
Session Management & Monitoring


Session management is the real-time control component of PAM. While credential vaulting secures who can access privileged accounts, session management monitors what they do during that access. Every privileged session — RDP, SSH, web console, database client — should be recorded, monitored, and auditable.

Session management serves three purposes: deterrence (knowing they are watched, users are less likely to abuse privileges), detection (suspicious activity triggers real-time alerts), and investigation (recorded sessions provide forensic evidence after an incident).

Session Management Architecture

Proxy-Based Architecture

The most secure approach is proxy-based session management, where the user never has direct network connectivity to the target system:

User ──→ PAM Session Proxy ──→ Target System
  │              │                    │
  │      ┌───────┴───────┐            │
  │      │   Recording   │            │
  │      │   Monitoring  │            │
  │      │   Filtering   │            │
  │      │   Command     │            │
  │      │   Control     │            │
  │      └───────────────┘            │
  │                                   │
  └──────── Session is proxied ───────┘
           (no direct network path)

Session Architecture Comparison

| Model | Security | Network Complexity | User Experience | Performance |
|---|---|---|---|---|
| Direct connection | Low — user can bypass controls | Simple | Best (native client) | Best |
| Jump host / bastion | Medium — single entry point | Moderate | Good (SSH to jump host) | Good |
| Proxy with recording | High — all traffic recorded | Moderate | Moderate (proxy negotiates) | Moderate |
| Proxy with isolation | Very High — no direct path, full control | Complex | Moderate (proxy appears as gateway) | Moderate |
| Remote browser isolation | Very High — no code reaches endpoint | Complex | Reduced | Lower |

Danger

Direct connections to privileged systems should be prohibited. Every privileged session must pass through a PAM session proxy that enforces recording, monitoring, and access controls. Without a proxy, there is no way to prevent or detect credential sharing, session hijacking, or data exfiltration.

Session Recording

Recording Methods

| Method | Captures | Storage Size | Playback Quality | Use Case |
|---|---|---|---|---|
| Video recording | Screen pixels | Large | High (exact visual playback) | Windows/RDP sessions, web consoles |
| Keystroke logging | Keys pressed | Small | Medium (text-only reconstruction) | SSH sessions, command-line tools |
| Metadata logging | Session timing, source/dest, commands | Very small | Low (no content) | Low-risk sessions, compliance checkboxes |
| Text capture | All visible text output | Medium | High (searchable text) | SSH sessions with text extraction |

Session Recording Architecture

Recording Pipeline:
Session Input → Capture Agent → Encoder → Storage → Index → Playback
                                  │          │
                                  │    ┌─────┴──────┐
                                  │    │   Object   │
                                  └────│  Storage   │ ← encrypted stream from the Encoder
                                       │ (S3/Azure) │
                                       └────────────┘

Storage recommendations:

  • Compress recordings (H.264 for video, gzip for text)
  • Encrypt at rest (AES-256)
  • Retain based on compliance requirements (SOX: 7 years, PCI: 1 year, GDPR: as needed)
  • Tier storage: hot (30 days for active review) → warm (90 days) → cold (archive for compliance)
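The following Go program is an added illustration of the pipeline and storage recommendations above; it is not code from the page or from any PAM product. It takes a constructed text transcript through the encode, encrypt and store steps (gzip for text, AES-256-GCM for encryption at rest, with the session id bound as associated data so a stored object cannot be relabelled) and applies the hot/warm/cold schedule. The in-process random key is a simplification for the example; a real deployment holds recording keys in a KMS or HSM.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"time"
)

// StoredRecording is the object written to storage plus the index fields kept beside it.
type StoredRecording struct {
	SessionID  string
	RecordedAt time.Time
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over the gzip stream, authentication tag appended
	GzipBytes  int    // compressed size, useful for capacity planning
}

// newGCM builds the AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreRecording gzips a text transcript and encrypts it with AES-256-GCM.
// The session id is bound as additional authenticated data, so a stored blob
// cannot later be passed off as the recording of a different session.
func StoreRecording(key []byte, sessionID string, transcript []byte, at time.Time) (StoredRecording, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	zw.Write(transcript) // writes into a bytes.Buffer cannot fail
	zw.Close()
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecording{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecording{}, err
	}
	return StoredRecording{
		SessionID:  sessionID,
		RecordedAt: at,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, zbuf.Bytes(), []byte(sessionID)),
		GzipBytes:  zbuf.Len(),
	}, nil
}

// OpenRecording reverses StoreRecording. GCM rejects any modified byte, which is how a tampered or relabelled recording is caught before playback.
func OpenRecording(key []byte, r StoredRecording) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	z, err := gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.SessionID))
	if err != nil {
		return nil, fmt.Errorf("recording %s failed integrity check: %w", r.SessionID, err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// Tier implements the hot (30 days) / warm (90 days) / cold storage schedule.
func Tier(recordedAt, now time.Time) string {
	switch age := now.Sub(recordedAt); {
	case age <= 30*24*time.Hour:
		return "hot"
	case age <= 90*24*time.Hour:
		return "warm"
	}
	return "cold"
}

func main() {
	key := make([]byte, 32) // constructed in-process key; production keys live in a KMS or HSM
	rand.Read(key)
	transcript := bytes.Repeat([]byte("$ systemctl status sshd\n"), 200) // constructed SSH transcript
	rec, err := StoreRecording(key, "sess-0001", transcript, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("raw=%d gzip=%d cipher=%d tier=%s\n", len(transcript), rec.GzipBytes,
		len(rec.Ciphertext), Tier(rec.RecordedAt, time.Now()))
	rec.Ciphertext[0] ^= 0x01 // simulate corruption or tampering of the stored object
	_, err = OpenRecording(key, rec)
	fmt.Println("after tampering:", err)
}
```

Because the auth tag covers both the ciphertext and the session id, an object copied into another session's slot, or altered on disk, fails to open rather than playing back silently; the index and playback stages of the pipeline should treat that failure as an integrity incident, not a storage error.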

Real-Time Session Monitoring

Alerting Rules

Real-time monitoring can trigger alerts based on:

| Alert Type | Trigger | Severity | Response |
|---|---|---|---|
| Command blacklist | User enters blocked command (rm -rf, shutdown, dsrm) | Critical | Session terminated immediately |
| Sensitive data access | Access to known sensitive files or databases | High | Alert + session recording flagged |
| Geographic anomaly | Session originates from unexpected location | High | MFA re-prompt, possible termination |
| Time anomaly | Session outside normal hours without approved change window | Medium | Alert + session flagged for review |
| Concurrent sessions | Same credentials used from multiple locations | Critical | Immediate termination + credential rotation |
| Copy/paste detection | Large data transfer via clipboard | High | Block copy/paste, alert security team |
| File transfer detection | Large file upload or download | High | Alert, require approval for large transfers |

Session Termination Criteria

Sessions can be terminated automatically or manually:

| Termination Reason | Automatic | Manual | Post-Action |
|---|---|---|---|
| Policy violation | Command blacklist match | Yes | Lock account, notify security team |
| Session timeout | Inactivity beyond threshold | No | Rotate credential, log session |
| Approval window expired | Elevation duration exceeded | No | Force logout, rotate credential |
| Suspicious activity | Alert threshold reached | Yes | Initiate incident response process |
| User request | N/A | User-initiated | Clean termination, log duration |
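The alerting and termination tables above describe rules and responses in prose. The Go program below is an added example, not part of the page or any PAM product, that turns them into a small policy evaluator run over one constructed session. The thresholds (business hours 08:00 to 18:00, a 64 KiB clipboard limit, a 15-minute inactivity timeout), the baseline countries and the rule and action names are all assumptions chosen for the example; a real proxy would look the baseline up per credential.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Alert is one finding with the severity and response from the tables above.
type Alert struct{ Rule, Severity, Action string }

// Event is one captured action: a command line, or a clipboard transfer of ClipboardLen bytes.
type Event struct{ Command string; ClipboardLen int }

// Session is the metadata the proxy holds about one live session.
type Session struct {
	ID, Credential, SourceIP, Country   string
	Start, LastActivity, ElevationUntil time.Time
	ChangeWindow                        bool // an approved change window covers this session
	Events                              []Event
}

// Policy holds the thresholds. Everything in SamplePolicy is constructed.
type Policy struct {
	Blocked                     []string        // blocked command fragments, whitespace-normalised
	UsualCountries              map[string]bool // baseline countries for this credential
	BusinessStart, BusinessEnd  int             // hours, start inclusive, end exclusive
	ClipboardLimit              int             // bytes
	Inactivity                  time.Duration
}

// Evaluate applies every rule to s at time now; others are the sessions the proxy currently has open besides s.
func Evaluate(p Policy, s Session, others []Session, now time.Time) []Alert {
	var out []Alert
	for _, e := range s.Events {
		// Collapse runs of whitespace so "rm  -rf" and "sudo rm -rf" both match.
		cmd := " " + strings.Join(strings.Fields(e.Command), " ") + " "
		for _, b := range p.Blocked {
			if strings.Contains(cmd, " "+b+" ") {
				out = append(out, Alert{"command-blocklist", "Critical", "terminate+lock-account"})
			}
		}
		if e.ClipboardLen > p.ClipboardLimit {
			out = append(out, Alert{"clipboard-volume", "High", "block-clipboard+notify"})
		}
	}
	if !p.UsualCountries[s.Country] {
		out = append(out, Alert{"geo-anomaly", "High", "mfa-reprompt"})
	}
	if h := s.Start.Hour(); !s.ChangeWindow && (h < p.BusinessStart || h >= p.BusinessEnd) {
		out = append(out, Alert{"time-anomaly", "Medium", "flag-for-review"})
	}
	for _, o := range others {
		if o.ID != s.ID && o.Credential == s.Credential && o.SourceIP != s.SourceIP {
			out = append(out, Alert{"concurrent-sessions", "Critical", "terminate+rotate"})
			break
		}
	}
	if now.Sub(s.LastActivity) > p.Inactivity {
		out = append(out, Alert{"inactivity-timeout", "Medium", "terminate+rotate"})
	}
	if now.After(s.ElevationUntil) {
		out = append(out, Alert{"elevation-expired", "Medium", "force-logout+rotate"})
	}
	return out
}

// MustTerminate reports whether any finding carries a terminating action.
func MustTerminate(alerts []Alert) bool {
	for _, a := range alerts {
		if strings.Contains(a.Action, "terminate") || strings.Contains(a.Action, "force-logout") {
			return true
		}
	}
	return false
}

// SamplePolicy returns constructed thresholds for the example.
func SamplePolicy() Policy {
	return Policy{
		Blocked:        []string{"rm -rf", "shutdown", "dsrm"},
		UsualCountries: map[string]bool{"DE": true, "NL": true},
		BusinessStart:  8, BusinessEnd: 18,
		ClipboardLimit: 64 * 1024,
		Inactivity:     15 * time.Minute,
	}
}

func main() {
	now := time.Date(2024, 3, 5, 23, 30, 0, 0, time.UTC)
	// Constructed session: out of hours, unusual country, a blocked command, elevation still valid.
	s := Session{ID: "s1", Credential: "svc-dbadmin", SourceIP: "203.0.113.7", Country: "BR",
		Start: now.Add(-20 * time.Minute), LastActivity: now.Add(-5 * time.Minute),
		ElevationUntil: now.Add(time.Hour),
		Events: []Event{{Command: "sudo  rm -rf /"}, {ClipboardLen: 2 << 20}}}
	others := []Session{{ID: "s2", Credential: "svc-dbadmin", SourceIP: "198.51.100.4"}}
	alerts := Evaluate(SamplePolicy(), s, others, now)
	fmt.Printf("%+v\nterminate: %v\n", alerts, MustTerminate(alerts))
}
```

The session in main trips five rules (blocked command, clipboard volume, geographic anomaly, time anomaly, concurrent use of the same credential) and MustTerminate returns true; the inactivity and elevation rules stay quiet because the session was active five minutes ago and its approval window has not expired.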

Command Filtering and Control

Allowlisting vs Blocklisting

| Approach | Description | Pros | Cons |
|---|---|---|---|
| Command allowlisting | Only specified commands can be executed | Secure by default, predictable | High initial setup effort, blocks legitimate new commands |
| Command blocklisting | Only specified commands are prohibited | Flexible, low setup | Prone to bypass, misses novel attack commands |

Recommendation: Use command blocklisting for initial deployment (block the most dangerous commands), then migrate toward command allowlisting for critical systems as you refine your understanding of required commands.

Dangerous Commands by Platform

| Platform | Dangerous Commands | Reason |
|---|---|---|
| Linux | rm -rf /, chmod -R 777 /, dd if=/dev/zero of=/dev/sda, :(){ :\|:& };: | System destruction, fork bomb |
| Windows (CMD) | del /F /S /Q C:\*, format, diskpart, reg delete | File deletion, disk operations |
| Windows (PowerShell) | Remove-Item -Recurse, Stop-Service, Disable-ADAccount | Bulk operations, service disruption |
| Windows (AD) | dsrm, ntdsutil, repadmin /syncall | AD object deletion, forced replication |
| SQL | DROP DATABASE, TRUNCATE TABLE, DELETE FROM without WHERE | Data destruction |
| Cloud CLI | Delete-S3Bucket, Delete-RDSInstance, Disable-Key | Infrastructure destruction |
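The comparison table and the platform table above are served by one added Go example (not code from the page or any PAM product) of a command filter that implements both approaches. In allowlist mode only listed command names pass; in blocklist mode the Linux and SQL rows are enforced by parsing the command line rather than matching a literal string, which is why the filter also catches flag spellings the page's "Prone to bypass" entry warns about (rm -fr, rm -r -f, --recursive, flags after the target). The rule set, command names and sample lines are assumptions constructed for the example; shell quoting is deliberately not parsed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Mode selects the filtering approach from the comparison table.
type Mode int

const (
	Blocklist Mode = iota // everything runs except what a rule denies
	Allowlist             // nothing runs except listed command names
)

// Decision is the filter's verdict for one command line.
type Decision struct {
	Allowed bool
	Reason  string
}

// Filter holds the policy; Allowed is consulted only in Allowlist mode.
type Filter struct {
	Mode    Mode
	Allowed map[string]bool // command names, i.e. argv[0] after any leading sudo
}

var (
	sqlDestructive = regexp.MustCompile(`(?i)^\s*(drop\s+database|truncate\s+table)\b`)
	sqlDelete      = regexp.MustCompile(`(?i)^\s*delete\s+from\b`)
	sqlWhere       = regexp.MustCompile(`(?i)\bwhere\b`)
	forkBomb       = regexp.MustCompile(`:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:`)
)

// argv splits a shell line on whitespace and drops a leading sudo so that
// "sudo rm" and "rm" are judged by the same rule. Shell quoting is not parsed.
func argv(line string) []string {
	f := strings.Fields(line)
	if len(f) > 0 && f[0] == "sudo" {
		f = f[1:]
	}
	return f
}

// recursiveAgainstRoot recognises rm or chmod run recursively against / or /*
// however the flags are spelled (-rf, -fr, -r -f, --recursive, flags after the
// target). A literal "rm -rf /" string match would miss most of these.
func recursiveAgainstRoot(args []string) bool {
	if len(args) == 0 || (args[0] != "rm" && args[0] != "chmod") {
		return false
	}
	recursive, root := false, false
	for _, a := range args[1:] {
		switch {
		case a == "--recursive":
			recursive = true
		case strings.HasPrefix(a, "-") && !strings.HasPrefix(a, "--") && strings.ContainsAny(a, "rR"):
			recursive = true
		case a == "/" || a == "/*":
			root = true
		}
	}
	return recursive && root
}

// Check returns the verdict for one line in the filter's mode.
func (f Filter) Check(line string) Decision {
	args := argv(line)
	if len(args) == 0 {
		return Decision{true, "empty line"}
	}
	if f.Mode == Allowlist {
		if f.Allowed[args[0]] {
			return Decision{true, "allowlisted: " + args[0]}
		}
		return Decision{false, "not on allowlist: " + args[0]} // secure by default
	}
	switch {
	case recursiveAgainstRoot(args):
		return Decision{false, "recursive " + args[0] + " against filesystem root"}
	case forkBomb.MatchString(line):
		return Decision{false, "fork bomb"}
	case sqlDestructive.MatchString(line):
		return Decision{false, "destructive SQL statement"}
	case sqlDelete.MatchString(line) && !sqlWhere.MatchString(line):
		return Decision{false, "DELETE FROM without WHERE"}
	}
	return Decision{true, "no blocklist rule matched"} // anything unlisted passes
}

func main() {
	loose := Filter{Mode: Blocklist}
	for _, line := range []string{"sudo rm -fr /", "rm -rf /tmp/build", "DELETE FROM orders", "DELETE FROM orders WHERE id = 7"} {
		d := loose.Check(line)
		fmt.Printf("%-34q allowed=%-5v %s\n", line, d.Allowed, d.Reason)
	}
	strict := Filter{Mode: Allowlist, Allowed: map[string]bool{"ls": true, "systemctl": true, "tail": true}}
	fmt.Printf("%+v\n", strict.Check("cat /etc/hosts"))
}
```

The two modes fail in opposite directions, which is the trade-off the table describes: the blocklist lets "rm -rf /tmp/build" through because only the root target is dangerous by its rules, while the allowlist refuses a harmless "cat" simply because nobody listed it. That is why the recommendation below starts with a blocklist and narrows toward an allowlist as the set of genuinely required commands becomes known.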

Session Forensics and Investigation

Post-Incident Investigation Using Session Recordings

Identify the Session

Using the incident timestamp and user identity, locate all privileged sessions active during the incident window. Cross-reference with incident detection system alerts.

Review Session Metadata

Examine session metadata: source IP, target system, duration, credential used, any alerts triggered during the session.

Playback Recording

Play back the session recording. For video recordings, watch the administrator’s actions. For SSH sessions, review the keystroke log and command output.

Identify Anomalous Actions

Flag commands or actions that deviate from the user’s normal pattern, from approved change plans, or from standard operating procedures.

Capture Evidence

Export relevant segments of the session recording, command logs, and metadata as evidence. Preserve in immutable storage for the duration required by the incident response policy.
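The identify, review-metadata and capture-evidence steps above can be scripted against the recording store's session index. The Go program below is an added example, not code from the page or from any PAM product: it selects sessions whose metadata overlaps the incident window (optionally for one user, and treating a still-open session as overlapping), narrows to those that raised alerts, and writes a JSON manifest whose SHA-256 is what an investigator records in the case file so a later reviewer can confirm the exported bundle is unchanged. The session index, user names, addresses and incident id are all constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// SessionMeta is the index record the recording store keeps for each session.
type SessionMeta struct {
	ID         string    `json:"id"`
	User       string    `json:"user"`
	Credential string    `json:"credential"`
	SourceIP   string    `json:"source_ip"`
	Target     string    `json:"target"`
	Start      time.Time `json:"start"`
	End        time.Time `json:"end"` // zero value: session still open
	Alerts     []string  `json:"alerts"`
}

// InWindow returns, ordered by start time, the sessions that overlap the
// incident window. A session still open counts as overlapping. user == ""
// means any user.
func InWindow(all []SessionMeta, from, to time.Time, user string) []SessionMeta {
	var hits []SessionMeta
	for _, s := range all {
		if user != "" && s.User != user {
			continue
		}
		end := s.End
		if end.IsZero() {
			end = to
		}
		if s.Start.Before(to) && !end.Before(from) {
			hits = append(hits, s)
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Start.Before(hits[j].Start) })
	return hits
}

// Flagged narrows a result set to sessions that raised at least one alert.
func Flagged(sessions []SessionMeta) []SessionMeta {
	var out []SessionMeta
	for _, s := range sessions {
		if len(s.Alerts) > 0 {
			out = append(out, s)
		}
	}
	return out
}

// Manifest serialises the selected sessions with the query parameters and
// returns the bytes plus their SHA-256 for the case file.
func Manifest(incidentID string, from, to time.Time, sessions []SessionMeta) ([]byte, string, error) {
	doc := struct {
		Incident string        `json:"incident"`
		From     time.Time     `json:"window_from"`
		To       time.Time     `json:"window_to"`
		Sessions []SessionMeta `json:"sessions"`
	}{incidentID, from, to, sessions}
	b, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(b)
	return b, hex.EncodeToString(sum[:]), nil
}

// SampleIndex is a constructed session index; every value is made up.
func SampleIndex() []SessionMeta {
	d := func(h, m int) time.Time { return time.Date(2024, 3, 5, h, m, 0, 0, time.UTC) }
	return []SessionMeta{
		{ID: "s-100", User: "alice", Credential: "svc-db", SourceIP: "10.0.0.5", Target: "db01", Start: d(9, 0), End: d(9, 45)},
		{ID: "s-101", User: "bob", Credential: "svc-web", SourceIP: "10.0.0.9", Target: "web02", Start: d(13, 50), End: d(14, 20)},
		{ID: "s-102", User: "alice", Credential: "svc-db", SourceIP: "203.0.113.7", Target: "db01", Start: d(14, 5), End: d(14, 40),
			Alerts: []string{"geo-anomaly", "command-blocklist"}},
		{ID: "s-103", User: "alice", Credential: "svc-db", SourceIP: "10.0.0.5", Target: "db02", Start: d(14, 25),
			Alerts: []string{"concurrent-sessions"}}, // still open
		{ID: "s-104", User: "carol", Credential: "svc-ad", SourceIP: "10.0.0.2", Target: "dc01", Start: d(16, 0), End: d(16, 30)},
	}
}

func main() {
	from := time.Date(2024, 3, 5, 14, 0, 0, 0, time.UTC) // constructed incident window
	to := from.Add(30 * time.Minute)
	hits := InWindow(SampleIndex(), from, to, "")
	for _, s := range hits {
		fmt.Printf("%s %-6s %-12s %s alerts=%v\n", s.ID, s.User, s.SourceIP, s.Target, s.Alerts)
	}
	b, sum, err := Manifest("INC-0000-EXAMPLE", from, to, Flagged(hits))
	if err != nil {
		panic(err)
	}
	fmt.Printf("manifest %d bytes sha256=%s\n", len(b), sum)
}
```

The manifest hash, together with the recording segments exported alongside it, is what goes into immutable storage; the same query re-run later must reproduce the same bytes and hash, which is why the query window and incident id are serialised into the manifest rather than kept only in the investigator's notes.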

Playback Features to Look For

| Feature | Importance | Description |
|---|---|---|
| Time-indexed playback | Critical | Jump to specific timestamps in long recordings |
| Speed control | Critical | 2x, 4x, 8x for efficient review of long sessions |
| Activity detection | High | Skip inactivity periods automatically |
| Text search | High | Search for specific commands, file names, IP addresses |
| Thumbnail timeline | Medium | Visual timeline showing activity heatmap |
| Session comparison | Medium | Side-by-side playback of related sessions |

Session Management Compliance Requirements

| Standard | Session Recording | Session Monitoring | Session Duration Limits |
|---|---|---|---|
| PCI DSS v4.0 | Required for all non-console admin access (Req. 10.3) | Required (Req. 10.2) | Reasonable time limits |
| SOX | Recommended for financial system access | Required for access logging | Not specified |
| HIPAA | Required for ePHI access (45 CFR §164.312(b)) | Required | Time-limited access encouraged |
| NIST SP 800-53 | AC-6(9) — Audit of privileged functions | AU-3 — Content of audit records | AC-2(3) — Time-limited access |
| GDPR | Article 5(2) — Accountability requires evidence | Article 30 — Records of processing activities | Data minimisation principle |

Key Takeaways

  • Session management provides the monitoring and control component of PAM — recording what privileged users do during their sessions through video, keystroke logging, or metadata capture
  • Proxy-based architecture is the most secure model — users never have direct network connectivity to target systems, and all traffic passes through the PAM proxy for recording and monitoring
  • Real-time session monitoring triggers alerts on suspicious commands, data access patterns, geographic anomalies, and policy violations — with automatic session termination for critical violations
  • Command filtering can use allowlisting (secure by default) or blocklisting (flexible) — start with blocklisting and migrate toward allowlisting for critical systems
  • Session recordings provide forensic evidence for post-incident investigation with key features including time-indexed playback, speed control, text search, and activity detection
  • Compliance frameworks (PCI DSS, SOX, HIPAA, NIST, GDPR) mandate session recording, monitoring, and duration limits for privileged access