Training Delinea Secret Server
Technical Configuration Module

Session Recording Configuration

This module covers the full session recording pipeline for the Delinea Secret Server and Delinea Platform. You will learn to configure recording storage, enable keystroke logging, set up live monitoring, manage idle-session termination, and review recordings through the audit viewer for compliance and forensic investigation.

8 Sections
~45 Minutes
6 Config Labs
8 Quiz Questions

What You'll Learn

Session recording is a critical component of privileged access security. This module walks through every configuration touchpoint — from the distributed proxy architecture to the final audit playback.

Pipeline Architecture: Understand how session data flows from endpoint through proxies into storage.
Storage Configuration: Configure local server storage or cloud-based storage on the Delinea Platform.
Keystroke Logging: Enable and tune keystroke capture for RDP and SSH protocol sessions.
Live Monitoring: Set up real-time supervisory viewing and in-session intervention controls.
Idle Termination: Configure policies that terminate sessions after inactivity thresholds.
Audit Viewer: Search, filter, replay and export session recordings for incident response.

Prerequisites: Familiarity with Secret Server Administration, basic understanding of RDP/SSH protocols, and Admin or Role-based access to the Secret Server configuration panel.
SECTION 01

Session Recording Pipeline Architecture

Before configuring session recording, it's essential to understand how session data flows through the Delinea infrastructure. The recording pipeline consists of several coordinated components that capture, process, and store session content.

Pipeline Components

The session recording pipeline intercepts privileged sessions at the protocol proxy layer, encodes the session stream, and delivers it to persistent storage — all without modifying the end-user experience.

Session Data Flow: Admin Workstation → Protocol Proxy (SS) → Session Engine → Encoder / Compressor → Recording Storage → Audit Viewer

Key Components Explained

Protocol Proxy
Secret Server acts as a man-in-the-middle proxy for RDP, SSH, and other protocols. Sessions are routed through this proxy, which captures raw protocol data before forwarding packets to the target host.
Session Recording Engine
The engine processes captured protocol data, separating video stream, keystrokes, and metadata. It operates as a background service on the Secret Server node or a dedicated Session Recording server.
Encoding & Compression
RDP sessions are encoded as compressed video (proprietary format). SSH sessions store text-based stream data with millisecond timing. Compression reduces storage overhead by 40–70% vs raw streams.
Storage Destination
Recordings land in either a local file share (on-prem) or cloud blob storage (Delinea Platform). Encryption at rest is applied automatically using AES-256 before data is written to disk.

Supported Protocols

Protocol | Recording Mode | Keystroke Support | Live View
RDP | Video + Metadata | Yes | Yes
SSH | Text Stream + Timing | Yes | Yes
HTTPS (Web) | HTTP Request Log | Partial | Limited
Telnet | Text Stream | Yes | Yes
VNC | Video | No | Yes

Proxy vs. Direct Launch: Session recording only functions when sessions are routed through the Secret Server protocol proxy. Direct-launch connections (bypassing Secret Server) cannot be recorded. Ensure launcher policies enforce proxy routing.

SECTION 02

Configuring Recording Storage

Secret Server supports two primary storage destinations for session recordings: local on-premise file storage, and cloud-based storage through the Delinea Platform. Each option has distinct configuration paths, capacity considerations, and lifecycle management capabilities.

Storage Architecture Options

Local Server Storage: Recordings are written to a UNC path or local directory on the Secret Server or a dedicated storage node. Best for air-gapped environments or strict data sovereignty requirements.
Delinea Cloud Storage: Recordings are transmitted to Delinea's managed cloud storage. Eliminates capacity planning overhead and enables cross-site access. Requires Delinea Platform subscription.

Configuring Local Storage

01
Navigate to Admin → Configuration → Session Recording
From the Secret Server dashboard, go to Admin > Configuration. Click the Session Recording tab. You'll see the master enable toggle and storage configuration fields.
02
Enable Session Recording
Toggle Enable Session Recording to ON. A confirmation dialog will appear noting that this action applies to all secrets governed by recording policies. Confirm to proceed.
03
Set Storage Location to Local
In the Recording Storage Location dropdown, select Local. Provide a UNC path (e.g., \\fileserver\recordings) or a local directory path. The Secret Server service account must have read/write access to this path.
04
Set Disk Space Thresholds
Configure the Maximum Storage Size to prevent disk exhaustion. Set a Warning Threshold (e.g., 80%) and a Critical Threshold (e.g., 95%) to trigger alerts. Recordings will pause at the critical threshold.
05
Configure Retention Policy
Set the Recording Retention Period in days. Expired recordings are automatically purged. For compliance workloads (SOX, PCI-DSS), align this value with your audit retention mandates (typically 90–365 days).

Interactive Config Panel — Local Storage

Admin › Configuration › Session Recording
Enable Session Recording
Master toggle — affects all recording policies
Storage Destination
Where recordings are persisted
Storage Path (UNC)
e.g. \\fileserver\ss-recordings
Max Storage Size (GB)
Recordings pause when limit reached
Retention Period (Days)
Recordings older than this are auto-purged
Encrypt Recordings at Rest
AES-256 encryption applied before write

Cloud Storage Configuration

When selecting Delinea Cloud as the storage destination, Secret Server connects to the Delinea Platform's blob storage endpoint. The configuration differs in that you provide a Platform Tenant URL and API credentials rather than a file path.

Platform Cloud Storage — Key Settings

  Storage Destination: Delinea Cloud
  Platform Tenant URL: https://your-tenant.delinea.app
  Client ID: <Service Account Client ID>
  Client Secret: <Service Account Secret>
  Storage Bucket: session-recordings-prod
  Retention (Days): 365
  # Encryption is managed by Delinea Platform — always on

Best Practice — Storage Sizing: Estimate ~150 MB per hour for RDP sessions and ~5 MB per hour for SSH sessions (after compression). A team of 20 admins recording 2 hours/day requires approximately 60 GB/month for RDP.

SECTION 03

Enabling Keystroke Logging

Keystroke logging captures every key pressed during a session and stores it as indexed, searchable metadata alongside the session recording. This dramatically enhances audit capability — reviewers can search for specific commands without scrubbing through video.

How Keystroke Capture Works

For SSH sessions, keystrokes are captured from the protocol stream directly — no agent is required on the target. For RDP sessions, Secret Server intercepts keyboard input at the proxy layer before forwarding to the remote desktop host. Captured keystrokes are timestamped and stored separately from the video stream.

Legal & HR Notification Requirements: Keystroke logging must be disclosed to users in most jurisdictions. Ensure your acceptable use policy explicitly covers keystroke monitoring before enabling this feature. Consult your legal team for jurisdiction-specific requirements.

Enabling Keystroke Logging — Configuration

Admin › Configuration › Session Recording › Keystroke Settings
Enable Keystroke Logging
Applies to all protocols with supported capture
Log RDP Keystrokes
Capture keyboard input in remote desktop sessions
Log SSH Keystrokes
Capture commands entered in SSH sessions
Mask Credential Entry
Suppress keystrokes captured in password fields
Keystroke Indexing
Makes keystrokes searchable in the audit viewer
Activity Baseline Alerting
Alert on unusual keystroke volume or patterns

Keystroke Masking

The Mask Credential Entry toggle automatically detects when a user is typing in a password field (identified by the RDP input context or SSH echo-suppression state) and replaces those keystrokes with asterisks in the log. This prevents the logging engine from capturing plaintext passwords while maintaining audit coverage for commands.
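
A simplified model of echo-based masking for an SSH keystroke log, added here as an illustration and not Delinea's implementation: it treats a keystroke as password input when the server does not echo it back. The event tuple format, the sample exchange and the function names are constructed for this example.

```python
def build_sample():
    """Constructed SSH exchange: 'sudo id', a password typed with echo off, 'exit'."""
    events, clock = [], [0]

    def server(data):
        clock[0] += 5
        events.append((clock[0], "s", data))      # "s" = output from server

    def client(text, echo):
        for ch in text:
            clock[0] += 120
            events.append((clock[0], "c", ch))    # "c" = keystroke from client
            if ch == "\r":
                server("\r\n")
            elif echo:
                server(ch)

    server("$ ")
    client("sudo id\r", echo=True)
    server("[sudo] password for admin: ")
    client("Tr0ub4dor\r", echo=False)             # constructed sample password
    server("uid=0(root)\r\n$ ")
    client("exit\r", echo=True)
    return events


MASK = "****"  # fixed-width token, so the log does not reveal password length


def mask_keystrokes(events):
    """Return (start_ms, text) per entered line; unechoed input becomes MASK."""
    lines, current, start = [], [], None
    for i, (ts, direction, data) in enumerate(events):
        if direction != "c":
            continue
        if start is None:
            start = ts
        if data == "\r":
            lines.append((start, "".join(current)))
            current, start = [], None
            continue
        # Echo check: the very next event must be server output starting with
        # this character. A delayed echo therefore over-masks rather than leaks.
        nxt = events[i + 1] if i + 1 < len(events) else None
        echoed = nxt is not None and nxt[1] == "s" and nxt[2].startswith(data)
        if echoed:
            current.append(data)
        elif not current or current[-1] != MASK:
            current.append(MASK)
    return lines


def logged_text(events):
    """Text of each logged line, without timestamps."""
    return [text for _, text in mask_keystrokes(events)]


if __name__ == "__main__":
    for start_ms, text in mask_keystrokes(build_sample()):
        print(f"{start_ms:>6} ms  {text}")
```
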

Setting | Effect | Recommendation
Keystroke Logging ON | All keystrokes captured and timestamped | Enable
Mask Credential Entry | Password field input replaced with **** | Enable
Keystroke Indexing | Keystrokes become full-text searchable | Enable
Activity Baseline Alerting | ML-based anomaly detection on keystroke velocity | Optional
Export Keystroke Log | Allow CSV export of keystroke data | Restricted Role Only

Search Example: With keystroke indexing enabled, auditors can search the audit viewer for terms like rm -rf, net user, or reg delete to instantly surface all sessions containing those commands — across thousands of recordings.

SECTION 04

Live Session Monitoring

Live session monitoring allows authorized supervisors to view active privileged sessions in real time. This enables supervisory review of high-risk access, immediate intervention when suspicious activity is detected, and real-time compliance oversight without disrupting the active session.

Configuring Live Monitoring Access

Live session viewing is controlled through role-based access. Only users assigned the Administer Session Monitoring role permission can view live sessions. This is separate from the role required to view recorded sessions.

01
Create or Modify the Supervisor Role
Navigate to Admin › Roles › <Target Role>. Under the Session Monitoring permission group, enable Administer Session Monitoring. This grants the ability to view the live session list and open live viewers.
02
Enable Live View in Session Recording Settings
In Admin › Configuration › Session Recording, confirm that Enable Live Session Viewing is toggled ON. If this toggle is disabled, no live monitoring is available regardless of role permissions.
03
Configure User Notification on Live View
Toggle Notify User When Viewed Live to determine whether the active user sees a banner notification when a supervisor opens their session. Enabling this is recommended for transparency and may be legally required.
04
Enable Session Termination by Supervisor
Toggle Allow Supervisor to Terminate Session ON. This allows the monitoring user to immediately end an active session from the live viewer if malicious or unauthorized activity is observed.

Live Monitoring Configuration Panel

Admin › Configuration › Session Recording › Live Monitoring
Enable Live Session Viewing
Allows supervisors to view active sessions
Notify User When Viewed Live
Shows banner to user when supervisor connects
Allow Supervisor to Terminate Session
Grants kill-switch during live review
Log Supervisor View Events
Audit trail for every live view connection
Live View Refresh Rate
Screen update frequency for the supervisor viewer
Maximum Concurrent Live Viewers
Limit simultaneous supervisors per session

Accessing the Live Session Viewer

Supervisors with the correct role access the live session list by navigating to Admin › Active Sessions. This dashboard shows all currently active sessions with user, target, protocol, duration, and recording status columns. Clicking a session row opens the live viewer in a new browser pane.

Session Termination Is Immediate: Clicking Terminate Session in the live viewer disconnects the privileged user without warning. This may interrupt critical operations. Use termination only when a genuine security incident is confirmed, and ensure change management processes have covered break-glass scenarios.

SECTION 05

Idle-Session Termination

Idle-session termination automatically disconnects privileged sessions that have been inactive for a defined period. This prevents open privileged sessions from becoming attack vectors if an administrator steps away from their workstation without locking it.

Why Idle Termination Matters

Open Session Risk: An unattended RDP session to a domain controller provides direct, persistent access. Physical or network access to the admin workstation can lead to full domain compromise.
Zero-Standing Privilege: Automatic termination enforces the principle of least privilege over time. Privileged access exists only as long as it is actively used.
Compliance Alignment: PCI-DSS Requirement 8.6.3 mandates session inactivity timeouts. NIST 800-53 AC-11 requires session lock after a period of inactivity.

Idle Termination Configuration

Admin › Configuration › Session Recording › Idle Settings
Enable Idle Session Termination
Automatically disconnect inactive sessions
Idle Timeout (Minutes)
Session disconnected after this many idle minutes
Warning Before Termination (Seconds)
Advance notice shown to user before disconnect
Activity Detection Mode
What counts as 'active' for the inactivity timer
Apply to All Secret Types
Override per-secret timeout settings globally
Log Idle Termination Events
Write event to audit log on each auto-disconnect

Per-Secret Timeout Override

The global idle timeout can be overridden at the individual secret level for high-sensitivity targets. For example, you may configure a global 15-minute timeout but allow production database secrets to use a 5-minute timeout for tighter control.

01
Open the Secret and navigate to Settings tab
Find the target secret in the Secret Server vault. Click the secret to open it and navigate to the Settings tab (not the Security tab).
02
Locate Session Timeout Settings
Scroll to the Session Settings subsection. Toggle Override Global Idle Timeout to enabled.
03
Set the custom timeout value
Enter the desired idle timeout in minutes for this specific secret. This value takes precedence over the global setting for sessions launched from this secret only.

Secret Type Example | Recommended Timeout | Rationale
Domain Admin | 10 min | Highest-risk credential, strict timeout enforced
Production DB Server | 5 min | Data sensitivity demands minimal idle window
Dev/Test Server | 30 min | Lower risk; longer timeout reduces friction
Network Device (SSH) | 15 min | Standard timeout for infrastructure access
Cloud Console Access | 10 min | Cloud blast radius risk justifies tighter control

SECTION 06

Audit Viewer & Session Review

The Secret Server Audit Viewer is the primary interface for searching, filtering, replaying, and exporting recorded sessions. It serves compliance auditors, incident responders, and security operations teams investigating privileged access events.

Accessing the Audit Viewer

Navigate to Admin › Session Recording › Recorded Sessions. The audit viewer is also accessible from any secret's Audit tab, where it pre-filters to sessions launched from that specific secret. Viewing recorded sessions requires the View Session Recording role permission.

Search & Filter Capabilities

Full-Text Keystroke Search: Search across all session keystroke logs for specific commands, strings, or patterns. Returns sessions containing matches with timestamp markers for instant navigation.
Date & Time Range: Filter sessions by start date, end date, duration, and time of day. Essential for incident investigation where the breach window is approximately known.
User & Target Filters: Filter by Secret Server user, target machine hostname/IP, secret name, folder, and protocol type. Supports wildcard patterns for bulk filtering.
Status & Metadata: Filter by recording status (complete, in-progress, error), session duration, idle termination flag, and supervisor-viewed flag.

Replaying a Recorded Session

01
Locate the Session in the Audit Viewer
Use the search filters to narrow down the session list. Apply user, date, and keyword filters as appropriate. Results display session ID, user, target, duration, protocol, and recording status.
02
Click the Session to Open the Detail Pane
The detail pane shows session metadata: authentication method, secret used, client IP, server IP, start/end time, and keystroke event count. A Play Recording button launches the viewer.
03
Use the Playback Controls
The viewer provides standard playback controls: play/pause, speed (0.5×, 1×, 2×, 4×, 8×), and a timeline scrubber. Keystroke event markers appear on the timeline as colored tick marks — click any tick to jump directly to that moment.
04
Navigate with Keystroke Search
In the playback pane, use the Search Keystrokes field to search within the current session. Each match highlights on the timeline and creates a jump point list in the sidebar. Ideal for quickly locating specific commands in long sessions.
05
Export for Compliance or Legal Hold
Click Export Session to download the recording in its native format or as a video file (MP4 for RDP). Export actions are logged in the Secret Server audit trail. For legal hold, use the Legal Hold flag to prevent the session from being auto-purged by the retention policy.

Audit Viewer Filter Reference

Filter Field | Values / Format | Use Case
User | Username or wildcard | Investigate specific admin's sessions
Target Machine | Hostname or IP | All sessions to a compromised server
Secret Name | Exact match or contains | Sessions launched from a specific credential
Date Range | Start/End datetime | Scope investigation to incident window
Protocol | RDP / SSH / Telnet / Web | Filter by access type
Keystroke Contains | Free text / regex | Find sessions with specific commands
Duration (min) | Greater than / less than | Find unusually long sessions
Idle Terminated | Yes / No | Identify sessions that auto-disconnected
Supervisor Viewed | Yes / No | Track sessions reviewed by management
Legal Hold | Yes / No / Set | Manage compliance retention exceptions

Incident Response Workflow: When a security alert fires for a privileged account: (1) Filter sessions by the suspect user and incident date window. (2) Sort by duration descending to find the most significant sessions. (3) Use keystroke search for known attack indicators (e.g., whoami /all, net localgroup, mimikatz). (4) Export flagged sessions and set Legal Hold before your retention policy purges them.

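
The four workflow steps applied to session metadata outside the audit viewer, as an added example that is not part of the original module or Delinea's tooling. The record fields and sample sessions are constructed for illustration and are not a documented Secret Server export schema; the indicator terms are the ones named in the workflow.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical field names).
SESSIONS = [
    {"id": 101, "user": "jdoe", "target": "dc01", "protocol": "RDP",
     "start": "2024-05-02T09:00:00", "minutes": 95, "legal_hold": False,
     "keystrokes": ["whoami /all", "net localgroup administrators"]},
    {"id": 102, "user": "jdoe", "target": "db07", "protocol": "SSH",
     "start": "2024-05-02T14:10:00", "minutes": 12, "legal_hold": False,
     "keystrokes": ["systemctl status postgresql"]},
    {"id": 103, "user": "asmith", "target": "dc01", "protocol": "RDP",
     "start": "2024-05-02T10:00:00", "minutes": 40, "legal_hold": False,
     "keystrokes": ["net localgroup"]},
    {"id": 104, "user": "jdoe", "target": "web03", "protocol": "SSH",
     "start": "2024-02-20T08:00:00", "minutes": 300, "legal_hold": False,
     "keystrokes": ["mimikatz"]},
    {"id": 105, "user": "jdoe", "target": "fs02", "protocol": "RDP",
     "start": "2024-05-03T07:30:00", "minutes": 20, "legal_hold": True,
     "keystrokes": ['NET  LocalGroup "Remote Desktop Users"']},
]

INDICATORS = ["whoami /all", "net localgroup", "mimikatz"]


def _norm(text):
    # Case-fold and collapse whitespace so "NET  LocalGroup" still matches.
    return " ".join(text.lower().split())


def triage(sessions, user, window_start, window_end, retention_days, now):
    """Filter by user and window, sort by duration, match indicators, rank for hold."""
    in_scope = [s for s in sessions
                if s["user"] == user
                and window_start <= datetime.fromisoformat(s["start"]) < window_end]
    in_scope.sort(key=lambda s: s["minutes"], reverse=True)
    report = []
    for s in in_scope:
        hits = sorted({i for i in INDICATORS
                       for k in s["keystrokes"] if i in _norm(k)})
        if not hits:
            continue
        purge_at = datetime.fromisoformat(s["start"]) + timedelta(days=retention_days)
        report.append({
            "id": s["id"], "target": s["target"], "minutes": s["minutes"],
            "hits": hits,
            "needs_hold": not s["legal_hold"],       # step 4: still purgeable
            "days_until_purge": (purge_at - now).days,
        })
    return report


def demo():
    """Suspect user jdoe, window 1-3 May 2024, 90-day retention, reviewed 1 July."""
    return triage(SESSIONS, "jdoe", datetime(2024, 5, 1), datetime(2024, 5, 4),
                  retention_days=90, now=datetime(2024, 7, 1))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Sessions with `needs_hold` set and a small `days_until_purge` are the ones to export and place on Legal Hold first.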
SECTION 07

Knowledge Check

Test your understanding of session recording configuration in Secret Server. Select the best answer for each question. Review any missed questions before proceeding to the module summary.

Question 1 of 4
Which component of the session recording pipeline intercepts and captures privileged session data before forwarding it to the target system?
A The Recording Storage Engine
B The Protocol Proxy within Secret Server
C An agent installed on the target host
D The Delinea Platform cloud gateway
Question 2 of 4
What is the primary benefit of enabling keystroke indexing alongside keystroke logging?
A It encrypts keystrokes before storing them
B It reduces storage space used by session recordings
C It makes keystroke content searchable in the audit viewer
D It enables real-time alerting on specific keystrokes
Question 3 of 4
A supervisor notices suspicious activity during a live session review. What action can the supervisor take directly from the live session viewer?
A Reset the privileged user's password immediately
B Send a chat message to the active user
C Terminate the active session
D Lock the target machine remotely
Question 4 of 4
During an incident investigation, how do you prevent a specific session recording from being automatically purged by the retention policy?
A Export the recording to a local drive immediately
B Extend the global retention period in Configuration
C Apply the Legal Hold flag to the session in the audit viewer
D Move the recording file to a different storage path
SECTION 08

Module Summary & Deployment Checklist

Congratulations — you've completed the Session Recording Configuration module. Use the checklist below to verify your deployment is fully configured before signing off.

Deployment Readiness Checklist

Session Recording is enabled globally in Admin › Configuration › Session Recording
Storage destination is configured — UNC path (local) or Delinea Platform credentials (cloud) verified with test write
Storage capacity thresholds are set (warning at 80%, critical at 95%) and admin alerts are configured
Retention period is defined and aligned with compliance requirements (SOX, PCI-DSS, HIPAA, etc.)
Keystroke logging is enabled for RDP and SSH, with credential masking turned on
Keystroke indexing is enabled to allow audit viewer full-text search
Keystroke monitoring disclosed in acceptable use policy and employee communications
Live session monitoring role assigned to appropriate supervisory users only
Live view user notification enabled for transparency compliance
Idle session termination configured with appropriate timeout per secret sensitivity tier
Idle termination events are logged to the Secret Server audit trail
Audit viewer access roles configured — View Session Recording permission assigned to auditors
Test session recorded and played back successfully in the audit viewer
Incident response playbook updated to include Legal Hold flag and audit viewer search procedures

Quick Reference Summary

Feature | Navigation Path | Key Toggle / Setting
Enable Recording | Admin › Configuration › Session Recording | Enable Session Recording
Local Storage | Admin › Configuration › Session Recording | Storage Location = Local + UNC Path
Cloud Storage | Admin › Configuration › Session Recording | Storage Location = Delinea Cloud + API creds
Keystroke Logging | Admin › Configuration › Session Recording › Keystrokes | Enable Keystroke Logging + Indexing
Live Monitoring | Admin › Configuration › Session Recording › Live Monitoring | Enable Live Session Viewing
Idle Termination | Admin › Configuration › Session Recording › Idle Settings | Enable Idle Session Termination + Timeout (min)
Audit Viewer | Admin › Session Recording › Recorded Sessions | Search + Playback + Legal Hold + Export

Module Complete: You have successfully covered all aspects of session recording configuration for Secret Server and the Delinea Platform. Apply these configurations in your environment using the deployment checklist above. For advanced topics, proceed to the Privileged Behavior Analytics and SIEM Integration modules.