
Ekran System v.6.0
Help File
Table of Contents

About................................................................................................................................. 15
System Requirements .................................................................................................... 16
Program Structure........................................................................................................... 19
Getting Started................................................................................................................. 21
Deployment Process ...............................................................................................................21
Working with Application ........................................................................................................22
Server and Database ....................................................................................................... 23
About .........................................................................................................................................23
Database Types Comparison ................................................................................................23
High Availability Mode ............................................................................................................23
About ......................................................................................................................................23
Standard and High Availability Modes Comparison .......................................................24
Installing/Uninstalling/Updating the Server ..........................................................................24
Installing the Server .............................................................................................................24
Backing up Ekran Master Certificate.................................................................................26
Deleting Ekran Master Certificate ......................................................................................30
Importing Ekran Master Certificate ....................................................................................30
Installing the Server in the Cloud .......................................................................................31
Adding Server Executable to Windows Firewall..............................................................31
Using an External/Cloud-Based Server Computer .........................................................34
Updating the Server .............................................................................................................34
Uninstalling the Server ........................................................................................................35
Server Tray ...............................................................................................................................35
Database Management ..........................................................................................................35
About ......................................................................................................................................35
Cleanup Parameters ............................................................................................................36
One-Time Cleanup ...............................................................................................................37
Scheduled Cleanup..............................................................................................................37
Shrinking MS SQL Database .............................................................................................38
Firebird Database Optimization .........................................................................................38
Deleting the Client ................................................................................................................39
Moving the Server Database ..............................................................................................40
About ...................................................................................................................................40

Moving the Server Database on the Same Computer ................................................40
Moving the Server Database to Another Computer ....................................................43
Moving Binary Data to Shared or Local Folder ...............................................................44
Validating Monitoring Data..................................................................................................45
About ...................................................................................................................................45
Validating Monitoring Data Using Hash Codes ............................................................46
Signing Monitoring Data with Certificate .......................................................................46
Moving the Server Database Signed with Certificate to another Computer ............50
Advanced SIEM Integration ...................................................................................................54
About ......................................................................................................................................54
Log File Contents .................................................................................................................54
Enabling Log File Creation .................................................................................................55
Log Cleanup ..........................................................................................................................55
Management Tool ............................................................................................................ 56
About .........................................................................................................................................56
Management Tool Installation Prerequisites .......................................................................56
Prerequisites Overview .......................................................................................................56
Turning on Internet Information Service (IIS) ..................................................................57
Turning on IIS for Windows 8 and Windows 7 .............................................................57
Turning on IIS for Windows Server 2008 R2 ................................................................58
Turning on IIS for Windows Server 2012 ......................................................................59
Installing .NET Framework .................................................................................................61
Configuring Internet Information Service (IIS) .................................................................61
Using Certificates .................................................................................................................65
Generating Self-Signed Certificate ................................................................................65
Exporting Self-Signed Certificate ...................................................................................67
Importing Trusted Certificate ...........................................................................................67
Adding Certificate to Trusted Root Certification Authorities ..........................................68
Setting HTTPS Binding for a Default Web-Site ...............................................................73
Installing/Uninstalling/Updating the Management Tool .....................................................75
Installing the Management Tool .........................................................................................75
Adjusting Computer for Remote Access ..........................................................................77
Updating Management Tool ...............................................................................................78
Uninstalling Management Tool ..........................................................................................79
Opening Management Tool ...................................................................................................79
Management Tool Interface ...................................................................................................80

Changing Password for Logged in User ..............................................................................81
Multi-Tenant Mode/Single-Tenant Ekran System Mode ............................................. 83
About .........................................................................................................................................83
User Types in Ekran System Deployed in Multi-Tenant Mode ........................................83
Admin of the default tenant (Technician)..........................................................................83
Tenant Admin........................................................................................................................83
Tenant User ..........................................................................................................................84
Tenant Management ...............................................................................................................85
Viewing Tenants ...................................................................................................................85
Adding Tenants ....................................................................................................................85
Editing Tenants .....................................................................................................................87
Resending Email to the Tenant Admin .............................................................................87
Deleting Tenants ..................................................................................................................88
Switching to Tenant Account ..............................................................................................88
Granting Technician Access to Tenant Account Info .........................................................89
Licensing .......................................................................................................................... 90
General Licensing Information ..............................................................................................90
Getting Licenses by the Default Tenant Admin (Technician) ...........................................91
Serial Keys ............................................................................................................................91
About Update & Support Period ........................................................................................92
Viewing License State .........................................................................................................92
Activating Serial Keys Online .............................................................................................93
Adding Activated Serial Keys Offline ................................................................................94
Deactivating Serial Keys .....................................................................................................95
License Management..............................................................................................................95
Client License Management ...............................................................................................95
Viewing Granted Licenses ...............................................................................................96
User and User Group Management .............................................................................. 97
About .........................................................................................................................................97
Viewing Users and User Groups ...........................................................................................97
User Management ...................................................................................................................98
Adding Users ........................................................................................................................98
Editing Users .......................................................................................................................102
Deleting Users ....................................................................................................................103
User Group Management .....................................................................................................103
Adding User Groups ..........................................................................................................103

Editing User Groups ..........................................................................................................104
Deleting User Groups ........................................................................................................104
Permissions ............................................................................................................................104
About ....................................................................................................................................104
Administrative Permissions ..............................................................................................105
Client Permissions .............................................................................................................105
Permission Example ..........................................................................................................106
Management Tool Log ..........................................................................................................108
About ....................................................................................................................................108
Viewing Management Tool Log .......................................................................................108
Management Tool Log Protection ...................................................................................110
Filtering and Sorting Log Data .........................................................................................110
Windows Clients ............................................................................................................ 111
About .......................................................................................................................................111
Monitoring via Windows Clients ..........................................................................................111
Installing Windows Clients ...................................................................................................112
About ....................................................................................................................................112
Setting up Environment for Remote Installation ............................................................112
Windows Client Installation Prerequisites ...................................................................112
Disabling Simple File Sharing in Windows XP ...........................................................113
Disabling Sharing Wizard in Windows 8.1, Windows 8, and Windows 7 ...............114
Checking System Services............................................................................................115
Setting up Firewall for Windows Vista, Windows XP, and Windows Server 2003 ..................................................................................................................................116
Setting up Firewall for Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008 ...........................................................117
Installing Windows Clients Remotely via the Management Tool ................................120
About .................................................................................................................................120
Selecting Computers ......................................................................................................120
Remote Windows Client Installation Process .............................................................122
Remote Installation from an Existing .INI File ............................................................123
Installing Windows Clients Locally ..................................................................................123
About .................................................................................................................................123
Windows Client Installation Package ...........................................................................123
Generating Windows Client Installation Package ......................................................128
Installing Windows Clients Locally with Custom Monitoring Parameters ..............128

Downloading Windows Client Installation File (.exe) ................................................129
Installing Windows Clients Locally without .ini File....................................................129
Installation via Third Party Software................................................................................129
Installing Windows Client on Amazon WorkSpace .......................................................130
Cloning a Virtual Machine with Installed Client .............................................................130
Unassigning License on Virtual Machine Shutdown ....................................................130
Updating Windows Clients ...................................................................................................131
About ....................................................................................................................................131
Windows Client Status after Server Update ..................................................................132
Updating Windows Clients Automatically .......................................................................132
Updating Windows Client Manually .................................................................................132
Reconnecting Windows Clients to another Server ...........................................................133
Uninstalling Windows Clients ..............................................................................................133
About ....................................................................................................................................133
Client Uninstallation Key ...................................................................................................133
Uninstalling Windows Clients Remotely .........................................................................134
Uninstalling Windows Clients Locally..............................................................................134
Viewing Windows Clients .....................................................................................................135
Windows Client Description .................................................................................................135
Windows Client Configuration .............................................................................................136
About ....................................................................................................................................136
Protected Mode Parameter ..............................................................................................136
Automatic Client Update Parameter................................................................................136
Client Tray Icon Parameter ...............................................................................................136
Custom Path for Client Installation Folder Parameter ..................................................137
Offline Cache Size Parameter..........................................................................................137
User Activity Recording Parameters ...............................................................................137
Keystroke Logging Parameter..........................................................................................138
Start Monitoring on Keyword Parameter ........................................................................139
Detect system IDLE event Parameter ............................................................................139
Register IDLE event Parameter .......................................................................................139
Clipboard Monitoring Parameter ......................................................................................139
Monitoring Log Parameter ................................................................................................140
URL Monitoring Parameters .............................................................................................141
Application Filtering Parameters ......................................................................................142
User Filtering Parameters .................................................................................................144

Monitoring Time Filtering Parameters .............................................................................146
Forced User Authentication Parameter ..........................................................................147
Two-Factor Authentication Parameter ............................................................................148
Additional Message on User Login Parameter ..............................................................148
User’s Comment Parameter .............................................................................................148
Ticket Number Parameter .................................................................................................148
Editing Windows Client Configuration ................................................................................149
Viewing Windows Client Configuration ..............................................................................152
Forced User Authentication on Windows Clients .............................................................153
About ....................................................................................................................................153
Enabling Forced User Authentication on Windows Client ...........................................153
Granting User Permission to Log In ................................................................................154
Managing One-Time Passwords .....................................................................................154
About .................................................................................................................................154
Generating One-Time Password ..................................................................................155
Viewing One-Time Passwords......................................................................................156
Resending the Email ......................................................................................................157
Terminating One-Time Password Manually ...............................................................157
Logging In ............................................................................................................................158
Logging in Using Ekran System User Additional Credentials ..................................158
Logging in Using One-Time Password ........................................................................158
Requesting One-Time Password .................................................................................159
Login Approved by Administrator ........................................................................................159
About ....................................................................................................................................159
Approving User Access on Login ....................................................................................160
Defining Email Address for User Access Approval .......................................................160
Managing Restricted User List .........................................................................................160
Adding User to Restricted List ......................................................................................160
Deleting User from Restricted List ...............................................................................161
Logging In ............................................................................................................................161
Privileged User Accounts .....................................................................................................162
About ....................................................................................................................................162
Adding Privileged User ......................................................................................................162
Deactivating Privileged Account ......................................................................................163
Using Privileged Account ..................................................................................................163
Password Vault Configuration ..........................................................................................164

Informing about Monitoring ..................................................................................................165
About ....................................................................................................................................165
Enabling Displaying Additional Message .......................................................................165
Enabling User’s Comment Option ...................................................................................166
Enabling Displaying Client Tray Icon ..............................................................................166
Logging In ............................................................................................................................167
Integration with Ticketing Systems .....................................................................................167
About ....................................................................................................................................167
Enabling Ticket Number Option .......................................................................................168
Logging In ............................................................................................................................168
macOS Clients ............................................................................................................... 169
About .......................................................................................................................................169
Monitoring via macOS Clients .............................................................................................169
Installing macOS Client ........................................................................................................170
About ....................................................................................................................................170
Downloading macOS Client Installation File ..................................................................170
Installing macOS Clients ...................................................................................................170
Uninstalling macOS Clients .................................................................................................171
About ....................................................................................................................................171
Uninstalling macOS Clients Remotely ............................................................................171
Uninstalling macOS Clients Locally ................................................................................172
Viewing macOS Clients ........................................................................................................172
macOS Client Description ....................................................................................................173
macOS Client Configuration ................................................................................................173
About ....................................................................................................................................173
User Activity Recording Parameters ...............................................................................173
URL Monitoring Parameters .............................................................................................174
Linux Clients .................................................................................................................. 175
About .......................................................................................................................................175
Monitoring via Linux Clients .................................................................................................175
Installing Linux Client ............................................................................................................175
About ....................................................................................................................................175
Downloading Linux Client Installation File......................................................................175
Installing Linux Clients .......................................................................................................176
Uninstalling Linux Clients .....................................................................................................177
Viewing Linux Clients ............................................................................................................177

Linux Client Description
Forced User Authentication on Linux Clients
About
Enabling Forced User Authentication on Linux Client
Granting the User Permission to Work with the Terminal
Launching the Terminal
Two-Factor Authentication for Windows Clients
About
Allowing User to Log In
Deleting User from the List
Enabling Two-Factor Authentication
Logging in Using Time-Based One-Time Password
User Blocking
About
Blocking User from Live Session
Blocking User from Finished Session
Blocking User on Alert Triggering
Blocking User on Client with Secondary Authentication
Blocked User List
Viewing Blocked User List
Removing User from Blocked User List
Client Group Management
About
Adding Client Groups
Editing Client Groups
Adding Clients to Groups
Adding Clients to Groups during Client Group Editing
Adding Clients to Groups during Client Editing
Applying Group Settings to Client
Removing Clients from Groups
Removing Clients from Groups during Client Group Editing
Removing Clients from Groups during Client Editing
Deleting Client Groups
Alerts
About
Viewing Alerts

Default Alerts
Alerts Management
Adding Alerts
Rules
About
Rule Examples
Enabling/Disabling Alerts
Editing Alerts
Editing Single Alert
Editing Multiple Alerts
Assigning Alerts to Clients
Assigning Alerts to Clients during Alert Editing
Assigning Alerts to Clients during Editing Multiple Alerts
Assigning Alerts to Clients during Client/Client Group Editing
Exporting and Importing Alerts
Exporting Alerts
Importing Alerts
Deleting Alerts
Defining Global Alert Settings
Receiving Information on Alert Events
Advanced Reports
About
Report Types
Scheduled Reports
About
Adding Report Rules
Editing Report Rules
Deleting Report Rules
Generating Reports from the Scheduled Report Rule
Frequency and Time Interval for Report Creation
Viewing Logs
Report Generator
About
Report Parameters
Generating Report
Creating a Scheduled Report Rule from the Report Generator Page

USB Monitoring & Blocking
About
Monitored Devices
Kernel-Level USB Monitoring Rules
About
Adding USB Monitoring Rules
Editing USB Monitoring Rules
Deleting USB Monitoring Rules
Defining Exceptions for USB Rules
Viewing Device Hardware ID
Configuration
Defining Email Sending Settings
Defining Player Link Settings
Defining System Settings
Defining SIEM Logs
Defining Ticketing System Integration Settings
Defining LDAP Targets
About
Automatic LDAP Target
Adding LDAP Target Manually
Editing LDAP Target
Deleting LDAP Target
Defining Date & Time Format
Defining Server Settings
Viewing Monitoring Results
Session List
About
Client Sessions List
Filtering Sessions
Filtering by Specific Parameters
Searching in the Session Data
Export Sessions
Sorting Sessions
Playing Sessions
About
Session Viewer Interface

Session Player
Magnifier
Getting Data URL
Metadata Grid
Player and Metadata Synchronization
Filtering Data
Sorting Data
Live Sessions
Windows Client Sessions
Playing Windows Sessions
Viewing Keystrokes
Viewing Clipboard Text Data
Viewing USB Device Info
Viewing URLs
Viewing Idle State
macOS Client Sessions
Playing macOS Sessions
Viewing URLs
Linux Client Sessions
Playing Linux Sessions
Filtering EXEC Commands
Viewing Alerts
About
Alert Viewer Interface
Using Alert Viewer
Archived Sessions
About
Changing Investigated Database
Viewing Archived Sessions
Dashboards
About
Dashboard Types
Licenses
Clients
Database Usage Storage
Recent Alerts

Latest Live Sessions
Sessions out of Work Hours
Rarely Used Computers
Rarely Used Logins
Customizing Dashboards
Interactive Monitoring
About
Viewing Data
Applications Monitoring Chart
URL Monitoring Chart
Forensic Export
About
Exporting Session Fragment
Exporting Full Session
Exporting Multiple Sessions
Viewing Forensic Export History
Playing Exported Session
Validating Exported Data
Troubleshooting
Quick Access to Log Files
Database/Server
Database/Server Related Issues
Database/Server Related Error Messages
Management Tool
Management Tool Related Issues
Management Tool Error Messages
Viewing Monitored Data
Windows Client
Checking that the Client Is Installed
Clients Installation/Uninstallation Issues and Error Messages
Possible Problems with Receiving Data from Clients
Possible USB Monitoring Problems
Linux Client
Possible Problems with Receiving Data from Clients
Checking the State of the Linux Client
Restarting Linux Client

Appendix
Default Alerts
Fraud Activity
Data Leakage
Potentially Illicit Activity
Not Work-related Activity
Standard and Enterprise Edition Comparison Chart

About
Welcome to Ekran System!
Ekran System is an application that allows you to record the activity of the target computers
with installed Clients and to view the screenshots from these computers in the form of video.

System Requirements
Each Ekran System component has its own system requirements. Make sure your hardware and software meet the following requirements to avoid possible component malfunctions.

Server requirements:
• 2 GHz or higher CPU
• 4 GB or more RAM
• Enterprise-level Ethernet card
• Minimum 1 Gbit/s network adapter
• Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64 platform)
• Universal C Runtime and Visual C++ Runtime (starting with Ekran System 5.5). Both can be installed via the Microsoft Visual C++ 2015 Redistributable: https://www.microsoft.com/en-gb/download/details.aspx?id=48145
  NOTE: The Universal C Runtime needs to be initially installed via update KB2999226: https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows
• .NET Framework 4.5.2 or higher
  NOTE: If the Server and the Management Tool are to be installed on the same computer, make sure you turn on the Internet Information Service before the installation of .NET Framework 4.5.2.
• [When using MS SQL Database]: Full edition of MS SQL Server 2008R2 SP1 or higher. Standard license or higher is required.
NOTE: If you want to deploy the Ekran System in the High Availability mode, Message Queuing must be enabled and an NLB cluster must be configured. Please refer to the High Availability Deployment Guide for more information.

Management Tool requirements:
• 2 GHz or higher CPU
• 4 GB or more RAM
• 100 Mbit/s network adapter
• Windows 10, Windows 8.1, Windows 8, Windows 7 (any edition except Home); [recommended] Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (starting from SP1 version). Both x86 and x64 platforms are supported.
• .NET Framework 4.5.2 or higher
• IIS 7.5 or higher with enabled ASP.NET 3.5 and 4.5 support (4.6 for Windows Server 2016)
• [For accessing the Management Tool locally or remotely] One of the following browsers:
  - Google Chrome 37 or higher
  - Mozilla Firefox 32 or higher
  - Internet Explorer 10 or higher
  - Safari S6 and Safari S5
  - Opera 15 or higher
NOTE: The Management Tool might be opened in other browsers, but its compatibility with other browsers is not guaranteed.

Windows Client requirements:
• 1 GHz or higher CPU
• 512 MB or more RAM
• 100 Mbit/s network adapter
• Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP SP3; Windows Server 2016, Windows Server 2012, Windows Server 2008, and Windows Server 2003 SP1. Both x86 and x64 platforms are supported.
  NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.
• Citrix XenDesktop; Citrix XenApp; Citrix XenDesktop/XenApp with Citrix Provisioning Services (PVS).
• At least 500 MB of free space is recommended on the disk where the Client is installed, to save data during the offline session.

macOS Client requirements:
• 2.26 GHz Intel Core 2 Duo or higher CPU
• 2 GB RAM
• 100 Mbit/s network adapter
• macOS 10.9 and later
• At least 500 MB of free space is recommended on the disk where the Client is installed, to save data during the offline session.

Linux Client requirements:
• 1 GHz or higher CPU
• 512 MB or more RAM
• 100 Mbit/s network adapter
• At least 500 MB of free space is recommended on the disk where the Client is installed, to save data during the offline session.
• Linux Kernel 2.6.32 and higher

Distributor        Base OS                        Versions Supported
Debian             Debian                         8.0, 7.0
Debian             Ubuntu                         16.0, 15.0, 14.0, 12.0
Debian             Linux Mint                     17.xx – 13
openSUSE           Suse Linux Enterprise Server   11 (SP2, SP3, SP4), 12 (SP1, SP2, SP3)
RedHat             RedHat                         7.0, 6.0
RedHat             CentOS                         7.x, 6.x
RedHat             Oracle Linux                   7.x - 5.6
Sun Microsystems   Solaris                        11.x – 10.0

NOTE: When the Client is installed on a terminal server, hardware requirements depend on the number of active user sessions and may increase drastically. For example, hardware requirements for the Client deployed on a terminal server hosting 10 active user sessions will be as follows:
• Intel Core i3 or similar AMD CPU
• 2048 MB RAM

Program Structure
Ekran System is an application specially designed to control user activity remotely.

Ekran System includes the following components:

• Ekran System Server (further referred to as Server): The main part of Ekran System, used for storing the screenshots and associated information received from the Clients. The Server can be started or stopped via the Server Tray.

• Ekran System Management Tool (further referred to as Management Tool): A central administrative unit that allows you to control and manage Clients, Users, USB Monitoring Rules, Alerts, the Server database, and Serial Keys. You can access the Management Tool from any computer in the network without having to install it on that computer.
  Ekran System Session Viewer provides a usable interface for quick review of the monitored data received from the Ekran System Clients.

• Ekran System Windows Clients (further referred to as Windows Clients): Hosted on the remote computers, Windows Clients create screenshots at the defined frequency and send them to the Server along with metadata such as user name, host name, activity time, active window titles, application names, URL addresses, clipboard text data, keystrokes, etc. The configuration and settings of the remote Windows Clients are managed via the Management Tool.

• Ekran System macOS Clients (further referred to as macOS Clients): Hosted on the remote computers, macOS Clients create screenshots at the defined frequency and send them to the Server along with metadata such as user name, host name, activity time, active window titles, application names, URL addresses, etc. The configuration and settings of the remote macOS Clients are managed via the Management Tool.

• Ekran System Linux/Unix Clients (further referred to as Linux Clients): Hosted on the remote computers, Linux Clients capture input/output terminal data (including all executed commands) and send this interactive data to the Server.

• Ekran System Tray Notifications application (further referred to as Tray Notifications application): This application allows receiving notifications on alert events on Clients.

Getting Started

Deployment Process
The Ekran System installation consists of several steps:
1. Installing the Server: To deploy the system, you first need to install the Server. The Server is used to store and process all records sent by the Clients hosted on the remote computers. During the Server installation, you can select the type of the database and define administrator credentials.
NOTE: You can deploy the Ekran System in the High Availability mode, which allows you to work with multiple Server instances in the Network Load Balancer cluster. This provides a high level of operational performance and minimizes downtime and service interruptions. Please refer to the High Availability Deployment Guide for more information.
2. Completing Management Tool installation prerequisites: To install and run the Management Tool, you need to turn on the Internet Information Service on your computer, add the self-signed or trusted certificate to the Trusted Root Certification Authorities, and set an HTTPS binding for the default web site (or any other IIS site).
3. Installing the Management Tool: The Management Tool is used to manage Users, Clients, Alerts, and Database, as well as to view the monitored data received from Clients. Connection with the Server is required for the Management Tool to operate.
4. Activating serial keys (adding activated serial keys): To be able to receive data from the Clients, you need to license the Clients by activating purchased serial keys. You can also activate an Enterprise serial key to get access to the enterprise features of the Ekran System for an unlimited period of time.
5. Installing Clients:
• Installing Windows Clients: The Windows Clients are usually installed remotely via the Management Tool. A Windows Client can be installed on any computer in the network. Please note that several conditions have to be met for successful remote Client installation.
• Installing macOS Clients: The macOS Clients are installed locally.
• Installing Linux Clients: The Linux Clients are installed locally.
6. Installing the Tray Notifications application: The Tray Notifications application can be installed on any computer. As long as there is a connection to the Server, the Tray Notifications application displays notifications on all alert events received from Clients. For more information, see the Tray Notifications application help file.
After installing all the system components, Ekran System is considered deployed and all its features become available.


Working with Application


Working with the application includes the following options:
1. Assigning licenses to the Clients: An available license is automatically assigned to the Client
(both Windows and Linux) during its first connection to the Server. If the license hasn’t been
assigned to the Client, you need to assign it manually.
2. Adding Client Groups: Client Groups allow you to grant your users access to several Clients
at the same time without having to grant them access to all the Clients.
3. Adding Users/User Groups and defining their permissions: To allow others to work with the
Management Tool, you can create new users and define their permissions in the
Management Tool.
4. Defining Client configuration and Client Group Configuration.
5. Managing Alerts: Alerts are used to notify the investigators of a specific activity (potentially
harmful/forbidden actions) on the target computers with installed Clients. You can create,
assign, import, and export alerts. When the Ekran System is installed, it has a list of
predefined alerts.
6. Creating USB blocking rules: Kernel-level USB Monitoring allows you to detect that a USB
device is plugged into the computer on which the Windows Client is installed. You can view
information on the detected devices, receive notifications, or block USB devices.
7. Viewing monitoring results in the Management Tool: The monitored data received from the
Client computer can be viewed in the Session Viewer part of the Management Tool.
8. Exporting sessions from the Session Viewer: You can export sessions in the encrypted form
to view Client sessions on any computer, even without access to the Management Tool.
9. Receiving Alert notifications: The notifications on the alert events are received via the Tray
Notifications application. The notifications are displayed in the Windows notification area.
10. Generating reports: The user activity can be analysed with the help of reports generated via
the Management Tool. You can schedule the reports to be generated and sent via email at
the specified time or generate the reports manually via Report Generator.
11. Interactive Monitoring: The user activity can be analysed with the help of the statistical data
you can generate using Interactive Monitoring. You can get detailed information on the
total time that has been spent in each application/on each website.
12. Managing database: To avoid running out of space on the Server computer, it is recommended
to periodically clean up, or archive and clean up, the database by deleting old monitored data.
You can enable the database archiving and cleanup and then access the archived data any time
via the Management Tool. In addition, you can remove unnecessary uninstalled Clients from
the database.


Server and Database


About
The Server is the main component of the system, which provides interaction between other
components. The Server stores all monitored data, user accounts, and system settings in the
database.

Database Types Comparison


When installing the Server, you can choose between the two types of databases (MS SQL
database and Firebird database). These databases have the following differences:

| Feature | MS SQL Database | Firebird Database |
|---|---|---|
| Free | ✘ (has a limited free version). NOTE: Using MS SQL Express does not guarantee the stable work of the Server. | ✔ |
| Processing speed | High | Low |
| Remote access to database | ✔ | ✘ |
| Requires additional software installation | ✔ | ✘ |
| Security | High | Low |

High Availability Mode


About
The High Availability mode allows you to configure and deploy Ekran System in such a way that
it can work with multiple Server instances in the Network Load Balancer cluster. This would
allow balancing the load of data sent to the servers by Ekran Clients and ensure data integrity in
case any of the instances goes offline for any number of reasons. Additionally, Ekran System
deployed in the High Availability mode includes a special License Server, which manages Client
licenses in the whole system.

NOTE: The High Availability mode is available only if you have an activated Enterprise serial
key.


Standard and High Availability Modes Comparison


The Standard and High Availability modes have the following differences:

| Feature | Standard Mode | High Availability Mode |
|---|---|---|
| Serial key types | One of the following serial keys: Permanent, Trial, Update and support | Enterprise serial key and one of the following keys: Permanent, Trial, Update and support |
| Database type | Firebird or MS SQL | MS SQL |
| Number of Servers | One | Multiple |
| System requirements | Standard system requirements. | Standard system requirements, enabled Message Queueing, and configured NLB cluster. |
| Additional Ekran System components | None | License Server |
| Additional Software | None | NLB cluster. NOTE: We recommend using Windows NLB. We cannot guarantee the High Availability Mode to function with other load balancers correctly. |
| Component connection | Physical IP address | Logical IP address |
| Recommended for | Average number of Client computers | Large number of Client computers |

Installing/Uninstalling/Updating the Server


Installing the Server
To install the Server, do the following:
1. Run the EkranSystem_Components.exe installation file.


2. Click Next on the Welcome page.


3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Choose Components page, do one of the following and click Next:
• In the drop-down list, select Ekran System Server.
• Select Ekran System Server in the box.
5. On the Choose Install Location page, enter the installation path or click Browse to
navigate to the Server installation folder. Click Next.
6. On the Database Type page, select the type of the database you want to use for
storing data. Click Next. For more information see the Database Types Comparison
chapter.
7. If you have selected MS SQL Server, on the MS SQL Server Database Configuration
page, define the connection parameters and then click Next.
• Define the MS SQL Server instance name, which is the instance name assigned
to the TCP/IP port.
NOTE: If the default instance of the MS SQL is used, then only the name of the PC
with the MS SQL server must be defined.
• Define the Database name for the database.
• Define the User name and Password of a user account via which the
connection to the Server will be established.
NOTE: You have to define either the SA credentials or the credentials of the
user with the dbcreator permission.
8. If you have selected Firebird database, on the Database Location page, enter the
database path or click Browse to navigate to the database installation folder. Click
Next.
9. If you already have a database created while using previous program versions,
you will be offered the option to re-use it. If you want to use the existing database, click Yes.
Otherwise, click No and a new database will be created.
NOTE: If you click No, the existing database will be deleted.
10. On the Administrator password page, define the password for the administrator (the
default user of Ekran System with login admin and full permissions). Click Next.
11. On the Client Uninstallation Key page, enter the key that will be used during the
Client local uninstallation and click Next. By default, the Uninstallation key is allowed.
You will be able to change this key via the Management Tool any time later.
12. Click Install.
13. The installation process starts. Its progress is displayed on the Installing page.
14. After the end of the installation process, click Finish to exit the wizard.
15. If you are installing the Server for the first time, back up EkranMasterCertificate. The
backed up certificate might be required for Server recovery or during updates.
16. If you already have a backed up master certificate and are re-using the database, delete
the master certificate and import the backed up one in its place.


17. In Windows Firewall, you must allow the Server executable to accept TCP connections
via ports 9447 and 9449 (for the connection between the Server and the Clients), and
22713 (for the connection between the Server and the Management Tool). These
rules will be added to Windows Firewall automatically if Windows Firewall is enabled
during the Server installation.

Backing up Ekran Master Certificate


To back up Ekran Master Certificate, do the following:
1. On the Ekran Server computer with the certificate you want to back up, press
Windows+R, type mmc in the Run text box and press Enter.

2. In the opened User Account Control window, click Yes.


3. In the Console window, select File > Add/Remove Snap-in.

4. In the Add or Remove Snap-ins window, select Certificates and click Add.


5. In the Certificates Snap-in window, select the Computer account option and click Next.

6. In the Select Computer window, select the Local computer option and click Finish.


7. In the Add or Remove Snap-ins window, click OK.


8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select EkranMasterCertificate and in its context menu select All Tasks > Export.

10. The Certificate Export Wizard opens.


11. On the Certificate Export Wizard Welcome page, click Next.
12. On the Export Private Key page, select the Yes, export the private key option and click
Next.
13. On the Export File Format page, select the following options:
• Personal Information Exchange
• Include all certificates in the certification path if possible
• Export all extended properties
14. Click Next.


15. On the Security page, select the Password option and enter the password in the Password
and the Confirm password fields. Click Next.
NOTE: Make sure that you remember the password since you will need it when restoring
the certificate or transferring it to another server.
16. On the File to Export page, specify the location to store the certificate and the certificate
name manually or click Browse, and click Next.

17. On the Completing the Certificate Export Wizard page, click Finish.
NOTE: You will need the certificate for reinstalling the Server, moving it to another
computer, or creating the High Availability cluster.
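
The export steps above can also be scripted and the resulting file checked before it is relied on. The following is an added example, not part of the help file: it uses the built-in PKI cmdlets and assumes that the certificate shows "EkranMasterCertificate" in its Subject or FriendlyName and that the backup folder D:\Backup exists.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the MMC export procedure, plus a check
# that the backup file can be reopened with the chosen password.
# Assumptions (not from the help file): the certificate carries the name
# "EkranMasterCertificate" in its Subject or FriendlyName; the backup path below.
$ErrorActionPreference = 'Stop'
$certName   = 'EkranMasterCertificate'
$backupPath = 'D:\Backup\EkranMasterCertificate.pfx'   # hypothetical location

# Steps 8-9: locate the certificate in Certificates (Local computer) > Personal.
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*$certName*" -or $_.FriendlyName -like "*$certName*"
})
if ($found.Count -ne 1) {
    throw "Expected exactly one $certName in LocalMachine\My, found $($found.Count)."
}
$cert = $found[0]

# Step 12 exports the private key; a backup without it cannot restore the Server.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this computer."
}

# Step 15: prompt twice, like the Password and Confirm password fields.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$confirm  = Read-Host -Prompt 'Confirm password' -AsSecureString
$p1 = [System.Net.NetworkCredential]::new('', $password).Password
$p2 = [System.Net.NetworkCredential]::new('', $confirm).Password
if ($p1.Length -eq 0 -or $p1 -cne $p2) {
    throw 'Passwords are empty or do not match.'
}
Remove-Variable -Name p1, p2

# Steps 13-16: PFX format with the full certification path. Extended properties
# are included unless -NoProperties is given. The cmdlet stops with an error
# if the private key is marked as non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $backupPath -Password $password `
    -ChainOption BuildChain | Out-Null

# Verification: reopen the file with the same password and compare thumbprints.
$pfx = Get-PfxData -FilePath $backupPath -Password $password
if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw "Backup at $backupPath does not contain certificate $($cert.Thumbprint)."
}

# Summary to keep with the backup record.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    BackupFile = $backupPath
    SHA256     = (Get-FileHash -Path $backupPath -Algorithm SHA256).Hash
}
```

Recording the thumbprint and file hash alongside the backup lets you confirm that the file is unchanged before importing it on another server.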


Deleting Ekran Master Certificate


To delete Ekran Master Certificate, do the following:
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press
Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select EkranMasterCertificate and in its context menu select Delete.
10. Click Yes in the confirmation message.

Importing Ekran Master Certificate


To import Ekran Master Certificate, do the following:
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press
Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. In the Console window, select Actions > All Tasks > Import.
10. The Certificate Import Wizard opens.
11. On the Certificate Import Wizard Welcome page, click Next.
12. On the File to Import page, click Browse and select the file with the backed up certificate.
Click Next.
13. On the Private key protection page, enter the password and click Next.
14. On the Certificate Store page, select the Place all certificates in the following folder option,
click Browse, and select the Personal node. Click Next.
15. On the Completing the Certificate Import Wizard page, click Finish.

Installing the Server in the Cloud


To install the server in the cloud, do the following:
1. In the cloud, install the Server in the usual way.
2. In the cloud management console, allow the Server executable to accept TCP connections
via ports 9447 and 9449 (for the connection between the Server and the Clients), and 22713
(for the connection between the Server and the Management Tool).
NOTE: It is recommended to install the Server and Management Tool on the same computer.

Adding Server Executable to Windows Firewall


Please note that Windows Firewall will be adjusted automatically if it is enabled during the
Server installation. If you use any other Firewall, it should be adjusted as well.
To add the Server executable to the Windows Firewall, do the following:
1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.

3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules
and select New rule.


4. The New Inbound Rule Wizard opens.


5. On the Rule Type page, select Program and click Next.

6. On the Program page, select This program path, then click Browse and navigate to
the Server executable. The default path is
"C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe". Click Next.

7. On the Action page, select Allow the connection and then click Next.


8. On the Profile page, select the profile of the network used for connecting remote
computers and the Server. Click Next.

9. On the Name page, define the Name of the rule. Click Finish.

10. The rule is created for the Server application. By default, the rule allows any
connections via all ports.
11. To define the protocol and ports, double-click the created rule. The Properties
window opens.


12. In the Protocols and Ports tab, do the following:
• In the Protocol Type list, select TCP.
• In the Local port list, select Specific Ports. Type the following port numbers in
the box below:
o 9447 and 9449 (for the connection between the Server and the Clients)
o 22713 (for the connection between the Server and the Management Tool)
13. Click Apply to save changes. Click OK.
14. Close the Windows Firewall window.
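
Because a newly created program rule allows connections on all ports until steps 11 to 13 are completed, it is worth checking the result. The following is an added example, not part of the help file: it uses the built-in NetSecurity cmdlets, takes the program path and ports from the steps above, and the helper name Get-EkranServerRuleAudit is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the inbound Windows Firewall rules that reference the
# Server executable and flag any that are wider than the three TCP ports
# listed in the help file.
$serverExe     = 'C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe'  # default path from the page
$expectedPorts = @('9447', '9449', '22713')   # Clients: 9447, 9449; Management Tool: 22713

function Get-EkranServerRuleAudit {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Program,
        [Parameter(Mandatory)] [string[]] $Ports
    )

    # Rules may store the path with environment variables, so expand before comparing.
    $rules = Get-NetFirewallApplicationFilter |
        Where-Object { [Environment]::ExpandEnvironmentVariables($_.Program) -eq $Program } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

    foreach ($rule in $rules) {
        $pf    = $rule | Get-NetFirewallPortFilter
        $local = @($pf.LocalPort)                          # 'Any' or a list of ports/ranges
        $extra = @($local | Where-Object { $_ -notin $Ports })

        $finding = if ($pf.Protocol -ne 'TCP') {
            "protocol is $($pf.Protocol), expected TCP"
        } elseif ($extra.Count -gt 0) {
            "unexpected local ports: $($extra -join ', ')"
        } else {
            'ok'
        }

        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Profile   = $rule.Profile
            Protocol  = $pf.Protocol
            LocalPort = $local -join ','
            Finding   = $finding
        }
    }
}

$audit = @(Get-EkranServerRuleAudit -Program $serverExe -Ports $expectedPorts)
if ($audit.Count -eq 0) {
    Write-Warning "No enabled inbound allow rule references $serverExe."
}
$audit | Format-Table -AutoSize

# Ports from the help file that no TCP rule for the Server executable covers.
$covered = @($audit | Where-Object { $_.Protocol -eq 'TCP' } |
    ForEach-Object { $_.LocalPort -split ',' })
if ($covered -notcontains 'Any') {
    $expectedPorts | Where-Object { $_ -notin $covered } | ForEach-Object {
        Write-Warning "TCP port $_ is not allowed by any rule for the Server executable."
    }
}
```

A rule left in its default state shows up with LocalPort "Any" and a finding that names it, which is the condition steps 11 to 13 correct.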

Using an External/Cloud-Based Server Computer


If your Server is not in the same network as Clients or the Management Tool, do the
following:
1. Make sure your Server has a unique external IP address.
2. Specify this address when installing the Management Tool and installing the Client.

Updating the Server


The Server is updated via the installation file of a newer version. During an
update you may choose to update the existing database to a newer version or simply reinstall it.

To update the Server, do the following:


1. Run the EkranSystem_Components.exe installation file.
2. On the Welcome page, click Next.
3. On the Already Installed page, select Update/Add/Remove components and click Next.
4. On the Choose Components page, select Ekran System Server in the box and then click
Next.
5. On the Database Update page, if you want to keep the existing database, select Update
database to a new version, otherwise select Reinstall the database. Click Next.
NOTE: To change the type of the database, you need to reinstall the whole system.
6. On the Administrator password page, define the password for the administrator (the
default user of Ekran System with login admin and full permissions). Click Next.
7. The update process starts.
8. After the end of the update process, click Finish to exit the wizard.
9. If you are updating the Server from a version lower than 5.5, back up EkranMasterCertificate.
10. If you are updating the Server from version 5.5 or higher, make sure that the master
certificate is correct. If necessary, import it from the backed up copy.


Uninstalling the Server


NOTE: Before uninstalling the Server, make sure you have uninstalled all the Clients from the
remote computers. If you do not uninstall the Clients, they will remain installed on the
remote computers and collect the data locally. It will be impossible to remove them in the
usual way.
To uninstall the Server from the local computer, do the following:
1. Run the EkranSystem_Components.exe installation file or click Uninstall/Change on
the Ekran System application in the Programs and Features window of the Windows
Control Panel.
2. The setup wizard opens.
3. Click Next on the Welcome page.
4. On the Already Installed page, select Uninstall and click Next.
5. On the Uninstall Ekran System page, click Uninstall.
6. If you want to delete the database, click Yes in the confirmation message.
Otherwise, click No and you will be able to use the saved database during the next
installation of the program.
7. Wait for the uninstallation process to complete.

Server Tray
The Server Tray application informs you about the Server state. This application is installed on
the computer where the Server is installed.
It also automatically restarts the Server in case of its failure. The first three times the restart is
performed automatically. The user is informed about the Server failure in the notification area.
If the Server fails for the fourth time, it does not restart.

You can start/stop the Server or hide the icon from the notification area.

Database Management
About
Database management is performed via the Management Tool by the user with the
administrative Database management permission. During the database management process
you can delete monitoring data, delete offline or uninstalled Clients, shrink the database
depending on its type, and enable using the password vault.


Two types of the cleanup operation are available:
• Cleanup: Allows deleting monitored data collected by the Clients from the database.
• Archiving & Cleanup: Allows saving the monitored data in the secure storage and then
deleting it from the database. You can view the archived sessions in the Session Viewer
any time.

NOTE: The Archiving & Cleanup option is available only if you have an activated Enterprise
serial key.
You can configure the cleanup execution frequency as follows:
• Once: The one-time cleanup operation will be performed when you click Save.
• On schedule: The scheduled cleanup operation will be performed every few days at a
specified time.

Cleanup Parameters
The following parameters are available for cleanup operation:

| Parameter | Description |
|---|---|
| Parameters applied to both Cleanup and Archiving & Cleanup operations | |
| Leave sessions in database (days) | Sessions stored in the database longer than the defined period of time will be deleted during the cleanup process. |
| Client exceptions | The Clients whose monitoring data will not be deleted during the cleanup process. They are added on the Adding Exceptions page. |
| Parameters applied to the Archiving & Cleanup operation for Firebird database type | |
| Archive database location | The location of the database. NOTE: If you do not have an archive database, it will be created on Archiving & Cleanup start. |
| Binary data location | In case the binary data is stored separately, you have to define the binary data folder location. |
| Parameters applied to the Archiving & Cleanup operation for MS SQL database type | |
| SQL server instance | The path to the SQL server instance. |
| Archive database name | The name of the database. NOTE: If you do not have an archive database, it will be created on Archiving & Cleanup start. |
| User name and Password | Credentials of the user with access to the database. |

One-Time Cleanup
To delete data from the Server once, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archiving & Cleanup Options tab.
4. In the Frequency section, select the Run once option.
5. On the Archiving & Cleanup Options tab, in the Settings section, in the Action type drop-
down list, select the Cleanup option to delete the monitored data from the database or the
Archive & Cleanup option to archive and then delete the monitored data.
6. Define the necessary parameters.
NOTE: To check connection with the archive database before Archiving & Cleanup start, click
Test Database Connection in the Archive parameters section.
7. To select the Clients whose monitoring data will not be deleted during the cleanup
process, click Add Exceptions.
8. On the Adding Exceptions page, select the necessary Clients and then click Add
selected. Use filters to find a specific Client.
9. When all cleanup settings are defined, click Save.
10. The cleanup process starts.

Scheduled Cleanup
To delete data from the Server on schedule, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archiving & Cleanup Options tab.
4. In the Frequency section, select the Repeat by scheduler option.
5. Define the following options:
• Perform every (days): The frequency of the cleanup operation.
• Start database cleanup at: The time to execute the cleanup operation.
6. On the Archiving & Cleanup Options tab, in the Settings section, in the Action type drop-
down list, select the Cleanup option to delete the monitored data from the database or the
Archive & Cleanup option to archive and then delete the monitored data.


7. Define the necessary parameters.


NOTE: To check connection with the archive database, click Test Database Connection in the
Archive parameters section.
8. To select the Clients whose monitoring data will not be deleted during scheduled
cleanup process, click Add Exceptions.
9. On the Adding Exceptions page, select the necessary Clients and then click Add
selected. Use filters to find a specific Client.
10. When all cleanup settings are defined, click Save.

Shrinking MS SQL Database


The database shrinking feature allows you to shrink the size of the MS SQL database to the
actual amount of the data stored in it by releasing the space that is reserved by the database
but not used by it.
NOTE: The database shrinking procedure may take some time (up to several hours) and cause
performance slowdown.

To shrink a database, do the following:


1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Database Options tab.
4. On the Database Options tab, click Shrink database.
NOTE: The progress of the database shrinking process is not displayed in the Management
Tool and there is no indication of the process finishing.

Firebird Database Optimization


When using the Firebird database it is recommended to perform the Update statistics
procedure at least every two months in order to optimize the database and increase the speed
of reports generation.

To perform the Update statistics procedure, do the following:


1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Database Options tab.
4. On the Database Options tab, click Update statistics.


Deleting the Client


Deleting a Client removes it completely from the database, together with all its
captured sessions. After this, the Client disappears from the Management Tool and its captured
data is not displayed in the Session Viewer.
Only offline or uninstalled Clients (after either local or remote uninstallation) can be
deleted. If the Client connects to the Server again after deletion, it will appear in the
Management Tool but its deleted data will be unavailable.

To delete one offline/uninstalled Client, do the following:


1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the needed offline or uninstalled Client from the list and click
Edit Client.

4. On the Editing Client page, on the Properties tab, click Delete Client.
5. In the confirmation message, click Delete.
6. The Client is deleted.

To delete several offline/uninstalled Clients, do the following:


1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Delete Clients.


4. On the Client Deletion page, click Add Clients to list.

5. The Client Deletion from Database page opens. It contains all Clients that can be deleted.
NOTE: Only offline and uninstalled Clients are displayed in the list.
6. Select the needed Clients from the list and then click Next. To find a specific Client, enter its
name in the Contains box and click Apply Filters.

7. When all Clients are selected, click Delete on the Client Deletion from Database page.

8. The Clients are deleted from the Server (with all captured sessions) and disappear from the
Management Tool.

Moving the Server Database


About
Ekran System allows you to move the Server database either to another computer or to
another location on the same computer.

Moving the Server Database on the Same Computer


To change the location for the MS SQL Server Database, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. Log in to the SQL Management Studio as a user with administrative permissions.


3. In the SQL Management Studio, detach the Ekran databases (select the database and in its
context menu, select Task > Detach). Default names of the databases are EkranActivityDB
and EKRANManagementDatabase.
4. Navigate to the location where the Ekran databases are stored. The default location is
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
5. Move the following files to another location: EkranAlphaActivityDB,
EKRANManagementDatabase, EkranAlphaActivityDB_log, and
EKRANManagementDatabase_log.
6. In the SQL Management Studio, reattach the Ekran databases as follows:
• In the context menu of the Database partition, click Attach.
• In the opened Attach Databases window, click Add and select the moved database.
• Click OK.
7. The Database location is changed. Start the EkranServer service to continue working with
the program.

To change the location for the Server Firebird database, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem
key.
4. Find the Database values (Database and ManagedDatabase) and see where the Database
files are located on your computer.

5. Move the folder with database files to a new location.


NOTE: The folder contains the EKRANACTIVITYDB.FDB and MANAGEMENTDATABASE.FDB
files and the Cache subfolder (unless your Cache subfolder is stored in the shared folder).


6. In the Registry Editor window, modify the following values:
• Database: Enter the full path to the EkranActivityDB.fdb file (including the file name) in
its new location and then click OK.
• Managed Database: Enter the path to the folder with Ekran database in its new location
and then click OK.


7. The Database location is changed. Start the EkranServer service to continue working with the
program.

Moving the Server Database to Another Computer


To move the MS SQL Server Database to another computer, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. Log in to the SQL Management Studio as a user with administrative permissions.
3. In the SQL Management Studio, detach the Ekran databases (select the database and in its
context menu, select Task > Detach). Default names of the databases are EkranActivityDB
and EKRANManagementDatabase.
4. Navigate to the location where the Ekran databases are stored. The default location is
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
5. Copy the following database and log files: EkranAlphaActivityDB,
EKRANManagementDatabase, EkranAlphaActivityDB_log, and
EKRANManagementDatabase_log.
NOTE: If the binary data is stored in the shared or local folder, you have to copy it too.
6. Upload the copied files to a suitable location on the new computer with the SQL Server.


7. On the computer the MS SQL database is moved to, log in to the SQL Management Studio
as a user with the administrative permissions and attach the Ekran databases as follows:
• In the context menu of the Database partition, click Attach.
• In the opened Attach Databases window, click Add and select the uploaded
database.
• Click OK.
8. Uninstall the Server on the original computer.
9. Install the Server:
• If you are reinstalling the Server on the original computer, select the MS SQL
database, configure the connection to the moved database, and confirm its usage.
• If you are installing the Server on the computer with the moved database, do the
following:
  - Copy the certificates from the Server installation folder on the original computer.
  - Reinstall all Clients.
  - Contact the support team at support@ekransystem.com to change the HWID
    associated with your serial keys to a new one.
10. The Database location is changed. Start the EkranServer service to continue working with
the program.

Moving Binary Data to Shared or Local Folder


If necessary, you can store binary data received from Clients in the shared or local folder on
your computer. This might be necessary for storing large amounts of data.
This feature has the following limitations:
• Shared Folders on mapped and mounted disks cannot be used for storing binary data.
• After you select to store binary data in the shared folder instead of MS SQL database,
the already existing screenshots will no longer be displayed (only metadata will be
available for them). The newly received screenshots will be displayed.

To move binary data to the shared folder, do the following:


1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. For the Firebird database, do the following (for the MS SQL database, skip this step):
• Open the Windows Registry Editor.
• In the Registry Editor window, select the
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
• Find the Database value and check where the Database files are located on your
computer.
• Move the Cache folder with binary files to a new location.
3. In the Registry Editor window, click Edit > New > String value and add a new value:
• Value type: String
• Value name: StorageDirectory
• Value data: Shared Folder location as \\<computer IP>\<folder path> or
\\<computer name>\<folder path>


4. To access binary data in the shared folder on a different computer from your Server, it is
recommended to do the following:
• Open Computer Management.
• In the Computer Management window, open Services and Applications > Services.
• In the Services pane, find the EkranServer service and select Properties in the context
menu.
• In the EkranServer Properties window, navigate to the Log On tab.
• In the Log On tab, select the This account option, specify the credentials for the
EkranServer service to start under, and click Apply. Make sure the user with the
specified credentials has administrator permissions on your Server computer and full
access to the shared folder on the different computer.
• Restart the service.

5. Start the EkranServer service to continue working with the program.

Validating Monitoring Data


About
If necessary, you can enable validation of the monitoring data of Windows Clients, which lets
you check that the data in the database has not been altered. It can be enabled for both
Firebird and MS SQL databases.
Two types of monitoring data validation are available:
• Calculating hash codes for monitoring data: in this case, the hash codes will be
calculated for each screenshot and metadata record received from Windows Clients.
• Signing monitoring data with certificate: in this case, each screenshot and metadata
record received from Windows Clients will be signed with the trusted certificate.
NOTE: If both types of validation are enabled, only signing monitoring data with certificate
will be used.
After validation of monitoring data is enabled or the validation type is changed, all previously
recorded sessions of Windows Clients will be considered invalid.
With validation of monitoring data enabled, the integrity of monitoring data within a
Windows Client session is checked when the session is opened in the Session Player. If some
screenshots or metadata records have been deleted or modified, the warning message
“Session data is not valid!” will be displayed in the Session Player.
NOTE: When the validation of monitoring data is enabled, CPU usage will rise while
viewing the Client sessions in the Session Player.
NOTE: After validation of monitoring data is enabled, screenshots will not be shown for
existing sessions that were not viewed before.

Validating Monitoring Data Using Hash Codes


To enable calculating of hash codes for monitoring data, do the following:
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem
key.
4. Select Edit > New > DWORD (32-bit) Value and define the following:
• Value name: SignMonitoredData
• Value data: 1
5. Start the EkranServer service to continue working with the program.

Signing Monitoring Data with Certificate


To enable signing of monitoring data with certificate, you have to do the following on the Ekran
Server computer:
Step 1. Import the trusted purchased certificate or the self-signed one.
Step 2. Create a special string value in the Windows Registry.

Step 1. Importing Trusted Certificate

1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press
Enter.
2. In the opened User Account Control window, click Yes.

3. In the Console window, select File > Add/Remove Snap-in.

4. In the Add or Remove Snap-ins window, select Certificates and click Add.

5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer: (the computer this console is
running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, find the Personal node.


9. In the context menu of the Personal node, select All Tasks > Import.

10. The Certificate Import Wizard opens.


11. On the Certificate Import Wizard Welcome page, click Next.
12. On the File to Import page, specify the location and name of the certificate to be imported
manually or click Browse, and then click Next.


13. If required, on the Private key protection page, enter the password for the private key and
then click Next.

14. On the Certificate Store page, click Next.

15. On the last page of the Certificate Import Wizard, click Finish, and then click OK in the
confirmation message.
16. Select Certificates (Local Computer) > Personal > Certificates and double-click the imported
certificate.

17. In the Certificate window, select Details > Thumbprint and then copy the Thumbprint
value.

Step 2. Enabling Monitoring Data Signing with Certificate

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification
area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem
key.
4. Select Edit > New > String Value and add a new value:
• Value name: SignMonitoredDataCert
• Value data: <copied Thumbprint value of the imported certificate (without spaces)>
5. Start the EkranServer service to continue working with the program.
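
Step 2 can also be scripted. The following PowerShell is an added example, not part of the original help file or the vendor's tooling; it uses the key path, value names and service name from the steps above, while the function name and the checks it performs are assumptions of the example. It expects an elevated session on the Ekran Server computer.

```powershell
# Added example, not vendor code. The key path, value names and service name are the ones
# used in the steps above; Set-EkranSigningCertificate is a hypothetical helper name.
# Assumption: elevated PowerShell session on the Ekran Server computer.
function Set-EkranSigningCertificate {
    param(
        # Thumbprint as copied from Details > Thumbprint; spaces are tolerated.
        [Parameter(Mandatory = $true)][string]$Thumbprint
    )
    $ErrorActionPreference = 'Stop'
    $keyPath = 'HKLM:\SOFTWARE\EkranSystem'

    # Keep hexadecimal digits only. This drops the spaces and any invisible characters
    # picked up when the value is copied out of the Certificate window.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-digit SHA-1 thumbprint, got $($clean.Length) hex digits."
    }

    # The certificate has to be in Certificates (Local Computer) > Personal, and it
    # needs its private key, otherwise nothing can be signed with it.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate $clean in Cert:\LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key on this computer." }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }

    if (-not (Test-Path -Path $keyPath)) { throw "$keyPath does not exist on this computer." }

    # If hash-code validation is enabled too, only certificate signing is used.
    $hashMode = Get-ItemProperty -Path $keyPath -Name 'SignMonitoredData' -ErrorAction SilentlyContinue
    if ($hashMode -and $hashMode.SignMonitoredData -eq 1) {
        Write-Warning 'SignMonitoredData is 1: certificate signing will take precedence.'
    }

    Stop-Service -Name 'EkranServer'
    try {
        New-ItemProperty -Path $keyPath -Name 'SignMonitoredDataCert' `
            -PropertyType String -Value $clean -Force | Out-Null
    }
    finally {
        # Bring the Server back even if the registry write failed.
        Start-Service -Name 'EkranServer'
    }

    # Return what is now stored so it can be compared with the certificate.
    [pscustomobject]@{
        Subject               = $cert.Subject
        NotAfter              = $cert.NotAfter
        SignMonitoredDataCert = (Get-ItemProperty -Path $keyPath -Name 'SignMonitoredDataCert').SignMonitoredDataCert
    }
}

# Constructed placeholder thumbprint; replace it with the value copied in Step 1.
# Set-EkranSigningCertificate -Thumbprint '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'
```

Keep in mind that enabling signing or changing the validation type marks all previously recorded Windows Client sessions as invalid, as described in the About section above.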

Moving the Server Database Signed with Certificate to another Computer

About

If you want to move the Ekran database whose monitoring data is signed with certificate to the
new computer, you have to do the following:
Step 1. On the Ekran Server computer, export the certificate used for signing the monitoring
data, copy it to the new computer, and then import it.


Step 2. Move the database to the new computer.


Step 3. Install the Ekran Server on the new computer and then enable signing of monitoring
data with imported certificate.

Exporting Trusted Certificate

1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press
Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.

4. In the Add or Remove Snap-ins window, select Certificates and click Add.

5. In the Certificates Snap-in window, select the Computer account option and click Next.


6. In the Select Computer window, select the Local computer: (the computer this console is
running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select the trusted certificate used for signing the monitoring data in the database and in its
context menu select All Tasks > Export.

10. The Certificate Export Wizard opens.


11. On the Certificate Export Wizard Welcome page, click Next.
12. On the Export Private Key page, click Next.
13. On the Export File Format page, select the file format for the certificate and click Next.


14. On the File to Export page, specify the location to store the certificate and the certificate
name manually or click Browse, and then click Next.

15. On the Completing the Certificate Export Wizard page, click Finish.
16. Copy the exported certificate to a suitable location on the new computer and then import
it.


Advanced SIEM Integration


About
Advanced SIEM integration provides the ability to create a separate log file in one of the
following formats:
- Common Event Format (CEF): can be viewed and analysed by the Splunk or ArcSight
monitoring software
- Log Event Extended Format (LEEF): can be viewed and analysed by the IBM QRadar
monitoring software

When SIEM integration is enabled, the log file will be created on the Ekran Server computer. By
default, the log file name is EventLog and it is stored in the Server installation folder.
NOTE: The Advanced SIEM Integration functionality is available only if you have an activated
Enterprise serial key.

Log File Contents


Depending on the defined log settings, different types of monitoring data can be written to the
log file.

Client events
CEF header information: Device Event Class ID = 100; Name = EkranClientEvent; cat = ClientEvents
LEEF header information: EventID = 100; Cat = ClientEvents
Log data:
- Windows Client events: username (with the secondary username), Client name, activity time,
activity title, application name, URL, keystrokes, alert/USB Rule, Session Player URL, OS,
domain name, IPv4, IPv6, remote IP.
- Linux Client events: username, Client name, activity time, command, function, parameters,
alert, Session Player URL, OS, IPv4, IPv6.

Alert events
CEF header information: Device Event Class ID = 200; Name = EkranAlertEvent; cat = AlertEvents
LEEF header information: EventID = 200; Cat = AlertEvents
Log data:
- Windows Client alert events: alert ID, alert name, alert description, username (with the
secondary username), Client name, activity time, activity title, application name, URL,
keystrokes, Session Player URL, OS, domain name, IPv4, IPv6, remote IP.
- Linux Client alert events: alert ID, alert name, alert description, username, Client name,
activity time, command, function, parameters, Session Player URL, OS, IPv4, IPv6.

Management Tool Log Events
CEF header information: Device Event Class ID = 300; Name = EkranMTLogEvent; cat = MTLogEvents
LEEF header information: EventID = 300; Cat = MTLogEvents
Log data: Management Log entry ID, time, Ekran System username, user groups, category, action,
object, details.
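
To show how the CEF header values listed above can be used on the receiving side, here is an added PowerShell example (not from the original help file or the vendor) that parses CEF records, groups them by Device Event Class ID, and flags records whose Name or cat does not match the class ID. It assumes the standard CEF layout (CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension); the sample lines, including vendor, product, severity and every extension key except cat, are constructed.

```powershell
# Added example, not vendor code. Class IDs, Name and cat values come from the list above;
# everything else in the sample lines is constructed for illustration.
$EkranEventClasses = @{
    '100' = @{ Name = 'EkranClientEvent'; Cat = 'ClientEvents' }
    '200' = @{ Name = 'EkranAlertEvent';  Cat = 'AlertEvents'  }
    '300' = @{ Name = 'EkranMTLogEvent';  Cat = 'MTLogEvents'  }
}

# ConvertFrom-CefLine is a hypothetical helper name.
function ConvertFrom-CefLine {
    param([Parameter(Mandatory = $true)][string]$Line)

    $start = $Line.IndexOf('CEF:')
    if ($start -lt 0) { return $null }            # not a CEF record
    $body = $Line.Substring($start + 4)

    # Collect the seven pipe-delimited header fields; \| and \\ are escapes inside the header.
    $fields = New-Object 'System.Collections.Generic.List[string]'
    $sb = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $body.Length -and $fields.Count -lt 7) {
        $c = $body[$i]
        if ($c -eq '\' -and ($i + 1) -lt $body.Length -and
            ($body[$i + 1] -eq '|' -or $body[$i + 1] -eq '\')) {
            [void]$sb.Append($body[$i + 1])
            $i += 2
            continue
        }
        if ($c -eq '|') {
            $fields.Add($sb.ToString())
            [void]$sb.Clear()
        }
        else {
            [void]$sb.Append($c)
        }
        $i++
    }
    if ($fields.Count -lt 7) { return $null }     # truncated header

    # Everything after the seventh pipe is the extension: space-separated key=value
    # pairs whose values may themselves contain spaces.
    $ext = @{}
    foreach ($m in [regex]::Matches($body.Substring($i), '(\w+)=(.*?)(?=\s+\w+=|\s*$)')) {
        $ext[$m.Groups[1].Value] = $m.Groups[2].Value
    }

    $classId  = $fields[4]
    $expected = $EkranEventClasses[$classId]
    [pscustomobject]@{
        ClassId    = $classId
        Name       = $fields[5]
        Category   = $ext['cat']
        # True only when the class ID is known and Name and cat agree with it.
        Consistent = ($null -ne $expected) -and ($fields[5] -eq $expected.Name) -and
                     ($ext['cat'] -eq $expected.Cat)
        Extension  = $ext
    }
}

# Constructed sample records. The last one deliberately pairs class ID 200 with the wrong cat.
$sample = @(
    'CEF:0|ExampleVendor|ExampleProduct|1.0|100|EkranClientEvent|3|cat=ClientEvents suser=jsmith app=notepad.exe'
    'CEF:0|ExampleVendor|ExampleProduct|1.0|200|EkranAlertEvent|8|cat=AlertEvents suser=jsmith msg=USB storage device plugged in'
    'CEF:0|ExampleVendor|ExampleProduct|1.0|300|EkranMTLogEvent|5|cat=MTLogEvents suser=admin act=User deleted'
    'CEF:0|ExampleVendor|ExampleProduct|1.0|200|EkranAlertEvent|8|cat=ClientEvents suser=jsmith'
)

$parsed = $sample | ForEach-Object { ConvertFrom-CefLine -Line $_ }

# Event volume per class ID, then the records that do not match the documented mapping.
$parsed | Group-Object -Property ClassId | Select-Object -Property Name, Count
$parsed | Where-Object { -not $_.Consistent } | Select-Object -Property ClassId, Name, Category
```

To run it against real data, replace the constructed array with the lines of the log file created on the Ekran Server computer.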

Enabling Log File Creation


To enable the creation of a log file, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Configuration navigation link to the left and open the SIEM Integration tab.
3. Select the Create a log file option to enable creating a log file.
4. Select the log file format: CEF log or LEEF log.
5. Define the log settings.
6. Click Save.

Log Cleanup
Depending on the defined log cleanup settings, the cleanup operation can be performed either
daily at a specified time or every few days, hours, or minutes. During the log cleanup operation,
the current log file is renamed (the date and time of the cleanup operation are added to its
name) and a new one is created in the same folder. If a log file reaches its maximum size
before the cleanup start time, it is also renamed.
NOTE: To avoid running out of space on the computer where the log files are stored, it is
recommended to check the used disk space periodically and delete the log files that are no
longer in use.


Management Tool
About
The Management Tool is the component for managing the whole system and viewing
monitored data received from Clients. It can be installed on any computer, but a network
connection to the Server is required for the Management Tool to operate. The system can
include several computers with the Management Tool installed. You work with the
Management Tool through your browser.

Management Tool Installation Prerequisites


Prerequisites Overview
The following prerequisites are necessary for successful installation of the Management Tool.
For Windows 7, it is important that you follow these steps in the correct order.

To be able to install the Management Tool, you need to:


1. Turn on the Internet Information Service.
2. Install .NET Framework.
3. Configure the Internet Information Service.
4. Generate a self-signed certificate or import a purchased SSL certificate issued for the
computer on which the Management Tool will be installed.
5. Add the certificate to the Trusted Root Certification Authorities on the computer on which
the Management Tool will be installed. Otherwise a certificate error will be displayed in
your browser when opening the Management Tool.
6. Set HTTPS binding for a default web site (or any other IIS site).
NOTE: If you already have a certificate generated for the computer on which the
Management Tool will be installed, you can skip certificate generation step and use an
existing certificate.


Turning on Internet Information Service (IIS)


Turning on IIS for Windows 8 and Windows 7
To turn on the Internet Information Service for Windows 8 and Windows 7, do the following:
1. Select Control Panel > Programs and Features (Program uninstallation).

2. Click the Turn Windows features on or off navigation link.


3. The Windows Features window opens.
4. In the features tree-view, select the Internet Information Services option.

5. Click OK.


Turning on IIS for Windows Server 2008 R2


To turn on the Internet Information Service for Windows Server 2008 R2, do the following:
1. In the Start menu, select All Programs > Administrative Tools > Server Manager.
2. In the navigation pane, select Roles, and then click Add Roles.

3. The Add Roles Wizard opens.


4. On the Before You Begin page, click Next.
5. On the Server Roles page, select Web Server (IIS), click Next, and then go to the Role
Services page to start configuring Web Server (IIS).


Turning on IIS for Windows Server 2012


The Internet Information Service can be turned on using the Windows PowerShell or Windows
Server 2012 Server Manager.

To turn on the Internet Information Service for Windows Server 2012 using Windows
PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and press Enter:
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools

To turn on the Internet Information Service for Windows Server 2012 using Server Manager,
do the following:
1. In the Start menu, select Server Manager.
2. In the navigation pane, select Dashboard, then click Manage > Add roles and features.

3. The Add Roles and Features Wizard opens.


4. On the Before You Begin page, click Next.
5. On the Installation type page, select Role-based or feature-based installation, and then
click Next.


6. On the Server Selection page, select Select a server from the server pool, select your server
from the Server Pool list, and then click Next.

7. On the Server Roles page, select Web Server (IIS), click Next and then click Add Features to
start configuring Web Server (IIS).


Installing .NET Framework


Windows 10 and Windows Server 2016 usually have .NET Framework 4.6 installed.
If you are using Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server
2008, or if there is no .NET Framework 4.5.2 on other Windows versions, you can download it
from the Microsoft official website http://www.microsoft.com/en-us/download/details.aspx?id=42642
and run the installation file on your computer.
Alternatively, on Windows Server 2012, you can install .NET Framework 4.5.2 using Windows
PowerShell.
To install .NET Framework 4.5.2 and configure Internet Information Service (IIS) for Windows
Server 2012 using Windows PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and press Enter:
Install-WindowsFeature -Name NET-Framework-Core, NET-Framework-45-ASPNET, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter

Configuring Internet Information Service (IIS)


Windows 10
Make sure that all the following options are selected in the Windows Features window and
then click OK:
• .NET Framework 3.5 and .NET Framework 4.6 Advanced Services;
• Internet Information Services > Web Management Tools > IIS Management Console;
• Internet Information Services > World Wide Web Services > Application Development
Features > ASP.NET 3.5 and ASP.NET 4.6;
• Internet Information Services > World Wide Web Services > Common HTTP Features >
Static Content.


Windows 8
Make sure that all the following options are selected in the Windows Features window and
then click OK:
• .NET Framework 3.5 and .NET Framework 4.5 Advanced Services;
• Internet Information Services > Web Management Tools > IIS Management Console;
• Internet Information Services > World Wide Web Services > Application Development
Features > ASP.NET 3.5 and ASP.NET 4.5;
• Internet Information Services > World Wide Web Services > Common HTTP Features >
Static Content.

Windows 7
Make sure that all the following options are selected in the Windows Features window and
then click OK:
• Internet Information Services > Web Management Tools > IIS Management Console;
• Internet Information Services > World Wide Web Services > Application Development
Features > ASP.NET;
• Internet Information Services > World Wide Web Services > Common HTTP Features >
Static Content.

Windows Server 2008
3. In the Add Roles Wizard window, on the Role Services page, make sure that the following
options are selected:
• Common HTTP Features > Static Content;
• Application Development > ASP.NET.
4. Click Next and then click Add Required Role Services.
5. On the Role Services page, make sure that the following options are selected:
• Management Tools > IIS Management Console.
6. Click Next and then click Install.
7. After the end of installation, click Close.

Windows Server 2012
1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure that the
Web Server (IIS) option is selected and then click Next.
2. On the Features page, make sure that the following options are selected:
• .NET Framework 3.5 Features (Installed) > .NET Framework 3.5;
• .NET Framework 4.5 (Installed) > ASP.NET 4.5.
3. Click Next.
4. On the Web Server Role IIS page, click Next.
5. On the Role Services page, select the ASP.NET 4.5 option (under Application Development).
6. Click Next and then click Add Features.
7. On the Role Services page, make sure that the following options are selected:
• Application Development > .NET Extensibility 4.5, ASP.NET 4.5, ISAPI Extensions, and
ISAPI Filters.
8. Click Next and then click Install.
9. After the end of installation, click Close.

Windows Server 2016
1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure that the
Web Server (IIS) option is selected and then click Next.
2. On the Features page, make sure that the following options are selected:
• .NET Framework 3.5 Features > .NET Framework 3.5
• .NET Framework 4.6 Features > .NET Framework 4.6 and ASP.NET 4.6
3. Click Next.
4. On the Web Server Role IIS page, click Next.
5. On the Role Services page, select the ASP.NET 4.6 option (under Application Development).
6. Click Next and then click Add Features.
7. On the Role Services page, make sure that the following options are selected:
• Application Development >
- .NET Extensibility 4.6
- ASP.NET 4.6
- ISAPI Extensions
- ISAPI Filters
8. Click Next and then click Install.
9. After the end of installation, click Close.

Using Certificates
Generating Self-Signed Certificate
To generate a self-signed certificate on the computer on which you will install the
Management Tool, do the following:
1. Open the Internet Information Service Manager:
• For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications >
Internet Information Services (IIS) Manager.
• For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr
in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information
Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server
Certificates item under the IIS category.


3. The Server Certificates pane opens.


4. On the Actions pane (to the right), click Create Self-Signed Certificate.

5. The Create Self-Signed Certificate window opens.


6. Enter the name for a certificate in the Specify a friendly name for the certificate box and
select Personal in the Select a certificate store for the new certificate drop-down list. Click
OK.

7. The certificate is created.


Exporting Self-Signed Certificate


To export self-signed certificate, do the following:
1. In the Internet Information Service Manager, on the Server Certificates pane, select the
generated certificate and click Export on the Actions pane or in the certificate context
menu.
2. In the Export Certificate window, define the location and password for the certificate. Click
OK.

3. The certificate is exported and can be added to the Trusted Root Certification Authorities.
Importing Trusted Certificate
To import a purchased certificate issued for the computer, do the following:
1. Open the Internet Information Service Manager:
• For Windows 8 or Windows 7: Open Computer > Manage > Services and
Applications > Internet Information Services (IIS) Manager.
• For Windows Server 2012 or 2008: Press Windows+R, enter inetmgr in the Run
window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet
Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server
Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Import.


5. In the Import Certificate window, click the Browse button to browse for the file of the
purchased certificate and enter its password in the Password field.

6. Click OK.
7. The certificate is imported and displayed on the Server Certificates pane of the Internet
Information Services (IIS) Manager.

Adding Certificate to Trusted Root Certification Authorities


Before adding the self-signed certificate to the Trusted Root Certification Authorities, it should
be exported. For purchased certificates that were issued for your computer this procedure is
not needed.

To add the certificate to the Trusted Root Certification Authorities, do the following:
1. Press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.


4. In the opened Add or Remove Snap-ins window, select Certificates > Add.

5. In the opened Certificates snap-in window, select Computer account and click Next.

6. In the opened Select Computer window, select Local computer: (the computer this console
is running on) and click Finish.

7. In the Add or Remove Snap-ins window, click OK.


8. In the Console window, expand the Certificates (Local computer) node.


9. In the Certificates (Local computer) tree-view, find the Trusted Root Certification
Authorities node.

10. In the context menu of the Trusted Root Certification Authorities node, select All Tasks >
Import.

11. The Certificate Import Wizard opens.


12. On the Certificate Import Wizard Welcome page, click Next.

13. On the File to Import page, click Browse to find the certificate to be imported and then click
Next.

14. On the Private key protection page, enter the certificate password and then click Next.


15. On the Certificate Store page, click Next.

16. On the last page of the Certificate Import Wizard, click Finish.
17. In the confirmation message, click OK.
18. The certificate is imported and is displayed in the Console window in the Certificates node.
Please note that the Issued To field contains the name of the computer on which the
Management Tool will be installed in the format that will be used when opening the
Management Tool.


19. Close the Console window.

Setting HTTPS Binding for a Default Web-Site


To set HTTPS binding for a default web-site, do the following:
1. Open the Internet Information Service Manager:
• For Windows 8 or Windows 7: Open Computer > Manage > Services and
Applications > Internet Information Services (IIS) Manager.
• For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter
inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet
Information Service Manager for any version of the Windows operating system.
2. Expand the node with the name of the target computer in the central pane.
3. Expand the Sites node.
4. Select the Default Web Site.
NOTE: If there is no such site in the Internet Information Services (IIS) Manager of your
computer, you can select any other site (the name of the site does not matter).

5. Click the Bindings navigation link to the right.


6. The Site Bindings window opens.


7. If there is no binding of HTTPS type in the Site Bindings window, click Add.
8. The Edit Site Binding window opens.
9. In the Type box, select https.

10. Next to the SSL certificate drop-down list, click Select.


11. The Select Certificate window opens, where the list of existing certificates is displayed.
12. In the Select Certificate window, select the certificate generated for the Management Tool
and then click OK.

13. In the Add Site Binding window, click OK.


14. In the Site Bindings window, click Close.
15. Now the Internet Information Service is fully adjusted and you can start installing the
Management Tool.


Installing/Uninstalling/Updating the Management Tool


Installing the Management Tool
To install the Management Tool, do the following:

1. Run the EkranSystem_ManagementTool.exe installation file.

2. On the Welcome page, click Next.

3. Carefully read the terms of the End-User License Agreement and click I Agree.

4. On the Connection Settings page, do the following and then click Next:

• In the Server address box, enter the name or IP address of the computer on which
the Server is installed.

• In the URL address field, enter the folder where the Management Tool will be
located within IIS. This URL will be used when opening the Management Tool.

5. On the Choose Install Location page, enter the destination folder in the corresponding
field or click Browse and in the Browse For Folder window, define the destination
folder. Click Install.


6. The installation process starts. Its progress is displayed on the Installing page.
7. After the end of the installation process, click Close to exit the wizard.
8. The Management Tool is displayed as an application of a default web site or any other
site with https connection in the Internet Information Services (IIS) Manager.

9. Now you can open the Management Tool via your browser from the same computer
or a remote one.


Adjusting Computer for Remote Access


If you want to open the Management Tool from a computer other than the one where
the Management Tool is installed, you need to adjust the Firewall settings on the
Management Tool computer so that it can be accessed.
If users access the Management Tool only from the computers where it is installed, there is
no need to configure the Firewall.

To adjust Firewall on the computer where the Management Tool is installed, do the
following:
1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules
and select New rule.
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Predefined and then select Secure World Wide Web
Services (HTTPS) in the list. Click Next.


6. On the Predefined Rules page, select the World Wide Web Services (HTTPS Traffic-In)
option. Click Next.

7. On the Action page, select Allow the connection. Click Finish.

8. The new inbound rule for Firewall is created.

Updating Management Tool


To update the Management Tool, do the following:
1. Run the Management Tool installation file (EkranSystem_ManagementTool.exe) of a newer
version.
2. On the The program is already installed page, select Update and then click Next.
3. Follow the installation instructions.
4. The Management Tool will be updated to the new version.


Uninstalling Management Tool


To uninstall the Management Tool, do the following:
1. Open the Programs and Features window of the Windows Control Panel.
2. In the Programs and Features window, find the Ekran System Management Tool
application.
3. In the context menu of the application, select Uninstall.
4. The setup wizard opens and starts the uninstallation process.
5. When the process is completed, click Close to exit the setup wizard.
6. The Management Tool is uninstalled and removed from the Internet Information Service
(IIS).

Opening Management Tool


To open the Management Tool, do the following:
1. Open the browser and enter https://<name of the computer or IP on which the
Management Tool is installed>/<URL address that has been specified during the
Management Tool installation> in the address line.
For example, https://john-pc/MyMonitoringSystem.
NOTE: If the certificate is not added to the Trusted Root Certification Authorities or
the name of the computer entered in the browser address does not match the
subject (Issued To field) of the certificate, your browser will display a certificate
error when opening the Management Tool.
2. The Management Tool opens.
3. Enter the credentials of the existing user added to the system:
• For an internal user, enter the login and password defined during user
creation.
• For a Windows user, enter the login in the form <domain name>\<user name>
and Windows authentication password.
Please note, if the Active Directory user group has been added to the system, the
users belonging to it can login using their Windows credentials.
To save your login for the next authorization, select the Remember me on this
computer check box.
4. The Management Tool Home page opens.

Please note, the Management Tool may take a while to launch on first connection, since
IIS is not used constantly and its processes are stopped and restarted on the connection.
If you encounter any problems when opening the Management Tool, see the
Troubleshooting chapter.
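
The certificate error described in the NOTE above can be checked for before anyone opens the browser. The following PowerShell is an added example, not part of the original help file or the vendor's tooling; it lists the certificates in the Local Computer Personal store and reports, for each one, whether its name matches the host name used in the URL and whether it chains to a trusted root on this computer. The function name is hypothetical, and only exact name matches are tested (wildcard certificates are not expanded).

```powershell
# Added example, not vendor code. Test-ManagementToolCertificate is a hypothetical helper name.
# Run it on the computer where the Management Tool is installed.
function Test-ManagementToolCertificate {
    param(
        # Host part of the URL users will type, for example john-pc
        [Parameter(Mandatory = $true)][string]$HostName
    )
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]

    foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\My') {
        # "Issued To" as shown in the console, plus the DNS name the certificate carries.
        $names = @(
            $cert.GetNameInfo($nameType::SimpleName, $false)
            $cert.GetNameInfo($nameType::DnsName, $false)
        ) | Where-Object { $_ } | Select-Object -Unique

        # Build the chain against the local trust stores. A self-signed certificate that
        # was not added to Trusted Root Certification Authorities fails with UntrustedRoot.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check, no CRL download
        $trusted  = $chain.Build($cert)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            IssuedTo      = $names -join ', '
            MatchesHost   = $names -contains $HostName   # comparison is case-insensitive
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = $cert.NotAfter -lt (Get-Date)
            Trusted       = $trusted
            ChainStatus   = $problems
        }
    }
}

# john-pc is the host name from the example URL above.
Test-ManagementToolCertificate -HostName 'john-pc' | Format-Table -AutoSize
```

The certificate selected in the HTTPS binding should show MatchesHost and Trusted as True; note that the trust result reflects the stores of the computer the script runs on, not those of a remote browser.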


Management Tool Interface


The Management Tool interface is divided into the following areas:
• Navigation pane
• Data View pane
• Filtering pane
• Toolbar
Panes
The Navigation pane
The Navigation pane allows you to navigate between different sections of the Management
Tool and consists of the following navigation links:
• Home: Opens the page on which dashboards are displayed, containing information on
the system state, recent user activity, and any suspicious user behaviour.
• Monitoring Results: Opens the page on which the user can view the list of all Client
sessions received from Clients the user has the View monitoring results permission for,
and export these sessions.
• Forensic Export History: Displays the list of sessions exported via Forensic Export. A user
can download any exported session and validate the already exported session.
• Report Generator: Opens the Report Generator page on which the user can generate
the report of the required type by defined parameters and then save it or print it.
• Interactive Monitoring: Opens the Interactive Monitoring page on which the user can
view statistic data on user activity displayed in two column charts (Applications
Monitoring and URL Monitoring).
• Client Management: Displays the information about all Clients in the system. The
number of Clients displayed on the page depends upon permissions given to users that
log in to the Management Tool. Additionally, the user can navigate to the Blocked User
list from the Client Management page.
• User Management: Displays the information about all Users in the system and is
available to users that have the User management permission.
• Access Management: Opens the Access Management page on which the user can
manage Two-Factor Authentication keys, One-Time Passwords, and Restricted Users.
• Alert Management: Displays the information about alerts assigned to your Clients.
• Kernel-level USB monitoring: Displays the list of all USB monitoring rules for all the
Clients in the system and is available to users with the administrative Client installation
and management permission.
• Scheduled Reports: Opens the Scheduled Reports page on which the user can view and
manage report generation rules, and view rule logs.
• Database Management: Opens the page on which the user with the Database
management permission can perform archiving and cleanup of the Database.
• Serial Key Management: Displays the information about your Serial key and contains
keys activating/deactivating options and is available to users that have the Serial keys
management permission.
• Configuration: Opens the page on which the user can define the Email sending settings,
Player link settings, System settings, Log settings, Ticketing system integration settings,
LDAP Targets, Date & Time Format, and Server settings.
• Management Tool Log: Contains information on all user actions performed in the
Management Tool.
• Diagnostics: Provides quick access to Server and Management Tool log files for users
that have the Database management permission.
The Data View pane
The Data View pane contains a grid with the information about your Clients, Users, Alerts,
database, and Serial keys.
The Filtering pane
The Filtering pane allows you to filter the Clients, Users, and Alerts by keywords of their names
and hide offline/online/uninstalled/licensed/Windows/macOS/Linux Clients.
Toolbar
The Toolbar of the Management Tool allows you to perform basic actions with Clients, Users,
and Alerts. The options of the Toolbar are the following:
• For Client Management: Add Client Group, Install Clients, Manage Licenses, Edit
Uninstallation Key, Uninstall Clients, Delete Clients, Blocked User List, and One-Time
Passwords.
• For User Management: Add User and Add User Group.
• For Alert Management: Add Alert, Manage Multiple Alerts, Export Alerts, Import Alerts,
and Global Alert Settings.
• For Kernel-Level USB Monitoring Management: Add Rule.
• For Scheduled Reports: Add Rule.
• For Forensic Export: Validate Export Results.

Changing Password for Logged in User


Internal users, including the Built-in administrator, can change their passwords after logging in
to the Management Tool. This action is not available for Active Directory users.

To change your password, do the following:


1. Click your user name in the upper right corner of any Management Tool page.


2. The Manage account page opens.


3. In the Current password box, type your current password.
4. In the New password box, type the new password.
5. Re-enter the password in the Confirm password box.
6. Click Change password.

7. Your password is changed. You will need to use it the next time you log in.

Multi-Tenant Mode/Single-Tenant Ekran System Mode
About
By default, Ekran System is installed in the Single-Tenant mode, so all Clients and settings are
shared with all users according to their permissions.
If necessary, you can use the Ekran System in the Multi-Tenant mode. In this mode, all tenant
users have access to their tenant Clients, but they have no access to other tenants’ Clients,
configurations, alerts, reports, etc.
NOTE: If you update the Ekran System to version 6.0 from the version without tenants, the
built-in default tenant will be created and all users, Clients and licenses will be assigned to it.

User Types in Ekran System Deployed in Multi-Tenant Mode
There are three types of users in the Multi-Tenant mode.
NOTE: Tenant admins or users can see only the information belonging to their tenant.

Admin of the default tenant (Technician)


Technicians are able to perform the following actions:
• Manage serial keys (activate/deactivate serial keys and grant licenses to tenants)
• Manage Tenants:
  o View
  o Add
  o Edit
  o Delete
• Download Server and Management Tool log files
• Configure all custom settings
• Act as the tenant admin for the default tenant

Tenant Admin
Tenant Admin is the account created by the technician during tenant creation. Tenant Admins
are able to perform the following actions:
• Manage tenant users and define their permissions
• Manage user groups containing tenant users
• Generate Client installation packages (and view the automatically generated token for
manual definition during the Offline Client installation)
• Manage Client Groups (for tenant’s Clients)
• Edit uninstallation key (for tenant’s Clients)
• Manage alerts
• Manage kernel-level USB monitoring rules
• Assign licenses from the license pool provided by the technician to Clients
• Manage blocked and restricted users
• Allow users to use time-based one-time passwords and one-time passwords
• View, export, and download sessions of tenant’s Clients and validate the export results
• Use Interactive Monitoring to view statistical information on tenant’s Clients
• Generate reports with data received from tenant’s Clients, schedule report generation
• View the Management Tool Log for tenant users and admins
• View and manage dashboards

Tenant User
Tenant User is able to perform the same actions as the Tenant Admin according to granted
permissions.


Tenant Management
Viewing Tenants
The Tenants are displayed on the Tenant Management page in the Management Tool. The list
of Tenants contains the following information:
• Tenant Name
• Tenant Admin
• Description
• Tenant Key
On the Tenant Management page, you can add new Tenants and edit existing Tenants
(including deletion).

Adding Tenants
To add a new tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and
system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Add Tenant.
4. On the Tenant Settings tab, define the tenant name and the description.
5. You can register the tenant admin via email or select an admin from the domain users.
6. To register the tenant admin via email or select the tenant admin from the domain users,
select the corresponding option and do the following:
• For registering the tenant admin via email, define the email of the tenant admin. The
email with credentials will be sent to the tenant admin.
• For selecting the tenant admin from the domain users, select the domain and user
from the drop-down lists.

7. On the Licenses tab, enter the number of licenses of each type to be granted to the tenant.

8. Click Finish.
9. The tenant is added and displayed on the Tenants page.

Editing Tenants
To edit an existing tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and
system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Edit Tenant for the required tenant.
4. Edit tenant properties on the corresponding tabs in the same way as when adding a new
tenant. If the user unassigns licenses, they return to the license pool.
5. The tenant is edited.

Resending Email to the Tenant Admin


If you need to change the tenant admin or the tenant admin has forgotten their password,
you can resend the email.
NOTE: If the tenant admin is a domain user, this feature is unavailable.
To resend email with credentials to the tenant admin, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and
system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Edit Tenant for the required tenant.
4. On the Tenant Settings tab, click Resend Email.
5. The email with a new password is sent.


Deleting Tenants
Deleting a tenant means that the tenant admin will not be able to use the system or any of
the tenant’s data and users. If you delete the tenant while its admin is logged in to the
Management Tool, the Management Tool will become unavailable to the tenant admin at once
and none of its pages will be displayed.
NOTE: If the tenant has at least one Client, it cannot be deleted.
To delete a tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and
system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Edit Tenant for the required tenant.
4. On the Tenant Settings tab, click Delete Tenant.
5. In the confirmation message, click Delete.
6. The tenant is deleted.

Switching to Tenant Account


1. Log in to the Management Tool as a user with the administrative Tenant management and
system configuration permission. The Grant access to tenant account option for tenant
account must be enabled.
2. Click the Tenant Management navigation link to the left.
3. The Tenants page opens.
4. Select the necessary tenant account from the Tenants list, and then click the Switch to link.
NOTE: This action is available only for tenants with the enabled Grant access to the tenant
account option.

5. You will be logged out and automatically logged in as the selected tenant admin. In the
Management Tool you can see and perform all actions available for the selected tenant
account.
6. To switch back to the technician account, log off and log in with your credentials.


Granting Technician Access to Tenant Account Info


By default, only tenant users have access to the tenant data. If you need to grant access to
the technician, you can do so. After getting access, the technician can log in under the tenant
admin account and will be able to perform all actions as the tenant admin.
To grant access to tenant account info, do the following:
1. Log in to the Management Tool as a tenant admin.
2. Click the Configuration navigation link to the left.
3. The Configuration page opens.
4. On the Settings tab, select the Grant access to tenant account option and click Save.

5. In the warning message, click OK.


6. Access to the tenant account has been provided to the technician. Now the technician can
log in and view as the tenant admin.


Licensing
General Licensing Information
To start receiving information from the Clients, you have to assign licenses to them. Five types
of licenses are available:

| License | OS | Required additional configuration | Number of recorded concurrent sessions |
|---|---|---|---|
| Workstation Client | Windows desktop OS, macOS | - | 1 |
| Infrastructure Server Client | Windows Server | - | 2 |
| Terminal Server Client | Windows Server | installed Remote Desktop Services/Terminal Services or Citrix Server or Published App Server | unlimited |
| Cloud Server Client | Windows Server | deployed on Microsoft Azure or Amazon Web Services | 2 |
| Linux/UNIX Server Client | Linux, Oracle Solaris, IBM AIX | - | unlimited |

NOTE: Licenses of the workstation type cannot be assigned to a computer with Server OS.

Each Client can have only one license assigned. During the first connection to the Server, the
license corresponding to the Client computer operating system is automatically assigned to a
Client. If the license has not been automatically assigned, then you will have to assign the
license to the Client manually.

Getting Licenses by the Default Tenant Admin (Technician)
Serial Keys
When you log into the Management Tool for the first time, you can request a trial serial key
which allows you to use 3 Workstation Client licenses, 3 Linux/UNIX Server Client licenses, and
1 Terminal Server Client license for 30 days. The trial serial key will be sent to the email address
you specify in the request form.
To use the system permanently and with a greater number of licenses, you have to license it
with purchased serial keys on a computer with the installed Server.
NOTE: After activation of any serial key, the embedded trial key expires.

Five types of serial keys are available:
• Permanent serial keys: These keys allow you to use the licenses they contain for an
unlimited period of time.
• Trial serial keys: These keys allow you to use the licenses they contain for 30 days (may
vary) from activation and update the product during this period.
• Update and Support serial keys: These keys allow you to extend your update and
support period.
• Enterprise serial keys: These keys allow you to get access to the enterprise features of
the Ekran System for an unlimited period of time. See the detailed information on
the Standard and Enterprise Editions of Ekran System in the Appendix.
• Trial enterprise keys: These keys allow you to get access to the enterprise features of
the Ekran System for 30 days (may vary) from activation and update the product during
this period.

Each permanent, trial, and update and support serial key contains the following data:
• Update & support period
• Licenses for the Clients
The enterprise serial key does not contain any Client licenses and is active for an unlimited
period of time. This key grants you access to Ekran System features such as
Database Archiving, Advanced SIEM Integration, One-Time Password, High Availability, and
Multi-Tenant Mode.
Once you have purchased serial keys, you can either activate serial keys online or add activated
serial keys if you have no Internet connection on a computer with the installed Server. Contact
your vendor for information on purchasing serial keys.
You need the administrative Serial keys management permission to activate serial keys.
Please note, after the activation, serial keys are bound to a specific computer and cannot be
used on another computer.


About Update & Support Period


An Update & support period is a period that defines what updates can be applied to your copy
of the product. Updates are defined by their release date. After the update & support period
expires, you can still assign licenses to Clients, but you will be unable to update the System to
versions released after the update & support period expiration date.
The update & support period end date is defined during the serial key activation (either via the
Management Tool or on the vendor’s site). It is calculated using a serial key with the longest
update & support period.
Example: If you activate two keys, one with a 30 days update & support period and one with a
12 months update & support period, simultaneously, the update & support period end date
will be set to 12 months from the activation date.
When a new serial key is being activated, the update & support period is prolonged
accordingly. Please note, if the current update & support period is longer than the one of a key
being activated, current update & support period does not change. For example, if you activate
a key with 12 months update & support period after a key with 30 days update & support
period, the update & support end date will be set to 12 months since the activation date. But if
you activate a key with 30 days update & support period after a key with 12 months update &
support period, the update & support period end date will not change.
If your update & support period expires, you can purchase a special serial key, which does not
contain any licenses, but extends your update & support period, or you can activate any other
serial key.

Viewing License State


You can view the information on serial keys you have activated or added and license details on
the Serial Key Management page in the Management Tool.
To view the license state, open the Management Tool and click the Serial Key Management
navigation link to the left. Select the Serial Keys tab.

The following information is displayed on the Serial Keys tab:
• Update & support period end date: The update & support period end date is calculated
based on the dates of serial key activation and their subscription periods.
• Workstation/Terminal Server/Infrastructure Server/Cloud Server/Linux/UNIX Server
Client licenses used: The number of licenses of the corresponding type used out of the total
number, which is summed up from all activated serial keys.
• Not licensed Clients: The number of installed Clients with no licenses assigned.
• Enterprise key: Displays whether the target Server computer has an activated
enterprise serial key.

The following information is displayed in the Serial Keys table:


o Serial key


o Activation date
o Type: Enterprise/Permanent/Update and Support/Trial/Trial Enterprise
o State: activated/deactivated/expired
o Details: expiration/deactivation date, type and number of licenses

Activating Serial Keys Online


To activate purchased serial keys online, do the following:
1. Make sure you have an active Internet connection on the computer with the installed
Server.
2. Log in to the Management Tool as a user with the administrative Serial keys management
permission.
3. Click the Serial Key Management navigation link to the left.
4. On the Serial Keys tab, click Activate keys online.
5. In the Serial Key Activation window, enter serial keys to be activated separating them with
semicolons or paragraphs and click Activate.

6. The activated keys will appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.


Adding Activated Serial Keys Offline


If you have no Internet connection on a computer on which the serial keys are to be activated,
you can activate them on the license site and then add the activated serial keys offline. For
more information, send an email to info@ekransystem.com
NOTE: Update and Support serial keys cannot be activated offline.

To activate serial keys offline on the license site, do the following:


1. On the computer with the installed Server, start the UniqueIdentifierGenerator.exe file,
which you can download at
https://www.ekransystem.com/sites/default/files/ekransystem/UniqueIdentifierGenerator.exe
2. The Unique Identifier Generator window opens.
3. Click Generate to generate a unique identifier for your computer.
4. When a unique identifier for your computer is generated, it will appear in a text box under
the Unique Identifier group of options.
5. Copy the unique identifier from the text box to a text file on a removable drive.
6. Go to the license site.
7. Enter the generated unique identifier in the Unique Identifier box.
8. Copy and paste the purchased serial keys to the Serial Keys box separating them with
paragraphs or spaces.
9. Enter the CAPTCHA text in a text box near the CAPTCHA image.
10. Click Activate.
11. The activatedKeys.txt file will be generated. Save the file on a removable drive.
12. Copy the file to the computer on which you will open the Management Tool.
NOTE: Please do not edit the generated file activatedKeys.txt.

To add activated serial keys in offline mode, do the following:


1. Log in to the Management Tool as a user with the administrative Serial keys management
permission.
2. Click the Serial Key Management navigation link to the left.
3. On the Serial Keys tab, click Add activated keys.
4. On the Activated Serial Key Adding page, click Choose File and navigate to the
activatedKeys.txt file with activated serial keys.
5. Click Add.
6. The newly added serial keys appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.
8. If there are both licensed and unlicensed Clients in your network and you want to license
the rest of Clients with a purchased key, you will have to assign the license to the remaining
unlicensed Clients manually.

Deactivating Serial Keys


If for some reason you decide to discontinue using Ekran System, you can deactivate serial
keys.
To deactivate a serial key, do the following:
1. Make sure you have an active Internet connection on the computer with the installed
Server.
2. Log in to the Management Tool as a user with the administrative Serial keys management
permission.
3. Click the Serial Key Management navigation link to the left.
4. On the Serial Keys tab, select a serial key to be deactivated and click Deactivate selected.
NOTE: Expired serial keys can’t be deactivated.
5. In the confirmation message, click Deactivate.
6. The deactivated serial key is marked as Deactivated in the State column of the Serial Key
Management page.
7. The number of available licenses and the update & support period end date change.

License Management
Client License Management
The Client license management is performed in the Management Tool by the user with the
administrative Client installation and management permission.
You can assign a license to a Client or unassign it manually any time. The license can be
assigned to an offline Client, and it will be applied after the Client is online. If the Client is
uninstalled, its license becomes free and can be assigned to another Client.
NOTE: When a trial serial key expires, the corresponding number of licenses is automatically
unassigned from Clients.
Information about the number of used and free licenses of each type is displayed on the
License Management page in the Management Tool.

To assign a license to one Client, do the following:


1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the needed Client from the list and then click Edit Client.
4. On the Editing Client page, on the Properties tab, in the License box, select the type
of license you want to assign to the Client.
5. Click Finish.
6. The license is assigned to the Client.


To manage licenses for several Clients, do the following:


1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Manage Licenses.
4. On the License Management page, select the Clients to which the licenses should be
assigned. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
5. When the Clients are selected, click one of the following:
• Assign recommended license: Assigns licenses to the selected Clients, automatically
defining the type of license based on the operating system of the Client computers.
If the corresponding type of license is missing, a license of a higher type can be
assigned.
• Assign license of specific type: Assigns selected licenses of a specific type to the
selected Clients.
• Unassign license: Removes licenses from the selected Clients.

NOTE: To change the Client license type, you do not need to unassign the current license.
This will be done automatically.

Viewing Granted Licenses


You can view the information on licenses you have granted on the Serial Key Management
page in the Management Tool.
To view the granted licenses, open the Management Tool and click the Serial Key Management
navigation link to the left. Select the Granted Licenses tab.

The following information is displayed in the Granted Licenses table:


o Tenant Name
o Count of Workstation licenses/Terminal Server licenses/Infrastructure Server
licenses/Cloud Server licenses/Linux licenses


User and User Group Management


About
By default, there is one administrator in the system, whose login is admin and whose password
is defined during the Server installation. The administrator has all rights in the
system. If the Multi-Tenant mode is enabled, the administrator is the technician and is able to
create tenants.
In order to grant others access to the system, you can add users and define their permissions.
There are two types of users:
• Internal users
• Active Directory users (Windows domain users and Windows domain user groups)
To define permissions for users, you can create user groups. One user can belong to several
user groups.
When the user is added to a group, they inherit all permissions from a group. If the user
inherited some permissions from a group, these permissions can be removed only by removing
the user from this group. Apart from permissions received from the group, you can assign
other permissions to a specific user.
By default, there are three user groups in the system:
• All Users: A group that contains all created users.
• Administrators: A group of users that can perform administrative functions within the
system. If a user is added to this group, they receive all administrative and Client
permissions within the system.
• Supervisors: A group of users that perform major investigative work with the Clients. If a
user is added to this group, they receive the Viewing monitoring results permission for
All Clients.
You can also add other custom user groups and manage them yourself.
Please note, user and user group management is allowed only to the users with the
administrative User management permission.

Viewing Users and User Groups


The Users and User Groups are displayed on the User Management page in the Management
Tool. Users are grouped by the User Groups which they belong to. The lists of Users contain the
following information:
 Login
 First Name
 Last Name
 Description


NOTE: For Active Directory users, their first name and last name will be filled automatically
after the first log in to the system.

To find a required User, enter a part of their user name, first name, last name or description in
the Contains box and click Apply Filters.
On the User Management page, you can add new Users/User Groups and edit existing
Users/User Groups (including deletion).

User Management
Adding Users
To add a new user, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Add User.

4. On the User Type tab, select the type of the user you want to add:
• Click Add an Internal user to create an internal application user.
• Click Add an Active Directory user/user group to add an existing Windows user/user
group.

5. On the User Details tab, do one of the following and click Next:
• For an internal user, define user credentials and additional information about the
user.
NOTE: Login and password are required. The password must be at least 6 characters long.
The maximum length of the first name, last name, and description is 200 characters.

• For an Active Directory user/user group, select the domain in the Domain list and
then enter at least two characters into the User/User group box to search for the
required user/user group.

NOTE: The Active Directory user/user group cannot be added if there is no LDAP target
added for the required domain on the Configuration page or if the connection with the
domain is lost (the domain is unavailable).
6. On the User Groups tab, select the user groups the user will belong to. To find a specific
group, enter its name in the Contains box and click Apply Filters. Click Next.
NOTE: The user is automatically added to the default All Users group and can’t be
removed from it.

7. On the Administrative Permissions tab, select administrative permissions that will be given
to the user. Click Next.
NOTE: If the user has inherited some permissions from user groups, you can only add new
permissions. To remove permissions inherited from user groups, you need to remove the
user from these groups.

8. On the Client Permissions tab, do the following:
• Select the necessary Client/Client Group. To find a specific Client/Client Group, enter
its name in the Contains box and click Apply Filters.
• Click Edit Permissions and then, in the Client Permissions/Client Group Permissions
window, define the Client permissions which will be given to a user for the
corresponding Client/Client Group.
• When the permissions are defined, click Save to close the Client Permissions/Client
Group Permissions window.

9. Click Finish.
10. The user is added and displayed on the Users page.
NOTE: For an Active Directory user, the first name and last name properties will be
automatically filled after the user’s first login to the system.


Editing Users
To edit an existing user, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User for the required user.
4. Edit user properties and permissions on the corresponding tabs in the same way as when
adding a new user.
NOTE: Click Next or Finish to save the changes on each tab.
5. The user is edited.


Deleting Users
Deleting a user means that the user will not be able to use the system. If you delete a user who
is logged in to the Management Tool, the Management Tool will become unavailable to the user
at once and none of its pages will be displayed.
To delete a user, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User for the required user.
4. On the User Details tab, click Delete User.
5. In the confirmation message, click Delete.
6. The user is deleted.

User Group Management


Adding User Groups
To add a new user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Add User Group.
4. On the Group Properties tab, define the name for the user group and, optionally, define its
description. Click Next.
5. On the User Management tab, select users that will belong to the user group. To find a
specific user, enter its name in the Contains box and click Apply Filters. Click Next.
6. On the Administrative Permissions tab, select administrative permissions that will be given
to all users belonging to this user group. Click Next.
7. On the Client Permissions tab, find the Client/Client Group for which permissions are to be
defined.
• To find a specific Client/Client Group, enter its name in the Contains box and click Apply
Filters.
• Click Edit Permissions and then, in the Client Permissions/Client Group Permissions
window, define the Client permissions which will be given to a user for the
corresponding Client/Client Group.
• After you have defined all Client permissions, click Save to close the Client Permissions/
Client Group Permissions window.
8. On the Client Permissions tab, click Finish.
9. The user group is added.


Editing User Groups


To edit an existing user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User Group for the required user group.
4. Edit user group properties and permissions on the corresponding tabs in the same way as
when adding a new user group.
NOTE: Click Next or Finish to save the changes on each tab.
5. The user group is edited.

Deleting User Groups


Deleting a user group does not delete users belonging to it. If the group is deleted, its users no
longer have permissions given by this user group unless these permissions are inherited from
another user group.
NOTE: The user group All Users cannot be deleted.
To delete a user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User Group for the required user group.
4. On the Group Properties tab, click Delete Group.
5. In the confirmation message, click Delete.
6. The user group is deleted.

Permissions
About
The permissions allow you to define which functions a user will be able to perform with the
system and Clients. There are two types of permissions:
• Administrative permissions define actions that a user can perform with the whole system.
• Client permissions define actions that a user can perform with selected Clients.
The permissions can be defined when adding or editing users and user groups.
If you define permissions for the group, any user belonging to this group inherits these
permissions. To remove permissions inherited by the user from a group, you need to remove
the user from that group. Apart from permissions inherited from the group, you can assign a user
their own permissions.

Administrative Permissions
The following administrative permissions are available:
• Serial keys management: Allows a user to activate and deactivate serial keys.
• User management: Allows a user to add, edit, delete Users/User groups and define permissions for them. It also allows a user to view the Management Tool log.
• Client installation and management: Allows a user to install Clients, assign licenses to Clients, add, edit, and delete Client groups, manage alerts, define alert settings, create and manage scheduled report rules, view report logs, define Email sending settings, create and manage the USB monitoring & blocking rules, as well as block users.
• Database management: Allows a user to get information on the database, perform database cleanup, delete Clients from the database, and download Server and Management Tool log files.
• Viewing archived data: Allows a user to view and export sessions from archive databases.
• Tenant management and system configuration: Allows a user to add, edit, delete Tenants and grant licenses to them. This permission is available only for the users of the default tenant.

Client Permissions
Client permissions define which actions a user will be able to perform with the Clients.
If a user does not have the administrative Client installation and management permission, in
the Management Tool they will see only those Clients for which they have at least one Client
permission.
NOTE: Client permissions are defined for each Client or Client Group individually.

The following Client permissions are available:
• Client configuration management: Allows a user to define Client configuration.
• Viewing monitoring results: Allows a user to:
  o View the results of Client monitoring and Forensic Export results in the Management Tool.
  o View Client configuration.
  o Generate reports in the Management Tool.
• [Windows Clients] Viewing text data: Allows a user to view keystrokes and clipboard text data recorded during Client monitoring.
• [Windows Clients] Client uninstallation: Allows a user to uninstall a Client.
• Access Client computer: Allows a user to log in to the Client computer with enabled forced user authentication. It is available for Linux and Windows computers.

Permission Example
You can define a permission for a user by selecting the Edit User option and selecting the
option next to the required permission on the Administrative Permissions tab.
If the user belongs to several groups, they inherit all the permissions defined for those groups.

For example:
There is a user Joe who belongs to Group 1 and Group 2 user groups.
Besides, there are Client 1 and Client 2 that belong to All Clients group.
The following permissions are given to the user Joe, Group 1, and Group 2 by the administrator:
| User/User Group | Administrative permissions | Client permissions: Permission | Client permissions: For |
|---|---|---|---|
| Group 1 | User management | Client uninstallation | Client 1 |
| Group 2 | Serial keys management | Viewing monitoring results | Client 2 |
| User Joe | Client installation and management | Viewing monitoring results | Client 1 |
| User Joe | Serial keys management | Client configuration management | All Clients |
As a result, the user Joe will have the following permissions:
• Administrative
  o User management permission (because he belongs to Group 1).
  o Serial keys management permission (because he belongs to Group 2. But he also has his own Serial keys management permission, and thus will have it even if Group 2 is deleted or its permissions are edited).
  o Client installation and management permission (he will have this permission irrespective of the user groups he is added to).
• Client permissions for Client 1
  o Client uninstallation permission (because he belongs to Group 1).
  o Viewing monitoring results permission (because it is his own permission and he will have it irrespective of the user groups he is added to).
  o Client configuration management permission (because the Client belongs to the All Clients group).
• Client permissions for Client 2
  o Viewing monitoring results permission (because he belongs to Group 2).
  o Client configuration management permission (because the Client belongs to the All Clients group).
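
The inheritance rules above can be applied mechanically during an access review. The following PowerShell sketch is an added example, not part of the product or of this help file: the function name, the data layout and the sample data (constructed from the Joe example) are assumptions, and it does not read anything from the Management Tool.

```powershell
# Constructed sample data mirroring the Permission Example above (assumed layout).
$ClientGroups = @{ 'All Clients' = @('Client 1', 'Client 2') }
$UserGroups   = @{ 'Joe' = @('Group 1', 'Group 2') }

# One row per grant. Holder is a user or a user group. Target is $null for an
# administrative permission, or a Client / Client Group for a Client permission.
$Grants = @(
    [pscustomobject]@{ Holder = 'Group 1'; Permission = 'User management';                    Target = $null }
    [pscustomobject]@{ Holder = 'Group 1'; Permission = 'Client uninstallation';              Target = 'Client 1' }
    [pscustomobject]@{ Holder = 'Group 2'; Permission = 'Serial keys management';             Target = $null }
    [pscustomobject]@{ Holder = 'Group 2'; Permission = 'Viewing monitoring results';         Target = 'Client 2' }
    [pscustomobject]@{ Holder = 'Joe';     Permission = 'Client installation and management'; Target = $null }
    [pscustomobject]@{ Holder = 'Joe';     Permission = 'Serial keys management';             Target = $null }
    [pscustomobject]@{ Holder = 'Joe';     Permission = 'Viewing monitoring results';         Target = 'Client 1' }
    [pscustomobject]@{ Holder = 'Joe';     Permission = 'Client configuration management';    Target = 'All Clients' }
)

function Get-EffectivePermission {
    param(
        [Parameter(Mandatory)] [string]   $User,
        [Parameter(Mandatory)] [object[]] $Grants,
        [hashtable] $UserGroups   = @{},
        [hashtable] $ClientGroups = @{}
    )

    # Grants apply if they are held by the user or by any group the user belongs to.
    $holders = @($User)
    if ($UserGroups.ContainsKey($User)) { $holders += $UserGroups[$User] }

    $rows = foreach ($g in $Grants | Where-Object { $holders -contains $_.Holder }) {
        $source = if ($g.Holder -eq $User) { 'own' } else { "group '$($g.Holder)'" }
        if (-not $g.Target) {
            [pscustomobject]@{ Scope = 'Administrative'; Permission = $g.Permission; Source = $source }
        }
        else {
            # A grant on a Client Group applies to every Client in that group.
            $clients = if ($ClientGroups.ContainsKey($g.Target)) { $ClientGroups[$g.Target] } else { @($g.Target) }
            foreach ($c in $clients) {
                $via = if ($c -ne $g.Target) { "$source via '$($g.Target)'" } else { $source }
                [pscustomobject]@{ Scope = $c; Permission = $g.Permission; Source = $via }
            }
        }
    }

    # Merge duplicate grants and record every source of each permission.
    $rows | Group-Object Scope, Permission | ForEach-Object {
        [pscustomobject]@{
            Scope         = $_.Group[0].Scope
            Permission    = $_.Group[0].Permission
            Sources       = ($_.Group.Source | Sort-Object -Unique) -join '; '
            # True when the user holds the permission only through group membership.
            InheritedOnly = -not ($_.Group.Source -like 'own*')
        }
    } | Sort-Object Scope, Permission
}

Get-EffectivePermission -User 'Joe' -Grants $Grants -UserGroups $UserGroups -ClientGroups $ClientGroups |
    Format-Table -AutoSize
```

Rows with InheritedOnly set to True are the permissions Joe loses if the granting group is deleted or edited; Serial keys management is reported with both sources and therefore survives the removal of Group 2.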

Management Tool Log


About
The Management Tool Log is a component that contains information on all user actions
performed in the Management Tool. Such information might be useful for the administrator to
manage and monitor the actions of all users in the system.
Viewing the Management Tool Log is available only to users with the administrative User
management permissions.

Viewing Management Tool Log


To view the log, log in to the Management Tool and click the Management Tool Log navigation
link to the left.
On the Management Tool Log page, the Log Grid with the following data is displayed:
• Time: Displays the date & time the action was performed.
• User Name: Displays the name of the user who performed the action.
• User Groups: Displays the list of the User Groups the user belongs to.
• Category: Displays the category the action performed belongs to.
• Action: Displays the action performed.
• Object: Displays the list of the objects affected by the action.
• Details: Displays additional information about the action performed.
You can define the number of the log entries to be displayed per page: 10/100/250/1000.

All actions performed by the users in the Management Tool are grouped by the following
categories:
1. Alert management. Contains the information on the alert configuration being changed,
as well as exporting, importing, deleting older alerts, creating new ones, and changing
the Global Alert settings.
2. Alert player viewing. Contains the information on viewing alert events in the Alert
Viewer by a user.

3. Archived Sessions Viewing. Contains the information on the archived sessions being
opened in the Session Viewer or being exported via Forensic Export.
4. Log settings. Contains the information on the log settings being changed.
5. Client editing. Contains the information on the Client configuration being changed. If
there were multiple configuration changes, they are combined in a single log entry.
6. Client group management. Contains the information on the Client Group configuration
being changed, as well as deleting older Client Groups and creating new ones.
7. Client installation/Uninstallation. Contains the information on installation and
uninstallation of the Clients performed by a user, as well as the Client uninstallation key
being changed.
8. Database cleanup. Contains the information on the manual & automatic cleanup being
performed and the changes made to the automatic cleanup settings by a user.
9. Database management. Contains the information on the database shrinking, database
archiving and cleanup, and statistics update performed by a user.
10. Date & Time Format. Contains the information on the date and time format settings
being changed.
11. Diagnostics. Contains the information on downloading the server and Management Tool
log files by a user.
12. Email sending settings. Contains the information on the email sending settings being
changed.
13. Forensic Export. Contains the information on users performing Forensic Export,
downloading and deleting the Forensic Export results, as well as validating those results.
14. Interactive monitoring. Contains the information on Clients, users on Client computers,
and time period, for which the Application Monitoring and URL Monitoring widgets
were generated.
15. Kernel-level USB monitoring. Contains the information on the USB monitoring &
blocking rules being changed by a user, as well as deleting older rules and creating new
ones.
16. LDAP targets. Contains the information on the added, edited, and deleted LDAP targets.
17. Log in / Log off. Contains the information on users logging in/logging off (including MT
being closed, session expiring, etc.).
18. One-time password. Contains the information on generated, used, expired and
manually terminated one-time passwords.
19. Report generation. Contains the information on the reports generated by a user, both
via Report Generator and from the Scheduled rule. It also contains information about
the generated reports being downloaded by a particular user.
20. Scheduled report management. Contains the information on the Scheduled Report
rules being changed by a user, as well as deleting older rules and creating new ones.
21. Serial key management. Contains the information on adding, activation, and
deactivation of the serial keys by a user.
22. Session Viewing. Contains the information on the sessions opened in the Session Viewer
by a user.
23. Ticketing system integration. Contains the information on the ticketing system
integration being enabled or disabled and on the ticketing system access parameters
being edited.

24. Two-Factor Authentication. Contains the information on the users being added or
deleted on the Two-Factor Authentication page and on editing of two-factor
authentication keys.
25. User blocking. Contains the information on users being added to and removed from the
Blocked User list.
26. User group management. Contains the information on the user group configuration
being changed by a user, as well as deleting older user groups, creating new ones,
changing the Client and administrative permissions.
27. User management. Contains the information on the user configuration being changed
by a user, as well as deleting older users, creating new ones, changing the Client and
administrative permissions.

Management Tool Log Protection


The Management Tool Log is protected against log-altering attacks: its data is encrypted in
the database, and the database encryption is unique for each Server. If the log has been modified, a
warning is displayed that the log data is not valid, and the invalid log entries are marked red.

Filtering and Sorting Log Data


You can filter Management Tool log entries using the column header menu in the Log grid. You
can filter data by multiple fields.
To filter data by a non-date field (User Name, User Groups, Category, Action, Object), click
near the required column name, select one or several options, and then click OK.

To filter data by the Time field, click near the required column name, select the From and
To dates, and then click OK.
To sort data in the Log grid, click the required column header. You can change column sort
order from ascending to descending, and vice versa. To do this, click the Sort arrow near the
column header.

Windows Clients
About
Windows Client is a program that can be installed on the target computers to monitor the
activity of their users. The monitored data is sent to the Server and can be viewed in the
Management Tool.
Depending upon their permissions, a user can install/uninstall Clients remotely, manage their
configuration, and manage Client groups.

Monitoring via Windows Clients


The Windows Clients work as follows:
• Each Windows Client starts automatically on computer start.
• A licensed Windows Client monitors a certain number of local and remote sessions, depending on the license type:
  - Workstation Client license (one local/remote session)
  - Infrastructure/Cloud Server Client licenses (up to two concurrent sessions)
  - Terminal Server Client license (several concurrent sessions)
• Every time the computer is restarted, the Windows Client starts recording user activity in a new session. The maximum duration of one session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from live to finished), new live sessions automatically start.
• If a user works with several monitors, the Windows Client creates screenshots from all of them.
• The Windows Client sends its monitoring results to the Server. On the Client side, the monitoring data is compressed before sending it to the Server.
To disable the data compression on the Client side, in the Windows Registry Editor, select
the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and add a new value:
  o Value type: DWORD
  o Value name: Compression
  o Value data: 0
• If there is no connection with the Server, the Client stores the monitored data locally and automatically sends it to the Server when the connection is restored. The data is stored in the TempWrite.dat file in the Client installation folder. The Client can stop writing data to an offline cache in one of the following cases:
  o The amount of data stored offline reaches the limit at which the Client must stop writing to offline cache. This limit is defined during remote Client installation or during generation of Client installation package.
  o There is 500 MB of free space left on the hard drive.

• By default, the Windows Client records user activity as follows:
  o Typing: every 10 seconds.
  o Mouse clicking: every 3 seconds.
  o Active window changing: every 3 seconds.
To change the frequency of user activity recording, in the Windows Registry Editor, select
the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and modify the value data:
1. Typing
  o Value name: SmartScrTimer
2. Mouse clicking
  o Value name: SmartScrTimerMouse
User activity recording triggers usually influence each other, though the average frequency of
user activity recording is higher.

Installing Windows Clients


About
During the system deployment, remote installation of the Windows Clients is used. Remote
installation of the Clients is performed via the Management Tool.
To ensure successful remote installation of the Windows Clients, you have to set up the
network environment beforehand. If your computers belong to a workgroup but not a domain,
you need to know the administrator account credentials for each remote computer. Otherwise,
knowing the domain administrator credentials is enough.
The Windows Clients can also be installed locally via the installation package generated in the
Management Tool. Thus you can distribute the installation package of the Client with
predefined settings among the network computers and install it. This kind of installation is
useful when you experience difficulties with installing the Clients remotely via the
Management Tool, or the computers in your network are a part of a workgroup and do not
have the same administrative account for each computer.

Setting up Environment for Remote Installation


Windows Client Installation Prerequisites
The majority of Windows Client installation/uninstallation issues are caused by incorrect
system or network settings.
The following conditions have to be met for successful Windows Client installation:
• The remote computer has to be online and accessible via network.
• Shared folders have to be accessible on the remote computer. Simple file sharing (Sharing Wizard) has to be disabled if the computer is in a workgroup (for domain computers this requirement can be skipped).

• You need to know the domain administrator or local administrator account credentials for the remote computer.
• The Server and the Remote Procedure Call (RPC) system services have to be running on the remote computer.
• Windows Vista and Windows XP Firewall has to be properly set up on the remote computer during the Clients remote installation.
• In Windows 8, Windows 7, Windows Server 2012 and Windows Server 2008 Firewall, inbound connections have to be allowed in the Remote Service Management (RPC) rule for the remote computers and the File and Printer Sharing option has to be enabled (in this case it is not necessary to disable Windows Firewall).
• Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.

In Windows Firewall on the Server side, allow the Server executable to accept TCP connections
via ports 9447 and 9449 (for the connection between the Server and the Clients).
NOTE: These rules will be added to Windows Firewall automatically if Windows Firewall is
enabled during the Server installation.

Make sure the conditions mentioned above are met to avoid possible problems with Client
remote installation.
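
The conditions above can be checked without changing any setting. The following read-only PowerShell check is an added example, not part of the product or of this help file. It is meant to be run locally on the target computer and assumes Windows 8.1 / Windows Server 2012 R2 or later (for Get-NetFirewallRule and Test-NetConnection) with English firewall rule names; the function name and the -Server parameter are hypothetical.

```powershell
#Requires -Version 4.0
function Test-ClientInstallPrerequisite {
    [CmdletBinding()]
    param(
        # Name or IP address of the Server (hypothetical parameter; supply your own value).
        [Parameter(Mandatory)] [string] $Server,
        # TCP ports listed above for the connection between the Server and the Clients.
        [int[]] $Port = @(9447, 9449)
    )

    # 1. The Server (LanmanServer) and Remote Procedure Call (RpcSs) services must be running.
    foreach ($name in 'LanmanServer', 'RpcSs') {
        $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
        $detail = if ($svc) { "$($svc.DisplayName) is $($svc.Status)" } else { 'service not found' }
        [pscustomobject]@{
            Check  = "Service: $name"
            Passed = [bool]($svc -and $svc.Status -eq 'Running')
            Detail = $detail
        }
    }

    # 2. The inbound Remote Service Management (RPC) rule must be enabled with action Allow.
    $rpc = @(Get-NetFirewallRule -DisplayName 'Remote Service Management (RPC)' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    $detail = if ($rpc.Count) { 'enabled for profile(s): ' + (($rpc.Profile | Sort-Object -Unique) -join '; ') }
    else { 'no enabled inbound Allow rule' }
    [pscustomobject]@{
        Check  = 'Firewall: Remote Service Management (RPC)'
        Passed = $rpc.Count -gt 0
        Detail = $detail
    }

    # 3. File and Printer Sharing must be enabled. The SMB-In rule is used here as the
    #    representative rule of the group (an assumption of this example).
    $fps = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    $smb = @($fps | Where-Object { $_.DisplayName -eq 'File and Printer Sharing (SMB-In)' })
    $detail = if ($smb.Count) { 'SMB-In enabled for profile(s): ' + (($smb.Profile | Sort-Object -Unique) -join '; ') }
    else { "SMB-In not enabled ($($fps.Count) other inbound rule(s) of the group enabled)" }
    [pscustomobject]@{
        Check  = 'Firewall: File and Printer Sharing'
        Passed = $smb.Count -gt 0
        Detail = $detail
    }

    # 4. The Server must accept TCP connections on the listed ports.
    foreach ($p in $Port) {
        $open = Test-NetConnection -ComputerName $Server -Port $p -InformationLevel Quiet `
            -WarningAction SilentlyContinue
        $detail = if ($open) { 'reachable' } else { 'connection failed' }
        [pscustomobject]@{
            Check  = "TCP $p to $Server"
            Passed = [bool]$open
            Detail = $detail
        }
    }
}

# Example call; 'ekran-server.example.test' is a placeholder name.
# Test-ClientInstallPrerequisite -Server 'ekran-server.example.test' | Format-Table -AutoSize
```

Compare the reported profiles with the profile of the network that connects the computer to the Server. Rules delivered by Group Policy are not in the default store that Get-NetFirewallRule reads; add -PolicyStore ActiveStore to the two rule queries to evaluate the effective policy.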

Disabling Simple File Sharing in Windows XP


To disable simple file sharing in Windows XP, do the following:
1. Open My Computer.
2. Select Tools > Folder Options in the menu.
3. In the Folder Options window, select the View tab.

4. Clear the Use simple file sharing option.


5. Click Apply and OK to close the window.

Disabling Sharing Wizard in Windows 8.1, Windows 8, and Windows 7


To disable the Sharing wizard in Windows 8.1, Windows 8, and Windows 7, do the following:
1. Open the Folder options window:
   • For Windows 8.1/Windows 8: Open the Control Panel and then select Appearance and Personalization.
   • For Windows 7: Open Computer and then select Organize > Folder and search options.
2. In the Folder Options window, select the View tab.

3. Clear the Use Sharing Wizard option.


4. Click Apply and OK to close the window.

Checking System Services


To check that the Server and Remote Procedure Call (RPC) system services are running:
1. Right-click Computer and select Manage. The Computer Management window opens.
2. Expand the Services and Applications node and select Services. To quickly access
Windows Services, press Windows+R, type services.msc in the Run text box and press
Enter.
3. Find the Server service and the Remote Procedure Call (RPC) service in the list of
services. Make sure both services are running (their status is displayed as Started).

4. If one or both services are not running, start them manually. To start the service,
right-click it and select Start from the context menu. The selected service is started.

Setting up Firewall for Windows Vista, Windows XP, and Windows Server 2003
It is not necessary to disable the Firewall in Windows Vista, Windows XP, and Windows Server
2003. For successful remote installation of the Clients, you have to enable the File and Printer
Sharing option.
To set up Windows Vista, Windows XP, and Windows Server 2003 Firewall, do the following:
1. Select Start > Control Panel > Windows Firewall.

2. In the Windows Firewall window, select the Exceptions tab.


3. On the Exceptions tab, select the File and Printer Sharing option.
4. Click OK.

Setting up Firewall for Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008
It is not necessary to disable the Firewall in Windows 8.1, Windows 8, Windows 7, Windows
Server 2012, and Windows Server 2008. For successful remote installation of the Clients, you
have to allow inbound connections in the Remote Service Management (RPC) rule for the
remote computers and enable the File and Printer Sharing option.

To enable inbound connections for the Remote Service Management (RPC) rule, do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.

3. In the Windows Firewall with Advanced Security window, click Inbound Rules and
then double-click the Remote Service Management (RPC) rule in the rules list.

4. The Remote Service Management (RPC) Properties window opens.


5. On the General tab, select Enabled under General and click Allow the connection
under Action.

6. On the Advanced tab, under Profiles, select the profile of the network used for
connecting remote computers and the Server.

7. Click Apply and then OK to save the settings and close the Properties window.
8. Close the Windows Firewall window.

To enable the File and Printer Sharing option, do the following:


1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Allow an app or feature through Windows Firewall.
3. In the opened Allowed apps window, click Change settings.

4. Select the File and Printer Sharing option and then click OK.

Installing Windows Clients Remotely via the Management Tool
About
You can install the Windows Clients remotely via the Management Tool. This way of installation
is very convenient if all computers in your network have the same domain administrator
credentials.
Remote Windows Client Installation is performed by a user who has the Client installation and
management permission in two steps:
1. Selecting computers on which Clients will be installed.
2. Defining installation parameters and installing the Clients.

Selecting Computers
To select the computers for Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.

4. The Computers without Clients page opens. On this page, you can see the computers for
which the previous installations failed.

5. Select how you would like to search for computers where the Windows Clients will be
installed:
   • To select computers from the list of all computers in your network, click Deploy via network scan.
   • To select computers by IP range (IPv4 or IPv6 addresses), click Deploy via IP range.
   • To select computers by their names, click Deploy on specific computers.
6. In the Choose search results window:
   • Click Start new search to look for computers with defined parameters.

   • Click Previous search results to choose the computers found in the previous search. If you have not performed any searches yet, this option will be absent.

7. If you have selected the Deploy via IP range option, the Computers Scan page opens. In the
From Address and To Address boxes, enter the IP range (either IPv4 or IPv6) for which the
network should be scanned. To find only one computer, enter the same IP address in both
boxes. Click Scan.

8. If you have selected the Deploy on specific computers option, the Adding Computers page
opens. Enter the names of computers on which Windows Clients must be installed in the
Name box and click Scan. Use a semicolon to separate computer names.
Please note that you should enter the full name of the computer.
9. The scanning process starts. The list of found computers will be updated automatically. If it
is not updated, click Refresh. To stop the scanning process, click Stop.
10. When the scanning process finishes, select check boxes next to the computers that you
want to install the Clients on. Click Next.

11. The selected computers are added to the list on the Computers without Clients page.
12. If you want to remove some computers from this list, click Remove from list next to the
selected computer.

Remote Windows Client Installation Process


When all computers for Windows Client installation are selected, you are ready to start
installation. Please make sure that all selected computers are correctly adjusted.

To install the Windows Clients remotely, do the following:


1. On the Computers without Clients page, click Install.
2. On the Client Configuration page, define the name/IP of the Server to which the Windows
Clients will connect, and define the Client configuration for the Clients you are installing.
Click Next.
NOTE: The Server IP address has to be static for Clients to connect to it successfully.
Unique external IP addresses should be used for cloud-based Servers. You can add several
names and IP addresses separated with comma or semicolon.
3. On the Installation credentials page, enter the credentials of a user with administrator
permissions on the target computers for Client installation and then click Next.
   • If the computers are in a domain, enter the domain name and domain administrator account credentials.
   • If the computers are in a workgroup, enter the credentials of a local administrator for target computers.
If you leave the Domain box empty, the entered credentials will be used as the credentials
of a local user of a target computer and the Client will be installed under the <target PC
name>\<user name> account.
NOTE: All workgroup computers must have the same administrator account credentials.
Otherwise, use the installation package method to deploy the Clients.

4. The installation process starts. The progress of installation will be updated automatically on
the Client installation page. If it is not updated, click Refresh.

NOTE: If the connection with the Server fails, the Client will not be installed.
5. After the end of the installation, the installed Clients will appear on the Clients page in All
Clients group. If the installation of some Clients fails, these computers will remain in the
Computers without Clients list and you can click Retry to start the installation again.

Remote Installation from an Existing .INI File


If you already have an .ini file with defined settings generated in the Management Tool and
saved to your computer, you can use it for installing the Windows Clients.
To install the Windows Clients remotely using an existing .ini file, do the following:
1. On the Computers without Clients page, click Install using existing .ini file.
2. On the INI file selection page, click Choose file to select the .ini file that will be used for
configuration of new Clients.
Please note, if any parameter except RemoteHost is absent or not valid, its value will be set
to default. The RemoteHost parameter is ignored in this type of installation. The Windows
Client will connect to the Server to which the Management Tool is connected.

3. Once the .ini file is chosen, click Next and continue the installation in the same way as a
regular remote installation of the Clients.

Installing Windows Clients Locally


About
You can install the Windows Clients locally using the Client installation file generated in the
Management Tool. You have two options for downloading the Client installation file from the
Management Tool:
• Generate the installation package and set the Windows Client configuration during generation.
• Use Client installation file (.exe) to install the Client with default parameters.
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008
R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed:
https://technet.microsoft.com/en-us/library/security/3033929.aspx.

Windows Client Installation Package


The installation package consists of 2 components:
• A signed EkranSystemClient.exe installation file.
• An EkranSystemClient.ini text configuration file that contains the Windows Client installation parameters defining the Server to which the Client will connect, and the Client configuration.
The table below lists all the Windows Client installation parameters. If any parameter
except RemoteHost is absent or not valid, its value will be set to default.

Parameter Description Default


Value

RemoteHost A name or IP address of the computer on which the No


Server is installed. This parameter might contain
several names and IP addresses separated with comma
or semicolon.
NOTE: The Server IP address has to be static for
Clients to connect to it successfully. Unique external
IP addresses should be used for cloud-based Servers.

ColourDepth A colour scheme used for screenshots saving. 7— 4 bits 7(4 bits
(Grayscale), 8 — 8 bits, 16 — 24 bits. (Grayscal
e))

EnableScreenshotCr Creating screenshots along with recording user activity. Enabled


eation If the value is 1, the option is enabled, if the value is 0 –
disabled.

EnableActiveWindo Screenshots and recorded metadata will contain Disabled


w information on active window only. If the value is 1, the
option is enabled, if the value is 0 – disabled.

MonitorUSBStorage Monitoring plugged in USB-based storage devices. If Enabled


the value is 1, the option is enabled, if the value is 0 —
disabled.

EnableTimer Recording user activity and creating screenshots with a Disabled


certain time interval. If the value is 1, the option is
enabled, if the value is 0 — disabled.

Timer Time interval of user activity recording and screenshot 30


creation in seconds. This period can’t be less than 30
seconds. This parameter is needed if the EnableTimer
parameter is set.

EnableActivity Recording user activity and creating screenshots when Enabled


an active window is changed. If the value is 1, the
option is enabled, if the value is 0 — disabled.

124
Windows Clients

Parameter Description Default


Value

EnableWndNmChan Recording user activity and creating screenshots when Enabled


ges a window name is changed. If the value is 1, the option
is enabled, if the value is 0 — disabled.

DisplayClientIcon The Client tray icon displaying. If the value is 1, the Disabled
Client tray icon is displayed, if the value is 0 – hidden.

EnableKBandMouse Recording user activity and creating screenshots on Enabled


clicking and a key pressing. If the value is 1, the option
is enabled, if the value is 0 — disabled.

EnableProtectedMo The mode of Client work. If the value is 1, the Disabled


de protected mode is enabled, if the value is 0 — disabled.

EnableKeystrokes Logging of a keystroke. If the value is 1, the option is Enabled


enabled, if the value is 0 — disabled.

StartSessionOnKey Starting monitoring on detecting a suspicious keyword Disabled


word in the keystrokes. If the value is 1, the option is
enabled, if the value is 0 – disabled.

Keywords A list of keywords, which being typed trigger the Empty


session start, separated with comma (e.g., drugs,
medicine). Keywords are combined with OR logic; the
LIKE operator is applied to the typed keywords (if drug
is written, then drugstore will trigger the session start).

EnableClipboardMo Logging of copy and paste operations. If the value is 1, Enabled


n the option is enabled, if the value is 0 — disabled.

URLMonitoring Monitoring of URL addresses. If the value is 1, the Enabled


option is enabled, if the value is 0 — disabled.

MonitorTopDomain Monitoring of top and second-level domain names. If Enabled


the value is 1, the option is enabled, if the value is 0 —
disabled.
NOTE: This parameter works only if URLMonitoring=1.

125
Windows Clients

Parameter Description Default


Value

FilterState | Application filtering during monitoring. If the value is “disabled”, the application filtering is disabled and all applications are monitored. If the value is “include”, the application filtering is enabled in the Include mode, and only applications listed in FilterAppName or FilterAppTitle are monitored. If the value is “exclude”, the application filtering is enabled in the Exclude mode, and only applications not listed in FilterAppName or FilterAppTitle are monitored. | Default: Disabled

FilterAppName | The list of application names separated with comma (e.g., word.exe, skype.exe). Names are combined with OR logic; the LIKE operator is applied to names (e.g., if word.exe is written then winword.exe will be monitored). | Default: Empty

FilterAppTitle | The list of application titles separated with comma (e.g., Facebook, Google). Names are combined with OR logic; the LIKE operator is applied to titles (if Facebook is written, then Facebook-Messages will be monitored). | Default: Empty

UserFilterState | User filtering during monitoring. If the value is “disabled”, activity of all users is monitored. If the value is “include”, the user filtering is enabled in the Include mode, and only activity of users listed in UserFilterNames is monitored. If the value is “exclude”, the user filtering is enabled in the Exclude mode, and only activity of users not listed in UserFilterNames is monitored. | Default: Disabled

UserFilterNames | The list of user names separated with a semicolon (e.g., work\jane;work\john). Names are combined with OR logic. Using asterisk (*) as name/domain mask is allowed (e.g., *\administrator or *\admin*). | Default: Empty

MonitorTimeFilterState | Filtering the time of recording user activity. If the value is “disabled”, the user activity is recorded twenty-four seven. If the value is “include”, the user activity is recorded only on days defined in MonitoringDays and only during hours defined in MonitoringHours. If the value is “exclude”, the user activity is not recorded on days defined in MonitoringDays and during hours defined in MonitoringHours. | Default: Disabled


MonitoringDays | The days of the week during which the Client will or will not record users' activity. The days of the week are combined by OR logic. | Default: Mon, Tue, Wed, Thu, Fri

MonitoringHours | The hours during which the Client will or will not record users' activity. | Default: 8:00 – 18:00

MonLogging | Creation of monitoring logs on the Client computer. If the value is 0, monitoring log creation is disabled; if the value is 1, a monitoring text log is created in the LogPath location. | Default: Disabled

LogPath | The path to the monitoring logs location. Using environment variables (%appdata%, %temp%, etc.) is allowed. | Default: C:\ProgramData\Ekran System\MonLogs

EnableForcedAuth | Additional identification of users that log in to the Client computer with a server operating system. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Default: Disabled

EnableOneTimePassword | Additional option that allows the user to request a one-time password to get temporary access. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Default: Disabled

EnableTwoFactorAuth | The option that requires the user to enter a time-based one-time password to log in. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Default: Disabled

NotificationMessage | The message that is displayed on user login to the system. | Default: Disabled

EnableNotificationComment | Additional option that requires the user to comment on the additional message displayed on login to the system. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Default: Disabled

RequireTicketNumber | Additional option that requires the user to enter a valid ticket number of an integrated ticketing system to start working with the Client computer. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Default: Disabled


LocalCacheLimit | Size of the Client offline data cache in MB. | Default: 500

InstallDir | The path to the Client installation folder. Using environment variables (%appdata%, %temp%, etc.) is allowed. | Default: %ProgramFiles%\Ekran System\Ekran System

UpdateAutomatically | The Client update mode. If the value is 1, the automatic Client update is enabled; if the value is 0, it is disabled and the Client requires manual update. | Default: Enabled
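
The filter semantics in the parameter table above (FilterState, FilterAppName, FilterAppTitle, UserFilterState, UserFilterNames), modelled as an added example that is not Ekran System code, for checking what a Client .ini would leave unrecorded before it is deployed. It assumes LIKE is a case-insensitive substring match, that the user and application filters must both pass, and that the keys may sit in any section; the sample .ini and the activity list are constructed.

```python
import configparser
import re

# Constructed sample .ini. The section name and every value are illustrative;
# which section these keys belong to is an assumption.
SAMPLE_INI = r"""
[AgentParameters]
FilterState=exclude
FilterAppName=word.exe, skype.exe
FilterAppTitle=Facebook
UserFilterState=exclude
UserFilterNames=work\jane;*\admin*
"""

# Constructed (user, process name, window title) observations.
SAMPLE_ACTIVITY = [
    ("work\\john", "winword.exe", "Report.docx - Word"),
    ("work\\john", "crossword.exe", "Puzzle"),
    ("work\\john", "chrome.exe", "Facebook-Messages - Google Chrome"),
    ("work\\john", "chrome.exe", "Intranet - Google Chrome"),
    ("corp\\administrator", "cmd.exe", "Command Prompt"),
    ("work\\jane", "notepad.exe", "notes.txt - Notepad"),
]


def load_params(ini_text):
    """Read every section into one dict, keeping parameter names as written."""
    parser = configparser.ConfigParser(interpolation=None)  # values may hold %temp%
    parser.optionxform = str
    parser.read_string(ini_text)
    params = {}
    for section in parser.sections():
        params.update(parser.items(section))
    return params


def split_list(value, sep):
    """Split a separated list, dropping blanks and normalising case."""
    return [item.strip().lower() for item in value.split(sep) if item.strip()]


def app_listed(params, app_name, window_title):
    """LIKE modelled as a substring match; names and titles combine with OR."""
    names = split_list(params.get("FilterAppName", ""), ",")
    titles = split_list(params.get("FilterAppTitle", ""), ",")
    return (any(n in app_name.lower() for n in names)
            or any(t in window_title.lower() for t in titles))


def user_listed(params, user):
    """UserFilterNames: semicolon-separated, * allowed as name/domain mask."""
    for mask in split_list(params.get("UserFilterNames", ""), ";"):
        pattern = ".*".join(re.escape(part) for part in mask.split("*"))
        if re.fullmatch(pattern, user.lower()):
            return True
    return False


def passes(state, listed):
    """Apply the disabled / include / exclude state to a 'listed' verdict."""
    state = state.strip().lower()
    if state == "include":
        return listed
    if state == "exclude":
        return not listed
    return True  # "disabled": everything is monitored


def is_monitored(params, user, app_name, window_title):
    """Assumption: activity is recorded only if both filters let it through."""
    return (passes(params.get("UserFilterState", "disabled"), user_listed(params, user))
            and passes(params.get("FilterState", "disabled"),
                       app_listed(params, app_name, window_title)))


def unmonitored(params, activity):
    """Return the observations this configuration would not record."""
    return [obs for obs in activity if not is_monitored(params, *obs)]


if __name__ == "__main__":
    cfg = load_params(SAMPLE_INI)
    for user, app, title in unmonitored(cfg, SAMPLE_ACTIVITY):
        print(f"not recorded: {user:22} {app:15} {title}")
```

Running it against the sample shows how a short pattern such as word.exe or a mask such as *\admin* widens an Exclude filter beyond the entries an administrator had in mind.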

Generating Windows Client Installation Package


To generate an installation package, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Generate Client installation package
(*.ini + *.exe).
6. On the Generate Installation Package page, define the name/IP of the Server to which
the Clients will connect, and define the Client configuration to be applied to the Client
and then click Next.
NOTE: The Server IP address has to be static for Clients to connect to it successfully.
Unique external IP addresses should be used for cloud-based Servers.
7. The installation package is successfully created and downloaded to your computer.
The download settings depend upon the settings of your browser.

Installing Windows Clients Locally with Custom Monitoring Parameters

To install the Windows Client locally using the installation package, do the following:
1. Copy the package (the EkranSystemClient.exe installation file and the EkranSystemClient.ini
file) to the target computer.
2. Start the EkranSystemClient.exe installation file under the administrator account on the
target computer.

3. After the package is deployed, the name of the required computer appears on the Client
Management page in the Management Tool.

Downloading Windows Client Installation File (.exe)


To download the file for Windows Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Download default Client Installation
(*.exe).
6. File downloading starts. The download settings depend upon the settings of your
browser.

Installing Windows Clients Locally without .ini File


This type of installation allows you to install the Windows Clients with the default configuration.
This way you will need only an EkranSystemClient.exe file for Client installation. The
EkranSystemClient.ini file with the default parameters will be generated automatically.

To install the Windows Client locally using the installation package on the target computer:
1. Copy the downloaded EkranSystemClient.exe file to the target computer and do one of the
following:
- Start the EkranSystemClient.exe installation file under the administrator account on the
target computer. Then in the opened window, enter the names and IP addresses of the
computer on which the Server is installed and click Install.
- In the Command Prompt (cmd.exe) started under administrator, enter
EkranSystemClient.exe /ServerName=<Server Name>.
NOTE: If there is no connection with the Server, the installation will fail and an error
message will be displayed.
2. After the package is deployed, the installed Client appears in the list on the Client
Management page in the Management Tool.

Installation via Third Party Software


If you want to install the Windows Client via a third-party tool (e.g., via System Center
Configuration Manager, Active Directory, etc.), download the Client installation file and use the
following command: EkranSystemClient.exe /ServerName=<Server Name>. The Client will be
installed with a default configuration.

Installing Windows Client on Amazon WorkSpace


To install the Windows Client on Amazon WorkSpaces, do the following:
1. Download the Client installation file.
2. Connect to the Amazon WorkSpace and run the Client installation file (.exe).
3. Open the Windows Registry Editor.
4. In the Windows Registry Editor, select the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
5. Select the AgentGUID value and click Delete in the context menu.
6. In the opened confirmation message, click Yes.
NOTE: You will not be able to edit the registry values in the Protected Mode.
7. In the Amazon WorkSpaces management console, do the following:
- Create an image of the Amazon WorkSpace with installed Windows Client.
- Create a bundle from the newly created image.
- Create new Amazon WorkSpaces from the newly created bundle.
8. All new Amazon WorkSpaces created from the bundle will automatically connect to the
Ekran Server.
NOTE: Make sure that Ekran Server is allowed to accept TCP connections on ports 9447 and
9449 for connection between Ekran Server and Ekran Clients.

Cloning a Virtual Machine with Installed Client


Each Windows Client has its own unique ID, which it receives when it connects to the Server.
When you prepare a virtual machine, which is to be monitored, for cloning, you need to remove
the Client ID to ensure the proper Client connection to Server.

To remove the Client ID, do the following:


1. Make sure the Client is offline (does not have any connection with the Server).
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
4. Select the AgentGUID value and click Delete in the context menu.
5. In the opened confirmation message, click Yes.
NOTE: You will not be able to edit the registry values in the Protected Mode.

Unassigning License on Virtual Machine Shutdown


If Ekran Windows Client is used on virtual machines, in some cases the master image might be
used multiple times. To prevent wasting Client licenses when this occurs, you can configure the
Client license to be unassigned on the virtual machine shutdown.
Before configuring a virtual machine image, you have to create a cmd file (for example,
uninstall_client.cmd) containing the following command-line command:

start /wait <path to EkranClient.exe> -uninstwl <uninstallation key>


For example (default installation parameters used):
start /wait C:\Progra~1\EkranS~1\EkranS~1\Client\EkranClient.exe -uninstwl allowed

To configure the image of the virtual machine with the Client for the license to be unassigned
on shutdown:

1. Start your virtual machine image.


2. Configure the system and install the necessary software.
3. Install Ekran Client (via remote installation or locally) with the Protected Mode option
disabled.
4. Open the Windows Registry Editor.
5. In the Registry Editor window, select the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
6. Select the AgentGUID value and click Delete in the context menu.
7. In the opened confirmation message, click Yes.
8. Copy uninstall_client.cmd to the target folder on your virtual machine.
9. Run the Command Prompt (cmd.exe) as administrator.
10. Enter the gpedit command.
11. In the Local Group Policy Editor window, select Computer Configuration -> Windows
Settings -> Scripts (Startup/Shutdown) -> Shutdown
12. In the Shutdown Properties window, click Add and select the uninstall_client.cmd file.
13. Click OK.
14. Create the master snapshot (gold image).
15. From now on, whenever you start the virtual machine using this image, the Client is
going to connect to the Server as a new Client and get a license assigned to it. Whenever
the virtual machine is shut down, the license is going to be unassigned from the Client.

NOTE: If you need the license to be unassigned on Logoff, you have to edit the Logoff script in
a similar way in the Local Group Policy Editor (User Configuration -> Windows Settings ->
Scripts (Logon/Logoff) -> Logoff -> Properties).
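
A pre-snapshot check for the cloning and license-unassignment procedures above, as an added example that is not Ekran System code: it confirms that AgentGUID is gone from the Client registry key and reports which uninstallation key the shutdown script carries. The `reg query` output and the script are constructed samples, and the registry value types shown are assumptions.

```python
import re

DEFAULT_UNINSTALL_KEY = "allowed"  # default value stated in the help file

# Constructed output of: reg query HKLM\SOFTWARE\EkranSystem\Client
# The value types and data are assumptions made for this example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
    AgentGUID    REG_SZ    {00000000-0000-0000-0000-000000000000}
    LocalCacheLimit    REG_DWORD    0x1f4
"""

# Constructed shutdown script, modelled on the command shown in the help file.
SAMPLE_SHUTDOWN_CMD = r"""REM unassign the Client license on shutdown
start /wait C:\Progra~1\EkranS~1\EkranS~1\Client\EkranClient.exe -uninstwl allowed
"""

# The two local uninstall command forms that appear in the help file.
_KEY = r'(?:"([^"]*)"|(\S+))'
UNINSTALL_PATTERNS = [
    re.compile(r'EkranClient\.exe"?\s+-uninstwl\s+' + _KEY, re.IGNORECASE),
    re.compile(r'UninstallClient\.exe"?\s.*?/key=' + _KEY, re.IGNORECASE),
]


def registry_values(reg_query_text):
    """Parse `reg query` output into {value_name: data}."""
    values = {}
    for line in reg_query_text.splitlines():
        # Value lines are indented; name, type and data are 4 spaces apart.
        m = re.match(r"^\s{4}(.+?)\s{4}(REG_\w+)(?:\s{4}(.*))?$", line)
        if m:
            values[m.group(1)] = m.group(3) or ""
    return values


def uninstall_commands(script_text):
    """Return (line_no, key) for each uninstall command outside comments."""
    found = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.lower().startswith(("rem ", "::")):
            continue
        for pattern in UNINSTALL_PATTERNS:
            m = pattern.search(stripped)
            if m:
                key = m.group(1) if m.group(1) is not None else m.group(2)
                found.append((line_no, key))
                break
    return found


def check_gold_image(reg_query_text, shutdown_script_text):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if "AgentGUID" in registry_values(reg_query_text):
        findings.append("AgentGUID is still present; delete it before the snapshot")
    commands = uninstall_commands(shutdown_script_text)
    if not commands:
        findings.append("shutdown script contains no Client uninstall command")
    for line_no, key in commands:
        if key == DEFAULT_UNINSTALL_KEY:
            findings.append(f"line {line_no}: script uses the default uninstallation key")
    return findings


if __name__ == "__main__":
    for finding in check_gold_image(SAMPLE_REG_QUERY, SAMPLE_SHUTDOWN_CMD):
        print("FINDING:", finding)
```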

Updating Windows Clients


About
Ekran System offers two update options for Windows Clients:
- automatic update
- update of selected Clients via the Management Tool
The automatic Client update is performed when a Windows Client connects to the Server of a
newer version. It is recommended to use the automatic Client update.

If you want to control the update of target Client computers yourself, you can disable the
automatic update on the required Clients and update them via the Management Tool.
After the Windows Client is updated, you will still be able to access the monitored data
received before its update.
NOTE: Windows Clients of very old versions might not be able to update. In this case, you
need to re-install the Clients.

Windows Client Status after Server Update


If the Update Client automatically option is enabled for the Windows Client, it is updated
automatically when it connects to the Server of a newer version.
If the Update Client automatically option is disabled for the Windows Client and it requires
manual update, it is displayed with the icon in the grid on the Clients page. Such Clients
store the monitoring data locally. They restart sending monitoring data to the Server after
update.

Updating Windows Clients Automatically


To update a Windows Client automatically, do the following:
1. Log in to the Management Tool as a user that has the Client configuration
management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client that needs to be updated automatically and click
Edit Client.
4. On the Editing Client page, on the Properties tab, select the Update Client
automatically option.
5. Click Finish.
6. The Client will be updated automatically when it connects to the Server of a newer
version.

Updating Windows Client Manually


To update a selected Windows Client via the Management Tool, do the following:
1. Log in to the Management Tool as a user that has the Client configuration
management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client that needs to be updated and click Edit Client.
4. On the Editing Client page, on the Properties tab, clear the Update Client
automatically option.

5. Click Finish to save the changes.


6. Update the Server.
7. Log in to the Management Tool as a user that has the Client configuration
management permission.
8. Click the Client Management navigation link to the left.
9. On the Clients page, select the Client that needs to be updated and click Edit Client.
10. On the Editing Client page, on the Properties tab, click Update.
11. On its next connection to the Server, the Client will be updated to a newer version.

Reconnecting Windows Clients to another Server


If you want to reconnect the Windows Clients to another Server, start the remote installation
from that Server. The Clients will be reconnected.
Please note that this way of reconnection can be used only for the Clients that work in the non-
protected mode. If your Clients work in the protected mode, first disable the protected mode
and then reconnect the Clients.

Uninstalling Windows Clients


About
Windows Clients can be uninstalled locally or remotely. It is possible to uninstall the
Windows Client locally only with the help of the Uninstallation key.
After uninstallation, the Client stops sending its data to the Server, but its data is not
deleted from the Server and the Client is displayed in the Management Tool. The Client
status in the Management Tool becomes offline after uninstallation.
To delete the Client from the Server (with all its captured data) and from the
Management Tool, follow the steps described in the Deleting the Client section.

Client Uninstallation Key


During the Server installation, it is possible to define the Client Uninstallation key. By
default, this key is "allowed" (the literal string).
The Client Uninstallation key is used during the local Client uninstallation.
The user is able to view or change the Client Uninstallation key in the Management Tool.
If you change the Uninstallation key, the Windows Client will receive it after connection to
the Server. If the Client has not connected to the Server yet, then its Uninstallation key is
"allowed". If the Client has not connected to the Server after the Uninstallation key has
been changed, the Client has to be uninstalled with the help of the old Uninstallation key.

To change the uninstallation key, do the following:


1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Uninstallation Key.
4. On the Custom Uninstall Key page, enter the new uninstallation key in the New Key
field.
5. Re-enter the new uninstallation key in the Confirm Key field and then click Save.
6. The uninstallation key is changed.

Uninstalling Windows Clients Remotely


To uninstall a Windows Client, do the following:
1. Log in to the Management Tool as a user that has the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
NOTE: This option is not displayed if the Client is already uninstalled or you do not
have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.

To uninstall several Windows Clients, do the following:


1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission
opens.
6. Select the Clients that you want to uninstall and click Next. To find a specific Client,
enter its name or a part of its name in the Contains box and click Apply Filters.
7. Make sure you have added all necessary Clients to the uninstallation list and click
Uninstall.
8. The selected Clients are uninstalled.

Uninstalling Windows Clients Locally


It is possible to uninstall the Windows Client locally only with the help of the Uninstallation key
that is defined during the Server installation or in the Management Tool.
To uninstall the Windows Client locally, do the following:
1. Run the Command Prompt (cmd.exe) as administrator.
2. In the Command Prompt, go to the Client installation folder. By default, it is located here:
C:\Program Files\Ekran System\Ekran System

3. Enter the following command: UninstallClient.exe /key=<uninstallation key> /silent=true.


4. Press Enter.
5. The Client is successfully uninstalled.
NOTE: If you do not add the /silent=true parameter to the uninstallation command, the
confirmation message for uninstalling the Client will be displayed on the Client computer.

Viewing Windows Clients


Windows Clients are displayed in groups on the Client Management page. If the user has an
administrative Client installation and management permission, they will see all Clients.
Otherwise, the user will see only those Clients for which they have at least one Client permission.
The list of Clients contains the following information:
- Client name
- Status
- Type
- Domain
- IPv4
- IPv6
- Description
Please note that if there are several network cards on the Client computer, only those IPv4 and
IPv6 addresses used by Windows Clients will be displayed in the Management Tool.
You can filter Windows Clients in the following ways:
- To sort Clients by the type of operating system, click the Type column header.
- To find Windows Clients only, select Hide Linux Clients and Hide macOS Clients and
click Apply Filters.
- To find Clients by their host name or description, enter the name/description or a part
of it in the Contains box and click Apply Filters.
- To hide offline/online/uninstalled/licensed Clients, select the corresponding option in
the Filtering pane and click Apply Filters.
On the Client Management page you have the following options: Add Client Group, Install
Clients, Manage Licenses, Edit Uninstallation Key, Uninstall Clients, Delete Clients, Edit Client
Configuration and Edit Client Groups. The number of available options depends upon
permissions.

Windows Client Description


Client description is used as additional information about your Windows Clients, which makes
it easier to find a specific Client. You can filter your Clients by their descriptions as well as by
their names.
Client description can be defined on the Editing Client page on the Properties tab.

To edit the description for the Windows Client, enter it in the Description box and click Finish.

Windows Client Configuration


About
Windows Client Configuration includes its monitoring parameters (screenshot creation,
keystrokes logging, Client mode, etc.).
The Client configuration can be defined in the .ini file, which is included in the installation
package. You can set the Client configuration during remote installation and during Client
editing.

Protected Mode Parameter


The Windows Client can work in two modes:
- Non-protected mode: a regular mode without enhanced Client security.
- Protected mode: a mode with enhanced Client security: the user is not able to edit
Client data (log files, generated screenshots, etc.), edit Client settings in the
registry, edit/remove/modify/rename Client files (*.exe and *.dll).
The protected mode can be enabled when installing, updating, or editing the Client.
If the protected mode is enabled during Client installation, this change will come into
effect immediately.
If the protected mode is enabled during Client editing, this change will come into effect
after the computer is rebooted.
NOTE: It is impossible to reconnect the Client working in protected mode to another Server.
In such a situation, you will have to uninstall the Client locally or change its mode to non-
protected.

Automatic Client Update Parameter


If the Update Client automatically option is enabled, the Client will be updated automatically
when it connects to the Server of a newer version. If the option is disabled, the Client needs to
be updated manually via the Management Tool.
Windows Clients requiring manual update store the monitoring data locally. After they are
updated to a newer version, they restart sending monitoring data to the Server.

Client Tray Icon Parameter


The Client tray icon is displayed to notify the users that their actions are being monitored when
they log into the Client computer and while they are working on it. This feature can be enabled
during Clients installation and editing in the Management Tool.

If the Display Client tray icon option is enabled, the Client will display a tray notification to
inform the logged-in users that they are being monitored by a Server.

Custom Path for Client Installation Folder Parameter


During remote Client installation or generation of Client installation package, you can define a
custom path for the Client installation folder. You can use the environment variables
(%programfiles%, %appdata%, %temp%, etc.). If the defined location is not accessible or write-
protected, the Client is installed to <systemdisk>\Program Files\Ekran System\Ekran System.

Offline Cache Size Parameter


If there is no connection with the Server, the Client writes monitoring data to a local cache and
automatically sends it to the Server as soon as the connection is restored.
The Offline cache size (MB) parameter allows you to define the size of the Client offline cache.
It can be defined during remote Client installation or generation of Client installation package.
The default value is 500 MB. When the amount of monitoring data reaches the defined limit,
the Client stops writing to the offline cache.
You can adjust the Offline cache size (MB) value via the Windows Registry Editor any time by
selecting the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and modifying the
LocalCacheLimit value.

User Activity Recording Parameters


Screenshots and associated metadata like an active window title, URL, text data, etc. are the
main results of the Windows Client monitoring.
You can define the following user activity recording parameters for the Client:
- Screenshot settings:
  - Enable screenshot creation along with user activity recording: This option allows
    you to enable the screenshot creation. If this option is not selected on the Client,
    only metadata (active window title, URL, text data, etc.) will be monitored and
    recorded.
  - Capture active window only: By default, screenshots of the complete screen are
    created. If this option is selected, only the current active window will be displayed
    on a screenshot. It is recommended to use this option along with the application
    filtering to fully prevent sensitive data from being monitored.
  - Bit depth: By default, screenshots are grayscale with 4 bit colour depth. This
    guarantees the smallest database size with a normal screenshot quality. You can
    also set colour depth to 8 bits or 24 bits.
- Frequency settings for user activity recording: These options allow you to define how
  often the user activity on the Client computer will be captured. User activity recording
  can be triggered by the following events:
  - Time interval: User activity is captured at a set time interval, irrespective of
    whether something changes on the screen or not. The minimal time interval is 30
    seconds.
  - Active window change: User activity is captured on the change of the active
    window. For example, a new window opens (program starts), a new tab in the
    browser opens, any secondary window opens, etc. (influences the keystroke logging
    as well).
  - Active window title change: User activity is captured on the change of the name of
    the active window (influences the keystroke logging as well).
  - Clicking or key pressing: User activity is captured on each mouse click or keyboard
    key press. Please note that by default, in this mode, the recorded user activity is sent
    no more often than once every 3 seconds to avoid affecting the performance of the
    Client computer and increasing the database size.

Keystroke Logging Parameter


If the Enable keystroke logging option is enabled, the Windows Client logs users’ keystrokes.
The Windows Client logs the following types of keystrokes:
- Character keys: Keys that contain alphabet symbols (upper or lower case), numerals (0-9),
all kinds of punctuation symbols, and space.
- Modifiers: This group of keys includes Control key, Shift key, Alt key, and Windows key.
- Navigation and typing modes: The arrow keys, Home/End, Page Up/Page Down, Tab,
Insert, Delete/Backspace, Enter, and Lock keys (Num Lock, Scroll Lock, and Caps Lock).
- System commands: Print Screen, Menu, Escape, and Break/Pause key.
- Function keys: Keys that perform some functions, such as printing or saving files.
Usually, they are labelled as F1-F12 and are located along the top of the keyboard.

Start Monitoring on Keyword Parameter


If the Start monitoring after detecting one of the following keywords option is enabled, the
Client starts recording the user activities only after the user enters one of the specified
keywords. The Client continues recording the user activities until the session is finished. A new
session will be recorded after detecting one of the specified keywords again.
To have the session start triggered by specific words or phrases, define them, separating them
from each other with a comma (,), a semicolon (;), or a paragraph. The words in phrases must
always be separated with spaces.

Detect system IDLE event Parameter


If the Detect system IDLE event option is enabled, the idle event is registered in two cases:
- On computers with Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista,
Windows Server 2016, Windows Server 2012, and Windows Server 2008: If the user is
inactive for more than 15 minutes, the computer is in sleep or hibernation mode, or the
screen is set to be turned off automatically.
- On computers with Windows XP and Windows Server 2003: If the computer is in sleep
or hibernation mode, or the screen is set to be turned off automatically.

Register IDLE event Parameter


If the Register IDLE event when user is inactive option is enabled, the idle event is registered
when there is no Client activity (i.e., no mouse movement or key presses) for longer than the
Timeout (min) value. The default timeout is 15 minutes.

Clipboard Monitoring Parameter


The clipboard monitoring allows you to monitor the Cut, Copy, and Paste operations performed
on the Client computers.
If the Enable clipboard monitoring option is enabled, the Client logs the text data, which has
been copied or cut, and then pasted by using either the context menu commands or such key
combinations as Ctrl+C, Ctrl+Ins, Ctrl+X, Shift+Del, etc. The logged text data is displayed in the
Text Data column in the Session Player. For more information, see the Viewing clipboard text
data chapter.

Monitoring Log Parameter


Monitoring logs are text files created on the Client computer. If the Enable creating log
files of the monitored events option is enabled, two log files will be created on the Client
computer:
- Client_<yyyy_mm_dd>: The log includes the following information on monitored
activities on the Client computer: activity time, session ID, Client computer name (host
name), user name, activity title, and application name.
- Login_<yyyy_mm_dd>: The log includes the following information on all user logins to
the Client computer: login time, Client computer name (host name), and user name.
Both logs are stored in the user defined location. You can use the environment variables
(%appdata%, %temp%, etc.) when defining the path. If this location is not accessible or
write-protected, logs are saved to <systemdisk>\ProgramData\Ekran System\MonLogs.
If you change the log files location via the Management Tool, the new log files will be
created in the defined location and the old log files (if any) will remain in the previous
location.
NOTE: Please do not confuse monitoring logs with Client activity logs (service logs for
internal use) stored in <client installation folder>\ActivityLogs.

Parameters examples:

Do not create monitoring logs
.ini file parameters:
[ActivityLogsParameters]
MonLogging=0
LogPath=
Parameters set in Management Tool: On the Monitoring options tab, make sure that the Enable
creating log files of the monitored events option is not selected.

Create monitoring logs in the default location %ProgramData%\EKRAN\MonLogs
.ini file parameters:
[ActivityLogsParameters]
MonLogging=1
LogPath=
Parameters set in Management Tool: On the Monitoring options tab, make sure that the Enable
creating log files of the monitored events option is selected.

Create monitoring logs in the C:\1\Logs folder
.ini file parameters:
[ActivityLogsParameters]
MonLogging=1
LogPath=C:\1\Logs
Parameters set in Management Tool: On the Monitoring options tab, do the following:
1. Select the Enable creating log files of the monitored events option.
2. In the Log files creation field, type C:\1\Logs.

Create monitoring logs in the <current user profile>\AppData\EKRAN_Logs
.ini file parameters:
[ActivityLogsParameters]
MonLogging=1
LogPath=%AppData%\EKRAN_Logs
Parameters set in Management Tool: On the Monitoring options tab, do the following:
1. Select the Enable creating log files of the monitored events option.
2. In the Log files creation field, type %AppData%\EKRAN_Logs.

URL Monitoring Parameters


The URL monitoring option enables recording the text entered in the browser address line
at the moment of screenshot creation and allows the investigator to receive information
about websites visited by the user of the Client computer. This feature also allows you to
set an alert to send notifications each time when the user opens the forbidden URL.
The monitored URL addresses are displayed in the Management Tool on the Session
Viewer page in the URL column and in the Details pane.
There are several restrictions for the URL monitoring option in the current version of the
program:
- Only URLs from the standard browsers (Firefox, Chrome, Opera, and Internet Explorer)
are monitored.
- URLs from Metro versions of the Chrome/Internet Explorer browsers are not
monitored.
- URLs entered in web anonymizers are not monitored. Please note that proxy server
anonymizers are supported.
- If there is no address line in the browser (e.g., due to user’s settings), URLs are not
monitored.
- Unicode symbols in domain names (e.g., Russian) are not monitored.
If the Enable URL monitoring option is selected in the Management Tool, you can also
select the Monitor top and second-level domain names only option. In this case only the
main part of the URL (e.g., example.com) will be monitored.
Parameter examples:

.ini File Parameters:
[AgentParameters]
URLMonitoring=0
MonitorTopDomain=0

Parameters Set in Management Tool:
On the Editing Client page, on the Monitoring Options tab, clear the Enable URL
monitoring option.

Example of monitored data (activity title):
John Doe - Google Chrome

.ini File Parameters:
[AgentParameters]
URLMonitoring=1
MonitorTopDomain=0

Parameters Set in Management Tool:
On the Editing Client page, on the Monitoring Options tab, select the Enable URL
monitoring option.

Example of monitored data (activity title):
John Doe - Google Chrome (URL: https://facebook.com/John.doe)

.ini File Parameters:
[AgentParameters]
URLMonitoring=1
MonitorTopDomain=1

Parameters Set in Management Tool:
On the Editing Client page, on the Monitoring Options tab, select the Enable URL
monitoring option, then select the Monitor top and second-level domain names only
option.

Example of monitored data (activity title):
John Doe - Google Chrome (URL: https://facebook.com)

Application Filtering Parameters


Application filtering allows you to reduce the amount of information received from the
Windows Client by defining applications whose data will be skipped during the
monitoring.
Application filtering can be in one of three states:
• Disabled: User activity in all applications is monitored (screenshots are created
and keystrokes are logged).
• Include: User activity in predefined applications is monitored. Information on all
other activity is skipped. This mode allows you to enable monitoring only of the
important applications.
• Exclude: User activity in all applications except predefined ones is monitored. This
mode allows you to skip information about user activity in non-suspicious
applications (for example, Word).
The applications are identified by name or window title. Both parameters are combined
with OR logic, i.e., if activity meets at least one of the conditions, it is recorded in the
Include mode or skipped in the Exclude mode.
It is recommended to use application filtering together with the Capture active window
only option to fully prevent sensitive data from being monitored.

Parameter examples:

Monitor all data without applying filters

.ini File Parameters:
[FilterParameters]
FilterState=disable
FilterAppTitle=
FilterAppName=

Parameters Set in Management Tool:
On the Application Filtering tab, in the Filter State box, select Disabled.

Monitor only data from all applications containing Facebook or Gmail in the title

.ini File Parameters:
[FilterParameters]
FilterState=include
FilterAppTitle=Facebook,Gmail
FilterAppName=

Parameters Set in Management Tool:
On the Application Filtering tab, do the following:
• In the Filter State box, select Monitor only activity matching defined parameters.
• In the Active window title contains box, type Facebook, Gmail.

Monitor only data from all applications containing Firefox or Internet in the application
names

.ini File Parameters:
[FilterParameters]
FilterState=include
FilterAppTitle=
FilterAppName=Firefox,Internet

Parameters Set in Management Tool:
On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor only activity matching defined parameters.
2. In the Application name contains box, type Firefox, Internet.

Monitor only data from applications containing Firefox, Chrome or Internet in the application
names (any title) and applications with the Facebook word in the title (any name)

.ini File Parameters:
[FilterParameters]
FilterState=include
FilterAppTitle=Facebook
FilterAppName=Firefox,Chrome,Internet

Parameters Set in Management Tool:
On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor only activity matching defined parameters.
2. In the Active window title contains box, type Facebook.
3. In the Application name contains box, type Firefox, Chrome, Internet.

Monitor all data except data from applications containing words Work or Doc in the title

.ini File Parameters:
[FilterParameters]
FilterState=exclude
FilterAppTitle=work,doc
FilterAppName=

Parameters Set in Management Tool:
On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor all activity except.
2. In the Active window title contains box, type Work, doc.

Monitor all data except data from applications containing words Word or Excel in the
application names

.ini File Parameters:
[FilterParameters]
FilterState=exclude
FilterAppTitle=
FilterAppName=word,excel

Parameters Set in Management Tool:
On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor all activity except.
2. In the Application name contains box, type Word, Excel.

Monitor all data except data from applications containing the Word word in the application
name or the doc word in the title

.ini File Parameters:
[FilterParameters]
FilterState=exclude
FilterAppTitle=doc
FilterAppName=word

Parameters Set in Management Tool:
On the Application Filtering tab, do the following:
1. In the Filter State box, select Monitor all activity except.
2. In the Active window title contains box, type doc.
3. In the Application name contains box, type Word.
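
An added sketch (not Ekran System code) of the OR logic described above, for checking what a given [FilterParameters] section would leave unrecorded before it is deployed. It assumes case-insensitive substring matching and that the application name is the executable name; the sample activity list is constructed.

```python
import configparser

# Constructed sample: the last Exclude example from the table above.
SAMPLE_INI = """\
[FilterParameters]
FilterState=exclude
FilterAppTitle=doc
FilterAppName=word
"""

# Constructed (application name, active window title) pairs for the audit.
SAMPLE_ACTIVITY = [
    ("WINWORD.EXE", "Q3 report - Word"),
    ("chrome.exe", "Google Docs - Google Chrome"),
    ("notepad.exe", "passwords.txt - Notepad"),
    ("cmd.exe", "Command Prompt"),
]


def load_filter(ini_text):
    """Return (state, title_terms, name_terms) from a [FilterParameters] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    section = parser["FilterParameters"]

    def terms(key):
        # Comma-separated list; lower-cased because matching is assumed
        # to be case-insensitive (assumption, not documented behaviour).
        return [t.strip().lower() for t in section.get(key, "").split(",") if t.strip()]

    state = section.get("FilterState", "disable").strip().lower()
    if state not in ("disable", "include", "exclude"):
        raise ValueError(f"unknown FilterState: {state!r}")
    return state, terms("FilterAppTitle"), terms("FilterAppName")


def is_recorded(flt, app_name, window_title):
    """Apply the filter to one activity: title OR name match decides."""
    state, title_terms, name_terms = flt
    if state == "disable":
        return True
    matched = (any(t in window_title.lower() for t in title_terms)
               or any(t in app_name.lower() for t in name_terms))
    # Include records only matches; Exclude records everything else.
    return matched if state == "include" else not matched


def skipped_activity(flt, activity):
    """List the (app, title) pairs the filter would leave unrecorded."""
    return [(app, title) for app, title in activity
            if not is_recorded(flt, app, title)]


if __name__ == "__main__":
    current = load_filter(SAMPLE_INI)
    for app, title in skipped_activity(current, SAMPLE_ACTIVITY):
        print(f"not recorded: {app} / {title}")
```

With the sample filter, the title term doc also skips a browser tab titled Google Docs, so review Exclude terms for matches broader than intended.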

User Filtering Parameters


User filtering allows you to reduce the amount of information received from the
Windows Client by defining computer users whose data will be skipped during the
monitoring. User filtering affects both primary and secondary users.
User filtering can be in one of three states:
• Disabled: Activity of all users is monitored.
• Include: Activity of predefined users is monitored. Information on the activity of
all other users is skipped.
• Exclude: Activity of all users except predefined ones is monitored. This mode
allows you to skip information about the activity of particular users (for example,
administrator).
You can define user names for filtering by entering them manually or by clicking Add
Users and selecting users from the list.
When you enter user names manually, they must be entered as <domain name>\<user
name> and separated with a comma (,), a semicolon (;), or a paragraph break. You can
also use an asterisk (*) as a name/domain mask (e.g., *\administrator or *\admin*).
When you click Add Users, the Adding Users page opens. Please note that only those
users whose activities have already been monitored are listed. Select the user names to
be added and click Add selected.
NOTE: If you select a user with Forced User Authentication on the Adding Users
page, e.g., WORK\janet (jan), you need to replace the parentheses in the User names box
with a semicolon, i.e., WORK\janet;jan.

Parameter examples:

Monitor all user activity without applying filters

.ini File Parameters:
[FilterParameters]
UserFilterState=disable
UserFilterNames=

Parameters Set in Management Tool:
On the User Filtering tab, in the Filter State box, select Disabled.

Monitor only the activity of the janet user or joe user in the work domain

.ini File Parameters:
[FilterParameters]
UserFilterState=include
UserFilterNames=WORK\janet;WORK\joe

Parameters Set in Management Tool:
On the User Filtering tab, do the following:
• In the Filter State box, select Monitor only activity of selected users.
• In the User names box, enter work\janet,work\joe manually or select the users from
the list.

Monitor the activity of all users except the users with administrator login (both local and
domain)

.ini File Parameters:
[FilterParameters]
UserFilterState=exclude
UserFilterNames=*\administrator

Parameters Set in Management Tool:
On the User Filtering tab, do the following:
• In the Filter State box, select Monitor activity of all users except.
• In the User names box, enter *\administrator, using asterisk (*) as a name/domain
mask.

Monitor only the activity of the janet Ekran system user name used for secondary
authentication

.ini File Parameters:
[FilterParameters]
UserFilterState=include
UserFilterNames=WORK\janet;janet

Parameters Set in Management Tool:
On the User Filtering tab, do the following:
• In the Filter State box, select Monitor only activity of selected users.
• In the User names box, enter work\janet;janet manually or select the user from the
list.

Monitoring Time Filtering Parameters


Monitoring time filtering allows you to reduce the amount of information received from
the Windows Client by defining the days of the week and hours during which the Client
will record the user activity.
Monitoring time filtering can be in one of three states:
• Disabled: User activity is recorded twenty-four seven.
• Include: User activity is recorded only on defined days of the week and during the
defined hours. User activity outside the defined days of the week and hours is not
recorded.
• Exclude: User activity outside the defined days of the week and hours is recorded.
User activity is not recorded on defined days of the week and during the defined
hours.

NOTE: In the .ini file, the monitoring hours must be defined in the 24-hour time format only.

Parameter examples:

Record all user activity without applying filters

.ini File Parameters:
[FilterParameters]
MonitorTimeFilterState=disable
MonitoringDays=
MonitoringHours=

Parameters Set in Management Tool:
On the Monitoring Time Filtering tab, in the Filter State box, select Disabled.

Record user activity only on Monday, Tuesday, Wednesday, Thursday, and Friday from 8 AM
to 6 PM

.ini File Parameters:
[FilterParameters]
MonitorTimeFilterState=include
MonitoringDays=Mon, Tue, Wed, Thu, Fri
MonitoringHours=8:00-18:00

Parameters Set in Management Tool:
On the Monitoring Time Filtering tab, do the following:
• In the Filter State box, select Monitor only during the defined hours.
• Select the Monday, Tuesday, Wednesday, Thursday, and Friday options.
• In the From drop-down list, select the 8 AM option.
• In the To drop-down list, select the 6 PM option.

Do not record user activity on Friday and Saturday

.ini File Parameters:
[FilterParameters]
MonitorTimeFilterState=exclude
MonitoringDays=Fri, Sat
MonitoringHours=00:00-23:59

Parameters Set in Management Tool:
On the Monitoring Time Filtering tab, do the following:
• In the Filter State box, select Monitor only outside the defined hours.
• Select the Friday and Saturday options.
• In the From drop-down list, enter the 12 AM value.
• In the To drop-down list, enter the 11:59 PM value.
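
An added sketch (not Ekran System code) that evaluates the User Filtering and Monitoring Time Filtering parameters described above, so that a planned configuration can be checked for accounts or hours it leaves unrecorded. Assumptions: names and masks match case-insensitively, each entry is tested against every login tied to the session, and the end minute of MonitoringHours is inclusive.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


def parse_user_names(raw):
    """Split UserFilterNames on comma, semicolon or line break."""
    return [n.strip().lower() for n in re.split(r"[,;\r\n]+", raw) if n.strip()]


def user_recorded(state, raw_names, logins):
    """logins: names tied to the session (primary, plus secondary if any)."""
    if state == "disable":
        return True
    patterns = parse_user_names(raw_names)
    # Assumption: an entry matches if it equals, or as a * mask covers,
    # any login of the session. fnmatch treats the backslash literally.
    matched = any(fnmatchcase(login.lower(), pattern)
                  for login in logins for pattern in patterns)
    return matched if state == "include" else not matched


def _minutes(hhmm):
    """Convert H:MM or HH:MM (24-hour format) to minutes since midnight."""
    hours, minutes = (int(part) for part in hhmm.strip().split(":"))
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"not a 24-hour time: {hhmm!r}")
    return hours * 60 + minutes


def time_recorded(state, raw_days, raw_hours, when):
    """Decide whether activity at datetime `when` is recorded."""
    if state == "disable":
        return True
    days = {d.strip().title() for d in raw_days.split(",") if d.strip()}
    unknown = days - set(DAY_NAMES)
    if unknown:
        raise ValueError(f"unknown day names: {sorted(unknown)}")
    start, end = (_minutes(part) for part in raw_hours.split("-"))
    now = when.hour * 60 + when.minute
    in_window = DAY_NAMES[when.weekday()] in days and start <= now <= end
    # Include records inside the window; Exclude records outside it.
    return in_window if state == "include" else not in_window


if __name__ == "__main__":
    # Constructed sessions checked against two examples from the tables above.
    for logins in (["PC01\\Administrator"], ["WORK\\janet"]):
        print(logins, user_recorded("exclude", "*\\administrator", logins))
    for when in (datetime(2024, 1, 1, 9, 30), datetime(2024, 1, 6, 10, 0)):
        print(when, time_recorded("include", "Mon, Tue, Wed, Thu, Fri",
                                  "8:00-18:00", when))
```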

Forced User Authentication Parameter


Forced User Authentication provides a method for an additional identification of users that log
in to the Client computer.
If the Enable secondary user authentication on log-in option is enabled, the Client will display
the secondary authentication window on the user login to Windows.
NOTE: Forced User Authentication can only be enabled during Client editing in the
Management Tool.

Two-Factor Authentication Parameter


The Two-Factor Authentication option allows you to require the users to additionally enter the
time-based one-time passwords (TOTP) generated via their mobile applications (i.e., Google
Authenticator) to log in to the Client computers.
If the Enable two-factor authentication option is enabled, the Client will display the additional
TOTP window on the user login to Windows.
NOTE: Two-Factor Authentication can be enabled only during Client editing in the
Management Tool.

Additional Message on User Login Parameter


The additional message on user login allows you to inform the user that their actions are being
monitored and also notify them about corporate policies or the country law.
If the Enable displaying additional message option is enabled, the Client will display the
additional notification message on the user login to Windows.
After the user confirms acknowledging the message, they will be allowed to log in and continue
working.
For more information, see the Enable displaying additional message chapter.

User’s Comment Parameter


The user’s comment option allows you to require the user to comment on the additional
message displayed on login in order to allow the Ekran System administrator to be informed
about the user activity.
The user’s comment option is available only if the Enable displaying additional message option
is selected.
If the Require user’s comment option is enabled, the Client will prompt the user to comment
on the additional message displayed on login. After the user enters a comment, they will be
allowed to start working with the system. For more information, see the Enabling user’s
comment option chapter.

Ticket Number Parameter


The ticket number option allows you to require the user to enter a valid ticket number created
in the integrated ticketing system to start working with the Client computer.
The ticket number option is available only if the Require user’s comment option is selected.
If the Require ticket number option is enabled, the Client will prompt the user to enter a valid
ticket number in the additional message window displayed on login. After the user enters a
valid ticket number and comments on the additional message, they will be allowed to start
working with the system.
NOTE: The Require ticket number option is available only if you have an activated Enterprise
serial key.

Editing Windows Client Configuration


You can edit the Client configuration for online and offline Clients. The configuration for online
Clients is applied immediately. The configuration for offline Clients is applied as soon
as the Client goes online.
Newly installed Clients have a Custom configuration that can be edited for each Client
individually. When Clients are added to a group, they can either keep their Custom
configuration or inherit the configuration from the group. If the group configuration is
changed, the Client configuration inherited from this group changes as well.
To edit the Windows Client custom configuration, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Windows Client for which you want to edit the
configuration, and click Edit Client. To find a specific Client, enter its name in the
Contains box and click Apply Filters.
NOTE: If you do not have the Client configuration management permission for this
Client, the configuration options will be disabled.
4. On the Editing Client page, on the Properties tab, do the following:
• Optionally, define the description for the Client.
• Select the type of license to be assigned to the Client.
• Select the type of settings to be applied to the Client:
  o If the Custom settings type is selected, you can edit all Client settings.
  o If the Inherited from <Client group> settings type is selected, the Client
  settings are inherited from the selected Client group and these settings
  cannot be changed.
• Select the Enable protected mode option if you want to enable protected mode.
• Select the Update Client automatically option if you want the Client to be updated
automatically.
• Select the Display Client tray icon option if you want to display the Client tray icon
to the user.
NOTE: The Client mode will be changed after reboot of the Client computer.

5. On the User Activity Recording tab, do the following:
• Define user activity recording frequency.
• Define the screenshot creation settings.
6. On the Monitoring Options tab, do the following:
• Select the Enable keystroke logging option to enable the keystroke logging.
• Select the Start monitoring after detecting one of the following keywords option
if you want the Client to start recording the user activities only after the user
enters one of the specified keywords on the Client computer.
• Select the Enable clipboard monitoring option to enable monitoring of the
Windows Clipboard text data.
• Select the Detect system IDLE event option to enable registering the idle events if
the user is inactive for more than 15 minutes, the computer is in sleep or hibernation
mode, or the screen is set to be turned off automatically.
• Select the Register IDLE event when user is inactive option to enable the idle
event registering when there is no Client activity, i.e., no mouse movement or key
presses for longer than the Timeout (min) value. The default timeout is 15 minutes.
• Select the Enable creating log files of the monitored events option to enable
creation of monitoring logs on the Client computer and define the log files location.
• Select the Enable URL monitoring option to receive information about websites
visited by the user of the Client computer.
• Select the Monitor top and second-level domain names only option to monitor
only the main part of the URL (e.g., example.com).

7. On the Application Filtering tab, define the application filtering parameters for the
Client.

8. On the User Filtering tab, define the user filtering parameters for the Client.

9. On the Monitoring Time Filtering tab, define the monitoring time filtering parameters
for the Client.
10. On the Authentication Options tab, do the following:
• Select the Enable displaying additional message option if you want to enable
additional message on user login, and then enter the message to be displayed to a
user.
• Select the Require user’s comment option if you want the user to comment on the
additional message displayed on login.
• Select the Require ticket number option if you want the user to enter a valid ticket
number to start working with the system.
• Select the Enable secondary user authentication on log-in option if you want to
enable the additional authorization for users that log in to the Client computer.
• Select the Allow using one-time password option if you want to allow users to use
one-time passwords to log in to the Client computer. Then define the email
address of the administrator to receive users’ requests. You can define several
email addresses, separating them with a semicolon (;).
• Select the Enable two-factor authentication option if you want to require the
users to enter the time-based one-time passwords to log in to the Client
computer.
11. After defining the configuration, click Next to proceed to defining Client Groups to
which the Client belongs, permissions on working with it, and alerts assigned to the
Client. Click Finish to accept the changes.
12. A new configuration will be immediately applied to the Client.

Viewing Windows Client Configuration


The Windows Client configuration can be viewed by a user that has an administrative
Client installation and management permission or any Client permission.

To view the Windows Client configuration, do the following:


1. Log in to the Management Tool.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the required Client and click Edit Client.
4. On the opened page, you will see the tabs with the corresponding configuration
parameters.

Forced User Authentication on Windows Clients


About
If the Client is installed on a computer with the Windows operating system and several users may
use the same account to log in to this computer, it is important to identify the person using the
account. The identification can be performed by means of Forced User Authentication, which
requires the user to enter additional credentials in the pop-up dialog after logging in. The user
can either enter the credentials of an Ekran System user that has the Access Client computer
permission, or use their email and the generated one-time password (if such an option is enabled
for the Client computer). The secondary login will then be displayed in the Client Sessions list in
brackets next to the primary login under which the user is logged in to Windows.
NOTE: The one-time password feature is available only if you have an activated Enterprise
serial key.
The forced user authentication works only if there is a connection between the Client computer
and the Server computer. If the connection with the Server computer is lost (the Server is
unavailable), the pop-up dialog for entering secondary credentials will not be displayed.
NOTE: In some situations (e.g., after a forced restart) the Client service does not start
within one minute after the computer is turned on. In these situations forced authentication
will not work.

Enabling Forced User Authentication on Windows Client


The Forced User Authentication parameter can be set only during Client editing and is available
for the Clients installed on the computers with Windows operating system.
To enable Forced User Authentication on the Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to enable Forced User
Authentication, and click Edit Client. To find a specific Client, enter its name in the Contains
box and click Apply Filters.
4. On the Editing Client page, on the Authentication Options tab, select the Enable secondary
user authentication on log-in option.
5. Optionally, select the Allow using one-time password option and enter the administrator
email address into the Send emails to box. The requests for the one-time passwords will be
sent to the specified email addresses. You can enter several email addresses, separating
them with a semicolon (;).

6. Click Finish.
7. If the Client is installed on Windows Server 2003, the computer must be restarted after
enabling or disabling the forced authentication mode. On other Windows versions the forced
authentication mode is enabled immediately.
NOTE: Forced user authentication does not work on Windows XP operating system.

Granting User Permission to Log In


To grant an Ekran System user a permission to log in to the Client computer with enabled
forced user authentication, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Edit the Active Directory or internal user who will log in to the Client computer, or add a
new one to the system.
3. During the user adding/editing, on the Client Permissions tab, click Edit Permissions for the
required Client. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
4. In the opened Client Permissions window, select the Access Client computer option and
then click Save.
5. Click Finish.

Managing One-Time Passwords


About
The one-time password can be generated either on user’s request or without it by the Ekran
System user with the Client configuration management permission.

The one-time password option can be enabled only along with the forced user authentication
option during Client editing in the Management Tool.
NOTE: The one-time password option is available only if you have an activated Enterprise
serial key.

Generating One-Time Password


Generating One-Time Password on User Request

When the user requests a one-time password for logging into the Client computer, the user
request is sent to the email address of the administrator defined for the Client in the Client
configuration. On the Access Management page, on the One-time Password tab, the requested
password is displayed with the Requested state.
NOTE: For the administrator to receive the email requests correctly, make sure that on the
Authentication Options tab of the Clients the valid email addresses are defined.

To generate a one-time password using the email link, open the received email with a request
for a one-time password and click the navigation link for the password generation. The one-
time password will be automatically generated and sent to the user’s email address.

To generate a one-time password via the One-Time Passwords page, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-Time Passwords tab.
4. On the One-Time Passwords tab, click the Generate link for the user request with the
Requested state.
5. The one-time password is automatically generated and sent to the user email address.

Generating One-Time Password without User Request

To generate a one-time password without user request, do the following:


1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-Time Passwords tab.
4. On the One-Time Passwords tab, click Generate Password.
5. The One-Time Password Generation window opens.
6. Enter the following parameters and then click Generate:
• Client name: Select the needed Client from the list.
• User name: Optionally, enter the user name.
• User’s confirmation email: Define the user email address to which the generated
one-time password will be sent.
• Comment: Enter your own comment or leave the default one. The default comment
is “Generated without request”.
7. The one-time password is generated and sent to the specified email address.

Viewing One-Time Passwords


On the Access Management page, on the One-time Passwords tab, the grid with the following
information is displayed:
• Time Requested: Displays the date and time the one-time password was requested. For
one-time passwords, which were generated without the user’s request, the N/A value is
displayed.
• Time Generated: Displays the date and time the one-time password was generated.
• Client Name: Displays the name of the Client computer for which the one-time password
was requested or generated.
• User: Displays the user name of a user for which the one-time password was generated.
• Login: Displays the name of the user who requested a one-time password to log into the
Client computer.
• User’s Email: Displays the user email address for the one-time password to be sent to.
• Generated by: Displays the name of the administrator who generated the one-time
password. It is empty for the one-time password with the Requested state.
• State: Displays the current state of the one-time password. It can be Requested,
Generated & Sent, Sending Failed, Used, Expired, or Manually Expired.
• Time Used: Displays the date and time when the one-time password was used. It is empty
for not used passwords that are not expired. For expired passwords, the N/A value is
displayed.
• Comment: Displays the user’s comment entered in the Request Password window or
admin’s comment entered in the One-time Password Generation window.
The one-time password can have one of the following states:

State: Requested
Description: The user has requested a one-time password, but it has not been
generated yet.
Possible Actions:
• Generate: Allows auto-generating and sending of the one-time password.

State: Generated
Description: The one-time password has been generated and sent to the user, but
the user has not used it yet and the password has not auto-expired.
Possible Actions:
• Expire: Allows terminating a one-time password manually.
• Resend Email: Allows resending the previously sent email.

State: Sending Failed
Description: The one-time password has been generated, but the email sending
has failed.
Possible Actions:
• Expire: Allows terminating a one-time password manually.
• Resend Email: Allows resending the previously sent email.

State: Used
Description: The one-time password has been generated and sent to the user, and
the user has used it.
Possible Actions:
• Open Session: Allows opening a session of the user logged into the Client
computer with a one-time password.

State: Expired
Description: The one-time password has been generated and sent to the user, but
the user has not used it during 24 hours.

State: Manually Expired
Description: The generated one-time password has been manually terminated by
the administrator.

Resending the Email


To resend the email with the generated one-time password, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-time Passwords tab.
4. On the One-Time Passwords tab, click the Resend Email link for the target one-time
password.
5. In the confirmation message, click OK.
6. A new one-time password is generated and sent to the user’s email address.
NOTE: You can resend the emails with one-time passwords with the Generated & Sent or
Sending Failed states only.

Terminating One-Time Password Manually


If the one-time password has been generated for the wrong user or sent to the wrong
email address, you can terminate it manually.
To terminate a one-time password manually, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-time Passwords tab.
4. On the One-time Passwords tab, click the Expire link for the target one-time password.

NOTE: You can manually terminate the one-time passwords with the Generated & Sent or
Sending Failed states only.
5. In the confirmation message, click OK.
6. The state of the one-time password changes to Manually Expired and the user will not be
able to use it.

Logging In
Logging in Using Ekran System User Additional Credentials
The process of logging in to the Client computer with enabled forced user authentication is
performed as follows:
1. The user logs in to Windows in the usual way (locally or remotely).
2. On the user login to Windows, the Client displays the secondary authentication window
requesting the user to enter their secondary credentials.
3. The user enters the credentials of the Ekran System user that has the Access to Client
computer permission.
4. These credentials are sent to the Server and the Server returns the response on whether
the access to this computer is allowed. If the user has the required permission for the Client
computer and their entered credentials are correct, the user is allowed to continue working
with the System. Otherwise, the user will receive a corresponding message.
5. As soon as the user starts working with the system, the Client will start recording their
activity and the user’s name will be displayed in the Management Tool on the Monitoring
Results page in the User name column in brackets: <logged in Windows user> (<forced
authentication user>).

Logging in Using One-Time Password


The process of logging in to the Client computer with enabled forced user authentication and
the one-time password option is performed as follows:
1. The user logs in to Windows in the usual way (locally or remotely).
2. On the user login to Windows, the Client displays the secondary authentication window
requesting the user to enter their credentials or a one-time password.
3. The user enters their email address into the Login box and the one-time password received
via email into the Password box.
4. These credentials are sent to the Server and the Server returns the response on whether
the access to this computer is allowed. If the entered email address and the one-time
password are correct and the one-time password was generated for this Client computer
and for this primary Windows user, the user is allowed to continue working with the
System. Otherwise, the user will receive a corresponding message.
5. As soon as the user starts working with the system, the Client will start recording their
activity and the user’s email will be displayed in the Management Tool in the Client Sessions
list in the User name column in brackets: <logged in Windows user> (<user’s email
address>).
NOTE: After the one-time password has been used, it is automatically terminated and cannot
be used to log into the Client computer again.

Requesting One-Time Password


While logging into the Client computer with forced user authentication and the one-time
password option enabled, the user can request a one-time password to get temporary access to
the Client computer, as follows:
1. In the secondary authentication window, the user clicks Request Password.
2. In the opened Request Password window, the user enters their email address and then,
optionally, enters a comment to be displayed to the administrator.
3. The user clicks Request.
4. The request is sent to the Ekran System administrators’ email addresses defined for the
Client while turning on the one-time password option.
5. The administrator will generate a one-time password and the generated password will be
sent to the email address defined in the Request Password window.
6. After a while, the user checks their mailbox for the email with the generated password. If the
email with the generated password has not been received, the user can request it again.
NOTE: The one-time password for logging into the same Client computer cannot be requested
more often than once per hour.
The received one-time password can be used only once, within 24 hours of its generation,
and only for logging into the Client computer from which it has been requested. If the user does
not use the one-time password within 24 hours, it automatically expires.
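The rules stated in the two one-time password sections above (single use, 24-hour lifetime, binding to the Client computer and the primary Windows user, one request per Client computer per hour) can be checked against each other in a small model. This is an added example, not Ekran System code: the class, method and result names, the host names and the timestamps are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hmac
import secrets

REQUEST_INTERVAL = timedelta(hours=1)     # one request per Client computer per hour
PASSWORD_LIFETIME = timedelta(hours=24)   # an unused password expires after 24 hours


@dataclass
class IssuedPassword:
    value: str
    email: str
    client: str          # Client computer the request came from
    windows_user: str    # primary Windows user the password was generated for
    issued_at: datetime
    used: bool = False


@dataclass
class OneTimePasswordPolicy:
    """Hypothetical model of the stated rules; not Ekran System code."""
    last_request: dict = field(default_factory=dict)   # client -> last accepted request
    issued: list = field(default_factory=list)

    def request(self, client, now):
        """Accept a request unless this Client computer already asked within the hour."""
        previous = self.last_request.get(client)
        if previous is not None and now - previous < REQUEST_INTERVAL:
            return False
        self.last_request[client] = now
        return True

    def generate(self, email, client, windows_user, now):
        """Administrator action: issue a random password bound to client and Windows user."""
        otp = IssuedPassword(secrets.token_urlsafe(12), email, client, windows_user, now)
        self.issued.append(otp)
        return otp.value

    def verify(self, email, password, client, windows_user, now):
        """Return 'ok', or the reason the login is refused."""
        for otp in self.issued:
            same_value = hmac.compare_digest(otp.value.encode(), password.encode())
            if otp.email != email or not same_value:
                continue
            if otp.used:
                return "already used"
            if now - otp.issued_at > PASSWORD_LIFETIME:
                return "expired"
            if otp.client != client:
                return "generated for another Client computer"
            if otp.windows_user != windows_user:
                return "generated for another Windows user"
            otp.used = True   # single use: terminated on the first successful login
            return "ok"
        return "unknown email or password"


def demo():
    """Walk the rules with constructed names and timestamps."""
    t0 = datetime(2024, 1, 1, 9, 0)
    mail, user = "user@example.com", "CORP\\alice"
    policy = OneTimePasswordPolicy()
    out = {
        "first_request": policy.request("WS-01", t0),
        "second_request_30min": policy.request("WS-01", t0 + timedelta(minutes=30)),
        "other_client_request": policy.request("WS-02", t0 + timedelta(minutes=30)),
        "request_after_1h": policy.request("WS-01", t0 + timedelta(hours=1)),
    }
    pw = policy.generate(mail, "WS-01", user, t0)
    later = t0 + timedelta(minutes=10)
    out["other_client"] = policy.verify(mail, pw, "WS-02", user, later)
    out["other_windows_user"] = policy.verify(mail, pw, "WS-01", "CORP\\bob", later)
    out["first_login"] = policy.verify(mail, pw, "WS-01", user, later)
    out["replay"] = policy.verify(mail, pw, "WS-01", user, later + timedelta(minutes=1))
    stale = policy.generate(mail, "WS-01", user, t0)
    out["after_25h"] = policy.verify(mail, stale, "WS-01", user, t0 + timedelta(hours=25))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The refusal reasons double as a checklist when reviewing Client Sessions entries for one-time password logins: each accepted login should map to exactly one generated password, one Client computer and one Windows user.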

Login Approved by Administrator


About
The Administrator’s Approval on Login feature allows you to better protect the Client
computers from undesired access. You can create a list of users whose access to the Client
computers will be restricted. Such users will be able to log in to the Client computers only with
the approval of the administrator.
The Administrator’s Approval on Login feature works for computers with the Windows operating
system.

Approving User Access on Login


To ensure that particular users are able to log into the Windows Client computers only after
the additional approval, do the following:
1. Define the administrator’s email address (one or several), to which the access requests will
be sent.
2. Define the list of the restricted users required to get the administrator’s approval. The users
will be required to get approval when logging into all Client computers.
3. In the email sent to the defined address, grant or deny the user access to the Client
computer.

Defining Email Address for User Access Approval


To define the administrator’s email address, to which the access requests will be sent, do the
following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, open the Email sending settings tab.
4. On the Email sending settings tab, define the administrator’s email address under
Administrator Email. You can define several email addresses separating them with a
semicolon (;).
5. Click Save.

Managing Restricted User List


Adding User to Restricted List
To add a user whose login into Windows Client computers must be approved by the
administrator, do the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Restricted Users tab and then click Add User.
4. In the Add User window, select the user type and define the following information:
• For Active Directory user, define the domain name and user login.
• For Local computer user, define the computer name and user login.
• For Ekran user for secondary authentication, define the user login.
5. Click Save.
6. The user is added to the grid. During the next login, they will be able to start working with
the Windows Client computers only with the approval of the administrator.

Deleting User from Restricted List


To allow a user to log into Windows Client computers without the administrator’s approval, do
the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Restricted Users tab.
4. Click Delete user for the required user and then click OK in the confirmation message.
5. The user is deleted from the list and will be able to log in to Windows Client computers
without the administrator’s approval.

Logging In
The process of logging into the Client computer with the approval of the administrator is
performed as follows:
1. The user logs in to the Windows computer with installed Client in a common way (locally or
remotely).
2. If Forced User Authentication is enabled, the user enters their secondary credentials.
3. If the additional message on login is enabled, the user acknowledges it. Additionally, if the
corresponding options are enabled, the user comments on the message and enters a valid
ticket number.
4. An email with the request and user information is sent to the defined email address. The
administrator receives an email with the request.
5. In the received email, the administrator clicks the Grant access hyperlink to allow the user
to log in.
If the user is not allowed to log in, the administrator clicks the Block access hyperlink and
the user is logged out.

Privileged User Accounts


About
If you want to provide temporary access only to a particular computer or computer group
without revealing credentials, you can add a privileged user. The account credentials are
automatically generated, encrypted, and stored in a Password Vault. The password is reset every
time after the expiration date, which enhances data access security.

Adding Privileged User


To add a new privileged user, do the following:
1. Log in to the Management Tool as a user with the administrative User Management
permission.
2. Click the Access Management navigation link to the left.
3. On the Privileged Accounts page, click Add User.
4. The Privileged Accounts window appears.

5. Select the user type.
• For the Active Directory user, select the user login and domain.
• For the Local computer user, select the user login and computer name.
• For the Ekran System user, select the user login.
6. Select the computer or computer group to access, and the domain.
NOTE: The selected domain must be the same as the domain of the user who gets access.
7. Select a domain group from which the account will inherit permissions.
8. Define the access expiration date.
9. Add a comment, if necessary.
10. Click Grant Access.
11. The privileged account is generated in the selected domain user group.

Deactivating Privileged Account


To deactivate the privileged account, do the following:
1. Log in to the Management Tool as a user with the administrative User Management
permission.
2. Click the Access Management navigation link to the left.
3. On the Privileged Accounts page, click Delete in the selected user row.
4. Click Delete in the confirmation window.
5. The privileged account of the selected user is deactivated.

Using Privileged Account


To access a remote computer via the Ekran System Remote Access application, do the following:
1. Enable the jump server mode option on the Client.

2. The Client tray icon appears on the Client computer.


3. Click Remote Access in the Tray menu.
4. The Ekran System Remote Access app opens.
5. Select the computer from the drop-down list or enter its name/IP, and then click Connect.
6. An auto-logged remote access session under the temporary account starts.

Password Vault Configuration


To configure the password vault, do the following:
1. Log in to the Management Tool as a user with the administrative Database Management
permission.
2. Click the Database Management navigation link to the left.
3. On the Password Vault page, select Use password vault.

4. Define the instance, database name, user, and password.


5. Click Save.

Informing about Monitoring


About
If you want the user to be informed that their session will be monitored, you can enable
displaying the Client tray icon option in Management Tool. You can also enable the additional
message option to set the message to be displayed to a user, who must confirm acknowledging
the message in order to log in to the computer.
The additional message is displayed when:
• Windows is started, restarted, or shut down.
• The user gets logged out or switched.
• The user logs in via the remote connection.
In addition, you can enable the user’s comment option, which will require the user to comment
on the additional message displayed on login. The entered comments are displayed in the
Client Sessions list.
If both forced user authentication and additional message features are enabled for the
Windows Client, the additional message will be displayed after the user enters the additional
credentials in the secondary authentication window.
The Client tray icon is always displayed to the user. The tray notification is displayed when:
• The user logs in.
• The user clicks the icon.
NOTE: The additional message and Client tray icon are not displayed for unlicensed Windows
Clients.

Enabling Displaying Additional Message


The additional message displaying can be enabled when editing Client/Client Group
configuration and defining the Client settings during the remote installation or Client
installation package generation for local installation.
By default, the additional message text is: “According to company policy you must agree to the
terms in order to continue working on this computer”. You can enter the custom message to
be displayed to users.
NOTE: The message can be up to 10 000 symbols.
To enable displaying the additional message when installing the Windows Client, select the
Enable displaying additional message option on the Client configuration page (if the Client is
to be installed remotely) or on the Generate Installation Package page (if the Client is to be
installed via the installation package).
When the Client is installed, the user will receive the default notification message on their login
until the text of the message is changed when editing the Client.

To enable displaying the additional message when editing the Windows Client, do the
following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click
Edit Client. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
4. On the Authentication options tab, select the Enable displaying additional message option,
and then, optionally, enter the message to be displayed to a user.
5. Click Finish.

Enabling User’s Comment Option


The user’s comment option can be enabled when editing Client/Client Group configuration and
defining the Client settings during the remote installation or Client installation package
generation for local installation.
To enable the user’s comment option when installing the Windows Client, select the Enable
displaying additional message option and then select the Require user’s comment option on
the Client configuration page (if the Client is to be installed remotely) or on the Generate
Installation Package page (if the Client is to be installed via the installation package).
To enable the user’s comment option when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click
Edit Client. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
4. On the Authentication options tab, select the Enable displaying additional message option,
and then, optionally, enter the message to be displayed to a user. Select the Require user’s
comment option.
5. Click Finish.

Enabling Displaying Client Tray Icon


The Client tray icon displaying can be enabled when editing Client/Client Group configuration
and defining the Client settings during the remote installation or Client installation package
generation for local installation.
When the option is enabled, the Client icon is displayed in the notification area of the Client
computer. When the user clicks the icon, the notification displayed is the following: “Your
actions are being monitored by <Server name>”.
To enable displaying the Client tray icon when installing the Windows Client, select the Display
Client tray icon option on the Client configuration page (if the Client is to be installed remotely)
or on the Generate Installation Package page (if the Client is to be installed via the installation
package).
When the Client is installed, the notification message will be displayed to the user after their
login.
To enable displaying the Client tray icon when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click
Edit Client. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
4. On the Properties tab, select the Display Client tray icon option.
5. Click Finish. The Client tray icon will be displayed on the next user login.

Logging In
The process of logging in to the Windows Client computer with enabled additional message
option is performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. If the Forced User Authentication is enabled, the Client prompts the user to enter the
secondary credential.
3. After the user is logged in, the notification message is displayed.
NOTE: If the user logs in to the Citrix XenApp or Microsoft Shared App, the additional
message will be shown to them every eight hours.
4. If the Require user’s comment option is enabled, the user will be required to comment on
the additional message to start working with the Windows Client computer.
5. If the user clicks I Agree, they are allowed to continue working with the system. If the user
clicks Cancel, they return to the Windows login screen.
6. If the Client tray icon displaying option is enabled for the Client, the tray notification is
displayed to the user.

Integration with Ticketing Systems


About
Integration with ticketing systems allows you to require the users to provide ticket numbers to
start working with Windows Client computers. If integration with ticketing systems is enabled,
the Client will prompt the user to enter the valid number of a ticket that is not closed in the
additional message window displayed on login.
Currently, integration with the SysAid ticketing system is available. If you want Ekran System to
be integrated with any other ticketing system, contact our support team:
support_team@ekransystem.com.
NOTE: The integration with ticketing systems is available only if you have an activated
Enterprise serial key.

Enabling Ticket Number Option


The ticket number option can be enabled when editing Client/Client Group configuration and
defining the Client settings during the remote installation or Client installation package
generation for local installation.
To enable the ticket number option when installing the Windows Client, select the Enable
displaying additional message and Require user’s comment options and then select the
Require ticket number option on the Client configuration page (if the Client is to be installed
remotely) or on the Generate Installation Package page (if the Client is to be installed via the
installation package).
To enable the ticket number option when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click
Edit Client. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
4. On the Authentication options tab, select the Enable displaying additional message and
Require user’s comment options, and then the Require ticket number option.
5. Click Finish.

Logging In
The process of logging in to the Windows Client computer with enabled ticket number option is
performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. If the Forced User Authentication is enabled, the Client prompts the user to enter the
secondary credential.
3. After the user is logged in, the notification message is displayed.
4. The user enters a valid ticket number, comments on the additional message, and then clicks
I Agree to start working with the system. If the user clicks Cancel, they return to the
Windows login screen.
5. In the ticketing system, a comment is added to the corresponding ticket. It contains
information on who logged in to the Client computer and when. Additionally, it contains the
user’s comment entered in the additional message window and the link to the user session.

macOS Clients
About
macOS Client is a program that can be installed on the target computers to monitor the activity
of their users. The monitored data is sent to the Server and can be viewed via the Session
Viewer in the Management Tool.

Monitoring via macOS Clients


The macOS Clients work as follows:
• Each macOS Client starts automatically on computer start.
• A macOS Client with a Workstation Client license monitors either one local or remote
session.
• Every time the computer is restarted, the macOS Client starts recording user activity in a
new session. The maximum duration of one session can be 24 hours. At 00:00 all live
sessions are terminated. After their termination (their status changes from Live to
Finished), new live sessions automatically start.
• The session status becomes Finished whenever: the computer is turned off, the user is
logged out, or the macOS Client is disconnected from the Server. Whenever the macOS
Client reconnects to the Server, the session status changes from Finished back to Live.
• If a user works with several monitors, the macOS Client creates screenshots from all of
them.
• If there is no connection with the Server, the Client stores the monitored data locally
(default folder is /Library/Application Support/Ekran) and automatically sends it to the
Server when the connection is restored. It is recommended to have not less than 500 MB of
free space on the disk where the Client is installed to save data during the offline session.
• The frequency of user activity recording of the macOS Client is the following:
o If the user is typing the text, the user activity is recorded every 10 seconds.
o If the user clicks a mouse, the user activity is recorded every 3 seconds.
o If the user changes an active window, the user activity is recorded every 3 seconds.
User activity recording triggers usually influence each other, though the average frequency
of user activity recording is higher.
If the Record user activity on each event without timeout parameter is selected for the
macOS Client, the user activity is recorded on each mouse click or keyboard key pressing
without using the data sending timeout.
WARNING! The Record user activity on each event without timeout option affects CPU
usage on the Client computer and database size. It is not recommended to use this option
for a large number of Clients and for a long period of time.

Installing macOS Client


About
You can install the macOS Clients locally using the Client installation file generated in the
Management Tool.

Downloading macOS Client Installation File


To download the file for macOS Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and
management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Download macOS x64 Client
Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your
browser.

Installing macOS Clients


This type of installation allows you to install the macOS Clients locally using the downloaded
EkranSystemmacOSClientx64.tar.gz package.

To install the macOS Client on the target computer with a macOS operating system from the
command line:
1. Make sure that there is only one user logged in to the computer.
2. Copy the installation package to any folder.
3. Run the Terminal.
4. Navigate to the folder with the installation package by entering the following command:
cd path/to/folder
5. Unpack the installation package using the following command:
tar xvfz <installation package name>
6. Navigate to the unpacked EkranClient folder using the following command:
cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.
7. Run the macOS Client installation script specifying the Server name or Server IP address
and the port used for connection to the Server (9447 is recommended):
./install.sh <server_name/IP> <Agent_port>
8. After the end of the installation, macOS Client will appear in the list on the Clients page in
the Management Tool.

Uninstalling macOS Clients


About
macOS Clients can be uninstalled locally or remotely.
After uninstallation, the Client stops sending its data to the Server, but its data is not
deleted from the Server and the Client is displayed in the Management Tool. The Client
status in the Management Tool becomes offline after uninstallation.
To delete the Client from the Server (with all its captured data) and from the Management
Tool, follow the steps described in the Deleting the Client section.

Uninstalling macOS Clients Remotely


To uninstall a macOS Client, do the following:
1. Log in to the Management Tool as a user that has the Client uninstallation
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
NOTE: This option is not displayed if the Client is already uninstalled or you do not
have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.

To uninstall several macOS Clients, do the following:


1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission
opens.
6. Select the Clients that you want to uninstall and click Next. To find a specific Client,
enter its name or a part of its name in the Contains box and click Apply Filters.
7. Make sure you have added all necessary Clients to the uninstallation list and click
Uninstall.
8. The selected Clients are uninstalled.

Uninstalling macOS Clients Locally


To uninstall the macOS Client from the command line, do the following:

1. Run the Terminal.


2. Navigate to the folder with the macOS Client by entering the command:
cd /Library/Application\ Support/Ekran/EkranAgent
3. The EkranAgent folder contains the uninstall.sh script used to uninstall the Client.
4. Run the uninstallation script by entering the following command: sudo ./uninstall.sh and
press Enter.
5. Enter the password of the superuser.
6. macOS Client is successfully uninstalled.

Viewing macOS Clients


The macOS Clients are displayed in the Management Tool in the Clients list along with the
Windows and Linux Clients. If the users have an administrative Client installation and
management permission, they will see all Clients. Otherwise, the users will see only those
Clients for which they have at least one Client permission.
The Client list contains the following information:
• Client name
• Status
• Type
• IPv4
• IPv6
• Description
The Domain column is empty for macOS Clients.
Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6
addresses used by macOS Client will be displayed in the Management Tool.
You can filter macOS Clients in the following ways:
• To sort Clients by the type of operating system, click the Type column header.
• To find macOS Clients only, select Hide Windows Clients and Hide Linux Clients and
click Apply Filters.
• To find Clients by their host name or description, enter the name/description or a part
of it in the Contains box and click Apply Filters.
• To hide offline/online/uninstalled/licensed Clients, select the corresponding option in
the Filtering pane and click Apply Filters.

macOS Client Description


Client description is used as additional information about your macOS Clients, which makes it
easier to find a specific Client. You can filter your Clients by their descriptions as well as by their
names.
Client description can be defined on the Editing Client page on the Properties tab. Only users
with the Client configuration and management permission can edit the macOS Client
description.
To edit the description for the macOS Client, enter it in the Description box and click Finish.

macOS Client Configuration


About
macOS Client Configuration includes its monitoring parameters (URL monitoring, frequency
setting for user activity recording, etc.).

User Activity Recording Parameters


Screenshots and associated metadata like an active window title, application name, URL, etc.
are the main results of the macOS Client monitoring.
You can define the following user activity recording parameters for the Client:
• Screenshot settings:
o Enable screenshot creation along with user activity recording: This option allows
you to enable the screenshot creation. If this option is not selected on the Client,
only metadata (active window title, application name, URL, etc.) will be monitored
and recorded.
o Capture active window only: By default, screenshots of the complete screen are
created. If this option is selected, only the current active window will be displayed
on a screenshot.
o Bit depth: By default, screenshots are grayscale with 4 bit colour depth. This
guarantees the smallest database size with a normal screenshot quality. You can
also set colour depth to 8 bits or 24 bits.
• Frequency settings for user activity recording: These options allow you to define how
often the user activity on the Client computer will be captured. User activity recording
can be triggered by the following events:
o Time interval: User activity is captured with a certain time interval, irrespective of
whether something changes on the screen or not. The minimal time interval is 30
seconds.
o Active window change: User activity is captured on the change of the active
window. For example, a new window opens (program starts), a new tab in the
browser opens, any secondary window opens, etc.
o Active window title change: User activity is captured on the change of the name of
the active window.
o Clicking or key pressing: User activity is captured on each mouse click or keyboard
key pressing. Please note, in this mode, the recorded user activity is sent not
more often than once in 3 seconds to avoid affecting the performance of the Client
computer and increasing the database size.

URL Monitoring Parameters


The URL monitoring option allows the investigator to receive information about websites
visited by the user on the Client computer. This feature also allows you to set an alert to
send notifications each time the user opens a forbidden URL.
The monitored URL addresses are displayed in the Management Tool on the Session
Viewer page in the URL column and in the Details pane.
There are several restrictions for the URL monitoring option in the current version of the
program:
• Only URLs from the standard browsers (Safari, Chrome) are monitored.
• URLs entered in web anonymizers are not monitored. Please note that proxy server
anonymizers are supported.
• If there is no address line in the browser (e.g., due to user’s settings), URLs are
not monitored.
• Unicode symbols in domain names (e.g., Russian) are not monitored.
If the Enable URL monitoring option is selected in the Management Tool, you can also
select the Monitor top and second-level domain names only option. In this case only the
main part of the URL (e.g., example.com) will be monitored.
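The restrictions above decide which forbidden-URL alert entries can ever fire. The added example below (not Ekran System code) reduces a URL to its top and second-level domain names as the option describes and flags entries that fall under a listed restriction. It assumes alert entries are compared against the URL value the Client records; the function names and the sample entries are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def _split(rule):
    """Parse a rule or URL, adding a scheme when the entry omits one."""
    return urlsplit(rule if "://" in rule else "http://" + rule)


def host_of(rule):
    """Lower-cased host name without a trailing dot ('' if there is none)."""
    return (_split(rule).hostname or "").rstrip(".")


def top_and_second_level(rule):
    """Literal reading of the option: keep the last two labels of the host.

    How the product treats multi-part suffixes such as co.uk is not stated on
    the page; this reading returns 'co.uk' for 'shop.example.co.uk'.
    """
    host = host_of(rule)
    try:
        ipaddress.ip_address(host)
        return host                      # an IP address has no domain levels
    except ValueError:
        pass
    return ".".join(host.split(".")[-2:])


def audit_rule(rule, second_level_only):
    """List the reasons an alert entry could not match recorded URLs."""
    findings = []
    if any(ord(ch) > 127 for ch in host_of(rule)):
        findings.append("unicode domain name: not monitored")
    if second_level_only:
        parts = _split(rule)
        if parts.path not in ("", "/") or parts.query:
            findings.append("path or query: only the domain is recorded")
        reduced = top_and_second_level(rule)
        if host_of(rule) != reduced:
            findings.append("subdomain: recorded as " + reduced)
    return findings


# Constructed alert entries, not taken from any real deployment.
SAMPLE_RULES = [
    "example.com",
    "https://files.example.com/upload",
    "http://пример.рф/",
    "shop.example.co.uk",
]


def audit_all(second_level_only=True):
    """Audit every sample entry under the chosen monitoring option."""
    return {rule: audit_rule(rule, second_level_only) for rule in SAMPLE_RULES}


if __name__ == "__main__":
    for rule, findings in audit_all().items():
        print(rule, "->", findings or "can match")
```

Entries with findings are worth rewriting at the domain level before relying on them for alerting.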

Linux Clients
About
The Linux Client is a program that can be installed on the target computers to monitor the
activity of their users in the terminal. The monitored data is sent by the Linux Client to the
Server and can be viewed via the Session Viewer in the Management Tool.

Monitoring via Linux Clients


The Linux Client monitors the following actions:
1. User actions (input commands and responses from the terminal)
2. System calls in:
• SSH (local and remote)
• Telnet (local and remote)
• Local terminal sessions
3. Commands being executed in the running script.
A Client with a Linux/UNIX Server Client license can monitor multiple sessions simultaneously,
both remote and local.
A new monitoring session is created each time the terminal is opened. There is no time
limitation for a Linux Client session.
The session status becomes Finished whenever the terminal is closed or the Linux Client is
disconnected from the Server. Whenever the Linux Client reconnects to the Server, the session
status changes from Finished back to Live.

Installing Linux Client


About
You can install the Linux Clients locally from the command line using the
EkranSystemLinuxClient.tar.gz package, respectively:
• EkranSystemLinuxClientx64.tar.gz for the 64-bit system
• EkranSystemLinuxClientx86.tar.gz for the 32-bit system

Downloading Linux Client Installation File


To download the file for Linux Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Download Linux x86 Client Installation
(.tar.gz) or Download Linux x64 Client Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your
browser.

Installing Linux Clients


This type of installation allows you to install the Linux Clients locally from the command line
using the downloaded EkranSystemLinuxClient.tar.gz package.

To install the Linux Client on the target computer with a Linux operating system from the
command line:
1. Copy the installation package to any folder. Make sure you use the correct installation
package (x64 or x86).
2. Run the command-line terminal.
3. Navigate to the folder with the installation package by entering the following
command:
$ cd path/to/folder
4. Unpack the installation package using the following command:
$ tar xvfz <installation package name>

5. Navigate to the unpacked EkranClient folder using the following command:


$ cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.

6. Run the Linux Client installation script specifying the Server name or Server IP address
and the port used for connection to the Server (9447 is recommended):
$ sudo ./install.sh <server_name/IP> <Agent_port>

7. After the Client is installed, it starts monitoring the new terminal sessions. If you want
to monitor the older terminal sessions, restart them.
8. The installed Linux Client appears in the list on the Client Management page in the
Management Tool.

Uninstalling Linux Clients


To uninstall the Linux Client from the command line, do the following:

1. Run the command-line terminal.
2. Navigate to the folder with the Linux Client by entering the command:
$ cd /opt/.Ekran
3. The .Ekran folder contains the uninstall.sh script used to uninstall the Client.
4. Run the uninstallation script by entering the following command and pressing Enter:
$ sudo ./uninstall.sh
5. Enter the password of the superuser.
6. The Linux Client is successfully uninstalled.

Viewing Linux Clients


The Linux Clients are displayed in the Management Tool in the Clients list along with the
Windows Clients. Users with the administrative Client installation and management
permission see all Clients. Otherwise, a user sees only those Clients for which
they have at least one Client permission.
The Client list contains the following information:
- Client name
- Status
- Type
- IPv4
- IPv6
- Description
The Domain column is empty for Linux Clients.

Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6
addresses used by Linux Client will be displayed in the Management Tool.
You can filter Linux Clients in the following ways:
- To sort Clients by the type of operating system, click the Type column header.
- To find Linux Clients only, select Hide Windows Clients and Hide macOS Clients and
click Apply Filters.
- To find Clients by their host name or description, enter the name/description or a part
of it in the Contains box and click Apply Filters.
- To hide offline/online/uninstalled/licensed Clients, select the corresponding option in
the Filtering pane and click Apply Filters.

Linux Client Description


Client description is used as additional information about your Linux Clients, which makes it
easier to find a specific Client. You can filter your Clients by their descriptions as well as by their
names.
Client description can be defined on the Editing Client page on the Properties tab. Only users
with the Client configuration management permission can edit the Linux Client description.
To edit the description for the Linux Client, enter it in the Description box and click Finish.

Forced User Authentication on Linux Clients


About
If several users may use the same account (e.g., “root”) to work with the terminal, it might be
important to identify the person using the account. The identification can be performed by
means of Forced User Authentication, which requires the user to enter additional credentials
when they open the terminal. The user has to enter the credentials of the Ekran System user
who has the Access Client computer permission. The secondary user login will then be
displayed in the Client Sessions list in brackets next to the primary user name under which the
terminal is launched.
The forced user authentication works only if there is a connection between the Client computer
and the Server computer. If the connection with the Server computer is lost (the Server is
unavailable), the user will not be prompted to enter the secondary credentials.

Enabling Forced User Authentication on Linux Client


The Forced User Authentication parameter can be set only during Client editing.

To enable Forced User Authentication on the Client, do the following:


1. Log in to the Management Tool as a user with the Client configuration management
permission.

2. Click the Client Management navigation link to the left.


3. On the Clients page, select the Linux Client for which you want to enable Forced User
Authentication, and click Edit Client. To find a specific Client, enter its name in the Contains
box and click Apply Filters.
4. On the Editing Client page, on the Authentication options tab, select the Enable secondary
user authentication on log-in option.
5. Click Finish.
6. The forced authentication mode is enabled immediately. When the user starts working with
the terminal, they will be prompted to enter the secondary credentials.

Granting the User Permission to Work with the Terminal


To grant an Ekran System user permission to work with the terminal on a Linux Client
computer with forced user authentication enabled, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Edit an existing internal user who will log in to the Client computer, or add a
new one to the system.
3. While adding/editing the user, on the Client Permissions tab, click Edit Permissions for the
required Linux Client. To find a specific Client, enter its name in the Contains box and click
Apply Filters.
4. In the opened Client Permissions window, select the Access Client computer option and
then click Save.
5. Click Finish.

Launching the Terminal


The process of launching the terminal on the Linux Client computer with enabled forced user
authentication is performed as follows:
1. The user launches the terminal.
2. The Client requests the user to enter their secondary credentials.
3. The user enters the credentials of the Ekran System user that has the Access Client
computer permission.
4. These credentials are sent to the Server, and the Server responds whether
access to the terminal is allowed. If the user has the required permission for the Client
computer and the entered credentials are correct, the user is allowed to continue working
with the terminal. Otherwise, the user receives a corresponding message.
5. As soon as the user starts working with the terminal, the Client will start recording their
activity. The user’s name will be displayed in the Client Sessions list in the User name
column in brackets: <Linux user> (<forced authentication user>).

Two-Factor Authentication for Windows Clients
About
The Two-Factor Authentication feature allows you to better protect the critical endpoints in
your network. When the Two-Factor Authentication feature is enabled, the Client requires
the user to enter a time-based one-time password (TOTP) when logging in to Windows. TOTPs are
generated by a special mobile application, i.e., Google Authenticator, Third-Party Accounts, and
Authenticator. Google Authenticator can be downloaded from one of the following stores:
- Google Play for Android devices
- App Store for Apple devices
- Microsoft Store for Windows phones
- BlackBerry App World for BlackBerry devices
Find the detailed instructions on installation and configuration of your authenticator
application using the following links:
- For Android, iOS, and BlackBerry devices:
https://support.google.com/accounts/answer/1066447?hl=en
- For Android and iOS devices:
https://guide.duo.com/third-party-accounts
- For Windows Phones:
https://www.microsoft.com/en-us/store/p/authenticator/9wzdncrfj3rj
For users to be able to use TOTP, you have to provide them with a two-factor authentication
key generated in the Management Tool.
The Two-Factor Authentication option can be enabled for Windows computers during Client
editing. In addition, if you have at least one serial key activated, the Two-Factor Authentication
option can be enabled even for unlicensed Clients.

Allowing User to Log In


If only Two-Factor Authentication is enabled on the Windows Client computers, you have to
generate TOTP keys for local and domain users. If Two-Factor Authentication is enabled along
with the Forced User Authentication, you have to generate TOTP keys for secondary users.
To allow the users to log into Client computers with enabled Two-Factor Authentication, do
the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Two-Factor Authentication tab and then click
Add User.

4. In the Add User window, select the user type and define the following information:
- For Active Directory user, define the domain name and user login.
- For Local computer user, define the computer name and user login.
- For Ekran user for secondary authentication, define the user login.
5. Click Generate to generate a QR code and key.
6. Save the QR code or copy the key to your clipboard to send it to the corresponding user.
Alternatively, make a note of it to provide it to the user later. The user will have to enter
this key or scan the QR code with their TOTP mobile application (e.g., Google Authenticator).
For security reasons, after you navigate off this page, no one will be able to see the
generated key again.
7. Click Save.

Deleting User from the List


To prevent a user from logging in to Client computers with enabled Two-Factor Authentication, do
the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Two-Factor Authentication tab.
4. Click Delete user for the required user and then click OK in the confirmation message.
5. The user is deleted from the list and will be unable to log in to Client computers using TOTP.

Enabling Two-Factor Authentication


The Two-Factor Authentication parameter can be set only during Client editing.

To enable Two-Factor Authentication on the Client, do the following:


1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Serial Key Management navigation link to the left and make sure you have at least
one serial key activated.
3. Click the Client Management navigation link to the left.
4. On the Clients page, select the Windows Client and then click Edit Client. To find a specific
Client, enter its name in the Contains box and click Apply Filters.
5. On the Editing Client page, on the Authentication options tab, select the Enable two-factor
authentication option.
6. Click Finish.
7. The Two-Factor Authentication is enabled immediately. During the next login, the user will
be prompted to enter a TOTP generated in their mobile application (e.g., Google
Authenticator) to start working with the system.

Logging in Using Time-Based One-Time Password


To log into the Client computer with enabled Two-Factor Authentication:
1. The user enters a two-factor authentication key in their TOTP mobile application (e.g.,
Google Authenticator).
2. The mobile application starts generating TOTPs. Each TOTP is valid for 5 minutes from the
moment of its generation.
3. The user logs in to Windows in a common way (locally or remotely).
4. If Forced User Authentication is enabled, the user enters their secondary credentials.
5. The Client displays the TOTP window requesting the user to enter a TOTP generated in their
mobile application.
6. The user specifies a valid TOTP and clicks OK. If the user has been authenticated via the
Forced User Authentication, they have to specify a TOTP generated for the secondary user.
NOTE: For the user to be authenticated using TOTP, the time on the Ekran Server and on
the user’s device must be synchronized.
7. The user name and TOTP are sent to the Server for validation. If the user is allowed to log in
to Client computers with enabled Two-Factor Authentication and the TOTP is valid, they get
logged in to the system and can start working with it.
8. As soon as the user logs in to the system, the Client starts recording their activity.
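
Added example (not Ekran System code): an RFC 6238 verifier in Python that shows why the NOTE above requires synchronized clocks. It assumes the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits) and models the 5-minute validity as the server accepting codes from the preceding 300 seconds; how the Ekran Server actually validates codes is not documented here, and all names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30        # seconds per time step (RFC 6238 default)
DIGITS = 6       # code length shown by authenticator apps
VALIDITY = 300   # assumption: the 5-minute validity stated above, in seconds

# RFC 6238 Appendix B test key, Base32-encoded as it would be typed into the app.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_key(secret_b32: str) -> bytes:
    """Accept the key as users type it: spaces, lower case, missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """Code an authenticator shows when its own clock reads unix_time."""
    return hotp(decode_key(secret_b32), unix_time // STEP)


class TotpVerifier:
    """Server-side check for one user (hypothetical, for illustration)."""

    def __init__(self, secret_b32: str, validity: int = VALIDITY):
        self.key = decode_key(secret_b32)
        self.back_steps = validity // STEP
        self.last_counter = -1  # highest time step already accepted

    def verify(self, submitted: str, server_time: int) -> bool:
        if not (submitted.isascii() and submitted.isdigit()
                and len(submitted) == DIGITS):
            return False
        current = server_time // STEP
        matched = None
        # Only steps at or before the server's own clock are tried, so a
        # device whose clock runs ahead of the server is rejected outright.
        for counter in range(max(0, current - self.back_steps), current + 1):
            if hmac.compare_digest(hotp(self.key, counter), submitted):
                matched = counter
        # RFC 6238 section 5.2: a code must not be accepted a second time.
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


def demo() -> dict:
    now = 1_700_000_000  # constructed server time
    server = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, now)
    return {
        "in_sync_typed_2min_later": server.verify(code, now + 120),
        "same_code_replayed": server.verify(code, now + 150),
        "device_10min_slow": TotpVerifier(RFC_SECRET).verify(
            totp(RFC_SECRET, now - 600), now),
        "device_2min_fast": TotpVerifier(RFC_SECRET).verify(
            totp(RFC_SECRET, now + 120), now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A 300-second window also means an observed code stays usable for up to five minutes on a verifier that does not track used steps, which is why the `last_counter` check is part of the example.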

User Blocking
About
Ekran System allows you to block users performing potentially harmful and forbidden actions
on Windows Clients. You can add the user to the blocked user list on the selected Client
computer or all Client computers in the system. A blocked user is forcibly logged out of the
Client and is not allowed to log back in. You can block users while viewing their session, live or
finished. You can also enable an option that allows blocking a user or killing the process when a
certain alert is triggered. You need to have the Client installation and management permission
to block users.

Blocking User from Live Session


To block a user while watching their live session, do the following:
1. Open the user session in the Session Viewer.
2. Click on the red lock in the Session Player.
NOTE: The Lock is disabled for the users already on the Blocked User list and Ekran
System users without the Client installation and management permission.

3. The Block User window opens.

4. Define the following settings:
- Select On all computers if you want this user to be blocked on all computers
with installed Clients.
- Select On computer if you want the user to be blocked only on the current Client
computer.
5. Define the forced log out time if necessary.
6. Enter the message to display to the user if necessary.
7. Enter the reason for blocking the user.
8. Click Block.
9. On the Client computer, the warning message is displayed and the desktop is blocked.
10. After the defined time interval, the user is forcibly logged out of the Client computer. If
the user tries to log in to the Client computer, the system does not allow them to do so,
and the following message is displayed: “You have been blocked. Contact your system
administrator.”
NOTE: If you have selected to block the user on all computers, they will be logged out
on all computers where they are logged in at the time of blocking.

Blocking User from Finished Session


To block the user while watching their finished session, do the following:
1. Open the user session in the Session Viewer.
2. Click on the red lock in the Session Player. If the user is logged into the Client computer
at that point, the blocking process is the same as for the Live sessions.
NOTE: The Lock is disabled for the users already on the Blocked User list and Ekran
System users without the Client installation and management permission.

3. The Block User window opens.

4. Define the following settings:
- Select On all computers if you want this user to be blocked on all computers
with installed Clients.
- Select On computer if you want the user to be blocked only on the current Client
computer.
5. Click Block.

6. The user is blocked with the default parameters. If the user tries to log in to the Client
computer, the system does not allow them to do so, and the following message is
displayed: “You have been blocked. Contact your system administrator.”
NOTE: If you have selected to block the user on all computers, they will be logged out
on all computers where they are logged in at the time of blocking.

Blocking User on Alert Triggering


To configure an alert to block a user, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left and click Add Alert or Edit
Alert.
3. On the Actions tab, select the Show warning message to user option. You can edit the
message by entering the text in the box below.
4. In the Additional actions box, select the Block user on all computers option and click
Finish.
5. The user will be blocked when the alert is triggered.

Blocking User on Client with Secondary Authentication


If the Client has secondary user authentication enabled, the system blocks the
primary-secondary user combination. After such a user logs in to Windows, the Client displays the
secondary authentication window. When the blocked user enters their credentials and tries to
log in, the system does not allow them to do so, and the following message is displayed: “You
have been blocked. Contact your system administrator.”

Blocked User List


A blocked user is added to the blocked user list for the selected Client or all Clients in the
system (depending on your choice while blocking the user).
The list of blocked users is stored on the Server. When the blocked user list is edited, the Client
receives it from the Server immediately. If the connection with the Server computer is lost (the
Server is unavailable), the Client does not block users that are on the blocked user list. Once the
connection is re-established, the Client receives the latest edited list of blocked users from the
Server.

Viewing Blocked User List


To view the blocked user list, go to Client Management, and then click Blocked User List.
You need to have the Client installation and management permission to view the blocked user
list.

A list of blocked users is displayed, with the following information available for each record:
- Windows User: has one of the following formats:
  - <domain>\<user name>
  - <domain>\<primary user name>(<secondary user name>) (for Clients with
    secondary user authentication enabled)
- Blocked on: Displays a specific computer name or All computers.
- Blocked by: Displays a specific Ekran user that has blocked the Windows user.
- Date: Displays the date when the user was blocked.
- Reason: Displays the reason for blocking the user.

Removing User from Blocked User List


You can remove users from the blocked user list, one by one or all at once.
A user removed from the Blocked User list can log in again to their computer with the Client
installed.

To remove a user from the blocked user list, do the following:
- Click Remove in the corresponding blocked user record in the grid.
- Click Remove in the confirmation message.

To remove all users from the blocked user list, do the following:
- Click Remove All in the blocked user grid.
- Click Remove in the confirmation message.

Client Group Management


About
Client Groups allow you to grant your users access to several Clients at the same time
without having to grant them access to all the Clients (both Windows and Linux).
By default, there is one Client Group in the system, which contains all installed Clients.
You cannot remove Clients from this group.
NOTE: One Client can belong to several groups.

Adding Client Groups


To add a new Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Add Client Group.
4. On the Group Settings tab, define the following and then click Next:
- The name for the Client Group.
- Optionally, the Client Group description.
- The configuration that can be applied to the Windows Clients in the same way
as defining Client configuration.
NOTE: The maximum length of the Client Group name and description is 200
characters.
5. On the Client Management tab, add Clients to the group. Click Next.
6. On the Permissions tab, select users/user groups which will have access to the Client
Group and define their permissions:
- To find a specific user/user group, enter its name in the Contains box and click
Apply Filters.
- To define user/user group permissions, click Define Permissions for the
required users/user groups and select the check boxes near the corresponding
permissions in the opened Client Permissions window. After you have defined
all permissions, click Save.
NOTE: Permissions inherited by the user from user groups to which they belong are
displayed as disabled check boxes with a user group name near them.
7. Click Next.
8. On the Assigned Alerts tab, select the check boxes near the alerts that must be
assigned to the group.
9. Click Finish.
10. The Client Group is created.

Editing Client Groups


To edit an existing Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. Edit Client Group properties, permissions, and alerts on the corresponding tabs in the same
way as when adding a new Client group.
5. Click Next or Finish to save the changes on each tab.

Adding Clients to Groups


Adding Clients to Groups during Client Group Editing
1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Editing Client Group page, on the Client Management tab, click Add Clients.
5. The drop-down list containing the Clients that have not been added to the Group
opens.
NOTE: Only the first 10 Clients are displayed in the list. To view all Clients, click the
link at the bottom of the list.
6. Select the check boxes next to the Clients to be added to the Client Group. To find a
specific Client, enter its name, description or a part of it in the Find Clients field above
the Clients list. The list is filtered as you type.
7. Select the Apply group settings to new Clients option if you want the added Clients to
inherit Group settings.
8. Click Add.
9. The added Clients are displayed in the grid.
10. Click Finish.

Adding Clients to Groups during Client Editing


To add a Client to the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the selected Client.
4. On the Editing Client page, on the Client Groups tab, click Add to Group.
5. The drop-down list containing the groups to which the Client has not been added
opens.
NOTE: Only the first 10 groups are displayed in the list. To view all groups, click the
Click to view all results link.
6. Select the option next to the group to which you want to add the Client.
NOTE: To find a specific group, enter its name or a part of it in the Find Groups field.
The list is filtered as you type.
7. Click Add.
8. The group to which the Client was added is displayed in the grid.
9. Click Finish.

Applying Group Settings to Client


When the Client belongs to the target Client Group, the Client settings can be inherited from
this Group. In this case, the Client settings are changed together with the Group settings.

To edit the Windows Client configuration by changing the Client Group settings, do the
following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Group. To find a specific
Client Group, enter its name in the Contains box and click Apply Filters.
4. Edit Client Group properties, permissions, and alerts on the corresponding tabs.
5. Click Finish.

To edit the Windows Client configuration by applying group settings to a Client, do the
following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Windows Client for which you want to edit the
configuration, and click Edit Client. To find a specific Client, enter its name in the
Contains box and click Apply Filters.
NOTE: If you do not have the Client configuration management permission for this
Client, the configuration options editing will be disabled.
4. On the Editing Client page, on the Client Groups tab, add the Client to the group from
which you want the Client to inherit configuration.
5. Click the Apply link for the group.
6. The Client settings type changes to Inherited from <group name> and the Applied
value is displayed for this group in the grid.
7. Click Finish.

Removing Clients from Groups


Removing Clients from Groups during Client Group Editing
To remove a Client from the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Client Management tab, click the Remove link for the corresponding Client or click
Remove all to remove all Clients from the group.
5. In the confirmation message, click OK.
6. The Client is removed from the Group.
NOTE: The Client can be removed from all Groups except the All Clients group.
7. If settings of the removed Client were inherited from this group, they are changed to
Custom. The Client settings remain the same but they become editable.

Removing Clients from Groups during Client Editing


To remove a Client from the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the selected Client.
4. On the Editing Client page, on the Client Groups tab, click the Remove link for the
corresponding Client group or click Remove from All to remove the Client from all
groups.
5. In the confirmation message, click OK.
6. The Client is removed from the Group.
NOTE: The Client can be removed from all Groups except the All Clients group.
7. If settings of the removed Client were inherited from the Client Group, their type is
changed to Custom. In this case, the Client settings remain the same but they become
editable.

Deleting Client Groups


If you delete a Client group, the Clients belonging to it will not be deleted, but the permissions
of users defined for the deleted Client Group will change.
The All Clients group cannot be deleted.

To delete a Client Group, do the following:


1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.

2. Click the Client Management navigation link to the left.


3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Group Properties tab, click Delete Client Group.
5. In the confirmation message, click Delete.
6. The Client Group is deleted.
7. When the group is deleted, the configuration of all Clients that was inherited from this
group changes to Custom.

Alerts
About
Alerts are instances that notify the investigator of a specific activity (potentially
harmful/forbidden actions) on the target computers with installed Clients and allow the
investigator to respond to such activity quickly without performing searches.
The notifications can be received via email or in the Tray Notifications application. In addition,
monitored activity associated with alert events is marked as alert in the Session Viewer.
The alert system can be used for two purposes:
- Immediate response: This allows the investigator to get immediate information about
the forbidden action and respond to it quickly (almost at once). You can set an alert to
automatically block a user or kill the process.
- Delayed response: This allows the investigator to get information on a batch of
forbidden actions on multiple Clients, analyse them, and then respond.

Viewing Alerts
The alerts are displayed on the Alert Management page in the Management Tool. The list of
alerts contains the following information:
- Name
- Description
- Risk Level: Indicates the risk level of an alert, which can be Normal, High or Critical.
- Assigned To: Indicates Clients/Client Groups the alert is assigned to.
- Alert State: Indicates if the alert is enabled.
- Notification Type: Indicates how the investigators are notified about alert events (by
emails or via Tray Notifications application).
- Email Recipient: The email address of the investigator who will be notified about alert
events.
To view the latest 100 events for an alert in the Alert Viewer, click View alert events in the
corresponding entry.
To find a required alert, you can use the filtering option at the top of the page.
Select the Hide Enabled/Disabled/Default Alerts options and then click Apply Filters to hide
the alerts.
On the Alert Management page, you can add new alerts, edit existing alerts (including
deleting), and define Global Alert Settings.

Default Alerts
The Ekran System contains a set of default alerts for the potentially harmful applications and
websites visited on the Windows Client computers and for the important commands executed
on the Linux Client computers.
The default alerts are automatically added when the Ekran Server is installed or updated to a
new version. These alerts are enabled by default but there are no Clients to which they are
assigned. You can assign an alert to Clients by clicking Edit alert for the required alert and
selecting the needed Clients on the Assigned Clients tab or while editing multiple alerts.
Default alerts have the High risk level by default.
You can do the following with default alerts:
- Enable/disable them.
- Change the alert risk level.
- Define the notification options.
- Enable showing a warning message, blocking the user or killing the process.
- Delete them.
To hide default alerts, select the Hide Default Alerts option and then click Apply Filters.

Alerts Management
Adding Alerts
To add an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left and click Add Alert.

3. On the Add Alert page, on the Alert Properties tab, define the following alert
properties and then click Next:
- Enter a unique name for an alert.
- Optionally, enter the alert description.
- Select the Enabled option to enable an alert.
- Select the alert risk level. It can be Critical, Normal, or High.
4. On the Alert Rules tab, define the rules to be applied and then click Next:
- Select the Parameter of the rule.
- Select the Comparison operator.
- Enter the Value to which Parameter will be compared.
- Click Add Rule to create one more rule.
- To delete a rule, clear its Value box or click Delete.

5. On the Assigned Clients tab, select the Clients/Client Groups to which the alert will be
assigned and click Next. To find specific Clients/Client Groups, enter their names in the
search box.

6. On the Actions tab, select how you would like to receive the alert notifications and
additional actions to be performed when the alert is triggered:
- Select the Send emails to option and then enter the email address to which the
notifications will be sent. You can enter several email addresses, separating them with
semicolons.
NOTE: To receive email notifications correctly, make sure that Email Sending
Settings contain correct parameters for email sending.
- Select the Show warnings in Tray Notifications application option to activate the tray
notifications. The alert notifications will then pop up from the tray.
- Select the Show warning message to user option if you want a warning message to be
displayed to the user when the alert is triggered. You can use the default message or
enter your own text in the box below.
- In the Additional actions box, select the Block user on all computers option if you want
to automatically block the user performing forbidden actions, or select the Kill
application option if you want to forcibly stop the detected application.

7. Click Finish to save the created alert.


8. The alert is added.

Rules
About
Alert rules allow you to determine what events on the investigated computer will be
considered an alert. Each alert has to have at least one rule.
Each rule consists of the Parameter, Comparison operator, and Value, to which the Parameter
will be compared.

The following parameters are available for rules:

Parameters applied to all Clients

Parameter: Username
Description: The name of the user whose work is to be monitored. Set this parameter type for
alert to be activated whenever the specified user uses the Client computer.
If forced user authentication is enabled and the secondary user login matches the user name
alert parameter, the Client marks corresponding events as an alert.
For example:
The alert parameter is Login LIKE “John”. The user logs in to Windows as Guest and then enters
John as the secondary login. The first record in the session of this user (Guest (John)) is
marked as alert.
Example: John

Parameters applied to Windows and macOS Clients

Parameter: Application
Description: The name of the started application on the investigated computer. Select this
parameter type for alert to be triggered whenever the specified value is identified as the
name of a launched application.
Example: skype.exe

Parameter: Title
Description: The name that appears in the title of a window. Select this parameter type for
alert to be triggered whenever the specified value is identified in any title on the screen.
Example: My document

Parameter: URL
Description: URL entered in the browser address line or visited by the user. Select this
parameter type for alert to be triggered whenever the specified value is identified as the URL
address.
NOTE: The URL monitoring option must be enabled for the Client.
Example: facebook.com

Parameters applied to Windows Clients

Parameter: Keystrokes
Description: The keystrokes entered by the user. Select this parameter type for alert to be
triggered whenever the specified value is entered.
Example: download

Parameters applied to Linux Clients

Parameter: Command
Description: The command entered in the Linux terminal. Set this parameter type for alerts to
be activated whenever the specified command is entered.
Example: sudo

Parameter: Parameter
Description: The parameter of the entered Linux command. Set this parameter type for alerts to
be activated when the user enters the command with specified parameters.
Example: ImportantDocument

Parameters of Active Directory Groups

Parameter: Computer Belonging to Domain Group
Description: The name of the domain group. Select this parameter type for an alert to be
triggered on the Client computers belonging to this group.
NOTE: Alerts containing this parameter need to be assigned to the All Clients group to work
properly.
Example: Accounting

Parameter: User Belonging to Domain Group
Description: The name of the domain group. Select this parameter type for alert to be
activated whenever the users of specified domain group use the Client computers.
Example: Support

Comparison operators

For all parameters except for Active Directory groups, you can use the following comparison
operators:

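Comparison operator: Equals
Description: The defined value fully corresponds to the found result.
Example: Value: John. Found: John. Not found: Johny.

Comparison operator: Like
Description: The found result includes the defined value.
Example: Value: John. Found: Johny, Johnatan. Not found: Johan.

Comparison operator: Not equals
Description: The found result does not match the defined value.
Example: Value: John. Found: Oliver, Johny. Not found: John.

Comparison operator: Not like
Description: The found result does not include the defined value.
Example: Value: John. Found: Oliver, Johan. Not found: Johny, John.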

Rules defined for Windows/macOS and Linux parameters do not influence one another. Thus,
you can have rules for Windows/macOS and Linux Clients defined in one alert, and the alert will
work correctly.
For example:
Parameter Operator Value
Rule 1 Command Equals su
Rule 2 URL Like facebook.com
Result The alert will be triggered by user entering the su command in the Linux
terminal or visiting the facebook.com site from the computer with Windows
or macOS operating system.

When several rules are defined for the same parameter within one alert, using Like or Equals
operators, the alert will be triggered if the conditions of at least one rule are met.
For example:
Parameter Operator Value
Rule 1 Application Equals skype.exe
Rule 2 Application Equals winword.exe
Result The alert will be triggered by user launching either Skype or Microsoft Word.

When the rules are defined for the different parameters within one alert, the alert will be
triggered if the conditions of all the rules are met.
For example:
Parameter Operator Value
Rule 1 Application Equals skype.exe
Rule 2 Username Like Nancy
Result The alert will be triggered by the user Nancy launching Skype application.

When you have multiple rules defined for one parameter and one rule defined for the other
parameter, using Like or Equals operators, the alert will be triggered if conditions of any rule
from the first group and the conditions of the rule defined for a different parameter are met.
For example:
Parameter Operator Value
Rule 1 Application Equals skype.exe
Rule 2 Application Equals winword.exe
Rule 3 Username Equals Nancy
Result The alert will be triggered by user Nancy launching Skype or Microsoft Word.

When you have multiple rules defined for one parameter, using Not equals/Not like operators,
the alert will be triggered if the found result does not match (Not equals) or include
(Not like) any of the defined values.
For example:
Parameter Operator Value
Rule 1 Application Not equals skype.exe
Rule 2 Application Not equals winword.exe
Result The alert will be triggered by the user launching any application except for
Skype and Microsoft Word.
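The combination logic described above can be checked offline before an alert is deployed. The following is an added example, not Ekran System code: a small Python model of the documented semantics, run over constructed events. It assumes case-insensitive matching, that a parameter missing from an event cannot match, and that positive and negative rules on one parameter are combined with AND; the help file states none of these.

```python
from dataclasses import dataclass

# Client platforms that report each rule parameter, taken from the parameter
# table above. Active Directory group parameters are left out of this model.
PLATFORMS = {
    "Username": {"windows", "macos", "linux"},
    "Application": {"windows", "macos"},
    "Title": {"windows", "macos"},
    "URL": {"windows", "macos"},
    "Keystrokes": {"windows"},
    "Command": {"linux"},
    "Parameter": {"linux"},
}
NEGATIVE = {"Not equals", "Not like"}


@dataclass(frozen=True)
class Rule:
    parameter: str
    operator: str
    value: str


def rule_holds(rule, found):
    """Apply one comparison operator to the value found in an event."""
    # Assumption: matching ignores case; the help file does not say.
    found, value = found.lower(), rule.value.lower()
    if rule.operator == "Equals":
        return found == value
    if rule.operator == "Like":
        return value in found
    if rule.operator == "Not equals":
        return found != value
    if rule.operator == "Not like":
        return value not in found
    raise ValueError(f"unknown operator: {rule.operator!r}")


def alert_triggers(rules, event):
    """Return True if the event satisfies the alert's rules."""
    groups = {}
    for rule in rules:
        if rule.parameter not in PLATFORMS:
            raise ValueError(f"unknown parameter: {rule.parameter!r}")
        # Rules for another platform do not influence this event.
        if event["platform"] in PLATFORMS[rule.parameter]:
            groups.setdefault(rule.parameter, []).append(rule)
    if not groups:
        return False  # no rule of this alert applies to the Client's platform
    for parameter, group in groups.items():
        found = event.get(parameter)
        if found is None:
            return False  # assumption: an absent parameter cannot match
        positive = [r for r in group if r.operator not in NEGATIVE]
        negative = [r for r in group if r.operator in NEGATIVE]
        # Same parameter, Equals/Like: at least one rule must hold.
        if positive and not any(rule_holds(r, found) for r in positive):
            return False
        # Same parameter, Not equals/Not like: every rule must hold.
        if not all(rule_holds(r, found) for r in negative):
            return False
    return True  # different parameters: all groups held


def matching_events(rules, events):
    """Indexes of the events that would be marked as alert events."""
    return [i for i, e in enumerate(events) if alert_triggers(rules, e)]


# Constructed sample events (not real monitoring data).
EVENTS = [
    {"platform": "windows", "Username": "Nancy", "Application": "skype.exe"},
    {"platform": "windows", "Username": "Oliver", "Application": "winword.exe"},
    {"platform": "windows", "Username": "Nancy", "Application": "chrome.exe",
     "URL": "https://www.facebook.com/"},
    {"platform": "linux", "Username": "root", "Command": "su"},
]

# The alerts from the examples above.
EITHER_APP = [Rule("Application", "Equals", "skype.exe"),
              Rule("Application", "Equals", "winword.exe")]
NANCY_APPS = EITHER_APP + [Rule("Username", "Equals", "Nancy")]
ANY_OTHER_APP = [Rule("Application", "Not equals", "skype.exe"),
                 Rule("Application", "Not equals", "winword.exe")]
MIXED_PLATFORMS = [Rule("Command", "Equals", "su"),
                   Rule("URL", "Like", "facebook.com")]

if __name__ == "__main__":
    for name in ("EITHER_APP", "NANCY_APPS", "ANY_OTHER_APP", "MIXED_PLATFORMS"):
        print(name, matching_events(globals()[name], EVENTS))
```

Running a candidate rule set against a day of exported activity in this way shows how broad a Not equals/Not like alert is before it starts generating notifications.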

Rule Examples
1. To set up the alert notification about any user opening the facebook.com site on the
investigated computer, select the URL parameter and, in the Value field, enter
facebook.com.

NOTE: The URL monitoring option must be enabled for the Client.

2. To set up the alert notification about any user opening any other site except
Facebook on the investigated computer, select the Not like operator:

3. To set up the alert notification about a specific user (e.g., Stefan) opening Facebook on
the investigated computer, define the following parameters:

If you enter more than one name, the alert notification will then appear if any of them
(Stefan or Rick) opens Facebook.

If you use the Not like operator for the entered names, the alert notification will appear if
any user except for Stefan or Rick opens Facebook.

4. To set up the alert notification about any user launching skype.exe application on the
investigated computer, define the following parameters:

If you use the Not equals operator, the alert notification will appear if any application except
for Skype is opened.

5. To set up the alert notification about a specific user (e.g., Stefan) opening
facebook.com in Chrome, define the following parameters:

6. To set up the alert notification about USB-based storages plugging in, define the
following parameters:

7. To set up the alert notification about entering any command with sudo or a command
su, define the following parameters:

8. To set up the alert notification about accessing the Client computers by users
belonging to the target domain group, define the following parameters:

9. To set up alert notification about opening Facebook on the investigated computer,
which belongs to the domain group, define the following parameters:

NOTE: Such alerts need to be assigned to the All Clients group to work properly.

10. To set up the alert notification about launching the skype.exe application by the users
belonging to the target domain group on the Client computers belonging to the target
domain group, define the following parameters:

Enabling/Disabling Alerts
If you do not need to receive notifications on a specific alert which you do not want to
delete, you can disable it in the Management Tool by clearing the Enabled option on the
Alert Properties tab of the Edit alert page. This option can be enabled again later, by
selecting the Enabled option on the same page.
To enable/disable multiple alerts, do one of the following:
• On the Alert Management page, select alerts and click Enable/Disable.
• On the Alert Management page, click Manage Multiple Alerts. On the opened
Manage Multiple Alerts page, click Enable/Disable next to alerts or Enable
All/Disable All in the last column header.

Editing Alerts
Editing Single Alert
To edit a single alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left.
3. Click Edit alert for the required alert.
4. Edit alert properties and rules on the corresponding tabs in the same way as when
adding a new alert.
NOTE: Click Next or Finish to save the changes on each tab.
5. The alert is edited.

Editing Multiple Alerts


To edit multiple alerts, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and
management permission.
2. Click the Alert Management navigation link to the left.
3. Click Manage Multiple Alerts.
4. On the Alert Selection page, select the alerts to be edited, enable/disable the required
alerts, and then click Next.
5. On the Assigned Clients tab, select the Clients/Client Groups to which the alerts will be
assigned and click Next. To find specific Clients/Client Groups, enter their names in the
Contains box and click Apply Filters.
6. On the Actions tab, select how you would like to receive the alert notifications and
additional actions to be performed when the alert is triggered. Select Show warning
message to user option if you want a warning message to be displayed to the user. You can
edit the message by entering your text in the box below. Optionally, choose Additional
actions from the list. Click Finish.
7. The alerts settings are edited.

Assigning Alerts to Clients


Assigning Alerts to Clients during Alert Editing
To assign an alert to a specific Client, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and
management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Edit alert for the required alert.
4. On the Assigned Clients tab, select the Clients or Client Groups to which the alerts will be
assigned and click Next. To find a specific Client, enter its name in the Contains box and
click Apply Filters.
5. Click Finish to save the changes.
6. The alert is assigned to the selected Client.

Assigning Alerts to Clients during Editing Multiple Alerts


To assign an alert to a specific Client, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and
management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Manage Multiple Alerts.
4. On the Alert Selection tab, select the alerts to be assigned to the Client.

5. On the Assigned Clients tab, select the Client to which the selected alerts will be assigned
and click Next. To find a specific Client, enter its name in the Contains box and click Apply
Filters.
6. Click Finish to save the changes.
7. The alerts are assigned to the Client.

Assigning Alerts to Clients during Client/Client Group Editing


To assign an alert to a specific Client or Client Group, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and
management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the required Client or Edit Client Group for the
required Client Group.
4. On the Editing Client/Editing Client Group page, on the Assigned Alerts tab, select the
alerts to be assigned to the Client/Client Group and click Finish.
5. The alerts are assigned to the Client/Client Group.

Exporting and Importing Alerts


Exporting Alerts
To export an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Export Alerts.
4. Select the alerts to be exported and click Export.
5. The Alerts.xml file containing the selected alerts and their parameters is downloaded to
your computer.

Importing Alerts
To import an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Import Alerts.
4. On the Import Alerts page, click Choose File.
5. In the opened window, select the required .xml file containing the alerts to be imported and
click Open.

6. The imported alerts are added. These alerts are enabled by default but there are no Clients
to which they are assigned. The name, description, risk level, and rules of the imported
alerts are defined according to the .xml file.
NOTE: If Ekran Server contains an alert that has the same ID as one of the imported alerts,
it will be updated.
7. Click Define Imported Alerts Settings to assign the imported alerts to Clients/Client Groups
and to define the notification options.

Deleting Alerts
To delete an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Edit Alert for the required alert.
4. On the Alert Properties tab, click Delete Alert.
5. In the confirmation message, click Delete.
6. The alert is deleted. All alert events that were detected by this alert are not marked as
alert anymore.

To delete multiple alerts, do the following:


1. Log in to the Management Tool as a user with the administrative Client installation
and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, select the required alerts and then click Delete.
4. In the confirmation message, click Delete.
5. The alerts are deleted. All alert events that were detected by these alerts are not
marked as alert anymore.

Defining Global Alert Settings


Global Alert Settings allow you to define notification settings for all alerts. Their editing is
available to users with the administrative Client installation and management permission.
These settings are applied to all alerts.
To define Global Alert Settings, click Global Alert Settings on the Alert Management page.

Frequency Settings
The Frequency settings group allows you to define how frequently the alert notifications will
appear in the Tray Notifications application and be sent via email.
• Minimal interval between notifications sent for the same alert event. This option
defines how frequently the notifications about the same alert event will appear. For
example, if this parameter is set to 10 minutes and a user has started Skype and works
in it, the investigator will receive one notification every 10 minutes instead of receiving
10 notifications every minute or even more.
• Define how often the notification will be sent:
- Send notifications on every alert event option allows you to notify the
investigator on every alert event.
- Send batch notification every (min) option allows you to notify the investigator
about all alert events that occurred during defined time interval. Time counting
starts when the Server starts if this option is selected. Notifications are then sent
with the defined frequency.

Receiving Information on Alert Events


You can receive information on alert events in the following ways:
• In the Session Viewer, the alert events are marked with a special icon. The name of an
alert is displayed in the Alert/USB Rule column. Also the alert events are highlighted in
different colours depending on the detected alert risk level:
o The alerts with the Critical risk level are highlighted in red colour.
o The alerts with the High risk level are highlighted in yellow colour.
o The alerts with the Normal risk level are highlighted in blue colour.
• In the Session List, the sessions that contain alert events have a special icon, which you
can click to view the alert events in the Alert Viewer. The colour of the alert icon
depends on the highest alert risk level detected in the session.
• On the Recent Alerts dashboard containing information on alerts triggered within a
specific time period and a list of notifications for each alert. The colour of the alert bars
depends on the alert risk level and the dashboard settings.
• If email notifications are enabled in the Alert Parameters, the information on alert
events will be sent to defined recipients. To receive notifications via email, define Email
Sending Settings. Each email contains metadata of the alert event (user name, Client
name, time, application name, alert risk level, and activity title) and the link for viewing
this alert in the Session Viewer.
• If the tray notifications are enabled in the Alert Parameters, the information on alert
events will be sent via Tray Notifications component. To receive alert notifications in
the Tray Notifications, do the following:
1. Install the Tray Notifications on the computer where alert notifications are to be
received.
2. Log in to the Tray Notifications as a user of the Ekran System.
3. Start receiving alert notifications in the Windows Tray.
4. Use the Tray Notifications journal to view the history of received tray
notifications and get more information on the alert event by opening the
session in the Session Viewer.
See the Tray Notifications application help file for more information.

Advanced Reports
About
The user activity can be analysed with the help of reports generated via the Management Tool.
These reports allow you to receive the information on the activity of multiple Clients, alert
events, detected URLs, and executed Linux commands, and get statistics on time spent by the
user in each application or on each web-page.
You can schedule the reports to be generated and sent via email at the specified time or
manually generate the reports, which can be saved or printed, via Report Generator.
The reports can be generated in any of the following formats: PDF (*.pdf), Web Page (*.html),
Single File Web Page (*.mht), Rich Text Format (*.rtf), Plain Text (*.txt), Excel Workbook
(*.xlsx), Excel 97-2003 Workbook (*.xls), XPS Document (*.xps), CSV Document (*.csv), and
XML (*.xml).

Report Types
The following types of reports are available in the Management Tool:

Grid Reports

Report type: Alert Grid Report
Contains the information about: All alert events on all selected Clients for the defined users
and defined time interval.
Consists of the following columns:
• Activity time
• Alert name
• Alert risk
• Details

Report type: Clipboard Grid Report (for Windows Clients)
Contains the information about: All Clipboard text data of all selected Clients for the
defined users and defined time interval.
Consists of the following columns:
• Activity time
• Activity title
• Application name
• Clipboard Operation
• Clipboard Text

Report type: Detailed Activity Report
Contains the information about: Information on all activities performed by a user on any
Client computer in the network during the defined time interval.
Consists of the following columns:
• Activity time
• Activity title
• Application name
• Session URL
• Text data

Report type: Kernel-level USB Grid Report (for Windows Clients)
Contains the information about: All USB-device-related events detected by the kernel-level USB
monitoring rules.
Consists of the following columns:
• Time
• Rule Name
• Action (Blocked/Detected)
• Risk Level
• Device Class
• Device Details

Report type: Keystroke Grid Report (for Windows Clients)
Contains the information about: All keystrokes of all selected Clients for the defined users
and defined time interval.
Consists of the following columns:
• Activity time
• Activity title
• Application name
• Keystrokes (Smart)
• Keystrokes (Raw)

Report type: Linux Grid Report (for Linux Clients)
Contains the information about: All commands executed on Linux Clients.
NOTE: Linux reports include only exec* and sudo commands.
Consists of the following columns:
• Time
• Command
• Parameters
• Function

Report type: Session Grid Report
Contains the information about: All sessions for all selected Clients for the defined users
and defined time interval.
Consists of the following columns:
• User name
• Total time spent (hrs)
• Session Start Time
• Last Activity Time
• Remote IP

Report type: USB Storage Grid Report (for Windows Clients)
Contains the information about: All detected USB devices on all selected Clients for the
defined users and defined time interval.
Consists of the following columns:
• Time (date and time of the USB Storage event)
• Details (Description of the USB devices plugged into the Client computers)

Report type: User Daily Activity Grid Report
Contains the information about: All activities without idle time for all selected Clients for
the defined users and defined time interval.
Consists of the following columns:
• User name
• Total time spent (hrs)
• First activity time
• Last activity time
• Remote IP
• Session URL

Report type: User Statistics Report
Contains the information about: The statistic information on the user’s total working time, on
all user’s sessions, and on all Client computers used by the user.
Consists of the following columns:
• User name
• Total time spent (hrs)
• Session Count
• Computers
• Remote IPs

Summary Reports

Report type: Activity Summary Report (for Windows and macOS Clients)
Contains the information about:
• Time spent by the user in each application (by application name) for the defined users and
defined time interval.
• Idle time.
Consists of the following columns:
• Application title
• Time spent in the application (%)
• Time spent (hrs)

Report type: URL Summary Report (for Windows and macOS Clients)
Contains the information about: Time spent by the user on each site (by domain name) for the
defined users and defined time interval.
Consists of the following columns:
• URL – only the main part of the URL (e.g., example.com) will be added to the report.
• Time spent (hrs)

Chart Reports

Report type: Activity Chart Report (for Windows and macOS Clients)
Contains the information about: The same information as in the Activity Summary Report, but in
the form of a bar chart.
Consists of the following columns:
• Application title
• Total time spent (minutes)

Report type: Activity Pie Chart Report (for Windows and macOS Clients)
Contains the information about: The same information as in the Activity Summary Report, but in
the form of a pie chart.
Consists of the following columns:
• Application title
• Time spent in the application (%)

Report type: URL Chart Report (for Windows and macOS Clients)
Contains the information about: The same information as in the URL Summary Report, but in the
form of a bar chart.
Consists of the following columns:
• URL – only the main part of the URL (e.g., example.com) will be added to the report.
• Total time spent (minutes)

Report type: URL Pie Chart Report (for Windows and macOS Clients)
Contains the information about: The same information as in the URL Summary Report, but in the
form of a pie chart.
Consists of the following columns:
• URL – only the main part of the URL (e.g., example.com) will be added to the report.
• Time spent on the website (%).

Scheduled Reports
About
The Management Tool allows creating reports via Report Scheduler and sending them to the
defined email addresses at the defined time interval. Report creation is available to
users with the administrative Client installation and management permission.
The report creation and sending options are defined in rules, which include the following
parameters: rule name and description, report type and format, state (enabled or disabled),
generation frequency (daily, weekly, or monthly), Clients/Client groups, and Users on Clients to
which the rule must be applied.
The created rules are displayed on the Scheduled Reports page in the grid with the following
columns:
• Name
• Description
• Assigned To
• Monitored Users
• State
• Frequency
• Email Recipients

Adding Report Rules


To add a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the Scheduled Reports navigation link to the left and click Add rule.
3. On the Add rule page, on the Rule Properties tab, enter a unique name for the created rule
and then optionally enter its description and select the Enable scheduled report generation
option. Click Next.
4. On the Report Options tab, do the following and then click Next:
• Select one or several Report Types.
• Define the Report Parameters:
o In the Report format field, select the format for the report.
o In the Generate report field, select the frequency of report generation (Daily,
Weekly, or Monthly).
o In the Start report generation at field, define the time at which the report
generation must be started.
NOTE: Depending upon the Server load, the report generation can start a
few minutes later than the set time.
You can select the value from the drop-down list and edit it manually if you
need to set your own number of minutes. If the Weekly parameter is
selected in the Generate report field, select the day of the week on which
the report will be generated in the Day of week drop-down list. If the
Monthly parameter is selected in the Generate report field, select the day of
the month on which the report will be generated in the Day of month
drop-down list.
NOTE: If the Monthly parameter is selected and you want the report to be
generated on the 31st day of the month, it will be generated only in those
months where there are 31 days.
• Enter the email addresses to which the report will be sent in the Emails field.
NOTE: Define the Email Sending Settings to receive the scheduled reports via
email.

5. On the Assigned Clients tab, select the Windows Clients/Client Groups to which the rule will
be applied and click Next. To find specific Windows Clients/Client Groups, enter their names
in the Contains box and click Apply Filters.
6. On the Monitored Users tab, define the users whose activity will be included in the report:
• Select the Any user option if you do not need to specify the user whose activity will be
added.
• Otherwise, select the Selected users option, click Add Users, and then do the
following:
1) Select the Display only users detected on selected Clients option above the grid
in order to view only the list of users on Clients selected in the Clients section.
2) Select the required users and then click Add selected.
NOTE: Only those users whose activities have already been monitored are
listed.
7. Click Finish.
8. The rule is added.
NOTE: The scheduled report rule can also be created by clicking Create Scheduled Report
Rule on the Report Generator page.

Editing Report Rules


To edit a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click Edit Rule for the required rule.
4. Edit rule properties, report options, and define assigned Windows Clients and monitored
users on the corresponding tabs in the same way as when adding a new rule.
NOTE: Click Next or Finish to save the changes on each tab.
5. The rule is edited.

Deleting Report Rules


To delete a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click Edit Rule for the required rule.
4. On the Rule Properties tab, click Delete Rule.
5. In the confirmation message, click Delete.
6. The rule is deleted.

Generating Reports from the Scheduled Report Rule


Once the scheduled report rule is created, you can generate a report from the Rule Properties
tab any time.

To generate a report from the Scheduled Report Rule, do the following:


1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click Edit Rule for the required rule.
4. On the Rule Properties tab, click Generate Report.
5. The generation of the report starts.
6. The report can be viewed on the Scheduled Reports Generation Log page as soon as it is
generated. If the Emails field contains one or more email addresses defined in the rule, the
report will be sent to those addresses.
NOTE: If the generated report is not displayed on the Scheduled Reports Generation Log
page, it is still being generated. Reload the page by pressing the F5 key until the report is
displayed.

Frequency and Time Interval for Report Creation


The time interval of the data that is added to the report depends upon the report generation
frequency.
If the report is generated on a daily basis, it will include the data that was monitored starting
from the specified time of the previous day up till the specified time of the current day.
For example:
If the Daily parameter is set and the report is to be generated on June 13 at 17:00, the time
interval of the data for this report will start on June 12 at 17:00 and end on June 13 at 17:00.

If the report is generated on a weekly basis, it will include the data that was monitored starting
from the specified time and day of the previous week up till the specified time and day of the
current week.
For example:
If the Weekly parameter is set and the report is to be generated on Monday at 18:00, the time
interval of the data for this report will start on Monday of the previous week at 18:00 and end
on Monday of the current week at 18:00.

If the report is generated on a monthly basis, it will include the data that was monitored
starting from the specified time and day of the previous month up till the specified time and
day of the current month.

For example:
If the Monthly parameter is set and the report is to be generated on January 20 at 19:00, the
time interval of the data for this report will start on December 20 at 19:00 and end on
January 20 at 19:00.
NOTE: If the Monthly parameter is selected and you want the report to be generated on the
31st day of the month, it will not be generated in those months where there are 30 days or
less.

If the monthly report is set to be generated on the 31st day of the month, but there were fewer
than 31 days in the previous month, the time interval of the data for this report will start on
the last day of the previous month and end on the 31st day of the current month.
For example:
If the report is generated on March 31, the time interval of the data for this report will start
on February 28 or February 29 and end on March 31.

If the report is generated from the scheduled report rule, the time interval of the data for the
report will depend upon the current date and time.
For example:
• If the Daily parameter is set in the rule and the Start report generation parameter is set
to 15:00, and you want to generate the report at 14:00, the time interval of the data for
the report will start from 14:00 of the previous day and end at 14:00 of the current day.
• If the Weekly parameter is set in the rule and the Day of week parameter is set to
Wednesday, and you want to generate the report on Friday at 12:00, the time interval
of the data for the report will start from Friday of the previous week at 12:00 and end
on the current day at 12:00.
• If the Monthly parameter is set in the rule and the Day of month parameter is set to the
15th day of month, and you want to generate the report on May 10 at 10:00, the time
interval of the data for the report will start from April 10 at 10:00 and end on the
current day at 10:00.
NOTE: If there are too many activities in the defined time interval, the report may become
too large. The generated report file cannot exceed the size of allowed SMTP server
attachments.
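When reconciling a scheduled report against other logs, it helps to compute exactly which time window a given report covers. The following is an added example, not Ekran System code: a Python sketch of the interval rules in this section, using constructed dates. The help file describes the short-month case only for the 31st day; applying the same clamping and skipping to other days of the month is an assumption.

```python
import calendar
from datetime import datetime, timedelta


def report_interval(frequency, generated_at):
    """Return (start, end) of the data covered by a report.

    generated_at is the scheduled time, or the current time when the report
    is generated manually from the rule; both cases use the same arithmetic.
    """
    if frequency == "Daily":
        start = generated_at - timedelta(days=1)
    elif frequency == "Weekly":
        start = generated_at - timedelta(days=7)
    elif frequency == "Monthly":
        year, month = generated_at.year, generated_at.month - 1
        if month == 0:  # January looks back into December of the previous year
            year, month = year - 1, 12
        # If the previous month is shorter, start on its last day
        # (documented for the 31st; assumed for other days).
        last_day = calendar.monthrange(year, month)[1]
        start = generated_at.replace(
            year=year, month=month, day=min(generated_at.day, last_day)
        )
    else:
        raise ValueError(f"unknown frequency: {frequency!r}")
    return start, generated_at


def monthly_run_months(year, day_of_month):
    """Months (1-12) of a year that contain the configured day of month.

    For day 31 these are the only months in which the monthly report is
    generated; for days 29 and 30 the same skipping is an assumption.
    """
    return [
        month for month in range(1, 13)
        if calendar.monthrange(year, month)[1] >= day_of_month
    ]


if __name__ == "__main__":
    # Constructed dates; the years are chosen only to show the leap-year case.
    for freq, when in [
        ("Daily", datetime(2019, 6, 13, 17, 0)),
        ("Monthly", datetime(2019, 3, 31, 9, 0)),
        ("Monthly", datetime(2020, 3, 31, 9, 0)),
    ]:
        start, end = report_interval(freq, when)
        print(f"{freq:8} {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
    print("31st-day report runs in months:", monthly_run_months(2019, 31))
```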

Viewing Logs
For each rule, the user can see the log which contains the information on time when the report
was generated, report name (file name) and type, report generation result (status), number of
results in the report, and the emails to which the report was sent.
NOTE: Only the last 100 records are stored.

To view the logs, do the following:


1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click View Log for the required rule.
4. On the Scheduled Reports Generation Log page, the logs are displayed in the grid with the
following columns:
• Generated (Time when the report was generated)
• File Name (Report name)
• Report Type

• Status (Finished, In Progress, or an error reason in case the error occurred during
report generation)
• Results Count (Number of results in the report)
• Sent To
5. Click the Download link to download the report to your computer.
6. Click the Delete link to delete the report from the log and from the Server.

Report Generator
About
The reports can be generated on the Report Generator page by the user with the Viewing
monitoring results permission and can be previewed before printing.
The main difference between Report Scheduler and Report Generator is that Report Generator
allows you to create reports for a time interval of any length. However, generating a report
for a long time interval and a large number of Windows Clients may take a long time.
NOTE: You can generate only one type of report at a time via Report Generator.

Report Parameters
The following parameters are defined in the Management Tool when creating a report:
1. Report parameters
This option allows you to select the type of the report and enter its custom Footer text and
Header text.
2. Date filters
This option allows you to define the time interval for which the report will be generated.
3. Clients
This option allows you to select the Clients/Client groups, whose monitored data will be added
to the report.
NOTE: Only Clients for which the user has the Viewing monitoring results permission are displayed.
4. Users
This option allows you to select the users of Client computers whose activity will be included in
the report.

Generating Report
To generate a report, do the following:
1. Log in to the Management Tool as a user with the Viewing monitoring results permission.
2. Click the Report Generator navigation link to the left.
3. Define the report parameters:
• Select the type of the report and enter its Footer and Header text.

• In the From and To fields, enter the dates and time within which the data of the
monitored Clients should be added.
• Click Add Clients and on the opened Adding Clients page select the check boxes
next to the corresponding Clients/Client groups. Once the Clients are selected, click
Add selected.
• Define the users whose activity will be included in the report:
o Select the Any user option if you do not need to specify the user whose
activity will be added.
o Otherwise, select the Selected users option, click Add Users, and then do
the following:
1) Select the Display only users detected on selected Clients option above
the grid in order to view only the list of users on Clients selected in the
Clients section.
2) Select the required users and then click Add selected.
NOTE: Only those users whose activities have already been monitored
are listed.
4. Click Generate Report.
5. On the opened Report Preview page, click the corresponding icons located on the toolbar
above the report to perform the following actions:
• Print the report
• Print the current page
• Export and save the report to the disk
• Export a report to *.xml format and save it to the disk
You can also navigate between the pages of the report by clicking the blue arrows
and choose the format of the report by clicking the black arrow that opens a drop-down
list with all supported formats.

Creating a Scheduled Report Rule from the Report Generator Page
Once the parameters for the report are defined, you can create a scheduled report rule based
on the defined parameters.
To create a rule, do the following:
1. Log in to the Management Tool as a user with the Viewing monitoring results permission.
2. Click the Report Generator navigation link to the left.
3. Define the report parameters.
4. On the Report Generator page, click Create Scheduled Report Rule.
5. The Editing Rule page opens.
6. On the Rule Properties tab, enter a unique name for the created rule and then optionally
enter its description. The default name of the rule is GeneratorRule<number of rule>.
7. Click Next.
8. On the Report Options tab, enter the corresponding values in the Report Parameters fields
and the Emails field in the same way as when adding a new report rule. The other parameters,
such as Report Type, Header and Footer text, Clients, and Users, were defined in Report
Generator, but you can edit them if you want.
9. Click Finish.

USB Monitoring & Blocking


About
There are two types of monitoring of USB devices available:
• USB-based storage monitoring: allows you to view information on the plugged-in
devices detected by Windows as mass storage. This monitoring is performed
automatically and does not require enabling any additional settings for a Client. The
information on detected USB devices is displayed in the Session Viewer.
• Kernel-level USB monitoring: provides you with the means for an in-depth analysis of
plugged-in devices. By adding kernel-level USB rules, you can perform the following
actions:
o Monitoring – allows you to view information on the detected devices in the
Session Viewer.
o Sending notifications – allows you to receive notifications (by email or in the
Tray Notifications app) when a device is connected to the Client computer.
o Blocking – allows you to block the USB device from being used. In this case, the
user may be informed that the device on their computer is blocked.
It is also possible to create a list of devices that must not be monitored or
blocked.
WARNING! It is recommended to add all the allowed USB devices to
exceptions so that they are not blocked accidentally.

Monitored Devices
For USB-based storage monitoring: the following mass storage devices are automatically
monitored and alerted – external magnetic hard drives, external optical drives
(including CD and DVD reader and writer drives), portable flash memory devices, solid-state
drives, adapters between standard flash memory cards and USB connections, digital cameras,
digital audio and portable media players, card readers, PDAs, and mobile phones.
For kernel-level USB monitoring: the following classes of devices are monitored, blocked, and
alerted:

• Mass storage devices – external magnetic hard drives, external optical drives
(including CD and DVD reader and writer drives), portable flash memory devices, solid-state
drives, adapters between standard flash memory cards and USB connections, digital
cameras, digital audio and portable media players, card readers, PDAs, and mobile phones.
• Windows portable devices – audio players, phones, and other devices that use
a nonstandard identifier.
• Wireless connection devices – Bluetooth adapter, Microsoft RNDIS.
• Modems and Network adapters – network interface controllers.

• Audio devices – speakers, microphones, sound cards, MIDIs, etc.
• Video devices – web cameras.
• Human interface devices – keyboards, computer mouse devices, joysticks.
• Printer devices – laser printers, inkjet printers, CNC computers.
• Composite devices – devices that consist of one or a few more devices (e.g. keyboards with
USB ports).
• Vendor-specific devices – devices which require vendor-specific drivers and whose class is
defined by the vendor.
WARNING! Selecting this type of device might result in blocking any USB device.

Each class has its own name (e.g., 00, 01, 02, etc.), which can be viewed in the device
properties. The class name allows you to determine which class a detected device belongs to.
For more information, check these links: http://en.wikipedia.org/wiki/USB,
http://www.usb.org/developers/defined_class.

To view the name of the USB device class, do the following:


1. Plug the device into your computer.
2. Right-click Computer and select Manage.
3. The Computer Management window opens.
4. Expand the Device Manager node.
5. Expand the node with the name of the computer in the central pane.
6. Select the Universal Serial Bus controllers node in the list and expand it.
7. Find the device, the class of which you want to view, right-click it and select
Properties.
8. In the opened window, select the Details tab, then select Compatible Ids in the
Property drop-down list, and view the necessary information in the Value field.
9. Click OK or Cancel to close the window.

Kernel-Level USB Monitoring Rules


About
In order to monitor and block the devices which are plugged into the computer, the user needs
to create rules in the Management Tool. The rules can be created and assigned to the Clients by
the user with the administrative Client installation and management permission.
The created USB Monitoring rules are displayed on the USB Monitoring Management page in
the Management Tool in a grid with the following columns:
• Name
• Description
• Risk
• State
• Action
• Assigned to (Clients group)

Adding USB Monitoring Rules


To add a new rule, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Add Rule.
4. On the Add USB Rule page, on the USB Rule Properties tab, define the following properties
and then click Next:
• Enter a unique name for the rule.
• Optionally enter the rule description.
• Select the Enable USB rule option to enable the rule.
• Select the risk level.

5. On the Rule Conditions tab, do the following:


• Add the classes of devices to be monitored to the Monitored Devices list.
• Define the exceptions for the devices to be skipped while monitoring.
6. On the Additional Actions tab, define what happens when a device from the list of
monitored devices is used on the target computer by selecting the following options:
• Block USB device – allows you to prevent the user from using the USB device from
the Monitored Devices list on the target computer. This option affects all the users,
regardless of the user filtering settings.
• Notify the user on target computer about device blocking – allows you to define
the custom text to be displayed in a balloon notification on the Client computer
(maximum 250 characters).
• Send email notification to – allows you to receive an alert notification on USB device
detection via email.
NOTE: To receive email notifications correctly, make sure that Email Sending
Settings contain correct parameters for email sending.
• Display tray notification – allows you to receive an alert notification on USB device
detection via the Tray Notification app.
If you do not select any of the actions, the detected USB devices will be monitored and
displayed in the Session Viewer only.

7. On the Assigned Clients tab, select the Clients/Client Groups, to which the rule will be
applied, and click Next. To find specific Clients/Client Groups, enter their names in the
Contains box and click Apply Filters.

8. Click Finish.
9. The rule is added.

Editing USB Monitoring Rules


To edit a rule, do the following:
1. Log in to the Management Tool as a user with the Client installation and management
permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Edit Rule for the required rule.
4. Edit rule properties on the corresponding tabs in the same way as when adding a new rule
and click Finish.
5. The rule is edited.

Deleting USB Monitoring Rules


To delete a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and
management permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Edit Rule for the required rule.
4. On the USB Rule Properties tab, click Delete Rule.
5. In the confirmation message, click Delete.
6. The rule is deleted. In case some plugged-in devices were blocked in accordance with the
rule, the user will have to remove the devices and plug them back in.

Defining Exceptions for USB Rules


The list of exceptions for USB devices includes the devices that are not monitored or blocked.
Unlike the Monitored Devices list, which contains the classes of devices, the exceptions include
separate devices added individually. The exceptions can be added on the Rule Conditions tab
when adding or editing the rule. In case you want to block vendor-specific devices, make sure
you have added all allowed user devices to the list of exceptions.
To add an exception, do the following:
1. On the Rule Conditions tab, click Add.
2. On the Add Exception page, select one of the following radio buttons:
• Quick selection – allows you to enter your Device Hardware ID.
• Custom selection – allows you to enter the Vendor ID (VID), Product ID (PID),
Revision, and Serial in the corresponding fields.
NOTE: The Vendor ID (VID) and the Product ID (PID) are required fields; Revision
and Serial are optional fields.
3. Optionally, enter a description in the Description field.

4. Click Add.
5. The specified device is added to the list of exceptions.
6. Click Finish to save the USB monitoring rule.
7. The rule is edited.

Viewing Device Hardware ID


To view the Device hardware ID, do the following:
1. Plug the device into your computer.
2. Right-click Computer and select Manage.
3. The Computer Management window opens.
4. Expand the Device Manager node.
5. Expand the node with the name of the computer in the central pane.
6. Select the Universal Serial Bus Controllers node in the list and expand it.
7. Find the device, the information of which you want to view, right-click it and select
Properties.
8. In the opened window, select the Details tab, then select Hardware Ids in the
Property drop-down list, and view the necessary information in the Value field.
9. Click OK or Cancel to close the window.
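
The Hardware Ids and Compatible Ids values read in Device Manager map onto the exception fields (VID, PID, Revision, Serial) and the class code described above. The following is an added example, not part of Ekran System or its documentation: a Python helper that splits those strings and flags allowed devices of the vendor-specific class (FF), which need an exception before that class is blocked. The sample IDs are constructed, and reading the serial number from the device instance path is an assumption about where an administrator would find it.

```python
import re

# USB-IF base class codes as they appear (two hex digits) in Windows compatible IDs.
USB_BASE_CLASSES = {
    "00": "Class defined per interface (composite)",
    "01": "Audio", "02": "Communications", "03": "Human interface device",
    "06": "Still imaging", "07": "Printer", "08": "Mass storage", "09": "Hub",
    "0E": "Video", "E0": "Wireless controller", "FF": "Vendor specific",
}

# Hardware Ids value, e.g. USB\VID_1234&PID_ABCD&REV_0100 (REV and MI parts optional).
_HWID = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&REV_(?P<rev>[0-9A-F]{4}))?(?:&MI_[0-9A-F]{2})?$",
    re.IGNORECASE,
)
# Compatible Ids value, e.g. USB\Class_08&SubClass_06&Prot_50 or USB\DevClass_00.
_CLASS = re.compile(r"^USB\\(?:Dev)?Class_(?P<cls>[0-9A-F]{2})", re.IGNORECASE)


def parse_hardware_id(hardware_id):
    """Return the VID, PID and optional revision carried by one Hardware Ids value."""
    m = _HWID.match(hardware_id.strip())
    if not m:
        raise ValueError(f"not a USB VID/PID hardware ID: {hardware_id!r}")
    rev = m.group("rev")
    return {"vid": m.group("vid").upper(), "pid": m.group("pid").upper(),
            "revision": rev.upper() if rev else None}


def serial_from_instance_path(instance_path):
    """Return the device-reported serial, or None when Windows generated the last part.

    Assumption: the serial is the third component of the device instance path;
    values generated by Windows (no serial reported by the device) contain '&'.
    """
    parts = instance_path.strip().split("\\")
    if len(parts) != 3 or parts[0].upper() != "USB" or "&" in parts[2]:
        return None
    return parts[2] or None


def base_class(compatible_ids):
    """Return (class code, class name) from the first compatible ID that names a class."""
    for cid in compatible_ids:
        m = _CLASS.match(cid.strip())
        if m:
            code = m.group("cls").upper()
            return code, USB_BASE_CLASSES.get(code, "Unknown")
    return None, "Unknown"


def exception_entry(hardware_ids, compatible_ids, instance_path=""):
    """Build the Custom selection fields for one device, preferring the ID with a revision."""
    parsed = []
    for hid in hardware_ids:
        try:
            parsed.append(parse_hardware_id(hid))
        except ValueError:
            continue  # skip values that carry no VID/PID pair
    if not parsed:
        raise ValueError("device exposes no VID/PID hardware ID")
    entry = max(parsed, key=lambda p: p["revision"] is not None)
    code, name = base_class(compatible_ids)
    entry.update(serial=serial_from_instance_path(instance_path),
                 class_code=code, class_name=name, vendor_specific=(code == "FF"))
    return entry


def needs_exception(devices):
    """List the allowed devices that a rule on the vendor-specific class would also match."""
    entries = [exception_entry(*d) for d in devices]
    return [e for e in entries if e["vendor_specific"]]


# Constructed inventory of allowed devices: (Hardware Ids, Compatible Ids, instance path).
ALLOWED_DEVICES = [
    ([r"USB\VID_1234&PID_ABCD&REV_0100", r"USB\VID_1234&PID_ABCD"],
     [r"USB\Class_08&SubClass_06&Prot_50", r"USB\Class_08"],
     r"USB\VID_1234&PID_ABCD\0123456789AB"),
    ([r"USB\VID_5678&PID_0001&REV_0200", r"USB\VID_5678&PID_0001"],
     [r"USB\Class_FF&SubClass_00&Prot_00", r"USB\Class_FF"],
     r"USB\VID_5678&PID_0001\6&1a2b3c4d&0&3"),
]

if __name__ == "__main__":
    for e in needs_exception(ALLOWED_DEVICES):
        print(f"add exception: VID={e['vid']} PID={e['pid']} REV={e['revision']} "
              f"serial={e['serial']}")
```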

Configuration
Defining Email Sending Settings
Email sending settings allow you to define the options of sending email notifications for all
alerts, USB monitoring, and reports via email. Their editing is available to users with the
administrative Client installation and management permission.
To define email sending settings, click the Configuration navigation link to the left and open
the Email sending settings tab.
The settings include:
1. Email Connection Settings
• Server: This option allows you to define an existing SMTP mail server.
NOTE: The delivery of email notifications via mail servers with only NTLM
authentication, such as Microsoft Exchange Server, is not supported.
• From: This option allows you to define an existing email account from which the email
notifications will be sent.
• Port: This option allows you to define the email server port number via which the
emails will be sent.
• Encrypted connection type: This option allows you to define the type of encrypted
connection via which the email notifications will be sent. You can choose between:
- None
- SSL
- TLS
2. Email Connection Credentials
This option allows you to define the login details (User and Password) for the email server.
NOTE: For the email notifications to be sent correctly, you have to define the credentials
of the email account specified in the From field under the Email Connection Settings.
If the mail server does not require entering any credentials, you can select the No
authentications option.
3. Email Connection Test
This option allows you to send a test email to a specified email address to check if all email
connection settings are correctly defined.
4. Administrator Email
This option allows you to define the administrator’s email address to which the access
requests of restricted users will be sent. You can define several email addresses, separating
them with a semicolon (;).

Defining Player Link Settings


This option allows you to define the Management Tool domain name that will be used in the
link to the Session Viewer in alert notifications, in Tray Notifications application journal, and
emails.
The domain name must be entered in the following format:
https://<Management Tool computer name or IP>/EkranSystem.

Defining System Settings


Custom logo settings allow you to use a custom graphic file instead of the default logo
on the Client computer during secondary authentication, user blocking, reports, etc. Also, you
can add the header and footer text in the reports.
To use a custom logo instead of the default logo, select the Use a custom logo instead of the
Ekran System logo option in the Custom Logo Settings, click Upload, and select the logo.
To use a custom logo instead of the default logo in the generated reports, select the Use a
custom logo instead of the Ekran System logo option in the Custom Reports Settings, click
Upload, and select the logo.
The uploaded file must be in the .bmp format and be no larger than 525x40, or no larger than
300x80 for the reports.
To change the custom header and footer for the report, define its text in the Header text and
Footer text fields (the maximum length of the header and footer text is 1000 symbols).

Defining SIEM Logs


Log settings allow you to enable creation of a log file, define the data to be written to it, and
the cleanup frequency. Depending on the format, log files can be viewed and analysed by the
Splunk and ArcSight monitoring software (CEF), or by IBM QRadar software (LEEF). Editing of log
settings is available to users with the administrative Database management permission.
NOTE: The Advanced SIEM Integration functionality is available only if you have an activated
Enterprise serial key.
To define log settings, click the Configuration navigation link to the left and open the
SIEM Integration tab.
The settings include:
1. General Settings
• Create a log file: This option allows you to enable log file creation.
• Log format: This option allows you to select the log file format (CEF or LEEF).
• Log file location: This option allows you to define the location to store a log file.
• Date format: This option allows you to define the date format for a log file.
2. Log File Contents
In this section, you can define the data to be written to a log file.

• Windows and Linux Client records: This option allows adding all session records of
Windows and Linux Clients to a log file.
• Alert events: This option allows adding all alert events of Windows and Linux Clients to
a log file.
• Management Tool Log Events: This option allows adding all Management Tool Log
records to a log file.
3. Cleanup Settings
In this section, you can define the parameters for the cleanup operation.
• Cleanup daily at: This option allows you to define the time to execute the cleanup
operation on a daily basis.
• Cleanup every: This option allows you to define the frequency of the cleanup
operation.
• Maximum file size (GB): This option allows you to define the maximum size of a log file.
NOTE: During each cleanup operation, the current log file is renamed (the date and time of
the cleanup operation is added to its name) and a new one is created in the same folder. To
avoid running out of space on the Server computer where the log files are stored, it is
recommended to check the used disk space regularly and delete the log files that are no
longer in use.
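
Before a SIEM is pointed at the log file, it helps to confirm that records in the selected Log format parse cleanly. The following is an added example, not part of Ekran System: a Python parser that normalises CEF and LEEF lines into one structure, handling escaped characters and the LEEF 2.0 custom delimiter. The sample records, including vendor, product and field names, are constructed; the fields Ekran System actually writes are not listed on this page.

```python
import re


def split_unescaped(text, sep, maxsplit):
    """Split text on sep at most maxsplit times, leaving backslash-escaped pairs intact."""
    fields, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep and len(fields) < maxsplit:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    fields.append("".join(cur))
    return fields


def unescape(value):
    """Resolve backslash escapes: n and r become line breaks, other characters stay literal."""
    breaks = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: breaks.get(m.group(1), m.group(1)), value)


# A CEF extension key starts the string or follows whitespace and ends at an unescaped '='.
_CEF_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def parse_cef_extension(ext):
    """Parse 'key=value key=value'; values may hold spaces, so each runs to the next key."""
    fields, keys = {}, list(_CEF_KEY.finditer(ext))
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        fields[cur.group(1)] = unescape(ext[cur.end():end].rstrip(" "))
    return fields


def leef_delimiter(spec):
    """LEEF 2.0 names its attribute delimiter as a character or as hex (x09, 0x09)."""
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{2,4})", spec)
    return chr(int(m.group(1), 16)) if m else (spec or "\t")


def parse_leef_attributes(attrs, delim):
    """Parse delimiter-separated key=value pairs; the value keeps any later '=' signs."""
    fields = {}
    for pair in attrs.split(delim):
        key, eq, value = pair.partition("=")
        if eq and key.strip():
            fields[key.strip()] = value
    return fields


def parse_siem_line(line):
    """Normalise one CEF or LEEF record (optionally behind a syslog prefix) into a dict."""
    m = re.search(r"\b(CEF|LEEF):", line)
    if not m:
        raise ValueError("no CEF or LEEF header found")
    fmt, body = m.group(1), line[m.end():].rstrip("\r\n")
    if fmt == "CEF":
        parts = split_unescaped(body, "|", 7)
        if len(parts) != 8:
            raise ValueError("CEF header must have 7 pipe-delimited fields")
        _, vendor, product, version, event_id, name, severity, ext = parts
        return {"format": fmt, "vendor": unescape(vendor), "product": unescape(product),
                "version": version, "event_id": unescape(event_id),
                "name": unescape(name), "severity": severity,
                "fields": parse_cef_extension(ext)}
    leef2 = body.startswith("2")
    parts = split_unescaped(body, "|", 6 if leef2 else 5)
    if len(parts) != (7 if leef2 else 6):
        raise ValueError("LEEF header is incomplete")
    delim = leef_delimiter(parts[5]) if leef2 else "\t"
    fields = parse_leef_attributes(parts[-1], delim)
    return {"format": fmt, "vendor": parts[1], "product": parts[2], "version": parts[3],
            "event_id": parts[4], "name": None, "severity": fields.get("sev"),
            "fields": fields}


def load_records(lines):
    """Parse every line and return (records, rejected) so malformed lines are not lost."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_siem_line(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


# Constructed sample records; vendor, product and field names are illustrative only.
SAMPLES = [
    r"Feb 23 08:20:15 srv01 CEF:0|ExampleVendor|ExampleMonitor|6.0|alert|USB device blocked|8|"
    r"suser=CORP\\jdoe shost=WS-017 msg=Rule\=Block storage matched cs1Label=Risk cs1=High",
    "LEEF:1.0|ExampleVendor|ExampleMonitor|6.0|session|usrName=jdoe\tsrc=10.0.0.17\tsev=3",
    "LEEF:2.0|ExampleVendor|ExampleMonitor|6.0|alert|^|usrName=jdoe^sev=9^msg=Keyword a|b seen",
]

if __name__ == "__main__":
    parsed, bad = load_records(SAMPLES)
    for rec in parsed:
        print(rec["format"], rec["event_id"], rec["severity"], rec["fields"])
```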

Defining Ticketing System Integration Settings


Ticketing system integration settings allow you to enable integration with the ticketing system
and define the access parameters for it.
Currently, integration with the SysAid ticketing system is available. If you want Ekran System to
be integrated with any other ticketing system, contact our support team:
support_team@ekransystem.com.
Editing of ticketing system integration settings is available to users with the administrative
Database management permission.
NOTE: The Ticketing System Integration functionality is available only if you have an activated
Enterprise serial key.
The settings include:
• Enable authentication via ticketing system: This option allows you to enable integration
with the ticketing system.
• Ticketing system URL: This option allows you to define a valid URL address for the ticketing
system.
NOTE: For the SysAid ticketing system, URL must be entered in the following format:
<SysAid URL>/services/SysaidApiService
• Account name: This option allows you to define the name of the account the serial key is
associated with.
• Login: This option allows you to define the login of the user account to get the access to
the ticketing system.
• Password: This option allows you to define the password of the user account to get the
access to the ticketing system.

Defining LDAP Targets


About
You can integrate Ekran System with various domains by creating a connection with their Active
Directory Domain Controllers. In such a way, you can add domain users/user groups allowing
them to access the Management Tool and Client computers with enabled Forced User
Authentication.
For each LDAP target, you have to specify the LDAP path and credentials of a domain user for
the Ekran Server to be able to establish connection with the domain controller.

Automatic LDAP Target


If Ekran System Server is to be installed on the computer that is a member of an Active
Directory domain, this domain will be automatically added to the LDAP targets during the
Server installation. It will be marked as automatic LDAP target.
If the computer with Ekran System Server has been added to a domain after the Server
installation or has been moved to another domain, you can add/update the automatic LDAP
target manually. In addition, you can change the credentials of the domain user, which are
saved for the automatic LDAP target, by clicking Edit for this target and specifying new
credentials on the Edit LDAP Target page.
To add/update the automatic LDAP target manually, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Refresh Automatic
LDAP Target.
4. If there is no automatic LDAP target, it will be added. If there is an automatic LDAP target
added, it will be updated.

Adding LDAP Target Manually


To add a new LDAP target manually, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Add LDAP Target.
4. On the Add LDAP Target page, define the following parameters and then click Finish:
• LDAP Path: Define the LDAP path for the Active Directory domain controller you want
to connect to in the following format:
LDAP://<Domain Controller name or IP address>/DC=<Domain name>,DC=<Suffix>
E.g., for the test.app.local domain with the EKRANAPP domain controller, define the
following:
LDAP://EKRANAPP/DC=test,DC=app,DC=local.

• Domain NetBIOS Name: Define the NetBIOS name of the domain you want to connect
to.
• User: Define the name of the user belonging to the Active Directory domain you want
to connect to.
• Password: Define the password of the user account belonging to the Active Directory
domain you want to connect to.
5. On the LDAP Targets tab, a new LDAP target is displayed in the grid.

Editing LDAP Target


To edit the existing LDAP target, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Edit in the grid.
4. On the Edit LDAP Target page, edit the LDAP target parameters and then click Finish.

Deleting LDAP Target


To delete the existing LDAP target, do the following:
1. Log in to the Management Tool as a user with the administrative Database management
permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Delete in the grid.
4. In the confirmation message, click Delete.
5. The LDAP target is deleted from the grid. The users from the corresponding domain will be
unable to access the Management Tool and the Client computers as Forced Authentication
users anymore.

Defining Date & Time Format


Date & time format settings allow you to define the date and time format for the Management
Tool and the Server. Editing the date and time format is available to users with the
administrative Client installation and management permission.

To define date & time format, click the Configuration navigation link to the left and open the
Date & Time Format tab.
The settings include:
1. Management Tool Date & Time Format
These user-specific settings apply to all the pages available in the Management Tool.
• The Management Tool date format option allows you to define the date format for the
Management Tool.

• The Management Tool time format option allows you to define the time format for the
Management Tool.
2. Server Date & Time Format
These settings apply to the features processed on the Server: Forensic Export, Email Alert
Notifications, Email USB Alerts, and Reports (generated via the Report Generator &
Scheduled Reports).
• The Server date format option allows you to define the date format for the Server.
• The Server time format option allows you to define the time format for the Server.
The settings allow you to choose between the following date formats:

Date Format     Example
dd/mm/yyyy      23/02/2017
mm/dd/yyyy      02/23/2017
yyyy/mm/dd      2017/02/23

The settings allow you to choose between the following time formats:

Time Format     Example
HH/mm/ss        08:20:15
H/mm/ss         8:20:15
hh/mm/ss tt     08:20:15 AM
h/mm/ss tt      8:20:15 AM

Defining Server Settings


Server Settings allow you to define default locations for Forensic Export Storage and Reports
Storage. This might be used when working with Ekran System in the high-availability mode.
To define server settings, click the Configuration navigation link to the left and open the
Server Settings tab.
The settings include:
• Forensic Export Storage: This option allows you to define the location to store results of
forensic export.
• The Reports Storage: This option allows you to define the location to store reports.

Viewing Monitoring Results


Session List
About
Monitored data received from Windows and Linux Clients is organized into sessions.
The Windows Client session includes recorded user activity (screenshots, application names,
activity titles, captured keystrokes, clipboard text data, and URLs). Windows Clients start
recording user activity in a new session every time the computer is restarted. The maximum
duration of one session can be 24 hours. At 00:00 all live sessions are terminated. After their
termination (their status changes from live to finished), new live sessions automatically start.
The Linux Client session contains the list of executed commands, their parameters, and
functions. Linux Clients start recording a new monitoring session each time the terminal is
opened. There is no time limitation for a Linux Client session.

Client Sessions List


To view monitored sessions, click the Monitoring Results navigation link to the left and then
the Client Sessions page opens. The Client Sessions page is divided into two panes:
• Search & Filtering pane
• Sessions grid
The search pane allows you to perform search in the session data and perform the Forensic
Export.
The list of all sessions is displayed in the form of a grid. The grid includes the following
information:
• Alerts: Allows opening all alert events for the session in the Alert viewer. The colour of
the alert icon corresponds to the highest alert risk level detected in the session.
• User name: Displays the name of the user logged in to the Client computer.
NOTE: If Forced User Authentication is enabled on the Client, the user name is
displayed as: <logged in Windows user> (<secondary authentication user> or <user’s
email>).
• Client Name: Displays the name of the computer on which the Client is installed.
• Remote Host Name: Displays the name of the remote computer, from which the
connection to the Client computer is established.
• OS: Displays the operating system type (Windows or Linux).
• Type: Displays the session type (Live or Finished).
• Start: Displays the date and time when the session started.
• Last Activity: Displays the date and time of the last created screenshot or executed
Linux command.
• Finish: Displays the date and time when the session finished. If the session has the
Live status, this field is empty.
• IPv4: Displays the IPv4 address of the Client computer.
• IPv6: Displays the IPv6 address of the Client computer.
• Remote IP: Displays the local or public IP address of the remote computer, from which
the connection to the Client computer is established.
• Domain: Displays the name of the domain to which the Client belongs.
• User’s comment: Displays user’s comment entered on the login to the Client computer.
• Client Description: Displays the custom Client description.
• Client Group: Displays the name of the Client Group to which the Client belongs. If the
Client belongs to the All Clients group only, the column is empty.
You can change the order and size of the columns and hide columns. To change the order of
the columns in a grid, drag and drop the header of the corresponding column where you want
it to be in the grid. To hide the columns in a grid, click Hidden columns, and drag the
header of the corresponding column to the Hidden columns area.
NOTE: If the user logs into the Client computer remotely, when the Client session has already
been started, via one of the following remote desktop applications, the remote IP-address
will not be detected: DameWare, Radmin, UltraVNC, or TightVNC.

Filtering Sessions
A user can filter out sessions by metadata in one of the following ways:
• By specific parameters
• By searching in session data

Filtering by Specific Parameters


This type of filtering allows you to filter sessions by a set of specific parameters. The filtering
parameters are applied instantly.
You can filter sessions by multiple criteria. For each non-date filter, you can select more than
one filtering parameter. With each selected parameter, the session list is re-filtered.

By default, the following filters are displayed:


• Who: Allows filtering sessions by a specific user logged into the Client computer.
• Where: Allows filtering sessions by a specific Client.
• When: Allows filtering sessions by the time period. The result session list includes all
sessions containing the activities for the set period.
To set the time period, select one of the following:
- Define the number of latest hours, days, or weeks.
- Define the start date and the end date of the time period.

To add other filters, click More criteria and select a filter from the opened list:
• Type: Allows filtering sessions by their type (Live or Finished).

 OS: Allows filtering sessions by the operating system type (Windows or Linux).
 Start: Allows filtering sessions by the date and time the session started.
 Last Activity: Allows filtering sessions by the date and time of the last screenshot or
executed Linux command.
 Finish: Allows filtering sessions by the date and time the session finished. If the session
has the Live status, this field is empty.
 IPv4: Allows filtering sessions by the IPv4 address of the Client computer.
 IPv6: Allows filtering sessions by the IPv6 address of the Client computer.
 Remote IP: Allows filtering sessions by the IP address from which the user logged into the
Client computer.
 Domain: Allows filtering sessions by the name of the domain to which the Client
belongs.
 Client Description: Allows filtering sessions by the custom Client description.
 Client Group: Allows filtering sessions by the name of the Client Group to which the
Client belongs.
 User’s Comment: Allows filtering sessions by the comment entered in the additional
message.
To remove the extra filter from the filtering pane, click X on the filter button.

Searching in the Session Data


You can search for sessions using a search expression (keyword). You can find sessions
containing the search expression in:
 Application names
 Activity titles
 Keystrokes
 Clipboard text data
 URLs
 Linux commands and parameters
 Alert names
 USB rule names
 Linux command output
NOTE: For the search to be performed in Linux command output, select the Search in output
(Linux) option. This option is displayed if there is at least one Linux session recorded.

You can search for sessions using a list of keywords.


To perform search by a list of keywords, do the following:
1. Create a .txt file with a list of keywords. Keywords must be separated by a paragraph or a
space.
2. Click the Browse button next to the search field and select the created .txt file.
3. Click the search icon to begin the search.
NOTE: Searching for a large number of keywords or in a large number of sessions might take
a long time and affect the Server performance.
In the list, you can define the number of sessions to perform search in.

The search is performed in the sessions displayed in the Session grid in accordance with the
session sorting order.

Export Sessions

To perform forensic export of all filtered out sessions, click . In the confirmation window,
click Export. The Forensic Export History page opens, displaying the export progress.
As soon as the export process finishes, the resulting files become available for downloading.
Click Download to download the file with Forensic Export results.

Sorting Sessions
To sort sessions in the Session grid, click the required column header. You can change column
sort order from ascending to descending, and vice versa. To do this, click the Sort arrow near
the column header.

If data is not sorted by this column, the Sort arrow is hidden.

Playing Sessions
About
The Session Viewer is a part of the Management Tool that provides the possibility to view
monitored data within one selected session.
To open the Session Viewer, select one of the sessions in the Sessions grid on the Monitoring
Results page and click on it.

Session Viewer Interface

By default, the Session Viewer interface is divided into the following areas:
 Session Player pane: Allows viewing screenshots made on the computer with the
Windows Client installed, or visually recreated interactive data of the recorded Linux
terminal (input and output as the user sees them in the terminal). The navigation
section allows you to manage the playback of the video of screenshots or commands.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of
this Client will contain no screenshots.
 [Windows Client] Details pane: Allows viewing the keystrokes and the clipboard text
data associated with the selected record, USB device information, and URL addresses of
websites visited by a user.
 Metadata pane: Displays the session data in the form of grid, which includes:
o Activity time, Activity title, Application name, Text data, Alert/USB rule name,
and URLs for Windows Clients;
o Activity time, Command, Function, Parameters, and Alert name for Linux Clients.

Session Player
The Session Player allows viewing screenshots made on the computer with the Windows Client
installed, or graphic representation of the recorded Linux terminal (input and output as the
user sees them in the terminal).
You can view them separately by selecting the required record from the Metadata grid or play
all monitored data in the form of video.
The following actions are available:
 To play/pause the video playback, click Play/Pause.

 To move from one record to another, click To the beginning, To the end, Previous, or
Next.

 To open the Player to the full-screen mode, double-click the Player or .

 To return from the full-screen mode, double-click the Player or .


 To move from one monitor to another in the Client sessions with multiple monitors,
click All, 1, 2, etc.

 To define the speed with which monitored data changes in the Player area, click
. The available speed options are 1/2/4/8/16 frame(s) per second.
 To block the user, click .
 To view the list of alert events for this session in the Alert viewer, click .
 To receive the link to a certain position in the session, click .
 To download a displayed screenshot, click .
 To perform forensic export, click .

 To view the Live session in the real-time, click .

Magnifier
If you need to view data displayed in the Player in detail, use the Magnifying Glass option.
To enlarge a certain part of the played data, do the following:

1. Click the Magnifying Glass.


2. The Magnifier window opens on the right.
3. Move the rectangle across the displayed data.

To turn off the Magnifying Glass, click the Magnifying Glass again.

Getting Data URL


The Get data URL feature allows retrieving a link to a certain position in the session. You
can use this URL to:
 Open the Session Viewer for playing the required session from the same position;
 Bookmark a certain position in the session using the browser bookmarking mechanism.
To get data URL, do the following:

1. Click on the Navigation pane under the Player.


2. The URL Data window opens.

3. Copy the URL and click Close.


4. Enter the copied URL into the browser address bar.
5. The Session Viewer opens.
NOTE: If you are logged out, the login page opens before Session Viewer.
6. The Player starts playing records from the selected position in the session.

Metadata Grid
The Metadata grid is located to the right of the Player. It contains detailed information on
monitored user activity. Information is displayed in the grid with the following columns:
[Windows Client]
 Activity Time: Displays the date and time of the recorded activity.
 Activity Title: Displays the name of the active window that is associated with recorded
activity.
 Application Name: Displays the name of the application started on the Client computer.
 URL: Displays the top and second-level domain name of the visited web resource.
 Text Data: Displays the keystrokes typed by the user and the clipboard text data.
 Alert/USB Rule: Displays the name of the triggered alert or USB rule. The colour of an
alert highlighting corresponds to the alert risk level.
o The alerts with the critical risk level will be highlighted in red colour.
o The alerts with the high risk level will be highlighted in yellow colour.
o The alerts with the normal risk level will be highlighted in blue colour.
[macOS Client]
 Activity Time: Displays the date and time of the recorded activity.
 Activity Title: Displays the name of the active window that is associated with recorded
activity.
 Application Name: Displays the name of the application started on the Client computer.
 URL: Displays the top and second-level domain name of the visited web resource.
 Alert: Displays the name of the triggered alert. The colour of an alert highlighting
corresponds to the alert risk level.
o The alerts with the critical risk level will be highlighted in red colour.
o The alerts with the high risk level will be highlighted in yellow colour.
o The alerts with the normal risk level will be highlighted in blue colour.
[Linux Client]

 Activity Time: Displays the date and time when the command was executed.

 Command: Displays the command being executed.


 Function: Displays the system call made.
 Parameters: Displays the full parameters of the executed command.
 Alert: Displays the name of the triggered alert. The colour of an alert highlighting
corresponds to the alert risk level.
o The alerts with the critical risk level will be highlighted in red colour.
o The alerts with the high risk level will be highlighted in yellow colour.
o The alerts with the normal risk level will be highlighted in blue colour.
By default, the data is sorted by Activity Time. You can change the order and size of the
columns.

Player and Metadata Synchronization


The Session Viewer can work in two modes:
 In the Synced View mode, data in the Metadata grid and the Player are synchronized while
the session is playing, i.e., metadata associated with the data currently being played is
highlighted in the Metadata grid. This mode is available unless any filtering or
searching has been performed in the Metadata grid.
 In the Filtered View mode, data in the Metadata grid and the Player are not synchronized
while the session is playing. In this mode, the Player displays all data in the session, whereas
data in the Metadata grid is filtered and searched.
After selecting the session in the Client Sessions list without previous searching, the Player
opens in the Synced View mode. As soon as you perform any filtering or searching, the Synced
View mode is automatically changed to the Filtered View mode.
To switch the modes, click Back to Synced View/Back to Filtered View above the Metadata
grid.

Filtering Data
You can filter the metadata in the Metadata grid on the Player page in one of the following
ways:
 Via searching
 Via filtering by column
After data filtering, the Session Player switches to the Filtered View mode.
Filtering via searching
The Search field allows you to find metadata containing search expression in:
 Activity title
 Application Name
 Keystrokes
 Clipboard text data

 USB Device Info


 URL
 Linux Command
 Linux Command Parameters
 Linux Functions
To find the required metadata, enter the keyword into the Search field and press Enter. Data in
the Metadata grid is filtered according to the search expressions.
Filtering by Column
You can filter sessions using the column header menu in the Sessions grid.

To filter sessions by a non-date field (Client name, OS, User name, etc.), click near the
required column name, select one or several options, and then click OK.

To filter sessions by the date field (Start, Last Activity, or Finish), click near the required
column name, select the From and To dates, and then click OK.

You can filter data by multiple fields.

Sorting Data
To sort metadata in the Metadata grid, click the required column header. You can change
column sort order from ascending to descending, and vice versa. To do this, click the Sort arrow
next to the column header.

If the data is not sorted in this column, the Sort arrow is hidden.

Live Sessions
The Session Viewer allows you to view Client Live sessions in real time, i.e., while the
monitoring of the Client computer is still in progress.
To play a live session, do the following:
1. Click on the session with the type Live in the Client Sessions grid.
2. The Session Player opens in the full screen mode. The Metadata grid is hidden.
3. Data in the Player will be refreshed as soon as new monitored data is received from the
Client.
To stop playing the Live session, click . After this, data stops auto-updating and the
session can be played in the same way as Finished sessions.

To resume playing the Live session, click .

NOTE: If you are viewing the session of the Windows Client with the enabled Capture screen
on each event without timeout option, it may affect CPU usage and cause performance
slowdown due to the great number of received screenshots.

Windows Client Sessions


Playing Windows Sessions
A user starts playing Windows Session by clicking the required Session in the Client Sessions
list. The session is opened in the new tab or new window depending on the browser settings.
While playing Windows sessions, you can view screenshots in the Player pane and associated
metadata (Application name, Activity title, URL, keystrokes, clipboard text data) in the
Metadata grid. If a record containing keystrokes or clipboard text data is selected in the
Metadata grid, the detailed information is displayed in the Details pane.

Viewing Keystrokes
The captured keystrokes are displayed in the Text data column in the Metadata grid. When you
select a record in the Metadata grid, the keystrokes associated with it are displayed in the
Details pane below the Player pane. By default, only text characters are displayed. You can
enable the display of all logged keystrokes (e.g., navigation keys, function keys, etc.) by clearing
the Show only text characters option. Then any other keys and key combinations will be
displayed in square brackets. If a key was pressed repeatedly, it will be displayed with an "x"
sign and the number of reiterations (e.g., [F12 x 24]).
If the user types the text, using arrows (left/right) and Backspace or Delete keys, these keys are
processed by the system to edit the logged keystrokes. When the keystrokes are edited, only
the end result of text that was meant to be typed by the user is displayed in the Details pane.
To see this result, the Show only text characters option must be selected.
For example:
If the user types “Helo” and then uses the left arrow to go back and correct the word by typing
another “l”, the word “Hello” will be displayed in the Details pane as “Helol”.

Presentation of keystrokes with the selected Show only text characters option.

Presentation of keystrokes with the unselected Show only text characters option.

If the user corrects the word using a mouse, the keystrokes are not edited.
For example:
If the user types “Fried” and then uses the mouse to go back and correct the word by typing
letter “n”, the word “Friedn” will be displayed in the Details pane, instead of “Friend”.

If the user types the text in different applications, the logged keystrokes are split according to
screenshots.
For example:
If the user types “Hello” in Skype and then opens Word and types “Ok”, the word “Hello” will
be displayed next to the screenshot associated with Skype, and the word “Ok” will be displayed
next to the screenshot associated with Word, instead of “HelloOk”.
NOTE: If the Enter key was pressed during input, the log will be split in the metadata grid.
Though to maintain text integrity, in the keystrokes box, the keystroke lines having the same
Title-Application pair will be put together.

For security reasons, Ekran System hides the keystrokes entered in password fields in
Windows forms and the most popular browsers. The passwords entered by the user are displayed
in the Metadata grid as asterisks.

Viewing Clipboard Text Data


The captured clipboard text data includes text, which has been copied or cut and then pasted
into documents, files, applications, browser address line, etc. on the Client computers.
The Client monitors the Copy, Cut, and Paste operations performed by using either the context
menu commands or such key combinations as Ctrl+C, Ctrl+Ins, Ctrl+X, Shift+Del, etc.
The captured clipboard text data is displayed in the Text data column in the Metadata grid. It
has a label specific to the performed operation:
 [Clipboard (Copy)]
 [Clipboard (Paste)]

When you select a record in the Metadata grid, the clipboard text data associated with it is
displayed in the Details pane below the Player pane.
Metadata grid

Text placed to the clipboard

Text pasted from the clipboard

Viewing USB Device Info


During the monitoring process, the activity is recorded every time the mass storage USB device
is plugged in. Along with the screenshot (if the screenshot creation is enabled), the information
on the plugged in device is displayed in the Metadata grid as follows:
 Activity title: USBStorage - <device details>
 Application name: [Monitoring event]

If you are using rules for kernel-level USB monitoring according to which the devices are
detected or blocked, each time the alert event occurs, a screenshot is created. In the Metadata
grid, this is indicated by highlighting the activity in the grid.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client
will contain no screenshots.
When you select a USB-device-related screenshot or a row in the Metadata grid, the USB
device info associated with it is displayed in the Details pane below the Player pane.
If the device was blocked, it is marked as BLOCKED in the parentheses.

Viewing URLs
If the URL monitoring option is enabled for the Windows Client, then each time the user activity
is captured while the user is working in the browser, the URL address is saved and displayed in
the URL column in the Metadata grid. If there are several records made while the user is
viewing one page on a certain website, then all of them contain the same URL information.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client
will contain no screenshots.
The URL column contains only top and second-level domain names even if the parameter is not
selected in the URL monitoring settings for the Windows Client. The full URL address is
displayed in the Details pane.
NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there is a
possibility that the screenshot and its activity title along with the URL address may not be
properly synchronized in the Session Viewer (e.g., the user may see a screenshot with a URL
address that belongs to the previous one).

Viewing Idle State


Windows Client idle activity will be registered and displayed as Idle in the Metadata grid if the
appropriate options in the Monitoring parameters are selected.

macOS Client Sessions


Playing macOS Sessions
A user starts playing macOS Session by clicking the required Session in the Client Sessions list.
The session is opened in the new tab or new window depending on the browser settings. While
playing macOS sessions, you can view screenshots in the Player pane and associated metadata
(Application name, Activity title, URL, etc.) in the Metadata grid.

Viewing URLs
If the URL monitoring option is enabled for the macOS Client, then each time the user activity is
captured while the user is working in the browser, the URL address is saved and displayed in
the URL column in the Metadata grid. If there are several records made while the user is
viewing one page on a certain website, then all of them contain the same URL information.
The URL column contains only top and second-level domain names even if the parameter is not
selected in the URL monitoring settings for the Windows Client. The full URL address is
displayed in the Details pane.
NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there is a
possibility that the screenshot and its activity title along with the URL address may not be
properly synchronized in the Session Viewer (e.g., the user may see a screenshot with a URL
address that belongs to the previous one).

Linux Client Sessions


Playing Linux Sessions
A user starts playing Linux Session by clicking on the required session in the Client Sessions list.
The session is opened in the new tab or new window depending on your browser settings.
While playing Linux sessions, you can view all visually recreated interactive data in the form of a
video in the Player pane, and function and system calls, as well as the executed commands with
parameters, in the Metadata grid.

Filtering EXEC Commands


By default, the commands are filtered by the ‘exec’ function to display only the commands executed
after user input.
To display the list of all commands, including system ones, discard the filtering by clearing the
Show only execution commands option.

Viewing Alerts
About
The Alert viewer is a part of the Management Tool which allows viewing detailed information
on alert events.
You can open the Alert Viewer from the following places:
 The Session Player: The Alert viewer displays all alert events for the session.
 The list of Client sessions: The Alert viewer displays all alert events for the selected
session.
 The Recent Alerts dashboard: The Alert viewer displays all alert events that happened
within the defined time interval for the selected alert.
 The Alert Management page: The Alert viewer displays the latest 100 events for the
selected alert.

Alert Viewer Interface


The Alert viewer displays the following information for each alert notification:
 Alert Risk Level: The colour of the alert icon in the upper left corner of the Alert Viewer
corresponds to the alert risk level.
o The alerts with the critical risk level will be highlighted in red colour.
o The alerts with the high risk level will be highlighted in yellow colour.
o The alerts with the normal risk level will be highlighted in blue colour.
 Alert name: The name of the alert that has triggered the event.
 Alert viewing pane: A screenshot made on the computer with the Windows Client
installed, or graphic representation of the recorded Linux data (input and output as the
user sees them in the terminal).
 Metadata information:
o Who: The name of the user associated with the alert event.
o Where: The name of the Client for which the alert was triggered.
o When: The time and date of the alert event.
o What:
 For Windows Clients: The activity title, the application name, and the
URL (if available)
 For Linux Clients: The command name and the parameters
 For USB events: The device class, the status (detected/blocked), and the
device details.

Using Alert Viewer


You can do the following in the Alert Viewer:

 To display/hide the metadata associated with the alert event, click below the
metadata information.
 To move between the alert events, use the Previous, Next, First, and Last buttons.
 To enlarge a certain part of the played data, click the Magnifying Glass . The
Magnifier window opens on the right. Move the rectangle across the displayed data.
 To open the session in the Session Player, click Open Session. The Session Player opens
in a new tab. The session playback starts with the selected alert event.
 To view the Alert events for the Windows Clients, select Windows Events tab.
 To view the Alert events for the Linux Clients, select Linux Events tab.

Archived Sessions
About
During the archiving & cleanup operation all the old Client sessions are archived and then
deleted from the current Ekran database. This allows saving the monitored data in a secure
storage and viewing the archived sessions in the Session Viewer any time.

Changing Investigated Database


To change the archive database, do the following:
1. Log in to the Management Tool as a user with the administrative Viewing archived data
permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archived Sessions tab.
4. On the Archived Sessions tab, click Change Investigated Database.
5. In the Change Investigated Database window, select the Use current archive database
option if you want to view sessions from the current database or the Use another database
option if you want to view sessions from another archive database.
6. Define the following parameters:
 For MS SQL database, define the instance of the SQL server, the name of the archive
database, and the user name and password.
 For Firebird database, define the location of the archive database and the location of
binary data.
NOTE: You can attach the archive database only of the same type as your current one.
7. If necessary, click Test Database Connection to check that there is a connection with the
archive database.
8. Click Save.

Viewing Archived Sessions


To play an archived session, do the following:
1. Log in to the Management Tool as a user with the administrative Viewing archived data
permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archived Sessions tab.
4. On the Archived Sessions tab, a list of sessions of an archive database is displayed.
5. Click on the target session to open it in the Session Viewer.
6. Working with sessions from the archive databases is the same as working with Client Sessions.

Dashboards
About
Ekran System allows viewing certain types of information using dashboards displayed on the
Home page. Dashboards provide you with a convenient real-time view of the most important
data. The following dashboards are available:
 Licenses
 Clients
 Database Storage Usage
 Recent Alerts
 Latest Live Sessions
 Sessions out of Work Hours
 Rarely Used Computers
 Rarely Used Logins
With the dashboards, you can see several types of data grouped in one place.
The dashboards are customizable, with the customization settings stored on the Server. Thus, if
you log into the Management Tool from any other computer, your dashboards will look the
same way as you have previously customized them.
You can choose which dashboards to show or hide, rearrange the dashboards on the screen,
add several dashboards of the same type to see the same data in different variations, and
more.

Dashboard Types
Licenses
The Licenses dashboard allows you to view statistics on the number of available licenses, free
licenses, and unlicensed computers. The dashboard is updated every 5 minutes.

The dashboard contains the following elements:


 The number of not licensed Clients.


 Pie charts, where you can see the number of licenses assigned to Clients, and the
number of free licenses. The number of pie charts depends on the number of available
license types.
 The Assign Licenses to Clients button that redirects you to the License Management
page where you can assign licenses to Clients.
You can define the following settings for the Licenses dashboard:
 Used Licenses sector colour.
 Free Licenses sector colour.
To view the dashboard, you need to have the administrative Serial Key Management
permission. If you do not have this permission, you will see an empty dashboard with the text
saying you do not have the permissions for viewing this data. Also, the dashboard will not be
displayed in the Add dashboard drop-down list.

Clients
The Clients dashboard allows you to view statistics on the number of Clients which are
currently online and offline. The dashboard is updated every minute.

The Clients dashboard contains the following elements:


 A pie chart that presents statistics on the number of Clients which are currently online
and offline.
 The Install More Clients button that redirects you to the Computers without Clients
page where you can install Clients on the computers.
You can define the following settings for the Clients dashboard:
 Online Clients sector colour.
 Offline Clients sector colour.

To view the dashboard, you need to have one of the following permissions:
 The administrative Client Installation and Management permission. With this
permission, you can see information on all the clients in the system.
 At least one of the Client permissions. In this case, you will see only the Clients for which
you have the Client permission(s).
If you do not have the administrative Client Installation and Management permission or any
Client permissions, you will see an empty dashboard with the text saying you do not have the
permissions for viewing this data. Also, the dashboard will not be displayed in the Add
dashboard drop-down list.

Database Storage Usage


The Database Storage Usage dashboard allows you to view statistics on the disk space used by
the binary data. By default, your binary files are stored in the same place as the database.
However, you can store them in a separate location.

The Database Storage Usage dashboard contains the following elements:


 A pie chart that displays statistics on how much space is used and free on the disk the
binary files are stored at.
 The Database Cleanup button that redirects you to the Database Cleanup page.
You can define the following settings for this dashboard:
 Critical free space size: the free size limit at which you are alerted that available space
is running low.
 Used storage size sector colour (indicating how much storage space is used).
 Total storage size sector colour.
 Warning storage size sector colour (indicating that the free space size has fallen below
the critical free space size threshold).
To view the dashboard, you need to have the administrative Database Management
permission. If you do not have this permission, you will see an empty dashboard with the text
saying you do not have the permissions for viewing this data. Also, the dashboard will not be
displayed in the Add dashboard drop-down list.

Recent Alerts
The Recent Alerts dashboard contains a bar chart that presents information on alerts triggered
within a specific time period. The dashboard is updated every 15 minutes.

Each bar in the graph corresponds to an enabled alert. The length of each bar corresponds to
the number of notifications received within a specific time interval. The colour of each bar
corresponds to the alert risk level.
 The alerts with the critical risk level are highlighted in red colour.
 The alerts with the high risk level are highlighted in yellow colour.
 The alerts with the normal risk level are highlighted in blue colour.
To see the list of alert events, click on the bar with the alert name. In the opened window, the
following information is displayed:
 Time
 Client name
 User name
To open a corresponding session in the Session Viewer, click Play.
To view the alert events in the Alert Viewer, click Open Alert Viewer.

You can define the following settings for the Recent Alerts dashboard:
 Time interval: the period for which the alerts are selected.
 Sort type: the category by which the alerts are sorted:


o Count: allows sorting the alerts by the number of alert notifications.
o Alphabetic: allows sorting by the alert name.
 Sort direction: the order in which the alerts are listed.
 Critical risk level: the colour of the bars for the alerts with the Critical risk level.
 High risk level: the colour of the bars for the alerts with the High risk level.
 Normal risk level: the colour of the bars for the alerts with the Normal risk level.
Only information about the Clients the user has Client Viewing Monitoring Results permission
for is displayed in the dashboard.
If you do not have this permission for any of the Clients, you will see an empty dashboard with
the text saying you do not have the permissions for viewing this data. Also, the dashboard will
not be displayed in the Add dashboard drop-down list.

Latest Live Sessions


The Latest Live Sessions dashboard contains a grid that displays the list of the sessions which
are currently live and were the latest to start. The dashboard is updated every 5 minutes.

The grid has the following columns:


 Start
 Client name
 User name
To open the session in the Session Viewer, click Play.
In the settings, you can define the number of sessions to be displayed in the list.
Only information about the Clients the user has Client Viewing Monitoring Results permission
for is displayed in the dashboard.
If you do not have this permission for any of the Clients, you will see an empty dashboard with
the text saying you do not have the permissions for viewing this data. Also, the dashboard will
not be displayed in the Add dashboard drop-down list.

Sessions out of Work Hours


The Sessions out of Work Hours dashboard contains a column chart that displays the statistics
on the computers used during non-work hours and days for a defined time period. The
dashboard is updated every hour.


Each column corresponds to the day with the sessions out of work hours. The height of the
columns corresponds to the number of sessions recorded on the date.
To see the number of sessions recorded on a specific date, hover over the corresponding
column.
To see the list of sessions recorded on a specific date, click the corresponding column. In the
opened window, the following information is displayed:
 Client Name
 User Name
 Start
 Last Activity
 Finish
To see the session in the Session Viewer, click Play.
You can define the following settings for the Sessions out of Work Hours dashboard:
 Period: set the specific time period for which the alerts are selected.
 Colour: set the specific colour for the columns.
 Work hours & Work days: set the hours and days of the week to be considered as a
working schedule.
Only the sessions with the activities out of the defined schedule are displayed in the
dashboard.
To view the dashboard, you need to have the administrative Client Installation and
Management permission. If you do not have this permission, you will see an empty dashboard
with the text saying you do not have the permissions for viewing this data. Also, the dashboard
will not be displayed in the Add dashboard drop-down list.

Rarely Used Computers


The Rarely Used Computers dashboard contains a grid with statistics on the Client computers
that have the fewest sessions for the defined time interval. The dashboard is updated every
hour.


The grid has the following columns:


 Client Name
 Sessions
To view detailed information on the sessions, click the target Client Name link. In the opened
window, the following information is displayed:
 User Name
 Start
 Last Activity
 Finish
To open a session in the Session Viewer, click Play.
You can define the following settings for the Rarely Used Computers dashboard:

 Period: the period for which the sessions are selected.


 Sessions fewer than: the number of sessions the computer must have not to be
considered rarely used.
The dashboard displays information only about the Clients for which the user has the Client
Viewing Monitoring Results permission. If you do not have this permission, you will see an empty
dashboard with the text saying you do not have the permissions for viewing this data. Also, the
dashboard will not be displayed in the Add dashboard drop-down list.

Rarely Used Logins


The Rarely Used Logins dashboard contains a grid with statistics on the users that have the
fewest logins for the defined time interval. If Forced User Authentication is enabled, the
<logged in Windows user> (<secondary authentication user>) pair is accounted for.
The dashboard is updated every hour.

The grid has the following columns:


 User Name
 Sessions


To view detailed information on the sessions, click the target Client Name link. In the opened
window, the following information is displayed:
 Client Name
 Start
 Last Activity
 Finish
To open a session in the Session Viewer, click Play.
You can define the following settings for the Rarely Used Computers dashboard:

 Period: the period for which the sessions are selected.


 Sessions fewer than: the number of sessions the user must have not to be considered
rarely logging in.
The dashboard displays information only about the Clients for which the user has the Client
Viewing Monitoring Results permission. If you do not have this permission, you will see an empty
dashboard with the text saying you do not have the permissions for viewing this data. Also, the
dashboard will not be displayed in the Add dashboard drop-down list.

Customizing Dashboards
The dashboard layout is customizable. You can choose which dashboards you want to see on
the Home page. The following options are available:
 Add a dashboard. Click Add dashboard over the dashboard area and then select the
desired dashboard from the drop-down list. You can add several dashboards of the
same type to view the desired information in different variations. You can have up to
eight dashboards on the Home page.
 Hide a dashboard. Click the icon in the top right corner to hide the dashboard.
 Collapse/expand a dashboard. Use the icons in the top left corner of the
dashboard to collapse or expand it.
You can also choose what your dashboards will look like. The following options are available:
 Rearrange the dashboards. Click on the dashboard you want to move and drag it to a
new location.
 Resize a dashboard. Click on one of the bottom corners of the dashboard and drag the
border of the dashboard.
 Define the settings for a dashboard. Click the icon in the top right corner of the
dashboard to change its settings.
The customization settings are user-specific and are stored on the Server.
To restore the default settings, click Restore Layout over the dashboard area.


Interactive Monitoring
About
Interactive Monitoring allows viewing the detailed information on the total time spent by the
user in each application/on each website.

Viewing Data
The information on all applications and URL monitored data is displayed in the form of two
column charts (Applications Monitoring chart and URL Monitoring chart). The number of
columns corresponds to the number of applications used and websites visited. Only
information on the Clients the user has Client Viewing Monitoring Results permission for is
displayed.
To view the monitored data, do the following:
1. Define the specific parameters to filter out the data:
 Who: filter by a specific user logged into the Client computer.
 Where: filter by a specific Client.
 When: filter by the time period.
To set the time period, select one of the following:
- Define the number of latest days or weeks. If you define 1 day, sessions
recorded during the current day will be displayed.
- Define the start date and the end date of the time period.
2. Click Generate.
3. The filtered monitored data is displayed in both charts.
To zoom in and out of the Applications Monitoring and URL Monitoring charts, use the mouse
scroll wheel.

Applications Monitoring Chart


The Applications Monitoring chart displays information on the applications the users have
worked with on Client computers.
Each column in the chart corresponds to an application. The length of a column corresponds to
the amount of time spent in that application within a specified time interval.
The total time spent by the user in all applications is displayed in the top right corner of the
chart.
To set the order of application bars being displayed, in the Applications filter select one of the
following:
 20 least used: 20 least used applications sorted in the ascending order.
 20 most used: 20 most used applications sorted in the descending order.
 All (descending): all bars in the descending order.
 All (ascending): all bars in the ascending order.


To see the list of sessions containing information on the target application, click on the
column with the application name. In the opened window, the following information is
displayed:
 Client Name: the name of the Client computer on which the target application was
launched.
 User Name: the name of the user logged in to the Client computer.
NOTE: If Forced User Authentication is enabled on the Client computer, the user name
is displayed as: <logged in Windows user> (<secondary authentication user>).
 Start: the start time of a session.
 Last Activity: the date and time of the last made screenshot or executed Linux
command.
 Finish: the date and time when the session finished.
To open a corresponding session in the Session Viewer, click Play.

URL Monitoring Chart


The URL Monitoring chart displays information on the websites users have visited on Client
computers.
Each column in the chart corresponds to a website. The height of a column corresponds to the
amount of time spent on that website within a specified time interval.
The total time spent on all websites is displayed in the top right corner of the chart.
To set the order of URL bars being displayed, in the URLs filter select one of the following:
 20 most visited: 20 most visited sites sorted in the descending order.
 20 least visited: 20 least visited sites sorted in the ascending order.
 All (descending): all bars in the descending order.
 All (ascending): all bars in the ascending order.
To see the list of sessions containing information on the target website, click on the column
with the website name. In the opened window, the following information is displayed:
 Client Name: the name of the Client computer on which the target application was
launched.
 User Name: the name of the user logged in to the Client computer.
NOTE: If Forced User Authentication is enabled on the Client computer, the user name
is displayed as: <logged in Windows user> (<secondary authentication user>).
 Start: the start time of a session.
 Last Activity: the date and time of the last made screenshot or executed Linux
command.
 Finish: the date and time when the session finished.
To open a corresponding session in the Session Viewer, click Play.


Forensic Export
About
Forensic Export allows exporting a session in encrypted form so that the monitored session can
be viewed on any computer, even without access to the Management Tool. The session is
exported into a signed executable file, which contains an embedded player for displaying
graphical information and metadata. The validity of forensic export results can be checked via
the Management Tool. The results of export are stored on the Server until you delete them.

Exporting Session Fragment


To export the session fragment, do the following:
1. Open the Session Viewer page for the selected session.
2. In the Player, select the start point of the session fragment.
3. Click Session Forensic Export under the Player.
4. The Session Forensic Export window opens.

5. Select the Export session fragment starting from current Player position option and
enter the start and end time of the required fragment.
6. Select the Include keystrokes option if necessary.
7. Click Export.
8. The Forensic Export History page opens, displaying export progress.
9. As soon as export process finishes, the resulting file becomes available for downloading.
10. Click Download to download the file with Forensic Export results.

Exporting Full Session


To export the session, do the following:
1. On the Session Viewer page for the selected session, click Session Forensic Export
under the Player.
2. The Session Forensic Export window opens.
3. Select the Export full session option and the Include keystrokes option if necessary.
4. Click Export.


5. The Forensic Export History page opens, displaying export progress.


6. As soon as export process finishes, the resulting file becomes available for downloading.
7. Click Download to download the file with Forensic Export results.

Exporting Multiple Sessions


To export multiple sessions, do the following:

1. Log in to the Management Tool as a user with the Viewing monitoring results
permission.
2. Click the Monitoring Results navigation link to the left.
3. On the Client Sessions page, filter sessions by necessary criteria.
4. Click the Export button in the search pane.
5. In the opened message, click Export to continue.
6. The Forensic Export History page opens, displaying export progress.
7. As soon as export process finishes, the resulting files become available for downloading.
All exported sessions include keystrokes.
8. Click Download for each exported session to download the Forensic Export results.
NOTE: Forensic export of a large number of sessions might take a long time and affect the
Server performance.

Viewing Forensic Export History


The Forensic Export History page displays the grid with all results of export for Clients you have
permissions for. You can see exports performed both by you and other users.
The Forensic Export History grid contains the following information:
 Export Date: Displays the date and time when the session was exported.
 Client Name: Displays the name of the computer on which the Client is installed.
 User: Displays the name of the user logged in to the Client computer.
 Session Start Date: Displays the date and time when the session started.
 Session End Date: Displays the date and the time when the session finished.
 Export Type: Displays the export type, which can be one of the following:
o Full: For the full exported session.
o Full (no keystrokes): For the full exported session without keystrokes.
o Truncated Full: For an exported session that has more than 20000 activities and
has been truncated to 1 GB during export.
o From – To: For the time interval included in the exported session.
 Status: Displays the status of session export (Generated or Generation failed).
 Full Size: Displays the size of the resulting file (n/a for failed session exporting).

To download the exported session, click Download in the Forensic Export History grid.
To delete the exported session from Server, click Delete in the Forensic Export History grid.


Playing Exported Session


To view exported data, download it and start the downloaded executable file.
NOTE: To view exported data on computers with Linux or Mac operating system, you need to
install Mono Framework on them. Follow the instructions at http://www.mono-project.com/docs/
to install Mono Framework on your computer.
Sessions are played in the Forensic Export Player.

The Forensic Export Player interface is divided into the following parts:
 Player pane: Allows viewing screenshots made from the computer on which the
Windows Client is installed, or visually recreated interactive data of the recorded Linux
terminal (input and output as the user sees them in the terminal). The navigation
section allows you to manage the playback of the video of screenshots or commands.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of
this Client will contain no screenshots.
 [Windows Client] Details pane: Allows you to view the text data (keystrokes and
clipboard text data) associated with the selected event, USB device information, and
URL addresses of websites visited by a user.
 Metadata pane: Displays the session data in the form of grid, which includes:
o Activity time, Activity title, Application name, Text data, and URLs for Windows
Clients;
o Activity time, Command, Function, and Parameters for Linux Clients.
NOTE: If the user performing export does not have the Viewing text data permission for this
Client, Forensic Export results will contain no text data.
You can do one of the following while viewing:
 To play/pause the video, click Play/Pause in the Player pane.

 To move from one record to another, use the control buttons in the Player pane.
 To open the monitored data in the full-screen mode, double-click the monitored data
in the Player pane or click the corresponding icon.
 To define the speed with which monitored data will change in the Player pane, click
the speed control. The available speed options are 1/2/4/8/16 frame(s) per second.
 To enlarge a certain part of the played data, click the Magnifying Glass.
 To move from one monitor to another in the Client session with multiple monitors,
click All, 1, 2, etc.

Validating Exported Data


Using the Management Tool, you can check that the exported data is valid and that its integrity
has not been compromised. Please note that data validity must be checked only in the
Management Tool connected to the Server via which the data has been exported. Any other
Server will consider the data not valid.
To validate exported data, do the following:
1. Click the Forensic Export History navigation link to the left and then click Validate
Export Results.
2. On the Forensic Export Results validation page, click Choose File to select the .exe file
with forensic export results.
3. The file is uploaded to the Server and validated.
4. If file validity is confirmed, you will see a message: “The file is validated successfully!”
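
The Management Tool validation above can only be run against the exporting Server, so it helps to record what was downloaded at the moment of download. The following PowerShell is an added example, not part of the Ekran System documentation; it assumes the export is signed with Authenticode (the page only says "signed"), and the function names and paths are hypothetical.

```powershell
# Added example. Assumption: the exported .exe carries an Authenticode signature.
# Function names and file paths are hypothetical.

function New-ExportCustodyRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # One record per downloaded export: enough to show later that the file
    # uploaded for validation is byte-for-byte the file that was downloaded.
    [pscustomobject]@{
        FileName        = $file.Name
        SizeBytes       = $file.Length
        Sha256          = $hash.Hash
        SignatureStatus = $sig.Status.ToString()   # e.g. Valid, NotSigned, HashMismatch
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        RecordedUtc     = (Get-Date).ToUniversalTime().ToString('o')
    }
}

function Test-ExportMatchesRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][psobject]$Record
    )

    # Recompute the hash and compare it with the recorded one.
    $current = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return [string]::Equals($current, $Record.Sha256,
        [System.StringComparison]::OrdinalIgnoreCase)
}

# Usage (placeholder path):
#   $rec = New-ExportCustodyRecord -Path 'C:\Evidence\session_export.exe'
#   $rec | ConvertTo-Json | Set-Content 'C:\Evidence\session_export.custody.json'
#   Test-ExportMatchesRecord -Path 'C:\Evidence\session_export.exe' -Record $rec
```

A matching hash only shows the file has not changed since download; whether the export itself is genuine is still decided by the Validate Export Results page on the exporting Server.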


Troubleshooting
Quick Access to Log Files
Log files contain information that an administrator can use to detect problems in the system.
You can either analyse the log files yourself to get more information on what is happening in
your system or send them to the Support team to help them find the source of the problems.
If the log files contain information on errors, a warning message is displayed on the
Diagnostics page.
To download the Server log file, log in as a user with the Database Management permission,
click the Diagnostics navigation link to the left and then click Download Server log file. The log
file will be downloaded to your computer.
NOTE: On the Server computer, the Server log (Server.log) is stored in the Server installation
folder. The default location of the Server installation folder is C:\Program Files\Ekran
System\Ekran System.
To download the Management Tool log file, log in as a user with the Database Management
permission, click the Diagnostics navigation link to the left and then click Download
Management Tool log file. The log file will be downloaded to your computer.

Database/Server
Database/Server Related Issues
Issue: I cannot start the Server from the Server tray.
Cause/Solution: To start the Server, the Server tray service must be started under the administrator account.

Issue: There are too many records in the database.
Cause/Solution: Use the automatic or manual database cleanup feature to remove the old records from the database. To do this, in the Management Tool, click the Database Management navigation link and define the cleanup settings on the corresponding tabs.

Issue: I have defined a new database, what happened to the old one?
Cause/Solution: The old database remains in place and is not changed.

Issue: I need to transfer the data from an old database to a new one/I want to change the type of the database without losing data.
Cause/Solution: Unfortunately, the data cannot be transferred from one database to another.

Issue: I have transferred the SQL database to another computer.
Cause/Solution: Unfortunately, you can’t relocate the SQL database to another computer. Though you can move it to another location on the same PC with SQL means.

Issue: I have changed the location of the Firebird database.
Cause/Solution: To redefine the location of the Firebird database, move it to another location and change the corresponding values in the Windows Registry Editor. See Moving the Server Database chapter for more details.

Issue: I have installed a new version of the Server and I want to use the old database.
Cause/Solution: If you have updated the Server, your old database will remain. If you have reinstalled the Server, you need to use a new database.

Issue: I have used the database cleanup feature, but the size of the database didn’t change.
Cause/Solution: The cleanup feature only removes data from the database, but does not change the size reserved by it. To reduce the size of the database, click Shrink database on the Database Options tab on the Database Management page of the Management Tool.

Issue: I have accidentally removed the database from the MS SQL Server.
Cause/Solution: You need to define a new database. To do this, you need to reinstall the Server.

Issue: I cannot shrink the database: the Shrink database button is absent in the Management Tool on the Database Options tab.
Cause/Solution:
 Make sure you use the MS SQL Server database.
 The shrinking cannot be performed if the cleanup procedure is in progress.

Issue: My antivirus blocks the Server uninstallation/update.
Cause/Solution: Due to the uninstaller specifics some anti-viruses might detect it as a false positive during virus scan. In this case, it is recommended to disable your anti-virus during Server uninstallation/update.

Database/Server Related Error Messages


The following table provides the list of error messages related to databases and the Server and
their causes and possible solutions. These messages may appear in the Management Tool, from
the Server tray service, or during the installation of the Server.

Message: If you get the following message in the Management Tool: "Connection with MS SQL database is lost. Please check that the database is accessible and try again."
Cause/Solution:
 The Server has lost the connection to the MS SQL Server. Please make sure that the MS SQL Server is running and it is online and accessible. To check that the MS SQL Server computer is accessible, enter the following command in the Windows command line:
ping <name of the MS SQL Server computer>
 The connection to the MS SQL Server is blocked by the Firewall. Try disabling the Firewall on the MS SQL Server side.

Message: If you get the following message when trying to restart the Server service: “Not enough permissions to restart the Server.”
Cause/Solution: You can restart the Server service only under the administrator account.

Message: If you get the following error while trying to clean up the database: "Error occurred while clearing the database. Please try again."
Cause/Solution:
 The program encountered an unexpected error while trying to clear the database. Try clearing the database again.
 Make sure the Server service is running.
 There was a problem with connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line:
ping <name of the computer with installed database>
If the problem comes up again, please, send us logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.

Message: If you get the following message from the Server tray service: "The Server connection with the database has been lost. Click to view logs."
Cause/Solution:
 The Server has lost the connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line:
ping <name of the computer with installed database>
If the problem comes up again, please, send us logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.

Message: If you get one of the following messages while trying to perform an action with database:
 "An error occurred when shrinking database. Please try again."
 "Error occurred while retrieving database info. Please try again."
Cause/Solution:
 The program encountered an unexpected error while trying to perform an action with database. Please try performing the action again.
 There was a problem with connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line:
ping <name of the computer with installed database>
If the problem comes up again, please, send us logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.
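
The table above names two different causes for a lost database connection: the database computer is not reachable, or a firewall blocks the connection. The following PowerShell is an added example, not part of the Ekran System documentation, that runs the ping check from the table together with a TCP check so the two causes can be told apart before any firewall setting is changed. The function name is hypothetical, and the default port 1433 assumes an MS SQL Server default instance; pass the port your database actually listens on.

```powershell
# Added example. Assumptions: hypothetical function name; port 1433 is the
# MS SQL Server default and must be replaced if the instance uses another port.

function Test-DatabaseHostReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 1433,
        [int]$TimeoutMs = 3000
    )

    # ICMP check, equivalent to the "ping <name>" command in the table.
    $pingOk = [bool](Test-Connection -ComputerName $ComputerName -Count 2 -Quiet `
                     -ErrorAction SilentlyContinue)

    # TCP check against the database port, with a timeout so a filtered port
    # does not hang the script.
    $tcpOk  = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task  = $client.ConnectAsync($ComputerName, $Port)
        $tcpOk = $task.Wait($TimeoutMs) -and $client.Connected
    } catch {
        # Refused connection or failed name resolution ends up here.
        $tcpOk = $false
    } finally {
        $client.Close()
    }

    $diagnosis =
        if ($tcpOk) {
            'Database port is reachable: the network path is fine, check the database service itself.'
        } elseif ($pingOk) {
            'Host answers ping but the port is closed or filtered: check that the database service is running and that the firewall allows this port.'
        } else {
            'Host answers neither ping nor TCP: check that it is online, that its name resolves, and the network path.'
        }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Port         = $Port
        PingOk       = $pingOk
        TcpOk        = $tcpOk
        Diagnosis    = $diagnosis
    }
}

# Usage (placeholder host name):
#   Test-DatabaseHostReachability -ComputerName 'SQLHOST01'
```

Run it from the Server computer, since that is the machine whose connection to the database matters.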

Management Tool
Management Tool Related Issues
Issue: HTTP 500 Internal Server error is displayed when I try to connect to the Management Tool.
Cause/Solution:
For Windows 7, follow these instructions:
1. Make sure that all the following options are selected in the Windows Features window: .NET Framework 3.5 > Windows Communication Foundation HTTP Activation and Windows Communication Foundation non-HTTP Activation.
2. Run the Command Prompt (cmd.exe) as administrator:
Enter
%windir%\Microsoft.NET\Framework\v4.0.xxxxx\aspnet_regiis.exe -iru (for 32 bit computer) or
%windir%\Microsoft.NET\Framework64\v4.0.xxxxx\aspnet_regiis.exe -iru (for 64 bit computer).
Example:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
3. Press Enter.
For Windows 8.0 or 8.1, make sure that all the following options are selected in the Windows Features window: .NET Framework 3.5 > Windows Communication Foundation HTTP Activation and Windows Communication Foundation non-HTTP Activation.

Issue: The license management function is unavailable and I cannot assign licenses to Clients.
Cause/Solution: Make sure you have the administrative Client installation and management permission. If you have this permission, but the license management function is still unavailable, then your copy of the program is not licensed. Please purchase serial keys and activate them online or activate them on your vendor’s license site and add them offline.

Issue: I have no Internet connection on the computer with the installed Server and cannot activate serial keys.
Cause/Solution: You can activate the serial on the license site of your vendor and then add activated keys on the computer with the installed Server.

Issue: I have reinstalled/updated the Server and now there are no activated serial keys in it.
Cause/Solution:
 If you activated serial keys online, after you reinstall or update the Server, activated serial keys will be automatically synchronized. For this purpose, you need to have an active Internet connection during the first start of the Server.
 If you used an offline activation (added activated serial keys), you need to add them in the Management Tool again.

Issue: The list of the domain computers is empty during the Client installation.
Cause/Solution: This problem can be caused by network or Windows issues (e.g., your computer cannot connect to the local network). If there are no network problems, try searching for computers via the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page click Add computers by IP.

Issue: The list of the domain computers is not complete during the Client installation.
Cause/Solution: Ekran System obtains the list of domain computers using standard Windows methods, which do not always provide the full list of computers.

Issue: The target computer is out of the domain.
Cause/Solution: If DNS settings of your computer network allow, you can:
 Search for computers using the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page, click Add computers by IP.
 Create an installation package and install a Client locally on the target computer. To generate an installation package, on the Computers without Clients page, click Download installation file and then select the type of the installation file you want to download. When the installation file is downloaded to your computer, you can start the installation process.

Issue: I have assigned a Terminal Server Client license instead of a Workstation Client license to the Client or I have assigned a license to the wrong Client.
Cause/Solution: Any license can be unassigned from a Client anytime.

Issue: There are some Clients that I did not install.
Cause/Solution: These may be old Clients that were installed earlier. You can uninstall them remotely via the Management Tool or locally on the Client computer.

Issue: I do not receive email notifications, although the parameters are correct.
Cause/Solution: Make sure you do not use Microsoft Exchange Server 2010, which is not supported.

Issue: Some of the Management Tool functions are unavailable.
Cause/Solution: Make sure that you have the corresponding permissions for these functions.

Issue: I do not want to provide the user with access to all Clients.
Cause/Solution: By defining the Client permissions for the user in the Management Tool, you can define which Clients the user will have the access to.

Issue: I forgot the password of the internal user.
Cause/Solution: Contact the administrator and ask them to change the password.

Issue: The user is able to perform actions that are supposed to be prohibited for them (e.g., the user sees the Clients that they do not have a permission for).
Cause/Solution: Check the groups which the user belongs to. They might have inherited some new permissions from these groups.

Issue: I haven’t received any reports or alert notifications by email.
Cause/Solution: Check the Spam folder.

Management Tool Error Messages


The following table provides the list of error messages that you may see while working in the
Management Tool and their causes and possible solutions.

Message: If you get the following message when trying to connect to the Management Tool: “Server is unavailable. Please contact administrator.”
Cause/Solution: The program encountered an unexpected error while trying to perform an action.
 Please refresh the Management Tool.
 Please make sure that the Server is running.
 Please restart the Server and try again.
If the problem comes up again, please contact the support.

Message: If you get the following message when trying to connect to the Management Tool: “Wrong password or username.”
Cause/Solution: Please make sure that your login and the password are correct. If you are logging in as a Windows user, do not forget to enter <domain name>\<login>.

Viewing Monitored Data


Issue: I have successfully logged into the Management Tool but I cannot see any captured data from the Client.
Cause/Solution:
 Please check the section “Possible Problems with Receiving Data from Windows Clients”.
 Contact the administrator and check if you have the Viewing monitoring results permission for the Client.

Issue: An alert event does not trigger an alert notification and is not displayed as alert in the Management Tool.
Cause/Solution:
 Please check that the defined alert parameters are correct on the Alert Rules tab on the Edit alert page of the Management Tool (e.g., Process name may be defined instead of Window title). To do this, open the Alert Management page of Management Tool, click Edit alert for the required alert and select the Alert Rules tab.
 The alert might be disabled. Please make sure the alert is enabled on the Alert properties tab in the Management Tool.

Issue: I don’t receive alert notifications about all the events that correspond to notification settings.
Cause/Solution: Please check the Minimal interval between notifications sent for the same alert event parameter. If less time than defined in the settings has passed since the moment when the last notification for the same alert event had been received, you will not receive the notification.

Issue: Some screenshots are blank.
Cause/Solution:
 If a user types something continuously, stops typing, and then switches the window during the 3 seconds period, the keystrokes will be attached to a blank screenshot.
 If a user accesses the Client computer via the Remote Desktop Protocol (RDP) and minimizes the Remote Desktop Connection window, a blank screenshot is created.

Issue: Client sessions contain no screenshots at all.
Cause/Solution: Please check that the Enable screenshot creation along with user activity recording option is enabled on the required Client. To do this, open the Client Management page and click Edit Client for the required Client, and then click the User Activity Recording tab.

Issue: Some screenshots look like they consist of two parts.
Cause/Solution: There are two monitors on the Client computer and you see the screenshots from both of them.

Issue: The Text data column is empty, although the text was entered on the Client computer.
Cause/Solution:
 Check that you have Viewing text data permission for this Client.
 Please check that you have enabled the keystroke logging in the Client configuration.
 The keystrokes are logged only after the user presses Enter or switches to another window. So they might be attached to another screenshot.

Issue: The Text data column is empty, although the text was copied, cut, and pasted on the Client computer.
Cause/Solution:
 Check that you have Viewing text data permission for this Client.
 Please check that you have enabled the clipboard monitoring in the Client configuration.

Issue: The screenshots are sent more frequently than I defined.
Cause/Solution: If in the Client configuration you have enabled options other than Capture screen periodically, the screenshots may be created more frequently depending on the user activity. Check the Client configuration.

Issue: Screenshot image is blurry.
Cause/Solution: The Client computer may have smooth interface animation – the screenshot may have been taken when the animation was in progress.

Issue: The screenshot image is black and white.
Cause/Solution: The Client is configured to capture screen in greyscale images. Please check the Client configuration in the Management Tool.

Issue: The screenshot time does not correspond to time on my computer.
Cause/Solution: The screenshot time corresponds to the time displayed on the Client computer.

Issue: The screenshot time does not correspond to the time that should be displayed on Client computer.
Cause/Solution: Please check that the Client computer time settings have not been changed.

Windows Client
Checking that the Client Is Installed
If the Client is successfully installed, it will appear on the Clients page of the Management Tool
in the Data View pane.
If there is no Client in the Management Tool, you have to check whether the Client has been
installed.
You can check if the Client is installed on the investigated computer in one of the following ways:
• The EkranService.exe process is running.
• The EkranClient and EkranController services are started.
• There is a <system disk>:\Program Files\Ekran System\Ekran System\Client\ folder with executable files.
• The HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key has the following values:

Clients Installation/Uninstallation Issues and Error Messages


The common causes of issues with remote installation or uninstallation of Clients are inadequate network configuration or system settings. If you are sure that a user has administrative rights on the Client computer, please check whether all of the conditions for successful installation are met.
Remote Installation Error Messages
During remote Client installation you can get the following error messages:
• The user does not have enough permission on the remote host.
• The network name cannot be found.
• Client computer must be rebooted before agent installation.
• The host is unavailable now or turned off. Try again later.

Solving Remote Installation Issues


If you receive the following error message during the remote Client installation: “The User doesn’t have enough permission on the remote host”, it is usually caused by one of the following:
• There is no access to network shares.
• DNS service is unavailable.
• UAC is enabled (Windows 7/8/Vista).
• Errors in Active Directory.
• Issues with the Service Principal Name for the domain.
• Two computers have the same computer name.

Issue: There is No Access to Network Shares


For successful remote installation, Ekran System needs to access the administrative shares on the target computers. First, check that you have access to the administrative shares; if there is no access, enable it.

How to Check:
To check the administrative shares availability, do the following:
1. Open Windows Explorer.
2. In the address bar type \\<target_computer_IP/Name>\admin$ and press Enter.

3. When the Enter Network Password window opens, enter administrator credentials
and click OK.
4. If the login credentials are accepted, the system folder opens (by default,
C:\Windows).
If you get an error after performing step 2, try the following:
• Open the Command Prompt (cmd.exe). Enter and execute the ping <target_computer_name or IP> command. Check the following:
   1. If you do not get ping replies, the network may be down. Check the network connection and try again.
   2. If the network is up, but you do not get the ping reply, check the firewall on the remote computer. Disable the firewall on the target remote computer.
• If you are receiving ping replies, but the administrative share is still unavailable, check that the Sharing Wizard or the Simple file sharing are disabled.
• If you are receiving ping replies and the sharing options are good, but you still cannot access the administrative shares, check that the Server system service is running on the remote computer.

If you get a login error after performing step 3, try the following:
• Make sure that the credentials you enter are correct. You have to enter the credentials of a domain administrator or a local administrator account on the remote computer.
• Verify that the account password is not empty. Accounts with empty passwords cannot be used for remote connection.
• Try typing the username as <domain_name>\<username> if the remote computer is in a domain, or <computer_name>\<username> if the PC belongs to a workgroup.

How to Fix:
To enable access to administrative shares, you need to enable the Local Account Token
Filter Policy.
NOTE: This is a known Windows issue that might block remote application installation.

To enable Local Account Token Filter Policy:


1. Open the Windows Registry Editor.
2. In the Registry Editor window, select the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
3. Double-click the LocalAccountTokenFilterPolicy value, or select it and click Modify in the
context menu.
4. In the Value data box, type 1, and then click OK.
5. Close the Windows Registry Editor.
If the LocalAccountTokenFilterPolicy registry value does not exist, follow these steps:
1. In the Windows Registry Editor in the Edit menu, click New, and then click DWORD Value.
2. Type LocalAccountTokenFilterPolicy and then press ENTER.
3. In the Value data box, type 1, and then click OK.
4. Close the Windows Registry Editor.

Issue: DNS Service is Unavailable


DNS service may be unavailable in your network. Try using the remote computer's IP address if
you cannot access it by the name.

How to check:
To check the DNS Service availability, please execute the following command in the Command line (cmd.exe): ping <Computer name>.
If the command does not respond, you have to enable the DNS Service.

How to fix:
To enable the DNS Service, please follow the instructions of the Windows Troubleshooting. In
the Windows Server 2003, you can use the netdiag.exe tool.
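
The checks described in the two sections above (name resolution, ping, and access to the admin$ share) can be run in one pass from the Server computer. This PowerShell function is an added example, not part of the Ekran System documentation; the function name and output fields are illustrative, and it assumes the current session runs under an administrator account that is valid on the target.

```powershell
# Added example: remote-install pre-flight, run from the Server computer.
# Assumption: the session already runs as an administrator of the target,
# so no credential prompt is needed for \\<target>\admin$.
function Test-RemoteInstallPrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Target   # computer name or IP address of the future Client
    )

    $result = [ordered]@{
        Target       = $Target
        NameResolves = $false
        PingReplies  = $false
        SmbPortOpen  = $false
        AdminShare   = $false
        NextStep     = $null
    }

    # DNS check: a failure here corresponds to "DNS Service is Unavailable".
    try {
        $null = [System.Net.Dns]::GetHostAddresses($Target)
        $result.NameResolves = $true
    } catch {
        $result.NextStep = 'Name does not resolve: check the DNS service or use the IP address.'
        return [pscustomobject]$result
    }

    # Same test as "ping <target>". A firewall can drop ICMP while the host
    # is up, so the remaining checks still run when this one fails.
    $result.PingReplies = [bool](Test-Connection -ComputerName $Target -Count 2 -Quiet)

    # Administrative shares are served over SMB (TCP 445) by the Server service.
    $result.SmbPortOpen = [bool](Test-NetConnection -ComputerName $Target -Port 445 `
        -InformationLevel Quiet -WarningAction SilentlyContinue)

    if ($result.SmbPortOpen) {
        $share = '\\{0}\admin$' -f $Target
        $result.AdminShare = [bool](Test-Path -LiteralPath $share)
    }

    $next = if ($result.AdminShare) {
        'admin$ is reachable: the network share prerequisite is met.'
    } elseif (-not $result.PingReplies -and -not $result.SmbPortOpen) {
        'No ping reply and TCP 445 closed: check the network connection, then the firewall on the target.'
    } elseif (-not $result.SmbPortOpen) {
        'Ping replies but TCP 445 is closed: check the firewall and that the Server service is running on the target.'
    } else {
        'TCP 445 is open but admin$ is not accessible: check the credentials, the Sharing Wizard / Simple file sharing setting, and LocalAccountTokenFilterPolicy.'
    }
    $result.NextStep = $next

    [pscustomobject]$result
}

# Usage (CLIENT-PC-01 is a placeholder name):
# Test-RemoteInstallPrereq -Target 'CLIENT-PC-01' | Format-List
```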

Issue: UAC is Enabled (Windows 7/8/Vista)


If you can access the administrative shares normally on the remote PC running Windows Vista or Windows 7/8, but the Client remote installation fails, try disabling the User Account Control on the remote computer.
How to check:
By default, UAC is enabled in Windows 7/8/Vista.

How to fix:
To disable UAC, do the following:
1. Open the Windows Registry Editor.
2. Select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System.
3. Double-click the EnableLUA value, or select it and click Modify in the context menu.
4. In the opened window, in the Value data field, enter 0 and click OK.
5. Close the Windows Registry Editor window and then reboot the Client computer.
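
Both registry fixes above (LocalAccountTokenFilterPolicy and EnableLUA) change values under the same Policies\System key: LocalAccountTokenFilterPolicy = 1 turns off remote UAC token filtering for local administrator accounts, and EnableLUA = 0 turns UAC off. The following PowerShell is an added example, not part of the Ekran System documentation: it records both values before they are edited and puts them back afterwards, for cases where the relaxed setting is wanted only for the duration of the installation. The function names and the snapshot path are assumptions.

```powershell
# Added example: run on the target computer in an elevated PowerShell session.
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyNames  = 'LocalAccountTokenFilterPolicy', 'EnableLUA'
$SnapshotPath = Join-Path $env:ProgramData 'uac-policy-snapshot.json'   # assumed location

function Get-UacPolicyState {
    foreach ($name in $PolicyNames) {
        $item  = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $value = if ($item) { [int]$item.$name } else { $null }
        $effect = switch ($name) {
            'LocalAccountTokenFilterPolicy' {
                # Absent or 0 is the Windows default (filtering on).
                if ($value -eq 1) { 'remote UAC filtering of local admin accounts is OFF' }
                else              { 'remote UAC filtering of local admin accounts is ON' }
            }
            'EnableLUA' {
                if     ($value -eq 0) { 'UAC is OFF' }
                elseif ($value -eq 1) { 'UAC is ON' }
                else                  { 'value not set' }
            }
        }
        [pscustomobject]@{
            Name    = $name
            Present = [bool]$item
            Value   = $value
            Effect  = $effect
        }
    }
}

function Save-UacPolicyState {
    # @(...) keeps the JSON an array regardless of how many entries there are.
    ConvertTo-Json -InputObject @(Get-UacPolicyState) |
        Set-Content -LiteralPath $SnapshotPath -Encoding UTF8
    Get-Item -LiteralPath $SnapshotPath
}

function Restore-UacPolicyState {
    if (-not (Test-Path -LiteralPath $SnapshotPath)) {
        throw "No snapshot found at $SnapshotPath"
    }
    $saved = Get-Content -LiteralPath $SnapshotPath -Raw | ConvertFrom-Json
    foreach ($entry in $saved) {
        if ($entry.Present) {
            # The value existed before the change: write the recorded number back.
            Set-ItemProperty -Path $PolicyKey -Name $entry.Name `
                -Value ([int]$entry.Value) -Type DWord
        } else {
            # The value was created only for the installation: remove it again.
            Remove-ItemProperty -Path $PolicyKey -Name $entry.Name -ErrorAction SilentlyContinue
        }
    }
    Get-UacPolicyState   # show the resulting state
}

# Usage:
#   Save-UacPolicyState       # before editing the registry as described above
#   Restore-UacPolicyState    # after the Client is installed
# A change to EnableLUA takes effect after the computer is rebooted.
```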

Issue: Active Directory Errors


Errors in Active Directory may be caused by the absence of the critical object that represents
the trust relationship between the two Active Directory domains, which have a parent/child or
tree root trust relationship.
How to Check:
Errors in Active Directory may occur when you have two or more replicated domains.

How to Fix:
To resolve errors in Active Directory, do the following:
1. Open the Active Directory Users > Computer Tools.
2. Open the System Container.
3. If there is no TDO object (trusted domain object) in the System container, please reset
the trust between parent and child relationships between domain controllers of
different domains with netdom.


Issue: Errors in Service Principal Name for the Domain


Issues with the Service Principal Name (SPN) for the domain that is hosting the replica can occur when the SPN has not been propagated to the domain that contains the account which you use when you run the Dcpromo.exe file. This propagation may have been delayed because of replication latencies.
How to Fix:
To resolve issues with SPN, do one of the following:
• Log in as a domain admin of the child domain.
• Wait for replication to complete and use the root admin account.

Issue: Two Computers Have the Same Computer Name


The computer in the child domain has the same name as the computer in the parent domain.

How to Fix:
To resolve this issue, rename the computer in the parent domain which has the same
name as the computer in the child domain.

If you get a message at the end of the remote Client installation: “The network name cannot be found”, it can be caused by the following reasons:
• There is no access to the remote computer.
• There is no access to Network Shares.

Issue: There is No Access to the Remote Computer

How to Check:
Please check that you have access to the remote computer. To do this, enter the
following command in the Windows command line: ping <name of the remote computer>
If you do not receive any response, the access might be blocked by the remote computer
Firewall.

How to Fix:
Try enabling the Local Account Token Filter Policy on the target computer.

Issue: There is No Access to Network Shares


Please follow the instructions described above.


If you get a message at the end of the remote Client installation: “Client machine must be rebooted before agent installation”, reboot the Client computer. If the Client has been recently uninstalled, the Client computer must be rebooted before the Client is installed again.

If you get a message after clicking Uninstall Ekran System Client: “The host is unavailable now
or turned off. Try again later.”, this means that the Client may be offline or may not be able to
connect to the Server. Please do one of the following:
• Wait until the Client appears online.
• If the Client does not appear online, uninstall it locally on the Client computer via the Windows command line by executing the following command: UninstallClient.exe /key=<uninstallation key>
By default, the UninstallClient.exe file is located in the Client installation folder. The default
path is C:\Program Files\Ekran System\Ekran System\.

Possible Problems with Receiving Data from Clients


If an installed Client does not appear online, do the following:
• Make sure that the Client is installed and its services are running.
• Make sure that there are no network connection problems:
   • On the Server computer, in the Command line (cmd.exe), execute the following command: ping <Client computer name>. If the command displays network issues, resolve them.
• Make sure the Client processes/services are not blocked by the antivirus software.

If you changed the name of the Server computer, you have to change it on the Client
computer through the registry.
To change the Server name:
1. Open the Windows Registry Editor.
2. Select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client.
3. Double-click the RemoteHost value, or select it and click Modify in the context menu.
4. Enter the new name or IP address of the Server to which the Client must connect.
5. Reboot the Client computer.
NOTE: If the Client works in the non-protected mode, you can change the name of the
Server to which it connects, by installing the Client remotely via the Management Tool
once more.

If a Client is online and not sending any data, do the following:
• Make sure the user activity recording is enabled in the Client configuration.
• Make sure a license is assigned to the Client.
• Make sure there is more than 500MB of free space on the disk on which the Client is installed.
• Make sure the database is not full: there may be no free space left on the disk where the Server database is located.
If an installed Client has stopped sending data, it may be caused by the following issues:
• The Client processes on the Client computer may have been terminated. Make sure the Client processes are running on the Client computer (see Checking that the Client is installed topic in the help file).
• The Client service (EkranClient) might have been stopped. Please make sure it is started.
• The Client computer may be offline. Make sure it is online and has no network connection problems.
• The sending of data is prevented by antivirus software. Make sure the Client processes/services are not blocked by the antivirus software.
• The connection might be blocked by Firewall. Try unblocking the connection.
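
The local checks from this section and from Checking that the Client Is Installed, gathered into one PowerShell function to run on the Client computer. It is an added example, not part of the Ekran System documentation; the function name and output fields are illustrative, and it assumes the default installation folder on the system disk.

```powershell
# Added example: run locally on the Windows Client computer.
function Test-EkranClientHealth {
    $clientKey = 'HKLM:\SOFTWARE\EkranSystem\Client'
    # Assumption: default installation folder on the system disk.
    $clientDir = Join-Path $env:SystemDrive 'Program Files\Ekran System\Ekran System\Client'
    $minFree   = 500MB   # free-space threshold given in the help file

    # Process and services named in "Checking that the Client Is Installed".
    $processRunning = [bool](Get-Process -Name 'EkranService' -ErrorAction SilentlyContinue)
    $services = foreach ($name in 'EkranClient', 'EkranController') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $name
            Status = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        }
    }

    # Installation folder with executable files.
    $exeCount = 0
    if (Test-Path -LiteralPath $clientDir) {
        $exeCount = @(Get-ChildItem -LiteralPath $clientDir -Filter '*.exe' -File).Count
    }

    # RemoteHost holds the Server name or IP address the Client connects to.
    $reg        = Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue
    $remoteHost = if ($reg) { $reg.RemoteHost } else { $null }
    $serverReachable = $false
    if ($remoteHost) {
        $serverReachable = [bool](Test-Connection -ComputerName $remoteHost -Count 2 -Quiet)
    }

    # Free space on the disk that holds the Client.
    $drive     = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
    $freeBytes = $drive.Free

    # Translate the raw facts into the causes listed in the help file.
    $findings = @()
    if (-not $processRunning) { $findings += 'EkranService.exe process is not running' }
    foreach ($s in $services) {
        if ($s.Status -ne 'Running') { $findings += "Service $($s.Name) is $($s.Status)" }
    }
    if ($exeCount -eq 0)      { $findings += "No executable files found in $clientDir" }
    if (-not $reg)            { $findings += "Registry key $clientKey is missing" }
    elseif (-not $remoteHost) { $findings += 'RemoteHost value is empty or missing' }
    elseif (-not $serverReachable) {
        $findings += "Server '$remoteHost' does not answer ping (network, firewall, or renamed Server)"
    }
    if ($freeBytes -le $minFree) { $findings += 'Less than 500MB free on the Client disk' }

    [pscustomobject]@{
        ProcessRunning  = $processRunning
        Services        = $services
        ExecutableCount = $exeCount
        RemoteHost      = $remoteHost
        ServerReachable = $serverReachable
        FreeSpaceMB     = [math]::Round($freeBytes / 1MB)
        Findings        = $findings
    }
}

# Usage:
# (Test-EkranClientHealth).Findings
```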

Possible USB Monitoring Problems


If an installed Client with the USB monitoring/blocking option enabled does not detect the
USB devices, do the following:
1. Check if the USB drivers are installed. To do this, on the Client computer, in the
Command line (cmd.exe), execute the following command:
UninstallClient.exe /usbcheck
2. Install the drivers if they are not installed. To do this, execute the following command:
UninstallClient.exe /usb=true /key=<uninstall key>
3. Uninstall the drivers to reinstall them afterwards. To do this, execute the following
command:
UninstallClient.exe /usb=false /key=<uninstall key>

Linux Client
Possible Problems with Receiving Data from Clients
If an installed Client does not appear online, do the following:
• Make sure that the Linux Client is installed and running by checking the state of the Client.
• Make sure that there are no network connection problems: on the Server computer, in the Command line (cmd.exe), execute the following command: ping <Client computer name>. If the command displays network issues, resolve them.
If a Linux Client is online and not sending any data, do the following:
• Make sure a license is assigned to the Client.
• Make sure there is enough free space on the disk on which the Client is installed.
• Make sure the database is not full: there may be no free space left on the disk where the Server database is located.
If an installed Client has stopped sending data, it may be caused by the following issues:
• The Linux Client might have been stopped. Please make sure it is started.
• The Client computer may be offline. Make sure it is online and has no network connection problems.

Checking the State of the Linux Client


If the Linux Client is successfully installed, it will appear on the Clients page of the Management
Tool in the Data View pane.
If there is no Linux Client in the Management Tool, you have to check whether the Client has
been installed.
To check the status of the Linux Client, run the command-line terminal and enter the following
command:
$ service Ekran status

Restarting Linux Client


To restart the Linux Client, use the following command in the terminal of the Client computer:
$ sudo service Ekran restart
Alternatively, stop and restart the Linux Client using the following commands:
$ sudo service Ekran stop
$ sudo service Ekran start


Appendix
Default Alerts
The Management Tool contains default alerts, which are triggered by different kinds of potentially harmful or forbidden actions performed on computers with installed Clients.

Fraud Activity
Cleanup applications
This alert is triggered when the user on the Windows Client computer is opening the PC
cleanup applications such as CCleaner, PC Decrapifier, File Shredder, and CleanUp.
Command prompt
This alert is triggered when the user on the Windows Client computer is executing the
command prompt.
Date/Time changing
This alert is triggered when the user changes the Date and Time settings on the
Windows Client computer.
Editing Windows Registry
This alert is triggered when the user on the Windows Client computer is editing the
Windows registry via the Windows Registry Editor.
File Download from Internet browser
This alert is triggered when the user on the Windows Client computer is downloading files
via such Internet browsers as Chrome, Firefox, or Internet Explorer.
File Upload via Internet browser
This alert is triggered when the user on the Windows Client computer is uploading files
via such Internet browsers as Chrome, Firefox, or Internet Explorer.
Hacking software
This alert is triggered when the user on the Windows Client computer is using the
different kinds of hacking software such as Angry IP Scanner, HashCat, Burp Suite, Cain
& Abel, Ettercap, John The Ripper, Kali, Metasploit, Nmap (Network Mapper), Snort,
THC Hydra, Wapiti, Wifite, and Wireshark.
IIS Binding Settings
This alert is triggered when the user on the Windows Client computer is changing IIS
binding settings.
Internet Explorer proxy settings
This alert is triggered when the user on the Windows Client computer is changing the
Internet Explorer Proxy Settings.


Remote desktop connection


This alert is triggered when the user on the Windows Client computer is initiating RDP
connection to another computer.
Windows user creation/editing
This alert is triggered when the user on the Windows Client computer is adding or
editing the Windows users.
[Linux] Installation detection
This alert is triggered when the user on the Linux Client computer is utilizing commands
for installation.
[Linux] Root privileges
This alert is triggered when the user on the Linux Client computer is gaining the Root
privileges.
[Linux] User adding
This alert is triggered when the user on the Linux Client computer is adding users.

Data Leakage
Cloud backup
This alert is triggered when the user on the Windows Client computer is opening a cloud
backup service such as ADrive, AltDrive, Backblaze, avast!, BackUp, Backup Lizard,
BackupRunner, Bitcasa, Carbonite, Comodo Backup, CrashPlan, Cyphertite,
ElephantDrive, Gillware, IDrive, Iozeta, Jottacloud, Jungle Disk, KineticD, Livedrive,
Malwarebytes, Mevvo, Mozy, MyOtherDrive, MyPC Backup, NitroBackup, Nomadesk,
SafeSync, sosonlinebackup, SpiderOak, SugarSync, Symform, Total Defense Online
Backup, OpenDrive, and Zoolz.
Cloud file sharing
This alert is triggered when the user on the Windows Client computer is sharing the files
using the cloud based services 2Big2Send, 4shared, Addie.it , BitLet.org, CloudApp,
Digital Pigeon.com, DivShare, Dropcanvas, Droplr, Dropmark, DropSend, EFShare,
Filecamp, FileDropper, FileSavr.com, Fyels, Ge.tt, GigaSize, JustBeamIt, Kicksend,
LargeDocument.com, letscrate, MailBigFile, Minus.com, pastebin.com, PasteLink.me,
RapidShare, Send6, Senduit, SendYourFiles, Streaky, Uploaded.to, Uploadie, Wappwolf,
WeTransfer, Wikisend, YouSendIt, and zShare.net.
Cloud storages
This alert is triggered when the user on the Windows Client computer is visiting the
following cloud storage websites: Dropbox.com; drive.google.com; onedrive.live.com;
Otixo; box.com; Fluxiom; spideroak.com; Uploadingit; amazon.com; justcloud.com;
livedrive.com; sugarsync.com; code42.com/crashplan; zipcloud.com;
sosonlinebackup.com; carbonite.com; eSnips; Fileshare; mozy.com; mega.nz;
adrive.com; bitcasa.com; icloud.com; Memonic; Doxo.


Desktop email clients


This alert is triggered when the user on the Windows Client computer is opening the
desktop email clients such as AOL Mail, Microsoft Outlook, Windows Live Mail, IBM
Notes, Thunderbird, Post-box, Novell GroupWise, and The Bat!.
FTP access
This alert is triggered when the user on the Windows Client computer is visiting the FTP
websites.
[Linux] Mounting device
This alert is triggered when the user on the Linux Client computer attempts to execute
the commands for mounting devices on the Linux servers.
Online email services
This alert is triggered when the user on the Windows Client computer is using the
following online email services: mail.google.com; login.live.com; login.yahoo.com;
my.screenname.aol.com; zoho.com; mail.com; inbox.com; gmx.com; icloud.com;
mail.lycos.com; hushmail.com; mail.yandex.com.
Screen sharing applications
This alert is triggered when the user on the Windows Client computer is opening the
screen sharing application such as TeamViewer, Deskhop, Screenleap, ShowMyPC,
Mingle View, Apache OpenMeetings, Mikogo, LogMeIn, join.me, Remote Access Viewer,
WebEx, GoToMeeting, AnyMeeting, and Zoom.

Potentially Illicit Activity


Adult sites
This alert is triggered when the user on the Windows Client computer is visiting the
following websites with illicit content for adults: flirt4free.com; ebaumsworld.com;
imlive.com; freeones.com; redtube.com; cam4.com; adultfriendfiner.com;
youporn.com; xnxx.com; livejasmin.com; G.e-hentai.org; Nudevista.com;
Adam4adam.com; Literotica.com. Also, this alert is triggered on any website, which
contains the words xxx or porn in its URL.
BitTorrent clients
This alert is triggered when the user on the Windows Client computer is opening the
BitTorrent Client applications such as Utorrent, Vuze, Tixati, Torch, qBittorrent,
Transmission, Deluge, and BitLord.
BitTorrent sites
This alert is triggered when the user on the Windows Client computer is visiting the
following BitTorrent websites: thepiratebay; kat.cr; torrentz.eu; extratorrent; yts; eztv;
1337x; isohunt; bitsnoop; rarbg.
Gambling sites
This alert is triggered when the user on the Windows Client computer is visiting the
following online gambling websites: grosvenorcasinos.com; leovegas.com; 777.com;
casino.com; foxycasino.com; casino.betway.com; bet365.com; titanbet.com;
888casino.com; europacasino.com. Also, this alert is triggered on any website, which
contains the words casino or poker in its URL.
Proxy anonymizers
This alert is triggered when the user on the Windows Client computer is visiting the
following proxy anonymizer websites: proxify.com; Anonymouse.org; hidemyass.com;
the-cloak.com; bind2.com; maskedip.com; anonymizer.com; proxy.org; newipnow.com;
zophar.net; proxysite.com; dontfilter.us; uas2.com; blewpass.com; kproxy.com; alter-
ip.com; proxy.my-addr.com; megaproxy.com; proxfree.com; fresh-proxy.appspot.com;
youhide.com; proxywebsite.org; Tor Browser.

Not Work-related Activity


Dating sites
This alert is triggered when the user on the Windows Client computer is visiting the
following dating websites: match.com; okcupid.com; gotinder.com; meetup.com;
pof.com; zoosk.com; eharmony.com; badoo.com; christianmingle.com; ourtime.com;
datehookup.com; howaboutwe.com; seniorpeoplemeet.com; speeddate.com;
chemistry.com; jdate.com.
Desktop media players
This alert is triggered when the user on the Windows Client computer is opening the
desktop media players such as Windows Media Player, BS.Player, PotPlayer, DivX Player,
GOM Player, KMPlayer, VLC, Kantaris Media Player, Media Player Classic, SMPlayer,
DAPlayer, and iTunes.
Instant messengers
This alert is triggered when the user on the Windows Client computer is opening the
instant messengers Skype, Pidgin, MSN Messenger, Yahoo! Messenger, Google Talk,
Digsby, ICQ, Miranda IM, and Trillian.
Job search
This alert is triggered when the user on the Windows Client computer is visiting the
following job search websites: indeed.com; monster.com; glassdoor.com;
jobsearch.com/careerbuilder.com; simplyhired.com; aol-careers.com; jobdiagnosis.com;
beyond.com; ziprecruiter.com; snagajob.com; theladders.com; dice.com;
elance.com/upwork.com; linkedin.com; peopleperhour.com; linkup.com;
careerarc.com; freelancer.com; usajobs.gov.
Online games
This alert is triggered when the user on the Windows Client computer is visiting the
following online games websites: eune.leagueoflegends; battle.net;
steampowered.com; dota2; trionworlds; hirezstudios; minecraft; worldoftanks;
swtor.com; kongregate.com; armorgames; addictinggames.com; newgrounds.com;
popcap.com; crazymonkeygames.com; pch.com; zynga.com; totaljerkface.com;
deadwhale.com; plarium.com.


Online video
This alert is triggered when the user on the Windows Client computer is visiting the
following online video websites: Youtube; dailymotion.com; vimeo; gopro.com;
ted.com; on.aol.com; mtv.com; funnyordie.com; break.com; metacafe.com; veoh.com.
Social networks
This alert is triggered when the user on the Windows Client computer is visiting the
following social network websites: facebook; twitter; linkedin; pinterest;
plus.google.com; tumblr; instagram; vk.com; flickr; vine.co; meetup.com; tagged.com;
ask.fm; meetme.com; classmates.com; foursquare; tripadvisor; weeworld.com; mixi.jp;
myspace.com; myheritage.com; schtik.com.


Standard and Enterprise Edition Comparison Chart


The enterprise Ekran System features are available only if you have an activated Enterprise
serial key.

Feature    Standard Edition    Enterprise Edition

Ekran System Technical Features

High Availability ✘ ✔

Two types of database (Firebird, MS SQL) ✔ ✔

Database cleanup ✔ ✔

Database archiving ✘ ✔

Signing monitoring data with certificate ✔ ✔

Validation of monitoring data using hash codes ✔ ✔

Storing screenshots in the form of deltas ✔ ✔

NAS support for binary file storing ✔ ✔

Advanced SIEM Integration ✘ ✔

Integration with Active Directory ✔ ✔

Integration with ticketing systems ✘ ✔

Client offline work mode ✔ ✔

Displaying notifications about the Server state (Server Tray) ✔ ✔

Ekran System Client Features

Client installation, uninstallation, and auto-update ✔ ✔
• Remote [Windows Clients]
• Local [Windows & Linux Clients]

Client protection ✔ ✔
• Client mode (protected, non-protected)
• Protection from uninstallation (uninstallation key)

Alert policies ✔ ✔

Client group management ✔ ✔

Windows Client Monitoring

Screenshot creation ✔ ✔

Monitoring without screenshots ✔ ✔

Keystroke logging ✔ ✔

Monitoring triggered by keyword ✔ ✔

Clipboard monitoring ✔ ✔

URL monitoring ✔ ✔

USB-based storage monitoring ✔ ✔

Kernel-level USB monitoring & blocking ✔ ✔

Application filtering ✔ ✔


User filtering ✔ ✔

Client monitoring logs creation ✔ ✔

User authentication on the Client computer with Windows operating system

Secondary authentication ✔ ✔

One-time password ✘ ✔

Two-factor authentication ✔ ✔

Administrator’s approval on login ✔ ✔

Informing about monitoring on the Client computer

Displaying additional message on login ✔ ✔

User’s comment to additional message on login ✔ ✔

Displaying Client tray icon ✔ ✔

Linux Client Monitoring

User actions monitoring ✔ ✔
• Input commands
• Terminal responses

System calls monitoring ✔ ✔

User Management Features

Active Directory users/user groups ✔ ✔


Internal users ✔ ✔

User permissions ✔ ✔
• Administrative permissions
• Client permissions

User group management ✔ ✔

Logging of all user actions ✔ ✔

Displaying Monitoring Results

Interaction with the investigator ✔ ✔
• Displaying notifications on alert events (Tray Notifications app)
• Sending email notifications

Web-based Player ✔ ✔
• Searching Client sessions by metadata
• Playing Client sessions (live and finished)

Interactive monitoring ✔ ✔

Dashboards ✔ ✔

Alert Viewer ✔ ✔

Reports (Report Generator & Scheduled Reports) ✔ ✔

Export of Monitoring Results

Forensic Export of a session ✔ ✔

Screenshot export ✔ ✔


Validation of Forensic Export results ✔ ✔
