TSFactory RecordTS Single Server Edition
October 03, 2016
£380 per year, includes support.
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Solid functionality and ease of deployment.
- Weaknesses: We wish that there was a way to accomplish the same functionality without being an inline appliance.
- Verdict: If you are using remote terminal services of any kind in a Microsoft network – and most businesses are – you should take a close look at this (or its larger, beefier, siblings).
In our threat analysis lab - the "dirty" part of the SC Lab - we watch probes and attacks against our honeynet, and we find that scans, probes and attacks are most prevalent against SSH, Telnet, FTP and RDP. Any attack or probe against Microsoft terminal services concerns us, yet there are not many tools available to monitor that traffic, collect evidence and perform analytics on it. RecordTS is exactly that kind of tool. The simplest description is that it is a remote session recorder. The single server edition sits on a server running Terminal Services. It records what users do through the server and produces a forensically sound record complete with an audit trail. This not only shows connections - source and destination - as one would expect, it also captures the session content.
While this is useful for watching the behaviour of users, it is more useful for watching the behaviour of accounts. It has long been a maxim of data security that the account is more important than the user, because the behaviour of the account reveals what the owner is doing or, perhaps more important, what an intruder who has compromised the account is doing. So we care about the account first and the owner second. This tool lets us gather the evidence that we need. With RecordTS, everything is stored in a back-end SQL database (PostgreSQL).
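To show what an account-centric view of terminal services activity looks like in practice, here is an added example that is not part of the review and not RecordTS code: it reads a constructed, simplified export of Windows Security events 4624 (successful logon) and 4625 (failed logon), keeps only logon type 10 (RemoteInteractive, which is what an RDP session produces), and summarises, per account rather than per user, the source addresses seen and any burst of failures followed by a success, the pattern a freshly guessed password leaves behind. The tab-separated export format, the sample records, the five-minute window and the burst threshold are assumptions chosen for the example.

```python
"""Account-centric summary of RDP (Terminal Services) logon events.

Added example, not RecordTS code. Input is a constructed, simplified export
of Windows Security events 4624/4625 with the fields: timestamp, event id,
account, logon type, source IP (tab separated). Only logon type 10
(RemoteInteractive, i.e. RDP) is considered.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample export (assumed format, not a real log).
SAMPLE_EXPORT = """\
2016-09-30T08:01:10Z\t4624\tjsmith\t10\t10.1.4.22
2016-09-30T08:03:41Z\t4624\tadm-ops\t10\t10.1.4.9
2016-09-30T22:15:02Z\t4625\tadm-ops\t10\t203.0.113.77
2016-09-30T22:15:04Z\t4625\tadm-ops\t10\t203.0.113.77
2016-09-30T22:15:06Z\t4625\tadm-ops\t10\t203.0.113.77
2016-09-30T22:15:09Z\t4625\tadm-ops\t10\t203.0.113.77
2016-09-30T22:15:11Z\t4625\tadm-ops\t10\t203.0.113.77
2016-09-30T22:15:40Z\t4624\tadm-ops\t10\t203.0.113.77
2016-09-30T22:16:00Z\t4624\tsvc-backup\t5\t-
2016-10-01T09:00:00Z\t4624\tjsmith\t10\t10.1.4.22
"""

RDP_LOGON_TYPE = "10"
FAIL_BURST_MIN = 5                      # assumed threshold: failures before a success
FAIL_BURST_WINDOW = timedelta(minutes=5)  # assumed window for counting those failures


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    account: str
    logon_type: str
    source_ip: str


def parse_export(text):
    """Parse the tab-separated export into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, logon_type, source_ip = line.split("\t")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(LogonEvent(when, int(event_id), account, logon_type, source_ip))
    return events


@dataclass
class AccountSummary:
    successes: int = 0
    failures: int = 0
    sources: set = field(default_factory=set)
    # (ISO time, source IP) of each success that followed a burst of failures
    suspicious: list = field(default_factory=list)


def summarise_rdp(events):
    """Build a per-account view of RDP logons; other logon types are ignored."""
    by_account = defaultdict(AccountSummary)
    recent_failures = defaultdict(list)  # account -> timestamps of recent 4625s
    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue
        summary = by_account[ev.account]
        if ev.event_id == 4625:
            summary.failures += 1
            recent_failures[ev.account].append(ev.when)
        elif ev.event_id == 4624:
            summary.successes += 1
            summary.sources.add(ev.source_ip)
            # A success preceded by a burst of failures is what a guessed
            # password looks like from the account's point of view.
            in_window = [t for t in recent_failures[ev.account]
                         if ev.when - t <= FAIL_BURST_WINDOW]
            if len(in_window) >= FAIL_BURST_MIN:
                summary.suspicious.append((ev.when.isoformat(), ev.source_ip))
            recent_failures[ev.account] = []  # a success ends the burst
    return dict(by_account)


if __name__ == "__main__":
    for account, s in summarise_rdp(parse_export(SAMPLE_EXPORT)).items():
        print(f"{account}: {s.successes} ok, {s.failures} failed, "
              f"sources={sorted(s.sources)}")
        for when, ip in s.suspicious:
            print(f"  ! success from {ip} at {when} after a burst of failures")
```

On the constructed sample, the adm-ops account shows five failures from 203.0.113.77 followed by a success from the same address, which the summary flags; the svc-backup record is dropped because logon type 5 is a service logon, not an RDP session. A recorder such as RecordTS is what lets you go from this flag to what the session actually did.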
Architecturally, the server sits between the remote clients and the terminal server. It has a web-based dashboard/console and the recorder, which acts as a man-in-the-middle between users and the terminal server. There also is the SQL database for collecting and preserving evidence. The server gets its licensing information from TSFactory, the developer. Setup is straightforward and the hardware requirements are not onerous.
One point, though: lots of storage is a good thing. The database can grow pretty fast on a large system. But remember that this is the single server edition: if you need a lot more power and, most important, distribution, you'll need the enterprise grade system. Even so, don't skimp on database storage. Also, make sure that your RecordTS server is in a physically secure area and that you restrict both logical and physical access. Remember, it contains evidence, and because it captures session content, the recordings are as sensitive as anything that was typed or displayed in them. The server regularly verifies its licence with TSFactory, so an internet connection is necessary. Take care in how you configure your firewall: allow the outbound connection the licence check needs, and nothing more.
We liked the replay capabilities of the product. If you catch a questionable session, you can play back a recording of it using the RecordTS player or you can convert it to AVI or SWF for distribution and preservation as evidence.
Installation is very straightforward. Just make sure that the server has constant access to the internet: if it cannot verify its licence, everything stops. The good news is that you can set up buffering, so that if the database is unavailable for a short period you won't lose data. Also, the device sits inline between the terminal services server and the users, so if the product becomes disabled, users lose connectivity. We see this as a problem, but it is unavoidable: to decode the data stream as a man-in-the-middle, you must be in the middle. That means care must be taken to ensure that the system either stays online or runs in a failover configuration with a standby server.
This is a very interesting tool and, though it does just one thing - monitor and record remote terminal services sessions - it does that quite well. Pricing is reasonable and the documentation is very good. There is basic support included at no additional cost. We liked the website and its support portal. For example, when you go to support for your product you get a screen that says: "First things first: READ THE MANUAL." It then conveniently provides access directly to the installation manual. There also is a support FAQ, all very nicely laid out.