Sessions
The Sessions tab displays for users who have been assigned one or both of the two session reviewer roles for any managed systems: Recorded session reviewer and Active session reviewer. Depending on the roles assigned to your user account, you can view active or completed sessions using the buttons above the grid. By default sessions for all protocols are displayed. You can filter the list of sessions to display only RDP or only SSH sessions using the Protocol dropdown.
To view details of a completed session or to view the session, click the vertical ellipsis for the session, and then select View Details or View Session as required.
To view, lock, or terminate an active session, click the vertical ellipsis for the session, and then click View Session, Lock Session, or Terminate Session as required.
Note
Admin sessions are listed in the grid only for users who have read permissions to the Password Safe Admin Session Reviewer feature, as assigned by your Password Safe administrator.
Manage Active Sessions
Password Safe Administrators, ISA users, or users that have been granted permissions to the asset through a Smart Group that is assigned the Active Session Reviewer role can view and manage active sessions in real time. While viewing an active session you can lock, terminate, and cancel the session, as detailed in the steps below.
Note
Admin sessions are listed in the grid only for users who have read permissions to the Password Safe Admin Session Reviewer feature.
- From the left navigation, click Menu, and then under Password Safe, click Active Sessions.
- Use the dropdowns above the grid to locate the session you wish to view or manage, and then click the vertical ellipsis for the session.
- Click Lock to immediately lock the session.
- Click Terminate to immediately disconnect the session.
- Click View Session to view the active session.
Note
Keystrokes, such as those used when the user opens a window, accesses an application, or clicks an option, are logged in the Events pane as they are executed. You can sort these chronologically but you cannot select them during an active session.
- While viewing an active session, use the controls below the session display window as follows:
- Click Lock to immediately lock the session.
- Click Terminate to immediately disconnect the session.
- Click Terminate and Cancel to immediately end a session and check in the request.
Note
The Terminate and Cancel button is only present for sessions initiated by requestors. It is not available for sessions initiated by administrators or ISA users. It is also not available for Admin Sessions.
Note
When a session is locked or terminated, the user receives a message indicating the session has been locked or terminated and to contact their administrator. Terminated sessions are removed from the Active Sessions grid, and can be viewed from the Completed Sessions grid.
Configure Session Monitoring
Session monitoring records the actions of a user while they access your password-protected managed systems. This allows you to identify any suspicious activities while maintaining the integrity of your systems. The actions are recorded in real time with the ability to bypass inactivity in the session, allowing you to view only the actions of the user.
You configure session monitoring when you add or edit a managed system.
There are additional settings you must configure, such as concurrent sessions and screen resolution.
Note
All registry changes must be done on each machine hosting a resource broker.
File location
When a session is complete, the logs are copied to your Azure storage account and they can be played from there. If the copy fails, logs are saved in the folder C:\program files\beyondtrust\resource broker\session manager\data\sessionmonitoring\failed. By default, the file save is attempted three times over a 60 second retry period before it is copied to this folder.
We allocate whatever space is required to retain the data. Session data is retained for 1 year.
Configure concurrent sessions
Remote sessions can be limited to a set number of concurrent sessions.
The option to increase or limit the number of sessions a user can open at one time is configured from the schedule settings within an Access Policy.
To modify the number of concurrent sessions:
- Navigate to Configuration > Privilege Access Management Policies > Access Policies.
- Select an Access Policy or create a new one.
- From the Schedule tab, select an existing schedule or click Create New Schedule to create a new one.
- Scroll down to Policy Types and select RDP or SSH.
- Set the number for the Concurrent option.
- Click Update Schedule or Create Schedule to save the schedule.
If a user tries to open more sessions than allowed, a message displays on the Requests page.
Use session masking
Passwords can be hidden from session replays by applying a mask. When session masks are active, an SSH session recording at that time checks the keystrokes against the mask. Any matches are replaced. When the keystroke session is replayed, the viewer sees asterisks instead of the password. More than one mask can be active at a time.
Masks can be created, changed, and deleted. These actions are captured in user auditing.
- Navigate to Configuration > Privileged Access Management > Session Masks.
- To create a mask:
- Click Create New Mask above the grid.
- Enter a name for the mask and provide the mask pattern.
- Leave the Active option checked.
- Click Create Session Mask.
- To edit a mask:
- Locate the mask in the grid and click the vertical ellipsis button for it.
- Select Edit Session Mask.
- Edit the name and pattern for the mask as desired.
- Check or uncheck the Active option as appropriate.
- Click Update Session Mask.
- To delete a mask, click the vertical ellipsis button for the mask, and then select Delete.
Configure keystroke logging
Password Safe records keystrokes for all recorded sessions. Keystroke logging is enabled by default. When you open a recorded session, the pane on the right displays keystrokes. You can select a keystroke entry to view where that keystroke occurred. You can also filter keystroke entries by date, time, or keystroke in the Search box.
Turn off keystroke logging
You can turn off keystroke logging for ISA users and admin sessions as follows:
- Navigate to Configuration > Privileged Access Management > Global Settings.
- Under the Session Monitoring settings, clear the applicable keystroke logging options.
- Click Update Session Monitoring Settings.
Keystroke logging can be enabled for all other users when setting the scheduling options for an access policy.
Enhanced session auditing
Enhanced session auditing captures and records all mouse activity in the Keystrokes menu of Recorded Sessions for RDP and RDP application sessions. Enhanced session auditing is enabled by default. It uses the rules in the access policy for Admin Session multi-session checkouts. During a recorded RDP session, an agent called pbpsmon is installed on the host for the duration of the session. The agent monitors and audits Windows click events.
Note
Session monitoring captures text that is copied in an RDP session window. The copied text is captured only the first time. Any subsequent copy tasks of the same text are not captured for the session.
Note
To use enhanced session auditing, the functional account of the managed Windows host or Remote Desktop Services host must have administrative rights.
Turn off enhanced session auditing for ISA users
- Navigate to Configuration > Privileged Access Management > Global Settings.
- Under the Session Monitoring settings, clear the applicable enhanced session auditing options.
- Click Update Session Monitoring Settings.
You can turn off enhanced session auditing for admin sessions and all other non-ISA users, when setting the scheduling options for an access policy.
Troubleshoot enhanced session auditing
The following files are deployed as part of enhanced session auditing:
- pbpsdeploy (Password Safe Deployment Agent service)
- pbpsmon
- pbpslaunch
- pbpsmon and pbpslaunch (These are contained in a cab file that is copied to the Windows directory and extracted to C:\pbps\.)
pbpsdeploy
The pbpsdeploy.exe file resides in the Windows directory (C:\Windows).
- Access to ADMIN$ is required to copy pbpsdeploy.exe from Password Safe to the target server.
- Confirm the service is displayed in the Services snap-in after deployment.
- The output from the deployment service should be in the pbsm logs.
Example
2017/03/07 15:47:12.186 2292 6548 INFO: Pushing pbpsdeploy service to 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.528 2292 6548 INFO: Starting pbpsdeploy service on 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.593 2292 6548 INFO: Copied pbpsmon.cab
2017/03/07 15:47:13.716 2292 6548 INFO: pbpsmon install:
Using binary directory C:\Windows\
Created directory C:\pbps
Extracting File "pbpsmon.exe" (Size: 15872 bytes) -> "C:\pbps\pbpsmon.exe"
Extracting File "pbpslaunch.exe" (Size: 145408 bytes) -> "C:\pbps\pbpslaunch.exe"
Extracting File "msvcp120.dll" (Size: 455328 bytes) -> "C:\pbps\msvcp120.dll"
Extracting File "msvcr120.dll" (Size: 970912 bytes) -> "C:\pbps\msvcr120.dll"
Extracting File "vccorlib120.dll" (Size: 247984 bytes) -> "C:\pbps\vccorlib120.dll"
Extracting File "libeay32.dll" (Size: 1359872 bytes) -> "C:\pbps\libeay32.dll"
Extracting File "ssleay32.dll" (Size: 252928 bytes) -> "C:\pbps\ssleay32.dll"
Creating registry keys
Registry keys successfully created
Creating task
Task successfully created
pbpsmon
Verify the following setup has been performed by the deployment service:
- In Task Scheduler, confirm the following task is created: BeyondTrust Password Safe Monitoring Task, or BeyondTrust Password Safe Disposable Monitoring Task. The task name depends on how enhanced session monitoring was installed.
- In regedit, the following registry key is created, which creates the disconnect event:
HKLM\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON
pbpslaunch
Verify the following setup has been performed by the deployment service:
- In regedit, the following registry key is created:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch
- A pbpslaunch entry exists in RemoteApp Manager.
- Locate the log statement Accepting RDP Channel. There should be one for pbpsmon, and if it is an application session, one for pbpslaunch.
Example
2017/03/07 15:47:14.659 3672 4788 INFO: Accepting RDP Channel PBPSMON
- The Event Viewer on the target server includes setup and cleanup results of pbpsmon and pbpslaunch sent to pbsmd.
- Open Event Viewer.
- Expand Windows Logs.
- Click Application.
- Filter the application log on Source = pbpsdeploy.
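The target-server checks from this troubleshooting section, collected into one read-only PowerShell script (an added example, not BeyondTrust tooling). It assumes the service is registered under the name pbpsdeploy, and it probes the standard Windows "Terminal Server" spelling of the allow-list key alongside the spelling printed above.

```powershell
# Added example: read-only checks, run from an elevated prompt on the target server
# while a recorded RDP session is open (the agent exists only for the session's duration).
$checks = [ordered]@{}

# Files: pbpsdeploy.exe in the Windows directory, agent binaries extracted to C:\pbps\
$checks['pbpsdeploy.exe in Windows directory'] = Test-Path (Join-Path $env:windir 'pbpsdeploy.exe')
foreach ($file in 'pbpsmon.exe', 'pbpslaunch.exe') {
    $checks["C:\pbps\$file"] = Test-Path (Join-Path 'C:\pbps' $file)
}

# Service visible in the Services snap-in (service name 'pbpsdeploy' is an assumption)
$svc = Get-Service -Name 'pbpsdeploy' -ErrorAction SilentlyContinue
$checks['pbpsdeploy service registered'] = [bool]$svc

# Scheduled task: either name is valid, depending on how monitoring was installed
$taskNames = 'BeyondTrust Password Safe Monitoring Task',
             'BeyondTrust Password Safe Disposable Monitoring Task'
$tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $taskNames -contains $_.TaskName })
$checks['Monitoring scheduled task'] = $tasks.Count -gt 0

# Registry: pbpsmon add-in key (creates the disconnect event)
$checks['PBPSMON add-in key'] =
    Test-Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON'

# Registry: pbpslaunch allow-list key, tried with the page's spelling and the Windows one
$base  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
$found = 'TerminalServer', 'Terminal Server' | Where-Object {
    Test-Path "$base\$_\TSAppAllowList\Applications\pbpslaunch"
}
$checks['pbpslaunch TSAppAllowList key'] = [bool]$found

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Present = $_.Value } } |
    Format-Table -AutoSize

# Application log filtered on Source = pbpsdeploy (setup and cleanup results)
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'pbpsdeploy' } `
        -MaxEvents 20 -ErrorAction Stop |
        Select-Object TimeCreated, LevelDisplayName, Message | Format-List
} catch {
    Write-Warning "No Application-log events from source pbpsdeploy: $($_.Exception.Message)"
}
```

The RemoteApp Manager entry and the Accepting RDP Channel log statement are not covered by this script and still need to be checked by hand.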
Configure Algorithms used by the session monitoring proxy
The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the user's SSH client and the SSH proxy are configurable using the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms
- HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\kex_algorithms
- HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\macs
The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the SSH proxy and the managed system are configurable using the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_ciphers
- HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms
- HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms
- HKEY_LOCAL_MACHINE\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_macs
Each of these keys, if defined, must hold a multi-string value (REG_MULTI_SZ), with one algorithm name per line.
For example, ciphers might be:
- aes128-ctr
- aes192-ctr
- aes256-ctr
This restricts the available encryption algorithms to those named.
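A read-only audit of the algorithm settings listed above, written as an added example rather than vendor tooling. It assumes the last component of each listed path is a value name under the ssh_proxy key, and the baseline is a hypothetical approved list in which only the cipher names come from this page's example.

```powershell
# Added example: read-only audit of the SSH proxy algorithm restrictions.
# Assumption: each page entry is a REG_MULTI_SZ value under the ssh_proxy key.
$proxyKey = 'HKLM:\SOFTWARE\BeyondTrust\PBPS\SessionManager\ssh_proxy'

# Value names exactly as listed on this page
$valueNames = 'host_key_algorithms', 'kex_algorithms', 'macs',
              'client_ciphers', 'client_host_key_algorithms',
              'client_kex_algorithms', 'client_macs'

# Hypothetical approved baseline; extend with your own policy per value name
$baseline = @{ client_ciphers = 'aes128-ctr', 'aes192-ctr', 'aes256-ctr' }

$key     = Get-Item -Path $proxyKey -ErrorAction SilentlyContinue
$present = if ($key) { $key.GetValueNames() } else { @() }

$report = foreach ($name in $valueNames) {
    $status = 'Not defined'
    $algos  = @()
    if ($present -contains $name) {
        $kind = $key.GetValueKind($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
            # The page requires a multi-string value with one algorithm per line
            $status = "Wrong type: $kind (must be REG_MULTI_SZ)"
        } else {
            $algos  = @($key.GetValue($name) | Where-Object { $_ -and $_.Trim() })
            $status = 'Restricted'
            if ($baseline.ContainsKey($name)) {
                $extra = @($algos | Where-Object { $baseline[$name] -notcontains $_ })
                if ($extra) { $status = "Outside baseline: $($extra -join ', ')" }
            }
        }
    }
    [pscustomobject]@{ Value = $name; Status = $status; Algorithms = $algos -join ', ' }
}
$report | Format-Table -AutoSize -Wrap
```

Run it on every machine hosting a resource broker, since registry changes are made per machine and the hosts can drift apart.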
View recorded sessions
For auditing purposes, all RDP and SSH sessions in Password Safe can be recorded and accessible for viewing from the Sessions > Completed Sessions grid. Session recording is available for regular sessions, ISA sessions, and Admin sessions. The following users can view recorded sessions:
- Administrators
- Users with the Auditor role
- Users with the Recorded Session Reviewer role
- Users with the ISA role
To access and review completed sessions in Password Safe, follow these steps:
- From the left navigation, click Menu, and then click Completed Sessions under Password Safe.
- Use the Protocol and Filter By dropdowns above the grid to filter the list to assist with locating the desired session. Once you have located the session you wish to view, click the vertical ellipsis for it, and then select View Session.
- Alternatively, you can select View Details and then click the View Session link from the Session Details pane.
Note
If a session recording has been archived, the View Session option is not available. If available, select the Restore Session option to restore the recording. You can also restore the archived session from the session's details by selecting View Details and then clicking the Restore link.
- Once the session displays, click Play to review the recording. You can hover over any part of the video progress bar to reveal the time stamp and click anywhere on the bar to select an instance in the recorded session. Use the control buttons below the recording to pause and restart the recording.
Note
Keystrokes that occurred within the session, such as the user opening a window, accessing an application, or clicking an option, are stored as events and listed in the Events pane to the left of the recorded session. You can click specific listed events or click the Prev and Next buttons below the recording to skip to those events within the recording.
To take a screenshot of a session frame and export it as a JPEG file, click the Snapshot button. The file exports with a resolution of 1024 × 768. The JPEG file is automatically saved to the default download location specified in your browser settings.
- Add comments and check Mark as Reviewed for auditing purposes.
- The number of audits is displayed as a link above the session recording. Click the link to view who viewed the session and when, as well as to see their comments.
Use keystroke search
To find sessions in either Active Sessions or Completed Sessions, enter a word or phrase in the Quick filter field. The list of sessions is automatically filtered based on what is entered in the field.
To search for global keystrokes, select Keystroke from the Filter by dropdown list, and then enter a word or phrase in the Keystroke field.
Restore archived session
In Password Safe Cloud, sessions older than six months are automatically archived. This prevents data storage issues for Cloud users. However, archived sessions can easily be restored so they can be replayed. To restore an archived session:
- Navigate to Password Safe > Sessions > Completed Sessions.
- Locate the archived session, and then click the vertical ellipsis to the right of the session.
- Select Restore Session. The restore takes place in the background.
Once the session has been restored, follow the steps in the View recorded sessions section to view the restored session.