Auditing user activity on Windows computers

Just as it is important to protect assets and resources from unauthorized access, it is equally important to track what users who have permission to access those resources have done. For users who have privileged access to computers and applications with sensitive information, auditing helps ensure accountability and improve regulatory compliance. With Centrify audit and monitoring service, you can capture detailed information about user activity and all of the events that occurred while a user was logged on to an audited computer.

If you choose to enable audit and monitoring service on Windows computers, the Centrify agent starts recording user activity when a user selects a role or logs on to a computer. The agent continues recording until the user logs out or the computer is locked because of inactivity. The user activity captured includes an audit trail of the actions a user has taken and a video record of the applications opened, any text that was entered, and the results that were displayed on the screen. Because information about user activity, called a session, is collected as it happens, you can monitor computers for suspicious activity or troubleshoot problems immediately after they occur.

When users start a new session on an audited computer, they can be notified that their session is being audited and they cannot turn off auditing except by logging off. The information recorded is then transferred to a Microsoft SQL Server database so that it is available for querying and playback. You can search the stored user sessions to look for policy violations, user errors, or malicious activity that may have led to a service degradation or outage.

In addition to saving video record of user activity, sessions provide a summary of actions taken so that you can scan for potentially interesting or damaging actions without playing back a complete session. After you select a session of interest in the Audit Analyzer, the console displays an indexed list of actions taken in the order in which they occurred. You can then select any entry in the list to start viewing the session beginning with that action. For example, if a user opened an application that stores credit card information, you can scan the list of actions for the launch of that application and begin reviewing what happened in the session from that time until the user closed that application.

If users change their account permissions to take any action with elevated privileges, the change is recorded as an audit trail event. You can search for these events to find sessions of interest.