RecordTS for Terminal Services
Strengths: Ease of use, forensic management of data and good, scalable performance.
Weaknesses: None that we found.
Verdict: While monitoring remote sessions may not be the first thing you consider when you are planning DFIR, if you are accessing servers and critical/sensitive workstations remotely you should consider this product strongly, no matter what the size of your enterprise is. This is our Recommended product for this month.
RecordTS for Terminal Services is a remote desktop protocol (RDP) recording and monitoring application. Remote sessions are streamed to a central storage server and immediately available for playback. User activity may be reviewed at any time either from live or stored user sessions. Last year we looked at the single user version of this product. This year we review the enterprise version.
The product is deployed from a license server and the recorders are deployed on the servers you want to monitor. To see a recording, all you need to do is go to the dashboard on the central management console, select the server you want to see and click Play. The servers may be on-premises or in the cloud; the product has no trouble monitoring cloud-hosted servers. Originally designed for recording terminal services, the product now also recognizes Citrix XenApp and XenDesktop and uses the Xen services to communicate with the servers being monitored. In addition to servers, of course, critical or sensitive workstations may be monitored as well.
If a user on a server is not active, the recorder does not record, saving storage space. You can have multiple dashboards with different servers being monitored. Stored sessions are saved on a storage server using MS SQL, PostgreSQL or the TSFactory Storage Server. Storage servers may be separate or they may be co-located with the dashboards and the license server. The TSFactory Storage Server is more secure and performs better, and there is no additional licensing, as there is for SQL Server. The storage format is very compact.
For stability and security, if the network where the recordings are being stored becomes unstable, the system has local memory buffers. When memory runs out, a file buffer on disk picks up the recordings. The tool uses a proprietary file format for stored files so that unauthorized users cannot view them with typical video players. There also is a "drain" mode that allows users to log off gracefully in the event of a system reboot request. The product is very scalable and is in production at sites with thousands of users and hundreds of servers.
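The buffering fail-safe just described, as an added illustration that is not part of this review and not RecordTS code: a hypothetical buffer that sends session records to the storage server while it is reachable, holds them in a bounded in-memory queue during an outage, spills to an on-disk file once memory is exhausted, and drains everything in order when the store comes back. The `SpillingRecordBuffer`, `FlakyStore` and `simulate_outage` names, the JSON-lines spill format and the sample records are all constructed for the example.

```python
"""Hypothetical illustration (not RecordTS code) of memory-then-disk
buffering for session records during a storage-server outage."""
import json
import os
import tempfile
from collections import deque


class SpillingRecordBuffer:
    def __init__(self, send, max_memory_records, spill_path):
        self.send = send                  # callable(record) -> True if stored
        self.max_memory = max_memory_records
        self.spill_path = spill_path
        self.memory = deque()
        self.spilled = 0                  # records currently in the spill file

    def push(self, record):
        """Store one record; returns where it ended up."""
        # Only send directly when nothing is queued ahead of this record,
        # so that session order is preserved across an outage.
        if self.spilled == 0 and not self.memory and self.send(record):
            return "sent"
        if self.spilled == 0 and len(self.memory) < self.max_memory:
            self.memory.append(record)
            return "memory"
        # Memory is full (or disk is already in use): append to the spill file.
        with open(self.spill_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(record) + "\n")
        self.spilled += 1
        return "disk"

    def drain(self):
        """Flush memory, then disk, in order; stop at the first failed send.
        Returns the number of records successfully handed to the store."""
        flushed = 0
        while self.memory:
            if not self.send(self.memory[0]):
                return flushed
            self.memory.popleft()
            flushed += 1
        if self.spilled:
            with open(self.spill_path, encoding="utf-8") as f:
                lines = [ln for ln in f if ln.strip()]
            kept = []
            for i, ln in enumerate(lines):
                if self.send(json.loads(ln)):
                    flushed += 1
                else:
                    kept = lines[i:]          # unsent tail stays on disk
                    break
            with open(self.spill_path, "w", encoding="utf-8") as f:
                f.writelines(kept)
            self.spilled = len(kept)
        return flushed


class FlakyStore:
    """Constructed stand-in for the storage server: rejects every record
    while `up` is False and keeps accepted records in `stored`."""
    def __init__(self):
        self.up = True
        self.stored = []

    def send(self, record):
        if not self.up:
            return False
        self.stored.append(record)
        return True


def simulate_outage(max_memory=2, n_records=5):
    """Push constructed records during an outage, then drain after recovery.
    Returns (placements, stored_ids, records_left_on_disk)."""
    store = FlakyStore()
    spill = os.path.join(tempfile.mkdtemp(), "spill.jsonl")
    buf = SpillingRecordBuffer(store.send, max_memory, spill)
    store.up = False
    placements = [buf.push({"id": i, "event": "rdp-frame"}) for i in range(n_records)]
    store.up = True
    buf.drain()
    return placements, [r["id"] for r in store.stored], buf.spilled


if __name__ == "__main__":
    print(simulate_outage())
```

With two memory slots and five records pushed during the outage, the first two land in memory, the remaining three on disk, and a single drain after recovery delivers all five to the store in their original order, leaving the spill file empty.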
From a forensic perspective, the availability of securely acquired and stored video records of server use is invaluable. Unauthorized access, computer abuse and other unauthorized behavior are clearly captured on proprietary video in a secured server, backed by secure licensing and auditing. Dashboards are accessible remotely and securely. While they can be viewed from a browser, access is controlled so that remote viewing is as secure as local viewing.
The web site is very well laid out and we were impressed by the availability of manuals, allowing the potential user to see what resources will be required to deploy and existing users to access the manuals, particularly the installation guide, directly. Basic support is available at no additional cost 8x5, email only, but there is a fee-based option as well at 25% of total list price per year. The web site includes an FAQ and a knowledgebase. Pricing is reasonable and deployment is quite simple. Overall, we were impressed with how far this company has come since we last looked at it, and we like how a simple concept can be turned both to operational use and good forensic practice.