In our threat analysis lab - the "dirty" part of the SC Lab - we watch probes and attacks against our honeynet and we find that scans/probes/attacks are most prevalent against SSH, Telnet, FTP and RDP. However, we are concerned with any attack or probe against MS terminal services and there are not a lot of tools available to monitor that, and then collect evidence and perform analytics. RecordTS is exactly that. The simplest description is that it is a remote session recorder. The single server edition sits on a server running Terminal Services. It watches what users are doing through the server and makes a forensically sound record complete with audit trail. This not only shows connections - source and destination - as one would expect, it also logs the session content.
While this is useful for watching behavior of users, it is more useful for watching the behavior of accounts. It long has been a maxim of data security that the account is more important than the user. That is because the behavior of the account can lead to understanding what the owner is doing or, more important perhaps, what an intruder who has compromised the account is doing. So we care about the account first and the owner second. This tool lets us gather the evidence that we need. With RecordTS, everything is stored in a backend SQL database (PostgreSQL).
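As an added illustration of the account-centric analytics the review describes (this is example code, not RecordTS's own schema or tooling), the snippet below loads a handful of constructed session records into an in-memory SQLite table standing in for the product's PostgreSQL backend and runs three account-level checks: accounts seen from several distinct source addresses, sessions outside working hours, and one account holding two concurrent sessions from different sources. The table layout, the account names and the addresses are all assumptions made for the example.

```python
import sqlite3
from datetime import datetime

# Constructed sample session records (account, source, destination, start, end).
# These are not real RecordTS data; the five-column schema is hypothetical.
SESSIONS = [
    ("jsmith", "10.1.1.5", "ts01", "2024-03-04T09:02:00", "2024-03-04T17:10:00"),
    ("jsmith", "10.1.1.5", "ts01", "2024-03-05T08:55:00", "2024-03-05T16:40:00"),
    ("svc_backup", "10.1.2.9", "ts01", "2024-03-04T02:00:00", "2024-03-04T02:30:00"),
    ("svc_backup", "198.51.100.7", "ts01", "2024-03-05T03:12:00", "2024-03-05T04:05:00"),
    ("svc_backup", "203.0.113.44", "ts01", "2024-03-05T03:40:00", "2024-03-05T03:50:00"),
]


def load_sessions(rows):
    """Create an in-memory table (SQLite stands in for PostgreSQL here) and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (account TEXT, src TEXT, dst TEXT, started TEXT, ended TEXT)"
    )
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def accounts_with_many_sources(conn, threshold=2):
    """Accounts that have connected from at least `threshold` distinct source addresses."""
    cur = conn.execute(
        """
        SELECT account, COUNT(DISTINCT src) AS n
        FROM sessions
        GROUP BY account
        HAVING n >= ?
        ORDER BY account
        """,
        (threshold,),
    )
    return [(account, n) for account, n in cur]


def off_hours_sessions(conn, start_hour=7, end_hour=19):
    """Sessions that began outside the [start_hour, end_hour) working window."""
    cur = conn.execute("SELECT account, src, started FROM sessions ORDER BY started")
    flagged = []
    for account, src, started in cur:
        hour = datetime.fromisoformat(started).hour
        if not (start_hour <= hour < end_hour):
            flagged.append((account, src, started))
    return flagged


def overlapping_sessions(conn):
    """Same account with two sessions open at the same time from different sources."""
    cur = conn.execute(
        """
        SELECT a.account, a.src, b.src
        FROM sessions a
        JOIN sessions b
          ON a.account = b.account
         AND a.src < b.src
         AND a.started < b.ended
         AND b.started < a.ended
        """
    )
    return [tuple(row) for row in cur]


if __name__ == "__main__":
    db = load_sessions(SESSIONS)
    print("multiple sources:", accounts_with_many_sources(db))
    print("off hours:", off_hours_sessions(db))
    print("concurrent from different sources:", overlapping_sessions(db))
```

Each query keys on the account rather than the person, which is the point the review makes: a service account that suddenly appears from two public addresses at three in the morning, with both sessions open at once, is the pattern worth pulling the recorded session for.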
Architecturally, the server sits between the remote clients and the terminal server. It has a web-based dashboard/console and the recorder that acts as a man-in-the-middle between users and the terminal server. There also is the SQL database for collecting and preserving evidence. The server gets its licensing information from TSFactory, the developer. Setup is straightforward and the hardware requirements are not onerous.
One point, though: lots of storage is a good thing. The database can grow pretty fast on a large system. But, remember that this is the single server edition. If you need a lot more power and, most important, distribution, you'll need the enterprise grade system. Even so, don't skimp on database storage. Also, make sure that your RecordTS server is in a physically secure area and that you restrict both logical and physical access. Remember, it contains evidence. The server regularly verifies its license with TSFactory, so an internet connection is necessary. Take care in how you configure your firewall.
We liked the replay capabilities of the product. If you catch a questionable session, you can play back a recording of it using the RecordTS player or you can convert it to AVI or SWF for distribution and preservation as evidence.
Installation is very straightforward. Just make sure that there is constant access to the internet. If it cannot verify its license, everything stops. The good news is that you can set up buffering so that if the database is lost for a short period of time, you won't lose data. Also, the device sits inline between the terminal services server and the users. So, if the product becomes disabled, users lose connectivity. We see this as a problem, but it is unavoidable. If you are to decode the data stream as a man-in-the-middle, you must be in the middle. That means that care must be taken to ensure that the system either stays online or is in a failover configuration with a standby server.
This is a very interesting tool and, though it does just one thing - monitor and record remote terminal services sessions - it does that quite well. Pricing is reasonable and the documentation is very good. There is basic support included at no additional cost. We liked the website and its support portal. For example, when you go to support for your product you get a screen that says: "First things first: READ THE MANUAL." It then conveniently provides access directly to the installation manual. There also is a support FAQ, all very nicely laid out.