Ekran System v.6.0
Help File

Table of Contents

About
System Requirements
Program Structure
Getting Started
Deployment Process
Working with Application
Server and Database
About
Database Types Comparison
High Availability Mode
About
Standard and High Availability Modes Comparison
Installing/Uninstalling/Updating the Server
Installing the Server
Backing up Ekran Master Certificate
Deleting Ekran Master Certificate
Importing Ekran Master Certificate
Installing the Server in the Cloud
Adding Server Executable to Windows Firewall
Using an External/Cloud-Based Server Computer
Updating the Server
Uninstalling the Server
Server Tray
Database Management
About
Cleanup Parameters
One-Time Cleanup
Scheduled Cleanup
Shrinking MS SQL Database
Firebird Database Optimization
Deleting the Client
Moving the Server Database
About

Moving the Server Database on the Same Computer
Moving the Server Database to Another Computer
Moving Binary Data to Shared or Local Folder
Validating Monitoring Data
About
Validating Monitoring Data Using Hash Codes
Signing Monitoring Data with Certificate
Moving the Server Database Signed with Certificate to another Computer
Advanced SIEM Integration
About
Log File Contents
Enabling Log File Creation
Log Cleanup
Management Tool
About
Management Tool Installation Prerequisites
Prerequisites Overview
Turning on Internet Information Service (IIS)
Turning on IIS for Windows 8 and Windows 7
Turning on IIS for Windows Server 2008 R2
Turning on IIS for Windows Server 2012
Installing .NET Framework
Configuring Internet Information Service (IIS)
Using Certificates
Generating Self-Signed Certificate
Exporting Self-Signed Certificate
Importing Trusted Certificate
Adding Certificate to Trusted Root Certification Authorities
Setting HTTPS Binding for a Default Web-Site
Installing/Uninstalling/Updating the Management Tool
Installing the Management Tool
Adjusting Computer for Remote Access
Updating Management Tool
Uninstalling Management Tool
Opening Management Tool
Management Tool Interface

Changing Password for Logged in User
Multi-Tenant Mode/Single-Tenant Ekran System Mode
About
User Types in Ekran System Deployed in Multi-Tenant Mode
Admin of the default tenant (Technician)
Tenant Admin
Tenant User
Tenant Management
Viewing Tenants
Adding Tenants
Editing Tenants
Resending Email to the Tenant Admin
Deleting Tenants
Switching to Tenant Account
Granting Technician Access to Tenant Account Info
Licensing
General Licensing Information
Getting Licenses by the Default Tenant Admin (Technician)
Serial Keys
About Update & Support Period
Viewing License State
Activating Serial Keys Online
Adding Activated Serial Keys Offline
Deactivating Serial Keys
License Management
Client License Management
Viewing Granted Licenses
User and User Group Management
About
Viewing Users and User Groups
User Management
Adding Users
Editing Users
Deleting Users
User Group Management
Adding User Groups

Editing User Groups
Deleting User Groups
Permissions
About
Administrative Permissions
Client Permissions
Permission Example
Management Tool Log
About
Viewing Management Tool Log
Management Tool Log Protection
Filtering and Sorting Log Data
Windows Clients
About
Monitoring via Windows Clients
Installing Windows Clients
About
Setting up Environment for Remote Installation
Windows Client Installation Prerequisites
Disabling Simple File Sharing in Windows XP
Disabling Sharing Wizard in Windows 8.1, Windows 8, and Windows 7
Checking System Services
Setting up Firewall for Windows Vista, Windows XP, and Windows Server 2003
Setting up Firewall for Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008
Installing Windows Clients Remotely via the Management Tool
About
Selecting Computers
Remote Windows Client Installation Process
Remote Installation from an Existing .INI File
Installing Windows Clients Locally
About
Windows Client Installation Package
Generating Windows Client Installation Package
Installing Windows Clients Locally with Custom Monitoring Parameters

Downloading Windows Client Installation File (.exe)
Installing Windows Clients Locally without .ini File
Installing Windows Client on Amazon WorkSpace
Installation via Third Party Software
Cloning a Virtual Machine with Installed Client
Unassigning License on Virtual Machine Shutdown
Updating Windows Clients
About
Windows Client Status after Server Update
Updating Windows Clients Automatically
Updating Windows Client Manually
Reconnecting Windows Clients to another Server
Uninstalling Windows Clients
About
Client Uninstallation Key
Uninstalling Windows Clients Remotely
Uninstalling Windows Clients Locally
Viewing Windows Clients
Windows Client Description
Windows Client Configuration
About
Client Tray Icon Parameter
Automatic Client Update Parameter
Custom Path for Client Installation Folder Parameter
Protected Mode Parameter
User Activity Recording Parameters
Offline Cache Size Parameter
Keystroke Logging Parameter
Start Monitoring on Keyword Parameter
Clipboard Monitoring Parameter
Detect system IDLE event Parameter
Register IDLE event Parameter
Monitoring Log Parameter
URL Monitoring Parameters
Application Filtering Parameters
User Filtering Parameters

Monitoring Time Filtering Parameters
Forced User Authentication Parameter
Two-Factor Authentication Parameter
Ticket Number Parameter
Additional Message on User Login Parameter
User’s Comment Parameter
Editing Windows Client Configuration
Viewing Windows Client Configuration
Forced User Authentication on Windows Clients
About
Enabling Forced User Authentication on Windows Client
Granting User Permission to Log In
Managing One-Time Passwords
About
Generating One-Time Password
Viewing One-Time Passwords
Resending the Email
Terminating One-Time Password Manually
Logging In
Logging in Using One-Time Password
Requesting One-Time Password
Logging in Using Ekran System User Additional Credentials
Login Approved by Administrator
About
Approving User Access on Login
Managing Restricted User List
Adding User to Restricted List
Deleting User from Restricted List
Defining Email Address for User Access Approval
Logging In
Privileged User Accounts
About
Adding Privileged User
Deactivating Privileged Account
Using Privileged Account
Password Vault Configuration

Informing about Monitoring
About
Enabling Displaying Additional Message
Enabling User’s Comment Option
Enabling Displaying Client Tray Icon
Logging In
Integration with Ticketing Systems
About
Enabling Ticket Number Option
Logging In
macOS Clients
About
Monitoring via macOS Clients
Installing macOS Client
About
Downloading macOS Client Installation File
Installing macOS Clients
Uninstalling macOS Clients
About
Uninstalling macOS Clients Locally
Uninstalling macOS Clients Remotely
Viewing macOS Clients
macOS Client Description
macOS Client Configuration
About
User Activity Recording Parameters
URL Monitoring Parameters
Linux Clients
About
Monitoring via Linux Clients
Installing Linux Client
About
Downloading Linux Client Installation File
Installing Linux Clients
Uninstalling Linux Clients
Viewing Linux Clients

Linux Client Description
Forced User Authentication on Linux Clients
About
Enabling Forced User Authentication on Linux Client
Granting the User Permission to Work with the Terminal
Launching the Terminal
Two-Factor Authentication for Windows Clients
About
Allowing User to Log In
Deleting User from the List
Enabling Two-Factor Authentication
Logging in Using Time-Based One-Time Password
User Blocking
About
Blocking User from Finished Session
Blocking User from Live Session
Blocking User on Alert Triggering
Blocking User on Client with Secondary Authentication
Blocked User List
Viewing Blocked User List
Removing User from Blocked User List
Client Group Management
About
Adding Client Groups
Editing Client Groups
Adding Clients to Groups
Adding Clients to Groups during Client Group Editing
Adding Clients to Groups during Client Editing
Applying Group Settings to Client
Removing Clients from Groups
Removing Clients from Groups during Client Editing
Removing Clients from Groups during Client Group Editing
Deleting Client Groups
Alerts
About
Viewing Alerts

...........................................................206 Assigning Alerts to Clients during Alert Editing .........................................................................212 About ......207 Deleting Alerts .................................................................................................................................................................................193 Alerts Management .................................................................................................................................................................................................................................................................................................................................................................................................216 Report Generator ...............................206 Assigning Alerts to Clients ...................................................................................................................................................................................................................................................212 Adding Report Rules..........................205 Editing Single Alert ......................193 Adding Alerts ...................206 Assigning Alerts to Clients during Client/Client Group Editing .......................................................................................................................................................206 Assigning Alerts to Clients during Editing Multiple Alerts .......208 Defining Global Alert Settings..................................................215 Viewing Logs ..........................................................................209 Advanced Reports.............................193 Rules ...............199 Enabling/Disabling Alerts ....................................................................................................................................................217 Creating a 
Scheduled Report Rule from the Report Generator Page ...........................................................................................................................196 About ...........................................................................205 Editing Alerts .............................................................207 Exporting Alerts ..............................................................................................................................208 Receiving Information on Alert Events ..........................210 Report Types ............................................................217 Report Parameters ..196 Rule Examples .............................................207 Exporting and Importing Alerts ..............................................................................................................................................................................................................................................................................................................................................................213 Editing Report Rules .......................................................................214 Deleting Report Rules ......................................................................................................................................................................................................................................................................................................................................... 
Default Alerts ..........................................................................................................................218 10 ..............................................................................217 Generating Report....................207 Importing Alerts ......205 Editing Multiple Alerts.............................217 About .............................214 Frequency and Time Interval for Report Creation ......................................................................................................................214 Generating Reports from the Scheduled Report Rule ............................................................................................ 210 About ...............................210 Scheduled Reports ..............................................................................................................................................................................................................................................................................................................

.................................................................232 Viewing Monitoring Results ...............226 Configuration .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................229 Defining LDAP Targets ............................................................................................................................................................................................................USB Monitoring & Blocking ..........................................................................228 Defining System Settings .................236 Session Viewer Interface ...........................................................................................................................................................................................................................................................227 Defining Player Link Settings ...................................................................................................................................................................................................228 Defining SIEM Logs ...............................................................................................233 Filtering Sessions .............................................................................................230 Automatic LDAP Target ........................................................................236 Sorting Sessions .........................................230 About ...........................................................................233 About 
.....................................................................................................................................................................................................................................228 Defining Ticketing System Integration Settings .................................237 11 ...................................................................................222 Adding USB Monitoring Rules...... 233 Session List .....234 Filtering by Specific Parameters .....222 About ...........................................................................................................................................................................................................231 Defining Server Settings ........223 Editing USB Monitoring Rules ....................224 Deleting USB Monitoring Rules ...............................236 Playing Sessions .......................................................................................................225 Viewing Device Hardware ID...234 Searching in the Session Data .......................................................................................................................................................................................................235 Export Sessions...................................................................220 Kernel-Level USB Monitoring Rules ............................................................................................ 227 Defining Email Sending Settings ..........220 Monitored Devices ..................................................230 Adding LDAP Target Manually ......................................................................................................................................................................................... 
220 About .................................................................................................................................................................................................................................................................................233 Client Sessions List.......................................................225 Defining Exceptions for USB Rules ............................................................................................................230 Editing LDAP Target ........231 Deleting LDAP Target..........................................................................................................................................................................236 About ..............................................................231 Defining Date & Time Format ...........................................

............................................253 Recent Alerts .......247 Filtering EXEC Commands ..................................................................................................................................251 Clients ...............................................................................238 Metadata Grid ..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................246 Viewing URLs .........................................................................254 12 ...................................................240 Sorting Data ..241 Windows Client Sessions ...........................................................................................................246 Playing macOS Sessions..............................................................................................................................................242 Viewing Clipboard Text Data ......................................................249 Archived Sessions .........................................................................................................................241 Live Sessions ........................................................................................248 Using Alert Viewer..............................................247 Playing Linux Sessions .................................................................244 Viewing URLs .........................................................................................245 macOS Client Sessions .........238 Getting Data URL ..250 
About ..............................................................................................................250 Viewing Archived Sessions ....................................................................................................240 Filtering Data ....................................................................................................................................................................................................................................................................................................................................................................................................................................................250 Dashboards ...........................................................250 Changing Investigated Database .......................251 Licenses ....... 251 About .......................................................................................................................................................................................................................237 Magnifier ......................................................................................................................................................................................................................................................................................................................................................242 Viewing Keystrokes.............................................................................................242 Playing Windows Sessions ..........245 Viewing Idle State .............................................................................................................................239 Player and Metadata Synchronization ..................................................................................................................243 Viewing USB Device Info .............................252 Database Usage 
Storage...........................................................................................................................................................................................248 Alert Viewer Interface ..............246 Linux Client Sessions................................251 Dashboard Types .......................................................247 Viewing Alerts ............................................................................................................................................... Session Player ..............................................................................................................................................................................................................248 About .......................................

......................................................259 Viewing Data .................................................264 Troubleshooting .....263 Validating Exported Data .......................................................281 Linux Client ..........................................................................................................................................................................281 Possible Problems with Receiving Data from Clients ...........................................................................................................................................................................................................271 Windows Client .......................281 Checking the State of the Linux Client.......................................................................................................................................................259 Applications Monitoring Chart ..................255 Sessions out of Work Hours ......265 Database/Server Related Error Messages ..........................256 Rarely Used Logins.... Latest Live Sessions .......................................................................................260 Forensic Export ..........................................................................261 Exporting Full Session .................................................................................. 259 About .................................................................................. 
265 Quick Access to Log Files ............................................................................................268 Management Tool Error Messages ...............................258 Interactive Monitoring...................................261 Exporting Multiple Sessions ....271 Viewing Monitored Data ........................................................................................................................................................................................275 Possible Problems with Receiving Data from Clients ...........................................................................................................................................................................................................................................................................266 Management Tool................................................................................................262 Playing Exported Session ..................................................................................................................................................................................................................................259 URL Monitoring Chart ....................................................................... 
261 About ...........262 Viewing Forensic Export History ...................................................................257 Customizing Dashboards ............................................................................................265 Database/Server .....................................261 Exporting Session Fragment ....................273 Checking that the Client Is Installed ............................................................................................................................................................................................................................................................273 Clients Installation/Uninstallation Issues and Error Messages ...................................................................................................................................282 13 ....................................................268 Management Tool Related Issues .....................................................................255 Rarely Used Computers ...................................................................282 Restarting Linux Client .........................................................................................................................................................................................................................................................................................................................................................................265 Database/Server Related Issues .................................................................................280 Possible USB Monitoring Problems ................................................................................................................

....................283 Data Leakage..........285 Not Work-related Activity ...............................288 14 ......................................286 Standard and Enterprise Edition Comparison Chart.................................................................................................................................................................................................................................................................................................................................................................................283 Fraud Activity ....................................................................................................................................................284 Potentially Illicit Activity ................................................................Appendix .................................. 283 Default Alerts ....................

About

Welcome to Ekran System!

Ekran System is an application that allows you to record the activity of the target computers with installed Clients and to view the screenshots from these computers in the form of video.

System Requirements

Each Ekran System component has its own system requirements. Make sure your hardware and software meet the following system requirements to avoid possible component malfunctions.

Server requirements:
• 2 GHz or higher CPU
• 4GB or more RAM
• Enterprise-level Ethernet card
• Minimum 1 Gbit/s network adapter
• Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64 platform)
• Universal C Runtime and Visual C++ Runtime (starting with Ekran System 5.5). Both can be installed via the Microsoft Visual C++ 2015 Redistributable: https://www.microsoft.com/en-gb/download/details.aspx?id=48145
NOTE: The Universal C Runtime needs to be initially installed via update KB2999226: https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows
• .Net Framework 4.5.2 or higher
NOTE: If the Server and the Management Tool are to be installed on the same computer, make sure you turn on the Internet Information Service before the installation of .Net Framework 4.5.2.
• [When using MS SQL Database]: Full edition of MS SQL Server 2008R2 SP1 or higher. Standard license or higher is required.
NOTE: If you want to deploy the Ekran System in the High Availability mode, enabled Message Queueing and configured NLB cluster are required. Please refer to the High Availability Deployment Guide for more information.

Management Tool requirements:
• 2 GHz or higher CPU
• 4GB or more RAM
• 100 Mbit/s network adapter
• Windows 10, Windows 8.1, Windows 8, Windows 7 (any edition except Home), [recommended] Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (starting from SP1 version). Both x86 and x64 platforms are supported.
• .Net Framework 4.5.2 or higher
• IIS 7.5 or higher with enabled ASP.NET 3.5 and 4.5 support (4.6 for Windows Server 2016)
• [For accessing the Management Tool locally or remotely] One of the following browsers:
  • Google Chrome 37 or higher
  • Mozilla Firefox 32 or higher
  • Internet Explorer 10 or higher
  • Safari S6 and Safari S5
  • Opera 15 or higher
NOTE: The Management Tool might be opened in other browsers, but its compatibility with other browsers is not guaranteed.

Windows Client requirements:
• 1 GHz or higher CPU
• 512 MB or more RAM
• 100 Mbit/s network adapter
• Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP SP3, Windows Server 2016, Windows Server 2012, Windows Server 2008, and Windows Server 2003 SP1. Both x86 and x64 platforms are supported.
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx
• Citrix XenDesktop, Citrix XenApp, Citrix XenDesktop/XenApp with Citrix Provisioning Services (PVS).
• It is recommended to have not less than 500MB of free space on the disk where the Client is installed to save data during the offline session.

macOS Client requirements:
• 2.26GHz Intel Core 2 Duo or higher CPU
• 2GB RAM
• 100 Mbit/s network adapter
• macOS 10.9 and later
• It is recommended to have not less than 500MB of free space on the disk where the Client is installed to save data during the offline session.

Linux Client requirements:
• 1 GHz or higher CPU
• 512 MB or more RAM
• 100 Mbit/s network adapter
• It is recommended to have not less than 500MB of free space on the disk where the Client is installed to save data during the offline session.
• Linux Kernel 2.6.32 and higher

SP3. 6.0 NOTE: When the Client is installed to the terminal server.0 CentOS 7. 15.x .0.0.x – 10. 12.0. 14. hardware requirements depend on the number of active user sessions and may increase drastically. For example.0. hardware requirements for the Client deployed on the terminal server hosting 10 active user sessions will be as follows:  Intel Core i3 or similar AMD CPU  2048 MB RAM 18 .x . SP3) RedHat RedHat 7.0 Linux Mint 17. SP2.xx – 13 openSUSE Suse Linux Enterprise Server 11(SP2.0 Ubuntu 16. 6.x Oracle Linux 7.0. Distributor Base OS Versions Supported Debian Debian 8.5. SP4).6 Sun Microsystems Solaris 11. 7. 12(SP1.
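The Linux Client minimums listed above (kernel 2.6.32 and higher, 512 MB RAM, 500 MB of free disk space) can be checked on a host before installation. The script below is an added example, not part of the Ekran System documentation or product; the function names and the install-directory argument are assumptions, since the page does not name the Client's install path.

```shell
#!/bin/sh
# Added example (not vendor code): preflight for the Linux Client minimums
# listed above: kernel 2.6.32 or higher, 512 MB RAM, 500 MB free disk space.

MIN_KERNEL="2.6.32"
MIN_RAM_MB=512
MIN_FREE_MB=500

# kernel_ok RELEASE
# Returns 0 if RELEASE (as printed by `uname -r`) is >= MIN_KERNEL,
# 1 if it is older, 2 if no version number can be parsed from it.
kernel_ok() {
    # Keep the leading numeric part and drop vendor suffixes such as
    # "-754.el6.x86_64" or "-91-generic".
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{0,2\}\).*/\1/p')
    [ -n "$ver" ] || return 2

    old_ifs=$IFS
    IFS=.
    set -- $ver;        a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $MIN_KERNEL; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs

    # Compare field by field as integers: a plain string comparison would
    # rank 2.6.9 above 2.6.32.
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
    [ "$a3" -ge "$b3" ]
}

# total_ram_mb: MemTotal from /proc/meminfo, in MB. The kernel reserves some
# memory, so a host fitted with exactly 512 MB reports slightly less.
total_ram_mb() {
    awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo
}

# free_mb DIR: space available to unprivileged users on DIR's filesystem, in MB.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# at_least VALUE MIN: integer comparison; returns 2 on empty or non-numeric
# VALUE so a failed probe is not mistaken for a pass.
at_least() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -ge "$2" ]
}

# preflight DIR: DIR is the directory the Client will be installed to
# (assumption: supplied by the caller). Returns the number of failed checks.
preflight() {
    target=${1:-/}
    failures=0
    release=$(uname -r)

    if kernel_ok "$release"; then
        echo "PASS kernel $release"
    else
        echo "FAIL kernel $release (need $MIN_KERNEL or higher)"
        failures=$((failures + 1))
    fi

    ram=$(total_ram_mb)
    if at_least "$ram" "$MIN_RAM_MB"; then
        echo "PASS RAM ${ram} MB"
    else
        echo "FAIL RAM '${ram}' MB (need $MIN_RAM_MB MB)"
        failures=$((failures + 1))
    fi

    free=$(free_mb "$target")
    if at_least "$free" "$MIN_FREE_MB"; then
        echo "PASS free space ${free} MB on $target"
    else
        echo "FAIL free space '${free}' MB on $target (need $MIN_FREE_MB MB)"
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Run only when asked to, e.g.: sh preflight.sh --run /opt
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-/}"
fi
```

The free-space figure matters for monitoring coverage: it is the buffer the Client uses to save data during an offline session, so a host that fails this check can lose recorded activity while disconnected from the Server.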

Program Structure

Ekran System is an application specially designed to control user activity remotely. Ekran System includes the following components:

• Ekran System Server (further referred to as Server): It is the main part of the Ekran System used for storing the screenshots and associated information received from the Clients. The work of the Server can be started or stopped via Server Tray.
• Ekran System Management Tool (further referred to as Management Tool): It is a central administrative unit that allows you to control and manage Clients, Users, Alerts, USB Monitoring Rules, Server database, and Serial Keys. You can have access to the Management Tool from any computer in the network without having to install it on this computer. Ekran System Session Viewer provides a usable interface for quick review of the monitored data received from the Ekran System Clients.
• Ekran System Windows Clients (further referred to as Windows Clients): Being hosted on the remote computers, Windows Clients create screenshots with the defined frequency and send them to the Server along with metadata information such as user name, host name, activity time, active window titles, application names, URL addresses, clipboard text data, keystrokes, etc. Managing the remote Windows Clients configuration and settings is performed via the Management Tool.
• Ekran System macOS Clients (further referred to as macOS Clients): Being hosted on the remote computers, macOS Clients create screenshots with the defined frequency and send them to the Server along with metadata information such as user name, host name, activity time, active window titles, application names, URL addresses, etc. Managing the remote macOS Clients configuration and settings is performed via the Management Tool.
• Ekran System Linux/Unix Clients (further referred to as Linux Clients): Being hosted on the remote computers, Linux Clients capture input/output terminal data (including all executed commands) and send this interactive data to the Server.
• Ekran System Tray Notifications application (further referred to as Tray Notifications application): This application allows receiving notifications on alert events on Clients.

Getting Started

Deployment Process

The Ekran System installation consists of several steps:

1. Installing the Server: To deploy the system, first of all you need to install the Server. The Server is used to store and process all records sent by the Clients hosted on the remote computers. During the Server installation you can select the type of the database and define administrator credentials.
NOTE: You can deploy the Ekran System in the High Availability mode, which allows you to work with multiple Server instances in the Network Load Balancer cluster. This would provide a high level of operational performance, which allows minimizing downtime and service interruptions. Please refer to the High Availability Deployment Guide for more information.
2. Completing Management Tool installation prerequisites: To install and run the Management Tool, you need to turn on the Internet Information Service on your computer, add the self-signed or trusted certificate to the Trusted Root Certification Authorities and set HTTPS binding for a default web site (or any other IIS site).
3. Installing the Management Tool: The Management Tool is used to manage Users, Clients, Alerts, and Database, as well as to view the monitored data received from Clients. Connection with the Server is required for the Management Tool to operate.
4. Activating serial keys (adding activated serial keys): To be able to receive data from the Clients, you need to license the Clients by activating purchased serial keys. You can also activate an Enterprise serial key to get access to the enterprise features of the Ekran System for an unlimited period of time.
5. Installing Clients:
• Installing Windows Clients: The Windows Clients are usually installed remotely via the Management Tool. A Windows Client can be installed on any computer in the network. Please note that several conditions have to be met for successful remote Client installation.
• Installing macOS Clients: The macOS Clients are installed locally.
• Installing Linux Clients: The Linux Clients are installed locally.
6. Installing the Tray Notifications application: The Tray Notifications application can be installed on any computer and, as long as there is connection to the Server, the Tray Notifications application displays notifications on all alert events received from Clients. For more information, see the Tray Notifications application help file.

After installing all the system components, Ekran System is considered deployed and all its features become available.

Working with Application

The work with the application includes the following options:

1. Assigning licenses to the Clients: An available license is automatically assigned to the Client (both Windows and Linux) during its first connection to the Server. If the license hasn’t been assigned to the Client, you need to assign it manually.
2. Adding Users/User Groups and defining their permissions: To allow others to work with the Management Tool, you can create new users and define their permissions in the Management Tool.
3. Adding Client Groups: Client Groups allow you to grant access to several Clients at the same time to your users without the necessity to grant them access to all the Clients.
4. Defining Client configuration and Client Group Configuration.
5. Managing Alerts: Alerts are used to notify the investigators of a specific activity (potentially harmful/forbidden actions) on the target computers with installed Clients. When the Ekran System is installed, it has a list of predefined alerts. You can create, assign, import, and export alerts.
6. Creating USB blocking rules: Kernel-level USB Monitoring allows you to detect that the USB device is plugged into the computer on which the Windows Client is installed. You can view information on the detected devices, receive notifications or block USB devices.
7. Viewing monitoring results in the Management Tool: The monitored data received from the Client computer can be viewed in the Session Viewer part of the Management Tool.
8. Receiving Alert notifications: The notifications on the alert events are received via the Tray Notifications application. The notifications are displayed in the Windows notification area.
9. Exporting sessions from the Session Viewer: You can export sessions in the encrypted form to view Client sessions on any computer, even without access to the Management Tool.
10. Generating reports: The user activity can be analysed with the help of reports generated via the Management Tool. You can schedule the reports to be generated and sent via email at the specified time or generate the reports manually via Report Generator.
11. Interactive Monitoring: The user activity can be analysed with the help of the statistic data you can generate using Interactive Monitoring. You can get detailed information on the total time that has been spent in each application/on each website.
12. Managing database: Not to run out of space on the Server computer, it is recommended to clean up or archive and clean up the database periodically, deleting old monitored data. In addition, you can remove unnecessary uninstalled Clients from the database. You can enable the database archiving and cleanup and then access the archived data any time via the Management Tool.

Server and Database

About

The Server is the main component of the system, which provides interaction between other components. The Server stores all monitored data, user accounts, and system settings in the database.

Database Types Comparison

When installing the Server, you can choose between the two types of databases (MS SQL database and Firebird database). These databases have the following differences:

Feature | MS SQL Database | Firebird Database
Free | ✘ (has a limited free version) | ✔
Processing speed | High | Low
Remote access to database | ✔ | ✘
Requires additional software installation | ✔ | ✘
Security | High | Low

NOTE: Using MS SQL Express does not guarantee the stable work of the Server.

High Availability Mode

About

The High Availability mode allows you to configure and deploy Ekran System in such a way that it can work with multiple Server instances in the Network Load Balancer cluster. This would allow balancing the load of data sent to the servers by Ekran Clients and ensure data integrity in case any of the instances goes offline for any number of reasons. Additionally, Ekran System deployed in the High Availability mode includes a special License Server, which manages Client licenses in the whole system.

NOTE: The High Availability mode is available only if you have an activated Enterprise serial key.

Standard and High Availability Modes Comparison

The Standard and High Availability modes have the following differences:

Feature | Standard Mode | High Availability Mode
Serial key types | One of the following serial keys: Permanent; Trial; Update and support | Enterprise serial key and one of the following keys: Permanent; Trial; Update and support
Database type | Firebird or MS SQL | MS SQL
Number of Servers | One | Multiple
System requirements | Standard system requirements | Standard system requirements, enabled Message Queueing, and configured NLB cluster
Additional Ekran System components | None | License Server
Additional Software | None | NLB cluster
Component connection | Physical IP address | Logical IP address
Recommended for | Average number of Client computers | Large number of Client computers

NOTE: We recommend using Windows NLB. We cannot guarantee the High Availability Mode to function with other load balancers correctly.

Installing/Uninstalling/Updating the Server

Installing the Server

To install the Server, do the following:

1. Run the EkranSystem_Components.exe installation file.

2. Click Next on the Welcome page.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Choose Components page, do one of the following and click Next:
   • In the drop-down list, select Ekran System Server.
   • Select Ekran System Server in the box.
5. On the Choose Install Location page, enter the installation path or click Browse to navigate to the Server installation folder. Click Next.
6. On the Database Type page, select the type of the database you want to use for storing data. For more information see the Database Types Comparison chapter. Click Next.
7. If you have selected MS SQL Server, on the MS SQL Server Database Configuration page, define the connection parameters and then click Next.
   • Define the MS SQL Server instance name, which is the instance name assigned to the TCP/IP port.
     NOTE: If the default instance of the MS SQL is used, then only name of the PC with the MS SQL server must be defined.
   • Define the Database name for the database.
   • Define the User name and Password of a user account via which the connection to the Server will be established.
     NOTE: You have to define either the SA credentials or the credentials of the user with the dbcreator permission.
8. If you have selected Firebird database, on the Database Location page, enter the database path or click Browse to navigate to the database installation folder. Click Next.
9. If you already have a database created during the usage of previous program versions, you will be offered to re-use it. If you want to use the existing database, click Yes. In other case, click No and the new database will be created.
   NOTE: If you click No, the existing database will be deleted.
10. On the Administrator password page, define the password for the administrator (the default user of Ekran System with login admin and full permissions). Click Next.
11. On the Client Uninstallation Key page, enter the key that will be used during the Client local uninstallation and click Next. By default, the Uninstallation key is allowed. You will be able to change this key via the Management Tool any time later.
12. Click Install.
13. The installation process starts. Its progress is displayed on the Installing page.
14. After the end of the installation process, click Finish to exit the wizard.
15. If you are installing the Server for the first time, back up EkranMasterCertificate. The backed up certificate might be required for Server recovery or during updates.
16. If you already have a backed up master certificate and re-using the database, delete the master certificate and import the backed up one instead of it.

17. In Windows Firewall, you must allow the Server executable to accept TCP connections via ports 9447 and 9449 (for the connection between the Server and the Clients), and 22713 (for the connection between the Server and the Management Tool). These rules will be added to Windows Firewall automatically if Windows Firewall is enabled during the Server installation.

Backing up Ekran Master Certificate

To back up Ekran Master Certificate, do the following:

1. On the Ekran Server computer with the certificate you want to back up, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.

5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.

7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select EkranMasterCertificate and in its context menu select All Tasks > Export.
10. The Certificate Export Wizard opens.
11. On the Certificate Export Wizard Welcome page, click Next.
12. On the Export Private Key page, select the Yes, export the private key option and click Next.
13. On the Export File Format page, select the following options:
   • Personal Information Exchange
   • Include all certificates in the certification path if possible
   • Export all extended properties
14. Click Next.

15. On the Security page, select the Password option and enter the password in the Password and the Confirm password fields. Click Next.
    NOTE: Make sure that you remember the password since you will need it when restoring the certificate or transferring it to another server.
16. On the File to Export page, specify the location to store the certificate and the certificate name manually or click Browse, and click Next.
17. On the Completing the Certificate Export Wizard page, click Finish.

NOTE: You will need the certificate for reinstalling the Server, moving it to another computer, or creating the High Availability cluster.
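The export described in "Backing up Ekran Master Certificate" can also be scripted and verified. The PowerShell below is an added example, not part of the Ekran System documentation; it assumes the certificate can be matched by EkranMasterCertificate in its subject or friendly name, and the backup path is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the Certificate Export Wizard steps.
# Assumptions: the certificate is identified by "EkranMasterCertificate" in its
# subject or friendly name; $BackupPath is a placeholder location.

$ErrorActionPreference = 'Stop'
$CertName   = 'EkranMasterCertificate'
$BackupPath = 'D:\Backup\EkranMasterCertificate.pfx'   # placeholder path

# Certificates (Local Computer) > Personal > Certificates
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*$CertName*" -or $_.FriendlyName -eq $CertName
})
if ($found.Count -ne 1) {
    throw "Expected exactly one $CertName in LocalMachine\My, found $($found.Count)."
}
$cert = $found[0]

# A backup without the private key cannot be used to restore the Server.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store."
}

# Prompt for the PFX password so it never lands in the script or shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# -ChainOption BuildChain matches "Include all certificates in the certification
# path if possible"; extended properties are exported unless -NoProperties is given.
Export-PfxCertificate -Cert $cert -FilePath $BackupPath `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Verify the backup now: reopen it with the same password and compare thumbprints.
$pfx = Get-PfxData -FilePath $BackupPath -Password $pfxPassword
if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw 'The exported PFX does not contain the expected certificate.'
}

# The PFX holds the private key: drop inherited ACLs and allow only
# Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
icacls $BackupPath /inheritance:r /grant:r '*S-1-5-32-544:F' /grant:r '*S-1-5-18:F' | Out-Null

Write-Host "Backed up $($cert.Thumbprint) to $BackupPath"
```

Export-PfxCertificate fails if the private key was not marked exportable, so a failure here is worth knowing about before the backup is needed for recovery.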

Deleting Ekran Master Certificate

To delete Ekran Master Certificate, do the following:

1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select EkranMasterCertificate and in its context menu select Delete.
10. Click Yes in the confirmation message.

Importing Ekran Master Certificate

To import Ekran Master Certificate, do the following:

1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. In the Console window, select Actions > All Tasks > Import.
10. The Certificate Import Wizard opens.
11. On the Certificate Import Wizard Welcome page, click Next.
12. On the File to Import page, click Browse and select the file with the backed up certificate. Click Next.
13. On the Private key protection page, enter the password and click Next.
14. On the Certificate Store page, select the Place all certificates in the following folder option, click Browse, and select the Personal node. Click Next.
15. On the Completing the Certificate Export Wizard page, click Finish.

Installing the Server in the Cloud

To install the server in the cloud, do the following:

1. In the cloud, install the Server in a usual way.
2. In the cloud management console, allow the Server executable to accept TCP connections via ports 9447 and 9449 (for the connection between the Server and the Clients), and 22713 (for the connection between the Server and the Management Tool).

NOTE: It is recommended to install the Server and Management Tool on the same computer.

Adding Server Executable to Windows Firewall

Please note that Windows Firewall will be adjusted automatically if it is enabled during the Server installation. If you use any other Firewall, it should be adjusted as well.

To add the Server executable to the Windows Firewall, do the following:

1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules and select New rule.

4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Program and click Next.
6. On the Program page, select This program path, then click Browse and navigate to the Server executable. The default path is "C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe". Click Next.
7. On the Action page, select Allow the connection and then click Next.

8. On the Profile page, select the profile of the network used for connecting remote computers and the Server. Click Next.
9. On the Name page, define the Name of the rule. Click Finish.
10. The rule is created for the Server application. By default, the rule allows any connections via all ports.
11. To define the protocol and ports, double-click the created rule. The Properties window opens.

12. In the Protocols and Ports tab, do the following:
   • In the Protocol Type list, select TCP.
   • In the Local port list, select Specific Ports. Type the following port numbers in the box below:
     - 9447 and 9449 (for the connection between the Server and the Clients)
     - 22713 (for the connection between the Server and the Management Tool)
13. Click Apply to save changes. Click OK.
14. Close the Windows Firewall window.

Using an External/Cloud-Based Server Computer

If your Server is not in the same network as Clients or the Management Tool, do the following:

1. Make sure your Server has a unique external IP address.
2. Specify this address when installing the Management Tool and installing the Client.

Updating the Server

The updating of the Server is performed via the installation file of a newer version. During an update you may select to update the existing database to a newer version or simply reinstall it.

NOTE: To change the type of the database, you need to reinstall the whole system.

To update the Server, do the following:

1. Run the EkranSystem_Components.exe installation file.
2. On the Welcome page, click Next.
3. On the Already Installed page, select Update/Add/Remove components and click Next.
4. On the Choose Components page, select Ekran System Server in the box and then click Next.
5. On the Database Update page, if you want to keep the existing database, select Update database to a new version, otherwise select Reinstall the database. Click Next.
6. On the Administrator password page, define the password for the administrator (the default user of Ekran System with login admin and full permissions). Click Next.
7. The update process starts.
8. After the end of the update process, click Finish to exit the wizard.
9. If you are updating Server from version lower than 5.5, back up EkranMasterCertificate.
10. If you are updating Server from version 5.5 and higher, make sure that the master certificate is correct. If necessary, import it from the backed up copy.
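The rule built in "Adding Server Executable to Windows Firewall" can be created already restricted to the three documented TCP ports, instead of being created open on all ports and narrowed afterwards. The PowerShell below is an added example, not part of the Ekran System documentation; the rule name and the chosen profiles are assumptions to adapt.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the New Inbound Rule Wizard steps.
# Assumptions: $RuleName is an arbitrary label; $Profiles must match the network
# your Clients and Management Tool actually connect from.

$ErrorActionPreference = 'Stop'
$ServerExe = 'C:\Program Files\Ekran System\Ekran System\Server\EkranServer.exe'  # documented default path
$RuleName  = 'Ekran System Server (TCP 9447, 9449, 22713)'
$Ports     = '9447', '9449', '22713'   # Clients: 9447, 9449; Management Tool: 22713
$Profiles  = 'Domain', 'Private'

if (-not (Test-Path -LiteralPath $ServerExe)) {
    throw "Server executable not found at $ServerExe; adjust the path."
}

# Remove an earlier copy of this rule so re-running does not stack duplicates.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Program + protocol + ports in one rule: nothing else is opened for the executable.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Program $ServerExe -Protocol TCP -LocalPort $Ports -Profile $Profiles | Out-Null

# Audit every enabled inbound allow rule that targets the Server executable and
# flag any that is not limited to TCP on the documented ports (for example a
# wizard-created rule left at its default of all ports).
$audit = Get-NetFirewallApplicationFilter -Program $ServerExe |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $rule  = $_
        $ports = $rule | Get-NetFirewallPortFilter
        $extra = @($ports.LocalPort | Where-Object { $_ -notin $Ports })
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Profile   = $rule.Profile
            Protocol  = $ports.Protocol
            LocalPort = @($ports.LocalPort) -join ','
            TooBroad  = ($ports.Protocol -ne 'TCP') -or ($extra.Count -gt 0)
        }
    }

$audit | Format-Table -AutoSize
```

Any row with TooBroad set to True is a rule for the Server executable that accepts more than the three listed ports and should be narrowed or removed.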

Uninstalling the Server

NOTE: Before uninstalling the Server, make sure you have uninstalled all the Clients from the remote computers. If you do not uninstall the Clients, they will remain installed on the remote computers and collect the data locally. It will be impossible to remove them in a common way.

To uninstall the Server from the local computer, do the following:

1. Run the EkranSystem_Components.exe installation file or click Uninstall/Change on the Ekran System application in the Programs and Features window of the Windows Control Panel.
2. The setup wizard opens.
3. Click Next on the Welcome page.
4. On the Already Installed page, select Uninstall and click Next.
5. On the Uninstall Ekran System page, click Uninstall.
6. If you want to delete the database, click Yes in the confirmation message. In other case, click No and you will be able to use the saved database during the next installation of the program.
7. Wait for the uninstallation process to complete.

Server Tray

The Server Tray application informs you about the Server state. This application is installed on the computer where the Server is installed. You can start/stop the Server or hide the icon from the notification area. It also automatically restarts the Server in case of its failure. The first three times the restart is performed automatically. If the Server fails for the fourth time, it does not restart. The user is informed about the Server failure in the notification area.

Database Management

About

Database management is performed via the Management Tool by the user with the administrative Database management permission. During the database management process you can delete monitoring data, delete offline or uninstalled Clients, shrink the database depending on its type, and enable using the password vault.

Two types of the cleanup operation are available:

• Cleanup: Allows deleting monitored data collected by the Clients from the database.
• Archiving & Cleanup: Allows saving the monitored data in the secure storage and then deleting it from the database. You can view the archived sessions in the Session Viewer any time.

NOTE: The Archiving & Cleanup option is available only if you have an activated Enterprise serial key.

You can configure the cleanup execution frequency as follows:

• Once: The one-time cleanup operation will be performed by click on Save.
• On schedule: The scheduled cleanup operation will be performed every few days at a specified time.

Cleanup Parameters

The following parameters are available for cleanup operation:

Parameter | Description
Parameters applied to both Cleanup and Archiving & Cleanup operations |
Leave sessions in database (days) | Sessions stored in the database longer than the defined period of time will be deleted during the cleanup process.
Client exceptions | The Clients whose monitoring data will not be deleted during the cleanup process. They are added on the Adding Exceptions page.
Parameters applied to the Archiving & Cleanup operation for Firebird database type |
Archive database location | The location of the database. NOTE: If you do not have an archive database, it will be created on Archiving & Cleanup start.
Binary data location | In case the binary data is stored separately, you have to define the binary data folder location.
Parameters applied to the Archiving & Cleanup operation for MS SQL database type |
SQL server instance | The path to the SQL server instance.
Archive database name | The name of the database. NOTE: If you do not have an archive database, it will be created on Archiving & Cleanup start.

Parameter | Description
User name and Password | Credentials of the user with access to the database.

One-Time Cleanup

To delete data from the Server once, do the following:

1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archiving & Cleanup Options tab.
4. On the Archiving & Cleanup Options tab, in the Settings section, in the Action type drop-down list, select the Cleanup option to delete the monitored data from the database or the Archive & Cleanup option to archive and then delete the monitored data.
5. In the Frequency section, select the Run once option.
6. Define the necessary parameters.
   NOTE: To check connection with the archive database before Archiving & Cleanup start, click Test Database Connection in the Archive parameters section.
7. To select the Clients whose monitoring data will not be deleted during the cleanup process, click Add Exceptions.
8. On the Adding Exceptions page, select the necessary Clients and then click Add selected. Use filters to find a specific Client.
9. When all cleanup settings are defined, click Save.
10. The cleanup process starts.

Scheduled Cleanup

To delete data from the Server on schedule, do the following:

1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archiving & Cleanup Options tab.
4. On the Archiving & Cleanup Options tab, in the Settings section, in the Action type drop-down list, select the Cleanup option to delete the monitored data from the database or the Archive & Cleanup option to archive and then delete the monitored data.
5. In the Frequency section, select the Repeat by scheduler option.
6. Define the following options:
   • Perform every (days): The frequency of the cleanup operation.
   • Start database cleanup at: The time to execute the cleanup operation.

7. Define the necessary parameters.
   NOTE: To check connection with the archive database, click Test Database Connection in the Archive parameters section.
8. To select the Clients whose monitoring data will not be deleted during scheduled cleanup process, click Add Exceptions.
9. On the Adding Exceptions page, select the necessary Clients and then click Add selected. Use filters to find a specific Client.
10. When all cleanup settings are defined, click Save.

Shrinking MS SQL Database

The database shrinking feature allows you to shrink the size of the MS SQL database to the actual amount of the data stored in it by cutting the space reserved by the database, but which is not used by it.

NOTE: The database shrinking procedure may take some time (up to several hours) and cause performance slowdown.

To shrink a database, do the following:

1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Database Options tab.
4. On the Database Options tab, click Shrink database.

NOTE: The progress of the database shrinking process is not displayed in the Management Tool and there is no indication of the process finishing.

Firebird Database Optimization

When using the Firebird database it is recommended to perform the Update statistics procedure at least every two months in order to optimize the database and increase the speed of reports generation.

To perform the Update statistics procedure, do the following:

1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Database Options tab.
4. On the Database Options tab, click Update statistics.

Deleting the Client

To delete the Client means to delete it completely from the database with cleaning up all its captured sessions. It is possible to delete only offline or uninstalled (both after local or remote uninstallation) Clients. If after deletion the Client connects to the Server again, it will appear in the Management Tool but its deleted data will be unavailable.

To delete one offline/uninstalled Client, do the following:

1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the needed offline or uninstalled Client from the list and click Edit Client.
4. On the Editing Client page, on the Properties tab, click Delete Client.
5. In the confirmation message, click Delete.
6. The Client is deleted. After this, the Client disappears from the Management Tool and its captured data is not displayed in the Session Viewer.

To delete several offline/uninstalled Clients, do the following:

1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Delete Clients.

4. The Client Deletion from Database page opens.
5. On the Client Deletion page, click Add Clients to list. It contains all Clients that can be deleted.
   NOTE: Only offline and uninstalled Clients are displayed in the list.
   To find a specific Client, enter its name in the Contains box and click Apply Filters.
6. Select the needed Clients from the list and then click Next.
7. When all Clients are selected, click Delete on the Client Deletion from Database page.
8. The Clients are deleted from the Server (with all captured sessions) and disappear from the Management Tool.

Moving the Server Database

About

Ekran System allows you to move the Server database either to another computer or to another location on the same computer.

Moving the Server Database on the Same Computer

To change the location for the MS SQL Server Database, do the following:

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Log in to the SQL Management Studio as a user with administrative permissions.

3. In the SQL Management Studio, detach the Ekran databases (select the database and in its context menu, select Task > Detach). Default names of the databases are EkranActivityDB and EKRANManagementDatabase.
4. Navigate to the location where the Ekran databases are stored. The default location is C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
5. Move the following files to another location: EkranAlphaActivityDB, EkranAlphaActivityDB_log, EKRANManagementDatabase, and EKRANManagementDatabase_log.
6. In the SQL Management Studio, reattach the Ekran databases as follows:
   • In the context menu of the Database partition, click Attach.
   • In the opened Attach Databases window, click Add and select the moved database.
   • Click OK.
7. Start the EkranServer service to continue working with the program. The Database location is changed.

To change the location for the Server Firebird database, do the following:

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Find the Database values (Database and ManagedDatabase) and see where the Database files are located on your computer.
5. Move the folder with database files to a new location.
   NOTE: The folder contains the EKRANACTIVITYDB.FDB and MANAGEMENTDATABASE.FDB files and the Cache subfolder (unless your Cache subfolder is stored in the shared folder).

6. In the Registry Editor window, modify the following values:
   • Database: Enter the full path to the EkranActivityDB.fdb file (including the file name) in its new location and then click OK.
   • Managed Database: Enter the path to the folder with Ekran database in its new location and then click OK.

7. Start the EkranServer service to continue working with the program. The Database location is changed.

Moving the Server Database to Another Computer

To move the MS SQL Server Database to another computer, do the following:

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Log in to the SQL Management Studio as a user with administrative permissions.
3. In the SQL Management Studio, detach the Ekran databases (select the database and in its context menu, select Task > Detach). Default names of the databases are EkranActivityDB and EKRANManagementDatabase.
4. Navigate to the location where the Ekran databases are stored. The default location is C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA.
5. Copy the following database and log files: EkranAlphaActivityDB, EkranAlphaActivityDB_log, EKRANManagementDatabase, and EKRANManagementDatabase_log.
   NOTE: If the binary data is stored in the shared or local folder, you have to copy it too.
6. Upload the copied files to a suitable location on the new computer with the SQL Server.
7. On the computer the MS SQL database is moved to, log in to the SQL Management Studio as a user with the administrative permissions and attach the Ekran databases as follows:
   • In the context menu of the Database partition, click Attach.
   • In the opened Attach Databases window, click Add and select the uploaded database.
   • Click OK.
8. Uninstall the Server on the original computer.
9. Install the Server:
   • If you are reinstalling the Server on the original computer, select the MS SQL database, configure the connection to the moved database, and confirm its usage.
   • If you are installing the Server on the computer with the moved database, do the following:
     - Copy the certificates from the Server installation folder on the original computer.
     - Contact the support team at support@ekransystem.com to change the HWID associated with your serial keys to a new one.
     - Reinstall all Clients.
10. Start the EkranServer service to continue working with the program. The Database location is changed.

Moving Binary Data to Shared or Local Folder

If necessary, you can store binary data received from Clients in the shared or local folder on your computer. This might be necessary for storing large amounts of data.

This feature has the following limitations:

• Shared Folders on mapped and mounted disks cannot be used for storing binary data.
• After you select to store binary data in the shared folder instead of MS SQL database, the already existing screenshots will no longer be displayed (only metadata will be available for them). The newly received screenshots will be displayed.

To move binary data to the shared folder, do the following:

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. For the Firebird database, do the following (for the MS SQL database, skip this step):
   • Open the Windows Registry Editor.
   • In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
   • Find the Database value and check where the Database files are located on your computer.
   • Move the Cache folder with binary file to a new location.
3. In the Registry Editor window, click Edit > New > String value and add a new value:
   • Value type: String
   • Value name: StorageDirectory
   • Value data: Shared Folder location as \\<computer IP>\<folder path> or \\<computer name>\<folder path>

4. To access binary data in the shared folder on a different computer from your Server, it is recommended to do the following:
   • Open Computer Management.
   • In the Computer Management window, open Services and Applications > Services.
   • In the Services pane, find the EkranServer service and select Properties in the context menu.
   • In the EkranServer Properties window navigate to the Log On tab.
   • In the Log On tab, select the This account option, specify the credentials for the EkranServer service to start under, and click Apply. Make sure the user with the specified credentials has administrator permissions on your Server computer and full access to the shared folder on the different computer.
   • Restart the service.
5. Start the EkranServer service to continue working with the program.

Validating Monitoring Data

About

If necessary, you can enable the validation of monitoring data of Windows Clients, which allows checking that data integrity in the database has not been altered. It can be enabled for both Firebird and MS SQL databases.

Two types of monitoring data validation are available:

• Calculating hash codes for monitoring data: in this case, the hash codes will be calculated for each screenshot and metadata record received from Windows Clients.
• Signing monitoring data with certificate: in this case, each screenshot and metadata record received from Windows Clients will be signed with the trusted certificate.

NOTE: If both types of validation are enabled, only signing monitoring data with certificate will be used.

With enabled validation of the monitoring data, the integrity of monitoring data within a Windows Client session is checked on the session opening via the Session Player. If some screenshots or metadata records have been deleted or modified, the warning message "Session data is not valid!" will be displayed in the Session Player.

NOTE: After the enabling validation of monitoring data, for existing sessions, that were not viewed before, screenshots will not be shown. After validation of monitoring data is enabled or validation type is changed, all previously recorded sessions of Windows Clients will be considered as invalid.

NOTE: When the validation of monitoring data is enabled, the CPU usage will rise while viewing the Client sessions in the Session Player.

Validating Monitoring Data Using Hash Codes

To enable calculating of hash codes for monitoring data, do the following:

1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > DWORD (32-bit) Value and define the following:
   • Value name: SignMonitoredData
   • Value data: 1
5. Start the EkranServer service to continue working with the program.

Signing Monitoring Data with Certificate

To enable signing of monitoring data with certificate, you have to do the following on the Ekran Server computer:

Step 1. Import the trusted purchased certificate or the self-signed one.
Step 2. Create a special string value in the Windows Registry.

Step 1. Importing Trusted Certificate

1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.

3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer: (the computer this console is running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, find the Personal node.
9. In the context menu of the Personal node, select All Tasks > Import.
10. The Certificate Import Wizard opens.
11. On the Certificate Import Wizard Welcome page, click Next.
12. On the File to Import page, specify the location and name of the certificate to be imported manually or click Browse, and then click Next.
13. If required, on the Private key protection page, enter the password for the private key and then click Next.
14. On the Certificate Store page, click Next.
15. On the last page of the Certificate Import Wizard, click Finish, and then click OK in the confirmation message.
16. Select Certificates (Local Computer) > Personal > Certificate and double-click the imported certificate.
17. In the Certificate window, select Details > Thumbprint and then copy the Thumbprint value.

Step 2. Enabling Monitoring Data Signing with Certificate
1. Stop the Server by clicking Stop in the context menu of the Server icon in the notification area or find the EkranServer service in the Task Manager and click Stop.
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem key.
4. Select Edit > New > String Value and add a new value:
• Value name: SignMonitoredDataCert
• Value data: <copied Thumbprint value of the imported certificate (without spaces)>
5. Start the EkranServer service to continue working with the program.

Moving the Server Database Signed with Certificate to another Computer
About
If you want to move the Ekran database whose monitoring data is signed with certificate to the new computer, you have to do the following:
Step 1. On the Ekran Server computer, export the certificate used for signing the monitoring data, copy it to the new computer, and then import it.

Step 2. Move the database to the new computer.
Step 3. Install the Ekran Server on the new computer and then enable signing of monitoring data with imported certificate.

Exporting Trusted Certificate
1. On the Ekran Server computer, press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window, select Certificates and click Add.
5. In the Certificates Snap-in window, select the Computer account option and click Next.
6. In the Select Computer window, select the Local computer: (the computer this console is running on) option and click Finish.
7. In the Add or Remove Snap-ins window, click OK.
8. In the Certificates (Local computer) tree-view, select Personal > Certificates.
9. Select the trusted certificate used for signing the monitoring data in the database and in its context menu select All Tasks > Export.
10. The Certificate Export Wizard opens.
11. On the Certificate Export Wizard Welcome page, click Next.
12. On the Export Private Key page, click Next.
13. On the Export File Format page, select the file format for the certificate and click Next.
14. On the File to Export page, specify the location to store the certificate and the certificate name manually or click Browse, and then click Next.
15. On the Completing the Certificate Export Wizard page, click Finish.
16. Copy the exported certificate to a suitable location on the new computer and then import it.
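The registry part of Step 2 (Enabling Monitoring Data Signing with Certificate) can be scripted so that the thumbprint is checked against the certificate store before the Server is restarted, on the original computer or on the new one after a move. This is an added example, not vendor code: the registry key, value name and service name are the ones given in the steps above, while the function names and the private-key check are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Key, value name and service name come from the
# steps above; function names and the private-key check are assumptions.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # Keep hex digits only. This drops the spaces shown in the Certificate window and
    # the invisible U+200E mark that often precedes a thumbprint copied from it.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-digit SHA-1 thumbprint, got $($clean.Length) hex digits."
    }
    return $clean
}

function Set-EkranSigningCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$RegistryPath = 'HKLM:\SOFTWARE\EkranSystem',
        [string]$ServiceName  = 'EkranServer'
    )

    $thumb = ConvertTo-CleanThumbprint -Text $Thumbprint

    # The key is expected to exist already on a computer where the Server is installed.
    if (-not (Test-Path -Path $RegistryPath)) {
        throw "Registry key $RegistryPath not found."
    }

    # The import steps place the certificate in Certificates (Local Computer) > Personal.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My."
    }

    # Assumption: signing needs the private key. A certificate exported without it
    # imports cleanly on the new computer and still cannot sign anything.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $thumb has no private key in this store."
    }

    if ($PSCmdlet.ShouldProcess($RegistryPath, "Set SignMonitoredDataCert = $thumb")) {
        Stop-Service -Name $ServiceName
        try {
            New-ItemProperty -Path $RegistryPath -Name 'SignMonitoredDataCert' `
                -PropertyType String -Value $thumb -Force | Out-Null
        }
        finally {
            # Start the service again even if the registry write failed.
            Start-Service -Name $ServiceName
        }
    }

    # Read the value back so it can be compared with the store entry.
    $current = Get-ItemProperty -Path $RegistryPath -Name 'SignMonitoredDataCert' `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Thumbprint    = $thumb
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        RegistryValue = $current.SignMonitoredDataCert
    }
}

# Dry run: validates the thumbprint and the store entry without touching the service.
# Set-EkranSigningCertificate -Thumbprint '<Thumbprint value copied in step 17>' -WhatIf
```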

NOTE: The Advanced SIEM Integration functionality is available only if you have an activated Enterprise serial key. Session Player URL. activity Name = title. remote IP. 54 . the log file name is EventLog and it is stored in the Server installation folder.Server and Database Advanced SIEM Integration About Advanced SIEM integration provides the ability to create a separate log file in one the following formats: . EkranClientEvent keystrokes.Common Event Format (CEF): can be viewed and analysed by the Splunk or ArcSight monitoring software . Session Player URL. Session cat = ClientEvents Player URL. keystrokes. URL. Alert events EventID = 200 Windows Client alert events: alert Device Event Class ID = ID. command. Client name. function.Log Event Extended Format (LEEF): can be viewed and analysed by the IBM QRadar monitoring software When SIEM integration is enabled. parameters. application name. Log File Contents Depending on the defined log settings. alert/USB Rule. alert name. CEF header information LEEF header information Log data Client events Device Event Class ID = EventID = 100 Windows Client events: username 100 (with the secondary username). application name. IPv6. Linux Client events: username. Client name. activity time. IPv6. activity title. 200 Cat = AlertEvents username (with the secondary username). By default. Cat = ClientEvents Client name. alert description. IPv4. OS. the log file will be created on the Ekran Server computer. domain name. alert. activity Name = EkranAlertEvent time. URL. different types of monitoring data can be written to the log file. activity time. IPv4. OS.

EkranMTLogEvent cat = MTLogEvents Enabling Log File Creation To enable the creation of a log file. user Cat = MTLogEvents groups. do the following: 1. remote IP. 6. Select the log file format: CEF log or LEEF log. category. 55 . Log Cleanup Depending on the defined log cleanup settings. 5. Define the log settings. Management Tool Log Events Device Event Class ID = EventID = 300 Management Log entry ID. alert name. object. domain name. IPv4. Linux Client alert events: alert ID. 3. OS. activity time.Server and Database cat = AlertEvents OS. Click the Configuration navigation link to the left and open the SIEM Integration tab. Client name. Log in to the Management Tool as a user with the administrative Database management permission. IPv6. or minutes. alert description. During the log cleanup operation the current log file is renamed (the date and time of the cleanup operation is added to its name) and a new one is created in the same folder. parameters. NOTE: Not to run out of space on the computer where the log files are stored. action. Select the Create a log file option to enable creating a log file. If a log file achieves its maximum size before the cleanup start time. hours. 300 Ekran System username. 4. IPv6. 2. Session Player URL. Click Save. IPv4. function. time. username. the cleanup operation can be performed either daily at a specified time or every few days. it also will be renamed. command. Name = details. it is recommended to check the used disk space periodically and delete the log files that are no longer in use.
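A consumer of the CEF log can use the header values listed above (Device Event Class ID 100, 200 and 300 with their Name and cat values) to split records by type and to reject records whose header and cat disagree. The parser below is an added example, not vendor code; the sample records, the vendor and product strings and every extension key other than cat are constructed.

```powershell
# Added example. Class IDs, Name values and cat values come from the table above;
# the sample records and all other extension keys are constructed.
$EkranClasses = @{
    '100' = @{ Name = 'EkranClientEvent'; Cat = 'ClientEvents' }
    '200' = @{ Name = 'EkranAlertEvent';  Cat = 'AlertEvents'  }
    '300' = @{ Name = 'EkranMTLogEvent';  Cat = 'MTLogEvents'  }
}

function ConvertFrom-EkranCefLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)

    # Skip blank lines and anything without a CEF header (a syslog prefix may precede it).
    $start = $Line.IndexOf('CEF:')
    if ($start -lt 0) { return $null }

    # Seven header fields end at unescaped pipes, i.e. pipes preceded by an even
    # number of backslashes. Whatever follows the seventh pipe is the extension.
    $pipe  = [regex]'(?<=(?<!\\)(?:\\\\)*)\|'
    $parts = $pipe.Split($Line.Substring($start + 4), 8)
    if ($parts.Count -lt 7) { return $null }   # truncated record

    # Extension: key=value pairs; a value runs until the next " key=" or end of line.
    $ext = @{}
    if ($parts.Count -eq 8) {
        $pairs = [regex]::Matches($parts[7],
            '(?<k>\w+)=(?<v>(?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)')
        foreach ($m in $pairs) {
            $ext[$m.Groups['k'].Value] = $m.Groups['v'].Value -replace '\\([=\\])', '$1'
        }
    }

    $classId = $parts[4]
    $known   = $EkranClasses[$classId]
    [pscustomobject]@{
        ClassId    = $classId
        Name       = $parts[5]
        Severity   = $parts[6]
        Extension  = $ext
        # True only when ID, Name and cat form one of the three documented combinations.
        Consistent = [bool]($known -and $known.Name -eq $parts[5] -and
                            $known.Cat -eq $ext['cat'])
    }
}

function Get-EkranAlertRecords {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $rec = ConvertFrom-EkranCefLine -Line $line
        if ($null -eq $rec) { continue }
        if (-not $rec.Consistent) { Write-Warning "Header/cat mismatch: $line" }
        if ($rec.ClassId -eq '200') { $rec }   # alert events only
    }
}

# Constructed sample records.
$sample = @(
    'CEF:0|ExampleVendor|ExampleProduct|6.0|100|EkranClientEvent|3|cat=ClientEvents suser=CORP\\jdoe msg=Opened report.docx in Word',
    'Jan 12 10:03:11 srv01 CEF:0|ExampleVendor|ExampleProduct|6.0|200|EkranAlertEvent|7|cat=AlertEvents suser=CORP\\jdoe msg=Rule a\=b matched',
    'CEF:0|ExampleVendor|ExampleProduct|6.0|300|EkranMTLogEvent|3|cat=AlertEvents msg=User edited',
    ''
)
Get-EkranAlertRecords -Lines $sample |
    Format-List ClassId, Name, Severity, @{ n = 'Message'; e = { $_.Extension['msg'] } }
```

With the constructed input, the second record is returned as an alert and the third record raises a mismatch warning because class 300 carries cat=AlertEvents.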

Management Tool
About
The Management Tool is the component for managing the whole system and viewing monitored data received from Clients. It can be installed on any computer, but a network connection to the Server is required for the Management Tool to operate. There can be several computers with the installed Management Tool in the system. The work with the Management Tool is performed via your browser.

Management Tool Installation Prerequisites
Prerequisites Overview
The following prerequisites are necessary for successful installation of the Management Tool. To be able to install the Management Tool, you need to:
1. Turn on the Internet Information Service.
2. Install .NET Framework.
3. Configure the Internet Information Service.
4. Generate a self-signed certificate or import a purchased SSL certificate issued for the computer on which the Management Tool will be installed.
5. Add the certificate to the Trusted Root Certification Authorities on the computer on which the Management Tool will be installed. Otherwise a certificate error will be displayed in your browser when opening the Management Tool.
6. Set HTTPS binding for a default web site (or any other IIS site).
For Windows 7, it is important that you follow these steps in the correct order.
NOTE: If you already have a certificate generated for the computer on which the Management Tool will be installed, you can skip certificate generation step and use an existing certificate.

Turning on Internet Information Service (IIS)
Turning on IIS for Windows 8 and Windows 7
To turn on the Internet Information Service for Windows 8 and Windows 7 do the following:
1. Select Control Panel > Programs and Features (Program uninstallation).
2. Click the Turn Windows features on or off navigation link.
3. The Windows Features window opens.
4. In the features tree-view, select the Internet Information Services option.
5. Click OK.

Turning on IIS for Windows Server 2008 R2
To turn on the Internet Information Service for Windows Server 2008 R2, do the following:
1. In the Start menu, select All Programs > Administrative Tools > Server Manager.
2. In the navigation pane, select Roles, and then click Add Roles.
3. The Add Roles Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Server Roles page, select Web Server (IIS), click Next, and then go to the Role Services page to start configuring Web Server (IIS).

Turning on IIS for Windows Server 2012
The Internet Information Service can be turned on using the Windows PowerShell or Windows Server 2012 Server Manager.
To turn on the Internet Information Service for Windows Server 2012 using Windows PowerShell, do the following:
1. In the Start menu, select Windows PowerShell.
2. Enter the following command and press Enter:
Install-WindowsFeature Web-Server, Web-Mgmt-Tools
To turn on the Internet Information Service for Windows Server 2012 using Server Manager, do the following:
1. In the Start menu, select Server Manager.
2. In the navigation pane, select Dashboard, then click Manage > Add roles and features.
3. The Add Roles and Features Wizard opens.
4. On the Before You Begin page, click Next.
5. On the Installation type page, select Role-based or feature-based installation, and then click Next.
6. On the Server Selection page, select Select a server from the server pool, select your server from the Server Pool list, and then click Next.
7. On the Server Roles page, select Web Server (IIS), click Next and then click Add Features to start configuring Web Server (IIS).

2 on other Windows versions.5. NET-Framework-45-ASPNET.5.  Internet Information Services > World Wide Web Services > Application Development Features > ASP. Web-Asp- Net45. 61 . Enter the following command and press Enter: Install-WindowsFeature .aspx?id=42642 and run the installation file on your computer.NET 4. 2.2 using Windows PowerShell. on Windows Server 2012. Web-ISAPI-Ext. Windows Server 2012.1.  Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content.6 Advanced Services.2 and configure Internet Information Service (IIS) for Windows Server 2012 using Windows PowerShell.NET Framework 4.NET Framework 3. Windows Server 2008. Web-ISAPI-Filter Configuring Internet Information Service (IIS) Windows 10 Make sure that all the following options are selected in the Windows Features window and then click OK:  .NET Framework 4. do the following: 1.NET Framework Windows 10 and Windows Server 2016 usually have . you can download it from the Microsoft official website http://www.microsoft. Alternatively. Windows 8.5 and . To install . Windows 7.NET Framework 4. you can install . If you are using Windows 8.5. In the Start menu. or if there is no .NET 3.  Internet Information Services > Web Management Tools > IIS Management Console.6.NET Framework 4.NET-Framework-Core.5 and ASP.Management Tool Installing .com/en- us/download/details.NET Framework 4.6 installed. select Windows PowerShell.

Windows 8
Make sure that all the following options are selected in the Windows Features window and then click OK:
• .NET Framework 3.5 and .NET Framework 4.5 Advanced Services.
• Internet Information Services > Web Management Tools > IIS Management Console.
• Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET 3.5 and ASP.NET 4.5.
• Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content.

Windows 7
Make sure that all the following options are selected in the Windows Features window and then click OK:
• Internet Information Services > Web Management Tools > IIS Management Console.
• Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET.

6.NET Framework 4.5 (Installed) > ASP. make sure that the following options are selected:  Management Tools > IIS Management Console. Windows 1. Click Next.NET 4. In the Add Roles and Features Wizard window. On the Role Services page.NET 4. 2. on the Role Services page. on the Server Server 2012 Roles page.  . Click Next and then click Add Required Role Services. make sure that the following options are selected:  .NET Framework 3. Click Next and then click Install. Server 2008 make sure that the following options are selected:  Common HTTP Features > Static Content. select the ASP.NET. On the Features page. click Next. 3. 63 . On the Web Server Role IIS page. On the Role Services page. 4. make sure that the Web Server (IIS) option is selected and then click Next. Windows 3.5. 4. 7. click Close.5. 5.NET Framework 3. In the Add Roles Wizard window. After the end of installation.5 Features (Installed) > .Management Tool  Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content. 5.5 option (under Application Development).  Application Development > ASP.

NET Framework 3.6 3. 5. select the ASP. 2.NET 4. make sure that the following options are selected:  . Click Next and then click Add Features. make sure that the Web Server (IIS) option is selected and then click Next. 9. make sure that the following options are selected: 64 . Click Next and then click Add Features. on the Server Server 2016 Roles page.6 and ASP. 4.NET Framework 4.6 Features > . On the Role Services page.Management Tool 6.NET Framework 4. 8.NET Extensibility 4. Windows 1. After the end of installation.5 > ISAPI Extensions > ISAPI Filters. Click Next. click Next.5  .5 > ASP > NET 4. On the Web Server Role IIS page. make sure that the following options are selected:  Application Development > . Click Next and then click Install.NET 4. On the Role Services page.5 Features > .NET Framework 3. click Close. In the Add Roles and Features Wizard window. 6. 7. On the Role Services page.6 option (under Application Development). On the Features page. 7.

• Application Development >
  • .NET Extensibility 4.6
  • ASP.NET 4.6
  • ISAPI Extensions
  • ISAPI Filters
8. Click Next and then click Install.
9. After the end of installation, click Close.

Using Certificates
Generating Self-Signed Certificate
To generate a self-signed certificate on the computer on which you will install the Management Tool, do the following:
1. Open the Internet Information Service Manager:
• For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
• For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Create Self-Signed Certificate. The Create Self-Signed Certificate window opens.
5. Enter the name for a certificate in the Specify a friendly name for the certificate box and select Personal in the Select a certificate store for the new certificate drop-down list.
6. Click OK.
7. The certificate is created.

Exporting Self-Signed Certificate
To export self-signed certificate, do the following:
1. In the Internet Information Service Manager, on the Server Certificates pane, select the generated certificate and click Export on the Actions pane or in the certificate context menu.
2. In the Export Certificate window, define the location and password for the certificate.
3. Click OK.
4. The certificate is exported and can be added to the Trusted Root Certification Authorities.

Importing Trusted Certificate
To import a purchased certificate issued for the computer, do the following:
1. Open the Internet Information Service Manager:
• For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
• For Windows Server 2012 or 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Click the main node in the Connections tree-view and then double-click the Server Certificates item under the IIS category.
3. The Server Certificates pane opens.
4. On the Actions pane (to the right), click Import.

5. In the Import Certificate window, click the Browse button to browse for the file of the
purchased certificate and enter its password in the Password field.

6. Click OK.
7. The certificate is imported and displayed on the Server Certificates pane of the Internet
Information Services (IIS) Manager.

Adding Certificate to Trusted Root Certification Authorities
Before adding the self-signed certificate to the Trusted Root Certification Authorities, it should
be exported. For purchased certificates that were issued for your computer this procedure is
not needed.

To add the certificate to the Trusted Root Certification Authorities, do the following:
1. Press Windows+R, type mmc in the Run text box and press Enter.
2. In the opened User Account Control window, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.

4. In the opened Add or Remove Snap-ins window, select Certificates > Add.

5. In the opened Certificates snap-in window, select Computer account and click Next.

6. In the opened Select Computer window, select Local computer: (the computer this console
is running on) and click Finish.

7. In the Add or Remove Snap-ins window, click OK.

8. In the Console window, expand the Certificates (Local computer) node.
9. In the Certificates (Local computer) tree-view, find the Trusted Root Certification
Authorities node.

10. In the context menu of the Trusted Root Certification Authorities node, select All Tasks >
Import.

11. The Certificate Import Wizard opens.
12. On the Certificate Import Wizard Welcome page, click Next.
13. On the File to Import page, click Browse to find the certificate to be imported and then click
Next.

14. On the Private key protection page, enter the certificate password and then click Next.

15. On the Certificate Store page, click Next.

16. On the last page of the Certificate Import Wizard, click Finish.
17. In the confirmation message, click OK.
18. The certificate is imported and is displayed in the Console window in the Certificates node.
Please note that the Issued To field contains the name of the computer on which the
Management Tool will be installed in the format that will be used when opening the
Management Tool.

19. Close the Console window.

Setting HTTPS Binding for a Default Web-Site
To set HTTPS binding for a default web-site, do the following:
1. Open the Internet Information Service Manager:
• For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.
• For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.
NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.
2. Expand the node with the name of the target computer in the central pane.
3. Expand the Sites node.
4. Select the Default Web Site.
NOTE: If there is no such site in the Internet Information Services (IIS) Manager of your computer, you can select any other site (the name of the site does not matter).
5. Click the Bindings navigation link to the right.
6. The Site Bindings window opens.
7. If there is no binding of HTTPS type in the Site Bindings window, click Add.
8. The Edit Site Binding window opens.
9. In the Type box, select https.
10. Next to the SSL certificate drop-down list, click Select.
11. The Select Certificate window opens, where the list of existing certificates is displayed.
12. In the Select Certificate window, select the certificate generated for the Management Tool and then click OK.
13. In the Add Site Binding window, click OK.
14. In the Site Bindings window, click Close.
15. Now the Internet Information Service is fully adjusted and you can start installing the Management Tool.

Installing/Uninstalling/Updating the Management Tool
Installing the Management Tool
To install the Management Tool, do the following:
1. Run the EkranSystem_ManagementTool.exe installation file.
2. On the Welcome page, click Next.
3. Carefully read the terms of the End-User License Agreement and click I Agree.
4. On the Connection Settings page, do the following and then click Next:
• In the Server address box, enter the name or IP address of the computer on which the Server is installed.
• In the URL address field enter the folder where the Management Tool will be located within IIS. This URL will be used when opening the Management Tool.
5. On the Choose Install Location page, enter the destination folder in the corresponding field or click Browse and in the Browse For Folder window, define the destination folder. Click Install.
6. The installation process starts. Its progress is displayed on the Installing page.
7. After the end of the installation process, click Close to exit the wizard.
8. The Management Tool is displayed as an application of a default web site or any other site with https connection in the Internet Information Services (IIS) Manager.
9. Now you can open the Management Tool via your browser from the same computer or a remote one.

Adjusting Computer for Remote Access
If you want to open the Management Tool from the computer different from the one where the Management Tool is installed, you need to adjust Firewall settings to be able to access this computer. If the users access Management Tool only from computers where it is installed, there is no need to configure Firewall.
To adjust Firewall on the computer where the Management Tool is installed, do the following:
1. In the Control Panel, select System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, right-click Inbound Rules and select New rule.
4. The New Inbound Rule Wizard opens.
5. On the Rule Type page, select Predefined and then select Secure World Wide Web Services (HTTPS) in the list. Click Next.
6. On the Predefined Rules page, select the World Wide Web Services (HTTPS Traffic-In) option. Click Next.
7. On the Action page, select Allow the connection. Click Finish.
8. The new inbound rule for Firewall is created.

Updating Management Tool
To update the Management Tool, do the following:
1. Run the Management Tool installation file (EkranSystem_ManagementTool.exe) of a newer version.
2. On the The program is already installed page, select Update and then click Next.
3. Follow the installation instructions.
4. The Management Tool will be updated to the new version.

Uninstalling Management Tool
To uninstall the Management Tool, do the following:
1. Open the Programs and Features window of the Windows Control Panel.
2. In the Programs and Features window, find the Ekran System Management Tool application.
3. In the context menu of the application, select Uninstall.
4. The setup wizard opens and starts the uninstallation process.
5. When the process is completed, click Close to exit the setup wizard.
6. The Management Tool is uninstalled and removed from the Internet Information Service (IIS).

Opening Management Tool
To open the Management Tool, do the following:
1. Open the browser and enter https://<name of the computer or IP on which the Management Tool is installed>/<URL address that has been specified during the Management Tool installation> in the address line. For example, https://john-pc/MyMonitoringSystem.
NOTE: If the certificate is not added to the Trusted Root Certification Authorities or the name of the computer entered in the browser address does not match the subject (Issued To field) of the certificate, your browser will display a certificate error when opening the Management Tool.
2. The Management Tool opens.
3. Enter the credentials of the existing user added to the system:
• For an internal user, enter the login and password defined during user creation.
• For a Windows user, enter the login in the form <domain name>\<user name> and Windows authentication password.
Please note, if the Active Directory user group has been added to the system, the users belonging to it can login using their Windows credentials.
4. To save your login for the next authorization, select the Remember me on this computer check box.
The Management Tool Home page opens.
If you encounter any problems when opening the Management Tool, see the Troubleshooting chapter.
Please note, since IIS is not used constantly and its processes are stopped and restarted on the connection, the Management Tool may take a while to launch on first connection.
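The NOTE in the opening steps names two causes of the browser certificate error: the certificate is not trusted, or the host name in the address does not match the Issued To field. The check below tests both for the certificate selected in the HTTPS binding before users hit the error. It is an added example, not vendor code; the function name and its parameters are assumptions.

```powershell
# Added example (not vendor code). Function and parameter names are assumptions.
function Test-ManagementToolCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,  # certificate selected in the HTTPS binding
        [Parameter(Mandatory)][string]$HostName     # host part typed in the browser, e.g. john-pc
    )

    # Normalise a thumbprint copied from the Certificate window (spaces, hidden marks).
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "Certificate $thumb not found in Cert:\LocalMachine\My." }

    # Names the certificate was issued to: the common name plus its DNS names.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $names  = @($cert.GetNameInfo($nameType, $false))
    $names += @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $names  = @($names | Where-Object { $_ } | Select-Object -Unique)

    $nameMatches = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) {
            $nameMatches = $true            # string -eq is case-insensitive
        }
        elseif ($n.StartsWith('*.') -and $HostName.Contains('.')) {
            # A wildcard name covers exactly one leftmost label.
            if ($HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1)) {
                $nameMatches = $true
            }
        }
    }

    # Build the chain the way a client on this computer would. A self-signed
    # certificate that was never added to Trusted Root fails with UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        IssuedTo      = $names
        NameMatches   = $nameMatches
        ChainTrusted  = $trusted
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status })
        InTrustedRoot = [bool](Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
                               Where-Object { $_.Thumbprint -eq $thumb })
    }
}

# Test-ManagementToolCertificate -Thumbprint '<thumbprint of the bound certificate>' -HostName 'john-pc'
```

Run it on the computer where the Management Tool is installed; a remote computer that opens the Management Tool needs the same trust in its own store.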

Management Tool Interface
The Management Tool interface is divided into the following areas:
• Navigation pane
• Data View pane
• Filtering pane
• Toolbar
Panes
The Navigation pane
The Navigation pane allows you to navigate between different sections of the Management
Tool and consists of the following navigation links:
• Home: Opens the page on which dashboards are displayed, containing information on
the system state, recent user activity, and any suspicious user behaviour.
• Monitoring Results: Opens the page on which the user can view the list of all Client
sessions received from Clients the user has the View monitoring results permission for,
and export these sessions.
• Forensic Export History: Displays the list of sessions exported via Forensic Export. A user
can download any exported session and validate the already exported session.
• Report Generator: Opens the Report Generator page on which the user can generate
the report of the required type by defined parameters and then save it or print it.
• Interactive Monitoring: Opens the Interactive Monitoring page on which the user can
view statistical data on user activity displayed in two column charts (Applications
Monitoring and URL Monitoring).
• Client Management: Displays the information about all Clients in the system. The
number of Clients displayed on the page depends upon permissions given to users that
log in to the Management Tool. Additionally, the user can navigate to the Blocked User
list from the Client Management page.
• User Management: Displays the information about all Users in the system and is
available to users that have the User management permission.
• Access Management: Opens the Access Management page on which the user can
manage Two-Factor Authentication keys, One-Time Passwords, and Restricted Users.
• Alert Management: Displays the information about alerts assigned to your Clients.
• Kernel-level USB monitoring: Displays the list of all USB monitoring rules for all the
Clients in the system and is available to users with the administrative Client installation
and management permission.
• Scheduled Reports: Opens the Scheduled Reports page on which the user can view and
manage report generation rules, and view rule logs.
• Database Management: Opens the page on which the user with the Database
management permission can perform archiving and cleanup of the Database.
• Serial Key Management: Displays the information about your Serial key, contains
key activation/deactivation options, and is available to users that have the Serial keys
management permission.
• Configuration: Opens the page on which the user can define the Email sending settings,
Player link settings, System settings, Log settings, Ticketing system integration settings,
LDAP Targets, Date & Time Format, and Server settings.
• Management Tool Log: Contains information on all user actions performed in the
Management Tool.
• Diagnostics: Provides quick access to Server and Management Tool log files for users
that have the Database management permission.
The Data View pane
The Data View pane contains a grid with the information about your Clients, Users, Alerts,
database, and Serial keys.
The Filtering pane
The Filtering pane allows you to filter the Clients, Users, and Alerts by keywords of their names
and hide offline/online/uninstalled/licensed/Windows/macOS/Linux Clients.
Toolbar
The Toolbar of the Management Tool allows you to perform basic actions with Clients, Users,
and Alerts. The options of the Toolbar are the following:
• For Client Management: Add Client Group, Install Clients, Manage Licenses, Edit
Uninstallation Key, Uninstall Clients, Delete Clients, Blocked User List, and One-Time
Passwords.
• For User Management: Add User and Add User Group.
• For Alert Management: Add Alert, Manage Multiple Alerts, Export Alerts, Import Alerts,
and Global Alert Settings.
• For Kernel-Level USB Monitoring Management: Add Rule.
• For Scheduled Reports: Add Rule.
• For Forensic Export: Validate Export Results.

Changing Password for Logged in User
Internal users, including the Built-in administrator, can change their passwords after logging in
to the Management Tool. This action is not available for Active Directory users.

To change your password, do the following:
1. Click your user name in the upper right corner of any Management Tool page.

2. The Manage account page opens.
3. In the Current password box, type your current password.
4. In the New password box, type the new password.
5. Re-enter the password in the Confirm password box.
6. Click Change password.

7. Your password is changed. You will need to use it during the next log in.

Multi-Tenant Mode/Single-Tenant Ekran
System Mode
About
By default, Ekran System is installed in the Single-Tenant mode, so all Clients and settings are
shared with all users according to their permissions.
If necessary, you can use the Ekran System in the Multi-Tenant mode. In this mode, all tenant
users have access to their tenant Clients, but they have no access to other tenants’ Clients,
configurations, alerts, reports, etc.
NOTE: If you update the Ekran System to version 6.0 from a version without tenants, the
built-in default tenant will be created and all users, Clients and licenses will be assigned to it.

User Types in Ekran System Deployed in Multi-Tenant Mode
There are three types of users in the Multi-Tenant mode.
NOTE: Tenant admins or users can see only the information belonging to their tenant.

Admin of the default tenant (Technician)
Technicians are able to perform the following actions:
• Manage serial keys (activate/deactivate serial keys and grant licenses to tenants)
• Manage Tenants:
  o View
  o Add
  o Edit
  o Delete
• Download Server and Management Tool log files
• Configure all custom settings
• Act as the tenant admin for the default tenant

Tenant Admin
Tenant Admin is the account created by the technician during tenant creation. Tenant Admins
are able to perform the following actions:
• Manage tenant users and define their permissions
• Manage user groups containing tenant users
• Generate Client installation packages (and view the automatically generated token for
manual definition during the Offline Client installation)

• Manage Client Groups (for tenant’s Clients)
• Edit uninstallation key (for tenant’s Clients)
• Manage alerts
• Manage kernel-level USB monitoring rules
• Assign licenses from the license pool provided by the technician to Clients
• Manage blocked and restricted users
• Allow users to use time-based one-time passwords and one-time passwords
• View, export, and download sessions of tenant’s Clients and validate the export results
• Use Interactive Monitoring to view statistical information on tenant’s Clients
• Generate reports with data received from tenant’s Clients, schedule report generation
• View the Management Tool Log for tenant users and admins
• View and manage dashboards

Tenant User
Tenant User is able to perform the same actions as the Tenant Admin according to granted
permissions.


Tenant Management

Viewing Tenants
The Tenants are displayed on the Tenant Management page in the Management Tool. The list of Tenants contains the following information:
• Tenant Name
• Tenant Admin
• Description
• Tenant Key
On the Tenant Management page, you can add new Tenants and edit existing Tenants (including deletion).

Adding Tenants
To add a new tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Add Tenant.
4. On the Tenant Settings tab, define the tenant name and the description.
5. You can register the tenant admin via email or select an admin from the domain users.
6. To register the tenant admin via email or select the tenant admin from the domain users, select the corresponding option and do the following:
• For registering the tenant admin via email, define the email of the tenant admin. The email with credentials will be sent to the tenant admin.
• For selecting the tenant admin from the domain users, select the domain and user from the drop-down lists.
7. On the Licenses tab, enter the number of licenses of each type to be granted to the tenant.
8. Click Finish.
9. The tenant is added and displayed on the Tenants page.

Editing Tenants
To edit an existing tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Edit Tenant for the required tenant.
4. Edit tenant properties on the corresponding tabs in the same way as when adding a new tenant. If the user unassigned the licenses, they will return to the license pool.
5. The tenant is edited.

Resending Email to the Tenant Admin
If you need to change the tenant admin or the tenant admin forgot the password, you can resend an email.
NOTE: If the tenant admin is a domain user, this feature is unavailable.
To resend email with credentials to the tenant admin, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Edit Tenant for the required tenant.
4. On the Tenant Settings tab, click Resend Email.
5. The email with a new password is sent.

Deleting Tenants
Deleting a tenant means that a tenant admin will not be able to use the system and all data and users. If you delete the tenant when its admin is logged in the Management Tool, the Management Tool will become unavailable to the tenant admin at once and none of its pages will be displayed.
NOTE: If the tenant has at least one Client, it cannot be deleted.
To delete a tenant, do the following:
1. Log in to the Management Tool as a user with the administrative Tenant management and system configuration permission.
2. Click the Tenant Management navigation link to the left.
3. On the Tenants page, click Edit Tenant for the required tenant.
4. On the Tenant Settings tab, click Delete Tenant.
5. In the confirmation message, click Delete.
6. The tenant is deleted.

Switching to Tenant Account
NOTE: This action is available only for tenants with the enabled Grant access to the tenant account option.
1. Log in to the Management Tool as a user with the administrative Tenant management and system configuration permission.
2. Click the Tenant Management navigation link to the left. The Tenants page opens.
3. Select the necessary tenant account from the Tenants list, and then click the Switch to link. The Grant access to tenant account option for the tenant account must be enabled.
4. You will be logged out and automatically logged in as the selected tenant admin.
5. In the Management Tool, you can see and perform all actions available for the selected tenant account.
6. To switch back to the technician account, log off and log in with your credentials.

Granting Technician Access to Tenant Account Info
By default, only tenant users have access to the tenant data. If you need to grant access to the technician, you can do this. After getting access, the technician can log in under the tenant admin account and will be able to perform all actions as tenant admin.
To grant access to tenant account info, do the following:
1. Log in to the Management Tool as a tenant admin.
2. Click the Configuration navigation link to the left.
3. The Configuration page opens.
4. On the Settings tab, select the Grant access to tenant account option and click Save.
5. In the warning message, click OK.
6. The access to tenant account has been provided to the technician. Now the technician can log in and view as the tenant admin.

Licensing

General Licensing Information
To start receiving information from the Clients, you have to assign licenses to them. Each Client can have only one license assigned. During the first connection to the Server, the license corresponding to the Client computer operating system is automatically assigned to a Client. If the license has not been automatically assigned, then you will have to assign the license to the Client manually.
Five types of licenses are available:

License | OS | Required additional configuration | Number of recorded concurrent sessions
Workstation Client | Windows desktop OS, macOS | - | 1
Infrastructure Server Client | Windows Server | - | 2
Terminal Server Client | Windows Server | installed Remote Desktop Services/Terminal Services or Citrix Server or Published App | unlimited
Cloud Server Client | Windows Server | Server deployed on Microsoft Azure or Amazon Web Services | 2
Linux/UNIX Server Client | Linux, Oracle Solaris, IBM AIX | - | unlimited

NOTE: Licenses of the workstation type cannot be assigned to a computer with Server OS.

Getting Licenses by the Default Tenant Admin (Technician)

Serial Keys
When you log into the Management Tool for the first time, you can request a trial serial key which allows you to use 3 Workstation Client licenses, 3 Linux/UNIX Server Client licenses, and 1 Terminal Server Client license for 30 days. The trial serial key will be sent to the email address you specify in the request form. To use the system permanently and with a greater number of licenses, you have to license it with purchased serial keys on a computer with the installed Server.
Five types of serial keys are available:
• Permanent serial keys: These keys allow you to use the licenses they contain for an unlimited period of time.
• Trial serial keys: These keys allow you to use the licenses they contain for 30 days (may vary) from activation and update the product during this period.
• Update and Support serial keys: These keys allow you to extend your update and support period.
• Enterprise serial keys: These keys allow you to get access to the enterprise features of the Ekran System for an unlimited period of time.
• Trial enterprise keys: These keys allow you to get access to the enterprise features of the Ekran System for 30 days (may vary) from activation and update the product during this period.
Each permanent, trial, and update and support serial key contains the following data:
• Update & support period
• Licenses for the Clients
The enterprise serial key does not contain any Client licenses and is active for an unlimited period of time. This key grants you access to such valuable features of the Ekran System as Database Archiving, High Availability, Advanced SIEM Integration, One-Time Password, and Multi-Tenant Mode. See the detailed information on the Standard and Enterprise Editions of Ekran System in the Appendix.
NOTE: After activation of any serial key, the embedded trial key expires.
Once you have purchased serial keys, you can either activate serial keys online or add activated serial keys if you have no Internet connection on a computer with the installed Server. You need the administrative Serial keys management permission to activate serial keys. Contact your vendor for information on purchasing serial keys.
Please note, after the activation, serial keys are bound to a specific computer and cannot be used on another computer.

About Update & Support Period
An Update & support period is a period that defines what updates can be applied to your copy of the product. Updates are defined by their release date. The update & support period end date is defined during the serial key activation (either via the Management Tool or on the vendor’s site).
When a new serial key is being activated, the update & support period is prolonged accordingly. Please note, if the current update & support period is longer than the one of a key being activated, the current update & support period does not change. For example, if you activate a key with 12 months update & support period after a key with 30 days update & support period, the update & support end date will be set to 12 months since the activation date. But if you activate a key with 30 days update & support period after a key with 12 months update & support period, the update & support period end date will not change.
After the update & support period expires, you can still assign licenses to Clients, but you will be unable to update the System to versions released after the update & support period expiration date. If your update & support period expires, you can purchase a special serial key, which does not contain any licenses, but extends your update & support period, or you can activate any other serial key.

Viewing License State
You can view the information on serial keys you have activated or added and license details on the Serial Key Management page in the Management Tool. To view the license state, open the Management Tool and click the Serial Key Management navigation link to the left. Select the Serial Keys tab.
The following information is displayed on the Serial Keys tab:
• Update & support period end date: The update & support period end date is calculated based on dates of serial keys activation and their subscription periods. It is calculated using a serial key with the longest update & support period.
Example: If you activate two keys, one with a 30 days update & support period and one with a 12 months update & support period, simultaneously, the update & support period end date will be set to 12 months from the activation date.
• Enterprise key: Displays whether the target Server computer has an activated enterprise serial key.
• Workstation/Terminal Server/Infrastructure Server/Cloud Server/Linux/UNIX Server Client licenses used: The number of licenses of the corresponding type used out of total number, which is summed up from all activated serial keys.
• Not licensed Clients: The number of installed Clients with no licenses assigned.
The following information is displayed in the Serial Keys table:
o Serial key
o Activation date
o Type: Enterprise/Permanent/Update and Support/Trial/Trial Enterprise
o State: activated/deactivated/expired
o Details: expiration/deactivation date, type and number of licenses

Activating Serial Keys Online
To activate purchased serial keys online, do the following:
1. Make sure you have an active Internet connection on the computer with the installed Server.
2. Log in to the Management Tool as a user with the administrative Serial keys management permission.
3. Click the Serial Key Management navigation link to the left.
4. On the Serial Keys tab, click Activate keys online.
5. In the Serial Key Activation window, enter serial keys to be activated separating them with semicolons or paragraphs and click Activate.
6. The activated keys will appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.

Adding Activated Serial Keys Offline
If you have no Internet connection on a computer on which the serial keys are to be activated, you can activate them on the license site and then add the activated serial keys offline.
NOTE: Update and Support serial keys cannot be activated offline. For more information, send an email to info@ekransystem.com
To activate serial keys offline on the license site, do the following:
1. On the computer with the installed Server, start the UniqueIdentifierGenerator.exe file, which you can download at https://www.ekransystem.com/sites/default/files/ekransystem/UniqueIdentifierGenerator.exe
2. The Unique Identifier Generator window opens.
3. Click Generate to generate a unique identifier for your computer.
4. When a unique identifier for your computer is generated, it will appear in a text box under the Unique Identifier group of options.
5. Copy the unique identifier from the text box to a text file on a removable drive.
6. Go to the license site.
7. Enter the generated unique identifier in the Unique Identifier box.
8. Copy and paste the purchased serial keys to the Serial Keys box separating them with paragraphs or spaces.
9. Enter the CAPTCHA text in a text box near the CAPTCHA image.
10. Click Activate.
11. The activatedKeys.txt file will be generated. Save the file on a removable drive.
12. Copy the file to the computer on which you will open the Management Tool.
NOTE: Please do not edit the generated file activatedKeys.txt.
To add activated serial keys in offline mode, do the following:
1. Log in to the Management Tool as a user with the administrative Serial keys management permission.
2. Click the Serial Key Management navigation link to the left.
3. On the Serial Keys tab, click Add activated keys.
4. On the Activated Serial Key Adding page, click Choose File and navigate to the activatedKeys.txt file with activated serial keys.
5. Click Add.
6. The newly added serial keys appear on the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.
8. If there are both licensed and unlicensed Clients in your network and you want to license the rest of Clients with a purchased key, you will have to assign the license to the remaining unlicensed Clients manually.

Deactivating Serial Keys
If for some reason you decide to discontinue using Ekran System, you can deactivate serial keys.
NOTE: Expired serial keys can’t be deactivated.
To deactivate a serial key, do the following:
1. Make sure you have an active Internet connection on the computer with the installed Server.
2. Log in to the Management Tool as a user with the administrative Serial keys management permission.
3. Click the Serial Key Management navigation link to the left.
4. On the Serial Keys tab, select a serial key to be deactivated and click Deactivate selected.
5. In the confirmation message, click Deactivate.
6. The deactivated serial key is marked as Deactivated in the State column of the Serial Key Management page.
7. The number of available licenses and the update & support period end date change.

License Management

Client License Management
The Client license management is performed in the Management Tool by the user with the administrative Client installation and management permission. You can assign a license to a Client or unassign it manually any time. If the Client is uninstalled, its license becomes free and can be assigned to another Client.
NOTE: When a trial serial key expires, the corresponding number of licenses is automatically unassigned from Clients.
Information about the number of used and free licenses of each type is displayed on the License Management page in the Management Tool.
To assign a license to one Client, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the needed Client from the list and then click Edit Client.
4. On the Editing Client page, on the Properties tab, in the License box, select the type of license you want to assign to the Client.
5. Click Finish.
6. The license is assigned to the Client. The license can be assigned to an offline Client, and it will be applied after the Client is online.

To manage licenses to several Clients, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Manage Licenses.
4. On the License Management page, select the Clients to which the licenses should be assigned. To find a specific Client, enter its name in the Contains box and click Apply Filters.
5. When the Clients are selected, click one of the following:
• Assign recommended license: Assigns licenses to the selected Clients, automatically defining the type of license based on the operating system of the Client computers. If the corresponding type of license is missing, a license of a higher type can be assigned.
• Assign license of specific type: Assigns selected licenses of a specific type to the selected Clients.
• Unassign license: Removes licenses from the selected Clients.
NOTE: To change the Client license type, you do not need to unassign the current license. This will be done automatically.

Viewing Granted Licenses
You can view the information on licenses you have granted on the Serial Key Management page in the Management Tool. To view the granted licenses, open the Management Tool and click the Serial Key Management navigation link to the left. Select the Granted Licenses tab.
The following information is displayed in the Granted Licenses table:
o Tenant Name
o Count of Workstation licenses/Terminal Server licenses/Infrastructure Server licenses/Cloud Server licenses/Linux licenses

User and User Group Management

About
By default, there is one administrator in the system, whose login is admin and whose password is defined during the Server installation. The administrator has all the rights for work in the system. If the Multi-tenant mode is enabled, the administrator is the technician and is able to create tenants. In order to grant others access to the system, you can add users and define their permissions. Please note, user and user group management is allowed only to the users with the administrative User management permission.
There are two types of users:
• Internal users
• Active Directory users (Windows domain users and Windows domain user groups)
To define permissions for users, you can create user groups. One user can belong to several user groups. When the user is added to a group, they inherit all permissions from a group. Apart from permissions received from the group, you can assign other permissions to a specific user. If the user inherited some permissions from a group, these permissions can be removed only by removing the user from this group.
By default, there are three user groups in the system:
• All Users: A group that contains all created users.
• Administrators: A group of users that can perform administrative functions within the system. If a user is added to this group, they receive all administrative and Client permissions within the system.
• Supervisors: A group of users that perform major investigative work with the Clients. If a user is added to this group, they receive the Viewing monitoring results permission for All Clients.
You can also add other custom user groups and manage them yourself.

Viewing Users and User Groups
The Users and User Groups are displayed on the User Management page in the Management Tool. Users are grouped by the User Groups which they belong to. The lists of Users contain the following information:
• Login
• First Name
• Last Name
• Description
NOTE: For Active Directory users, their first name and last name will be filled automatically after the first log in to the system.
On the User Management page, you can add new Users/User Groups and edit existing Users/User Groups (including deletion). To find a required User, enter a part of their user name, first name, last name or description in the Contains box and click Apply Filters.

User Management

Adding Users
To add a new user, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Add User.
4. On the User Type tab, select the type of the user you want to add:
• Click Add an Internal user to create an internal application user.
• Click Add an Active Directory user/user group to add an existing Windows user/user group.
5. On the User Details tab, do one of the following and click Next:
• For an internal user, define user credentials and additional information about the user.
NOTE: Login and password are required. The password must be at least 6 characters long. The maximum length of the first name, last name, and description is 200 characters.
• For an Active Directory user/user group, select the domain in the Domain list and then enter at least two characters into the User/User group box to search for the required user/user group.
NOTE: The Active Directory user/user group cannot be added if there is no LDAP target added for the required domain on the Configuration page or if the connection with the domain is lost (the domain is unavailable).
6. On the User Groups tab, select the user groups the user will belong to. To find a specific group, enter its name in the Contains box and click Apply Filters. Click Next.
NOTE: The user is automatically added to the default All Users group and can’t be removed from it.
7. On the Administrative Permissions tab, select administrative permissions that will be given to the user. Click Next.
NOTE: If the user has inherited some permissions from user groups, you can only add new permissions. To remove permissions inherited from user groups, you need to remove the user from these groups.
8. On the Client Permissions tab, do the following:
• Select the necessary Client/Client Group. To find a specific Client/Client Group, enter its name in the Contains box and click Apply Filters.
• Click Edit Permissions and then, in the Client Permissions/Client Group Permissions window, define the Client permissions which will be given to a user for the corresponding Client/Client Group.
• When the permissions are defined, click Save to close the Client Permissions/Client Group Permissions window.
9. Click Finish.
10. The user is added and displayed on the Users page.
NOTE: For an Active Directory user, the first name and last name properties will be automatically filled after the user’s first login to the system.

Editing Users
To edit an existing user, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User for the required user.
4. Edit user properties and permissions on the corresponding tabs in the same way as when adding a new user.
NOTE: Click Next or Finish to save the changes on each tab.
5. The user is edited.

Deleting Users
Deleting a user means that a user will not be able to use the system. If you delete the user who is logged in the Management Tool, the Management Tool will become unavailable to the user at once and none of its pages will be displayed.
To delete a user, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User for the required user.
4. On the User Details tab, click Delete User.
5. In the confirmation message, click Delete.
6. The user is deleted.

User Group Management

Adding User Groups
To add a new user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Add User Group.
4. On the Group Properties tab, define the name for the user group and, optionally, define its description. Click Next.
5. On the User Management tab, select users that will belong to the user group. To find a specific user, enter its name in the Contains box and click Apply Filters. Click Next.
6. On the Administrative Permissions tab, select administrative permissions that will be given to all users belonging to this user group. Click Next.
7. On the Client Permissions tab, find the Client/Client Group for which permissions are to be defined.
• To find a specific Client/Client Group, enter its name in the Contains box and click Apply Filters.
• Click Edit Permissions and then, in the Client Permissions/Client Group Permissions window, define the Client permissions which will be given to a user for the corresponding Client/Client Group.
• After you have defined all Client permissions, click Save to close the Client Permissions/Client Group Permissions window.
8. On the Client Permissions tab, click Finish.
9. The user group is added.

Editing User Groups
To edit an existing user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User Group for the required user group.
4. Edit user group properties and permissions on the corresponding tabs in the same way as when adding a new user group.
NOTE: Click Next or Finish to save the changes on each tab.
5. The user group is edited.

Deleting User Groups
Deleting a user group does not delete users belonging to it. If the group is deleted, its users no longer have permissions given by this user group unless these permissions are inherited from another user group.
NOTE: The user group All Users cannot be deleted.
To delete a user group, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Click the User Management navigation link to the left.
3. On the Users page, click Edit User Group for the required user group.
4. On the Group Properties tab, click Delete Group.
5. In the confirmation message, click Delete.
6. The user group is deleted.

Permissions

About
The permissions allow you to define which functions a user will be able to perform with the system and Clients. There are two types of permissions:
• Administrative permissions define actions that a user can perform with the whole system.
• Client permissions define actions that a user can perform with selected Clients.
The permissions can be defined during user and user group adding/editing. If you define permissions for the group, any user belonging to this group inherits these permissions. Apart from permissions inherited from the group, you can assign a user their own permissions. To remove permissions inherited by the user from a group, you need to remove the user from a group.

Administrative Permissions
The following administrative permissions are available:
• Serial keys management: Allows a user to activate and deactivate serial keys.
• Tenant management and system configuration: Allows a user to add, edit, delete Tenants and grant licenses to them, define Email sending settings, and download Server and Management Tool log files. This permission is available only for the users of the default tenant.
• User management: Allows a user to add, edit, delete Users/User groups and define permissions for them. It also allows a user to view the Management Tool log.
• Client installation and management: Allows a user to install Clients, assign licenses to Clients, add, edit, and delete Client groups, manage alerts, define alert settings, create and manage scheduled report rules, view report logs, create and manage the USB monitoring & blocking rules, as well as block users. If a user does not have the administrative Client installation and management permission, in the Management Tool they will see only those Clients for which they have at least one Client permission.
• Database management: Allows a user to get information on the database, perform database cleanup, delete Clients from the database.
• Viewing archived data: Allows a user to view and export sessions from archive databases.

Client Permissions
Client permissions define which actions a user will be able to perform with the Clients.
NOTE: Client permissions are defined for each Client or Client Group individually.
The following Client permissions are available:
• Client configuration management: Allows a user to define Client configuration.
• Viewing monitoring results: Allows a user to:
o View the results of Client monitoring and Forensic Export results in the Management Tool.
o View Client configuration.
o Generate reports in the Management Tool.
• [Windows Clients] Viewing text data: Allows a user to view keystrokes and clipboard text data recorded during Client monitoring.
• [Windows Clients] Client uninstallation: Allows a user to uninstall a Client.
• Access Client computer: Allows a user to log in to the Client computer with enabled forced user authentication. It is available for Linux and Windows computers.

the user Joe will have the following permissions:  Administrative o User management permission (Because he belongs to Group 1). and thus will have it even if Group 2 is deleted or its permissions are edited). For example: There is a user Joe who belongs to Group 1 and Group 2 user groups. If the user belongs to several Groups. and Group 2 by the administrator: User/User Group Administrative Client permissions permissions Permission For Group 1 User management Client uninstallation Client 1 Group 2 Serial keys management Viewing monitoring Client 2 results User Joe Client installation and Viewing monitoring Client 1 management results Serial keys management Client configuration All Clients management As a result. Besides. But he also has his own Serial keys management permission. they will inherit all the permissions defined for them. Group 1. The following permissions are given to the user Joe. o Serial keys management permission (Because he belongs to Group 2. o Client installation and management permission (He will have this permission irrespective to user groups which he will be added to).User and User Group Management Permission Example You can define the permission for a user. 106 . there are Client 1 and Client 2 that belong to All Clients group. by selecting the Edit User option and selecting the option next to the required permission on the Administrative Permissions tab.

• Client permissions for Client 1
o Client uninstallation permission (Because he belongs to Group 1).
o Viewing monitoring results permission (Because it is his own permission and he
will have it irrespective of the user groups to which he is added).
o Client configuration management permission (Because the Client belongs to All
Clients group).

• Client permissions for Client 2
o Viewing monitoring results permission (Because he belongs to Group 2).
o Client configuration management permission (Because the Client belongs to All
Clients group).
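The inheritance rule in this example can be checked mechanically. The following Python example is added here and is not Ekran System code; the data structures and function names are assumptions made for the illustration. It resolves Joe's effective permissions together with the source of each grant, which is what an administrator reviews before deleting or editing a group.

```python
from collections import defaultdict

# Grants exactly as listed in the permission example. The structure and all
# names below are assumptions made for this illustration.
CLIENT_GROUPS = {"All Clients": {"Client 1", "Client 2"}}
MEMBERSHIP = {"Joe": ["Group 1", "Group 2"]}
GRANTS = {
    "Group 1": {
        "admin": {"User management"},
        "client": {("Client uninstallation", "Client 1")},
    },
    "Group 2": {
        "admin": {"Serial keys management"},
        "client": {("Viewing monitoring results", "Client 2")},
    },
    "Joe": {
        "admin": {"Client installation and management",
                  "Serial keys management"},
        "client": {("Viewing monitoring results", "Client 1"),
                   ("Client configuration management", "All Clients")},
    },
}


def effective_permissions(user, grants, membership, client_groups):
    """Return (admin, client) with the source of every grant.

    admin:  {permission: [source, ...]}
    client: {client name: {permission: [source, ...]}}
    A source is "own" or the name of the user group supplying the grant.
    """
    admin = defaultdict(list)
    client = defaultdict(lambda: defaultdict(list))
    principals = [(user, "own")]
    principals += [(g, g) for g in membership.get(user, []) if g in grants]
    for principal, source in principals:
        entry = grants.get(principal, {})
        for perm in sorted(entry.get("admin", ())):
            admin[perm].append(source)
        for perm, target in sorted(entry.get("client", ())):
            # A grant on a Client Group applies to every Client in it.
            for name in sorted(client_groups.get(target, {target})):
                client[name][perm].append(source)
    return dict(admin), {c: dict(p) for c, p in client.items()}


def delete_group(grants, group):
    """Grants that remain after a user group is deleted."""
    return {name: entry for name, entry in grants.items() if name != group}


def visible_clients(all_clients, admin, client):
    """Clients listed in the Management Tool: all of them with the
    Client installation and management permission, otherwise only those
    for which the user holds at least one Client permission."""
    if "Client installation and management" in admin:
        return set(all_clients)
    return {c for c in all_clients if client.get(c)}


if __name__ == "__main__":
    admin, client = effective_permissions(
        "Joe", GRANTS, MEMBERSHIP, CLIENT_GROUPS)
    for perm, sources in sorted(admin.items()):
        print(f"admin  {perm}: {', '.join(sources)}")
    for name in sorted(client):
        for perm, sources in sorted(client[name].items()):
            print(f"{name}  {perm}: {', '.join(sources)}")
```

A permission whose source list contains only group names disappears when those groups are deleted or edited; one that also lists "own" does not.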


Management Tool Log
About
The Management Tool Log is a component that contains information on all user actions
performed in the Management Tool. Such information might be useful for the administrator to
manage and monitor the actions of all users in the system.
Viewing the Management Tool Log is available only to users with the administrative User
management permissions.

Viewing Management Tool Log
To view the log, log in to the Management Tool and click the Management Tool Log navigation
link to the left.
On the Management Tool Log page, the Log Grid with the following data is displayed:
• Time: Displays the date & time the action was performed.
• User Name: Displays the name of the user who performed the action.
• User Groups: Displays the list of the User Groups the user belongs to.
• Category: Displays the category the action performed belongs to.
• Action: Displays the action performed.
• Object: Displays the list of the objects affected by the action.
• Details: Displays additional information about the action performed.
You can define the number of the log entries to be displayed per page: 10/100/250/1000.

All actions performed by the users in the Management Tool are grouped by the following
categories:
1. Alert management. Contains the information on the alert configuration being changed,
as well as exporting, importing, deleting older alerts, creating new ones, and changing
the Global Alert settings.
2. Alert player viewing. Contains the information on viewing alert events in the Alert
Viewer by a user.

3. Archived Sessions Viewing. Contains the information on the archived sessions being
opened in the Session Viewer or being exported via Forensic Export.
4. Log settings. Contains the information on the log settings being changed.
5. Client editing. Contains the information on the Client configuration being changed. If
there were multiple configuration changes, they are combined in a single log entry.
6. Client group management. Contains the information on the Client Group configuration
being changed, as well as deleting older Client Groups and creating new ones.
7. Client installation/Uninstallation. Contains the information on installation and
uninstallation of the Clients performed by a user, as well as the Client uninstallation key
being changed.
8. Database cleanup. Contains the information on the manual & automatic cleanup being
performed and the changes made to the automatic cleanup settings by a user.
9. Database management. Contains the information on the database shrinking, database
archiving and cleanup, and statistics update performed by a user.
10. Date & Time Format. Contains the information on the date and time format settings
being changed.
11. Diagnostics. Contains the information on downloading the server and Management Tool
log files by a user.
12. Email sending settings. Contains the information on the email sending settings being
changed.
13. Forensic Export. Contains the information on users performing Forensic Export,
downloading and deleting the Forensic Export results, as well as validating those results.
14. Interactive monitoring. Contains the information on Clients, users on Client computers,
and time period, for which the Application Monitoring and URL Monitoring widgets
were generated.
15. Kernel-level USB monitoring. Contains the information on the USB monitoring &
blocking rules being changed by a user, as well as deleting older rules and creating new
ones.
16. LDAP targets. Contains the information on the added, edited, and deleted LDAP targets.
17. Log in / Log off. Contains the information on users logging in/logging off (including MT
being closed, session expiring, etc.).
18. One-time password. Contains the information on generated, used, expired and
manually terminated one-time passwords.
19. Report generation. Contains the information on the reports generated by a user, both
via Report Generator and from the Scheduled rule. It also contains information about
the generated reports being downloaded by a particular user.
20. Scheduled report management. Contains the information on the Scheduled Report
rules being changed by a user, as well as deleting older rules and creating new ones.
21. Serial key management. Contains the information on adding, activation, and
deactivation of the serial keys by a user.
22. Session Viewing. Contains the information on the sessions opened in the Session Viewer
by a user.
23. Ticketing system integration. Contains the information on the ticketing system
integration being enabled or disabled and on the ticketing system access parameters
being edited.

24. Two-Factor Authentication. Contains the information on the users being added or
deleted on the Two-Factor Authentication page and on editing of two-factor
authentication keys.
25. User blocking. Contains the information on users being added to and removed from the
Blocked User list.
26. User group management. Contains the information on the user group configuration
being changed by a user, as well as deleting older user groups, creating new ones,
changing the Client and administrative permissions.
27. User management. Contains the information on the user configuration being changed
by a user, as well as deleting older users, creating new ones, changing the Client and
administrative permissions.

Management Tool Log Protection
The Management Tool Log is protected against log-altering attacks: its data is encrypted in
the database, and the database encryption is unique for each Server. If the log has been
modified, a warning is displayed that the log data is not valid, and the invalid log entries
are marked red.

Filtering and Sorting Log Data
You can filter Management Tool log entries using the column header menu in the Log grid. You
can filter data by multiple fields.
To filter data by a non-date field (User Name, User Groups, Category, Action, Object), click
near the required column name, select one or several options, and then click OK.

To filter data by the Time field, click near the required column name, select the From and
To dates, and then click OK.
To sort data in the Log grid, click the required column header. You can change column sort
order from ascending to descending, and vice versa. To do this, click the Sort arrow near the
column header.

Windows Clients
About
Windows Client is a program that can be installed on the target computers to monitor the
activity of their users. The monitored data is sent to the Server and can be viewed in the
Management Tool.
Depending upon their permissions, a user can install/uninstall Clients remotely, manage their
configuration, and manage Client groups.

Monitoring via Windows Clients
The Windows Clients work as follows:
• Each Windows Client starts automatically on computer start.
• A licensed Windows Client monitors a certain number of local and remote sessions,
depending on the license type:
- Workstation Client license (one local/remote session)
- Infrastructure/Cloud Server Client licenses (up to two concurrent sessions)
- Terminal Server Client license (several concurrent sessions)
• Every time the computer is restarted, the Windows Client starts recording user activity in a
new session. The maximum duration of one session can be 24 hours. At 00:00 all live
sessions are terminated. After their termination (their status changes from live to finished),
new live sessions automatically start.
• If a user works with several monitors, the Windows Client creates screenshots from all of
them.
• The Windows Client sends its monitoring results to the Server. On the Client side, the
monitoring data is compressed before sending it to the Server.
To disable the data compression on the Client side, in the Windows Registry Editor, select
the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and add a new value:
o Value type: DWORD
o Value name: Compression
o Value data: 0
• If there is no connection with the Server, the Client stores the monitored data locally and
automatically sends it to the Server when the connection is restored. The data is stored in
the TempWrite.dat file in the Client installation folder. The Client can stop writing data to
an offline cache in one of the following cases:
o The amount of data stored offline reaches the limit at which the Client must
stop writing to offline cache. This limit is defined during remote Client
installation or during generation of Client installation package.
o Only 500 MB of free space is left on the hard drive.


• By default, the Windows Client records user activity as follows:
o Typing: every 10 seconds.
o Mouse clicking: every 3 seconds.
o Active window changing: every 3 seconds.
To change the frequency of user activity recording, in the Windows Registry Editor, select the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and modify a value data:
1. Typing
o Value name: SmartScrTimer
2. Mouse clicking
o Value name: SmartScrTimerMouse
User activity recording triggers usually influence each other, though the average frequency of user activity recording is higher.

Installing Windows Clients
About
During the system deployment, remote installation of the Windows Clients is used. Remote installation of the Clients is performed via the Management Tool.
The Windows Clients can also be installed locally via the installation package generated in the Management Tool. This kind of installation is useful when you experience difficulties with installing the Clients remotely via the Management Tool, or the computers in your network are a part of a workgroup and do not have the same administrative account for each computer. Thus you can distribute the installation package of the Client with predefined settings among the network computers and install it.

Setting up Environment for Remote Installation
Windows Client Installation Prerequisites
The majority of Windows Client installation/uninstallation issues are caused by incorrect system or network settings. To ensure successful remote installation of the Windows Clients, you have to set up the network environment beforehand.
If your computers belong to a workgroup but not a domain, you need to know the administrator account credentials for each remote computer. Otherwise, knowing the domain administrator credentials is enough.
The following conditions have to be met for successful Windows Client installation:
• The remote computer has to be online and accessible via network.
• Shared folders have to be accessible on the remote computer.
• Simple file sharing (Sharing Wizard) has to be disabled if the computer is in a workgroup (for domain computers this requirement can be skipped).

• You need to know the domain administrator or local administrator account credentials for the remote computer.
• The Server and the Remote Procedure Call (RPC) system services have to be running on the remote computer.
• Windows Vista and Windows XP Firewall has to be properly set up on the remote computer during the Clients remote installation.
• In Windows 8, Windows 7, Windows Server 2012 and Windows Server 2008 Firewall, inbound connections have to be allowed in the Remote Service Management (RPC) rule for the remote computers and the File and Printer Sharing option has to be enabled (in this case it is not necessary to disable Windows Firewall).
• In Windows Firewall on the Server side, allow the Server executable to accept TCP connections via ports 9447 and 9449 (for the connection between the Server and the Clients).
NOTE: These rules will be added to Windows Firewall automatically if Windows Firewall is enabled during the Server installation.
• Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.
Make sure the conditions mentioned above are met to avoid possible problems with Client remote installation.

Disabling Simple File Sharing in Windows XP
To disable simple file sharing in Windows XP, do the following:
1. Open My Computer.
2. Select Tools > Folder Options in the menu.
3. In the Folder Options window, select the View tab.

4. Clear the Use simple file sharing option.
5. Click Apply and OK to close the window.

Disabling Sharing Wizard in Windows 8.1, Windows 8, and Windows 7
To disable the Sharing wizard in Windows 8.1, Windows 8, and Windows 7, do the following:
1. Open the Folder options window:
• For Windows 8.1/Windows 8: Open the Control Panel and then select Appearance and Personalization.
• For Windows 7: Open Computer and then select Organize > Folder and search options.
2. In the Folder Options window, select the View tab.

3. Clear the Use Sharing Wizard option.
4. Click Apply and OK to close the window.

Checking System Services
To check that the Server and Remote Procedure Call (RPC) system services are running:
1. Right-click Computer and select Manage. The Computer Management window opens.
2. Expand the Services and Applications node and select Services. To quickly access Windows Services, press Windows+R, type services.msc in the Run text box and press Enter.
3. Find the Server service and the Remote Procedure Call (RPC) service in the list of services. Make sure both services are running (their status is displayed as Started).

4. If one or both services are not running, start them manually. To start the service, right-click it and select Start from the context menu. The selected service is started.

Setting up Firewall for Windows Vista, Windows XP, and Windows Server 2003
It is not necessary to disable the Firewall in Windows Vista, Windows XP, and Windows Server 2003. For successful remote installation of the Clients, you have to enable the File and Printer Sharing option.
To set up Windows Vista, Windows XP, and Windows Server 2003 Firewall, do the following:
1. Select Start > Control Panel > Windows Firewall.
2. In the Windows Firewall window, select the Exceptions tab.
3. On the Exceptions tab, select the File and Printer Sharing option.
4. Click OK.

Setting up Firewall for Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows Server 2008
It is not necessary to disable the Firewall in Windows 8.1, Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008. For successful remote installation of the Clients, you have to allow inbound connections in the Remote Service Management (RPC) rule for the remote computers and enable the File and Printer Sharing option.
To enable inbound connections for the Remote Management Service (RPC), do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Advanced settings.
3. In the Windows Firewall with Advanced Security window, click Inbound Rules and then double-click the Remote Service Management (RPC) rule in the rules list.
4. The Remote Service Management (RPC) Properties window opens.
5. On the General tab, select Enabled under General and click Allow the connection under Action.

6. On the Advanced tab, under Profiles, select the profile of the network used for connecting remote computers and the Server.
7. Click Apply and then OK to save the settings and close the Properties window.
8. Close the Windows Firewall window.

To enable the File and Printer Sharing option, do the following:
1. Select Control Panel > System and Security > Windows Firewall.
2. In the Windows Firewall window, click Allow an app or feature through Windows Firewall.
3. In the opened Allowed apps window, click Change settings.
4. Select the File and Printer Sharing option and then click OK.

Installing Windows Clients Remotely via the Management Tool
About
You can install the Windows Clients remotely via the Management Tool. This way of installation is very convenient if all computers in your network have the same domain administrator credentials.
Remote Windows Client Installation is performed by a user who has the Client installation and management permission in two steps:
1. Selecting computers on which Clients will be installed.
2. Defining installation parameters and installing the Clients.

Selecting Computers
To select the computers for Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. The Computers without Clients page opens. On this page, you can see the computers for which the previous installations failed.
5. Select how you would like to search for computers where the Windows Clients will be installed:
• To select computers from the list of all computers in your network, click Deploy via network scan.
• To select computers by IP range (IPv4 or IPv6 addresses), click Deploy via IP range.
• To select computers by their names, click Deploy on specific computers.
6. In the Choose search results window:
• Click Start new search to look for computers with defined parameters.

• Click Previous search results to choose the computers found in the previous search. If you have not performed any searches yet, this option will be absent.
7. If you have selected the Deploy via IP range option, the Computers Scan page opens. In the From Address and To Address boxes, enter the IP range (either IPv4 or IPv6) for which the network should be scanned. To find only one computer, enter the same IP address in both boxes. Click Scan.
8. If you have selected the Deploy on specific computers option, the Adding Computers page opens. Enter the names of computers on which Windows Clients must be installed in the box Name and click Scan. Use semicolon to separate computer names. Please note that you should enter the full name of the computer.
9. The scanning process starts. The list of found computers will be updated automatically. If it is not updated, click Refresh. To stop the scanning process, click Stop.
10. When the scanning process finishes, select check boxes next to the computers that you want to install the Clients on. Click Next.
11. The selected computers are added to the list on the Computers without Clients page.
12. If you want to remove some computers from this list, click Remove from list next to the selected computer.

Remote Windows Client Installation Process
When all computers for Windows Client installation are selected, you are ready to start installation. Please make sure that all selected computers are correctly adjusted.
To install the Windows Clients remotely, do the following:
1. On the Computers without Clients page, click Install.
2. On the Client Configuration page, define the name/IP of the Server to which the Windows Clients will connect, and define the Client configuration for the Clients you are installing. You can add several names and IP addresses separated with comma or semicolon. Click Next.
NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers.
3. On the Installation credentials page, enter the credentials of a user with administrator permissions on the target computers for Client installation and then click Next.
• If the computers are in a domain, enter the domain name and domain administrator account credentials.
• If the computers are in workgroup, enter the credentials of a local administrator for target computers. If you leave the Domain box empty, the entered credentials will be used as the credentials of a local user of a target computer and the Client will be installed under the <target PC name>\<user name> account.
NOTE: All workgroup computers must have the same administrator account credentials. Otherwise use installation via installation package method to deploy the Clients.
4. The installation process starts. The progress of installation will be updated automatically on the Client installation page. If it is not updated, click Refresh.

NOTE: If the connection with the Server fails, the Client will not be installed.
5. After the end of the installation, the installed Clients will appear on the Clients page in All Clients group. If the installation of some Clients fails, these computers will remain in the Computers without Clients list and you can click Retry to start the installation again.

Remote Installation from an Existing .INI File
If you already have an .ini file with defined settings generated in the Management Tool and saved to your computer, you can use it for installing the Windows Clients.
To install the Windows Clients remotely using an existing .ini file, do the following:
1. On the Computers without Clients page, click Install using existing .ini file.
2. On the INI file selection page, click Choose file to select the .ini file that will be used for configuration of new Clients. Please note, if any parameter except RemoteHost is absent or not valid, its value will be set to default. The RemoteHost parameter is ignored in this type of installation. The Windows Client will connect to the Server to which the Management Tool is connected.
3. Once the .ini file is chosen, click Next and continue the installation the same way as when installing the Clients remotely in a common way.

Installing Windows Clients Locally
About
You can install the Windows Clients locally using the Client installation file generated in the Management Tool. You have two options for downloading the Client installation file from the Management Tool:
• Generate the installation package and set the Windows Client configuration during generation.
• Use Client installation file (.exe) to install the Client with default parameters.
NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.

Windows Client Installation Package
The installation package consists of 2 components:
• A signed EkranSystemClient.exe installation file.

• An EkranSystemClient.ini text configuration file that contains the Windows Client installation parameters defining the Server to which the Client will connect, and the Client configuration.
The table below lists all the Windows Client installation parameters. If any parameter except RemoteHost is absent or not valid, its value will be set to default.

| Parameter | Description | Default Value |
|---|---|---|
| RemoteHost | A name or IP address of the computer on which the Server is installed. This parameter might contain several names and IP addresses separated with comma or semicolon. NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers. | No |
| ColourDepth | A colour scheme used for screenshots saving. 7: 4 bits (Grayscale), 8: 8 bits, 16: 24 bits. | 7 (4 bits (Grayscale)) |
| EnableScreenshotCreation | Creating screenshots along with recording user activity. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Enabled |
| EnableActivity | Recording user activity and creating screenshots when an active window is changed. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Enabled |
| EnableTimer | Recording user activity and creating screenshots with a certain time interval. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Disabled |
| Timer | Time interval of user activity recording and screenshot creation in seconds. This period can't be less than 30 seconds. This parameter is needed if the EnableTimer parameter is set. | 30 |
| EnableActiveWindow | Screenshots and recorded metadata will contain information on active window only. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Disabled |
| MonitorUSBStorage | Monitoring plugged in USB-based storage devices. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Enabled |
| EnableWndNmChanges | Recording user activity and creating screenshots when a window name is changed. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Enabled |
| EnableKBandMouse | Recording user activity and creating screenshots on clicking and a key pressing. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Enabled |
| EnableKeystrokes | Logging of a keystroke. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Enabled |
| StartSessionOnKeyword | Starting monitoring on detecting a suspicious keyword in the keystrokes. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Disabled |
| Keywords | A list of keywords, separated with comma (e.g., drugs, medicine), which being typed trigger the session start. Keywords are combined with OR logic; the LIKE operator is applied to the typed keywords (if drug is written, then drugstore will trigger the session start). | Empty |
| EnableClipboardMon | Logging of copy and paste operations. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Enabled |
| DisplayClientIcon | The Client tray icon displaying. If the value is 1, the Client tray icon is displayed; if the value is 0, it is hidden. | Disabled |
| EnableProtectedMode | The mode of Client work. If the value is 1, the protected mode is enabled; if the value is 0, it is disabled. | Disabled |
| URLMonitoring | Monitoring of URL addresses. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Enabled |
| MonitorTopDomain | Monitoring of top and second-level domain names. If the value is 1, the option is enabled; if the value is 0, it is disabled. NOTE: This parameter works only if URLMonitoring=1. | Enabled |
| FilterState | Application filtering during monitoring. If the value is "disabled", the application filtering is disabled and all applications are monitored. If the value is "include", the application filtering is enabled in the Include mode, and only applications listed in FilterAppName or FilterAppTitle are monitored. If the value is "exclude", the application filtering is enabled in the Exclude mode, and only applications not listed in FilterAppName or FilterAppTitle are monitored. | Disabled |
| FilterAppName | The list of application names separated with comma (e.g., word.exe, skype.exe). Names are combined with OR logic; the LIKE operator is applied to names (e.g., if word.exe is written then winword.exe will be monitored). | Empty |
| FilterAppTitle | The list of application titles separated with comma (e.g., Facebook, Google). Names are combined with OR logic; the LIKE operator is applied to titles (if Facebook is written, then Facebook-Messages will be monitored). | Empty |
| UserFilterState | User filtering during monitoring. If the value is "disabled", activity of all users is monitored. If the value is "include", the user filtering is enabled in the Include mode, and only activity of users listed in UserFilterNames is monitored. If the value is "exclude", the user filtering is enabled in the Exclude mode, and only activity of users not listed in UserFilterNames is monitored. | Disabled |
| UserFilterNames | The list of user names separated with a semicolon (e.g., work\jane; work\john). Names are combined with OR logic. Using asterisk (*) as name/domain mask is allowed (e.g., *\administrator or *\admin*). | Empty |
| MonitorTimeFilterState | Filtering the time of recording user activity. If the value is "disabled", the user activity is recorded twenty-four seven. If the value is "include", the user activity is recorded only on days defined in MonitoringDays and only during hours defined in MonitoringHours. If the value is "exclude", the user activity is not recorded on days defined in MonitoringDays and during hours defined in MonitoringHours. | Disabled |
| MonitoringDays | The days of the week during which the Client will or will not record users' activity. The days of the week are combined by OR logic. | Mon, Tue, Wed, Thu, Fri |
| MonitoringHours | The hours during which the Client will or will not record users' activity. | 8:00 – 18:00 |
| MonLogging | Creation of monitoring logs on the Client computer. 0: monitoring logs creation is disabled. 1: monitoring text log will be created in the LogPath location. | Disabled |
| LogPath | The path to the monitoring logs location. Using environment variables (%appdata%, %temp%, etc.) is allowed. | C:\ProgramData\Ekran System\MonLogs |
| EnableForcedAuth | Additional identification of users that log in to the Client computer with server operation system. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Disabled |
| EnableTwoFactorAuth | The option that requires the user to enter a time-based one-time password to log in. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Disabled |
| EnableOneTimePassword | Additional option that allows the user to request a one-time password to get a temporary access. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Disabled |
| RequireTicketNumber | Additional option that requires the user to enter a valid ticket number of an integrated ticketing system to start working with the Client computer. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Disabled |
| EnableNotificationComment | Additional option that requires the user to comment on the additional message displayed on login to the system. If the value is 1, the option is enabled; if the value is 0, it is disabled. | Disabled |
| NotificationMessage | The message that is displayed on user login to the system. | Disabled |
| LocalCacheLimit | Size of the Client offline data cache in MB. | 500 |
| InstallDir | The path to the Client installation folder. Using environment variables (%appdata%, %temp%, etc.) is allowed. | %ProgramFiles%\Ekran System\Ekran System |
| UpdateAutomatically | The Client update mode. If the value is 1, the automatic Client update is enabled; if the value is 0, it is disabled and the Client requires manual update. | Enabled |

Generating Windows Client Installation Package
To generate an installation package, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Generate Client installation package (*.ini + *.exe).
6. On the Generate Installation Package page, define the name/IP of the Server to which the Clients will connect, and define the Client configuration to be applied to the Client and then click Next.
NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers.
7. The installation package is successfully created and downloaded to your computer. The download settings depend upon the settings of your browser.

Installing Windows Clients Locally with Custom Monitoring Parameters
To install the Windows Client locally using the installation package, do the following:
1. Copy the package (the EkranSystemClient.exe installation file and the EkranSystemClient.ini file) to the target computer.
2. Start the EkranSystemClient.exe installation file under the administrator account on the target computer.

3. After the package is deployed, the installed Client appears in the list on the Client Management page in the Management Tool.

Installing Windows Clients Locally without .ini File

This type of installation allows you to install the Windows Clients with the default configuration. This way you will need only an EkranSystemClient.exe file for Client installation. The EkranSystemClient.ini file with the default parameters will be generated automatically.

Downloading Windows Client Installation File (.exe)

To download the file for Windows Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download default Client Installation (*.exe).
5. On the Installation File Download page, click Download installation file. The download settings depend upon the settings of your browser.
6. File downloading starts.

To install the Windows Client locally using the installation package on the target computer:
1. Copy the downloaded EkranSystemClient.exe file to the target computer and do one of the following:
• Start the EkranSystemClient.exe installation file under the administrator account on the target computer. Then in the opened window, enter the names and IP addresses of the computer on which the Server is installed and click Install.
• In the Command Prompt (cmd.exe) started under administrator, enter EkranSystemClient.exe /ServerName=<Server Name>.
NOTE: If there is no connection with the server, installation will fail and an error message will be displayed.
2. The Client will be installed with a default configuration. After the package is deployed, the name of the required computer appears on the Client Management page in the Management Tool.

Installation via Third Party Software

If you want to install the Windows Client via a third-party tool (e.g., via System Center Configuration Manager, Active Directory, etc.), download the Client installation file and use the following command:

    EkranSystemClient.exe /ServerName=<Server Name>

Installing Windows Client on Amazon WorkSpace

To install the Windows Client on Amazon WorkSpaces, do the following:
1. Download the Client installation file.
2. Connect to the Amazon WorkSpace and run the Client installation file (.exe).
3. Open the Windows Registry Editor.
4. In the Windows Registry Editor, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
NOTE: You will not be able to edit the registry values in the Protected Mode.
5. Select the AgentGUID value and click Delete in the context menu.
6. In the opened confirmation message, click Yes.
7. In the Amazon WorkSpaces management console, do the following:
• Create an image of the Amazon WorkSpace with installed Windows Client.
• Create a bundle from the newly created image.
• Create new Amazon WorkSpaces from the newly created bundle.
8. All new Amazon WorkSpaces created from the bundle will automatically connect to the Ekran Server.
NOTE: Make sure that Ekran Server is allowed to accept TCP connections via 9447 and 9449 ports for connection between Ekran Server and Ekran Clients.

Cloning a Virtual Machine with Installed Client

Each Windows Client has its own unique ID, which it receives when it connects to the Server. When you prepare a virtual machine, which is to be monitored, for cloning, you need to remove the Client ID to ensure the proper Client connection to Server.

To remove the Client ID, do the following:
1. Make sure the Client is offline (does not have any connection with the Server).
2. Open the Windows Registry Editor.
3. In the Registry Editor window, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
NOTE: You will not be able to edit the registry values in the Protected Mode.
4. Select the AgentGUID value and click Delete in the context menu.
5. In the opened confirmation message, click Yes.

Unassigning License on Virtual Machine Shutdown

If Ekran Windows Client is used on virtual machines, in some cases the master image might be used multiple times. To prevent wasting Client licenses when this occurs, you can configure the Client license to be unassigned on the virtual machine shutdown.

Before configuring a virtual machine image, you have to create a cmd file (for example, uninstall_client.cmd) containing the following command-line command:

    start /wait <path to EkranClient.exe> -uninstwl <uninstallation key>

For example (default installation parameters used):

    start /wait C:\Progra~1\EkranS~1\EkranS~1\Client\EkranClient.exe -uninstwl allowed

To configure the image of the virtual machine with the Client for the license to be unassigned on shutdown:
1. Start your virtual machine image.
2. Configure the system and install the necessary software.
3. Install Ekran Client (via remote installation or locally) with the Protected Mode option disabled.
4. Copy uninstall_client.cmd to the target folder on your virtual machine.
5. Open the Windows Registry Editor.
6. In the Registry Editor window, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client
7. Select the AgentGUID value and click Delete in the context menu.
8. In the opened confirmation message, click Yes.
9. Run the Command Prompt (cmd.exe) as administrator.
10. Enter the gpedit command.
11. In the Local Group Policy Editor window, select Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown) -> Shutdown
12. In the Shutdown Properties window, click Add and select the uninstall_client.cmd file.
13. Click OK.
14. Create the master snapshot (gold image).
15. From now on, whenever you start the virtual machine using this image, the Client is going to connect to the Server as a new Client and get a license assigned to it. Whenever the virtual machine is shut down, the license is going to be unassigned from the Client.

NOTE: If you need the license to be unassigned on Logoff, you have to edit the Logoff script in a similar way in the Local Group Policy Editor (User Configuration -> Windows Settings -> Scripts (Logon/Logoff) -> Logoff -> Properties).

Updating Windows Clients

About

Ekran System offers two update options for Windows Clients:
• automatic update
• update of selected Clients via the Management Tool

The automatic Client update is performed when a Windows Client connects to the Server of a newer version. It is recommended to use the automatic Client update.

If you want to control the update of target Client computers yourself, you can disable the automatic update on the required Clients and update them via the Management Tool.

NOTE: Windows Clients of very old versions might not be able to update. In this case, you need to re-install the Clients.

Windows Client Status after Server Update

If the Update Client automatically option is enabled for the Windows Client, it is updated automatically when it connects to the Server of a newer version.

If the Update Client automatically option is disabled for the Windows Client and it requires manual update, it is displayed with the icon in the grid on the Clients page. Such Clients store the monitoring data locally. They restart sending monitoring data to the Server after update.

After the Windows Client is updated, you will still be able to access the monitored data received before its update.

Updating Windows Clients Automatically

To update a Windows Client automatically, do the following:
1. Log in to the Management Tool as a user that has the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client that needs to be updated automatically and click Edit Client.
4. On the Editing Client page, on the Properties tab, select the Update Client automatically option.
5. Click Finish.
6. The Client will be updated automatically when it connects to the Server of a newer version.

Updating Windows Client Manually

To update a selected Windows Client via the Management Tool, do the following:
1. Log in to the Management Tool as a user that has the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client that needs to be updated and click Edit Client.
4. On the Editing Client page, on the Properties tab, clear the Update Client automatically option.

5. Click Finish to save the changes.
6. Update the Server.
7. Log in to the Management Tool as a user that has the Client configuration management permission.
8. Click the Client Management navigation link to the left.
9. On the Clients page, select the Client that needs to be updated and click Edit Client.
10. On the Editing Client page, on the Properties tab, click Update.
11. On its next connection to the Server, the Client will be updated to a newer version.

Reconnecting Windows Clients to another Server

If you want to reconnect the Windows Clients to another Server, start the remote installation from that Server. The Clients will be reconnected.

Please note that this way of reconnection can be used only for the Clients that work in the non-protected mode. If your Clients work in the protected mode, first disable the protected mode and then reconnect the Clients.

Uninstalling Windows Clients

About

Windows Clients can be uninstalled locally or remotely.

After uninstallation, the Client stops sending its data to the Server, but its data is not deleted from the Server and the Client is displayed in the Management Tool. The Client status in the Management Tool becomes offline after uninstallation.

To delete the Client from the Server (with all its captured data) and from the Management Tool, follow the steps described in the Deleting the Client section.

Client Uninstallation Key

It is possible to uninstall the Windows Client locally only with the help of the Uninstallation key. The Client Uninstallation key is used during the local Client uninstallation.

During the Server installation, it is possible to define the Client Uninstallation key. By default, this key is "allowed".

The user is able to view or change the Client Uninstallation key in the Management Tool. If you change the Uninstallation key, the Windows Client will receive it after connection to the Server. If the Client has not connected to the Server after the Uninstallation key has been changed, the Client has to be uninstalled with the help of an old Uninstallation key. If the Client has not connected to the Server yet, then its Uninstallation key is "allowed".

To change the uninstallation key, do the following:
1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Uninstallation Key.
4. On the Custom Uninstall Key page, enter the new uninstallation key in the New Key field.
5. Re-enter the new uninstallation key in the Confirm Key field and then click Save.
6. The uninstallation key is changed.

Uninstalling Windows Clients Remotely

To uninstall a Windows Client, do the following:
1. Log in to the Management Tool as a user that has the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
NOTE: This option is not displayed if the Client is already uninstalled or you do not have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.

To uninstall several Windows Clients, do the following:
1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission opens. To find a specific Client, enter its name or a part of its name in the Contains box and click Apply Filters.
6. Select the Clients that you want to uninstall and click Next.
7. Make sure you have added all necessary Clients to the uninstallation list and click Uninstall.
8. The selected Clients are uninstalled.

Uninstalling Windows Clients Locally

It is possible to uninstall the Windows Client locally only with the help of the Uninstallation key that is defined during the Server installation or in the Management Tool.

To uninstall the Windows Client locally, do the following:
1. Run the Command Prompt (cmd.exe) as administrator.
2. In the Command Prompt, go to the Client installation folder. By default, it is located here: C:\Program Files\Ekran System\Ekran System

3. Enter the following command:

    UninstallClient.exe /key=<uninstallation key> /silent=true

4. Press Enter.
NOTE: If you do not add the /silent=true parameter to the uninstallation command, the confirmation message for uninstalling the Client will be displayed on the Client computer.
5. The Client is successfully uninstalled.

Viewing Windows Clients

Windows Clients are displayed in groups on the Client Management page. The list of Clients contains the following information:
• Client name
• Status
• Type
• Domain
• IPv4
• IPv6
• Description

Please note, if there are several network cards on the Client computer, only those IPv4 and IPv6 addresses used by Windows Clients will be displayed in the Management Tool.

On the Client Management page you have the following options: Add Client Group, Manage Licenses, Install Clients, Uninstall Clients, Edit Uninstallation Key, Delete Clients, Edit Client Configuration and Edit Client Groups. The number of available options depends upon permissions.

If the user has an administrative Client installation and management permission, they will see all Clients. Otherwise, the user will see only those Clients for which they have at least one Client permission.

You can filter Windows Clients in the following ways:
• To sort Clients by the type of operating system, click the Type column header.
• To find Windows Clients only, select Hide Linux Clients and Hide macOS Clients and click Apply Filters.
• To find Clients by their host name or description, enter the name/description or a part of it in the Contains box and click Apply Filters.
• To hide offline/online/uninstalled/licensed Clients, select the corresponding option in the Filtering pane and click Apply Filters.

Windows Client Description

Client description is used as additional information about your Windows Clients, which makes it easier to find a specific Client. You can filter your Clients by their descriptions as well as by their names. Client description can be defined on the Editing Client page on the Properties tab.

To edit the description for the Windows Client, enter it in the Description box and click Finish.

Windows Client Configuration

About

Windows Client Configuration includes its monitoring parameters (screenshot creation, keystrokes logging, etc.), Client mode, etc. You can set the Client configuration during remote installation and during Client editing. The Client configuration can be defined in the .ini file, which is included in the installation package.

Protected Mode Parameter

The Windows Client can work in two modes:
• Non-protected mode: a regular mode without enhanced Client security.
• Protected mode: a mode with enhanced Client security: the user is not able to edit Client data (log files, generated screenshots, etc.), edit Client settings in the registry, edit/remove/modify/rename Client files (*.exe and *.dlls).

The protected mode can be enabled when installing, updating, or editing the Client. If the protected mode is enabled during Client installation, this change will come into effect immediately. If the protected mode is enabled during Client editing, this change will come into effect after the computer is rebooted.

NOTE: It is impossible to reconnect the Client working in protected mode to another Server. In such situation, you will have to uninstall the Client locally or change its mode to non-protected.

Automatic Client Update Parameter

If the Update Client automatically option is enabled, the Client will be updated automatically when it connects to the Server of a newer version. If the option is disabled, the Client needs to be updated manually via the Management Tool.

Windows Clients requiring manual update store the monitoring data locally. After they are updated to a newer version, they restart sending monitoring data to the Server.

Client Tray Icon Parameter

The Client tray icon is displayed to notify the users that their actions are being monitored when they log into the Client computer and while they are working on it. This feature can be enabled during Clients installation and editing in the Management Tool.

If the Display Client tray icon option is enabled, the Client will display a tray notification to inform the logged-in users that they are being monitored by a Server.

Custom Path for Client Installation Folder Parameter

During remote Client installation or generation of Client installation package, you can define a custom path for the Client installation folder. You can use the environment variables (%programfiles%, %appdata%, %temp%, etc.). If the defined location is not accessible or write-protected, the Client is installed to <systemdisk>\Program Files\Ekran System\Ekran System.

Offline Cache Size Parameter

If there is no connection with the Server, the Client writes monitoring data to a local cache and automatically sends it to the Server as soon as the connection is restored.

The Offline cache size (MB) parameter allows you to define the size of the Client offline cache. It can be defined during remote Client installation or generation of Client installation package. The default value is 500 MB. When the amount of monitoring data reaches the defined limit, the Client stops writing to the offline cache.

You can adjust the Offline cache size (MB) value via the Windows Registry Editor any time by selecting the HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key and modifying the LocalCacheLimit value.

User Activity Recording Parameters

Screenshots and associated metadata like an active window title, URL, text data, etc. are the main results of the Windows Client monitoring.

You can define the following user activity recording parameters for the Client:
• Screenshot settings:
    o Enable screenshot creation along with user activity recording: This option allows you to enable the screenshot creation. If this option is not selected on the Client, only metadata (active window title, URL, text data, etc.) will be monitored and recorded.
    o Capture active window only: By default, screenshots of the complete screen are created. If this option is selected, only the current active window will be displayed on a screenshot. It is recommended to use this option along with the application filtering to fully prevent sensitive data from being monitored.

    o Bit depth: By default, screenshots are grayscale with 4 bit colour depth. This guarantees the smallest database size with a normal screenshot quality. You can also set colour depth to 8 bits or 24 bits.
• Frequency settings for user activity recording: These options allow you to define how often the user activity on the Client computer will be captured. User activity recording can be triggered by the following events:
    o Time interval: User activity is captured with a certain time interval, irrespective of whether something changes on the screen or not. The minimal time interval is 30 seconds.
    o Active window change: User activity is captured on the change of the active window. For example, a new window opens (program starts), a new tab in the browser opens, any secondary window opens, etc. (influences the keystroke logging as well).
    o Active window title change: User activity is captured on the change of the name of the active window (influences the keystroke logging as well).
    o Clicking or key pressing: User activity is captured on each mouse click or keyboard key pressing. Please note, in this mode, by default, the recorded user activity is sent no more often than once in 3 seconds to avoid affecting the performance of the Client computer and increasing the database size.

Keystroke Logging Parameter

If the Enable keystroke logging option is enabled, the Windows Client logs users' keystrokes.

The Windows Client logs the following types of keystrokes:
• Character keys: Keys that contain alphabet symbols (upper or lower case), numerals (0-9), all kinds of punctuation symbols, and space.
• Modifiers: This group of keys includes Control key, Shift key, Alt key, and Windows key.

• Navigation and typing modes: The arrow keys, Home/End, Page Up/Page Down, Tab, Insert, Delete/Backspace, Enter, and Lock keys (Num Lock, Scroll Lock, and Caps Lock).
• System commands: Print Screen, Menu, Escape, and Break/Pause key.
• Function keys: Keys that perform some functions, such as printing or saving files. Usually, they are labelled as F1-F12 and are located along the top of the keyboard.

The logged text data is displayed in the Text Data column in the Session Player.

Start Monitoring on Keyword Parameter

If the Start monitoring after detecting one of the following keywords option is enabled, the Client starts recording the user activities only after the user enters one of the specified keywords. The Client continues recording the user activities until the session is finished. A new session will be recorded after detecting one of the specified keywords again.

For the sessions start to be triggered by specific words or phrases, define them separating from each other with comma (,), semicolon (;), or paragraph. The words in phrases must be always separated with spaces.

Clipboard Monitoring Parameter

The clipboard monitoring allows you to monitor the Cut, Copy, and Paste operations performed on the Client computers.

If the Enable clipboard monitoring option is enabled, the Client logs the text data, which has been copied or cut, and then pasted by using either the context menu commands or such key combinations as Ctrl+C, Ctrl+X, Ctrl+Ins, Shift+Del. For more information, see the Viewing clipboard text data chapter.

Register IDLE event Parameter

If the Register IDLE event when user is inactive option is enabled, the idle event is registered when there is no Client activity, i.e. mouse moving and key pressing more than the Timeout (min) value. The default timeout is 15 minutes.

Detect system IDLE event Parameter

If the Detect system IDLE event option is enabled, the idle event is registered in two cases:
• On computers with Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2016, Windows Server 2012, and Windows Server 2008: If the user is inactive for more than 15 minutes, computer is in sleep or hibernation modes, or the screen is set to be turned off automatically.
• On computers with Windows XP and Windows Server 2003: If the computer is in sleep or hibernation modes, or the screen is set to be turned off automatically.

Monitoring Log Parameter

Monitoring logs are text files created on the Client computer.

If the Enable creating log files of the monitored events option is enabled, two log files will be created on the Client computer:
• Client_<yyyy_mm_dd>: The log includes the following information on monitored activities on the Client computer: activity time, Client computer name (host name), user name, session ID, activity title, and application name.
• Login_<yyyy_mm_dd>: The log includes the following information on all user logins to the Client computer: login time, Client computer name (host name), and user name.

Both logs are stored in the user defined location. You can use the environment variables (%appdata%, %temp%, etc.) when defining the path. If this location is not accessible or write-protected, logs are saved to <systemdisk>\ProgramData\Ekran System\MonLogs.

If you change the log files location via the Management Tool, the new log files will be created in the defined location and the old log files (if any) will remain in the previous location.

NOTE: Please do not confuse monitoring logs with Client activity logs (service logs for internal use) stored in <client installation folder>\ActivityLogs.

Parameters examples:

Do not create monitoring logs
    .ini file parameters:
        [ActivityLogsParameters]
        MonLogging=0
        LogPath=
    Parameters set in Management Tool:
        On the Monitoring options tab, make sure that the Enable creating log files of the monitored events option is not selected.

Create monitoring logs in the default location %ProgramData%\EKRAN\MonLogs
    .ini file parameters:
        [ActivityLogsParameters]
        MonLogging=1
        LogPath=
    Parameters set in Management Tool:
        On the Monitoring options tab, make sure that the Enable creating log files of the monitored events option is selected.

Create monitoring logs in the C:\1\Logs folder
    .ini file parameters:
        [ActivityLogsParameters]
        MonLogging=1
        LogPath=C:\1\Logs
    Parameters set in Management Tool:
        On the Monitoring options tab, do the following:
        1. Select the Enable creating log files of the monitored events option.

        2. In the Log files creation field, type C:\1\Logs.

Create monitoring logs in the <current user profile>\AppData\EKRAN_Logs
    .ini file parameters:
        [ActivityLogsParameters]
        MonLogging=1
        LogPath=%AppData%\EKRAN_Logs
    Parameters set in Management Tool:
        On the Monitoring options tab, do the following:
        1. Select the Enable creating log files of the monitored events option.
        2. In the Log files creation field, type %AppData%\EKRAN_Logs.

URL Monitoring Parameters

The URL monitoring option enables recording the text entered in the browser address line at the moment of screenshot creation and allows the investigator to receive information about websites visited by the user of the Client computer. This feature also allows you to set an alert to send notifications each time when the user opens the forbidden URL.

The monitored URL addresses are displayed in the Management Tool on the Session Viewer page in the URL column and in the Details pane.

If the Enable URL monitoring option is selected in the Management Tool, you can also select the Monitor top and second-level domain names only option. In this case only the main part of the URL (e.g., example.com) will be monitored.

There are several restrictions for the URL monitoring option in the current version of the program:
• Only URLs from the standard browsers (Firefox, Chrome, Opera, and Internet Explorer) are monitored.
• URLs from Metro versions of browsers Chrome/Internet Explorer are not monitored.
• If there is no address line in the browser (e.g., due to user's settings), URLs are not monitored.
• Unicode symbols in domain names (e.g., Russian) are not monitored.
• URLs entered in web anonymizers are not monitored. Please note that proxy server anonymizers are supported.

Parameters examples:

URL monitoring disabled
    .ini file parameters:
        [AgentParameters]
        URLMonitoring=0
        MonitorTopDomain=0
    Parameters set in Management Tool:
        On the Editing Client page, on the Monitoring Options tab, clear the Enable URL monitoring option.
    Example of monitored data (activity title):
        John Doe - Google Chrome

URL monitoring enabled
    .ini file parameters:
        [AgentParameters]
        URLMonitoring=1
        MonitorTopDomain=0
    Parameters set in Management Tool:
        On the Editing Client page, on the Monitoring Options tab, select the Enable URL monitoring option.
    Example of monitored data (activity title):
        John Doe - Google Chrome (URL: https://facebook.com/John.doe)

URL monitoring enabled, top and second-level domain names only
    .ini file parameters:
        [AgentParameters]
        URLMonitoring=1
        MonitorTopDomain=1
    Parameters set in Management Tool:
        On the Editing Client page, on the Monitoring Options tab, select the Enable URL monitoring option, then select the Monitor top and second-level domain names only option.
    Example of monitored data (activity title):
        John Doe - Google Chrome (URL: https://facebook.com)

Application Filtering Parameters

Application filtering allows you to reduce the amount of information received from the Windows Client by defining applications whose data will be skipped during the monitoring.

The applications are identified by name or window title. Both parameters are combined with OR logic, i.e., if activity meets at least one of conditions, it's recorded in the Include mode or skipped in the Exclude mode.

Application filtering is recommended to be used along with the enabled Capture active window only option to fully prevent sensitive data from being monitored.

The Application filtering can be in one of three states:
• Disabled: User activity in all applications is monitored (screenshots are created and keystrokes are logged).
• Include: User activity in predefined applications is monitored. Information on all other activity is skipped. This mode allows you to enable monitoring only of the important applications.
• Exclude: User activity in all applications except predefined ones is monitored. This mode allows you to skip information about user activity in non-suspicious applications (for example, Word).

Parameters examples:

Monitor all data without applying filters
    .ini file parameters:
        [FilterParameters]
        FilterState=disable
        FilterAppTitle=
        FilterAppName=
    Parameters set in Management Tool:
        On the Application Filtering tab, in the Filter State box, select Disabled.

Monitor only data from all applications containing Facebook or Gmail in the title
    .ini file parameters:
        [FilterParameters]
        FilterState=include
        FilterAppTitle=Facebook,Gmail
        FilterAppName=
    Parameters set in Management Tool:
        On the Application Filtering tab, do the following:
        • In the Filter State box, select Monitor only activity matching defined parameters.
        • In the Active window title contains box, type Facebook, Gmail.

Monitor only data from all applications containing Firefox or Internet in the application names
    .ini file parameters:
        [FilterParameters]
        FilterState=include
        FilterAppTitle=
        FilterAppName=Firefox,Internet
    Parameters set in Management Tool:
        On the Application Filtering tab, do the following:
        1. In the Filter State box, select Monitor only activity matching defined parameters.
        2. In the Application name contains box, type Firefox, Internet.

Monitor only data from applications containing Firefox, Chrome or Internet in the application names (any title) and applications with the Facebook word in the title (any name)
    .ini file parameters:
        [FilterParameters]
        FilterState=include
        FilterAppTitle=Facebook
        FilterAppName=Firefox,Chrome,Internet
    Parameters set in Management Tool:
        On the Application Filtering tab, do the following:
        1. In the Filter State box, select Monitor only activity matching defined parameters.
        2. In the Application name contains box, type Firefox, Chrome, Internet.
        3. In the Active window title contains box, type Facebook.

Monitor all data except data from applications containing words Work or Doc in the title
    .ini file parameters:
        [FilterParameters]
        FilterState=exclude
        FilterAppTitle=work,doc
        FilterAppName=
    Parameters set in Management Tool:
        On the Application Filtering tab, do the following:
        1. In the Filter State box, select Monitor all activity except.
        2. In the Active window title contains box, type Work, doc.

Monitor all data except data from applications containing words Word or Excel in the application names
    .ini file parameters:
        [FilterParameters]
        FilterState=exclude
        FilterAppTitle=
        FilterAppName=word,excel
    Parameters set in Management Tool:
        On the Application Filtering tab, do the following:
        1. In the Filter State box, select Monitor all activity except.
        2. In the Application name contains box, type Word, Excel.

Monitor all data except data from applications containing the Word word in the application name or the doc word in the title
    .ini file parameters:
        [FilterParameters]
        FilterState=exclude
        FilterAppTitle=doc
        FilterAppName=word
    Parameters set in Management Tool:
        On the Application Filtering tab, do the following:
        1. In the Filter State box, select Monitor all activity except.
        2. In the Application name contains box, type Word.
        3. In the Active window title contains box, type doc.

User Filtering Parameters

User filtering allows you to reduce the amount of information received from the Windows Client by defining computer users whose data will be skipped during the monitoring. User filtering affects both primary and secondary users.

The User filtering can be in one of three states:
• Disabled: Activity of all users is monitored.
• Include: Activity of predefined users is monitored. Information on the activity of all other users is skipped.
• Exclude: Activity of all users except predefined ones is monitored. This mode allows you to skip information about the activity of particular users (for example, administrator).

You can define user names for filtering entering them manually or by clicking Add Users and selecting users from the list.

When you enter user names manually, they must be entered as <domain name>\<user name> and separated with comma (,), semicolon (;), or paragraph. You can also use asterisk (*) as name/domain mask (e.g., *\administrator or *\admin*).

When you click Add Users, the Adding Users page opens. Please note, only those users whose activities have already been monitored are listed. Select the user names to be added and click Add selected.

NOTE: If you select a user with the Forced User Authentication on the Adding Users page, e.g., WORK\janet (jan), you need to change parentheses in the User names box to semicolon, i.e., WORK\janet;jan.

Parameters examples:

.ini File Parameters / Parameters Set in Management Tool

Monitor all user activity without applying filters

.ini File Parameters:
[FilterParameters]
UserFilterState=disable
UserFilterNames=

Parameters Set in Management Tool:
On the User Filtering tab, in the Filter State box, select Disabled.

Monitor only the activity of the janet user or joe user in the work domain

.ini File Parameters:
[FilterParameters]
UserFilterState=include
UserFilterNames=WORK\janet,WORK\joe

Parameters Set in Management Tool:
On the User Filtering tab, do the following:
• In the Filter State box, select Monitor only activity of selected users.
• In the User names box, enter work\janet,work\joe manually or select the users from the list.

Monitor the activity of all users except the users with administrator login (both local and domain)

.ini File Parameters:
[FilterParameters]
UserFilterState=exclude
UserFilterNames=*\administrator

Parameters Set in Management Tool:
On the User Filtering tab, do the following:
• In the Filter State box, select Monitor activity of all users except.
• In the User names box, enter *\administrator, using asterisk (*) as a name/domain mask.

Monitor only the activity of the janet Ekran system user name used for secondary authentication

.ini File Parameters:
[FilterParameters]
UserFilterState=include
UserFilterNames=WORK\janet;janet

Parameters Set in Management Tool:
On the User Filtering tab, do the following:
• In the Filter State box, select Monitor only activity of selected users.
• In the User names box, enter work\janet;janet manually or select the user from the list.

Monitoring Time Filtering Parameters

Monitoring time filtering allows you to reduce the amount of information received from the Windows Client by defining the days of the week and hours during which the Client will record the user activity.

The Monitoring time filtering can be in one of three states:
• Disabled: User activity is recorded twenty-four seven.
• Include: User activity is recorded only on defined days of the week and during the defined hours. User activity outside the defined days of the week and hours is not recorded.
• Exclude: User activity outside the defined days of the week and hours is recorded. User activity is not recorded on defined days of the week and during the defined hours.

NOTE: In the .ini file, the monitoring hours must be defined in the 24-hour time format only.

Parameters examples:

.ini File Parameters / Parameters Set in Management Tool

Record all user activity without applying filters

.ini File Parameters:
[FilterParameters]
MonitorTimeFilterState=disable
MonitoringDays=
MonitoringHours=

Parameters Set in Management Tool:
On the Monitoring Time Filtering tab, in the Filter State box, select Disabled.

Record user activity only on Monday, Tuesday, Wednesday, Thursday, and Friday from 8 AM to 6 PM

.ini File Parameters:
[FilterParameters]
MonitorTimeFilterState=include
MonitoringDays=Mon, Tue, Wed, Thu, Fri
MonitoringHours=8:00-18:00

Parameters Set in Management Tool:
On the Monitoring Time Filtering tab, do the following:
• In the Filter State box, select Monitor only during the defined hours.
• Select the Monday, Tuesday, Wednesday, Thursday, and Friday options.
• In the From drop-down list, select the 8 AM option.
• In the To drop-down list, select the 6 PM option.

Do not record user activity on Friday and Saturday

.ini File Parameters:
[FilterParameters]
MonitorTimeFilterState=exclude
MonitoringDays=Fri, Sat
MonitoringHours=00:00-23:59

Parameters Set in Management Tool:
On the Monitoring Time Filtering tab, do the following:
• In the Filter State box, select Monitor only outside the defined hours.
• Select the Friday and Saturday options.
• In the From drop-down list, enter the 12 AM value.
• In the To drop-down list, enter the 11:59 PM value.

Forced User Authentication Parameter

Forced User Authentication provides a method for an additional identification of users that log in to the Client computer.

If the Enable secondary user authentication on log-in option is enabled, the Client will display the secondary authentication window on the user login to Windows.

NOTE: Forced User Authentication can only be enabled during Client editing in the Management Tool.
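The application, user and monitoring time filters in [FilterParameters] decide what a Client never records, so they are worth reviewing as monitoring blind spots. The Python example below is added here and is not Ekran System code: it evaluates constructed events against a constructed .ini sample, and it assumes case-insensitive substring and mask matching, that an event is recorded only if all three filters pass, and that the end of MonitoringHours is inclusive.

```python
import configparser
import fnmatch
import re
from datetime import datetime

# Constructed sample; parameter names and values follow the tables on this page.
SAMPLE_INI = r"""
[FilterParameters]
FilterState=exclude
FilterAppTitle=
FilterAppName=word,excel
UserFilterState=exclude
UserFilterNames=*\administrator
MonitorTimeFilterState=include
MonitoringDays=Mon, Tue, Wed, Thu, Fri
MonitoringHours=8:00-18:00
"""

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order


def load_filters(text):
    """Return the [FilterParameters] section as a dict with lower-cased keys."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser["FilterParameters"])


def _items(value):
    """Split a comma, semicolon or newline separated value into lower-cased entries."""
    return [v.strip().lower() for v in re.split(r"[,;\n]", value or "") if v.strip()]


def _decide(state, matched):
    """disable: always monitored; include: only matches; exclude: all but matches."""
    state = (state or "disable").strip().lower()
    if state == "disable":
        return True
    if state in ("include", "exclude"):
        return matched if state == "include" else not matched
    raise ValueError(f"unknown filter state: {state!r}")


def app_monitored(f, app_name, title):
    """A name match OR a title match counts as a hit (assumed case-insensitive)."""
    hit = (any(n in app_name.lower() for n in _items(f.get("filterappname")))
           or any(t in title.lower() for t in _items(f.get("filterapptitle"))))
    return _decide(f.get("filterstate"), hit)


def user_monitored(f, primary, secondary=None):
    """Masks are tried against the primary and, if present, the secondary user."""
    names = [u.lower() for u in (primary, secondary) if u]
    masks = _items(f.get("userfilternames"))
    hit = any(fnmatch.fnmatchcase(u, m) for u in names for m in masks)
    return _decide(f.get("userfilterstate"), hit)


def time_recorded(f, when):
    """Hit = listed day AND inside the 24-hour HH:MM-HH:MM window (end inclusive, assumed)."""
    days = [d[:3] for d in _items(f.get("monitoringdays"))]
    hours = (f.get("monitoringhours") or "").strip() or "00:00-23:59"
    m = re.fullmatch(r"(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})", hours)
    if not m:
        raise ValueError("MonitoringHours must be HH:MM-HH:MM in 24-hour format")
    h1, m1, h2, m2 = map(int, m.groups())
    minute = when.hour * 60 + when.minute
    hit = DAYS[when.weekday()] in days and h1 * 60 + m1 <= minute <= h2 * 60 + m2
    return _decide(f.get("monitortimefilterstate"), hit)


def blind_spots(f, events):
    """Return (event label, [filters that drop it]) for every event not recorded."""
    gaps = []
    for label, user, secondary, app, title, when in events:
        dropped = [name for name, ok in (
            ("application", app_monitored(f, app, title)),
            ("user", user_monitored(f, user, secondary)),
            ("time", time_recorded(f, when))) if not ok]
        if dropped:
            gaps.append((label, dropped))
    return gaps


# Constructed events: (label, primary user, secondary user, application, title, time).
EVENTS = [
    ("janet edits a document", r"WORK\janet", None, "WINWORD.EXE",
     "Report.docx - Word", datetime(2024, 3, 4, 10, 0)),
    ("domain admin shell", r"WORK\administrator", None, "powershell.exe",
     "Windows PowerShell", datetime(2024, 3, 4, 10, 0)),
    ("local admin shell", r"SRV01\Administrator", None, "cmd.exe",
     "Command Prompt", datetime(2024, 3, 5, 9, 0)),
    ("janet browses at night", r"WORK\janet", None, "firefox.exe",
     "Gmail", datetime(2024, 3, 9, 23, 0)),
    ("janet browses at work", r"WORK\janet", None, "firefox.exe",
     "Gmail", datetime(2024, 3, 5, 9, 30)),
]

if __name__ == "__main__":
    for label, dropped in blind_spots(load_filters(SAMPLE_INI), EVENTS):
        print(f"not recorded: {label} (dropped by: {', '.join(dropped)})")
```

With this sample, both administrator sessions fall outside monitoring because of the exclude mask, which is the kind of gap to look for when reviewing a Client's filter settings.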

Two-Factor Authentication Parameter

Two-Factor Authentication option allows you to require the users to additionally enter the time-based one-time passwords (TOTP) generated via their mobile applications (i.e., Google Authenticator) to log in to the Client computers.

If the Enable two-factor authentication option is enabled, the Client will display the additional TOTP window on the user login to Windows.

NOTE: Two-Factor Authentication can be enabled only during Client editing in the Management Tool.

Additional Message on User Login Parameter

The additional message on user login allows you to inform the user that their actions are being monitored and also notify them about corporate policies or the country law.

If the Enable displaying additional message option is enabled, the Client will display the additional notification message on the user login to Windows. After the user confirms acknowledging the message, they will be allowed to start working with the system.

For more information, see the Enable displaying additional message chapter.

User’s Comment Parameter

The user’s comment option allows you to require the user to comment on the additional message displayed on login in order to allow the Ekran System administrator to be informed about the user activity. The user’s comment option is available only if the Enable displaying additional message option is selected.

If the Require user’s comment option is enabled, the Client will prompt the user to comment on the additional message displayed on login. After the user enters a comment, they will be allowed to log in and continue working.

For more information, see the Enabling user’s comment option chapter.

Ticket Number Parameter

The ticket number option allows you to require the user to enter a valid ticket number created in the integrated ticketing system to start working with the Client computer. The ticket number option is available only if the Require user’s comment option is selected.

If the Require ticket number option is enabled, the Client will prompt the user to enter a valid ticket number in the additional message window displayed on login. After the user enters a valid ticket number and comments on the additional message, they will be allowed to start working with the system.

NOTE: The Require ticket number option is available only if you have an activated Enterprise serial key.

Editing Windows Client Configuration

You can edit the Client configuration for online and offline Clients. The configuration for online Clients will be applied immediately. The configuration for offline Clients will be applied as soon as the Client goes online.

The newly installed Clients have Custom configuration that can be edited for each Client individually. When the Clients are added to the group, they can either still have their Custom configuration or they can inherit configuration from the group. If the group configuration is changed, the Client configuration that is inherited from this group is changed as well.

To edit the Windows Client custom configuration, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Windows Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
NOTE: If you do not have the Client configuration management permission for this Client, the configuration options will be disabled.
4. On the Editing Client page, on the Properties tab, do the following:
• Optionally, define the description for the Client.
• Select the type of settings to be applied to the Client:
o If the Custom settings type is selected, you can edit all Client settings.
o If the Inherited from <Client group> settings type is selected, the Client settings are inherited from the selected Client group and these settings cannot be changed.
• Select the type of license to be assigned to the Client.
• Select the Enable protected mode option if you want to enable protected mode.
NOTE: The Client mode will be changed after reboot of the Client computer.
• Select the Display Client tray icon option if you want to display the Client tray icon to the user.
• Select the Update Client automatically option if you want the Client to be updated automatically.

5. On the User Activity Recording tab, do the following:
• Define user activity recording frequency.
• Define the screenshot creation settings.
6. On the Monitoring Options tab, do the following:
• Select the Enable keystroke logging option to enable the keystroke logging.
• Select the Start monitoring after detecting one of the following keywords option if you want the Client to start recording the user activities only after the user enters one of the specified keywords on the Client computer.
• Select the Enable clipboard monitoring option to enable monitoring of the Windows Clipboard text data.
• Select the Enable creating log files of the monitored events option to enable creation of monitoring logs on the Client computer and define log files location.
• Select the Enable URL monitoring option to receive information about websites visited by the user of the Client computer.
• Select the Monitor top and second-level domain names only option to monitor only the main part of the URL (e.g., example.com).
• Select the Detect system IDLE event option to enable registering the idle events if the user is inactive for more than 15 minutes, computer is in sleep or hibernation modes, or the screen is set to be turned off automatically.
• Select the Register IDLE event when user is inactive option to enable the idle event registering when there is no Client activity, i.e. mouse moving and key pressing more than the Timeout (min) value. The default timeout is 15 minutes.

7. On the Application Filtering tab, define the application filtering parameters for the Client.
8. On the User Filtering tab, define the user filtering parameters for the Client.
9. On the Monitoring Time Filtering tab, define the monitoring time filtering parameters for the Client.

10. On the Authentication Options tab, do the following:
• Select the Enable secondary user authentication on log-in option if you want to enable the additional authorization for users that log in to the Client computer.
• Select the Allow using one-time password option if you want to allow users to use one-time passwords to login to the Client computer. Then define the email address of the administrator to receive users’ requests. You can define several email addresses separating them with a semicolon (;).
• Select the Enable two-factor authentication option if you want to require the users to enter the time-based one-time passwords to log in to the Client computer.
• Select the Enable displaying additional message option if you want to enable additional message on user login, and then enter the message to be displayed to a user.
• Select the Require user’s comment option if you want the user to comment on the additional message displayed on login.
• Select the Require ticket number option if you want the user to enter a valid ticket number to start working with the system.
11. After defining the configuration, click Next to proceed to defining Client Groups to which the Client belongs, permissions on working with it, and alerts assigned to the Client.
12. Click Finish to accept the changes. A new configuration will be immediately applied to the Client.

Viewing Windows Client Configuration

The Windows Client configuration can be viewed by a user that has an administrative Client installation and management permission or any Client permission.

To view the Windows Client configuration, do the following:
1. Log in to the Management Tool.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the required Client and click Edit Client.
4. On the opened page, you will see the tabs with the corresponding configuration parameters.

Forced User Authentication on Windows Clients

About

If the Client is installed on the computer with Windows operating system and several users may use the same account to log in to this computer, it is important to identify the person using the account. The identification can be performed by means of Forced User Authentication, which requires the user to enter additional credentials in the pop-up dialog after logging in.

The user can either enter the credentials of the Ekran System user, which has the Access Client computer permission, or use their email and the generated one-time password (if such option is enabled for the Client computer). The secondary login will then be displayed in the Client Sessions list in brackets next to the primary login under which the user is logged in to Windows.

The forced user authentication works only if there is a connection between the Client computer and the Server computer. If the connection with the Server computer is lost (the Server is unavailable), the pop-up dialog for entering secondary credentials will not be displayed.

NOTE: In some situations (e.g., after the forced restart) the Client service does not start during one minute after the computer turning on. In these situations forced authentication will not work.

Enabling Forced User Authentication on Windows Client

The Forced User Authentication parameter can be set only during Client editing and is available for the Clients installed on the computers with Windows operating system.

To enable Forced User Authentication on the Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to enable Forced User Authentication, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Editing Client page, on the Authentication Options tab, select the Enable secondary user authentication on log-in option.
5. Optionally, select the Allow using one-time password option and enter the administrator email address into the Send emails to box. You can enter several email addresses, separating them with a semicolon (;). The requests for the one-time passwords will be sent on the specified email addresses.
NOTE: The one-time password feature is available only if you have an activated Enterprise serial key.

6. Click Finish.

NOTE: Forced user authentication does not work on Windows XP operating system. If the Client is installed on Windows Server 2003, the computer must be restarted after enabling or disabling the forced authentication mode. On other Windows versions the forced authentication mode is enabled immediately.

Granting User Permission to Log In

To grant an Ekran System user a permission to log in to the Client computer with enabled forced user authentication, do the following:
1. Log in to the Management Tool as a user with the administrative User management permission.
2. Edit the Active Directory or internal user who will log into the Client computer to the system or add a new one.
3. During the user adding/editing, on the Client Permissions tab, click Edit Permissions for the required Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. In the opened Client Permissions window, select the Access Client computer option and then click Save.
5. Click Finish.

Managing One-Time Passwords

About

The one-time password can be generated either on user’s request or without it by the Ekran System user with the Client configuration management permission.

The one-time password option can be enabled only along with the forced user authentication option during Client editing in the Management Tool.

NOTE: The one-time password option is available only if you have an activated Enterprise serial key.

Generating One-Time Password

Generating One-Time Password on User Request

When the user requests a one-time password for logging into the Client computer, the user request is sent to the email address of the administrator defined for the Client in the Client configuration.

NOTE: For the administrator to receive the email requests correctly, make sure that on the Authentication Options tab of the Clients the valid email addresses are defined.

To generate a one-time password using the email link, open the received email with a request for a one-time password and click the navigation link for the password generation. The one-time password is automatically generated and sent to the user email address.

To generate a one-time password via the One-Time Passwords page, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-Time Passwords tab.
4. On the Access Management page, on the One-time Password tab, the requested password is displayed with the Requested state.
5. On the One-Time Passwords tab, click the Generate link for the user request with the Requested state. The one-time password will be automatically generated and sent to the user’s email address.

Generating One-Time Password without User Request

To generate a one-time password without user request, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-Time Passwords tab.
4. On the One-Time Passwords tab, click Generate Password.
5. The One-Time Password Generation window opens.
6. Enter the following parameters and then click Generate:
• Client name: Select the needed Client from the list.
• User name: Optionally, enter the user name.

• User’s confirmation email: Define the user email address, on which the generated one-time password will be sent.
• Comment: Enter your own comment or leave the default one. The default comment is “Generated without request”.
7. The one-time password is generated and sent to the specified email address.

Viewing One-Time Passwords

On the Access Management page, on the One-time Passwords tab, the grid with the following information is displayed:
• Time Requested: Displays the date and time the one-time password was requested. For one-time passwords, which were generated without the user’s request, the N/A value is displayed.
• Client Name: Displays the name of the Client computer for which the one-time password was requested or generated.
• Login: Displays the name of the user who requested a one-time password to log into the Client computer.
• User: Displays the user name of a user for which the one-time password was generated.
• User’s Email: Displays the user email address for the one-time password to be sent to.
• Comment: Displays the user’s comment entered in the Request Password window or admin’s comment entered in the One-time Password Generation window.
• State: Displays the current state of the one-time password. It can be Requested, Generated & Sent, Sending Failed, Used, Expired, or Manually Expired.
• Generated by: Displays the name of the administrator who generated the one-time password.
• Time Generated: Displays the date and time the one-time password was generated. It is empty for the one-time password with the Requested state.
• Time Used: Displays the date and time when the one-time password was used. It is empty for not used passwords that are not expired. For expired passwords, the N/A value is displayed.

The one-time password can have one of the following states:

State / Description / Possible Actions

State: Requested
Description: The user has requested a one-time password, but it has not been generated yet.
Possible Actions:
• Generate: Allows auto-generating and sending of the one-time password.

State: Generated & Sent
Description: The one-time password has been generated and sent to the user, but the user has not used it yet and the password has not auto-expired.
Possible Actions:
• Expire: Allows terminating a one-time password manually.
• Resend Email: Allows resending the previously sent email.

State: Sending Failed
Description: The one-time password has been generated, but the email sending has failed.
Possible Actions:
• Expire: Allows terminating a one-time password manually.

• Resend Email: Allows resending the previously sent email.

State: Used
Description: The one-time password has been generated and sent to the user, and the user has used it.
Possible Actions:
• Open Session: Allows opening a session of the user logged into the Client computer with a one-time password.

State: Expired
Description: The one time password has been generated and sent to the user, but the user has not used it during 24 hours.

State: Manually Expired
Description: The generated one-time password has been manually terminated by the administrator.

Resending the Email

To resend the email with the generated one-time password, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-time Passwords tab.
4. On the One-time Passwords tab, click the Resend Email link for the target one-time password.
5. In the confirmation message, click OK.
6. A new one-time password is generated and sent to the user’s email address.

NOTE: You can resend the emails with one-time passwords with the Generated & Sent or Sending Failed states only.

Terminating One-Time Password Manually

In case the one-time password has been generated for the wrong user or sent to the wrong email address, you can terminate it manually.

To terminate a one-time password manually, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the One-time Passwords tab.
4. On the One-Time Passwords tab, click the Expire link for the target one-time password.

5. In the confirmation message, click OK.
6. The state of the one-time password changes to Manually Expired and the user will not be able to use it.

NOTE: You can manually terminate the one-time passwords with the Generated & Sent or Sending Failed states only.

Logging In

Logging in Using Ekran System User Additional Credentials

The process of logging in to the Client computer with enabled forced user authentication is performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. On the user login to Windows, the Client displays the secondary authentication window requesting a user to enter their secondary credentials.
3. The user enters the credentials of the Ekran System user that has the Access to Client computer permission.
4. These credentials are sent to the Server and the Server returns the response on whether the access to this computer is allowed.
5. If the user has the required permission for the Client computer and their entered credentials are correct, the user is allowed to continue working with the System. In other case, the user will receive a corresponding message.
6. As soon as the user starts working with the system, the Client will start recording their activity and the user’s name will be displayed in the Management Tool on the Monitoring Results page in the User name column in brackets: <logged in Windows user> (<forced authentication user>).

Logging in Using One-Time Password

The process of logging in to the Client computer with enabled forced user authentication and the one-time password option is performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. On the user login to Windows, the Client displays the secondary authentication window requesting a user to enter their credentials or a one-time password.
3. The user enters their email address into the Login box and the one-time password received via email into the Password box.
4. These credentials are sent to the Server and the Server returns the response on whether the access to this computer is allowed.
5. If the entered email address and the one-time password are correct and the one-time password was generated for this Client computer and for this primary Windows user, the user is allowed to continue working with the System. In other case, the user will receive a corresponding message.
6. As soon as the user starts working with the system, the Client will start recording their activity and the user’s email will be displayed in the Management Tool in the Client Sessions

list in the User name column in brackets: <logged in Windows user> (<user’s email address>).

NOTE: After the one-time password has been used, it is automatically terminated and cannot be used to log into the Client computer again.

Requesting One-Time Password

While logging into the Client computer with the enabled forced user authentication and a one-time password option, the user can request a one-time password to get a temporary access to the Client computer, as follows:
1. In the secondary authentication window, the user clicks Request Password.
2. In the opened Request Password window, the user enters their email address and then, optionally, enters a comment to be displayed to the administrator.
3. The user clicks Request.
4. The request is sent to the Ekran System administrators’ email addresses defined for the Client while turning on the one-time password option.
5. The administrator will generate a one-time password and the generated password will be sent to the email address defined in the Request Password window.
6. In a while, the user checks the email box for email with the generated password. In case the email with the generated password has not been received, the user can request it again.

NOTE: The one-time password for logging into the same Client computer cannot be requested more often than once per hour.

The received one-time password can be used only once during 24 hours since its generation and only for logging into the Client computer from which it has been requested. If the user does not use a one-time password during 24 hours, it automatically expires.

Login Approved by Administrator

About

The Administrator’s Approval on Login feature allows you to better protect the Client computers from undesired access. You can create a list of users whose access to the Client computers will be restricted. Such users will be able to log in to the Client computers only with the approval of the administrator.

The Administrator’s Approval on Login feature works for computers with Windows operating system.
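The one-time password rules from the preceding sections (the states table, the 24-hour lifetime, single use, binding to the requesting Client computer and primary Windows user, and one request per Client per hour) can be read as a small state machine. The Python model below is an added illustration, not Ekran System code: class and function names are hypothetical, and it assumes that resending restarts the 24-hour lifetime and that only a password in the Generated & Sent state can be used to log in.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LIFETIME = timedelta(hours=24)         # unused passwords expire 24 hours after generation
REQUEST_INTERVAL = timedelta(hours=1)  # one request per Client computer per hour

# Possible actions per state, as listed in the states table.
ACTIONS = {
    "Requested": {"Generate"},
    "Generated & Sent": {"Expire", "Resend Email"},
    "Sending Failed": {"Expire", "Resend Email"},
    "Used": {"Open Session"},
    "Expired": set(),
    "Manually Expired": set(),
}


@dataclass
class OneTimePassword:
    client: str
    windows_user: str
    email: str
    state: str = "Requested"
    secret: Optional[str] = None
    generated_at: Optional[datetime] = None


class OtpModel:
    def __init__(self):
        self.passwords = []
        self.last_request = {}  # Client name -> time of its last request

    def request(self, client, windows_user, email, now):
        """User request from the secondary authentication window; None if throttled."""
        last = self.last_request.get(client.lower())
        if last is not None and now - last < REQUEST_INTERVAL:
            return None
        self.last_request[client.lower()] = now
        otp = OneTimePassword(client, windows_user, email)
        self.passwords.append(otp)
        return otp

    def _expire_if_old(self, otp, now):
        if otp.state == "Generated & Sent" and now - otp.generated_at >= LIFETIME:
            otp.state = "Expired"

    def act(self, otp, action, now, mail_delivered=True):
        """Administrator action; anything the states table does not list is rejected."""
        self._expire_if_old(otp, now)
        if action not in ACTIONS[otp.state]:
            raise ValueError(f"{action!r} is not possible in state {otp.state!r}")
        if action in ("Generate", "Resend Email"):
            # Resending issues a new password; restarting the lifetime is an assumption.
            otp.secret = secrets.token_urlsafe(12)
            otp.generated_at = now
            otp.state = "Generated & Sent" if mail_delivered else "Sending Failed"
        elif action == "Expire":
            otp.state = "Manually Expired"
        return otp.state

    def login(self, client, windows_user, email, secret, now):
        """Accept only an unexpired, unused password bound to this Client and Windows user."""
        for otp in self.passwords:
            self._expire_if_old(otp, now)
            if (otp.state == "Generated & Sent"
                    and otp.client.lower() == client.lower()
                    and otp.windows_user.lower() == windows_user.lower()
                    and otp.email.lower() == email.lower()
                    and hmac.compare_digest(otp.secret.encode(), secret.encode())):
                otp.state = "Used"  # single use
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through: request, generate, then try the password on another Client.
    t0 = datetime(2024, 3, 4, 9, 0)
    model = OtpModel()
    otp = model.request("PC-01", r"WORK\shared", "janet@example.com", t0)
    model.act(otp, "Generate", t0)
    print(model.login("PC-02", r"WORK\shared", "janet@example.com", otp.secret, t0))  # False
    print(model.login("PC-01", r"WORK\shared", "janet@example.com", otp.secret, t0))  # True
    print(otp.state)  # Used
```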

Approving User Access on Login

To ensure that particular users are able to log into the Windows Client computers only after the additional approval, do the following:
1. Define the administrator’s email address (one or several), to which the access requests will be sent.
2. Define the list of the restricted users required to get the administrator’s approval. During the next login, they will be able to start working with the Windows Client computers only with the approval of the administrator.
3. In the email sent to the defined address, grant or forbid the user the access to the Client computer.

Defining Email Address for User Access Approval

To define the administrator’s email address, to which the access requests will be sent, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, open the Email sending settings tab.
4. On the Email sending settings tab, define the administrator’s email address under Administrator Email. You can define several email addresses separating them with a semicolon (;).
5. Click Save.

Managing Restricted User List

Adding User to Restricted List

To add a user whose login into Windows Client computers must be approved by the administrator, do the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Restricted Users tab and then click Add User.
4. In the Add User window, select the user type and define the following information:
• For Active Directory user, define the domain name and user login.
• For Local computer user, define the computer name and user login.
• For Ekran user for secondary authentication, define the user login.
5. Click Save.
6. The user is added to the grid. The users will be required to get approval when logging into all Client computers.

Deleting User from Restricted List

To allow a user to log into Windows Client computers without administrator’s approval, do the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Restricted Users tab.
4. Click Delete user for the required user and then click OK in the confirmation message.
5. The user is deleted from the list and will be able to log in to Windows Client computers without administrator’s approval.

Logging In

The process of logging into the Client computer with the approval of the administrator is performed as follows:
1. The user logs in to the Windows computer with installed Client in a common way (locally or remotely).
2. If Forced User Authentication is enabled, the user enters their secondary credentials.
3. If the additional message on login is enabled, the user acknowledges it. Additionally, if the corresponding options are enabled, the user comments on the message and enters a valid ticket number.
4. An email with the request and user information is sent to the defined email address.
5. The administrator receives an email with the request. In the received email, the administrator clicks the Grant access hyperlink to allow the user to log in. If the user is not allowed to log in, the administrator clicks the Block access hyperlink and the user is logged out.

Privileged User Accounts

About

If you want to provide the temporary access to particular computer or computer group only without revealing credentials, you can add a privileged user. The account credentials are automatically generated, encrypted and stored in a Password Vault. Password is reset every time after the expiration date, it allows enhancing data access security.

Adding Privileged User

To add a new privileged user, do the following:
1. Log in to the Management Tool as a user with the administrative User Management permission.
2. Click the Access Management navigation link to the left.
3. On the Privileged Accounts page, click Add User.
4. The Privileged Accounts window appears.
5. Select the user type.
• For the Active Directory user select the user login and domain.

• For the Local computer user select the user login and computer name.
• For the Ekran System user select the user login.
6. Select a computer or computer group to access and domain.
NOTE: The selected domain must be the same as domain of user who gets access.
7. Select a domain group from which the account will inherit permissions.
8. Define the access expiration date.
9. Add comment, if necessary.
10. Click Grant Access.
11. The privileged account is generated in the selected domain user group.

Deactivating Privileged Account
To deactivate the privileged account, do the following:
1. Log in to the Management Tool as a user with the administrative User Management permission.
2. Click the Access Management navigation link to the left.
3. On the Privileged Accounts page, click Delete in the selected user row.
4. Click Delete in the confirmation window.
5. The privileged account of the selected user is deactivated.

Using Privileged Account
To access remote computer via Ekran System remote access application, do the following:
1. Enable jump server mode option on the Client.
2. The Client tray icon appears on the Client computer.
3. Click Remote Access in the Tray menu.
4. The Ekran System Remote Access app opens.
5. Select the computer from the drop-down list or enter its name/IP, click Connect.

6. Auto-logged remote access session under the temporary account starts.

Password Vault Configuration
To configure password vault, do the following:
1. Log in to the Management Tool as a user with the administrative Database Management permission.
2. Click the Database Management navigation link to the left.
3. On the Password Vault page, select Use password vault.
4. Define the instance, database name, user, and password.
5. Click Save.

the additional message will be displayed after the user enters the additional credentials in the secondary authentication window. Enabling Displaying Additional Message The additional message displaying can be enabled when editing Client/Client Group configuration and defining the Client settings during the remote installation or Client installation package generation for local installation. NOTE: The message can be up to 10 000 symbols. The Client tray icon is always displayed to the user. You can also enable the additional message option to set the message to be displayed to a user. When the Client is installed. you can enable the user’s comment option. To enable displaying the additional message when installing the Windows Client. If both forced user authentication and additional message features are enabled for the Windows Client. who must confirm acknowledging the message in order to log in to the computer. or shut down. the user will receive the default notification message on their login until the text of the message is changed when editing the Client. NOTE: The additional message and Client tray icon are not displayed for unlicensed Windows Clients. you can enable displaying the Client tray icon option in Management Tool. By default. select the Enable displaying additional message option on the Client configuration page (if the Client is to be installed remotely) or on the Generate Installation Package page (if the Client is to be installed via the installation package). The tray notification is displayed when:  The user logs in. You can enter the custom message to be displayed to users. the additional message text is: “According to company policy you must agree to the terms in order to continue working on this computer”. which will require the user to comment on the additional message displayed on login.Windows Clients Informing about Monitoring About If you want the user to be informed that their session will be monitored. 
 The user logs in via the remote connection. The additional message is displayed when:  Windows is started. In addition. restarted.  The user gets logged out or switched.  The user clicks the icon. 165 . The entered comments are displayed in the Client Sessions list.

To enable displaying the additional message when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Authentication options tab, select the Enable displaying additional message option, and then, optionally, enter the message to be displayed to a user.
5. Click Finish.

Enabling User’s Comment Option
The user’s comment option can be enabled when editing Client/Client Group configuration and defining the Client settings during the remote installation or Client installation package generation for local installation.
To enable the user’s comment option when installing the Windows Client, select the Enable displaying additional message option and then select the Require user’s comment option on the Client configuration page (if the Client is to be installed remotely) or on the Generate Installation Package page (if the Client is to be installed via the installation package).
To enable the user’s comment option when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Authentication options tab, select the Enable displaying additional message option, and then, optionally, enter the message to be displayed to a user. Select the Require user’s comment option.
5. Click Finish.

Enabling Displaying Client Tray Icon
The Client tray icon displaying can be enabled when editing Client/Client Group configuration and defining the Client settings during the remote installation or Client installation package generation for local installation.
When the option is enabled, the Client icon is displayed in the notification area of the Client computer. When the user clicks the icon, the notification displayed is the following: “Your actions are being monitored by <Server name>”
To enable displaying the Client tray icon when installing the Windows Client, select the Display Client tray icon option on the Client configuration page (if the Client is to be installed remotely)

If the user clicks I Agree. 6. and click Edit Client. the notification message will be displayed to the user after their login. When the Client is installed. the tray notification is displayed to the user. Log in to the Management Tool as a user with the Client configuration management permission. 4. contact our support team: support_team@ekransystem. they are allowed to continue working with the system. To find a specific Client. do the following: 1. To enable displaying the Client tray icon when editing the Windows Client. the notification message is displayed. 167 . After the user is logged in. If integration with ticketing systems is enabled. the user will be required to comment on the additional message to start working with the Windows Client computer.com. The user logs in to Windows in a common way (locally or remotely). If you want Ekran System to be integrated with any other ticketing system. the additional message will be shown to them every eight hours. NOTE: If the user logs in to the Citrix XenApp or Microsoft Shared App. Click Finish. If the Require user’s comment option is enabled. the Client prompts the user to enter the secondary credential. Click the Client Management navigation link to the left. On the Clients page. 4. Currently. integration with the SysAid ticketing system is available. 3. select the Display Client tray icon option. On the Properties tab. enter its name in the Contains box and click Apply Filters. the Client will prompt the user to enter a valid number of the not closed ticket in the additional message window displayed on login. 5. select the Client for which you want to edit the configuration. 3. The Client tray icon will be displayed on the next user login. 2. 5.Windows Clients or on the Generate Installation Package page (if the Client is to be installed via the installation package). If the Client tray icon displaying option is enabled for the Client. If the user clicks Cancel. 
Integration with Ticketing Systems About Integration with ticketing systems allows you to require the users to provide ticket numbers to start working with Windows Client computers. they return to the Windows login screen. NOTE: The integration with ticketing systems is available only if you have an activated Enterprise serial key. Logging In The process of logging in to the Windows Client computer with enabled additional message option is performed as follows: 1. If the Forced User Authentication is enabled. 2.

Enabling Ticket Number Option
The ticket number option can be enabled when editing Client/Client Group configuration and defining the Client settings during the remote installation or Client installation package generation for local installation.
To enable the ticket number option when installing the Windows Client, select the Enable displaying additional message and Require user’s comment options and then select the Require ticket number option on the Client configuration page (if the Client is to be installed remotely) or on the Generate Installation Package page (if the Client is to be installed via the installation package).
To enable the ticket number option when editing the Windows Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Authentication options tab, select the Enable displaying additional message and Require user’s comment options, and then the Require ticket number option.
5. Click Finish.

Logging In
The process of logging in to the Windows Client computer with enabled ticket number option is performed as follows:
1. The user logs in to Windows in a common way (locally or remotely).
2. If the Forced User Authentication is enabled, the Client prompts the user to enter the secondary credential.
3. After the user is logged in, the notification message is displayed.
4. The user enters a valid ticket number, comments on the additional message, and then clicks I Agree to start working with the system. If the user clicks Cancel, they return to the Windows login screen.
5. In the ticketing system, a comment is added to the corresponding ticket. It contains information on who and when logged in to the Client computer. Additionally, it contains the user’s comment entered in the additional message window and the link to the user session.

 A macOS Client with a Workstation Client license monitors either one local or remote session. the user activity is recorded every 3 seconds.  If there is no connection with the Server. It is recommended to have not less than 500MB of free space on the disk where the Client is installed to save data during the offline session. new live sessions automatically start. Monitoring via macOS Clients The macOS Clients work as follows:  Each macOS Client starts automatically on computer start. the Client stores the monitored data locally (default folder is /Library/Application Support/Ekran) and automatically sends it to the Server when the connection is restored. the user is logged out. 169 . the macOS Client starts recording user activity in a new session. the session status changes from Finished back to Live. After their termination (their status changes from Live to Finished). User activity recording triggers usually influence each other. The monitored data is sent to the Server and can be viewed via the Session Viewer in the Management Tool.  The session status becomes Finished whenever: the computer is turned off. the user activity is recorded every 10 seconds. the user activity is recorded on each mouse click or keyboard key pressing without using data sending time out.  Every time the computer is restarted. If the Record user activity on each event without timeout parameter is selected for the macOS Client.macOS Clients macOS Clients About macOS Client is a program that can be installed on the target computers to monitor the activity of their users. the user activity is recorded every 3 seconds. o If the user changes an active window. The maximum duration of one session can be 24 hours. It is not recommended to use this option for a large number of Clients and for a long period of time.  The frequency of user activity recording of the macOS Client is the following: o If the user is typing the text. or the macOS Client is disconnected from the Server. 
o If the user clicks a mouse. the macOS Client creates screenshots from all of them. though the average frequency of user activity recording is higher.  If a user works with several monitors. Whenever the macOS Client reconnects to the Server. At 00:00 all live sessions are terminated. WARNING! The Record user activity on each event without timeout option affects CPU usage on the Client computer and database size.

Installing macOS Client
About
You can install the macOS Clients locally using the Client installation file generated in the Management Tool.

Downloading macOS Client Installation File
To download the file for macOS Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.
5. On the Installation File Download page, click Download macOS x64 Client Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your browser.

Installing macOS Clients
This type of installation allows you to install the macOS Clients locally using the downloaded EkranSystemmacOSClientx64.tar.gz package.
To install the macOS Client on the target computer with a macOS operating system from the command line:
1. Make sure that there is only one user logged in to the computer.
2. Copy the installation package to any folder.
3. Run the Terminal.
4. Navigate to the folder with the installation package by entering the following command:
cd path/to/folder
5. Unpack the installation package using the following command:
tar xvfz <installation package name>
6. Navigate to the unpacked EkranClient folder using the following command:
cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.
7. Run the macOS Client installation script specifying the Server name or Server IP address and the port used for connection to the Server (9447 is recommended):
./install.sh <server_name/IP> <Agent_port>
8. After the end of the installation, macOS Client will appear in the list on the Clients page in the Management Tool.

Uninstalling macOS Clients
About
macOS Clients can be uninstalled locally or remotely.
After uninstallation, the Client stops sending its data to the Server, but its data is not deleted from the Server and the Client is displayed in the Management Tool. The Client status in the Management Tool becomes offline after uninstallation. To delete the Client from the Server (with all its captured data) and from the Management Tool, follow the steps described in the Deleting the Client section.

Uninstalling macOS Clients Remotely
To uninstall a macOS Client, do the following:
1. Log in to the Management Tool as a user that has the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Client you want to uninstall and click Edit Client.
4. On the Editing Client page on the Properties tab, click Uninstall Client.
NOTE: This option is not displayed if the Client is already uninstalled or you do not have the Client uninstallation permission for it.
5. In the confirmation message, click Uninstall.
6. The Client is uninstalled.

To uninstall several macOS Clients, do the following:
1. Log in to the Management Tool as a user with the Client uninstallation permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select Uninstall Clients.
4. On the Client Uninstallation page, click Add Clients to list.
5. The page with the Clients for which you have the Client uninstallation permission opens.
6. Select the Clients that you want to uninstall and click Next. To find a specific Client, enter its name or a part of its name in the Contains box and click Apply Filters.
7. Make sure you have added all necessary Clients to the uninstallation list and click Uninstall.
8. The selected Clients are uninstalled.

Uninstalling macOS Clients Locally
To uninstall the macOS Client from the command line, do the following:
1. Run the Terminal.
2. Navigate to the folder with the macOS Client by entering the command:
cd /Library/Application\ Support/Ekran/EkranAgent
3. The EkranAgent folder contains the uninstall.sh script used to uninstall the Client.
4. Run the uninstallation script by entering the following command:
sudo ./uninstall.sh
and press Enter.
5. Enter the password of the superuser.
6. macOS Client is successfully uninstalled.

Viewing macOS Clients
The macOS Clients are displayed in the Management Tool in the Clients list along with the Windows and Linux Clients. If the users have an administrative Client installation and management permission, they will see all Clients. In other case, the users will see only those Clients for which they have at least one Client permission.
The Client list contains the following information:
• Client name
• Status
• Type
• IPv4
• IPv6
• Description
The Domain column is empty for macOS Clients.
Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6 addresses used by macOS Client will be displayed in the Management Tool.
You can filter macOS Clients in the following ways:
• To sort Clients by the type of operating system, click the Type column header.
• To find macOS Clients only, select Hide Windows Clients and Hide Linux Clients and click Apply Filters.
• To find Clients by their host name or description, enter the name/description or a part of it in the Contains box and click Apply Filters.
• To hide offline/online/uninstalled/licensed Clients, select the corresponding option in the Filtering pane and click Apply Filters.

macOS Client Description
Client description is used as additional information about your macOS Clients, which makes it easier to find a specific Client. You can filter your Clients by their descriptions as well as by their names.
Client description can be defined on the Editing Client page on the Properties tab. Only users with the Client configuration and management permission can edit the macOS Client description.
To edit the description for the macOS Client, enter it in the Description box and click Finish.

macOS Client Configuration
About
macOS Client Configuration includes its monitoring parameters (URL monitoring, frequency setting for user activity recording, etc.).

User Activity Recording Parameters
Screenshots and associated metadata like an active window title, application name, URL, etc. are the main results of the macOS Client monitoring.
You can define the following user activity recording parameters for the Client:
• Screenshot settings:
o Enable screenshot creation along with user activity recording: This option allows you to enable the screenshot creation. If this option is not selected on the Client, only metadata (active window title, application name, URL, etc.) will be monitored and recorded.
o Capture active window only: By default, screenshots of the complete screen are created. If this option is selected, only the current active window will be displayed on a screenshot.
o Bit depth: By default, screenshots are grayscale with 4 bit colour depth. This guarantees the smallest database size with a normal screenshot quality. You can also set colour depth to 8 bits or 24 bits.
• Frequency settings for user activity recording: These options allow you to define how often the user activity on the Client computer will be captured. User activity recording can be triggered by the following events:
o Time interval: User activity is captured with a certain time interval, irrespective to whether something changes on the screen or not. The minimal time interval is 30 seconds.
o Active window change: User activity is captured on the change of the active window. For example, a new window opens (program starts), a new tab in the browser opens, any secondary window opens, etc.

o Active window title change: User activity is captured on the change of the name of the active window.
o Clicking or key pressing: User activity is captured on each mouse click or keyboard key pressing. Please note, in this mode, the recorded user activity is sent not oftener than once in 3 seconds to avoid affecting the performance of the Client computer and database size increasing.

URL Monitoring Parameters
The URL monitoring option allows the investigator to receive information about websites visited by the user on the Client computer. This feature also allows you to set an alert to send notifications each time when the user opens the forbidden URL.
The monitored URL addresses are displayed in the Management Tool on the Session Viewer page in the URL column and in the Details pane.
If the Enable URL monitoring option is selected in the Management Tool, you can also select the Monitor top and second-level domain names only option. In this case only the main part of the URL (e.g., example.com) will be monitored.
There are several restrictions for the URL monitoring option in the current version of the program:
• Only URLs from the standard browsers (Safari, Chrome) are monitored.
• If there is no address line in the browser (e.g., due to user’s settings), URLs are not monitored.
• URLs entered in web anonymizers are not monitored. Please note that proxy server anonymizers are supported.
• Unicode symbols in domain names (e.g., Russian) are not monitored.

Linux Clients
About
The Linux Client is a program that can be installed on the target computers to monitor the activity of their users in the terminal. The monitored data is sent by the Linux Client to the Server and can be viewed via the Session Viewer in the Management Tool.

Monitoring via Linux Clients
The Linux Client monitors the following actions:
1. User actions (input commands and responses from the terminal)
2. System calls in:
• SSH (local and remote)
• Telnet (local and remote)
• Local terminal sessions
3. Commands being executed in the running script.
A new monitoring session is created each time the terminal is opened, both remote and local. A Client with a Linux/UNIX Server Client license can monitor multiple sessions simultaneously.
The session status becomes Finished whenever the terminal is closed or the Linux Client is disconnected from the Server. Whenever the Linux Client reconnects to the Server, the session status changes from Finished back to Live. There is no time limitation for a Linux Client session.

Installing Linux Client
About
You can install the Linux Clients locally from the command line using the EkranSystemLinuxClient.tar.gz package for the 64-bit or 32-bit system, respectively:
• EkranSystemLinuxClientx64.tar.gz for the 64-bit system
• EkranSystemLinuxClientx86.tar.gz for the 32-bit system

Downloading Linux Client Installation File
To download the file for Linux Client installation, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Install Clients.
4. On the Computers without Clients page, click Download installation file.

5. On the Installation File Download page, click Download Linux x86 Client Installation (.tar.gz) or Download Linux x64 Client Installation (.tar.gz).
6. File downloading starts. The download settings depend upon the settings of your browser.

Installing Linux Clients
This type of installation allows you to install the Linux Clients locally from the command line using the downloaded EkranSystemLinuxClient.tar.gz package. Make sure you use the correct installation package (x64 or x86).
To install the Linux Client on the target computer with a Linux operating system from the command line:
1. Copy the installation package to any folder.
2. Run the command-line terminal.
3. Navigate to the folder with the installation package by entering the following command:
$ cd path/to/folder
4. Unpack the installation package using the following command:
$ tar xvfz <installation package name>
5. Navigate to the unpacked EkranClient folder using the following command:
$ cd EkranClient
The EkranClient folder contains the install.sh script used to install the Client.

6. Run the Linux Client installation script specifying the Server name or Server IP address and the port used for connection to the Server (9447 is recommended):
$ sudo ./install.sh <server_name/IP> <Agent_port>
7. After the Client is installed, it starts monitoring the new terminal sessions. If you want to monitor the older terminal sessions, restart them.
8. The installed Linux Client appears in the list on the Client Management page in the Management Tool.

Uninstalling Linux Clients
To uninstall the Linux Client from the command line, do the following:
1. Run the command line terminal.
2. Navigate to the folder with the Linux Client by entering the command:
$ cd /opt/.Ekran
3. The .Ekran folder contains the uninstall.sh script used to uninstall the Client.
4. Run the uninstallation script by entering the following command:
$ sudo ./uninstall.sh
and press Enter.
5. Enter the password of the superuser.
6. Linux Client is successfully uninstalled.

Viewing Linux Clients
The Linux Clients are displayed in the Management Tool in the Clients list along with the Windows Clients. If the users have an administrative Client installation and management permission, they will see all Clients. In other case, the user will see only those Clients for which they have at least one Client permission.
The Client list contains the following information:
• Client name
• Status
• Type
• IPv4
• IPv6
• Description
The Domain column is empty for Linux Clients.


Please note, if there are several network cards on the Client computer, only the IPv4 and IPv6
addresses used by Linux Client will be displayed in the Management Tool.
You can filter Linux Clients in the following ways:
• To sort Clients by the type of operating system, click the Type column header.
• To find Linux Clients only, select Hide Windows Clients and Hide macOS Clients and
click Apply Filters.
• To find Clients by their host name or description, enter the name/description or a part
of it in the Contains box and click Apply Filters.
• To hide offline/online/uninstalled/licensed Clients, select the corresponding option in
the Filtering pane and click Apply Filters.

Linux Client Description
Client description is used as additional information about your Linux Clients, which makes it
easier to find a specific Client. You can filter your Clients by their descriptions as well as by their
names.
Client description can be defined on the Editing Client page on the Properties tab. Only users
with the Client configuration management permission can edit the Linux Client description.
To edit the description for the Linux Client, enter it in the Description box and click Finish.

Forced User Authentication on Linux Clients
About
If several users may use the same account (e.g., “root”) to work with the terminal, it might be
important to identify the person using the account. The identification can be performed by
means of Forced User Authentication, which requires the user to enter additional credentials
when they open the terminal. The user has to enter the credentials of the Ekran System user
who has the Access Client computer permission. The secondary user login will then be
displayed in the Client Sessions list in brackets next to the primary user name under which the
terminal is launched.
The forced user authentication works only if there is a connection between the Client computer
and the Server computer. If the connection with the Server computer is lost (the Server is
unavailable), the user will not be prompted to enter the secondary credentials.

Enabling Forced User Authentication on Linux Client
The Forced User Authentication parameter can be set only during Client editing.

To enable Forced User Authentication on the Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.


2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Linux Client for which you want to enable Forced User
Authentication, and click Edit Client. To find a specific Client, enter its name in the Contains
box and click Apply Filters.
4. On the Editing Client page, on the Authentication options tab, select the Enable secondary
user authentication on log-in option.
5. Click Finish.
6. The forced authentication mode is enabled immediately. When the user starts working with
the terminal, they will be prompted to enter the secondary credentials.

Granting the User Permission to Work with the Terminal
To grant an Ekran System user a permission to work with the terminal on the Linux Client
computer with enabled forced user authentication, do the following:
1. Log in to the Management Tool as a user with the administrative User management
permission.
2. Edit an existing internal user who will log into the Client computer to the system or add a
new one.
3. During the user adding/editing, on the Client Permissions tab, click Edit Permissions for the
required Linux Client. To find a specific Client, enter its name in the Contains box and click
Apply Filters.
4. In the opened Client Permissions window, select the Access Client computer option and
then click Save.
5. Click Finish.

Launching the Terminal
The process of launching the terminal on the Linux Client computer with enabled forced user
authentication is performed as follows:
1. The user launches the terminal.
2. The Client requests the user to enter their secondary credentials.
3. The user enters the credentials of the Ekran System user that has the Access Client
computer permission.
4. These credentials are sent to the Server and the Server returns the response on whether
the access to the terminal is allowed. If the user has the required permission for the Client
computer and their entered credentials are correct, the user is allowed to continue working
with the terminal. In other case, the user will receive a corresponding message.
5. As soon as the user starts working with the terminal, the Client will start recording their
activity. The user’s name will be displayed in the Client Sessions list in the User name
column in brackets: <Linux user> (<forced authentication user>).


Two-Factor Authentication for Windows Clients
About
The Two-Factor Authentication feature allows you to better protect the critical endpoints in
your network. When the Two-Factor Authentication feature is enabled, the Client requires
the user to enter a time-based one-time password (TOTP) when they log in to Windows. TOTPs are
generated by a dedicated mobile application, e.g., Google Authenticator, Third-Party Accounts, or
Authenticator. Google Authenticator can be downloaded from one of the following stores:
• Google Play for Android devices
• App Store for Apple devices
• Microsoft Store for Windows phones
• BlackBerry App World for BlackBerry devices
Find the detailed instructions on installation and configuration of your authenticator
application using the following links:
• For Android, iOS, and BlackBerry devices: https://support.google.com/accounts/answer/1066447?hl=en
• For Android and iOS devices: https://guide.duo.com/third-party-accounts
• For Windows Phones: https://www.microsoft.com/en-us/store/p/authenticator/9wzdncrfj3rj
For users to be able to use TOTP, you have to provide them with a two-factor authentication
key generated in the Management Tool.
The Two-Factor Authentication option can be enabled for Windows computers during Client
editing. In addition, if you have at least one serial key activated, the Two-Factor Authentication
option can be enabled even for unlicensed Clients.

Allowing User to Log In
If only Two-Factor Authentication is enabled on the Windows Client computers, you have to
generate TOTP keys for local and domain users. If Two-Factor Authentication is enabled along
with the Forced User Authentication, you have to generate TOTP keys for secondary users.
To allow the users to log into Client computers with enabled Two-Factor Authentication, do
the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Two-Factor Authentication tab and then click
Add User.

4. In the Add User window, select the user type and define the following information:
• For Active Directory user, define the domain name and user login.
• For Local computer user, define the computer name and user login.
• For Ekran user for secondary authentication, define the user login.
5. Click Generate to generate a QR code and key.
6. Save the QR code or copy the key to your clipboard to send it to the corresponding user.
Alternatively, make a note of it to provide it to the user later. The user will have to enter
this key or scan the QR code with their TOTP mobile application (e.g., Google Authenticator).
For security reasons, after you navigate off this page, no one will be able to see the
generated key again.
7. Click Save.

Deleting User from the List
To prevent a user from logging in to Client computers with enabled Two-Factor Authentication, do
the following:
1. Log in to the Management Tool as a user with the User management permission.
2. Click the Access Management navigation link to the left.
3. On the Access Management page, open the Two-Factor Authentication tab.
4. Click Delete user for the required user and then click OK in the confirmation message.
5. The user is deleted from the list and will be unable to log in to Client computers using TOTP.

Enabling Two-Factor Authentication
The Two-Factor Authentication parameter can be set only during Client editing.

To enable Two-Factor Authentication on the Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management
permission.
2. Click the Serial Key Management navigation link to the left and make sure you have at least
one serial key activated.
3. Click the Client Management navigation link to the left.
4. On the Clients page, select the Windows Client and then click Edit Client. To find a specific
Client, enter its name in the Contains box and click Apply Filters.
5. On the Editing Client page, on the Authentication options tab, select the Enable two-factor
authentication option.
6. Click Finish.
7. Two-Factor Authentication is enabled immediately. During the next login, the user will
be prompted to enter a TOTP generated in their mobile application (e.g., Google
Authenticator) to start working with the system.

Logging in Using Time-Based One-Time Password
To log in to the Client computer with enabled Two-Factor Authentication:
1. The user enters a two-factor authentication key in their TOTP mobile application (e.g.,
Google Authenticator).
2. The mobile application starts generating TOTPs. Each TOTP is valid for 5 minutes from the
moment of its generation.
3. The user logs in to Windows in the usual way (locally or remotely).
4. If Forced User Authentication is enabled, the user enters their secondary credentials.
5. The Client displays the TOTP window requesting the user to enter a TOTP generated in their
mobile application.
6. The user specifies a valid TOTP and clicks OK. If the user has been authenticated via the
Forced User Authentication, they have to specify a TOTP generated for the secondary user.
NOTE: For the user to be authenticated using TOTP, the time on the Ekran Server and on
the user’s device must be synchronized.
7. The user name and TOTP are sent to the Server for validation. If the user is allowed to log in
to Client computers with enabled Two-Factor Authentication and the TOTP is valid, they get
logged in to the system and can start working with it.
8. As soon as the user logs in to the system, the Client starts recording their activity.
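
Why the clock-synchronization note in step 6 matters can be shown with the public TOTP algorithm (RFC 6238) that Google Authenticator implements. This is an added example, not Ekran System code: the 30-second step, the 6-digit length, the backward-looking acceptance window modelled on the 5-minute validity stated above, the replay check and the user names are assumptions, and the key is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # RFC 6238 default time step (assumption for this sketch)
DIGITS = 6               # code length shown by common authenticator apps
VALIDITY_SECONDS = 300   # models the 5-minute validity stated in step 2

# RFC 6238 test key ("12345678901234567890") in the Base32 form typed into an app.
SAMPLE_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_key(key_b32: str) -> bytes:
    """Decode a Base32 key, tolerating spaces, lower case and missing padding."""
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the number of elapsed time steps."""
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check: accept a code generated within the validity window."""

    def __init__(self, validity: int = VALIDITY_SECONDS, step: int = STEP_SECONDS):
        self.validity = validity
        self.step = step
        self._last_counter = {}   # user -> newest time step already accepted

    def check(self, user: str, key: bytes, submitted: str, server_time: int) -> str:
        newest = int(server_time) // self.step
        oldest = (int(server_time) - self.validity) // self.step
        matched = None
        # Only time steps at or before the server's own clock are considered,
        # so a device running ahead of the server produces unknown codes.
        for counter in range(newest, oldest - 1, -1):
            expected = totp(key, counter * self.step, self.step)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                matched = counter
                break
        if matched is None:
            return "rejected"
        # A wide window makes replay protection important (RFC 6238, section 5.2).
        if matched <= self._last_counter.get(user, -1):
            return "replayed"
        self._last_counter[user] = matched
        return "accepted"


def demo(server_time: int = 1234567890) -> dict:
    """Constructed scenario: the same key on devices with different clock offsets."""
    key = decode_key(SAMPLE_KEY_B32)
    verifier = TotpVerifier()
    in_sync = totp(key, server_time)
    return {
        "device in sync": verifier.check("alice", key, in_sync, server_time),
        "same code again": verifier.check("alice", key, in_sync, server_time + 5),
        "code 4 min old": verifier.check("dave", key, totp(key, server_time - 240), server_time),
        "device 10 min slow": verifier.check("bob", key, totp(key, server_time - 600), server_time),
        "device 2 min fast": verifier.check("carol", key, totp(key, server_time + 120), server_time),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:20s} {verdict}")
```

A user whose phone clock has drifted outside the window sees every code refused even though the key is correct, which is the first thing to check when a valid user cannot pass the TOTP prompt.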


User Blocking

About
Ekran System allows you to block users performing potentially harmful and forbidden actions on Windows Clients. A blocked user is forcibly logged out of the Client and is not allowed to log back in. You can add the user to the blocked user list on the selected Client computer or all Client computers in the system.
You can block users while viewing their session, live or finished. You can also enable an option that allows blocking a user or killing the process when a certain alert is triggered.
You need to have the Client installation and management permission to block users.

Blocking User from Live Session
To block a user while watching their live session, do the following:
1. Open the user session in the Session Viewer.
2. Click on the red lock in the Session Player.
NOTE: The Lock is disabled for the users already on the Blocked User list and Ekran System users without the Client installation and management permission.
3. The Block User window opens.

4. Define the following settings:
o Select On all computers if you want this user to be blocked on all computers with installed Clients.
o Select On computer if you want the user to be blocked only on a current Client computer.
5. Define the forced log out time if necessary.
6. Enter the message to display to the user if necessary.
7. Enter the reason for blocking the user.
8. Click Block.
9. On the Client computer, the warning message is displayed and the desktop is blocked. After the defined time interval, the user is forcibly logged out of the Client computer.
10. If the user tries to log in to the Client computer, the system does not allow them to do so, and the following message is displayed: “You have been blocked. Contact your system administrator.”
NOTE: If you have selected to block the user on all computers, they will be logged out on all computers where they are logged in at the time of blocking.

Blocking User from Finished Session
To block the user while watching their finished session, do the following:
1. Open the user session in the Session Viewer.
2. Click on the red lock in the Session Player.
NOTE: The Lock is disabled for the users already on the Blocked User list and Ekran System users without the Client installation and management permission.
3. The Block User window opens.
4. Define the following settings:
o Select On all computers if you want this user to be blocked on all computers with installed Clients.
o Select On computer if you want the user to be blocked only on a current Client computer.
5. Click Block. If the user is logged into the Client computer at that point, the blocking process is the same as for the Live sessions.

the Client does not block users that are on the blocked user list. Contact your system administrator. If the connection with the Server computer is lost (the Server is unavailable). select the Show warning message to user option. then they will be logged out on all computers where they are logged in at the time of blocking. the Client displays the secondary authentication window. and the following message is displayed: “You have been blocked. On the Actions tab.” NOTE: If you have selected to block the user on all computers. select the Block user on all computers option and click Finish. Blocking User on Alert Triggering To configure an alert to block a user. If the user tries to log in to the Client computer. Contact your system administrator. do the following: 1. 2. the Client receives the latest edited list of blocked users from the Server. the system does not allow them to do so. The user will be blocked when the alert is triggered. After such user logs in to Windows. Once the connection is re-established. If you edited the blocked user list. and the following message is displayed: “You have been blocked.User Blocking 6. The list of blocked users is stored on the Server. Blocking User on Client with Secondary Authentication If the Client has secondary user authentication enabled. You can edit the message by entering the text in the box below. When the blocked user enters their credentials and tries to log in. In the Additional actions box. 3. 5. the system does not allow them to do so. Log in to the Management Tool as a user with the administrative Client installation and management permission. 4. the system blocks the primary- secondary user combination. 185 . Click the Alert Management navigation link to the left and click Add Alert or Edit Alert. 
The user blocked with the default parameters.” Blocked User List A blocked user is added to the blocked user list for the selected Client or all Clients in the system (depending on your choice while blocking the user). the Client receives it from the Server immediately.

Viewing Blocked User List
To view the blocked user list, go to Client Management, and then click Blocked User List. You need to have the Client installation and management permission to view the blocked user list.
A list of blocked users is displayed, with the following information available for each record:
• Windows User: has one of the following formats:
o <domain>\<user name>
o <domain>\<primary user name>(<secondary user name>) (for Clients with secondary user authentication enabled)
• Blocked on: Displays a specific computer name or All computers.
• Blocked by: Displays a specific Ekran user that has blocked the Windows user.
• Date: Displays the date when the user was blocked.
• Reason: Displays the reason for blocking the user.

Removing User from Blocked User List
You can remove users from the blocked user list, one by one or all at once. The user removed from the Blocked User list can log in to their computer with the installed Client again.
To remove a user from the blocked user list, do the following:
• Click Remove in the corresponding blocked user record in the grid.
• Click Remove in the confirmation message.
To remove all users from the blocked user list, do the following:
• Click Remove All in the blocked user grid.
• Click Remove in the confirmation message.

Client Group Management

About
Client Groups allow you to grant access to several Clients at the same time to your users without the necessity to grant them access to all the Clients (both Windows and Linux).
By default, there is one Client Group in the system, which contains all installed Clients. You cannot remove Clients from this group.
NOTE: One Client can belong to several groups.

Adding Client Groups
To add a new Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Add Client Group.
4. On the Group Settings tab, define the following and then click Next:
• The name for the Client Group.
• Optionally, the Client Group description.
• The configuration that can be applied to the Windows Clients in the same way as defining Client configuration.
NOTE: The maximum length of the Client Group name and description is 200 characters.
5. On the Client Management tab, add Clients to the group. Click Next.
6. On the Permissions tab, select users/user groups which will have access to the Client Group and define their permissions:
• To find a specific user/user group, enter its name in the Contains box and click Apply Filters.
• To define user/user group permissions, click Define Permissions for the required users/user groups and select the check boxes near the corresponding permissions in the opened Client Permissions window. After you have defined all permissions, click Save.
NOTE: Permissions inherited by the user from user groups to which they belong are displayed as disabled check boxes with a user group name near them.
7. Click Next.
8. On the Assigned Alerts tab, select the check boxes near the alerts that must be assigned to the group.
9. Click Finish.
10. The Client Group is created.

Editing Client Groups
To edit an existing Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. Edit Client Group properties, permissions, and alerts on the corresponding tabs in the same way as when adding a new Client group.
5. Click Next or Finish to save the changes on each tab.

Adding Clients to Groups

Adding Clients to Groups during Client Group Editing
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Editing Client Group page, on the Client Management tab, click Add Clients.
5. The drop-down list containing the Clients that have not been added to the Group opens.
NOTE: Only the first 10 Clients are displayed in the list. To view all Clients, click the link in the bottom of the list.
6. Select the check boxes next to the Clients to be added to the Client Group. To find a specific Client, enter its name, description or a part of it in the Find Clients field above the Clients list. The list is filtered along with typing.
7. Select the Apply group settings to new Clients option if you want the added Clients to inherit Group settings.
8. Click Add.
9. The added Clients are displayed in the grid.
10. Click Finish.

Adding Clients to Groups during Client Editing
To add a Client to the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the selected Client.
4. On the Editing Client page, on the Client Groups tab, click Add to Group.
5. The drop-down list containing the groups to which the Client has not been added opens.

NOTE: Only the first 10 groups are displayed in the list. To view all groups, click the Click to view all results link.
6. Select the option next to the group to which you want to add the Client.
NOTE: To find a specific group, enter its name or a part of it in the Find Groups field. The list is filtered along with typing.
7. Click Add.
8. The group to which the Client was added is displayed in the grid.
9. Click Finish.

Applying Group Settings to Client
When the Client belongs to the target Client Group, the Client settings can be inherited from this Group. In this case, the Client settings are changed together with the Group settings.
To edit the Windows Client configuration by applying group settings to a Client, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, select the Windows Client for which you want to edit the configuration, and click Edit Client. To find a specific Client, enter its name in the Contains box and click Apply Filters.
4. On the Editing Client page, on the Client Groups tab, add the Client to the group from which you want the Client to inherit configuration.
5. Click the Apply link for the group.
6. The Client settings type changes to Inherited from <group name> and the Applied value is displayed for this group in the grid.
7. Click Finish.
To edit the Windows Client configuration by changing the Client Group settings, do the following:
1. Log in to the Management Tool as a user with the Client configuration management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Group. To find a specific Client Group, enter its name in the Contains box and click Apply Filters.
4. Edit Client Group properties, permissions, and alerts on the corresponding tabs.
NOTE: If you do not have the Client configuration management permission for this Client, the configuration options editing will be disabled.
5. Click Finish.

Removing Clients from Groups

Removing Clients from Groups during Client Group Editing
To remove a Client from the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Client Management tab, click the Remove link for the corresponding Client or click Remove all to remove all Clients from the group.
5. In the confirmation message, click OK.
6. The Client is removed from the Group.
7. If settings of the removed Client were inherited from this group, they are changed to Custom. The Client settings remain the same but they become editable.
NOTE: The Client can be removed from all Groups except the All Clients group.

Removing Clients from Groups during Client Editing
To remove a Client from the group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the selected Client.
4. On the Editing Client page, on the Client Groups tab, click the Remove link for the corresponding Client group or click Remove from All to remove the Client from all groups.
5. In the confirmation message, click OK.
6. The Client is removed from the Group.
7. If settings of the removed Client were inherited from the Client Group, their type is changed to Custom. In this case, the Client settings remain the same but they become editable.
NOTE: The Client can be removed from all Groups except the All Clients group.

Deleting Client Groups
If you delete a Client group, the Clients belonging to it will not be deleted, but the permissions of users defined for the deleted Client Group will change. The All Clients group cannot be deleted.
To delete a Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.

2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client Group for the required Client group.
4. On the Group Properties tab, click Delete Client Group.
5. In the confirmation message, click Delete.
6. The Client Group is deleted.
7. When the group is deleted, the configuration of all Clients that was inherited from this group changes to Custom.

Alerts

About
Alerts are instances that notify the investigator of a specific activity (potentially harmful/forbidden actions) on the target computers with installed Clients and allow the investigator to respond to such activity quickly without performing searches. You can set an alert to automatically block a user or kill the process.
Alert system can be used for two purposes:
• Immediate response: This allows the investigator to get immediate information about the forbidden action and respond to it quickly (almost at once).
• Delayed response: This allows the investigator to get information on a batch of forbidden actions on multiple Clients, analyse them, and then respond.
The notifications can be received via email or in the Tray Notifications application. Besides, monitored activity associated with alert events is marked as alert in the Session Viewer.

Viewing Alerts
The alerts are displayed on the Alert Management page in the Management Tool. On the Alert Management page, you can add new alerts, edit existing alerts (including deleting), and define Global Alert Settings.
A list of alerts contains the following information:
• Name
• Description
• Risk Level: Indicates the risk level of an alert, which can be Normal, High or Critical.
• Assigned To: Indicates Clients/Client Groups the alert is assigned to.
• Alert State: Indicates if the alert is enabled.
• Notification Type: Indicates how the investigators are notified about alert events (by emails or via Tray Notifications application).
• Email Recipient: The email address of the investigator who will be notified about alert events.
To find a required alert, you can use a filtering option on the top of the page. Select the Hide Enabled/Disabled/Default Alerts options and then click Apply Filters to hide the alerts.
To view the latest 100 events for an alert in the Alert Viewer, click View alert events in the corresponding entry.

Default Alerts
The Ekran System contains a set of default alerts for the potentially harmful applications and websites visited on the Windows Client computers and for the important commands executed on the Linux Client computers. The default alerts are automatically added when the Ekran Server is installed or updated to a new version.
Default alerts have the High risk level by default. These alerts are enabled by default but there are no Clients to which they are assigned. You can assign an alert to Clients by clicking Edit alert for the required alert and selecting the needed Clients on the Assigned Clients tab or while editing multiple alerts.
You can do the following with default alerts:
• Enable/disable them.
• Change the alert risk level.
• Define the notification options.
• Enable showing a warning message, blocking the user or killing the process.
• Delete them.
To hide default alerts, select the Hide Default Alerts option and then click Apply Filters.

Alerts Management

Adding Alerts
To add an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left and click Add Alert.
3. On the Add Alert page, on the Alert Properties tab, define the following alert properties and then click Next:
• Enter a unique name for an alert.

• Optionally, enter the alert description.
• Select the alert risk level. It can be Critical, Normal, or High.
• Select the Enabled option to enable an alert.
4. On the Alert Rules tab, define the rules to be applied and then click Next:
• Select the Parameter of the rule.
• Select the Comparison operator.
• Enter the Value to which Parameter will be compared.
• Click Add Rule to create one more rule.
• To delete a rule, clear its Value box or click Delete.
5. On the Assigned Clients tab, select the Clients/Client Groups to which the alert will be assigned and click Next. To find specific Clients/Client Groups, enter their names in the search box.

6. On the Actions tab, select how you would like to receive the alert notifications and additional actions to be performed when the alert is triggered:
• Select the Send emails to option and then enter the email address to which the notifications will be sent. You can enter several email addresses separating them with semicolon.
NOTE: To receive email notifications correctly, make sure that Email Sending Settings contain correct parameters for email sending.
• Select the Show warnings in Tray Notifications application option to activate the tray notifications. The alert notifications will then pop up from the tray.
• Select the Show warning message to user option if you want a warning message to be displayed to the user when the alert is triggered. You can use the default message or enter your own text in the box below.
• In the Additional actions box, select the Block user on all computers option if you want to automatically block the user performing forbidden actions, or select the Kill application option if you want to forcibly stop the detected application.
7. Click Finish to save the created alert.
8. The alert is added.

Rules

About
Alert rules allow you to determine what events on the investigated computer will be considered an alert. Each alert has to have at least one rule. Each rule consists of the Parameter, Comparison operator, and Value, to which the Parameter will be compared.
The following parameters are available for rules:

Parameter | Description | Example

Parameters applied to all Clients
Username | The name of the user whose work is to be monitored. Set this parameter type for alert to be activated whenever the specified user uses the Client computer. If forced user authentication is enabled and the secondary user login matches the user name alert parameter, the Client marks corresponding events as an alert. For example: The alert parameter is Login LIKE “John”. The user logs in to Windows as Guest and then enters John as the secondary login. The first record in the session of this user (Guest (John)) is marked as alert. | John

Parameters applied to Windows and macOS Clients
Application | The name of the started application on the investigated computer. Select this parameter type for alert to be triggered whenever the specified value is identified as the name of a launched application. | skype.exe
Title | The name that appears in the title of a window. Select this parameter type for alert to be triggered whenever the specified value is identified in any title on the screen. | My document
URL | URL entered in the browser address line or visited by the user. Select this parameter type for alert to be triggered whenever the specified value is identified as the URL address. | facebook.com

NOTE: The URL monitoring option must be enabled for the Client.

Parameter | Description | Example

Parameters applied to Windows Clients
Keystrokes | The keystrokes entered by the user. Select this parameter type for alert to be triggered whenever the specified value is entered. | download

Parameters applied to Linux Clients
Command | The command entered in the Linux terminal. Set this parameter type for alerts to be activated whenever the specified command is entered. | sudo
Parameter | The parameter of the entered Linux command. Set this parameters type for alerts to be activated when the user enters the command with specified parameters. | ImportantDocument

Parameters of Active Directory Groups
Computer Belonging to Domain Group | The name of the domain group. Select this parameter type for an alert to be triggered on the Client computers belonging to this group. NOTE: Alerts containing this parameter need to be assigned to the All Clients group to work properly. | Accounting
User Belonging to Domain Group | The name of the domain group. Select this parameter type for alert to be activated whenever the users of specified domain group use the Client computers. | Support

Comparison operators
For all parameters except for Active Directory groups, you can use the following comparison operators:

Comparison operator | Description | Example: Value | Example: Found | Example: Not found
Equals | The defined value fully corresponds to the found result. | John | John | Johny
Like | The found result includes the defined value. | John | Johny, Johnatan | Johan
Not equals | The found result does not match the defined value. | John | Oliver, Johny | John
Not like | The found result does not include the defined value. | John | Oliver, Johan | Johny, John

Rules defined for Windows/macOS and Linux parameters do not influence one another. Thus you can have rules for Windows/macOS and Linux Clients defined in one alert and the alert will work correctly. For example:

         Parameter    Operator    Value
Rule 1   Command      Equals      su
Rule 2   URL          Like        facebook.com
Result: The alert will be triggered by user entering the su command in the Linux terminal or visiting the facebook.com site from the computer with Windows or macOS operating system.

When several rules are defined for the same parameter within one alert, using Like or Equals operators, the alert will be triggered if the conditions of at least one rule are met. For example:

         Parameter    Operator    Value
Rule 1   Application  Equals      skype.exe
Rule 2   Application  Equals      winword.exe
Result: The alert will be triggered by user launching either Skype or Microsoft Word.
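
The four comparison operators and the way this section combines rules (several rules on one parameter, rules on different parameters, Not equals/Not like rules, and Windows/macOS versus Linux parameters) can be checked against the documented results with a small evaluator. This is an added example, not Ekran System code: the event dictionaries, case-insensitive matching, and the handling of an alert that mixes positive and Not rules on one parameter are assumptions.

```python
# Which Clients each parameter applies to, following the parameter table.
# Active Directory group parameters are left out: the operators do not apply to them.
PLATFORMS = {
    "Username": {"windows", "macos", "linux"},
    "Application": {"windows", "macos"},
    "Title": {"windows", "macos"},
    "URL": {"windows", "macos"},
    "Keystrokes": {"windows"},
    "Command": {"linux"},
    "Parameter": {"linux"},
}


def compare(operator: str, defined: str, found: str) -> bool:
    """Apply one comparison operator (matching is case-insensitive by assumption)."""
    d, f = defined.lower(), found.lower()
    if operator == "Equals":
        return f == d
    if operator == "Like":
        return d in f
    if operator == "Not equals":
        return f != d
    if operator == "Not like":
        return d not in f
    raise ValueError(f"unknown operator: {operator}")


def alert_triggers(rules, event) -> bool:
    """rules: list of (parameter, operator, value) tuples of one alert.
    event: dict with a 'platform' key plus the values observed on the Client."""
    platform = event["platform"]
    by_parameter = {}
    for parameter, operator, value in rules:
        # Rules for another operating system do not influence this event.
        if platform in PLATFORMS[parameter]:
            by_parameter.setdefault(parameter, []).append((operator, value))
    if not by_parameter:
        return False                      # nothing in the alert applies here
    for parameter, conditions in by_parameter.items():
        found = event.get(parameter)
        if found is None:
            return False                  # parameter not observed in this event
        positive = [compare(op, v, found) for op, v in conditions
                    if op in ("Equals", "Like")]
        negative = [compare(op, v, found) for op, v in conditions
                    if op in ("Not equals", "Not like")]
        # Same parameter, Equals/Like: at least one rule must be met.
        if positive and not any(positive):
            return False
        # Same parameter, Not equals/Not like: every rule must hold.
        if not all(negative):
            return False
    return True                           # different parameters: all were met


def windows_event(**observed):
    """Constructed sample event from a Windows Client."""
    return dict(platform="windows", **observed)


def linux_event(**observed):
    """Constructed sample event from a Linux Client."""
    return dict(platform="linux", **observed)


if __name__ == "__main__":
    mixed = [("Command", "Equals", "su"), ("URL", "Like", "facebook.com")]
    print(alert_triggers(mixed, linux_event(Username="root", Command="su")))
    print(alert_triggers(mixed, windows_event(Username="Stefan",
                                              URL="https://www.facebook.com/")))
```

Running a proposed rule set through a model like this before assigning it to Clients shows quickly whether a Not equals rule is broader than intended, since it matches every value except the listed ones.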

When the rules are defined for the different parameters within one alert, the alert will be triggered if the conditions of all the rules are met. For example:

         Parameter    Operator    Value
Rule 1   Application  Equals      skype.exe
Rule 2   Username     Like        Nancy
Result: The alert will be triggered by the user Nancy launching Skype application.

When you have multiple rules defined for one parameter and one rule defined for the other parameter, using Like or Equals operators, the alert will be triggered if conditions of any rule from the first group and the conditions of the rule defined for a different parameter are met. For example:

         Parameter    Operator    Value
Rule 1   Application  Equals      skype.exe
Rule 2   Application  Equals      winword.exe
Rule 3   Username     Equals      Nancy
Result: The alert will be triggered by user Nancy launching Skype or Microsoft Word.

When you have multiple rules defined for one parameter, using Not equals/Not like operators, the alert will be triggered if the found result does not match/include any of the defined values. For example:

         Parameter    Operator    Value
Rule 1   Application  Not equals  skype.exe
Rule 2   Application  Not equals  winword.exe
Result: The alert will be triggered by the user launching any application except for Skype and Microsoft Word.

Rule Examples
1. To set up the alert notification about any user opening the facebook.com site on the investigated computer, select the URL parameter and, in the Value field, enter facebook.com.

NOTE: The URL monitoring option must be enabled for the Client.
2. To set up the alert notification about any user opening any other site except Facebook on the investigated computer, select the Not like operator:
3. To set up the alert notification about a specific user (e.g., Stefan) opening Facebook on the investigated computer, define the following parameters:

If you enter more than one name, the alert notification will then appear if any of them (Stefan or Rick) opens Facebook.
If you use the Not like operator for the entered names, the alert notification will appear if any user except for Stefan or Rick opens Facebook.

4. To set up the alert notification about any user launching skype.exe application on the investigated computer, define the following parameters:
If you use the Not equals operator, the alert notification will appear if any application except for Skype is opened.

5. To set up the alert notification about USB-based storages plugging in, define the following parameters:

6. To set up the alert notification about a specific user (e.g., Stefan) opening facebook.com in Chrome, define the following parameters:

7. To set up the alert notification about entering any command with sudo or a command su, define the following parameters:

8. To set up the alert notification about accessing the Client computers by users belonging to the target domain group, define the following parameters:

9. To set up alert notification about opening Facebook on the investigated computer, which belongs to the domain group, define the following parameters:

NOTE: Such alerts need to be assigned to the All Clients group to work properly.

10. To set up the alert notification about launching the skype.exe application by the users belonging to the target domain group on the Client computers belonging to the target domain group, define the following parameters:

Enabling/Disabling Alerts

If you do not need to receive notifications on a specific alert which you do not want to delete, you can disable it in the Management Tool by clearing the Enabled option on the Alert Properties tab of the Edit alert page. This option can be enabled again later, by selecting the Enabled option on the same page.

To enable/disable multiple alerts, do one of the following:
• On the Alert Management page, click Manage Multiple Alerts. On the opened Manage Multiple Alerts page, click Enable/Disable next to alerts or Enable All/Disable All in the last column header.
• On the Alert Management page, select alerts and click Enable/Disable.

Editing Alerts

Editing Single Alert

To edit a single alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. Click Edit alert for the required alert.
4. Edit alert properties and rules on the corresponding tabs in the same way as when adding a new alert.
NOTE: Click Next or Finish to save the changes on each tab.
5. The alert is edited.
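The rule-combination logic described earlier in this Alerts chapter (all parameters must match, Equals/Like rules on one parameter are alternatives, Not equals/Not like rules must all hold) can be checked against sample events before an alert is deployed. This is an added example, not Ekran System code; case-insensitive matching, Like as substring inclusion, and "a missing parameter never satisfies a rule" are assumptions, and the events are constructed.

```python
from collections import defaultdict

POSITIVE = ("Equals", "Like")
NEGATIVE = ("Not equals", "Not like")


def _matches(operator, rule_value, observed):
    """Equals-type operators compare whole values, Like-type operators test inclusion.
    Case-insensitive comparison is an assumption of this example."""
    rule_value, observed = rule_value.lower(), observed.lower()
    if operator in ("Equals", "Not equals"):
        return observed == rule_value
    return rule_value in observed


def alert_triggers(rules, event):
    """rules: list of (parameter, operator, value); event: dict parameter -> observed value."""
    groups = defaultdict(list)
    for parameter, operator, value in rules:
        if operator not in POSITIVE + NEGATIVE:
            raise ValueError(f"unknown operator: {operator}")
        groups[parameter].append((operator, value))

    # Every parameter that has rules must be satisfied (rules on different parameters).
    for parameter, group in groups.items():
        observed = event.get(parameter)
        if observed is None:
            return False  # assumption: no observed value, no match
        positive = [r for r in group if r[0] in POSITIVE]
        negative = [r for r in group if r[0] in NEGATIVE]
        # Equals/Like rules on one parameter: any one of them is enough.
        if positive and not any(_matches(op, v, observed) for op, v in positive):
            return False
        # Not equals/Not like rules on one parameter: none of the values may be found.
        if any(_matches(op, v, observed) for op, v in negative):
            return False
    return True


# The three rule sets from the tables in this chapter.
RULE_SETS = {
    "nancy_skype": [
        ("Application", "Equals", "skype.exe"),
        ("Username", "Like", "Nancy"),
    ],
    "not_skype_or_word": [
        ("Application", "Not equals", "skype.exe"),
        ("Application", "Not equals", "winword.exe"),
    ],
    "nancy_skype_or_word": [
        ("Application", "Equals", "skype.exe"),
        ("Application", "Equals", "winword.exe"),
        ("Username", "Equals", "Nancy"),
    ],
}

# Constructed sample events; the domain-qualified user name is hypothetical.
EVENTS = [
    {"Application": "skype.exe", "Username": "Nancy"},
    {"Application": "winword.exe", "Username": "Nancy"},
    {"Application": "chrome.exe", "Username": "Stefan"},
    {"Application": "skype.exe", "Username": "CORP\\nancy.w"},
]


def firing_matrix():
    """Return {rule set name: [True/False per event]} for the constructed events."""
    return {
        name: [alert_triggers(rules, event) for event in EVENTS]
        for name, rules in RULE_SETS.items()
    }


if __name__ == "__main__":
    for name, row in firing_matrix().items():
        print(f"{name:22s} {row}")
```

The last event shows why the operator choice matters for coverage: a Like rule on the user name still fires for a domain-qualified account, while an Equals rule on the same value does not.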

Editing Multiple Alerts

To edit multiple alerts, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Manage Multiple Alerts.
4. On the Alert Selection tab, select the alerts to be edited, enable/disable the required alerts, and then click Next.
5. On the Assigned Clients tab, select the Clients/Client Groups to which the alerts will be assigned and click Next. To find specific Clients/Client Groups, enter their names in the Contains box and click Apply Filters.
6. On the Actions tab, select how you would like to receive the alert notifications and additional actions to be performed when the alert is triggered. Select Show warning message to user option if you want a warning message to be displayed to the user. You can edit the message by entering your text in the box below. Optionally, choose Additional actions from the list. Click Finish.
7. The alerts settings are edited.

Assigning Alerts to Clients

Assigning Alerts to Clients during Alert Editing

To assign an alert to a specific Client, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Edit alert for the required alert.
4. On the Assigned Clients tab, select the Clients or Client Groups to which the alerts will be assigned and click Next. To find a specific Client, enter its name in the Contains box and click Apply Filters.
5. Click Finish to save the changes.
6. The alert is assigned to the selected Client.

Assigning Alerts to Clients during Editing Multiple Alerts

To assign an alert to a specific Client, do the following:
1. Log in to the Management Tool as a user with an administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. Click Manage Multiple Alerts.
4. On the Alert Selection page, select the alerts to be assigned to the Client.

5. On the Assigned Clients tab, select the Client to which the selected alerts will be assigned and click Next. To find a specific Client, enter its name in the Contains box and click Apply Filters.
6. Click Finish to save the changes.
7. The alerts are assigned to the Client.

Assigning Alerts to Clients during Client/Client Group Editing

To assign an alert to a specific Client or Client Group, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Client Management navigation link to the left.
3. On the Clients page, click Edit Client for the required Client or Edit Client Group for the required Client Group.
4. On the Editing Client/Editing Client Group page, on the Assigned Alerts tab, select the alerts to be assigned to the Client/Client Group and click Finish.
5. The alerts are assigned to the Client/Client Group.

Exporting and Importing Alerts

Exporting Alerts

To export an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Export Alerts.
4. Select the alerts to be exported and click Export.
5. The Alerts.xml file containing the selected alerts and their parameters is downloaded to your computer.

Importing Alerts

To import an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Import Alerts.
4. On the Import Alerts page, click Choose File.
5. In the opened window, select the required .xml file containing the alerts to be imported and click Open.

6. The imported alerts are added. The name, description, risk level, and rules of the imported alerts are defined according to the .xml file. These alerts are enabled by default but there are no Clients to which they are assigned.
NOTE: If Ekran Server contains an alert that has the same ID as one of the imported alerts, it will be updated.
7. Click Define Imported Alerts Settings to assign the imported alerts to Clients/Client Groups and to define the notification options.

Deleting Alerts

To delete an alert, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, click Edit Alert for the required alert.
4. On the Alert Properties tab, click Delete Alert.
5. In the confirmation message, click Delete.
6. The alert is deleted. All alert events that were detected by this alert are not marked as alert anymore.

To delete multiple alerts, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Alert Management navigation link to the left.
3. On the Alert Management page, select the required alerts and then click Delete.
4. In the confirmation message, click Delete.
5. The alerts are deleted. All alert events that were detected by these alerts are not marked as alert anymore.

Defining Global Alert Settings

Global Alert Settings allow you to define notification settings for all alerts. These settings are applied to all alerts. Their editing is available to users with the administrative Client installation and management permission.

To define Global Alert Settings, click Global Alert Settings on the Alert Management page.

Frequency Settings

The Frequency settings group allows you to define how frequently the alert notifications will appear in the Tray Notifications application and be sent via email.

• Minimal interval between notifications sent for the same alert event. This option defines how frequently the notifications about the same alert event will appear. For example, if this parameter is set to 10 minutes and a user has started Skype and works in it, the investigator will receive one notification every 10 minutes instead of receiving 10 notifications every minute or even more.
• Define how often the notification will be sent:
  o Send notifications on every alert event option allows you to notify the investigator on every alert event.
  o Send batch notification every (min) option allows you to notify the investigator about all alert events that occurred during defined time interval. Time counting starts when the Server starts if this option is selected. Notifications are then sent with the defined frequency.

Receiving Information on Alert Events

You can receive information on alert events in the following ways:
• In the Session List, the sessions that contain alert events have a special icon, which you can click to view the alert events in the Alert Viewer. The colour of the alert icon depends on the highest alert risk level detected in the session.
• In the Session Viewer, the alert events are marked with a special icon. The name of an alert is displayed in the Alert/USB Rule column. Also the alert events are highlighted in different colours depending on the detected alert risk level:
  o The alerts with the Critical risk level are highlighted in red colour.
  o The alerts with the High risk level are highlighted in yellow colour.
  o The alerts with the Normal risk level are highlighted in blue colour.
• On the Recent Alerts dashboard containing information on alerts triggered within a specific time period and a list of notifications for each alert. The colour of the alert bars depends on the alert risk level and the dashboard settings.
• If email notifications are enabled in the Alert Parameters, the information on alert events will be sent to defined recipients. Each email contains metadata of the alert event (user name, Client name, application name, alert risk level, time, and activity title) and the link for viewing this alert in the Session Viewer. To receive notifications via email, define Email Sending Settings.
• If the tray notifications are enabled in the Alert Parameters, the information on alert events will be sent via Tray Notifications component. To receive alert notifications in the Tray Notifications, do the following:
  1. Install the Tray Notifications on the computer where alert notifications are to be received.
  2. Log in to the Tray Notifications as a user of the Ekran System.
  3. Start receiving alert notifications in the Windows Tray.
  4. Use the Tray Notifications journal to view the history of received tray notifications and get more information on the alert event by opening the session in the Session Viewer. See the Tray Notifications application help file for more information.

Advanced Reports

About

The user activity can be analysed with the help of reports generated via the Management Tool. These reports allow you to receive the information on the activity of multiple Clients, alert events, detected URLs, and executed Linux commands, and get statistics on time spent by the user in each application or on each web-page. You can schedule the reports to be generated and sent via email at the specified time or manually generate the reports, which can be saved or printed, via Report Generator.

The reports can be generated in any of the following formats: PDF (*.pdf), Web Page (*.html), Single File Web Page (*.mht), Rich Text Format (*.rtf), Plain Text (*.txt), Excel Workbook (*.xlsx), Excel 97-2003 Workbook (*.xls), XPS Document (*.xps), CSV Document (*.csv), and XML (*.xml).

Report Types

The following types of reports are available in the Management Tool:

Report type | Contains the information about | Consists of the following columns

Grid Reports
Alert Grid Report | All alert events on all selected Clients for the defined users and defined time interval. | Activity time; Alert name; Alert risk; Details
Clipboard Grid Report (for Windows Clients) | All Clipboard text data of all selected Clients for the defined users and defined time interval. | Activity time; Activity title; Application name; Clipboard Operation; Clipboard Text
Detailed Activity Report | Information on all activities performed by a user on any Client computer in the network during the defined time interval. | Activity time; Activity title; Application name; Session URL; Text data

Report type | Contains the information about | Consists of the following columns

Kernel-level USB Grid Report (for Windows Clients) | All USB-device-related events detected by the kernel-level USB monitoring rules. | Time; Rule Name; Action (Blocked/Detected); Risk Level; Device Class; Device Details
Keystroke Grid Report (for Windows Clients) | All keystrokes of all selected Clients for the defined users and defined time interval. | Activity time; Activity title; Application name; Keystrokes (Smart); Keystrokes (Raw)
Linux Grid Report (for Linux Clients) | All commands executed on Linux Clients. NOTE: Linux reports include only exec* and sudo commands. | Time; Command; Parameters; Function
Session Grid Report | All sessions for all selected Clients for the defined users and defined time interval. | User name; Total time spent (hrs); Session Start Time; Last Activity Time; Remote IP
USB Storage Grid Report (for Windows Clients) | All detected USB devices on all selected Clients for the defined users and defined time interval. | Time (date and time of the USB Storage event); Details (Description of the USB devices plugged into the Client computers)
User Daily Activity Grid Report | All activities without idle time for all selected Clients for the defined users and defined time interval. | User name; Total time spent (hrs); First activity time; Last activity time; Remote IP; Session URL
User Statistics Report | The statistic information on the user's total working time, on all user's sessions, and on all Client computers used by the user. | User name; Total time spent (hrs); Session Count; Computers; Remote IPs

Report type | Contains the information about | Consists of the following columns

Summary Reports
Activity Summary Report (for Windows and macOS Clients) | Time spent by the user in each application (by application name) for the defined users and defined time interval; Idle time. | Application title; Time spent in the application (%); Time spent (hrs)
URL Summary Report (for Windows and macOS Clients) | Time spent by the user on each site (by domain name) for the defined users and defined time interval. | URL – only the main part of the URL (e.g., example.com) will be added to the report; Time spent on the website (%); Time spent (hrs)

Chart Reports
Activity Chart Report (for Windows and macOS Clients) | The same information as in the Activity Summary Report, but in the form of a bar chart. | Application title; Total time spent (minutes)
Activity Pie Chart Report (for Windows and macOS Clients) | The same information as in the Activity Summary Report, but in the form of a pie chart. | Application title; Time spent in the application (%)
URL Chart Report (for Windows and macOS Clients) | The same information as in the URL Summary Report, but in the form of a bar chart. | URL – only the main part of the URL (e.g., example.com) will be added to the report; Total time spent (minutes)
URL Pie Chart Report (for Windows and macOS Clients) | The same information as in the URL Summary Report, but in the form of a pie chart. | URL – only the main part of the URL (e.g., example.com) will be added to the report

Scheduled Reports

About

The Management Tool allows creating reports via Report Scheduler and sending them to the defined email addresses with the defined time interval. The reports creation is available to users with the administrative Client installation and management permission.

The report creation and sending options are defined in rules, which include the following parameters: rule name and description, state (enabled or disabled), report type and format, generation frequency (daily, weekly, or monthly), Clients/Client groups, and Users on Clients to which the rule must be applied.

NOTE: Define the Email Sending Settings to receive the scheduled reports via email.

The created rules are displayed on the Scheduled Reports page in the grid with the following columns:
• Name
• Description
• Assigned To
• Monitored Users
• State
• Frequency
• Email Recipients

Adding Report Rules

To add a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Scheduled Reports navigation link to the left and click Add rule.
3. On the Add rule page, on the Rule Properties tab, enter a unique name for the created rule and then optionally enter its description and select the Enable scheduled report generation option. Click Next.
4. On the Report Options tab, do the following and then click Next:
• Select one or several Report Types.
• Define the Report Parameters:
  o In the Report format field, select the format for the report.
  o In the Generate report field, select the frequency of report generation (Daily, Weekly, or Monthly). If the Weekly parameter is selected in the Generate report field, select the day of the week on which the report will be generated in the Day of week drop-down list. If the Monthly parameter is selected in the Generate report field, select the day of the month on which the report will be generated in the Day of month drop-down list.
    NOTE: If the Monthly parameter is selected and you want the report to be generated on the 31st day of the month, it will be generated only in those months where there are 31 days.
  o In the Start report generation at field, define the time at which the report generation must be started. You can select the value from the drop-down list and edit it manually if you need to set your own number of minutes.
    NOTE: Depending upon the Server load, the report generation can start a few minutes later than the set time.
• Enter the email addresses to which the report will be sent in the Emails field.

5. On the Assigned Clients tab, select the Windows Clients/Client Groups to which the rule will be applied and click Next. To find specific Windows Clients/Client Groups, enter their names in the Contains box and click Apply Filters.
6. On the Monitored Users tab, define the users whose activity will be included in the report:
• Select the Any user option if you do not need to specify the user whose activity will be added.
• In other case, select the Selected users option, click Add Users, and then do the following:
  1) Select the Display only users detected on selected Clients option above the grid in order to view only the list of users on Clients selected in the Clients section.
  NOTE: Only those users whose activities have already been monitored are listed.
  2) Select the required users and then click Add selected.
7. Click Finish.
8. The rule is added.

NOTE: The scheduled report rule can also be created by clicking Create Scheduled Report Rule on the Report Generator page.

Editing Report Rules

To edit a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click Edit Rule for the required rule.
4. Edit rule properties, report options, and define assigned Windows Clients and monitored users on the corresponding tabs in the same way as when adding a new rule.
NOTE: Click Next or Finish to save the changes on each tab.
5. The rule is edited.

Deleting Report Rules

To delete a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click Edit Rule for the required rule.
4. On the Rule Properties tab, click Delete Rule.
5. In the confirmation message, click Delete.
6. The rule is deleted.

Generating Reports from the Scheduled Report Rule

Once the scheduled report rule is created, you can generate a report from the Rule Properties tab any time.

To generate a report from the Scheduled Report Rule, do the following:
7. Log in to the Management Tool as a user with the administrative Client installation and management permission.
8. Click the Scheduled Reports navigation link to the left.
9. Click Edit Rule for the required rule.
10. On the Rule Properties tab, click Generate Report.
11. The generation of the report starts. If the Emails field contains one or more email addresses defined in the rule, the report will be sent to those addresses.
12. The report can be viewed on the Scheduled Reports Generation Log page as soon as it is generated.
NOTE: If the generated report is not displayed on the Scheduled Reports Generation Log page, it is still being generated. Reload the page by pressing the F5 key until the report is displayed.

Frequency and Time Interval for Report Creation

The time interval of the data that is added to the report depends upon the report generation frequency.

If the report is generated on a daily basis, it will include the data that was monitored starting from the specified time of the previous day up till the specified time of the current day.
For example: If the Daily parameter is set and the report is to be generated on June 13 at 17:00, the time interval of the data for this report will start on June 12 at 17:00 and end on June 13 at 17:00.

If the report is generated on a weekly basis, it will include the data that was monitored starting from the specified time and day of the previous week up till the specified time and day of the current week.
For example: If the Weekly parameter is set and the report is to be generated on Monday at 18:00, the time interval of the data for this report will start on Monday of the previous week at 18:00 and end on Monday of the current week at 18:00.

If the report is generated on a monthly basis, it will include the data that was monitored starting from the specified time and day of the previous month up till the specified time and day of the current month.
For example: If the Monthly parameter is set and the report is to be generated on January 20 at 19:00, the time interval of the data for this report will start on December 20 at 19:00 and end on January 20 at 19:00.

NOTE: If the Monthly parameter is selected and you want the report to be generated on the 31st day of the month, it will not be generated in those months where there are 30 days or less.
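The interval rules of this section, including the 31st-day case, can be worked through in code to see which monitored periods a monthly schedule never reports on. This is an added example, not Ekran System code; the function names and the years used are assumptions, and the results follow only from the rules as this help file states them.

```python
import calendar
from datetime import datetime, timedelta


def report_window(frequency, generated_at):
    """Return (start, end) of the data interval for a report generated at `generated_at`."""
    if frequency == "Daily":
        return generated_at - timedelta(days=1), generated_at
    if frequency == "Weekly":
        return generated_at - timedelta(weeks=1), generated_at
    if frequency != "Monthly":
        raise ValueError(f"unknown frequency: {frequency}")
    # Monthly: same day and time of the previous month. When that day does not
    # exist there (the 31st-day case), the window starts on the last day of the
    # previous month instead.
    year, month = generated_at.year, generated_at.month - 1
    if month == 0:
        year, month = year - 1, 12
    last_day = calendar.monthrange(year, month)[1]
    start = generated_at.replace(
        year=year, month=month, day=min(generated_at.day, last_day)
    )
    return start, generated_at


def generation_dates(day_of_month, year, hour):
    """Scheduled monthly runs: only months that actually contain the chosen day.
    The help file states this for the 31st; other days are treated the same
    way here as an assumption."""
    return [
        datetime(year, month, day_of_month, hour)
        for month in range(1, 13)
        if calendar.monthrange(year, month)[1] >= day_of_month
    ]


def uncovered_intervals(day_of_month, year, hour):
    """Periods between consecutive monthly reports that no report window includes."""
    windows = [
        report_window("Monthly", run)
        for run in generation_dates(day_of_month, year, hour)
    ]
    gaps = []
    for (_, previous_end), (next_start, _) in zip(windows, windows[1:]):
        if next_start > previous_end:
            gaps.append((previous_end, next_start))
    return gaps


if __name__ == "__main__":
    # Examples from the text (year chosen for illustration).
    print(report_window("Daily", datetime(2023, 6, 13, 17, 0)))
    print(report_window("Monthly", datetime(2024, 1, 20, 19, 0)))
    # A rule set to the 31st leaves these periods out of every scheduled report.
    for start, end in uncovered_intervals(31, 2023, 10):
        print(f"not reported: {start:%b %d %H:%M} to {end:%b %d %H:%M}")
```

For a rule set to the 31st, the data between one report and the last day of the following 30-day (or shorter) month falls outside every scheduled window, so a day such as the 15th, or an additional manual report, is needed for continuous coverage.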

If the monthly report is set to be generated on the 31st day of month, but there were less than 31 days in the previous month, the time interval of the data for this report will start on the last day of the previous month and end on the 31st day of the current month.
For example: If the report is generated on March 31, the time interval of the data for this report will start February 28, or February 29, at 10:00, and end on March 31 at 10:00.

If the report is generated from the scheduled report rule, the time interval of the data for the report will depend upon the current date and time. For example:
• If the Daily parameter is set in the rule and the Start report generation parameter is set to 15:00, and you want to generate the report at 14:00, the time interval of the data for the report will start from 14:00 of the previous day and end at 14:00 of the current day.
• If the Weekly parameter is set in the rule and the Day of week parameter is set to Wednesday, and you want to generate the report on Friday at 12:00, the time interval of the data for the report will start from Friday of the previous week at 12:00 and end on the current day at 12:00.
• If the Monthly parameter is set in the rule and the Day of month parameter is set to the 15th day of month, and you want to generate the report on May 10, the time interval of the data for the report will start from April 10 at 10:00 and end on the current day at 10:00.

NOTE: If there are too many activities in the defined time interval, the report may become too large. The generated report file cannot exceed the size of allowed SMTP server attachments.

Viewing Logs

For each rule, the user can see the log which contains the information on time when the report was generated, report name (file name) and type, report generation result (status), number of results in the report, and the emails to which the report was sent.

NOTE: Only the last 100 records are stored.

To view the logs, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the Scheduled Reports navigation link to the left.
3. Click View Log for the required rule.
4. On the Scheduled Reports Generation Log page, the logs are displayed in the grid with the following columns:
• Generated (Time when the report was generated)
• File Name (Report name)
• Report Type

• Status (Finished, In Progress, or an error reason in case the error occurred during report generation)
• Results Count (Number of results in the report)
• Sent To
5. Click the Download link to download the report to your computer.
6. Click the Delete link to delete the report from the log and from the Server.

Report Generator

About

The reports can be generated on the Report Generator page by the user with the Viewing monitoring results permission and can be previewed before printing.

The main difference between Report Scheduler and Report Generator is that Report Generator allows you to create reports for the time interval of any length. Note, though, that it may take a long time to generate a report for a long time interval and for a big number of Windows Clients.

NOTE: You can generate only one type of report at a time via Report Generator.

Report Parameters

The following parameters are defined in the Management Tool when creating a report:
1. Report parameters. This option allows you to select the type of the report and enter its custom Footer text and Header text.
2. Date filters. This option allows you to define the time interval for which the report will be generated.
3. Clients. This option allows you to select the Clients/Client groups, whose monitored data will be added to the report.
NOTE: Only Clients for which the user has the Viewing monitoring results permission are displayed.
4. Users. This option allows you to select the users of Client computers whose activity will be included in the report.

Generating Report

To generate a report, do the following:
1. Log in to the Management Tool as a user with the Viewing monitoring results permission.
2. Click the Report Generator navigation link to the left.
3. Define the report parameters:
• Select the type of the report and enter its Footer and Header text.

• In the From and To fields, enter the dates and time within which the data of the monitored Clients should be added.
• Click Add Clients and on the opened Adding Clients page select the check boxes next to the corresponding Clients/Client groups. Once the Clients are selected, click Add selected.
• Define the users whose activity will be included in the report:
  o Select the Any user option if you do not need to specify the user whose activity will be added.
  o In other case, select the Selected users option, click Add Users, and then do the following:
    1) Select the Display only users detected on selected Clients option above the grid in order to view only the list of users on Clients selected in the Clients section.
    NOTE: Only those users whose activities have already been monitored are listed.
    2) Select the required users and then click Add selected.
4. Click Generate Report.
5. On the opened Report Preview page, click the corresponding icons located on the toolbar above the report to perform the following actions:
• Print the report
• Print the current page
• Export and save the report to the disk
• Export a report to *.xml format and save it to the disk
You can also navigate between the pages of the report by clicking the blue arrows and choose the format of the report by clicking the black arrow that opens a drop-down list with all supported formats.

Creating a Scheduled Report Rule from the Report Generator Page

Once the parameters for the report are defined, you can create a scheduled report rule basing on the defined parameters.

To create a rule, do the following:
1. Log in to the Management Tool as a user with the Viewing monitoring results permission.
2. Click the Report Generator navigation link to the left.
3. Define the report parameters.
4. On the Report Generator page, click Create Scheduled Report Rule.
5. The Editing Rule page opens.
6. On the Rule Properties tab, enter a unique name for the created rule and then optionally enter its description. The default name of the rule is GeneratorRule<number of rule>.
7. Click Next.
8. On the Report Options tab, enter the corresponding values in the Report Parameters fields and the Emails field the same as when adding a new report rule. The other parameters like Report Type, Header and Footer text, Clients, and Users were defined in Report Generator, but you can edit them if you want.
9. Click Finish.

USB Monitoring & Blocking

About

There are two types of monitoring of USB devices available:
• USB-based storage monitoring: allows you to view information on the plugged-in devices detected by Windows as mass storage. The information on detected USB devices is displayed in the Session Viewer. This monitoring is performed automatically and does not require enabling any additional settings for a Client.
• Kernel-level USB monitoring: provides you with the means for an in-depth analysis of plugged-in devices. By adding kernel-level USB rules, you can perform the following actions:
  o Monitoring – allows you to view information on the detected devices in the Session Viewer.
  o Sending notifications – allows you to receive notifications (by email or in the Tray Notifications app) when a device is connected to the Client computer.
  o Blocking – allows you to block the USB device from using. In this case, the user may be informed that the device on their computer is blocked.
  It is also possible to create a list of devices that must not be monitored or blocked.
  WARNING! It is recommended to add all the allowed USB devices to exceptions in order not to block them from using accidentally.

Monitored Devices

For USB-based storage monitoring: the following mass storage devices are automatically monitored and alerted – external magnetic hard drives, external optical drives (including CD and DVD reader and writer drives), portable flash memory devices, solid-state drives, adapters between standard flash memory cards and USB connections, digital cameras, digital audio and portable media players, card readers, PDAs, and mobile phones.

For kernel-level USB monitoring: the following classes of devices are monitored, blocked, and alerted:
• Mass storage devices – external magnetic hard drives, external optical drives (including CD and DVD reader and writer drives), portable flash memory devices, solid-state drives, adapters between standard flash memory cards and USB connections, digital cameras, digital audio and portable media players, card readers, PDAs, and mobile phones.
• Windows portable devices – audio players, phones, and other devices that use nonstandard identifier.
• Wireless connection devices – Bluetooth adapter, Microsoft RNDIS.
• Modems and Network adapters – network interface controllers.

• Audio devices – speakers, microphones, sound cards, MIDIs, etc.
• Human interface devices – keyboards, computer mouse devices, joysticks.
• Composite devices – devices that consist of one or a few more devices (e.g., keyboards with USB ports).
• Printer devices – laser printers, inkjet printers, CNC computers.
• Video devices – web cameras.
• Vendor-specific devices – devices which require vendor-specific drivers and whose class is defined by the vendor.
WARNING! Selecting this type of device might result in blocking any USB device.

Each class has its own name (e.g., 00, 01, 02, etc.), which can be viewed in the device properties. The name of class allows you to define to what class the detected device belongs. For more information, check these links:
http://en.wikipedia.org/wiki/USB
http://www.usb.org/developers/defined_class

To view the name of the USB device class, do the following:
1. Plug the device into your computer.
2. Right-click Computer and select Manage.
3. The Computer Management window opens.
4. Expand the Device Manager node.
5. Expand the node with the name of the computer in the central pane.
6. Select the Universal Serial Bus controllers node in the list and expand it.
7. Find the device, the class of which you want to view, right-click it and select Properties.
8. In the opened window, select the Details tab, then select Compatible Ids in the Property drop-down list, and view the necessary information in the Value field.
9. Click OK or Cancel to close the window.

Kernel-Level USB Monitoring Rules

About

In order to monitor and block the devices which are plugged into the computer, the user needs to create rules in the Management Tool. The rules can be created and assigned to the Clients by the user with the administrative Client installation and management permission.

The created USB Monitoring rules are displayed on the USB Monitoring Management page in the Management Tool in a grid with the following columns:
• Name
• Description
• Risk
• State
• Action
• Assigned to (Clients group)

Adding USB Monitoring Rules

To add a new rule, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Add Rule.
4. On the Add USB Rule page, on the USB Rule Properties tab, define the following properties and then click Next:
• Enter a unique name for the rule.
• Optionally enter the rule description.
• Select the risk level.
• Select the Enable USB rule option to enable the rule.
5. On the Rule Conditions tab, do the following:
• Add the classes of devices to be monitored to the Monitored Devices list.
• Define the exceptions for the devices to be skipped while monitoring.
6. On the Additional Actions tab, define what happens when a device from the list of monitored devices is used on target computer by selecting the following options:
• Send email notification to – allows you to receive an alert notification on USB device detection via email.
NOTE: To receive email notifications correctly, make sure that Email Sending Settings contain correct parameters for email sending.
• Display tray notification – allows you to receive an alert notification on USB device detection via the Tray Notification app.
• Block USB device – allows you to prevent the user from using the USB device from the Monitored Devices list on the target computer. This option affects all the users, regardless of the user filtering settings.
• Notify the user on target computer about device blocking – allows you to define the custom text to be displayed in a balloon notification on the Client computer (maximum 250 characters).

If you do not select any of the actions, the detected USB devices will be monitored and displayed in the Session Viewer only.
7. On the Assigned Clients tab, select the Clients/Client Groups, to which the rule will be applied, and click Next. To find specific Clients/Client Groups, enter their names in the Contains box and click Apply Filters.
8. Click Finish.
9. The rule is added.

Editing USB Monitoring Rules

To edit a rule, do the following:
1. Log in to the Management Tool as a user with the Client installation and management permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Edit Rule for the required rule.
4. Edit rule properties on the corresponding tabs in the same way as when adding a new rule and click Finish.
5. The rule is edited.

Deleting USB Monitoring Rules

To delete a rule, do the following:
1. Log in to the Management Tool as a user with the administrative Client installation and management permission.
2. Click the USB Monitoring Management navigation link to the left.
3. On the USB Monitoring Management page, click Edit Rule for the required rule.
4. On the USB Rule Properties tab, click Delete Rule.
5. In the confirmation message, click Delete.
6. The rule is deleted.

In case some plugged-in devices were blocked in accordance with the rule, the user will have to remove the devices and plug them back in.

Defining Exceptions for USB Rules

The list of exceptions for USB devices includes the devices that are not monitored or blocked. Unlike the Monitored Devices list that contains the classes of devices, the exceptions include the separate devices added individually. The exceptions can be added on the Rule Conditions tab when adding or editing the rule. In case you want to block vendor-specific devices, make sure you have added all allowed user devices to the list of exceptions.

To add an exception, do the following:
1. On the Rule Conditions tab, click Add.
2. On the Add Exception page, select one of the following radio buttons:
• Quick selection – allows you to enter your Device Hardware ID.
• Custom selection – allows you to enter the Vendor ID (VID), Product ID (PID), Revision, and Serial in the corresponding fields.
NOTE: The Vendor ID (VID) and the Product ID (PID) are required fields. Revision and Serial are optional fields.
3. Optionally, enter a description in the Description field.

4. Click Add.
5. The specified device is added to the list of exceptions.
6. Click Finish to save the USB monitoring rule.
7. The rule is edited.

Viewing Device Hardware ID

To view the Device hardware ID, do the following:
1. Plug the device into your computer.
2. Right-click Computer and select Manage.
3. The Computer Management window opens.
4. Expand the Device Manager node.
5. Expand the node with the name of the computer in the central pane.
6. Select the Universal Serial Bus Controllers node in the list and expand it.
7. Find the device, the information of which you want to view, right-click it and select Properties.
8. In the opened window, select the Details tab, then select Hardware Ids in the Property drop-down list, and view the necessary information in the Value field.
9. Click OK or Cancel to close the window.
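The Hardware Ids and Compatible Ids values read from Device Manager in the procedures above correspond to the exception fields (VID, PID, Revision, Serial) and to the two-digit USB class names. The following is an added example, not part of the Ekran System documentation: it splits such values into those fields and flags vendor-specific (class FF) devices, which the warning above says must be covered by exceptions before that class is blocked. The device values are constructed, and reading the serial from the device instance path is an assumption about Windows behaviour, not something this help file describes.

```python
import re

# USB-IF base class codes (usb.org "defined class codes" list). How the product
# groups these codes into its own device classes is not asserted here.
USB_BASE_CLASSES = {
    0x00: "Defined at interface level", 0x01: "Audio",
    0x02: "Communications and CDC Control", 0x03: "Human Interface Device",
    0x06: "Image", 0x07: "Printer", 0x08: "Mass Storage", 0x09: "Hub",
    0x0E: "Video", 0xE0: "Wireless Controller", 0xEF: "Miscellaneous",
    0xFF: "Vendor Specific",
}

# Shapes Windows uses for USB "Hardware Ids" and "Compatible Ids" values.
HWID_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&REV_(?P<rev>[0-9A-F]{4}))?(?:&MI_(?P<mi>[0-9A-F]{2}))?$",
    re.IGNORECASE,
)
COMPAT_RE = re.compile(
    r"^USB\\Class_(?P<cls>[0-9A-F]{2})"
    r"(?:&SubClass_(?P<sub>[0-9A-F]{2}))?(?:&Prot_(?P<prot>[0-9A-F]{2}))?$",
    re.IGNORECASE,
)


def parse_hardware_id(value):
    """Split one Hardware Ids value into vid, pid, rev and interface (mi)."""
    m = HWID_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a USB hardware ID: {value!r}")
    return {k: v.upper() if v else None for k, v in m.groupdict().items()}


def parse_compatible_id(value):
    """Split one Compatible Ids value into class code, class name, subclass, protocol."""
    m = COMPAT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a USB compatible ID: {value!r}")
    code = int(m.group("cls"), 16)
    return {
        "class_code": f"{code:02X}",
        "class_name": USB_BASE_CLASSES.get(code, "Other/unlisted"),
        "subclass": m.group("sub"),
        "protocol": m.group("prot"),
    }


def serial_from_instance_path(path):
    """Return the serial from a device instance path, or None if there is none.

    Assumption: an '&' in the last segment means the device reported no serial
    number and Windows generated a port-dependent identifier instead.
    """
    parts = path.strip().split("\\")
    if len(parts) != 3 or parts[0].upper() != "USB":
        raise ValueError(f"not a USB device instance path: {path!r}")
    return None if "&" in parts[2] else parts[2]


def exception_entry(hardware_ids, compatible_ids, instance_path=None):
    """Build the Custom selection fields for one device, plus its USB class."""
    parsed = [parse_hardware_id(h) for h in hardware_ids]
    if len({(p["vid"], p["pid"]) for p in parsed}) != 1:
        raise ValueError("hardware IDs are empty or disagree on VID/PID")
    best = max(parsed, key=lambda p: p["rev"] is not None)  # prefer the ID with REV
    codes = {parse_compatible_id(c)["class_code"] for c in compatible_ids}
    if len(codes) > 1:
        raise ValueError("compatible IDs disagree on the class code")
    code = codes.pop() if codes else None
    name = USB_BASE_CLASSES.get(int(code, 16), "Other/unlisted") if code else None
    return {
        "VID": best["vid"],            # required field
        "PID": best["pid"],            # required field
        "Revision": best["rev"],       # optional field
        "Serial": serial_from_instance_path(instance_path) if instance_path else None,
        "usb_class": f"{code} ({name})" if code else None,
        "vendor_specific": code == "FF",
    }


# Constructed sample values, in the form they are copied from Device Manager.
SAMPLE_DEVICES = [
    {"hardware_ids": [r"USB\VID_1A2B&PID_3C4D&REV_0100", r"USB\VID_1A2B&PID_3C4D"],
     "compatible_ids": [r"USB\Class_08&SubClass_06&Prot_50", r"USB\Class_08"],
     "instance_path": r"USB\VID_1A2B&PID_3C4D\EXAMPLE0123456789"},
    {"hardware_ids": [r"USB\VID_5E6F&PID_0001&REV_0002"],
     "compatible_ids": [r"USB\Class_FF&SubClass_00&Prot_00", r"USB\Class_FF"],
     "instance_path": r"USB\VID_5E6F&PID_0001\6&1c2d3e4f&0&2"},
]


def build_exceptions(devices):
    """Return one exception entry per inventoried device."""
    return [exception_entry(**d) for d in devices]


if __name__ == "__main__":
    for entry in build_exceptions(SAMPLE_DEVICES):
        print(entry)
```

An entry with no Serial can only be matched on VID, PID and Revision, so it covers every unit of that model rather than one specific device.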

Configuration

Defining Email Sending Settings

Email sending settings allow you to define the options of sending email notifications for all alerts, USB monitoring, and reports via email. Their editing is available to users with the administrative Client installation and management permission.

To define email sending settings, click the Configuration navigation link to the left and open the Email sending settings tab.

The settings include:
1. Email Connection Settings
• Server: This option allows you to define an existing SMTP mail server.
• Port: This option allows you to define the email server port number via which the emails will be sent.
• Encrypted connection type: This option allows you to define the type of encrypted connection via which the email notifications will be sent. You can choose between:
- None
- SSL
- TLS
• From: This option allows you to define an existing email account from which the email notifications will be sent.
NOTE: The delivery of email notifications via mail servers with only NTLM authentication, such as Microsoft Exchange Server, is not supported.
2. Email Connection Credentials
This option allows you to define the login details (User and Password) for the email server. If the mail server does not require entering any credentials, you can select the No authentications option.
NOTE: For the email notifications to be sent correctly, you have to define the credentials of the email account specified in the From field under the Email Connection Settings.
3. Email Connection Test
This option allows you to send a test email to a specified email address to check if all email connection settings are correctly defined.
4. Administrator Email
This option allows you to define the administrator’s email address to which the access requests of restricted users will be sent. You can define several email addresses separating them with semicolon (;).

Defining Player Link Settings

This option allows you to define the Management Tool domain name that will be used in the link to the Session Viewer in alert notifications, in Tray Notifications application journal, reports, and emails. The domain name must be entered in the following format: https://<Management Tool computer name or IP>/EkranSystem.

Defining System Settings

Custom logo settings allow you to enable using custom graphic file instead of the default logo on the Client computer during secondary authentication, user blocking, etc. Also, you can add the header and footer text in the reports.

To use a custom logo instead of the default logo, select the Use a custom logo instead of the Ekran System logo option in the Custom Logo Settings, click the Upload, and select the logo.

To use a custom logo instead of the default logo in the generated reports, select the Use a custom logo instead of the Ekran System logo option in the Custom Reports Settings, click the Upload, and select the logo.

The uploaded file must be in the .bmp format and have a size not more than 525x40, for the reports not more than 300x80.

To change the custom header and footer for the report, define its text in the Header text and Footer text fields (the maximum length of the header and footer text is 1000 symbols).

Defining SIEM Logs

Log settings allow you to enable creation of a log file, define the data to be written to it, and the cleanup frequency. Depending on the format, log files can be viewed and analysed by the Splunk and ArcSight monitoring software (CEF), or by IBM QRadar software (LEEF). Editing of log settings is available to users with the administrative Database management permission.

NOTE: The Advanced SIEM Integration functionality is available only if you have an activated Enterprise serial key.

To define log settings, click the Configuration navigation link to the left and open the SIEM Integration tab.

The settings include:
1. General Settings
• Create a log file: This option allows you to enable log file creation.
• Log file location: This option allows you to define the location to store a log file.
• Log format: This option allows you to select the log file format (CEF or LEEF).
• Date format: This option allows you to define the date format for a log file.
2. Log File Contents
In this section, you can define the data to be written to a log file.

• Windows and Linux Client records: This option allows adding all session records of Windows and Linux Clients to a log file.
• Alert events: This option allows adding all alert events of Windows and Linux Clients to a log file.
• Management Tool Log Events: This option allows adding all Management Tool Log records to a log file.
3. Cleanup Settings
In this section, you can define the parameters for the cleanup operation.
• Cleanup every: This option allows you to define the frequency of the cleanup operation.
• Cleanup daily at: This option allows you to define the time to execute the cleanup operation on a daily basis.
• Maximum file size (GB): This option allows you to define the maximum size of a log file.
NOTE: During each cleanup operation, the current log file is renamed (the date and time of the cleanup operation is added to its name) and a new one is created in the same folder. Not to run out of space on the Server computer where the log files are stored, it is recommended to check the used disk space regularly and delete the log files, which are no longer in use.

Defining Ticketing System Integration Settings

Ticketing system integration settings allow you to enable integration with the ticketing system and define the access parameters for it. Currently, integration with the SysAid ticketing system is available. If you want Ekran System to be integrated with any other ticketing system, contact our support team: support_team@ekransystem.com.

Editing of ticketing system integration settings is available to users with the administrative Database management permission.

NOTE: The Ticketing System Integration functionality is available only if you have an activated Enterprise serial key.

The settings include:
• Enable authentication via ticketing system: This option allows you to enable integration with the ticketing system.
• Ticketing system URL: This option allows you to define a valid URL address for the ticketing system.
NOTE: For the SysAid ticketing system, URL must be entered in the following format: <SysAid URL>/services/SysaidApiService
• Account name: This option allows you to define the name of the account the serial key is associated with.
• Login: This option allows you to define the login of the user account to get the access to the ticketing system.
• Password: This option allows you to define the password of the user account to get the access to the ticketing system.

Defining LDAP Targets

About

You can integrate Ekran System with various domains by creating a connection with their Active Directory Domain Controllers. In such a way, you can add domain users/user groups allowing them to access the Management Tool and Client computers with enabled Forced User Authentication. For each LDAP target, you have to specify the LDAP path and credentials of a domain user for the Ekran Server to be able to establish connection with the domain controller.

Automatic LDAP Target

If Ekran System Server is to be installed on the computer that is a member of an Active Directory domain, this domain will be automatically added to the LDAP targets during the Server installation. It will be marked as automatic LDAP target.

If the computer with Ekran System Server has been added to a domain after the Server installation or has been moved to another domain, you can add/update the automatic LDAP target manually. In addition, you can change the credentials of the domain user, which are saved for the automatic LDAP target, by clicking Edit for this target and specifying new credentials on the Edit LDAP Target page.

To add/update the automatic LDAP target manually, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Refresh Automatic LDAP Target.
4. If there is no automatic LDAP target, it will be added. If there is an automatic LDAP target added, it will be updated.

Adding LDAP Target Manually

To add a new LDAP target manually, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Add LDAP Target.
4. On the Add LDAP Target page, define the following parameters and then click Finish:
• LDAP Path: Define the LDAP path for the Active Directory domain controller you want to connect to in the following format: LDAP://<Domain Controller name or IP address>/DC=<Domain name>,DC=<Suffix>
E.g., for the test.app.local domain with the EKRANAPP domain controller, define the following: LDAP://EKRANAPP/DC=test,DC=app,DC=local

• Domain NetBIOS Name: Define the NetBIOS name of the domain you want to connect to.
• User: Define the name of the user belonging to the Active Directory domain you want to connect to.
• Password: Define the password of the user account belonging to the Active Directory domain you want to connect to.
5. On the LDAP Targets tab, a new LDAP target is displayed in the grid.

Editing LDAP Target

To edit the existing LDAP target, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Edit in the grid.
4. On the Edit LDAP Target page, edit the LDAP target parameters and then click Finish.

Deleting LDAP Target

To delete the existing LDAP target, do the following:
1. Log in to the Management Tool as a user with the administrative Database management permission.
2. Click the Configuration navigation link to the left.
3. On the Configuration page, select the LDAP Targets tab and then click Delete in the grid.
4. In the confirmation message, click Delete.
5. The LDAP target is deleted from the grid.

The users from the corresponding domain will be unable to access the Management Tool and the Client computers as Forced Authentication users anymore.

Defining Date & Time Format

Date & time format settings allow you to define the date and time format for the Management Tool and the Server. Editing the date and time format is available to users with the administrative Client installation and management permission.

To define date & time format, click the Configuration navigation link to the left and open the Date & Time Format tab.

The settings include:
1. Management Tool Date & Time Format
These user-specific settings apply to all the pages available in the Management Tool.
• The Management Tool date format option allows you to define the date format for the Management Tool.

• The Management Tool time format option allows you to define the time format for the Management Tool.
2. Server Date & Time Format
These settings apply to the features processed on the Server: Forensic Export, Email Alert Notifications, Email USB Alerts, and Reports (generated via the Report Generator & Scheduled Reports).
• The Server date format option allows you to define the date format for the Server.
• The Server time format option allows you to define the time format for the Server.

The settings allow you to choose between the following date formats:

Date Format     Example
dd/mm/yyyy      23/02/2017
mm/dd/yyyy      02/23/2017
yyyy/mm/dd      2017/02/23

The settings allow you to choose between the following time formats:

Time Format     Example
HH/mm/ss        08:20:15
H/mm/ss         8:20:15
hh/mm/ss tt     08:20:15 AM
h/mm/ss tt      8:20:15 AM

Defining Server Settings

Server Settings allow you to define default locations for Forensic Export Storage and Reports Storage. This might be used when working with Ekran System in the high-availability mode.

To define server settings, click the Configuration navigation link to the left and open the Server Settings tab.

The settings include:
• Forensic Export Storage: This option allows you to define the location to store results of forensic export.
• The Reports Storage: This option allows you to define the location to store reports.

Viewing Monitoring Results

Session List

About

Monitored data received from Windows and Linux Clients is organized in the session. The Windows Client session includes recorded user activity (screenshots, application names, activity titles, captured keystrokes, clipboard text data, and URLs). The Linux Client session contains the list of executed commands, their parameters, and functions.

Windows Clients start recording user activity in a new session every time the computer is restarted. The maximum duration of one session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from live to finished), new live sessions automatically start.

Linux Clients start recording a new monitoring session each time the terminal is opened. There is no time limitation for a Linux Client session.

Client Sessions List

To view monitored sessions, click the Monitoring Results navigation link to the left and then the Client Sessions page opens. The Client Sessions page is divided into two panes:
• Search & Filtering pane
• Sessions grid

The search pane allows you to perform search in the session data and perform the Forensic Export.

The list of all sessions is displayed in the form of grid. The grid includes the following information:
• Alerts: Allows opening all alert events for the session in the Alert viewer. The colour of the alert icon corresponds to the highest alert risk level detected in the session.
• User name: Displays the name of the user logged in to the Client computer.
NOTE: If Forced User Authentication is enabled on the Client, the user name is displayed as: <logged in Windows user> (<secondary authentication user> or <user’s email>).
• Client Name: Displays the name of the computer on which the Client is installed.
• OS: Displays the operating system type (Windows or Linux).
• Start: Displays the date and time when the session started.
• Last Activity: Displays the date and time of the last created screenshot or executed Linux command.
• Finish: Displays the date and time when the session finished. If the session has the Live status, this field is empty.
• Type: Displays the session type (Live or Finished).
• Remote Host Name: Displays the name of the remote computer, from which the connection to the Client computer is established.

• IPv4: Displays the IPv4 address of the Client computer.
• IPv6: Displays the IPv6 address of the Client computer.
• Remote IP: Displays the local or public IP address of the remote computer, from which the connection to the Client computer is established.
NOTE: If the user logs into the Client computer remotely, when the Client session has already been started, via one of the following remote desktop applications, the remote IP-address will not be detected: DameWare, Radmin, UltraVNC, or TightVNC.
• Domain: Displays the name of the domain to which the Client belongs.
• Client Group: Displays the name of the Client Group to which the Client belongs. If the Client belongs to the All Clients group only, the column is empty.
• Client Description: Displays the custom Client description.
• User’s comment: Displays user’s comment entered on the login to the Client computer.

You can change the order and size of the columns and hide columns. To change the order of the columns in a grid, drag and drop the header of the corresponding column where you want it to be in the grid. To hide the columns in a grid, click Hidden columns, and drag the header of the corresponding column to the Hidden columns area.

Filtering Sessions

A user can filter out sessions by metadata in one of the following ways:
• By specific parameters
• By searching in session data

Filtering by Specific Parameters

This type of filtering allows you to filter sessions by a set of specific parameters. You can filter sessions by multiple criteria.

By default, the following filters are displayed:
• Who: Allows filtering sessions by a specific user logged into the Client computer.
• Where: Allows filtering sessions by a specific Client.
• When: Allows filtering sessions by the time period. To set the time period, select one of the following:
- Define the number of latest hours, days, or weeks.
- Define the start date and the end date of the time period.
The result session list includes all sessions containing the activities for the set period.

For each non-date filter, you can select more than one filtering parameter. The filtering parameters are applied instantly. With each selected parameter, the session list is re-filtered.

To add other filters, click More criteria and select a filter from the opened list:
• Type: Allows filtering sessions by their type (Live or Finished).

• OS: Allows filtering sessions by the operating system type (Windows or Linux).
• Start: Allows filtering sessions by the date and time the session started.
• Last Activity: Allows filtering sessions by the date and time of the last screenshot or executed Linux command.
• Finish: Allows filtering sessions by the date and time the session finished. If the session has the Live status, this field is empty.
• IPv4: Allows filtering sessions by the IPv4 address of the Client computer.
• IPv6: Allows filtering sessions by the IPv6 address of the Client computer.
• Remote IP: Allows filtering sessions by the IP-address used to log into the Client computer from.
• Domain: Allows filtering sessions by the name of the domain to which the Client belongs.
• Client Group: Allows filtering sessions by the name of the Client Group to which the Client belongs.
• Client Description: Allows filtering sessions by the custom Client description.
• User’s Comment: Allows filtering sessions by the comment entered to the additional message.

To remove the extra filter from the filtering pane, click X on the filter button.

Searching in the Session Data

You can search for sessions using a search expression (keyword). You can find sessions containing the search expression in:
• Application names
• Activity titles
• Keystrokes
• Clipboard text data
• URLs
• Linux commands and parameters
• Alert names
• USB rule names
• Linux command output

NOTE: For the search to be performed in Linux command output, select the Search in output (Linux) option. This option is displayed if there is at least one Linux session recorded.

You can search for sessions using a list of keywords. To perform search by a list of keywords, do the following:
1. Create a .txt file with a list of keywords. Keywords must be separated by a paragraph or a space.
2. Click the Browse button next to the search field and select the created .txt file.
3. Click the search icon to begin the search.

NOTE: Searching for a large number of keywords or in a large number of sessions might take much time and affect the Server performance.

In the list, you can define the number of sessions to perform search in.

The search is performed in the sessions displayed in the Session grid in accordance with the session sorting order.

Sorting Sessions

To sort sessions in the Session grid, click the required column header. You can change column sort order from ascending to descending, and vice versa. To do this, click the Sort arrow near the column header. If data is not sorted by this column, the Sort arrow is hidden.

Export Sessions

To perform forensic export of all filtered out sessions, click . In the confirmation window, click Export. The Forensic Export History page opens, displaying the export progress. As soon as the export process finishes, the resulting files become available for downloading. Click Download to download the file with Forensic Export results.

Playing Sessions

About

The Session Viewer is a part of the Management Tool that provides the possibility to view monitored data within one selected session. To open the Session Viewer, select one of the sessions in the Sessions grid on the Monitoring Results page and click on it.

Session Viewer Interface

By default, the Session Viewer interface is divided into the following areas:
• Session Player pane: Allows viewing screenshots made on the computer with the Windows Client installed, or graphic representation of the recorded Linux terminal (input and output as the user sees them in the terminal).
• Metadata pane: Displays the session data in the form of grid, which includes:
  o Activity time, Activity title, Application name, Text data, Alert/USB rule name, and URLs for Windows Clients.
  o Activity time, Command, Function, Parameters, and Alert name for Linux Clients.
• [Windows Client] Details pane: Allows viewing the keystrokes and the clipboard text data associated with the selected record, USB device information, and URL addresses of websites visited by a user.

Session Player

The Session Player allows viewing screenshots made on the computer with the Windows Client installed, or visually recreated interactive data of the recorded Linux terminal (input and output as the user sees them in the terminal). You can view them separately by selecting the required record from the Metadata grid or play all monitored data in the form of video.

NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client will contain no screenshots.

The navigation section allows you to manage the playback of the video of screenshots or commands. The following actions are available:
• To play/pause the video playback, click Play/Pause.

• To move from one record to another, click To the beginning, To the end, Previous, or Next.
• To define the speed with which monitored data changes in the Player area, click . The available speed options are 1/2/4/8/16 frame(s) per second.
• To open the Player to the full-screen mode, double-click the Player or .
• To return from the full-screen mode, double-click the Player or .
• To view the Live session in the real-time, click .
• To move from one monitor to another in the Client sessions with multiple monitors, click All, 1, 2, etc.
• To download a displayed screenshot, click .
• To receive the link to a certain position in the session, click .
• To view the list of alert events for this session in the Alert viewer, click .
• To block the user, click .
• To perform forensic export, click .

Magnifier

If you need to view data displayed in the Player in detail, use the Magnifying Glass option.

To enlarge the certain part of the played data, do the following:
1. Click the Magnifying Glass .
2. The Magnifier window opens on the right.
3. Move the rectangle across the displayed data.

To turn off the Magnifying Glass, click the Magnifying Glass again.

Getting Data URL

The Get data URL feature allows retrieving the link of the certain position of the session. You can use this URL to:
• Open the Session Viewer for playing the required session from the same position.
• Bookmark certain position in the session using the browser bookmarking mechanism.

To get data URL, do the following:

1. Click on the Navigation pane under the Player.
2. The URL Data window opens.
3. Copy the URL and click Close.
4. Enter the copied URL into the browser address bar.
5. The Session Viewer opens.
NOTE: If you are logged out, the login page opens before Session Viewer.
6. The Player starts playing records from the selected position in the session.

Metadata Grid

Metadata grid is located to the right of the Player. It contains detailed information on monitored user activity. Information is displayed in the grid with the following columns:

[Windows Client]
• Activity Time: Displays the date and time of the recorded activity.
• Activity Title: Displays the name of the active window that is associated with recorded activity.
• Application Name: Displays the name of the application started on the Client computer.
• URL: Displays the top and second-level domain name of the visited web resource.
• Text Data: Displays the keystrokes typed by the user and the clipboard text data.
• Alert/USB Rule: Displays the name of the triggered alert or USB rule. The colour of an alert highlighting corresponds to the alert risk level.
  o The alerts with the critical risk level will be highlighted in red colour.
  o The alerts with the high risk level will be highlighted in yellow colour.
  o The alerts with the normal risk level will be highlighted in blue colour.

[macOS Client]
• Activity Time: Displays the date and time of the recorded activity.
• Activity Title: Displays the name of the active window that is associated with recorded activity.
• Application Name: Displays the name of the application started on the Client computer.
• URL: Displays the top and second-level domain name of the visited web resource.
• Alert: Displays the name of the triggered alert. The colour of an alert highlighting corresponds to the alert risk level.
  o The alerts with the critical risk level will be highlighted in red colour.
  o The alerts with the high risk level will be highlighted in yellow colour.
  o The alerts with the normal risk level will be highlighted in blue colour.

[Linux Client]
• Activity Time: Displays the date and time when the command was executed.

• Command: Displays the command being executed.
• Function: Displays the system call made.
• Parameters: Displays the full parameters of the executed command.
• Alert: Displays the name of the triggered alert. The colour of an alert highlighting corresponds to the alert risk level.
  o The alerts with the critical risk level will be highlighted in red colour.
  o The alerts with the high risk level will be highlighted in yellow colour.
  o The alerts with the normal risk level will be highlighted in blue colour.
You can change the order and size of the columns. By default, the data is sorted by Activity Time.

Player and Metadata Synchronization
The Session Viewer can work in two modes:
• In the Synced View mode, data in the Metadata grid and Player are synchronized while session playing, i.e., metadata associated with the data being currently played is highlighted in the Metadata grid. This mode is available unless any filtering and searching is performed in the Metadata grid.
• In the Filtered View mode, data in the Metadata grid and Player are not synchronized while session playing. In this mode, the Player displays all data in the session, whereas data in the Metadata grid is being filtered and searched.
After selecting the session in the Client Sessions list without previous searching, the Player opens in the Synced View mode. As soon as you perform any filtering or searching, the Synced View mode is automatically changed to the Filtered View mode. To switch the modes, click Back to Synced View/Back to Filtered View above the Metadata grid.

Filtering Data
You can filter the metadata in the Metadata grid on the Player page in one of the following ways:
• Via searching
• Via filtering by column
After data filtering, the Session Player switches to the Filtered View mode.

Filtering via searching
The Search field allows you to find metadata containing search expression in:
• Activity title
• Application Name
• Keystrokes
• Clipboard text data

• USB Device Info
• URL
• Linux Command
• Linux Command Parameters
• Linux Functions
To find the required metadata, enter the keyword into the Search field and press Enter. Data in the Metadata grid is filtered according to the search expressions.

Filtering by Column
You can filter sessions using the column header menu in the Sessions grid. You can filter data by multiple fields.
To filter sessions by the not date field (Client name, User name, OS, etc.), click near the required column name, select one or several options, and then click OK.
To filter sessions by the date field (Start, Last Activity, or Finish), click near the required column name, select the From and To dates, and then click OK.

Sorting Data
To sort metadata in the Metadata grid, click the required column header. You can change column sort order from ascending to descending, and vice versa. To do this, click the Sort arrow next to the column header. If the data is not sorted in this column, the Sort arrow is hidden.

Live Sessions
The Session Viewer allows you to view Client Live sessions in the real time, i.e., while the monitoring of the Client computer is still in progress.
To play a live session, do the following:
1. Click on the session with the type Live in the Client Sessions grid. The Session Player opens in the full screen mode. The Metadata grid is hidden. Data in the Player will be refreshed as soon as a new monitored data is received from the Client.
2. To stop playing the Live session, click . After this, data stops auto-updating and the session can be played in the same way as Finished sessions.
3. To resume playing the Live session, click .

NOTE: If you are viewing the session of the Windows Client with the enabled Capture screen on each event without timeout option, it may affect CPU usage and cause performance slowdown due to the great number of received screenshots.

Windows Client Sessions
Playing Windows Sessions
A user starts playing Windows Session by clicking the required Session in the Client Sessions list. The session is opened in the new tab or new window depending on the browser settings.
While playing Windows sessions, you can view screenshots in the Player pane and associated metadata (Application name, Activity title, URL, keystrokes, clipboard text data) in the Metadata grid. When you select a record in the Metadata grid, the detailed information is displayed in the Details pane.

Viewing Keystrokes
The captured keystrokes are displayed in the Text data column in the Metadata grid. If a record containing keystrokes or clipboard text data is selected in the Metadata grid, the keystrokes associated with it are displayed in the Details pane below the Player pane.
By default, only text characters are displayed. You can enable displaying all keystrokes logged (e.g., navigation keys, functions keys, etc.) by clearing the Show only text characters option. Then any other keys and key combinations will be displayed in square brackets. If a key was pressed repeatedly, it will be displayed with an "x" sign and the number of reiterations (e.g., [F12 x 24]).
If the user types the text, using arrows (left/right) and Backspace or Delete keys, these keys are processed by the system to edit the logged keystrokes. When the keystrokes are edited, only the end result of text that was meant to be typed by the user is displayed in the Details pane. To see this result, the Show only text characters option must be selected.
For example: If the user types “Helo” and then uses the left arrow to go back and correct the word by typing another “l”, the word “Hello” will be displayed in the Details pane as “Helol”.
Presentation of keystrokes with the selected Show only text characters option.
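The two keystroke presentations described above can be modelled as two renderings of one key-event log. The sketch below is an added example, not Ekran System code: the event names ("Left", "Backspace", "F12", ...), the list-of-strings log format and the bracket form for a single key press are assumptions made for illustration.

```python
# Added illustration: render one logged key-event stream in two ways.
# Assumption: a text character is logged as a one-character string and every
# other key as its name ("Left", "Right", "Backspace", "Delete", "Enter", "F12").

LEFT, RIGHT = "Left", "Right"
BACKSPACE, DELETE, ENTER = "Backspace", "Delete", "Enter"


def is_text(event):
    """A one-character event is a text character; anything else is a named key."""
    return len(event) == 1


def render_text_only(events):
    """Replay the editing keys and return the text the user ended up with.

    Models the 'Show only text characters' view: arrows, Backspace and Delete
    edit the buffer, Enter closes the current row, other named keys are
    dropped. Cursor moves made with the mouse are not key events, so they
    cannot be replayed and the characters stay in typing order.
    """
    rows, buf, cursor = [], [], 0
    for ev in events:
        if is_text(ev):
            buf.insert(cursor, ev)
            cursor += 1
        elif ev == LEFT:
            cursor = max(0, cursor - 1)
        elif ev == RIGHT:
            cursor = min(len(buf), cursor + 1)
        elif ev == BACKSPACE:
            if cursor > 0:
                cursor -= 1
                del buf[cursor]
        elif ev == DELETE:
            if cursor < len(buf):
                del buf[cursor]
        elif ev == ENTER:
            if buf:
                rows.append("".join(buf))
            buf, cursor = [], 0
    if buf:
        rows.append("".join(buf))
    return rows


def render_all_keys(events):
    """Render every logged key without editing anything.

    Text characters are kept as typed; each named key is shown in square
    brackets, and a run of the same named key is collapsed to '[Key x N]'.
    """
    out, i = [], 0
    while i < len(events):
        ev = events[i]
        if is_text(ev):
            out.append(ev)
            i += 1
            continue
        run = 1
        while i + run < len(events) and events[i + run] == ev:
            run += 1
        out.append(f"[{ev}]" if run == 1 else f"[{ev} x {run}]")
        i += run
    return "".join(out)


# Constructed sample log: "Helo", one press of the left arrow, then "l".
SAMPLE = list("Helo") + [LEFT, "l"]

if __name__ == "__main__":
    print(render_text_only(SAMPLE))        # edited end result, one row
    print(render_all_keys(SAMPLE))         # typing order with the arrow shown
    print(render_all_keys(["F12"] * 24))   # repeated key collapsed
```
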

Presentation of keystrokes with the unselected Show only text characters option.

If the user corrects the word using a mouse, the keystrokes are not edited.
For example: If the user types “Fried” and then uses the mouse to go back and correct the word by typing letter “n”, the word “Friedn” will be displayed in the Details pane, instead of “Friend”.
If the user types the text in different applications, the logged keystrokes are split according to screenshots. Though to maintain text integrity, the keystroke lines having the same Title-Application pair will be put together.
For example: If the user types “Hello” in Skype and then opens Word and types “Ok”, the word “Hello” will be displayed next to the screenshot associated with Skype, and the word “Ok” will be displayed next to the screenshot associated with Word, instead of “HelloOk”, in the keystrokes box.
NOTE: If the Enter key was pressed during input, the log will be split in the metadata grid.
For security reasons, Ekran System is hiding the keystrokes entered in the password fields in Windows forms and most popular browsers. The passwords entered by the user are displayed in the Metadata grid as asterisks.

Viewing Clipboard Text Data
The captured clipboard text data includes text, which has been copied or cut and then pasted into documents, files, applications, browser address line, etc., on the Client computers. The Client monitors the Copy, Cut, and Paste operations performed by using either the context menu commands or such key combinations as Ctrl+C, Ctrl+X, Ctrl+Ins, Shift+Del, etc.
The captured clipboard text data is displayed in the Text data column in the Metadata grid. It has a label specific to the performed operation:
• [Clipboard (Copy)]
• [Clipboard (Paste)]

When you select a record in the Metadata grid, the clipboard text data associated with it is displayed in the Details pane below the Player pane.
[Figure: Metadata grid, with callouts "Text placed to the clipboard" and "Text pasted from the clipboard"]

Viewing USB Device Info
During the monitoring process, the activity is recorded every time the mass storage USB device is plugged in. Along with the screenshot (if the screenshot creation is enabled), the information on the plugged in device is displayed in the Metadata grid as follows:
• Activity title: USBStorage .<device details>
• Application name: [Monitoring event]

If you are using rules for kernel-level USB monitoring according to which the devices are detected or blocked, each time the alert event occurs, a screenshot is created. In the Metadata grid, this is indicated by highlighting the activity in the grid. If the device was blocked, it is marked as BLOCKED in the parentheses.
When you select a USB-device-related screenshot or a row in the Metadata grid, the USB device info associated with it is displayed in the Details pane below the Player pane.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client will contain no screenshots.

Viewing URLs
If the URL monitoring option is enabled for the Windows Client, then each time the user activity is captured while the user is working in the browser, the URL address is saved and displayed in the URL column in the Metadata grid. If there are several records made while the user is viewing one page on a certain website, then all of them contain the same URL information.
The URL column contains only top and second-level domain names even if the parameter is not selected in the URL monitoring settings for the Windows Client. The full URL address is displayed in the Details pane.
NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there is a possibility that the screenshot and its activity title along with URL address may be not properly synchronized in the Session Viewer (e.g., the user may see a screenshot with a URL address that belongs to the previous one).
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client will contain no screenshots.

Viewing Idle State
Windows Client idle activity will be registered and displayed as Idle in the Metadata grid if the appropriate options in the Monitoring parameters are selected.

macOS Client Sessions
Playing macOS Sessions
A user starts playing macOS Session by clicking the required Session in the Client Sessions list. The session is opened in the new tab or new window depending on the browser settings.
While playing macOS sessions, you can view screenshots in the Player pane and associated metadata (Application name, Activity title, URL, etc.) in the Metadata grid.

Viewing URLs
If the URL monitoring option is enabled for the macOS Client, then each time the user activity is captured while the user is working in the browser, the URL address is saved and displayed in the URL column in the Metadata grid. If there are several records made while the user is viewing one page on a certain website, then all of them contain the same URL information.
The URL column contains only top and second-level domain names even if the parameter is not selected in the URL monitoring settings for the Windows Client. The full URL address is displayed in the Details pane.
NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there is a possibility that the screenshot and its activity title along with URL address may be not properly synchronized in the Session Viewer (e.g., the user may see a screenshot with a URL address that belongs to the previous one).

Linux Client Sessions
Playing Linux Sessions
A user starts playing Linux Session by clicking on the required session in the Client Sessions list. The session is opened in the new tab or new window depending on your browser settings.
While playing Linux sessions, you can view all visually recreated interactive data in a form of a video in the Player pane and function and system calls, as well as the executed commands with parameters in the metadata grid.

Filtering EXEC Commands
By default, the commands are filtered by ‘exec’ function to display only the command executed after user input. To display the list of all commands, including system ones, discard the filtering by clearing the Show only execution commands option.

Viewing Alerts
About
The Alert viewer is a part of the Management Tool which allows viewing detailed information on alert events.
You can open the Alert Viewer from the following places:
• The Alert Management page: The Alert viewer displays the latest 100 events for the selected alert.
• The list of Client sessions: The Alert viewer displays all alert events for the selected session.
• The Session Player: The Alert viewer displays all alert events for the session.
• The Recent Alerts dashboard: The Alert viewer displays all alert events that happened within the defined time interval for the selected alert.

Alert Viewer Interface
The Alert viewer displays the following information for each alert notification:
• Alert Risk Level: The colour of the alert icon in the upper left corner of the Alert Viewer corresponds to the alert risk level.
  o The alerts with the critical risk level will be highlighted in red colour.
  o The alerts with the high risk level will be highlighted in yellow colour.
  o The alerts with the normal risk level will be highlighted in blue colour.
• Alert name: The name of the alert that has triggered the event.
• Metadata information:
  o Who: The name of the user associated with the alert event.
  o Where: The name of the Client for which the alert was triggered.
  o When: The time and date of the alert event.
  o What:
    ▪ For Windows Clients: The activity title, the application name, and the URL (if available)
    ▪ For Linux Clients: The command name and the parameters
    ▪ For USB events: The device class, the status (detected/blocked), and the device details.
• Alert viewing pane: A screenshot made on the computer with the Windows Client installed, or graphic representation of the recorded Linux data (input and output as the user sees them in the terminal).

Using Alert Viewer
You can do the following in the Alert Viewer:
• To display/hide the metadata associated with the alert event, click below the metadata information.
• To move between the alert events, use the Previous, Next, First, and Last buttons.
• To view the Alert events for the Windows Clients, select Windows Events tab.
• To view the Alert events for the Linux Clients, select Linux Events tab.
• To open the session in the Session Player, click Open Session. The Session Player opens in a new tab. The session playback starts with the selected alert event.
• To enlarge a certain part of the played data, click the Magnifying Glass . The Magnifier window opens on the right. Move the rectangle across the displayed data.

Archived Sessions
About
During the archiving & cleanup operation all the old Client sessions are archived and then deleted from the current Ekran database. This allows saving the monitored data in a secure storage and viewing the archived sessions in the Session Viewer any time.

Viewing Archived Sessions
To play an archived session, do the following:
1. Log in to the Management Tool as a user with the administrative Viewing archived data permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archived Sessions tab.
4. On the Archived Sessions tab, a list of sessions of an archive database is displayed.
5. Click on the target session to open it in the Session Viewer.
6. Work with sessions from the archive databases is the same way as with Client Sessions.

Changing Investigated Database
To change the archive database, do the following:
1. Log in to the Management Tool as a user with the administrative Viewing archived data permission.
2. Click the Database Management navigation link to the left.
3. On the Database Management page, select the Archived Sessions tab.
4. On the Archived Sessions tab, click Change Investigated Database.
5. In the Change Investigated Database window, select the Use current archive database option if you want to view sessions from the current database or the Use another database option if you want to view sessions from another archive database.
6. Define the following parameters:
  • For MS SQL database, define the instance of the SQL server, the name of the archive database, and the user name and password.
  • For Firebird database, define the location of the archive database and the location of binary data.
  NOTE: You can attach the archive database only of the same type as your current one.
7. If necessary, click Test Database Connection to check that there is a connection with the archive database.
8. Click Save.

Dashboards
About
Ekran System allows viewing certain types of information using dashboards displayed on the Home page. Dashboards provide you with convenient real-time view of the most important data.
The following dashboards are available:
• Licenses
• Clients
• Database Storage Usage
• Recent Alerts
• Latest Live Sessions
• Sessions out of Work Hours
• Rarely Used Computers
• Rarely Used Logins
With the dashboards, you can see several types of data grouped in one place.
The dashboards are customizable, with the customization settings stored on the Server. Thus, if you log into the Management Tool from any other computer, your dashboards will look the same way as you have previously customized them. You can choose which dashboards to show or hide, rearrange the dashboards on the screen, add several dashboards of the same type to see the same data in different variations, and more.

Dashboard Types
Licenses
The Licenses dashboard allows you to view statistics on the number of available licenses, free licenses, and unlicensed computers. The dashboard is updated every 5 minutes.
The dashboard contains the following elements:

• Pie charts, where you can see the number of licenses assigned to Clients, and the number of free licenses. The number of pie charts depends on the number of available license types.
• The number of not licensed Clients.
• The Assign Licenses to Clients button that redirects you to the License Management page where you can assign licenses to Clients.
You can define the following settings for the Licenses dashboard:
• Used Licenses sector colour.
• Free Licenses sector colour.
To view the dashboard, you need to have the administrative Serial Key Management permission. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Clients
The Clients dashboard allows you to view statistics on the number of Clients which are currently online and offline. The dashboard is updated every minute.
The Clients dashboard contains the following elements:
• A pie chart that presents statistics on the number of Clients which are currently online and offline.
• The Install More Clients button that redirects you to the Computers without Clients page where you can install Clients on the computers.
You can define the following settings for the Clients dashboard:
• Online Clients sector colour.
• Offline Clients sector colour.

To view the dashboard, you need to have one of the following permissions:
• The administrative Client Installation and Management permission. With this permission, you can see information on all the clients in the system.
• At least one of the Client permissions. In this case, you will see only the Clients for which you have the Client permission(s).
If you do not have the administrative Client Installation and Management permission or any Client permissions, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Database Usage Storage
The Database Usage Storage dashboard allows you to view statistics on the disk space used by the binary data. By default, your binary files are stored in the same place as the database. However, you can store them in a separate location.
The Database Storage Usage dashboard contains the following elements:
• A pie chart that displays statistics on how much space is used and free on the disk the binary files are stored at.
• The Database Cleanup button that redirects you to the Database Cleanup page.
You can define the following settings for this dashboard:
• Critical free space size: the free size limit at which you are alerted that available space is running low.
• Total storage size sector colour.
• Used storage size sector colour (indicating how much storage space is used).
• Warning storage size sector colour (indicating that the free space size has fallen below the critical free space size threshold).
To view the dashboard, you need to have the administrative Database Management permission. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Recent Alerts
The Recent Alerts dashboard contains a bar chart that presents information on alerts triggered within a specific time period. The dashboard is updated every 15 minutes.
Each bar in the graph corresponds to an enabled alert. The length of each bar corresponds to the number of notifications received within a specific time interval. The colour of each bar corresponds to the alert risk level.
• The alerts with the critical risk level are highlighted in red colour.
• The alerts with the high risk level are highlighted in yellow colour.
• The alerts with the normal risk level are highlighted in blue colour.
To see the list of alert events, click on the bar with the alert name. In the opened window, the following information is displayed:
• Time
• Client name
• User name
To open a corresponding session in the Session Viewer, click Play. To view the alert events in the Alert Viewer, click Open Alert Viewer.
You can define the following settings for the Recent Alerts dashboard:
• Time interval: the period for which the alerts are selected.

• Sort type: the category by which the alerts are sorted:
  o Count: allows sorting the alerts by amount of alert notifications.
  o Alphabetic: allows sorting by the alert name.
• Sort direction: the order in which the alerts are listed.
• Critical risk level: the colour of the bars for the alerts with the Critical risk level.
• High risk level: the colour of the bars for the alerts with the High risk level.
• Normal risk level: the colour of the bars for the alerts with the Normal risk level.
Only information about the Clients the user has Client Viewing Monitoring Results permission for is displayed in the dashboard. If you do not have this permission for any of the Clients, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Latest Live Sessions
The Latest Live Sessions dashboard contains a grid that displays the list of the sessions which are currently live and were the latest to start. The dashboard is updated every 5 minutes.
The grid has the following columns:
• Start
• Client name
• User name
To open the session in the Session Viewer, click Play.
In the settings, you can define the number of sessions to be displayed in the list.
Only information about the Clients the user has Client Viewing Monitoring Results permission for is displayed in the dashboard. If you do not have this permission for any of the Clients, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Sessions out of Work Hours
The Sessions out of Work Hours dashboard contains a column chart that displays the statistics on the computers used during non-work hours and days for a defined time period. The dashboard is updated every hour.

Each column corresponds to the day with the sessions out of work hours. The height of the columns corresponds to the number of sessions recorded on the date.
To see the number of sessions recorded on a specific date, hover over the corresponding column. To see the list of sessions recorded on a specific date, click the corresponding column. In the opened window, the following information is displayed:
• Client Name
• User Name
• Start
• Last Activity
• Finish
To see the session in the Session Viewer, click Play.
You can define the following settings for the Sessions out of Work Hours dashboard:
• Period: set the specific time period for which the alerts are selected.
• Work hours & Work days: set the hours and days of the week to be considered as a working schedule. Only the sessions with the activities out of the defined schedule are displayed in the dashboard.
• Colour: set the specific colour for the columns.
To view the dashboard, you need to have the administrative Client Installation and Management permission. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Rarely Used Computers
The Rarely Used Computers dashboard contains a grid with statistics on the Client computers that have the fewest sessions for the defined time interval. The dashboard is updated every hour.

The grid has the following columns:
• Client Name
• Sessions
To view detailed information on the sessions, click the target Client Name link. In the opened window, the following information is displayed:
• User Name
• Start
• Last Activity
• Finish
To open a session in the Session Viewer, click Play.
You can define the following settings for the Rarely Used Computers dashboard:
• Period: the period for which the sessions are selected.
• Sessions fewer than: the number of sessions the computer must have not to be considered rarely used.
Only information about the Clients the user has Client Viewing Monitoring Results permission for is displayed in the dashboard. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Rarely Used Logins
The Rarely Used Logins dashboard contains a grid with statistics on the users that have the fewest logins for the defined time interval. If Forced User Authentication is enabled, the <logged in Windows user> (<secondary authentication user>) pair is accounted for. The dashboard is updated every hour.
The grid has the following columns:
• User Name
• Sessions

To view detailed information on the sessions, click the target Client Name link. In the opened window, the following information is displayed:
• Client Name
• Start
• Last Activity
• Finish
To open a session in the Session Viewer, click Play.
You can define the following settings for the Rarely Used Computers dashboard:
• Period: the period for which the sessions are selected.
• Sessions fewer than: the number of sessions the user must have not to be considered rarely logging in.
Only information about the Clients the user has Client Viewing Monitoring Results permission for is displayed in the dashboard. If you do not have this permission, you will see an empty dashboard with the text saying you do not have the permissions for viewing this data. Also, the dashboard will not be displayed in the Add dashboard drop-down list.

Customizing Dashboards
The dashboard layout is customizable. You can choose which dashboards you want to see on the Home page. The following options are available:
• Add a dashboard. Click Add dashboard over the dashboard area and then select the desired dashboard from the drop-down list. You can add several dashboards of the same type to view the desired information in different variations. You can have up to eight dashboards on the Home page.
• Hide a dashboard. Click the icon in the top right corner to hide the dashboard.
You can also choose what your dashboards will look like. The following options are available:
• Rearrange the dashboards. Click on the dashboard you want to move and drag it to a new location.
• Resize a dashboard. Click on one of the bottom corners of the dashboard and drag the border of the dashboard.
• Collapse/expand a dashboard. Use the and icons in the top left corner of the dashboard to collapse or expand it.
• Define the settings for a dashboard. Click the icon in the top right corner of the dashboard to change its settings.
The customization settings are user-specific and are stored on the Server. To restore the default settings, click Restore Layout over the dashboard area.

Interactive Monitoring
About
Interactive Monitoring allows viewing the detailed information on the total time spent by the user in each application/on each website. Only information on the Clients the user has Client Viewing Monitoring Results permission for is displayed.

Viewing Data
The information on all applications and URL monitored data is displayed in the form of two column charts (Applications Monitoring chart and URL Monitoring chart). The number of columns corresponds to the number of applications used and websites visited.
To view the monitored data, do the following:
1. Define the specific parameters to filter out the data:
  • Who: filter by a specific user logged into the Client computer.
  • Where: filter by a specific Client.
  • When: filter by the time period. To set the time period, select one of the following:
    o Define the number of latest days or weeks. If you define 1 day, sessions recorded during the current day will be displayed.
    o Define the start date and the end date of the time period.
2. Click Generate.
3. The filtered out monitored data is displayed in both charts.
To zoom in and out of the Application Monitoring and URL Monitoring charts, use mouse scroll.

Applications Monitoring Chart
The Applications Monitoring chart displays information on the applications the users have worked with on Client computers. Each column in the chart corresponds to an application. The length of a column corresponds to the amount of time spent in that application within a specified time interval. The total time spent by the user in all applications is displayed in the top right corner of the chart.
To set the order of application bars being displayed, in the Applications filter select one of the following:
• 20 most used: 20 most used applications sorted in the descending order.
• 20 least used: 20 least used applications sorted in the ascending order.
• All (ascending): all bars in the ascending order.
• All (descending): all bars in the descending order.

To see the list of sessions containing information on the target application, click on the column with the application name. In the opened window, the following information is displayed:
• Client Name: the name of the Client computer on which the target application was launched.
• User Name: the name of the user logged in to the Client computer.
  NOTE: If Forced User Authentication is enabled on the Client computer, the user name is displayed as: <logged in Windows user> (<secondary authentication user>).
• Start: the start time of a session.
• Last Activity: the date and time of the last made screenshot or executed Linux command.
• Finish: the date and time when the session finished.
To open a corresponding session in the Session Viewer, click Play.

URL Monitoring Chart
The URL Monitoring chart displays information on the websites users have visited on Client computers. Each column in the chart corresponds to a website. The height of a column corresponds to the amount of time spent on that website within a specified time interval. The total time spent on all websites is displayed in the top right corner of the chart.
To set the order of URL bars being displayed, in the URLs filter select one of the following:
• 20 most visited: 20 most visited sites sorted in the descending order.
• 20 least visited: 20 least visited sites sorted in the ascending order.
• All (ascending): all bars in the ascending order.
• All (descending): all bars in the descending order.
To see the list of sessions containing information on the target website, click on the column with the website name. In the opened window, the following information is displayed:
• Client Name: the name of the Client computer on which the target application was launched.
• User Name: the name of the user logged in to the Client computer.
  NOTE: If Forced User Authentication is enabled on the Client computer, the user name is displayed as: <logged in Windows user> (<secondary authentication user>).
• Start: the start time of a session.
• Last Activity: the date and time of the last made screenshot or executed Linux command.
• Finish: the date and time when the session finished.
To open a corresponding session in the Session Viewer, click Play.

Forensic Export

About
Forensic Export allows exporting the session in the encrypted form for viewing monitored session on any computer, even without access to the Management Tool. The session is exported into the signed executable file, which contains the embedded player for displaying graphical information and metadata. The validity of forensic export results can be checked via the Management Tool. The results of export are stored on the Server until you delete them.

Exporting Full Session
To export the session, do the following:
1. Open the Session Viewer page for the selected session.
2. Click Session Forensic Export under the Player.
3. The Session Forensic Export window opens.
4. Select the Export full session option and the Include keystrokes option if necessary.
5. Click Export.
6. The Forensic Export History page opens, displaying export progress.
7. As soon as export process finishes, the resulting file becomes available for downloading.
8. Click Download to download the file with Forensic Export results.

Exporting Session Fragment
To export the session fragment, do the following:
1. On the Session Viewer page for the selected session, in the Player, select the start point of the session fragment.
2. Click Session Forensic Export under the Player. The Session Forensic Export window opens.
3. Select the Export session fragment starting from current Player position option and enter the start and end time of the required fragment. Select the Include keystrokes option if necessary.
4. Click Export.

5. The Forensic Export History page opens, displaying export progress.
6. As soon as export process finishes, the resulting file becomes available for downloading.
7. Click Download to download the file with Forensic Export results.

Exporting Multiple Sessions
To export multiple sessions, do the following:
1. Log in to the Management Tool as a user with the Viewing monitoring results permission.
2. Click the Monitoring Results navigation link to the left.
3. On the Client Sessions page, filter sessions by necessary criteria.
4. Click the Export button in the search pane.
5. In the opened message, click Export to continue. All exported sessions include keystrokes.
6. The Forensic Export History page opens, displaying export progress.
7. As soon as export process finishes, the resulting files become available for downloading.
8. Click Download for each exported session to download the Forensic Export results.
NOTE: Forensic export of a large number of sessions might take much time and affect the Server performance.

Viewing Forensic Export History
The Forensic Export History page displays the grid with all results of export for Clients you have permissions for. You can see exports performed both by you and other users.
The Forensic Export History grid contains the following information:
• Export Date: Displays the date and time when the session was exported.
• Export Type: Displays the export type, which can be one of the following:
  o Full: For the full exported session.
  o Full (no keystrokes): For the full exported session without keystrokes.
  o Truncated Full: For the exported session that has more than 20000 activities and while exporting has been truncated to 1 GB.
  o From – To: For the time interval included in the exported session.
• Client Name: Displays the name of the computer on which the Client is installed.
• User: Displays the name of the user logged in to the Client computer.
• Session Start Date: Displays the date and time when the session started.
• Session End Date: Displays the date and the time when the session finished.
• Status: Displays the status of session export (Generated or Generation failed).
• Full Size: Displays the size of the resulting file (n/a for failed session exporting).
To download the exported session, click Download in the Forensic Export History grid.
To delete the exported session from Server, click Delete in the Forensic Export History grid.

Playing Exported Session
To view exported data, download it and start the downloaded executable file. Sessions are played in the Forensic Export Player.
NOTE: To view exported data on computers with Linux or Mac operating system, you need to install Mono Framework on them. Follow the instructions at http://www.mono-project.com/docs/ to install Mono Framework on your computer.
The Forensic Export Player interface is divided into the following parts:
• Player pane: Allows viewing screenshots made from the computer on which the Windows Client is installed, or visually recreated interactive data of the recorded Linux terminal (input and output as the user sees them in the terminal). The navigation section allows you to manage the playback of the video of screenshots or commands.
NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client will contain no screenshots.
• Metadata pane: Displays the session data in the form of grid, which includes:
  o Activity time, Activity title, Application name, Text data, and URLs for Windows Clients.
  o Activity time, Function, Command, and Parameters for Linux Clients.
• [Windows Client] Details pane: Allows you to view the text data (keystrokes and clipboard text data) associated with the selected event, USB device information, and URL addresses of websites visited by a user.
NOTE: If the user performing export does not have the Viewing text data permission for this Client, Forensic Export results will contain no text data.
You can do one of the following while viewing:
• To play/pause the video, click Play/Pause in the Player pane.

• To move from one record to another, use the control buttons in the Player pane.
• To define the speed with which monitored data will change in the Player pane, click . The available speed options are 1/2/4/8/16 frame(s) per second.
• To open the monitored data to the full-screen mode, double-click the monitored data in the Player pane or .
• To enlarge a certain part of the played data, click the Magnifying Glass.
• To move from one monitor to another in the Client session with multiple monitors, click All, 1, 2, etc.

Validating Exported Data
Using Management Tool, you can check that exported data is valid and its integrity has not been altered. Please note that data validity must be checked only in the Management Tool connected to the Server via which data has been exported. Any other Server will consider data not valid.
To validate exported data, do the following:
1. Click the Forensic Export History navigation link to the left and then click Validate Export Results.
2. On the Forensic Export Results validation page, click Choose File to select the .exe file with forensic export results.
3. The file is uploaded to the Server and validated.
4. If file validity is confirmed, you will see a message: “The file is validated successfully!”

Troubleshooting

Quick Access to Log Files
Log files contain information that might be useful for administrator for detecting problems in the system if any. You can either analyse the log files yourself to get more information on what is happening in your system or send them to the Support team to help them in detecting the source of problems in your system.
To download the Server log file, login as the user with the Database Management permission, click the Diagnostics navigation link to the left and then click Download Server log file. The log file will be downloaded to your computer.
To download the Management Tool log file, login as the user with the Database Management permission, click the Diagnostics navigation link to the left and then click Download Management Tool log file. The log file will be downloaded to your computer.
In case the log files contain the information on some errors, the warning message will be displayed on the Diagnostics page.
NOTE: On the Server computer, the Server log (Server.log) is stored in the Server installation folder. The default location of the Server installation folder is C:\Program Files\Ekran System\Ekran System.

Database/Server

Database/Server Related Issues

Issue: I cannot start the Server from the Server tray.
Cause/Solution: To start the Server, the Server tray service must be started under the administrator account.

Issue: There are too many records in the database.
Cause/Solution: Use the automatic or manual database cleanup feature to remove the old records from the database. To do this, in the Management Tool, click the Database Management navigation link and define the cleanup settings on the corresponding tabs.

Issue: I need to transfer the data from an old database to a new one/I want to change the type of the database without losing data.
Cause/Solution: Unfortunately, the data cannot be transferred from one database to another.

Issue: I have defined a new database, what happened to the old one?
Cause/Solution: The old database remains in place and is not changed.

I have installed a new version of the If you have updated the Server. you need to reinstall the Server. Message Cause/Solution If you get the following message in the  The Server has lost the connection to Management Tool: "Connection with the MS SQL Server. database. I have used the database cleanup The cleanup feature only removes data from feature. database to another computer. Please make sure MS SQL database is lost. might detect it as a false positive during virus scan. this. but the size of the database the database.Troubleshooting Issue Cause/Solution I have transferred the SQL database to Unfortunately. move it to another location and change the corresponding values in the Windows Registry Editor. I cannot shrink the database: the  Make sure you use the MS SQL Server Shrink database button is absent in the database. from the Server tray service. but does not change the size didn’t change. These messages may appear in the Management Tool. Please check that the MS SQL Server is running 266 . Database/Server Related Error Messages The following table provides the list of error messages related to databases and the Server and their causes and possible solutions. If you have reinstalled database. I have accidentally removed the You need to define a new database. In this case. Though you can move it to another location on the same PC with SQL means. you need to use a new database. To reduce the size of the database. I have changed the location of the To redefine the location of the Firebird Firebird database. See Moving the Server Database chapter for more details. it is recommended to disable your anti-virus during Server uninstallation/update. To do database from the MS SQL Server. click Shrink database on the Database Options tab on the Database Management page of the Management Tool. you can’t relocate the SQL another computer. Management Tool on the Database  The shrinking cannot be performed if Options tab. 
My antivirus blocks the Server Due to the uninstaller specifics some anti-viruses uninstallation/update. the cleanup procedure is in progress. the Server. reserved by it. your old Server and I want to use the old database will remain. or during the installation of the Server.

send us logs (the Server Service file). clear the database. If you get the following message from  The Server has lost the connection to the Server tray service: "The Server the database. If you get the following message when You can restart the Server service only under trying to restart the Server service: the administrator account. To check that the computer is accessible. enter the following command in the Windows command line: ping <name of the computer with installed database> If the problem comes up again.Troubleshooting Message Cause/Solution that the database is accessible and try and it is online and accessible.  There was a problem with connection to the database. Please make sure that connection with the database has the computer on which the database been lost. which you can find in the Server sub-folder of the Ekran System installation folder. Try disabling the Firewall on the MS SQL Server side." is installed is online and accessible. please. Please make sure that the computer on which the database is installed is online and accessible. “Not enough permissions to restart the Server. Click to view logs. Try clearing the Please try again." database again." check that the MS SQL Server computer is accessible.  Make sure the Server service is running. enter the following command in the Windows command line: ping <name of the MS SQL Server computer>  The connection to the MS SQL Server is blocked by the Firewall.” If you get the following error while  The program encountered an trying to clean up the database: "Error unexpected error while trying to occurred while clearing the database. To check that the computer is accessible. enter the following command in the Windows command 267 . To again.

ping <name of the computer with installed database>
If the problem comes up again, please send us logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.

Message: If you get one of the following messages while trying to perform an action with database:
• "An error occurred when shrinking database. Please try again."
• "Error occurred while retrieving database info. Please try again."
Cause/Solution:
• The program encountered an unexpected error while trying to perform an action with database. Please try performing the action again.
• There was a problem with connection to the database. Please make sure that the computer on which the database is installed is online and accessible. To check that the computer is accessible, enter the following command in the Windows command line:
ping <name of the computer with installed database>
If the problem comes up again, please send us logs (the Server Service file), which you can find in the Server sub-folder of the Ekran System installation folder.

Management Tool

Management Tool Related Issues

Issue: HTTP 500 Internal Server error is displayed when I try to connect to the Management Tool.
Cause/Solution: For Windows 7, follow these instructions:
1. Make sure that all the following options are selected in the Windows Features window: Net Framework 3.5> Windows Communication Foundation HTTP Activation and Windows Communication Foundation non-HTTP Activation.
2. Run the Command Prompt (cmd.exe) as administrator: Enter %windir%\Microsoft.NET\Framework\v4.0.xxxxx\aspnet_regiis.exe -iru (for 32 bit computer) or %windir%\Microsoft.NET\Framework64\v4.0.xxxxx\aspnet_regiis.exe -iru (for 64 bit computer).
Example: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
3. Press Enter.
For Windows 8.0 or 8.1, make sure that all the following options are selected in the Windows Features window: Net Framework 3.5> Windows Communication Foundation HTTP Activation and Windows Communication Foundation non-HTTP Activation.

Issue: The license management function is unavailable and I cannot assign licenses to Clients.
Cause/Solution: Make sure you have the administrative Client installation and management permission. If you have this permission, but the license management function is still unavailable, then your copy of the program is not licensed. Please purchase serial keys and activate them online or activate them on your vendor’s license site and add them offline.

Issue: I have no Internet connection on the computer with the installed Server and cannot activate serial keys.
Cause/Solution: You can activate the serial on the license site of your vendor and then add activated keys on the computer with the installed Server.

Issue: I have reinstalled/updated the Server and now there are no activated serial keys in it.
Cause/Solution:
• If you activated serial keys online, after you reinstall or update the Server, activated serial keys will be automatically synchronized. For this purpose, you need to have an active Internet connection during the first start of the Server.
• If you used an offline activation (added activated serial keys), you need to add them in the Management Tool again.

Issue: The list of the domain computers is empty during the Client installation.
Cause/Solution: This problem can be caused by network or Windows issues (e.g., your computer cannot connect to the local network). If there are no network problems, try searching for computers via the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page click Add computers by IP.

Issue: The list of the domain computers is not complete during the Client installation.
Cause/Solution: Ekran System obtains the list of domain computers using standard Windows methods, which do not always provide the full list of computers.

Issue: The target computer is out of the domain.
Cause/Solution: If DNS settings of your computer network allow, you can:
• Search for computers using the Add computers by IP option. To install Clients in such a way, on the Computers without Clients page, click Add computers by IP.
• Create an installation package and install a Client locally on the target computer. To generate an installation package, on the Computers without Clients page, click Download installation file and then select the type of the installation file you want to download. When the installation file is downloaded to your computer, you can start the installation process.

Issue: There are some Clients that I did not install.
Cause/Solution: These may be old Clients that were installed earlier. You can uninstall them remotely via the Management Tool or locally on the Client computer.

Issue: I have assigned a Terminal Server Client license instead of a Workstation Client license to the Client or I have assigned a license to the wrong Client.
Cause/Solution: Any license can be unassigned from a Client anytime.

Issue: I do not want to provide the user with access to all Clients.
Cause/Solution: By defining the Client permissions for the user in the Management Tool, you can define which Clients the user will have the access to.

Issue: Some of the Management Tool functions are unavailable.
Cause/Solution: Make sure that you have the corresponding permissions for these functions.

Issue: I forgot the password of the internal user.
Cause/Solution: Contact the administrator and ask them to change the password.

Issue: I do not receive email notifications, although the parameters are correct.
Cause/Solution: Make sure you do not use Microsoft Exchange Server 2010, which is not supported.

Issue: The user is able to perform actions that are supposed to be prohibited for them (e.g., the user sees the Clients that they do not have a permission for).
Cause/Solution: Check the groups which the user belongs to. They might have inherited some new permissions from these groups.

Issue: I haven’t received any reports or alert notifications by email.
Cause/Solution: Check the Spam folder.

Management Tool Error Messages
The following table provides the list of error messages that you may see while working in the Management Tool and their causes and possible solutions.

Message: If you get the following message when trying to connect to the Management Tool: “Server is unavailable. Please contact administrator.”
Cause/Solution: The program encountered an unexpected error while trying to perform an action.
• Please make sure that the Server is running.
• Please refresh the Management Tool.
• Please restart the Server and try again. If the problem comes up again, please contact the support.

Message: If you get the following message when trying to connect to the Management Tool: “Wrong password or user name.”
Cause/Solution: Please make sure that your login and the password are correct. If you are logging in as a Windows user, do not forget to enter <domain name>\<login>.

Viewing Monitored Data

Issue: I have successfully logged into the Management Tool but I cannot see any captured data from the Client.
Cause/Solution:
• Please check the section “Possible Problems with Receiving Data from Windows Clients”.
• Contact the administrator and check if you have the Viewing monitoring results permission for the Client.

Issue: An alert event does not trigger an alert notification and is not displayed as alert in the Management Tool.
Cause/Solution:
• Please check that the defined alert parameters are correct on the Alert Rules tab on the Edit alert page of the Management Tool (e.g., Process name may be defined instead of Window title). To do this, open the Alert Management page of Management Tool, click Edit alert

for the required alert and select the Alert Rules tab.
• The alert might be disabled. Please make sure the alert is enabled on the Alert properties tab in the Management Tool.

Issue: I don’t receive alert notifications about all the events that correspond to notification settings.
Cause/Solution: Please check the Minimal interval between notifications sent for the same alert event parameter. If less time than defined in the settings has passed since the moment when the last notification for the same alert event had been received, you will not receive the notification.

Issue: Client sessions contain no screenshots at all.
Cause/Solution: Please check that the Enable screenshot creation along with user activity recording option is enabled on the required Client. To do this, open the Client Management page and click Edit Client for the required Client, and then click the User Activity Recording tab.

Issue: The Text data column is empty, although the text was entered on the Client computer.
Cause/Solution:
• Check that you have Viewing text data permission for this Client.
• Please check that you have enabled the keystroke logging in the Client configuration.
• The keystrokes are logged only after the user presses Enter or switches to another window. So they might be attached to another screenshot.

Issue: Some screenshots are blank.
Cause/Solution:
• If a user types something continuously, stops typing, and then switches the window during the 3 seconds period, the keystrokes will be attached to a blank screenshot.
• If a user accesses the Client computer via the Remote Desktop Protocol (RDP) and minimizes the Remote Desktop Connection window, a blank screenshot is created.

Issue: Some screenshots look like they consist of two parts.
Cause/Solution: There are two monitors on the Client computer and you see the screenshots from both of them.

Issue: The Text data column is empty, although the text was copied, cut, and pasted on the Client computer.
Cause/Solution:
• Check that you have Viewing text data permission for this Client.
• Please check that you have enabled the clipboard monitoring in the Client configuration.

Issue: The screenshot time does not correspond to time on my computer.
Cause/Solution: The screenshot time corresponds to the time displayed on the Client computer.

Issue: The screenshot time does not correspond to the time that should be displayed on Client computer.
Cause/Solution: Please check that the Client computer time settings have not been changed.

Issue: The screenshots are sent more frequently than I defined.
Cause/Solution: If in the Client configuration you have enabled options other than Capture screen periodically, the screenshots may be created more frequently depending on the user activity. Please check the Client configuration in the Management Tool.

Issue: The screenshot image is black and white.
Cause/Solution: The Client is configured to capture screen in greyscale images. Check the Client configuration.

Issue: Screenshot image is blurry.
Cause/Solution: The Client computer may have smooth interface animation – the screenshot may have been taken when the animation was in progress.

Windows Client

Checking that the Client Is Installed
If the Client is successfully installed, it will appear on the Clients page of the Management Tool in the Data View pane. If there is no Client in the Management Tool, you have to check whether the Client has been installed. You can check if the Client is installed on the investigated computer in one of the following ways:
• The EkranService.exe process is running.
• The EkranClient and EkranController services are started.
• There is a <system disk>:\Program Files\Ekran System\Ekran System\Client\ folder with executable files.
• The HKEY_LOCAL_MACHINE\SOFTWARE\EkranSystem\Client key has the following values:

Clients Installation/Uninstallation Issues and Error Messages
The common reasons of issues with remote installation or uninstallation of Clients are, as a rule, the inadequate network configuration or system settings.

Remote Installation Error Messages
During remote Client installation you can get the following error messages:
• The user does not have enough permission on the remote host.
• The network name cannot be found.
• Client computer must be rebooted before agent installation.
• The host is unavailable now or turned off. Try again later.

Solving Remote Installation Issues
If you receive the following error message during the remote Client installation: “The User doesn’t have enough permission on the remote host”, please check whether all of the conditions for successful installation are met. If you are sure that a user has administrative rights on the Client computer, such issue may be caused by the following reasons:
• There is no access to network shares.
• DNS service is unavailable.

• UAC is enabled (Windows 7/8/Vista).
• Errors in Active Directory.
• Issues with the Service Principal Name for the domain.
• Two computers have the same computer name.

Issue: There is No Access to Network Shares
For successful remote installation, Ekran System needs to access the administrative shares on the target computers. At first, please check that you have access to administrative shares and if there is no access, enable it.
How to Check: To check the administrative shares availability, do the following:
1. Open Windows Explorer.
2. In the address bar type \\<target_computer_IP/Name>\admin$ and press Enter.
3. When the Enter Network Password window opens, enter administrator credentials and click OK.
4. If the login credentials are accepted, the system folder opens (by default, C:\Windows).
If you get an error after performing step 2, try the following:
• Open the Command Prompt (cmd.exe). Enter and execute the ping <target_computer_name or IP> command. Check the following:
1. If you do not get ping replies, network may be down. Check the network connection and try again.
2. If the network is up, but you do not get the ping reply, check the firewall on the remote computer. Disable the firewall on the target remote computer.
• If you are receiving ping replies, but the administrative share is still unavailable, check that the Sharing Wizard or the Simple file sharing are disabled.

• If you are receiving ping replies and the sharing options are good, but you still cannot access the administrative shares, check that the Server system service is running on the remote computer.
If you get a login error after performing step 3, try the following:
• Make sure that the credentials you enter are correct. You have to enter the credentials of a domain administrator or a local administrator account on the remote computer.
• Try typing the username as <domain_name>\<username> if the remote computer is in a domain, or <computer_name>\<username> if the PC belongs to a workgroup.
• Verify that the account password is not empty. Accounts with empty passwords cannot be used for remote connection.
• Try using the remote computer's IP address if you cannot access it by the name.
How to Fix: To enable access to administrative shares, you need to enable the Local Account Token Filter Policy.
NOTE: This is a known Windows issue that might block remote application installation.
To enable Local Account Token Filter Policy:
1. Open the Windows Registry Editor.
2. In the Registry Editor window, select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
3. If the LocalAccountTokenFilterPolicy registry value does not exist, follow these steps:
   1. In the Windows Registry Editor in the Edit menu, click New, and then click DWORD Value.
   2. Type LocalAccountTokenFilterPolicy and then press ENTER.
   3. In the Value data box, type 1, and then click OK.
   4. Close the Windows Registry Editor.
4. Double-click the LocalAccountTokenFilterPolicy value, or select it and click Modify in the context menu. In the Value data box, type 1, and then click OK.
5. Close the Windows Registry Editor.

Issue: DNS Service is Unavailable
DNS service may be unavailable in your network.
How to check: To check the DNS Service availability, please execute the following command in the Command line (cmd.exe): ping <Computer name>.

If the command does not respond, you have to enable the DNS Service.
How to fix: To enable the DNS Service, please follow the instructions of the Windows Troubleshooting.

Issue: Active Directory Errors
Errors in Active Directory may be caused by the absence of the critical object that represents the trust relationship between the two Active Directory domains.
How to Check: Errors in Active Directory may occur when you have two or more replicated domains, which have a parent/child or tree root trust relationship. In the Windows Server 2003, do the following:
1. Open the Active Directory Users > Computer Tools.
2. Open the System Container.
3. If there is no TDO object (trusted domain object) in the System container, you can use the netdiag.exe tool.
How to Fix: To resolve errors in Active Directory, please reset the trust between parent and child relationships between domain controllers of different domains with netdom.

Issue: UAC is Enabled (Windows 7/8/Vista)
If you access the administrative shares normally on the remote PC running Windows Vista or Windows 7/8, but the Client remote installation fails, try disabling the User Account Control on the remote computer.
How to check: By default, UAC is enabled in Windows 7/8/Vista.
How to fix: To disable UAC, do the following:
1. Open the Windows Registry Editor.
2. Select the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System.
3. Double-click the EnableLUA value, or select it and click Modify in the context menu.
4. In the opened window, in the Value data field, enter 0 and click OK.
5. Close the Windows Registry Editor window and then reboot the Client computer.

Issue: Errors in Service Principal Name for the Domain
Issues with Service Principal Name (SPN) for the domain which is hosting the replica can occur when it has not been propagated to the domain that contains the account which you use when you run the Dcpromo.exe file. This propagation may have been delayed because of replication latencies.
How to Fix: To resolve issues with SPN, do one of the following:
• Login with domain admin of the child domain.
• Wait for replication to complete and use the root admin account.

Issue: Two Computers Have the Same Computer Name
The computer in the child domain has the same name as the computer in the parent domain.
How to Fix: To resolve this issue, rename the computer in the parent domain which has the same name as the computer in the child domain.

If you get a message at the end of the remote Client installation: “The network name cannot be found”, it can be caused by the following reasons:
• There is no access to the remote computer.
• There is no access to Network Shares.

Issue: There is No Access to the Remote Computer
How to Check: Please check that you have access to the remote computer. To do this, enter the following command in the Windows command line:
ping <name of the remote computer>
If you do not receive any response, the access might be blocked by the remote computer Firewall.
How to Fix: Try enabling the Local Account Token Filter Policy on the target computer.

Issue: There is No Access to Network Shares
Please follow the instructions described above.
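The checks from the remote installation issues above (ping, name resolution, the admin$ share, the Server system service, and the two registry values the fixes change) can be collected in one read-only pass. This is an added example, not part of the Ekran System documentation; the function names and the report layout are assumptions, and the script changes no settings.

```powershell
# Added example: read-only pre-flight checks for remote Client installation.
# Function names and output layout are assumptions of this example.

# Run on the Server computer (the machine that performs the remote installation).
function Test-RemoteInstallReachability {
    param([Parameter(Mandatory = $true)][string]$Target)   # computer name or IP

    # "Issue: DNS Service is Unavailable": does the name resolve at all?
    $resolved = $false
    try { $resolved = [bool][System.Net.Dns]::GetHostAddresses($Target) } catch { }

    [pscustomobject]@{
        Target       = $Target
        NameResolves = $resolved
        # Equivalent of: ping <target_computer_name or IP>
        PingReply    = Test-Connection -ComputerName $Target -Count 2 -Quiet
        # Equivalent of opening \\<target_computer_IP/Name>\admin$ with the
        # credentials of the current session
        AdminShare   = [bool](Test-Path -LiteralPath "\\$Target\admin$" -ErrorAction SilentlyContinue)
    }
}

# Run on the target computer before and after applying the fixes, and keep the
# output so that the original values of both settings are on record.
function Get-RemoteInstallPolicyState {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key

    # A value that does not exist is reported as $null, which is not the same as 0.
    $latfp = $props.PSObject.Properties['LocalAccountTokenFilterPolicy']
    $lua   = $props.PSObject.Properties['EnableLUA']

    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        CheckedAt                     = Get-Date -Format s
        LocalAccountTokenFilterPolicy = if ($latfp) { $latfp.Value } else { $null }
        EnableLUA                     = if ($lua) { $lua.Value } else { $null }
        # The "Server" system service has the service name LanmanServer.
        ServerServiceStatus           = "$((Get-Service -Name LanmanServer).Status)"
    }
}

# Constructed usage; WS-042 is a placeholder computer name:
#   Test-RemoteInstallReachability -Target 'WS-042'
#   Get-RemoteInstallPolicyState | Export-Csv .\policy-state.csv -NoTypeInformation -Append
```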

If you get a message at the end of the remote Client installation: “Client machine must be rebooted before agent installation”, reboot the computer because if the Client has been recently uninstalled, the Client computer must be rebooted first.

If you get a message after clicking Uninstall Ekran System Client: “The host is unavailable now or turned off. Try again later.”, this means that the Client may be offline or may not be able to connect to the Server. Please do one of the following:
- Wait until the Client appears online.
- If the Client does not appear online, uninstall it locally on the Client computer via the Windows command line by executing the following command:
  UninstallClient.exe /key=<uninstallation key>
  By default, the UninstallClient.exe file is located in the Client installation folder. The default path is C:\Program Files\Ekran System\Ekran System\.

Possible Problems with Receiving Data from Clients
If an installed Client does not appear online, do the following:
- Make sure that the Client is installed and its services are running.
- Make sure that there are no network connection problems: On the Server computer, in the Command line (cmd.exe), execute the following command: ping <Client computer name>. If the command displays network issues, please, resolve them.
- Make sure the Client processes/services are not blocked by the antivirus software.

If you changed the name of the Server computer, you have to change it on the Client computer through the registry.
NOTE: If the Client works in the non-protected mode, you can change the name of the Server to which it connects, by installing the Client remotely via the Management Tool once more.
To change the Server name:
1. Open the Windows Registry Editor.
2. Select the following key: HKEY_LOCAL_MACHINE/SOFTWARE/EkranSystem/Client.
3. Double-click the RemoteHost value, or select it and click Modify in the context menu.
4. Enter the new name or IP address of the Server to which the Client must connect.
5. Reboot the Client computer.

If a Client is online and not sending any data, do the following:
- Make sure the user activity recording is enabled in the Client configuration.
- Make sure a license is assigned to the Client.
- Make sure there is more than 500MB on the disk on which the Client is installed.

- Make sure the database is not full: there may be no free space left on the disk where the database is located in the Server database.

If an installed Client has stopped sending data, it may be caused by the following issues:
- The Client processes on the Client computer may have been terminated. Make sure the Client processes are running on the Client computer (see Checking that the Client is installed topic in the help file).
- The Client service (EkranClient) might have been stopped. Please make sure it is started.
- The Client computer may be offline. Make sure it is online and has no network connection problems.
- The connection might be blocked by Firewall. Try unblocking the connection.
- The sending of data is prevented by antivirus software. Make sure the Client processes/services are not blocked by the antivirus software.

Possible USB Monitoring Problems
If an installed Client with the USB monitoring/blocking option enabled does not detect the USB devices, do the following:
1. Check if the USB drivers are installed. To do this, on the Client computer, in the Command line (cmd.exe), execute the following command:
   UninstallClient.exe /usbcheck
2. Install the drivers if they are not installed. To do this, execute the following command:
   UninstallClient.exe /usb=true /key=<uninstall key>
3. Uninstall the drivers to reinstall them afterwards. To do this, execute the following command:
   UninstallClient.exe /usb=false /key=<uninstall key>

Linux Client

Possible Problems with Receiving Data from Clients
If an installed Client does not appear online, do the following:
- Make sure that the Linux Client is installed and running by checking the state of the Client.
- Make sure that there are no network connection problems: On the Server computer, in the Command line (cmd.exe), execute the following command: ping <Client computer name>. If the command displays network issues, resolve them.

If a Linux Client is online and not sending any data, do the following:
- Make sure a license is assigned to the Client.
- Make sure there is enough free space on the disk on which the Client is installed.
- Make sure the database is not full: there may be no free space left on the disk where the database is located in the Server database.

If an installed Client has stopped sending data, it may be caused by the following issues:
- The Linux Client might have been stopped. Please make sure it is started.
- The Client computer may be offline. Make sure it is online and has no network connection problems.

Checking the State of the Linux Client
If the Linux Client is successfully installed, it will appear on the Clients page of the Management Tool in the Data View pane. If there is no Linux Client in the Management Tool, you have to check whether the Client has been installed.
To check the status of the Linux Client, run the command-line terminal and enter the following command:
$ service Ekran status

Restarting Linux Client
To restart the Linux Client, use the following command in the terminal of the Client computer:
$ sudo service Ekran restart
Alternatively, stop and restart the Linux Client using the following commands:
$ sudo service Ekran stop
$ sudo service Ekran start
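The Windows Client checks from this troubleshooting section (installation folder, EkranClient service state, RemoteHost registry value, free disk space, connectivity) gathered into one read-only script. This is an added example, not part of the Ekran System documentation. It assumes it is run locally on the Client computer with administrative rights; the function name Add-Check and the parameter names are hypothetical, and the ping goes from the Client to the Server, the reverse of the direction the help file describes.

```powershell
# Added example: read-only health check for a Windows Client.
# Nothing on the machine is modified.
param(
    # Default installation folder as stated in the help file.
    [string]$InstallPath = 'C:\Program Files\Ekran System\Ekran System\',
    # Free-space threshold from the "online and not sending data" checklist.
    [int]$MinFreeMB = 500
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. Is the Client installed? UninstallClient.exe lives in the installation folder.
$uninstaller = Join-Path $InstallPath 'UninstallClient.exe'
Add-Check 'Client installed' (Test-Path -LiteralPath $uninstaller) $uninstaller

# 2. Is the Client service (EkranClient) present and running?
$svc = Get-Service -Name 'EkranClient' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Add-Check 'EkranClient service' $false 'service not found'
} else {
    Add-Check 'EkranClient service' ($svc.Status -eq 'Running') "status: $($svc.Status)"
}

# 3. Which Server is the Client configured to connect to?
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\EkranSystem\Client' `
                        -Name 'RemoteHost' -ErrorAction SilentlyContinue
$server = if ($reg) { [string]$reg.RemoteHost } else { '' }
Add-Check 'RemoteHost value set' ($server -ne '') "RemoteHost = '$server'"

# 4. Does that Server answer a ping? (skipped when RemoteHost is empty)
if ($server -ne '') {
    $alive = Test-Connection -ComputerName $server -Count 2 -Quiet
    Add-Check 'Server answers ping' $alive $server
}

# 5. Is there more than $MinFreeMB on the disk holding the Client?
$drive = Split-Path -Path $InstallPath -Qualifier      # e.g. "C:"
$disk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
if ($disk) {
    $freeMB = [math]::Floor($disk.FreeSpace / 1MB)
    Add-Check 'Free disk space' ($freeMB -gt $MinFreeMB) "$freeMB MB free on $drive"
} else {
    Add-Check 'Free disk space' $false "drive $drive not found"
}

$results | Format-Table -AutoSize
```

A failed ping does not by itself prove the Server is unreachable, since a firewall may drop ICMP while still allowing the Client connection.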

Appendix

Default Alerts
The Management Tool contains the default alerts, which are triggered on the different kinds of potentially harmful or forbidden actions performed on the computers with installed Clients.

Fraud Activity

Cleanup applications
This alert is triggered when the user on the Windows Client computer is opening the PC cleanup applications such as CCleaner, File Shredder, PC Decrapifier, and CleanUp.

Command prompt
This alert is triggered when the user on the Windows Client computer is executing the command prompt.

Date/Time changing
This alert is triggered when the user changes the Date and Time settings on the Windows Client computer.

Editing Windows Registry
This alert is triggered when the user on the Windows Client computer is editing the Windows registry via the Windows Registry Editor.

File Download from Internet browser
This alert is triggered when the user on the Windows Client computer is downloading files via such Internet browsers as Chrome, Firefox, or Internet Explorer.

File Upload via Internet browser
This alert is triggered when the user on the Windows Client computer is uploading files via such Internet browsers as Chrome, Firefox, or Internet Explorer.

Hacking software
This alert is triggered when the user on the Windows Client computer is using the different kinds of hacking software such as Angry IP Scanner, Burp Suite, Cain & Abel, Ettercap, HashCat, John The Ripper, Kali, Metasploit, Nmap (Network Mapper), Snort, THC Hydra, Wapiti, Wifite, and Wireshark.

IIS Binding Settings
This alert is triggered when the user on the Windows Client computer is changing IIS binding settings.

Internet Explorer proxy settings
This alert is triggered when the user on the Windows Client computer is changing the Internet Explorer Proxy Settings.

SugarSync. GigaSize. sugarsync. [Linux] User adding This alert is triggered when the user on the Linux Client computer is adding users. BackupRunner. ElephantDrive. Bitcasa.com. Backblaze. Fyels.me. letscrate. FileSavr.to. avast!. box.nz. Livedrive. KineticD. FileDropper. BackUp.com.com.com. SpiderOak. amazon.Appendix Remote desktop connection This alert is triggered when the user on the Windows Client computer is initiating RDP connection to another computer. Jungle Disk. MailBigFile.com. Carbonite. SafeSync.it . Fileshare. YouSendIt. zipcloud. Ge. LargeDocument. Streaky. Uploadingit.com. Mozy. Backup Lizard. Wappwolf. icloud. Total Defense Online Backup. CloudApp. Cyphertite.org. [Linux] Root privileges This alert is triggered when the user on the Linux Client computer is gaining the Root privileges. mega. Memonic. Otixo. sosonlinebackup. Windows user creation/editing This alert is triggered when the user on the Windows Client computer is adding or editing the Windows users. drive. Cloud file sharing This alert is triggered when the user on the Windows Client computer is sharing the files using the cloud based services 2Big2Send. code42. SendYourFiles.net. Doxo.com. Filecamp. 284 . RapidShare. Fluxiom.com.com. justcloud.com. bitcasa. JustBeamIt. DivShare. Mevvo.google. pastebin.com. PasteLink. Jottacloud. Dropcanvas. Symform. IDrive.com. Dropmark. NitroBackup.com. BitLet.com. EFShare.com. Send6. Uploadie.com.com. WeTransfer. 4shared. sosonlinebackup. Iozeta. Kicksend. adrive.live. DropSend. OpenDrive. Comodo Backup.com. CrashPlan.tt.com/crashplan. spideroak. Wikisend. eSnips. [Linux] Installation detection This alert is triggered when the user on the Linux Client computer is utilizing commands for installation. carbonite. Data Leakage Cloud backup This alert is triggered when the user on the Windows Client computer is opening a cloud backup service such as ADrive.com. Senduit.com. Gillware. AltDrive. livedrive. MyOtherDrive. Nomadesk. and Zoolz. MyPC Backup. 
Addie. Cloud storages This alert is triggered when the user on the Windows Client computer is visiting the following cloud storage websites: Dropbox. onedrive. Minus. Droplr. Malwarebytes.com. Uploaded. mozy. Digital Pigeon. and zShare.

Novell GroupWise. rarbg. mail.com. 777. ShowMyPC.com. this alert is triggered on any website. casino.eu. isohunt.com. bitsnoop. Transmission. Adam4adam.com. 285 . mail.com. ebaumsworld.com.eztv. and The Bat!. Windows Live Mail.com. and Zoom.com.yandex.com. login. yts.cr. G. IBM Notes.com. which contains the words xxx or porn in its URL.Appendix Desktop email clients This alert is triggered when the user on the Windows Client computer is opening the desktop email clients such as AOL Mail.com.live. qBittorrent.com. LogMeIn. Screenleap. Apache OpenMeetings.com. leovegas.com. join. Also.com.yahoo. Torch. inbox. youporn. [Linux] Mounting device This alert is triggered when the user on the Linux Client computer attempts to execute the commands for mounting devices on the Linux servers.com. Mikogo. login.com. freeones. Potentially Illicit Activity Adult sites This alert is triggered when the user on the Windows Client computer is visiting the following websites with illicit content for adults: flirt4free. redtube. Vuze.com. Literotica. Remote Access Viewer. Nudevista. kat.com. adultfriendfiner.com.com.com. icloud.com. BitTorrent clients This alert is triggered when the user on the Windows Client computer is opening the BitTorrent Client applications such as Utorrent. AnyMeeting. Post-box. mail. Thunderbird. Microsoft Outlook. 1337x.com.org.com. bet365. Screen sharing applications This alert is triggered when the user on the Windows Client computer is opening the screen sharing application such as TeamViewer.com. BitTorrent sites This alert is triggered when the user on the Windows Client computer is visiting the following BitTorrent websites: thepiratebay. cam4. FTP access This alert is triggered when the user on the Windows Client computer is visiting the FTP websites. titanbet.com. imlive.betway. livejasmin. hushmail. casino.screenname. 
Gambling sites This alert is triggered when the user on the Windows Client computer is visiting the following online gambling websites: grosvenorcasinos.com. GoToMeeting.com.e-hentai.com.com. my.lycos. zoho.aol.com.me. Deskhop.com. extratorrent. Mingle View.google. and BitLord. Online email services This alert is triggered when the user on the Windows Client computer is using the following online email services: mail. WebEx. torrentz. gmx. foxycasino. xnxx. Deluge. Tixati.

meetup.com/upwork.com/careerbuilder. hidemyass.com.net.com. MSN Messenger.com. Pidgin.com.com.com. seniorpeoplemeet.us.com. bind2. BS. KMPlayer.com.com.com. jobsearch.com. DAPlayer. swtor. eharmony.com.com.com. DivX Player.net.com.com. the-cloak. fresh-proxy. Desktop media players This alert is triggered when the user on the Windows Client computer is opening the desktop media players such as Windows Media Player. proxysite. Google Talk.com.com. Tor Browser. youhide.com.com.com.org. elance.com.com.com. newgrounds. Proxy anonymizers This alert is triggered when the user on the Windows Client computer is visiting the following proxy anonymizer websites: proxify.com.org.com.com. worldoftanks. Anonymouse.com.com.com. Miranda IM.com.com.my-addr. plarium. totaljerkface. badoo.com.org. ziprecruiter. zoosk. newipnow.com. and Trillian.com.leagueoflegends. VLC.com. armorgames. zophar.gov. simplyhired.com. datehookup. trionworlds. PotPlayer.com. beyond.Appendix 888casino. this alert is triggered on any website. pch. freelancer. zynga. kongregate. dontfilter. proxfree. minecraft. theladders. alter- ip. ourtime. speeddate. dota2.com. pof.com. and iTunes. linkedin. kproxy. megaproxy.com. battle.com.com.com.com.com. snagajob. hirezstudios.com. glassdoor. Not Work-related Activity Dating sites This alert is triggered when the user on the Windows Client computer is visiting the following dating websites: match.com. jdate. proxy.com. Also. monster. SMPlayer. proxy. deadwhale. Online games This alert is triggered when the user on the Windows Client computer is visiting the following online games websites: eune.com. linkup. GOM Player. okcupid. christianmingle.com. addictinggames. careerarc. chemistry. usajobs.com.com.appspot. Yahoo! Messenger. maskedip.com. peopleperhour.com. which contains the words casino or poker in its URL. steampowered. popcap. europacasino. 
Job search This alert is triggered when the user on the Windows Client computer is visiting the following job search websites: indeed. jobdiagnosis.com. proxywebsite. 286 . Kantaris Media Player. aol-careers. Digsby.com. crazymonkeygames. howaboutwe.com. blewpass. uas2.com. Instant messengers This alert is triggered when the user on the Windows Client computer is opening the instant messengers Skype. gotinder.com. ICQ.Player. dice.com.com. anonymizer.com.com.com. Media Player Classic.

com.google.co.com.com. tumblr. ted.com.com. myheritage.Appendix Online video This alert is triggered when the user on the Windows Client computer is visiting the following online video websites: Youtube. pinterest.aol.jp. Social networks This alert is triggered when the user on the Windows Client computers is visiting the following social network websites: facebook. schtik.com. mixi.com. metacafe. gopro. break.com.com. tagged. tripadvisor. meetup. ask. plus.com. veoh.com. classmates. mtv. funnyordie.com. vk. vimeo.com. vine. myspace.com.fm. on. foursquare.com.com. dailymotion.com.com. 287 . weeworld. twitter. flickr. instagram. linkedin.com. meetme.

Standard and Enterprise Edition Comparison Chart
The enterprise Ekran System features are available only if you have an activated Enterprise serial key.

Feature | Standard Edition | Enterprise Edition

Ekran System Technical Features
High Availability | ✘ | ✔
Two types of database (Firebird, MS SQL) | ✔ | ✔
Database cleanup | ✔ | ✔
Database archiving | ✘ | ✔
Signing monitoring data with certificate | ✔ | ✔
Validation of monitoring data using hash codes | ✔ | ✔
Storing screenshots in the form of deltas | ✔ | ✔
NAS support for binary file storing | ✔ | ✔
Advanced SIEM Integration | ✘ | ✔
Integration with Active Directory | ✔ | ✔
Integration with ticketing systems | ✘ | ✔
Client offline work mode | ✔ | ✔
Displaying notifications about the Server state (Server Tray) | ✔ | ✔

Ekran System Client Features
Client installation, uninstallation, and auto-update | ✔ | ✔
  - Remote [Windows Clients]
  - Local [Windows & Linux Clients]
Client protection | ✔ | ✔
  - Client mode (protected, non-protected)
  - Protection from uninstallation (uninstallation key)
Alert policies | ✔ | ✔
Client group management | ✔ | ✔

Windows Client Monitoring
Screenshot creation | ✔ | ✔
Monitoring without screenshots | ✔ | ✔
Keystroke logging | ✔ | ✔
Monitoring triggered by keyword | ✔ | ✔
Clipboard monitoring | ✔ | ✔
URL monitoring | ✔ | ✔
USB-based storage monitoring | ✔ | ✔
Kernel-level USB monitoring & blocking | ✔ | ✔
Application filtering | ✔ | ✔

User filtering | ✔ | ✔
Client monitoring logs creation | ✔ | ✔

User authentication on the Client computer with Windows operating system
Secondary authentication | ✔ | ✔
One-time password | ✘ | ✔
Two-factor authentication | ✔ | ✔
Administrator’s approval on login | ✔ | ✔

Informing about monitoring on the Client computer
Displaying additional message on login | ✔ | ✔
User’s comment to additional message on login | ✔ | ✔
Displaying Client tray icon | ✔ | ✔

Linux Client Monitoring
User actions monitoring | ✔ | ✔
  - Input commands
  - Terminal responses
System calls monitoring | ✔ | ✔

User Management Features
Active Directory users/user groups | ✔ | ✔

Internal users | ✔ | ✔
User permissions | ✔ | ✔
  - Administrative permissions
  - Client permissions
User group management | ✔ | ✔
Logging of all user actions | ✔ | ✔

Displaying Monitoring Results
Interaction with the investigator | ✔ | ✔
  - Displaying notifications on alert events (Tray Notifications app)
  - Sending email notifications
Web-based Player | ✔ | ✔
  - Searching Client sessions by metadata
  - Playing Client sessions (live and finished)
Interactive monitoring | ✔ | ✔
Dashboards | ✔ | ✔
Alert Viewer | ✔ | ✔
Reports (Report Generator & Scheduled Reports) | ✔ | ✔

Export of Monitoring Results
Forensic Export of a session | ✔ | ✔
Screenshot export | ✔ | ✔

Validation of Forensic Export results | ✔ | ✔