Question

Session should be enabled by default in BT passwordsafe

  • January 14, 2025
  • 5 replies
  • 109 views


How to ensure that even Admin sessions are recorded? There should not be an option to avoid recording.

5 replies

  • BeyondTrust Employee
  • January 14, 2025

Hello @naidu_jsts

If you go to Configuration | Global Settings, you can hide the Record checkbox for ISA and Admin sessions. Once hidden, users will not be able to toggle off recording if it's enabled in the Access Policy.

Regards,

John


GloriaB
  • BeyondTrust Employee
  • January 22, 2025

There is now a KB article with this information:

How to hide the Record Session option - How to record all sessions

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021957


  • Author
  • Trailblazer
  • May 19, 2025

I'm referring to those which are accessed from Password Safe and not through an admin session.


Paulo144
  • Veteran
  • May 19, 2025

@naidu_jsts I understand your point, but that is an option only available to administrators. Unless you have more than one user as an extra admin on the console, that is not an issue, because even if the session is not recorded, it's still audited on the Password Safe session report.


MikeK
  • Veteran
  • May 20, 2025

How to ensure that even Admin sessions are recorded? There should not be an option to avoid recording.

One thing that could be done to prevent this is having policies and procedures in place where Password Safe administrators do not do these types of actions to start with. If you have admin access on your normal day-to-day account, have this broken off into a completely separate account.

The way that I’ve always advised setting the system up…

The normal day-to-day account logs in and checks out the password for a managed account. That managed account then logs into Password Safe and has administrative rights to the system. This ensures a couple of things… If your normal day-to-day account gets breached, it's not providing those elevated rights into the system. If your administrative account password gets breached, it's on a systemic rotation based on checkout time like any other managed account, limiting the amount of time it's viable.

This method does not affect your licensing, as BT recognizes the need for these safeguards and considers a User license based on Heartbeat, not based on the account that has access to the system. At least, this is what has been told to me by our Account rep and Customer Success Manager.

You can still use the report that was mentioned above to audit the account usage, and then if you catch Admins accessing systems and avoiding session recording, you can handle them internally using the policies and procedures that were put in place.