the Support team to help them find the source of the problems in
your system.
In case the log files contain the information on some errors, the warning message will be
displayed on the Diagnostics page.
To download the Server log file, log in as a user with the Database Management permission,
click the Diagnostics navigation link to the left and then click Download Server log file. The log
file will be downloaded to your computer.
NOTE: On the Server computer, the Server log (Server.log) is stored in the Server installation
folder. The default location of the Server installation folder is C:\Program Files\Ekran
System\Ekran System.
To download the Management Tool log file, log in as a user with the Database Management
permission, click the Diagnostics navigation link to the left and then click Download
Management Tool log file. The log file will be downloaded to your computer.
Database/Server
Database/Server Related Issues
Issue: I cannot start the Server from the Server tray.
Cause/Solution: To start the Server, the Server tray service must be started under the administrator account.

Issue: There are too many records in the database.
Cause/Solution: Use the automatic or manual database cleanup feature to remove the old records from the database. To do this, in the Management Tool, click the Database Management navigation link and define the cleanup settings on the corresponding tabs.

Issue: I have defined a new database, what happened to the old one?
Cause/Solution: The old database remains in place and is not changed.

Issue: I need to transfer the data from an old database to a new one / I want to change the type of the database without losing data.
Cause/Solution: Unfortunately, the data cannot be transferred from one database to another.

Issue: I have transferred the SQL database to another computer.
Cause/Solution: Unfortunately, you can't relocate the SQL database to another computer. Though you can move it to another location on the same PC with SQL means.

Issue: I have changed the location of the Firebird database.
Cause/Solution: To redefine the location of the Firebird database, move it to another location and change the corresponding values in the Windows Registry Editor. See the Moving the Server Database chapter for more details.

Issue: I have installed a new version of the Server and I want to use the old database.
Cause/Solution: If you have updated the Server, your old database will remain. If you have reinstalled the Server, you need to use a new database.

Issue: I have used the database cleanup feature, but the size of the database didn't change.
Cause/Solution: The cleanup feature only removes data from the database, but does not change the size reserved by it. To reduce the size of the database, click Shrink database on the Database Options tab on the Database Management page of the Management Tool.

Issue: I cannot shrink the database: the Shrink database button is absent in the Management Tool on the Database Options tab.
Cause/Solution: Make sure you use the MS SQL Server database. The shrinking cannot be performed if the cleanup procedure is in progress.

Issue: My antivirus blocks the Server uninstallation/update.
Cause/Solution: Due to the uninstaller specifics, some anti-viruses might detect it as a false positive during virus scan. In this case, it is recommended to disable your anti-virus during Server uninstallation/update.

Message: If you get the following message in the Management Tool: "Connection with the MS SQL database is lost. Please check that the database is accessible and try again."
Cause/Solution: The Server has lost the connection to the MS SQL Server. Please make sure that the MS SQL Server is running and it is online and accessible. To check that the MS SQL Server computer is accessible, enter the following command in the Windows command line:
ping <name of the MS SQL Server computer>
Another possible cause is that the connection to the MS SQL Server is blocked by the Firewall. Try disabling the Firewall on the MS SQL Server side.

Message: If you get the following message when trying to restart the Server service: "Not enough permissions to restart the Server."
Cause/Solution: You can restart the Server service only under the administrator account.

Message: If you get the following message from the Server tray service: "The Server connection with the database has been lost. Click to view logs."
Cause/Solution: The Server has lost the connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line:
ping <name of the computer with installed database>
If the problem comes up again, please send us the logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.
Management Tool
Management Tool Related Issues
Issue: HTTP 500 Internal Server error is displayed when I try to connect to the Management Tool.
Cause/Solution: For Windows 7, follow these instructions:
1. Make sure that all the following options are selected in the Windows Features window: .NET Framework 3.5 > Windows Communication Foundation HTTP Activation and Windows Communication Foundation non-HTTP Activation.
2. Run the Command Prompt (cmd.exe) as administrator and enter %windir%\Microsoft.NET\Framework\v4.0.xxxxx\aspnet_regiis.exe -iru (for a 32-bit computer) or %windir%\Microsoft.NET\Framework64\v4.0.xxxxx\aspnet_regiis.exe -iru (for a 64-bit computer).
Example: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
3. Press Enter.
For Windows 8.0 or 8.1, make sure that all the following options are selected in the Windows Features window: .NET Framework 3.5 > Windows Communication Foundation HTTP Activation and Windows Communication Foundation non-HTTP Activation.

Issue: The license management function is unavailable and I cannot assign licenses to Clients.
Cause/Solution: Make sure you have the administrative Client installation and management permission. If you have this permission, but the license management function is still unavailable, then your copy of the program is not licensed. Please purchase serial keys and activate them online, or activate them on your vendor's license site and add them offline.

Issue: I have no Internet connection on the computer with the installed Server and cannot activate serial keys.
Cause/Solution: You can activate the serial keys on the license site of your vendor and then add the activated keys on the computer with the installed Server.

Issue: I have reinstalled/updated the Server and now there are no activated serial keys in it.
Cause/Solution: If you activated serial keys online, after you reinstall or update the Server, the activated serial keys will be automatically synchronized. For this purpose, you need to have an active Internet connection during the first start of the Server.
If you used an offline activation (added activated serial keys), you need to add them in the Management Tool again.

Issue: The list of the domain computers is empty during the Client installation.
Cause/Solution: This problem can be caused by network or Windows issues (e.g., your computer cannot connect to the local network). If there are no network problems, try searching for computers via the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page click Add computers by IP.

Issue: The list of the domain computers is not complete during the Client installation.
Cause/Solution: Ekran System obtains the list of domain computers using standard Windows methods, which do not always provide the full list of computers.

Issue: The target computer is out of the domain.
Cause/Solution: If the DNS settings of your computer network allow, you can:
- Search for computers using the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page, click Add computers by IP.
- Create an installation package and install a Client locally on the target computer. To generate an installation package, on the Computers without Clients page, click Download installation file and then select the type of the installation file you want to download. When the installation file is downloaded to your computer, you can start the installation process.

Issue: I have assigned a Terminal Server Client license instead of a Workstation Client license to the Client, or I have assigned a license to the wrong Client.
Cause/Solution: Any license can be unassigned from a Client at any time.

Issue: There are some Clients that I did not install.
Cause/Solution: These may be old Clients that were installed earlier. You can uninstall them remotely via the Management Tool or locally on the Client computer.

Issue: I do not receive email notifications, although the parameters are correct.
Cause/Solution: Make sure you do not use Microsoft Exchange Server 2010, which is not supported.

Issue: Some of the Management Tool functions are unavailable.
Cause/Solution: Make sure that you have the corresponding permissions for these functions.

Issue: I do not want to provide the user with access to all Clients.
Cause/Solution: By defining the Client permissions for the user in the Management Tool, you can define which Clients the user will have access to.

Issue: I forgot the password of the internal user.
Cause/Solution: Contact the administrator and ask them to change the password.

Issue: The user is able to perform actions that are supposed to be prohibited for them (e.g., the user sees the Clients that they do not have a permission for).
Cause/Solution: Check the groups which the user belongs to. They might have inherited some new permissions from these groups.

Message: If you get the following message when trying to connect to the Management Tool: "Server is unavailable. Please contact administrator."
Cause/Solution: The program encountered an unexpected error while trying to perform an action.
- Please refresh the Management Tool.
- Please make sure that the Server is running.
- Please restart the Server and try again.
- If the problem comes up again, please contact the support.

Message: If you get the following message when trying to connect to the Management Tool: "Wrong password or username."
Cause/Solution: Please make sure that your login and the password are correct. If you are logging in as a Windows user, do not forget to enter <domain name>\<login>.

Issue: I have successfully logged into the Management Tool but I cannot see any captured data from the Windows Client.
Cause/Solution: Please check the section "Possible Problems with Receiving Data from Clients". Contact the administrator and check if you have the Viewing monitoring results permission for the Client.

Issue: An alert event does not trigger an alert notification and is not displayed as an alert in the Management Tool.
Cause/Solution: Please check that the defined alert parameters are correct on the Alert Rules tab on the Edit alert page of the Management Tool (e.g., Process name may be defined instead of Window title). To do this, open the Alert Management page of the Management Tool, click Edit alert for the required alert and select the Alert Rules tab.
The alert might be disabled. Please make sure the alert is enabled on the Alert properties tab in the Management Tool.

Issue: I don't receive alert notifications about all the events that correspond to the notification settings.
Cause/Solution: Please check the Minimal interval between notifications sent for the same alert event parameter. If less time than defined in the settings has passed since the moment when the last notification for the same alert event was received, you will not receive the notification.

Issue: Client sessions contain no screenshots at all.
Cause/Solution: Please check that the Enable screenshot creation along with user activity recording option is enabled on the required Client. To do this, open the Client Management page, click Edit Client for the required Client, and then click the User Activity Recording tab.

Issue: Some screenshots look like they consist of two parts.
Cause/Solution: There are two monitors on the Client computer and you see the screenshots from both of them.

Issue: The Text data column is empty, although the text was entered on the Client computer.
Cause/Solution: Check that you have the Viewing text data permission for this Client. Please check that you have enabled keystroke logging in the Client configuration. The keystrokes are logged only after the user presses Enter or switches to another window, so they might be attached to another screenshot.

Issue: The Text data column is empty, although the text was copied, cut, and pasted on the Client computer.
Cause/Solution: Check that you have the Viewing text data permission for this Client. Please check that you have enabled clipboard monitoring in the Client configuration.

Issue: The screenshots are sent more frequently than I defined.
Cause/Solution: If in the Client configuration you have enabled options other than Capture screen periodically, the screenshots may be created more frequently depending on the user activity. Check the Client configuration.

Issue: Screenshot image is blurry.
Cause/Solution: The Client computer may have smooth interface animation: the screenshot may have been taken when the animation was in progress.

Issue: The screenshot image is black and white.
Cause/Solution: The Client is configured to capture the screen in greyscale images. Please check the Client configuration in the Management Tool.

Issue: The screenshot time does not correspond to the time on my computer.
Cause/Solution: The screenshot time corresponds to the time displayed on the Client computer.

Issue: The screenshot time does not correspond to the time that should be displayed on the Client computer.
Cause/Solution: Please check that the Client computer time settings have not been changed.
Windows Client
Checking that the Client Is Installed
If the Client is successfully installed, it will appear on the Clients page of the Management Tool
in the Data View pane.
If there is no Client in the Management Tool, you have to check whether the Client has been
installed.
You can check if the Client is installed on the investigated computer in one of the following ways:
The EkranService.exe process is running.
The EkranClient and EkranController services are started.
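The two checks above can be run together from an elevated PowerShell session on the investigated computer. This is an added example and not code from the Ekran System help file; it assumes only the process and service names the help file gives (EkranService.exe, EkranClient, EkranController).

```powershell
# Added example (not part of the Ekran System help file): checks the two indicators the
# help file lists for a successfully installed Windows Client.
# Assumption: run locally on the investigated computer in an elevated PowerShell session.

function Test-EkranClientInstalled {
    [CmdletBinding()]
    param(
        # Process the help file says must be running (name without .exe)
        [string]$ProcessName = 'EkranService',
        # Services the help file says must be started
        [string[]]$ServiceName = @('EkranClient', 'EkranController')
    )

    # Get-Process returns nothing (no error) when the process is absent
    $processRunning = [bool](Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)

    # Distinguish "service not installed" from "service installed but stopped",
    # which point to different problems (installation vs. a stopped service)
    $services = foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name    = $name
            Present = [bool]$svc
            Status  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        }
    }

    $notRunning = @($services | Where-Object { $_.Status -ne 'Running' })

    [pscustomobject]@{
        ProcessRunning = $processRunning
        Services       = $services
        # Both indicators must hold for the Client to count as installed and working
        Installed      = $processRunning -and ($notRunning.Count -eq 0)
        Problems       = if ($notRunning.Count -gt 0) {
                             ($notRunning | ForEach-Object { "$($_.Name): $($_.Status)" }) -join '; '
                         } elseif (-not $processRunning) { "$ProcessName.exe is not running" }
                         else { $null }
    }
}

$result = Test-EkranClientInstalled
$result | Format-List ProcessRunning, Installed, Problems
$result.Services | Format-Table -AutoSize
```

If Installed is false but the services are present, the "Possible Problems with Receiving Data from Clients" section below lists the usual reasons a Client stops sending data.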
How to Check:
To check the administrative shares availability, do the following:
1. Open Windows Explorer.
2. In the address bar type \\<target_computer_IP/Name>\admin$ and press Enter.
3. When the Enter Network Password window opens, enter administrator credentials
and click OK.
4. If the login credentials are accepted, the system folder opens (by default,
C:\Windows).
If you get an error after performing step 2, try the following:
Open the Command Prompt (cmd.exe). Enter and execute the ping
<target_computer_name or IP> command. Check the following:
1. If you do not get ping replies, network may be down. Check the
network connection and try again.
2. If the network is up, but you do not get the ping reply, check the
firewall on the remote computer. Disable the firewall on the target
remote computer.
If you are receiving ping replies, but the administrative share is still unavailable, check
that the Sharing Wizard or the Simple file sharing are disabled.
If you are receiving ping replies and the sharing options are good, but you still cannot
access the administrative shares, check that the Server system service is running on the
remote computer.
If you get a login error after performing step 3, try the following:
Make sure that the credentials you enter are correct. You have to enter the credentials
of a domain administrator or a local administrator account on the remote computer.
Verify that the account password is not empty. Accounts with empty passwords cannot
be used for remote connection.
Try typing the username as <domain_name>\<username> if the remote computer is in
a domain, or <computer_name>\<username> if the PC belongs to a workgroup.
How to Fix:
To enable access to administrative shares, you need to enable the Local Account Token
Filter Policy.
NOTE: This is a known Windows issue that might block remote application installation.
How to check:
To check the DNS Service availability, please execute the following command in the Command
line (cmd.exe): ping <Computer name>.
If the command does not respond, you have to enable the DNS Service.
How to fix:
To enable the DNS Service, please follow the instructions of the Windows Troubleshooting. In
the Windows Server 2003, you can use the netdiag.exe tool.
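The administrative share check above and the DNS Service check can be run in the order the help file follows (name resolution, then ping reply, then the admin$ share) from the computer that runs the remote installation. This is an added example, not code from the Ekran System help file; it assumes the session runs under a domain or local administrator account of the target, so the admin$ test uses the current credentials, and the target name is a constructed placeholder.

```powershell
# Added example (not part of the Ekran System help file): runs the checks the help
# file describes for a remote Client installation target and reports the first one
# that fails, so the matching "How to Fix" section can be applied.
# Assumptions: run as a domain or local administrator of the target computer; the
# admin$ check uses the current session's credentials (no prompt, unlike Explorer).

function Test-RemoteInstallPrerequisites {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Target)

    # 1. DNS: the help file's "ping <Computer name>" check fails first on name resolution.
    #    System.Net.Dns is used instead of Resolve-DnsName so this also works on Windows 7.
    $resolved = $null
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($Target) | Select-Object -First 1
    } catch { }

    # 2. ICMP: no reply means the network is down or the remote firewall drops it
    $pingOk = $false
    if ($resolved) {
        $pingOk = Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue
    }

    # 3. Administrative share: same test as typing \\<target>\admin$ in Explorer
    $shareOk = $false
    if ($pingOk) {
        $shareOk = Test-Path -Path "\\$Target\admin$" -ErrorAction SilentlyContinue
    }

    $verdict = if (-not $resolved) {
                   'Name resolution failed: check the DNS Service'
               } elseif (-not $pingOk) {
                   'No ping reply: check the network connection and the firewall on the target'
               } elseif (-not $shareOk) {
                   'admin$ unavailable: check credentials, sharing options, the Server service and Local Account Token Filter Policy on the target'
               } else {
                   'All prerequisites met'
               }

    [pscustomobject]@{
        Target     = $Target
        ResolvedIP = if ($resolved) { $resolved.IPAddressToString } else { $null }
        PingReply  = $pingOk
        AdminShare = $shareOk
        Verdict    = $verdict
    }
}

# Constructed placeholder name; replace it with the real target computer
Test-RemoteInstallPrerequisites -Target 'TARGET-PC' | Format-List
```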
How to fix:
To disable UAC, do the following:
1. Open the Windows Registry Editor.
2. Select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System.
3. Double-click the EnableLUA value, or select it and click Modify in the context menu.
4. In the opened window, in the Value data field, enter 0 and click OK.
5. Close the Windows Registry Editor window and then reboot the Client computer.
How to Fix:
To resolve errors in Active Directory, do the following:
1. Open the Active Directory Users > Computer Tools.
2. Open the System Container.
3. If there is no TDO object (trusted domain object) in the System container, please reset
the trust between parent and child relationships between domain controllers of
different domains with netdom.
How to Fix:
To resolve this issue, rename the computer in the parent domain which has the same
name as the computer in the child domain.
If you get a message at the end of the remote Client installation: “The network name
cannot be found”, it can be caused by the following reasons:
There is no access to the remote computer.
There is no access to Network Shares.
How to Check:
Please check that you have access to the remote computer. To do this, enter the
following command in the Windows command line: ping <name of the remote computer>
If you do not receive any response, the access might be blocked by the remote computer
Firewall.
How to Fix:
Try enabling the Local Account Token Filter Policy on the target computer.
If you get a message at the end of the remote Client installation: “Client machine must be
rebooted before agent installation”, please, reboot the computer because if the Client has
been recently uninstalled, the Client computer must be rebooted first.
If you get a message after clicking Uninstall Ekran System Client: “The host is unavailable now
or turned off. Try again later.”, this means that the Client may be offline or may not be able to
connect to the Server. Please do one of the following:
Wait until the Client appears online.
If the Client does not appear online, uninstall it locally on the Client computer via the
Windows command line by executing the following command: UninstallClient.exe
/key=<uninstallation key>
By default, the UninstallClient.exe file is located in the Client installation folder. The default
path is C:\Program Files\Ekran System\Ekran System\.
If you changed the name of the Server computer, you have to change it on the Client
computer through the registry.
To change the Server name:
1. Open the Windows Registry Editor.
2. Select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client.
3. Double-click the RemoteHost value, or select it and click Modify in the context menu.
4. Enter the new name or IP address of the Server to which the Client must connect.
5. Reboot the Client computer.
NOTE: If the Client works in the non-protected mode, you can change the name of the
Server to which it connects, by installing the Client remotely via the Management Tool
once more.
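The registry change above, done from an elevated PowerShell session on the Client computer, keeping a record of the previous value so the change can be reverted. This is an added example, not code from the Ekran System help file; it assumes RemoteHost is a string (REG_SZ) value, and the new Server name is a constructed placeholder.

```powershell
# Added example (not part of the Ekran System help file): reads and updates the
# RemoteHost value under the Client registry key named in the help file.
# Assumptions: elevated PowerShell session on the Client computer; RemoteHost is a
# REG_SZ value; the reboot the help file requires is left to the administrator.

$clientKey = 'HKLM:\SOFTWARE\EkranSystem\Client'
$valueName = 'RemoteHost'

function Get-EkranServerName {
    # Fails loudly if the key or value is missing, i.e. the Client is not installed
    (Get-ItemProperty -Path $clientKey -Name $valueName -ErrorAction Stop).$valueName
}

function Set-EkranServerName {
    param([Parameter(Mandatory)][string]$NewServer)

    $current = Get-EkranServerName
    if ($current -eq $NewServer) {
        Write-Host "RemoteHost is already '$NewServer'; nothing to change."
        return
    }

    # Record the previous value before overwriting it
    $backup = Join-Path $env:TEMP ('EkranRemoteHost-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    Set-Content -Path $backup -Value "$valueName=$current"

    Set-ItemProperty -Path $clientKey -Name $valueName -Value $NewServer -Type String
    Write-Host "RemoteHost changed from '$current' to '$NewServer' (old value saved to $backup)."
    Write-Host 'Reboot the Client computer for the change to take effect.'
}

Write-Host "Current Server: $(Get-EkranServerName)"
# Constructed placeholder; replace with the new Server name or IP address
Set-EkranServerName -NewServer 'new-ekran-server.example.local'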
Make sure the database is not full: there may be no free space left on the disk where
the database is located in the Server database.
If an installed Client has stopped sending data, it may be caused by the following issues:
The Client processes on the Client computer may have been terminated. Make sure the
Client processes are running on the Client computer (see Checking that the Client is
installed topic in the help file).
The Client service (EkranClient) might have been stopped. Please make sure it is started.
The Client computer may be offline. Make sure it is online and has no network
connection problems.
The sending of data is prevented by antivirus software. Make sure the Client
processes/services are not blocked by the antivirus software.
The connection might be blocked by Firewall. Try unblocking the connection.
Linux Client
Possible Problems with Receiving Data from Clients
If an installed Client does not appear online, do the following:
Make sure that the Linux Client is installed and running by checking the state of the
Client.
Make sure that there are no network connection problems:
On the Server computer, in the Command line (cmd.exe), execute the following
command: ping <Client computer name>. If the command displays network issues,
resolve them.
If a Linux Client is online and not sending any data, do the following:
Make sure a license is assigned to the Client.
Make sure there is enough free space on the disk on which the Client is installed.
Make sure the database is not full: there may be no free space left on the disk where
the database is located in the Server database.
If an installed Client has stopped sending data, it may be caused by the following issues:
The Linux Client might have been stopped. Please make sure it is started.
The Client computer may be offline. Make sure it is online and has no network
connection problems.
Appendix
Default Alerts
The Management Tool contains default alerts, which are triggered by different kinds of
potentially harmful or forbidden actions performed on the computers with installed Clients.
Fraud Activity
Cleanup applications
This alert is triggered when the user on the Windows Client computer is opening the PC
cleanup applications such as CCleaner, PC Decrapifier, File Shredder, and CleanUp.
Command prompt
This alert is triggered when the user on the Windows Client computer is executing the
command prompt.
Date/Time changing
This alert is triggered when the user changes the Date and Time settings on the
Windows Client computer.
Editing Windows Registry
This alert is triggered when the user on the Windows Client computer is editing the
Windows registry via the Windows Registry Editor.
File Download from Internet browser
This alert is triggered when the user on the Windows Client computer is downloading files
via such Internet browsers as Chrome, Firefox, or Internet Explorer.
File Upload via Internet browser
This alert is triggered when the user on the Windows Client computer is uploading files
via such Internet browsers as Chrome, Firefox, or Internet Explorer.
Hacking software
This alert is triggered when the user on the Windows Client computer is using the
different kinds of hacking software such as Angry IP Scanner, HashCat, Burp Suite, Cain
& Abel, Ettercap, John The Ripper, Kali, Metasploit, Nmap (Network Mapper), Snort,
THC Hydra, Wapiti, Wifite, and Wireshark.
IIS Binding Settings
This alert is triggered when the user on the Windows Client computer is changing IIS
binding settings.
Internet Explorer proxy settings
This alert is triggered when the user on the Windows Client computer is changing the
Internet Explorer Proxy Settings.
Data Leakage
Cloud backup
This alert is triggered when the user on the Windows Client computer is opening a cloud
backup service such as ADrive, AltDrive, Backblaze, avast!, BackUp, Backup Lizard,
BackupRunner, Bitcasa, Carbonite, Comodo Backup, CrashPlan, Cyphertite,
ElephantDrive, Gillware, IDrive, Iozeta, Jottacloud, Jungle Disk, KineticD, Livedrive,
Malwarebytes, Mevvo, Mozy, MyOtherDrive, MyPC Backup, NitroBackup, Nomadesk,
SafeSync, sosonlinebackup, SpiderOak, SugarSync, Symform, Total Defense Online
Backup, OpenDrive, and Zoolz.
Cloud file sharing
This alert is triggered when the user on the Windows Client computer is sharing the files
using the cloud based services 2Big2Send, 4shared, Addie.it , BitLet.org, CloudApp,
Digital Pigeon.com, DivShare, Dropcanvas, Droplr, Dropmark, DropSend, EFShare,
Filecamp, FileDropper, FileSavr.com, Fyels, Ge.tt, GigaSize, JustBeamIt, Kicksend,
LargeDocument.com, letscrate, MailBigFile, Minus.com, pastebin.com, PasteLink.me,
RapidShare, Send6, Senduit, SendYourFiles, Streaky, Uploaded.to, Uploadie, Wappwolf,
WeTransfer, Wikisend, YouSendIt, and zShare.net.
Cloud storages
This alert is triggered when the user on the Windows Client computer is visiting the
following cloud storage websites: Dropbox.com; drive.google.com; onedrive.live.com;
Otixo; box.com; Fluxiom; spideroak.com; Uploadingit; amazon.com; justcloud.com;
livedrive.com; sugarsync.com; code42.com/crashplan; zipcloud.com;
sosonlinebackup.com; carbonite.com; eSnips; Fileshare; mozy.com; mega.nz;
adrive.com; bitcasa.com; icloud.com; Memonic; Doxo.
Online video
This alert is triggered when the user on the Windows Client computer is visiting the
following online video websites: Youtube; dailymotion.com; vimeo; gopro.com;
ted.com; on.aol.com; mtv.com; funnyordie.com; break.com; metacafe.com; veoh.com.
Social networks
This alert is triggered when the user on the Windows Client computers is visiting the
following social network websites: facebook; twitter; linkedin; pinterest;
plus.google.com; tumblr; instagram; vk.com; flickr; vine.co; meetup.com; tagged.com;
ask.fm; meetme.com; classmates.com; foursquare; tripadvisor; weeworld.com; mixi.jp;
myspace.com; myheritage.com; schtik.com.
High Availability ✘ ✔
Database cleanup ✔ ✔
Database archiving ✘ ✔
Client protection ✔ ✔
Client mode (protected, non-protected)
Protection from uninstallation
(uninstallation key)
Alert policies ✔ ✔
Screenshot creation ✔ ✔
Keystroke logging ✔ ✔
Clipboard monitoring ✔ ✔
URL monitoring ✔ ✔
Application filtering ✔ ✔
User filtering ✔ ✔
Secondary authentication ✔ ✔
One-time password ✘ ✔
Two-factor authentication ✔ ✔
Internal users ✔ ✔
User permissions ✔ ✔
Administrative permissions
Client permissions
Web-based Player ✔ ✔
Searching Client sessions by metadata
Playing Client sessions (live and finished)
Interactive monitoring ✔ ✔
Dashboards ✔ ✔
Alert Viewer ✔ ✔
Screenshot export ✔ ✔