EV Reach Console - Configuration - Auditing Operator Actions

Last modified on 2023/07/12 14:02

EV Reach Remote Access Software provides an audit trail of operator actions as part of its security features. By default, all actions performed by an EV Reach operator are audited. This cannot be turned off. Audits are registered in the event viewer of the endpoint when an action is executed against it. For additional security of the audits, they can be centralized using the EV Reach Server.

Overview

What is being audited?

Every action executed on a remote system within the EV Reach Operator Console is audited. This includes background system queries and executions as well as remote desktop access.

However, actions executed within a remote desktop access session using the mouse and keyboard, and command-line executions within an EV Reach Remote Command Prompt, are not audited.

EV Reach Audits in the Event Viewer

To view the actions executed on a system through EV Reach:

  • Open the Windows Event Viewer
  • Select Windows Logs > Application
  • Search for events with the Source: EV Reach Services (event ID: 6549)


The EV Reach Audit includes the following information:

Operator Identity
Identity information of the operator that executed the action. This includes operator ID and machine information from where the action originated.

Note: Operator identity is masked in audits resulting from On-Demand remote assistance sessions. This is to protect your organization's confidential information. In such audits, a section named Secure Data contains the operator identity in an encrypted format. This encrypted data blob must be sent to our support specialists to be decrypted.

Action Type
  • Query - The operator queried system information
  • Execution - The operator performed a task on the system
Action Impact
Defines the impact severity of the action performed on the local system:
  • None - Actions that do not result in any change to the local system and do not represent a security risk (e.g., Query Video Configuration.)
  • Low - Actions that have a minimal impact on the local system or pose little security risk (e.g., Modify Default Printer.)
  • Medium - Actions that may have a medium impact on the local system or may represent a medium security risk (e.g., Map a Drive).
  • High - Actions that may have a high impact on the local system or may represent a high security risk (e.g., Change Network Configuration).
Action Information
Full description of the action performed by the operator including parameters and results.

Note: When an agent is operating outside the corporate network and registered to an EV Reach Gateway Server, the audit data is encrypted for security purposes. For more information, contact EV Reach Support.

Remotely Querying Remote Control Session Activity

EV Reach remote desktop access sessions generate additional audit traces in a separate log. These audits can be queried remotely through EV Reach.

On-Demand Session Auditing

During an On-Demand remote assistance session over the internet, the assisted user will have the option to display all actions performed on his/her system during the session.

To do so, the user must select Review support actions upon exit before clicking the End Support Session button.


Upon ending the support session, the user is presented with a summary of the actions performed on their system.

These audit traces are also located in the Application log of the Windows Event Viewer.

Centralized Auditing

Event viewer audits can be removed by any local administrator. To secure your audits, you can centralize them using the EV Reach Server - Auditing Services. Once configured, every audit generated by EV Reach is automatically registered to the EV Reach Server. These audits cannot be removed.
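
The Event Viewer lookup described under "EV Reach Audits in the Event Viewer" can be scripted to review several endpoints and to notice when a local log has been cleared. This is an added example, not EasyVista code: the log name, source and event ID are the ones given on this page, the "Action Impact" message layout matched by the regex is an assumption, and the System-log event ID 104 check relies on standard Windows logging rather than on an EV Reach feature.

```powershell
# Added example, not EasyVista code. Emits one object per finding.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # endpoints to review
    [int]$Days = 7                                    # look-back window
)

$since = (Get-Date).AddDays(-$Days)
# ASSUMPTION: the audit message contains text such as "Action Impact: High".
$impactPattern = 'Action Impact\W+(?<impact>None|Low|Medium|High)\b'

foreach ($computer in $ComputerName) {
    # From the page: Application log, Source "EV Reach Services", event ID 6549.
    $auditFilter = @{
        LogName = 'Application'; ProviderName = 'EV Reach Services'
        Id = 6549; StartTime = $since
    }
    # SilentlyContinue hides "no events found"; it also hides unreachable hosts.
    Get-WinEvent -ComputerName $computer -FilterHashtable $auditFilter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Encrypted or differently formatted audits are reported as 'Unparsed'.
            $impact = if ($_.Message -match $impactPattern) { $Matches['impact'] } else { 'Unparsed' }
            [pscustomobject]@{
                Computer = $computer; TimeCreated = $_.TimeCreated
                Impact = $impact; Message = $_.Message
            }
        } |
        Where-Object { $_.Impact -in 'Medium', 'High', 'Unparsed' }

    # Windows records a cleared event log as event ID 104 in the System log.
    $clearFilter = @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'
        Id = 104; StartTime = $since
    }
    Get-WinEvent -ComputerName $computer -FilterHashtable $clearFilter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $computer; TimeCreated = $_.TimeCreated
                Impact = 'LogCleared'; Message = $_.Message
            }
        }
}
```

Pipe the output to Format-List or Export-Csv for review; a LogCleared row on an endpoint means its local audits for the period may be incomplete.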
