Version 7.3
October 27, 2011
Table of Contents
Getting Started
Spector 360 Administrators Guide
The Spector 360 Components
What's New in This Version
Deploying Manually on Windows
Creating a Manual Setup File
Canceling a Recorder Install/Uninstall
Managing Computers from Active Directory
Adding Computers from Network Discovery
Importing a List of Computers
Finalizing the List of Computers
Uninstalling the Recorder
Management Options
Removing Computers
Restarting a Computer
Stop or Start Recording
Reserving a Client License
Assigning a Recorder Version to Computers
Assigning a Profile to Computers
Service Polling Delay
Installing a Local Viewer
Exporting the Computer List
Export Selected Computers
Changing the Column Layout
Manage Computer Groups
Managing Computers in Groups
Add or Modify a Computer Group
Setting the Default Group
Moving Computers into Groups
Removing a Group
Removing a Profile
Selecting the Profile's Recorder Version
Initial Profile Settings
How the Recorder Stores Data at a Computer
Screen Snapshots
Screen Snapshot Recording
Screen Snapshot Settings
Snapshot System Settings
Snapshot Triggers and Timing
Chat/IM
Types of Chat Recorded
Chat/IM Settings
Chat/IM System Settings
Email Activity
Email Activity Recording
Webmail Recorded
Email Activity Settings
Add or Edit an Email Filter
Email Filtering Rule
Email System Settings
Document Tracking
Document Tracking
Document Tracking Settings
File Tracking Based on Drive Type
File Tracking for Each Drive
Default Document Tracking
Document Tracking File Filter
Files Transferred
Files Transferred Recording
Files Transferred Settings
Files Transferred System Settings
Keystrokes Typed
Keystroke Recording
Keystrokes Typed Settings
Keystroke System Settings
Keystrokes vs. Characters
Network Activity
Network Activity Recording
Network Activity Settings
Network System Settings
Online Searches
Online Search Recording
Program Activity
Program Activity Recording
Program Activity Settings
Program System Settings
User Activity
User Activity Recording
User Activity Settings
Web Sites Visited
Web Site Recording
Web Sites Visited Settings
Web Site System Settings
Who/When to Record
When to Record
Who to Record
Keyword Alerts (Local)
Keyword Alert Recording
Defining a Keyword Watch List
Setting up Alert Notification
Formatting the Email
Advanced Alert Notification Settings
Importing Keywords
Exporting Keywords
Receiving Alerts in an MS Exchange Public Folder
Blocking (Local)
Internet Blocking
Block Web Sites
Import or Export Domains to Block
Block Chat/IM Settings
Block Internet Access
When to Block Internet Access
Who to Block
General Options
Recorder Security Settings
Advanced Recorder Security Settings
Recorder Data Files
Application Settings
Advanced Application Options
Server Settings
Client Options
Record URLs
Selective Recording of Program Captions
Importing a List of URLs or Programs
Exporting a List of URLs or Programs
Control Center Server Properties
Control Center Server Administration
Data Vault Server
How the Data Vault Works
Data Vault Properties
Data Vault Base Path
Data Vault Administration Window
Primary Server
How the Primary Server Works
Primary Server Properties
Primary Server Administration Window
Web Filtering Server
How the Web Filter Server Works
Web Filter Server Properties
Web Filter Server Administration Window
Web Filter Server Status
Database Server
Database Server Properties
Changing the Database Computer
Auditing
Viewing the Audit History
Enable/Disable Auditing
Audit Criteria
Viewing Audit History by Date
Viewing Audit History by Computer
Viewing Audit History by Component
Viewing Audit History by Source
Viewing Audit History by Action
Viewing Database Statistics
Viewing Database History
Database Backup, Archive, Restore
Managing Database Backups
Creating a Full Backup
Creating a Differential Backup
Archiving a Database
Restoring a Backup
Browsing for a Restore Folder
Full Restore Steps
Restoring an Archived Database
Deleting a Backup
Database Jobs
Managing Database Jobs
Scheduling Database Jobs
Viewing Job History
Monitoring Job Status
Database Configuration
Managing Database Configuration
Database Space Management
Deleting Event Data
File Storage Location
Database Logins
Managing Database Logins
Login Roles and Types
Defining a Login Account
Browse for Users
Database Authentication Methods
Copying a Login Profile
Changing an SQL Server Password
Deleting a Login Account
Database Support
Database Support
Configuring Database Support
Viewing a Database Script
Using a Test Database
Checking the Progress of Recorded Data
Database Connection and Compatibility
Recovering the SA Password
Centralized Alerts Troubleshooting
Getting Started
Server Components
Server components are Windows services installed at a central location that communicate with the Recorders. Manage the Servers from the Control Center application.

Primary Server - Communicates with Recorders to provide licensing and software updates.
Control Center Server - Communicates with network computers to handle configuration and installation of the Recorder from the Control Center.
Data Vault Server - Receives data from Recorders across the network to process and insert into the Spector 360 Database. The Data Vault sends Email Attachment and Screen Snapshot files to the File Storage folder.
Web Filter Server - OPTIONAL. Recorded computers query the Web Filter Server before accessing the Internet, and the Server applies Web Filtering rules from the Database.
Database Server - The Spector 360 SQL Server instance allows the Dashboard and Control Center to access and query the database.

Dashboard Application
The Spector 360 Dashboard application allows managers to view and report on computer activity. A Dashboard can query the Spector 360 Database by date, time, user, computer, and other event criteria. Multiple Dashboards can be installed. See the Spector 360 Dashboard Guide for instructions on using the Dashboard.

Troubleshooting
Take steps to solve configuration and recording problems.

Contact Information
Contact SpectorSoft Sales or Technical Support.

General enhancements
Setup - Easier Setup of Spector 360 server components. For larger networks, the ability to deploy multiple Web Filtering and Data Vault Servers at one installation.
Filter Across Platforms - Apply centralized Web Filtering to all computers (Windows and Mac) on the network.
Alert Across Platforms - Set up centralized, server-based Event Alerts for all computers (Windows and Mac) based on conditions specified in Alert Profiles. In addition, the Mac Recorder now generates client-side email alerts based on keyword matches captured at the client computer.
Auditing - Organizations that need to audit their trusted users of the Control Center can turn on Auditing in the Control Center Servers section. Auditing captures all commands issued from a Control Center application, stores them in the Database, and allows filtering for viewing and reporting in an Audit History section of Servers.

Manage Client Uploads - Manage bandwidth issues by scheduling client data delivery to the Data Vault within the Recorder profile.
Watch for Program Name - Receive immediate email notification from the client computer if a specific program or file was opened.
Custom Client-Side Keyword Alert Messages - Receive immediate email notification, with a customized message, from a recorded Windows or Mac computer when a keyword (client-side) is detected in computer activity.

Support for Macintosh "Lion" operating systems.
Email - Email Filtering to limit recording of email at a computer.
Keystrokes - Supports password masking - Do Not Capture Passwords - to protect the security of important passwords.
Document Tracking - Now tracks Printed Documents on all computers, showing each document printed, in addition to tracking files by drive types.
Keyword Alerts - Email notification via any Direct SMTP or Relay SMTP mail server (that does not use TLS) you can access.
Process Server Keyword List - Include all words from Web Filtering Categories in enabled Web Filtering rules as part of the client-side Keyword Alerts.
Server Web Filtering - Turn on centralized Web Filtering for Mac computers.
Data Vault "Push" Schedule - Set a time and duration for the Recorder to attempt uploads to the Data Vault.

Dashboard enhancements
Additional data will be available in all views from recorded Macintosh computers. The ability to query the database by Web Filtering Categories now covers all computers (Windows and Mac).
Logging in
When you open the Control Center application (Start > All Programs > Spector 360 > Spector 360 Control Center), a Login prompt appears. Although some Control Center features require that you log in to the Spector 360 Database, management of Computers, Recorders, and/or Servers does NOT require database login.
Windows - Choose Windows to log in to a Dashboard account that uses the current Windows authentication. If the current Windows login has been set up as a Database login, simply click the Login button. Do not enter a Login Name or Password (see Authentication Methods for more).

Click Cancel to cancel opening the program and close the login window.
2. Next to Database, select the Spector 360 SQL Server instance. Enter the SQL Server instance, computer\SPECTOR360, where computer is the Windows name of the computer where the Database is installed. If necessary, click the down arrow to display and select from a list of SQL Server instances.
3. Next to Login, enter your SQL Login name. SQL authentication only. SQL Server login is not case sensitive. Use SA to log in as System Administrator. Leave this field blank if you are using Windows authentication.
4. Next to Password, enter your SQL Password. SQL authentication only. If you are logging in as SA, this password was defined during Spector 360 Setup. Leave this blank if you are using Windows authentication.
6.
Click on and drag the pane divider bar just above the Home (or top) tool button. As you drag down, tool buttons are removed from the tools area and appear as icons below.
3. Select a task and/or view information. Select a task to perform in the left pane, or view the information in the right pane. Scroll down the Task Navigation pane to see all task items. You can also use the toolbar, the menus, or right-click in the right pane and select tasks from a pop-up menu.

- OR - Click the >> button below the tools and select Show Fewer

Click the X button in the upper right corner of the pane - OR - Select View > Navigation Pane from the menu bar to show or hide the Navigation Pane. Check the item to "show," and clear the item to "hide" the pane.

Select Check for Spector 360 Updates from the Task Navigation pane - OR - Click Check for Updates on the toolbar - OR - Select Help > Check for Updates from the menu bar.

Contact SpectorSoft Technical Support: Select Contact SpectorSoft from the Task Navigation pane - OR - Click Contact SpectorSoft on the toolbar - OR - Select Help > Contact Technical Support from the menu bar.
For other Control Center functions: Select other buttons in the lower left Navigation pane.
Back - Click the left-arrow button (enabled if you have moved to a new Control Center tool or task category) to step back through your viewing history.
New - Click to create a new item in this task category.
Modify - Click to edit settings for the currently selected item or items.
Delete - Click to delete the selected item or items after confirmation.
Refresh - Click to update the display with your latest changes or the latest data.

Refer to the section of Help for each Control Center view. For example, Manage Filtering Rules provides extensive toolbar options.

File menu:
New - Open the form to add a new item appropriate to the task category.
Add Group - Manage Computers. Open a box where you can specify the name of a new computer group.
Import - Event Alerts. Import Keywords and Groups from a text file.
Export - Event Alerts. Exports a Keyword Group.
Export List - Manage Computers. Export the entire Computers list.
Export Selected - Manage Computers. Export selections from the Computers list.
Check for Updates - Manage Recorder Versions. Check for and download a Recorder software update.
Backup - Manage Database Backup and Restore. Create a Differential Backup. Create a Full Backup. Backups Restore Databases Browse for Restore Folder
Databases. Archive the selected, full STORAGE database.
Restore - Databases. Restore the selected, archived STORAGE database.
Exit (Alt+F4) - Close the Control Center window.

Edit menu:
Modify - Open a form that allows changing the selected item.
Delete (Del) - Delete the selected item(s) after confirmation.
Move to Group - Manage Computers. Move the selected computer(s) to a new computer group.
Manage Computers. Assign a profile to selected computers or groups.
Manage Computers. Assign a Recorder version to selected computers or groups.
Manage Computers. Set the time to apply automatic Recorder Version updates.
Start Recording - Manage Computers. Start recording on selected computers or groups where recording has been stopped.
Stop Recording - Manage Computers. Stop recording selected computers or groups where recording is currently on.
Manage Computers. Install the Recorder on selected computers or groups.
Manage Computers. Remove the Recorder from selected computers or groups.
Manage Computers. Remove the scheduled install task from the selected computers or groups.
Manage Computers (Groups). Makes the selected computer group the "Default" to which new computers will be added.
Set Default Profile - Manage Recording Profiles. Select the Recorder Profile to be used as the default for Recorder installations.
Manage Computer Licenses. Open the serial number registration page.
Web Filtering. Move a rule down in the priority list.
Web Filtering. Move a rule up in the priority list.
Web Filtering. Change the rule to "ALLOW" rather than "BLOCK" the specified domains or vice versa.
Disable / Enable - Web Filtering. Disable or enable the selected filtering rule.

View menu:
Show Recordings - Recordings. View activity for the currently selected User or Computer.
Go Home - Go to the Control Center Home page.
Go Back - Go to the previously visited Control Center tool or task category.
Go Forward - Go to the next Control Center tool or task category in the browse history (after using "Go Back").
Show (checked) or hide (unchecked) the toolbar at the top of the window.
Show (checked) or hide (unchecked) the left Navigation Pane.
Go to another task category for the Computers tool.
Database views - Go to another task category for the Database tool.
Web Filtering views - Go to another task category for the Web Filtering tool.
Event Alerts views - Go to another task category for the Event Alerts tools.
Recorder Log File - Manage Computers. View the Log file for a selected computer where the Recorder is installed.
Bootstrap Log File - Manage Computers. View the Bootstrap Log file, which is only available while the Recorder is being installed.
Groups - Manage Computers. Switch to a view of Groups only and back to all Computers. TIP: Use the spacebar to "open" and "close" a view of computers within the currently selected group.
Manage Computers. Arrange the Computers list columns for the Computers and Group view.
Manage Database Backup and Restore. View backup history for the selected Database.
Manage Database Backup and Restore. View statistics for the selected DATA VAULT or STORAGE Database.
Manage Database Jobs. View a history of the selected job.
Manage Database Jobs. Open a window that shows progress of current Database job.
Manage Database Configuration. Enable and configure automatic Space Management for the Database.
Database Settings - Manage Database Configuration. Modify Database settings, such as data location, archive location, and copy snapshots with backup/restore.
Manage Database Configuration. Define a share for Spector 360 File Storage folder to be used by all Dashboard logins.
Update the view with the latest information.

Tools menu:
Control Center tools - Go to another tool.
Change Database - Select a different Spector 360 database instance or log in as a different user.
Options - Open a dialog box of general settings.

Window menu:
Switch between the main Spector 360 Control Center window and any other open Control Center window. Only the currently selected Control Center view appears if no other windows are open.

Help menu:
Online Manual - Open a web-based version of this guide.
Contact Technical Support - Open the SpectorSoft Technical Support Home page.
Access Knowledge Base - Open the SpectorSoft Knowledge base web site and search or browse for answers to questions that may not be provided in this guide.
Give us your - Open the SpectorSoft Feedback web page on the Internet, where you can tell us what you think about Spector 360.
View the Control Center log file.
If connected to the Internet, check the SpectorSoft downloads site for the latest version of Spector 360 available. You will be prompted to download if your installed version of Spector 360 is not the latest.
About - Displays Spector 360 version information, including the Control Center version and version of each database.

Tools: Options
To change general Control Center settings, select Tools > Options.
Database Settings:
Refresh on the toolbar (F5).
Automatically Refresh every . . . minutes - When Automatic Refresh is ON, this option sets the interval of time at which to refresh. The default is 5 minutes. Use the arrows or type a number to change this setting. Be aware that frequent refreshing on a large network can affect performance.
Show Control Center features for - By default you will see options for Windows OS and Mac OS platforms. If you are monitoring only one or the other platform, you can clear the one you don't need, and that OS choice won't appear for Profile and Recorder assignments.

Global Settings:
Communications Port - Port where the CCS computer listens for and receives information.
Highlight past-due Client Check-Ins - Check this option to highlight computers in the Manage Computers list where the Client Recorder has failed to check in with the CCS at the scheduled time. Clear to turn off highlighting.
Highlight if more than - When highlighting of past-due client check-ins is ON, this option sets the amount of time to wait after the check-in was due before highlighting the computer in the list. The default is 1 hour: if the client fails to check in one hour following the scheduled time (and when the CCS refreshes the list), the computer is highlighted. Use the arrows or type a value from 1 to 720 to change this setting.
Highlight past-due Recorder Installs/Uninstalls - Check this option (default) to highlight computers where a Recorder has not been installed or uninstalled at the scheduled time. Clear this option to turn off highlighting of these past-due tasks.
Highlight if more than . . . minutes - When highlighting of past-due install/uninstall tasks is ON, this option sets the amount of time after the scheduled task before highlighting is enabled in the Computers list. The default is 15 minutes: if the task fails to complete 15 minutes following the scheduled time (and when the CCS refreshes the list), the computer is highlighted. Use the arrows or type a value from 1 to 1440 to change this setting.

Click OK to save your changes in the Spector 360 Control Center Options and close the dialog box.
Manage computers in "groups." Managing Recorder settings and updates is easier when you group computers according to department, purpose, or risk level. You can install, upgrade, or reconfigure the Recorders on all computers in a group at once. Refer to Managing Computers in Groups.

Change Recorder settings from the Control Center. Each Recorder is configured with a "profile" that determines what and who is recorded, and whether or not centralized Web Filtering is enabled. Adjust profile settings from the Control Center. The change affects all computers using the profile.

Install the Recorder. Use the easy Add Computers wizard to acquire a list of computers on your network from Active Directory, from Network Discovery, by importing a list, or by simply typing in computer names. The same wizard allows you to set the configuration and schedule the computers for automatic Spector 360 Recorder installation. At any time, add more computers and Recorder installations to your network.

Add Computers. Add Mac computers to your Control Center list just as you do Windows computers, but make sure you specify the "Mac" platform for these computers. The Recorder software version and profiles will be different, based on OS.

Update the Recorder version. Keep Spector 360 running stealthily and smoothly by downloading up-to-date Recorder versions. Request automatic updates, or assign updated versions to selected computers or groups. Refer to:
Use manual setup to install a Mac Recorder. For this version of Spector 360, use the Control Center to build a Manual Setup file containing the Recorder Version and Profile you want to use, and then run the setup file at Mac computers.
Set up automatic Space Management. As data accumulates in the Spector 360 Database, it's critical to manage disk space and plan for restoring data if a problem occurs. By default, a Full Backup runs every week and a Differential Backup runs every night. Remove extra Backups to preserve disk space and maintain a Backup set on a DIFFERENT computer in case something happens to the Database computer.
Track database performance and database jobs. Performance may become an issue as your installation grows. You can adjust the frequency with which certain events are processed and control scheduling of Database jobs. Fine-tuning the Database can improve performance in Dashboard queries and Web Filtering.

To manage users:
Apply a Dashboard "Profile" to user accounts. Give users the same Dashboard profile (groups, default criteria, and report formats) to facilitate training, troubleshooting, and standardized reports. Refer to Copying a Login Profile.
Online Installation - Run the Setup program directly from the Internet link; use only if you have plenty of network / Internet bandwidth.
Download Compressed Install File - Download a compressed, self-extracting .exe file. Once the Setup file is downloaded, execute it to update your installation.
Download CD Image - Download a CD image file (.iso format) of the Spector 360 installation CD. Burn the CD image to media, and use the CD's Setup file to update Spector 360 components on any computer. This option is useful when you have distributed components and do not want to use Internet bandwidth.
Workgroup. Make sure the Control Center Server (CCS) runs under an Administrator account common to all workstations.
are required to capture Full Desktop. Follow these steps to capture Published Applications.
1. Select General Options > Client Options.
2. Check Enable Alternative Shell Support.
3. Click Edit to open a box where you can specify the alternate shell that is launched when a user requests a Citrix or Terminal Server published application.
NOTE: Clear this option to record applications running under the normal Windows shell.
A Recorder installed on the Citrix or Terminal server is NOT able to record applications installed and running on the local workstation.
The Recorder records each activity under the login name of the user who performed the activity. This means the Recorder will capture email, web sites visited, keystrokes, and all other activities for DOMAIN\SALLY, DOMAIN\PETER and DOMAIN\JIM as they use the terminal services, even when activity occurs simultaneously.
The data recorded and stored is accessible for viewing by user and "by computer." other criteria in the Dashboard. Keep an eye on performance and usage. The more users who connect and are recorded, the more difficult it becomes for the Recorder to take Screen Snapshots for each user every 30 seconds. Use Recorder Profile settings to reduce frequency of (or disable) Screen Snapshots, or consider disabling other activity recording.
The computer connects to the Servers via VPN. When the remote user connects via VPN to the network where Server Components are accessible, the computer is essentially on the same network. No different from local clients, the computer secretly delivers its recorded data and receives instructions while connected via VPN. The CCS has no trouble communicating with and managing the Recorder.
Secure access to Servers and Database at the central location. Ability to install, configure and manage the Recorder from a remote Control Center. Direct contact of the remote Recorder with the Primary Server. Direct delivery of recorded data to the central Data Vault server. Centralized Web Filtering provided by the Web Filter Server (WFS).
The computer connects to the Servers via Internet connection. When a computer connects to a static, external IP address on the network where Servers are accessible, the necessary ports must be forwarded and open to traffic. The Recorder uses its Server Settings to deliver data to the central Data Vault and receives Web Filtering from the WFS over the "raw" Internet connection. However, the CCS will NOT be able to identify or manage the remote Recorder. If that remote computer itself is configured to communicate via a static IP address, you can add the computer's IP address to your Server side DNS or host file to provide name resolution. The Control Center will then be able to fully manage the Recorder.
Opening up an external IP address leaves your network vulnerable to DoS and flood attacks. If you choose this method, it is imperative that you use industry-strength, standard firewall protection!
Recorder to CCS: 16768 (TCP/UDP)
Recorder to Data Vault: 16769 (TCP)
Recorder to Primary Server: 16770 (TCP)
Recorder to Web Filter Server: 16771 (TCP/UDP)
CCS to Recorder: 2468 (TCP)
the one used by local computers. In the Control Center's Recording > Manage Recording Profiles, double-click or copy a profile to modify it. Name the profile in General Options > Security. This profile will ONLY be used for computers connecting via the Internet. In the Servers panel, use the Edit button next to each Server IP field to enter the static external IP address (65.8.119.2 in the above illustration). Make sure the Port entry for each Server is correct, and click OK to save the profile.
Port Forwarding
4. Install the Recorder manually. If the centralized CCS won't be able to resolve the remote computer name, install the Recorder manually. Follow instructions in Creating a Manual Setup File. Be sure to use the profile you created that specifies Servers at the external IP address. Follow instructions to install the Windows or Mac Recorder using the Manual Setup file.
5. Configure port forwarding. Use your NAT or other system configuration interface to forward the ports used by the Recorder (as they are listed in the Server Settings panel) to the appropriate Server port. If possible, forward the Recorder listening port on the client side (at the remote computer).
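A check for the forwarding rules set up in step 5, added here as an example and not part of the guide or of Spector 360: it compares a list of NAT forwards at the server site with the port table above and flags forwards for ports the table does not list as Recorder-to-server ports, listed ports with no forward, forwards that go to the wrong server, and forwards open to any source address. The rule text format, the internal addresses, and the assumption that each server listens on the port the table lists are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Port table as listed in the guide: port -> (service, protocols).
# These four are inbound at the server site. 2468 (CCS to Recorder) is inbound
# at the remote computer, so a forward for it at the server site is flagged.
SERVER_PORTS = {
    16768: ("CCS", {"tcp", "udp"}),
    16769: ("Data Vault", {"tcp"}),
    16770: ("Primary Server", {"tcp"}),
    16771: ("Web Filter Server", {"tcp", "udp"}),
}


@dataclass(frozen=True)
class Forward:
    proto: str      # "tcp" or "udp"
    ext_port: int   # port opened on the external IP address
    dest_ip: str    # internal host that receives the traffic
    dest_port: int
    source: str     # CIDR allowed to use the rule


def parse_rule(line):
    """Parse '<proto> <ext_port> -> <ip>:<port> from <cidr>' (hypothetical format)."""
    proto, ext_port, arrow, dest, from_kw, source = line.split()
    if arrow != "->" or from_kw != "from" or proto not in ("tcp", "udp"):
        raise ValueError(f"unrecognized rule: {line!r}")
    dest_ip, dest_port = dest.rsplit(":", 1)
    ip_network(source)  # raises ValueError on a malformed CIDR
    return Forward(proto, int(ext_port), dest_ip, int(dest_port), source)


def audit(rules, server_hosts):
    """Compare forwards with the port table; return a sorted list of findings.

    server_hosts maps a service name to the internal IP of the computer running it.
    Assumption: each server listens on the port the table lists for it.
    """
    findings = []
    seen = set()
    for r in rules:
        entry = SERVER_PORTS.get(r.ext_port)
        if entry is None or r.proto not in entry[1]:
            findings.append(f"UNEXPECTED {r.proto}/{r.ext_port}: not a Recorder-to-server port")
            continue
        service = entry[0]
        seen.add((r.ext_port, r.proto))
        if r.dest_ip != server_hosts.get(service) or r.dest_port != r.ext_port:
            findings.append(
                f"MISROUTED {r.proto}/{r.ext_port}: goes to {r.dest_ip}:{r.dest_port}, "
                f"expected the {service} computer"
            )
        if ip_network(r.source).prefixlen == 0:
            findings.append(f"OPEN {r.proto}/{r.ext_port}: any source address may reach {service}")
    for port, (service, protos) in SERVER_PORTS.items():
        for proto in protos:
            if (port, proto) not in seen:
                findings.append(f"MISSING {proto}/{port}: no forward for {service}")
    return sorted(findings)


# Constructed sample: forwards configured on the NAT device at the server site.
SAMPLE_RULES = """\
tcp 16768 -> 192.168.1.10:16768 from 203.0.113.25/32
udp 16768 -> 192.168.1.10:16768 from 203.0.113.25/32
tcp 16769 -> 192.168.1.11:16769 from 0.0.0.0/0
tcp 16770 -> 192.168.1.10:16770 from 203.0.113.25/32
tcp 16771 -> 192.168.1.12:16771 from 203.0.113.25/32
tcp 2468 -> 192.168.1.10:2468 from 203.0.113.25/32
tcp 8080 -> 192.168.1.10:8080 from 0.0.0.0/0
"""
# Constructed sample: which internal computer runs which server.
SAMPLE_HOSTS = {
    "CCS": "192.168.1.10",
    "Data Vault": "192.168.1.11",
    "Primary Server": "192.168.1.10",
    "Web Filter Server": "192.168.1.12",
}


def audit_sample():
    rules = [parse_rule(line) for line in SAMPLE_RULES.splitlines() if line.strip()]
    return audit(rules, SAMPLE_HOSTS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Restricting each forward to the remote computer's static address, where it has one, is the tightening the OPEN finding points at.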
General configuration:
At the branch office, install ALL Servers and applications EXCEPT the Database. The Server installation requires a computer with:
- At least 100 GB free hard disk space (depending on data recorded)
- Static IP address
- Always available
- Internet connection
Manage and configure the Recorder installations using a branch office Control Center application. Branch office Recorders communicate with the local CCS, Data Vault Server, Primary Server, and Web Filter Server, and do NOT require a direct connection to the central Database. Spector 360 Recorders require direct connection to the Primary Server, and you can install only one Primary Server under one serial number. Contact SpectorSoft Sales Support to obtain a serial number for the Primary Server at each branch office.
2. Agree to the terms of the License Agreement.
3. Wait for installation files to download. Click Next at the Updates panel.
4. Because you are NOT installing the Database, you must locate the computer where the central SQL Server instance is installed. On the Setup Options panel, select the Database component. Enter the Database computer name, and enter and confirm the SA Password. Click Next.
5. Configure the Control Center Server (CCS) with a service account that has access to all computers at this branch, as well as the remote Database computer. The Setup tests the CCS credentials to make sure the account is valid.
6. Configure both the Web Filter Server and the Data Vault Server:
Each service should run under a Windows network account with read/write privileges at the remote Database computer.
Each service should use the SAME Database access account at the branch location as used by servers at the main location.
In the example below, ALL Data Vault Servers would use the DVServer SQL Server account.
Each Dashboard computer will require a VPN connection to access the network where the central Database is installed. Queries and data display may take longer when not on the local network; otherwise there is no difference from the main office Dashboards.
7. At the bottom of the Data Vault panel, specify the centralized File Storage base path for Screen Snapshots and Email Attachments at the Database computer.
8. Follow normal procedure to register the local branch office serial number and apply an unlock code.
All Control Centers have access to the same computers as the original Control Center.
Each Control Center communicates with the Control Center Server, Data Vault and Primary Server, and provides the means for a different user to manage Recorders and centralized policies.
All Dashboards access the same Database.
Adding Another Control Center
Adding Computer Licenses to a Serial Number
Moving a Server
Adding a Data Vault or Web Filtering Server
Moving the Spector 360 Database
Moving the File Storage Location

One central Database
One central Primary Server
One central Control Center Server (CCS)
Data Vault Servers as needed (using the same network account)
Web Filter Servers as needed (using the same network account)
As many Control Center and Dashboard applications as needed
If on-site managers will be using Dashboards to review user activity, make sure you set up security access for logins as described below to prevent sites from viewing each other's data.
All Servers handle multiple serial numbers. There is no need to install separate servers for separate sites.
3. Select Add Serial Number. Enter the next serial number in the box that appears. See Adding a Serial Number. Repeat this step for each serial number.
4. Select Register Serial Number to register and unlock the licenses for the site. Repeat this step for each serial number.
See Managing Recording Profiles. Define a profile as you Add Computers, or assign a profile to computers after adding them.
All serial numbers, the number of licenses, and the number of available licenses appear in the Computer Licenses list. After the Spector 360 Recorder has been scheduled for installation, you can "open" each serial number group to view the name and status of each licensed computer. See Managing Computer Licenses.
Master Login Type - BE CAREFUL. This account type has full access to Dashboard Management, Web Filtering, Event Alerts, and Profiles.
Select Users - Give the Dashboard login access only to users he/she needs to monitor. For example, Bank A (Staff Section 1) User Group. Make sure users belonging to groups in other departments or at other sites cannot be accessed.
Select Events - Give the Dashboard login access to ALL event types (Chat/IM, Email, Web Sites, etc.). This allows the Database login to view all activity for his/her department.
Select Tools - Give the Dashboard login access ONLY to appropriate tools. Under Management Tools, clear (at minimum) Computers, Users, Computer Groups, User Groups. Under Database Tools, clear all options.
Read the section in this guide on Database Logins.
Populate the Dashboard with a list of Users. There are two ways to do this:
Install the Recorder on all machines (as described below) and allow the Recorder to return user name information through the normal recording process
- OR -
Add a list of user names or import an XML or CSV list of names and domains (with user group names and descriptions, if you wish). See the Dashboard Guide.
Create User Groups by site. Once you have (at least some) user names from each site, select Management > Groups and New to create the User Groups. In the Dashboard, select Management > Users to view the users. When new users are added to the Database, add them to the correct group. For example:
Bank A (All Users)
Bank A (Executives)
Bank A (Staff Section 1)
Bank B (All Users)
Bank B (Executives)
Bank B (Staff Section 1)
Standard Login Type - This account type can view but not edit Dashboard Management items or Computer Profiles.
For example, create an INAPPROPRIATE DOWNLOAD - BANK A alert and another INAPPROPRIATE DOWNLOAD - BANK B alert. For each Event Alert Profile, assign the specific User Groups from one site under the WHO conditions. Assign the appropriate manager (Alert Operator) at the site by email if an alert occurs (under GENERAL conditions).
If you give an on-site Dashboard User access to the Event Alert Tools, ALL Event Alert Profiles will be visible. A Master Login with access to Event Alerts would be able to change any profile, but could only apply it to his/her User Group.
Computer/Recorder Administration
Manage the Computers List
Managing Computers
The Manage Computers view lists computers that have been "added" to the Control Center list for Spector 360 management. If Groups is selected in the toolbar, this view shows a list of Computer Groups. Use this view to add network computers to the list, install or uninstall Recorders, assign Recorder Versions and Profiles to computers, or check the status of computers and recording.
Group - Group the computer belongs to. Initially all computers are in DEFAULTGROUP. See Managing Computers in Groups.
Pending: The Recorder is scheduled to be installed or uninstalled.
Recording: The Recorder is installed and actively recording.
Disabled: The Recorder is installed but has been stopped by the Stop Recording command or by an open local Viewer.
A single Computers list is maintained by the Control Center Server (CCS). Any Control Center user may access and modify this list.
Recorder - State of the Recorder installation:
Not Installed: The Recorder is not installed on the computer.
Installed: The Recorder is installed on the computer.
Pending: The Recorder is scheduled to be installed or uninstalled.
Unknown: The Control Center is unable to detect or read status from the computer.
If a Recorder remains "Pending," select Run Diagnostics to see where the install failed, try re-installing, and refer to Troubleshooting Recorder Installation.
Computer Name - Name of the computer known to the network
Domain Name - Name of the Windows domain network the computer belongs to.
in red if the installed version is an incompatible Recorder, prior to Spector 360 Version 7 (e.g., 6.2.1205). See Managing Computer
Add Computers / New - Add Computers to the Computers list.
Add Group - Add a new computer group.
Modify - Change the selected computer's description, group, profile, version. The computer will be updated when it checks in with the CCS or at the "Client Update Time" scheduled in the CCS properties.
Recorder Versions.
Move to Group - Move the selected computers to a different group.
Set Default Group - (Edit Menu) Change the default computer group.
Delete - Remove the selected computers from the Computer list.
Start Recording - Start recording on any selected computers where recording is OFF.
Auto: The computer will receive automatic version updates. None: The computer is not set up for automatic version updates.
The automatic version update setting is available when you Add or
Assign Profile - Apply a profile to all selected computers or groups.
Assign Recorder Version - Apply the latest or any other version to selected computers or groups.
Poll Delay - HIDDEN by default. Displays the Days and Hours of the Service Polling Delay setting. The default is 3d (days) 0h (hours).
Set Service Polling Delay - Change the period of time the selected computers may be "off" the network.
Refresh - Click the Refresh button or press F5 to update the list with the latest information.
View Log File - View the Client Log File for the currently selected (single) computer.
View Groups.
Click the Groups button or select View > Groups from the menu bar. A view of Groups appears in place of the Computers list. Click the button again to return to the Computers list.
The Recorder (client service) makes direct TCP contact with the servers across the network using IP addresses and ports in its Recorder Profile Server settings. It receives licensing from the Primary Server, instructions from the Control Center through the Control Center Server (CCS), and automatically delivers specially formatted data files to the Data Vault at regular intervals.
1. The Primary Server reserves one license when an installation is requested. You can NOT move the license to another computer. If you uninstall the Recorder, you can only reinstall the reserved license on a device with the same name and OS.
2. The installation proceeds at the scheduled time. When a client install is requested from the Control Center, the Control Center Service (CCS) deploys a Client Bootstrap Service to the computer to quietly install the Recorder. Following installation, the Bootstrap Service is removed. Recorder installation is complete when the computer restarts and all traces of the installation are removed. Or, you use a setup file to install at the computer. When a pre-configured install file is downloaded and installed at the device, the Recorder will be running as soon as the device restarts (or the installation process is finished).
3. The Recorder communicates with the Primary Server. As soon as it starts running, the Recorder client checks in directly with the Primary Server to establish licensing. It is critical that each client Recorder receive and activate a license from the Primary Server. See How the Primary Server Works.
4. The Recorder communicates with the CCS. Each client checks in with the CCS at regular intervals. The CCS receives information to refresh the computer information in the Control Center, and delivers updates to the Recorder. See How the Control Center Server Works.
5. The Recorder begins recording immediately. As soon as it is fully installed, the Recorder begins recording, blocking, and alerting. It saves events in 15 minute chunks to compress, encrypt, and store in a hidden folder on the computer. Data on the local computer can only be read by a local Viewer. If instructed, the Recorder checks with the Web Filter Server before allowing computer access to the Internet.
6. The Recorder uploads recordings to the Data Vault Server. Periodically, the Recorder uploads event files to the Data Vault and deletes them from the local computer. If the Recorder cannot contact the Data Vault, the data remains on the computer until a specified time period passes or a maximum data size is reached. Then, the Recorder begins to delete the oldest data.
Feature Centralized Event Alerts apply Records Screen Snapshots Records Chat/IM (see Chat/IM Recording) Records Document Activity Records Program Activity Records Web Sites Visited Records Window Caption by Program Records or excludes recording by URL Set inactivity timeout for recording
WIN
MAC
X X X X X X X X X X X X X X X X X X
X X X X3 X X
X X X X X X X X1 X X
Spector 360 provides frequent updates to Recorder capabilities and stealth. Be sure to maintain the latest software version on computers using Manage Recorder Versions.
Keyword Alerts (Client-side) Block Internet (Client-Side) Set Recorder to "visible" mode Set which servers to report to Schedule data push to server Set security at client (hotkeys/password) Install with a "Viewer"
X X X X X X X X X X X X
2
Control data size on client computer Dashboard reports data recorded
1 Does NOT support remote installation.
2 Supports "ping" test only.
3 Recording by drive letter only on Windows.
X X X
Deploying Recorders
3. Select a source for computer names. On the Select Source for New Computer names panel, select how you will acquire a list of computer names to add to the Computers list. Each choice allows you to edit the resulting list before actually adding it to the Computers list. Click Next to begin.
Type one or more computer names into this wizard. Choose this option to go straight to "Finalize the List of Computers" below and enter each computer domain and name, one at a time. More on adding to and editing the list...
Retrieve computer names from the Active Directory. Choose this option to import a list of computers from the network's Active Directory. You must be on a domain network with Active Directory Service (ADS) enabled. Wait for the import to finish and click Next to continue. More on retrieving from Active Directory...
Query the network for active computers. Choose this option to use network discovery for a comprehensive list of computers. This method is not recommended for large or slow networks. Wait for the import to finish and click Next to continue. Be sure to edit out computers you do not wish to record in "Finalize the List of Computers." More on Network Discovery...
Import a list of computer names. Choose this option to import a comma-separated value (.CSV) text file. This option is useful when you have an existing computers list. Simply select a file to import. Wait for the import to finish and click Next to continue. More on importing computer names...
If you are not manually entering computers, errors in retrieving computer information are displayed. Duplicate domain\computer names and invalid specifications will not be added to the list. Incomplete information, such as a missing Platform field, is called out. Click Next to continue.
You must have a license for each Recorder installed, otherwise the Recorder will not operate. You may want to start by listing computers but NOT installing Recorders.
4. Finalize the list before adding the computers. All source choices for Add New Computers result in a list of computers. If you are entering computer names one at a time, this panel initially lists no computers. If you have acquired computer names from another source, this panel offers an opportunity to add, remove and change computer specifications. See Finalizing the list of Computers. When the list is ready, click Next to go on to the Spector 360 Recorder
A Platform designation (Windows or Mac) is required for each computer being added to the Computers list.
5. Schedule the Recorder Installation and Updates. You can choose to schedule installation of the Spector 360 Recorder
Don't install the Spector 360 Recorder - (default) Do NOT schedule installation at this time. You can set an installation schedule at any time from the Computers list.
Schedule installation for a date and time - Applies to Windows Computers Only. Set a day and time now to install the Recorder. This selection activates the date setting. Click the down-arrow next to the date to open a calendar and select a day. Click on the hour or minutes and use the arrow buttons to change the time. See Scheduling a Recorder Install/Uninstall for details on setting install time.
If you do not want to install the Recorder on ALL computers you are "adding" with this wizard, select the "Don't install" option. You can always install later.
Automatically update the Spector 360 Recorder - When you download a new Spector 360 Recorder,
Don't automatically update the Spector 360 Recorder - You can assign a new Recorder Version to these computers rather than having the software updated automatically. See Assigning a Version to Computers.
6. Select a Recording Profile for these computers. The Recording Profile provides recording, blocking, alerting, and other settings for computers. Assign one profile to all Windows computers and another to all Mac computers in the list. A Master Login can click New to create a new Windows or Mac profile now and assign it to computers. Keep in mind that it's easy to update and change a computer's profile after the Recorder is installed. See Changing Recorder Profile Settings.
Don't assign a Recording Profile or Build to these computers. Select this item ONLY if you are not scheduling the Recorder for installation at this time. If you are scheduling an installation, Spector 360 needs to know which profile and build (Recorder Version) to use.
Assign the following Recording Profile to these computers. An Initial Profile with optimized recording settings is available for selection. You can always assign a new profile later.
If you are not seeing Windows and Mac choices as expected, change the Tools > Options settings.
Click Next to continue.
7. Select a Recorder Version. Select the version of the Spector 360 Recorder you would like to install on these computers. If both Windows and Mac computers are in the list, select a Version for each platform. Click Next.
Windows / Mac Recorder Version options appear as selected in Tools > Options.
8. Finish the configuration. At the final panel, click Finish to add this list of computers to the Control Center, configured with the selected Recorder profile and build, and set to install at the time you have specified. If you "finished" earlier in the process, you can install the Recorder later at any time.
Platform - Selection active for Add Computer. The operating system of the computer: Windows or Mac.
Computer Name - The computer name as known to the network. Find a Windows name in My Computer > System Properties. For Mac, look in Apple > System Preferences > File Sharing (or use the Spotlight feature to search for "computer name").
Domain Name - Selection active for Add Computer. Name of the network domain the computer logs in to. If a computer does not participate in the domain, type any name. This is a required field; if the domain is not visible on the network, a message will appear; click OK to continue. As long as the computer is on the network, Spector 360 will be able to communicate with it.
The Recorder Version may affect which Profile settings are available. See Managing Computer Profiles.
Description - A descriptive name for this computer, for use in Spector 360. Type any name, or modify the name as you wish.
Group Name - Name of the group the computer belongs to. Use the drop-down list to move this computer to a different group.
New Group - Click this button to open the Add New Computer Group box and add a new group now.
Specify a Recorder Configuration - Check to activate the configuration fields; clear if you do not wish to configure this computer now (defaults will be used if you schedule installation).
Don't install the Spector 360 Recorder - Select to add or modify a computer without installing the Recorder.
Schedule the Spector 360 Recorder installation or reinstallation for - Select to activate the date and time fields and schedule the Recorder installation or update.
Date/Time - Day and time the installation will occur. Click the down-arrow next to the date to open a calendar and select a day. Click on the hour, minutes, or AM/PM and use the arrow buttons to change the time. See Scheduling a Recorder Install/Uninstall.
Profile Name - The default profile for this platform is pre-selected (e.g., "Initial Profile"). Open the drop-down list of available profiles and select one to assign to this computer.
"Push" the Recorder - Selection active for Modify Computer. Check to force a fresh re-installation of the Recorder at the computer (when a computer remains "pending," to install/uninstall a local Viewer, or to reinstall an uninstalled Recorder).
Follow Manual Setup procedures for installing a Recorder on a Mac or on a computer in a Windows Workgroup. Keep in mind each Recorder installed requires a license to operate. You cannot "move" a license from one computer to another.
New Profile - Master Login Only. Click this button to create a new Computer Profile (based on a Recorder Version) now and assign it to the computer. Be sure to select the General tab and Client Options to give the profile a name.
Recorder Version - The default version (or version used by the profile) is pre-selected. Open the drop-down list of available versions for this platform and select one to assign to this computer.
Don't automatically update the Spector 360 Recorder - Select if you prefer to update the Recorder Version on this computer yourself (using this panel or Assign Recorder Version). The Recorder still checks in with the CCS to receive any Profile/Version changes.
AD has a very flexible structure, allowing a network administrator to build any type of hierarchy by domain, by geographic location, by department, by classroom, or however desired. At the top of the Active Directory structure is a forest. Under a forest are one or more trees containing domains, organizational units (OUs), objects, and attributes. Typically, companies design their trees based on either geographic separation (Americas, EMEA, PacificRim) or organizational design (Accounting, Marketing, Technology, Sales).
Automatically update the Spector 360 Recorder as soon as possible after changes are made - Select to instruct the Recorder (once it is installed on the computer) to receive version updates automatically as soon as they are available.
Automatically update the Spector 360 Recorder at - Select to instruct the Recorder to receive version updates automatically at a specific time of the day when a new version is available. Click on the hour, minutes, or AM/PM and use the arrow buttons to change the time.
Hours:Minutes AM/PM: Select and type over the hour, minutes, or AM/PM value (the system clock may show 24-hour time) or use the up/down arrows to the right of the time to change the selected value.
Make sure you have an available license for each computer receiving an installation and have excluded Recorder files from antivirus scanning.
To "push" an installation:
complete software installation package. This option is useful on reinstall to make sure any previous installation is overridden with a completely new software installation. You would select this option if:
You've had trouble previously installing on this computer.
You're trying to "fix" an installation that has been compromised.
You want to install a local Viewer on the client where one was not previously installed.

You can also click the down-arrow next to the date to open a calendar. Today's date is highlighted. Click the arrows at the top of the calendar to change the month. Click on any calendar day in the future to select it and close the calendar. When a future date is set, the calendar opens to the selected date.
n selected Mac Computers must be installed manually - If your selection for Install Recorder includes Mac computers, a message informs you that these computers will not receive the installation. Click OK to confirm and exit (or continue installing on any Windows computers in the selection). See Deploying the Recorder to Macintosh.
Make sure the computer is restarted at some point to complete uninstall and avoid issues when reinstalling the Recorder in the future.
Please select a Date/Time in the future - This message appears following OK when the scheduled time has already passed. Click OK and set a time in the future.
Install the Recorder to n computer(s)? - This message appears following OK to confirm installing the Recorder on the selected number of computers. Click OK to confirm and continue.
Uninstall the Recorder from n computer(s)? - This message appears following OK to confirm uninstalling the Recorder on the selected number of computers. Click OK to confirm and continue.
Upgraded Recorder - If an installed Recorder will be upgraded, a message appears asking if you want to continue. Click Yes to proceed or No to skip the installation. Note that old Recorder versions may not be able to deliver data to this version of Spector 360.
2. Enter the Mac Admin password. The Mac Admin password is required for software installation. Click OK. Wait for the Recorder to be installed.
3. Summary of installation. When an "Install Succeeded" panel appears, the installation is complete. If you wish, click View to view a Readme file. Click Finish to end the installation and restart the computer.

Select the Mac Platform.
Assign the SAME profile and version used in the Manual Setup file.
Do NOT schedule remote installation of the Recorder.
Remove the Setup .zip and .dmg files. After the computer restarts, drag any installation files into the Trash and then choose Finder > Empty Trash from the Finder menu bar.
Delete entries in the Internet browser. If you accessed the SpectorSoft web site from this Mac, clear history in Safari or Firefox to remove any SpectorSoft entries.
Select the Windows Platform. Assign the SAME profile and version used in the Manual Setup file. Do NOT schedule remote installation of the Recorder.
Clear Recent Folders and Items from the Finder. Check Go > Recent Folders and Finder > Recent Items for evidence of activity involving Spector Client Install files. Clear these items.
Once the Recorder is installed on a Mac or Windows computer, you can assign a new profile or version to it from the Control Center without having to manually install again.
The default "Initial Profile" settings reboot the Mac or Windows computer automatically.
the Dashboard.
Windows XP Home or legacy Windows computers
Computers on a Windows Workgroup
Delivery of software via other network tools
You can use the same Manual Setup File to install the Recorder at all Windows computers, but you must have a license for each computer receiving a Recorder installation.
Macintosh computers
Windows Workgroup computers
Windows XP Home and legacy Windows computers
Computers when you prefer to use another method of deployment
Following manual setup, you can change the profile and version and uninstall the Recorder from the Control Center.
3. Select a Recording Profile. Select or create a Profile for the installation. Without changes, the Initial Profile settings automatically restart the computer following installation (see Client Options). Be sure to name a revised Profile on the Security panel. Click Next.
5. Select a serial number. Licenses will be used from the serial number you select. Each installation of a Recorder requires its own license. Highlight the serial number and click Next.
A Manual Setup file for Windows is an .exe file. A Manual Setup file for Mac is a .zip file.
6. Name the file and location. A panel summarizes the Recorder OS, Profile, Version, and serial number. Click the folder button next to the Setup File Name at the bottom of the panel to set a name and location for the file. The default file name includes the Recorder Version and Serial Number. You can change the name, but NOT the file extension. Click Save to select the name and location, which is then displayed in the wizard's Setup File Name field.
7. Finish building the file. Click Finish. The file is built at the location you specified.
8. Use the .exe or .zip file to install manually. Deliver and execute the Setup file on a computer where you want to install the Recorder. See Deploying the Recorder to Macintosh or Deploying Manually to Windows.
To uninstall manually:
If a Viewer is installed with the Recorder, at the computer, use the hotkeys and password to open the Viewer. Select File and Uninstall. Otherwise, use the SPUninst program:
1. Copy the spuninst.exe program from the Spector 360 program folder (C:\Program Files\SpectorSoft\Spector 360\spuninst.exe) to a medium accessible by the client computer (network drive, CD, removable media, etc.).
2. From the computer, run the spuninst.exe program. An Authentication window appears.
3. In the dialog box, enter your serial number and password (if used) and then click OK.
4. Click OK to reboot the computer.
For a Windows computer, you can run spuninst.exe from a command line (Start > Run > cmd) using parameters. Use this format:
C:\spuninst /s1111AB001245600 /q
Following a manual uninstall, select the computer from the Control Center, open the Edit menu, and select Manual Uninstall Cleanup.
Use Active Directory to acquire a Computers list
Use Active Directory to update status in the Computers list
Synchronize the Computers list to Active Directory
Automatically install the Spector Recorder on ADSI computer additions
Organize (group) ADSI computers in your list based on information in Active Directory (such as Department Name or Domain Name)
Click Next to continue to a panel displaying the list of computers you have retrieved from Active Directory. Edit the list, if you wish, before adding these computers to the Control Center. See Finalizing the List of Computers.
If you have selected a Group option for ADSI computers in the CCS properties (see below), new computers added from Active Directory are automatically grouped according to your selection.
Select a Computer Profile, a Recorder Version, and an installation schedule for these computers to complete the Add Computer Wizard.
If you have more computers on your network than Spector 360 licenses, you may want to create the initial list without setting an installation schedule. You must have a license for each Recorder installed, otherwise the Recorder will not operate.
Automatically update the Computer list using Active Directory - Check this option to retrieve a list of computers from Active Directory to populate the Manage Computers view. Once these computers are added to the list, the CCS will continue to check with Active Directory and add any NEW computers to the Computers list.
Be careful using the Install Spector Recorder to all ADSI computer additions option, so that you don't commit Recorder licenses to computers you do not intend to record.
Synchronize the computer list to Active Directory - Check to keep the Control Center list in sync with Active Directory. If computers are added or removed from the ADSI Database, they are also added or removed from the Computers list.
Group ADSI Computers by - Finally, you can request that computers added from ADSI automatically be assigned to Control Center computer groups based on information in the organizational structure of Active Directory. This is useful for automatically organizing computers added from a large network. Once in the Computers list, computers can be moved to a different group, and Active Directory
No ADSI Grouping - Computers will be assigned to the current Spector 360 Default Group. ADSI grouping will not be used.
Canonical Name - (CN) A constructed attribute for an organizational unit in AD. For example, if Chicago.Local/Workstations/Support/Support21 is the ADSI path for a given computer, selecting Canonical Name will add the computer to a SUPPORT Computer Group.
Domain Name - (Default grouping) Groups are created using domain names. For example, Chicago.Local/Workstations/Support/Support21 will be added to a CHICAGO group.
Department Name - Groups are created for the departments in which users work.
Office Name - Groups are created by offices in which users work.
Organization Name - Groups are created by the organizations within which users work.
Organizational Unit Name - Groups are created using the AD Organizational-Unit-Name attribute.
Locality Name - Groups are created using names of Locality based on addresses of users.
Country Name - Groups are created using names of the Country or Region of users.
<Use Custom Group> - Create a name under which to group ADSI computers that are added to the Control Center list. When you select this option, the field below the selection list becomes active. Type any name for the group. This becomes your default group.
Figure: An example of groups created from Active Directory additions
Wait for the discovery to finish. A message displays the number of computers discovered and the number of errors or warnings that occurred. Scroll through the provided window to see why a computer could not be added. If a computer is already in the Control Center Computers list, it will not be added again.
Click Next to continue to a panel displaying the list of computers you have retrieved from Active Directory. You can edit the list before adding these computers to the Control Center. See Finalizing the List of Computers. Continue on through the wizard by selecting a Computer Profile, a Recorder Version, and an installation schedule. See Add Computer Wizard for complete instructions.
If you have more computers on your network than Spector 360 licenses, you may want to create the initial list without setting an installation schedule. You must have a license for each Recorder installed, otherwise the Recorder will not operate.
ComputerName,DomainName,GroupName,MachineType
Header - If you use a header on the data, add an apostrophe at the beginning of the first line and spell the column names identically to the above: 'ComputerName,DomainName,GroupName,MachineType
ComputerName - REQUIRED. The name of the computer as known to the network.
DomainName - REQUIRED. The network domain the computer belongs to. If the computer is not on a domain, use any other name, such as WORKGROUP or LOCAL. If a domain name is not recognized, the Control Center displays a message at the end of the ADD procedure, but the field will be added.
GroupName - OPTIONAL. Name of the Spector 360 Computer Group the computer will belong to. If a group is not included (a blank field), the computer is assigned to the DEFAULTGROUP.
MachineType - OPTIONAL. Operating system of the computer: 1 for Windows or 2 for Mac. If the file does not have this field, you will need to specify the platform for each computer in the Finalize the List of Computers step.
For a spreadsheet list, use Save As and save as file type .CSV (comma delimited). Do NOT use commas or other punctuation within the fields.
On the Open CSV Computer List panel, use Browse to navigate to and select the CSV file you wish to import. Click Open.
Click Next to check and edit the imported computers in Finalize the List of Computers.
When the import is complete, a message displays the number of computers imported and the number of errors or warnings that occurred. Scroll through the provided window to see why a computer could not be added. If a computer is already in the list, it is not added again. At this point, you can:
Correct a Domain or Computer Name by typing in the field.
Assign a different Group to one or more computers.
Assign a Platform to one or more computers.
Select a computer and Remove it from the list.
Click Add and type in information for another computer.
You MUST select a platform (Windows or Mac) for each computer that doesn't have one assigned.
Click Next when the list is ready and proceed through the Add Computers wizard. You will select a Computer Profile, a Recorder Version, and an installation schedule. Click Finish to add the computers to the Control Center list.
If a required field is missing, an error message appears. Records with errors will be skipped and all valid records will be imported. If the specified computer already exists (in the same domain), the record will not be imported. A message informs you that Computer 'name' already exists.
If a computer does NOT exist in Spector 360, the computer is added (does not require actual network detection) and will be visible under Manage Computers after you refresh the view.
If a Computer Group does NOT exist in Spector 360, it is created. If the group exists, any new computers are added to the existing group.
You MUST select a platform (Windows or Mac) for each computer. If a platform was not detected, this field will be blank. Click the Platform column heading to sort blank entries to the top, and then remove these entries or assign a platform to each.
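A pre-import check for the CSV rules described above, written as an added example (it is not part of Spector 360): it reports which records would be accepted, which still need a platform in the Finalize step, and which would be skipped. The function name, the rejection of MachineType values other than 1 or 2, and the case-insensitive duplicate match are assumptions; the sample rows are constructed.

```python
import csv
import io

COLUMNS = ["ComputerName", "DomainName", "GroupName", "MachineType"]
PLATFORMS = {"1": "Windows", "2": "Mac"}   # MachineType values from the guide
DEFAULT_GROUP = "DEFAULTGROUP"


def _key(computer, domain):
    # Assumption: names compare case-insensitively, and a leading "\\"
    # (as shown in the exported list) is not part of the computer name.
    return computer.lstrip("\\").upper(), domain.upper()


def check_import_csv(text, existing=()):
    """Pre-check a computer-list CSV before importing it.

    Returns (accepted, needs_platform, skipped):
      accepted        dicts for the records that would be imported
      needs_platform  computer names that need a platform in Finalize
      skipped         (line_number, reason) for each rejected record
    `existing` holds (ComputerName, DomainName) pairs already in the list.
    """
    seen = {_key(c, d) for c, d in existing}
    accepted, needs_platform, skipped = [], [], []
    first = True
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                                  # blank line
        if first and cells[0].startswith("'"):
            # Optional header: apostrophe, then the exact column names.
            first = False
            names = [cells[0][1:]] + cells[1:]
            if len(names) < 2 or names != COLUMNS[:len(names)]:
                skipped.append((lineno, "header does not match column names"))
            continue
        first = False
        if len(cells) > len(COLUMNS):
            skipped.append((lineno, "too many fields"))
            continue
        if any("," in c or '"' in c for c in cells):
            skipped.append((lineno, "comma or quote inside a field"))
            continue
        cells += [""] * (len(COLUMNS) - len(cells))   # trailing fields optional
        computer, domain, group, mtype = cells
        if not computer or not domain:
            skipped.append((lineno, "missing ComputerName or DomainName"))
            continue
        if mtype and mtype not in PLATFORMS:
            # This checker's choice: reject values other than 1 or 2.
            skipped.append((lineno, "MachineType must be 1 or 2"))
            continue
        key = _key(computer, domain)
        if key in seen:                               # same name, same domain
            skipped.append((lineno, "Computer '%s' already exists" % computer))
            continue
        seen.add(key)
        accepted.append({"ComputerName": computer, "DomainName": domain,
                         "GroupName": group or DEFAULT_GROUP,
                         "Platform": PLATFORMS.get(mtype)})
        if not mtype:
            needs_platform.append(computer)
    return accepted, needs_platform, skipped


# Constructed sample file, one record per rule.
SAMPLE_CSV = """'ComputerName,DomainName,GroupName,MachineType
ENG55,MYCOMPANY.LOCAL,ENGINEERING,1
MARKETING55,CHICAGO,,2
LAB-MAC01,WORKGROUP,LAB
,CHICAGO,SALES,1
eng55,mycompany.local,ENGINEERING,1
KIOSK7,CHICAGO,FRONT DESK,3
"ACME, Inc",CHICAGO,SALES,1
"""

if __name__ == "__main__":
    ok, todo, bad = check_import_csv(SAMPLE_CSV)
    print(len(ok), "accepted;", "assign platform to:", todo)
    for lineno, reason in bad:
        print("line", lineno, "skipped:", reason)
```

Running the check before the import shows how many licenses the file would commit and which rows need a platform assigned.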
An error appears if you attempt to move to another row or press Next on this panel when a computer definition is incomplete. Click Yes on the error message to complete the computer entry or No to remove the entry.
2. If you wish, select a Group from the drop-down list. DEFAULTGROUP is provided, but any group you have set as the "default group" will be assigned by default.
Add - Add a blank row at the end of the list for a new entry.
Remove - Remove the selected computers from this list.
Select All - Select (highlight) all computers in this list.
Deselect All - Clears (removes highlighting from) all selections.
Assign Platform - Assign the Windows or Mac platform to all currently selected computers. Be sure to assign the right platform!
Assign Group - Assign a Group from the drop-down list to currently selected computers.
New Group - Add a new computer group. Enter a Group Name and Description and click OK. You can now assign this group to computers.
The computer is no longer connected to the network. Network changes are preventing Control Center / computer communication.
2. Select Uninstall the Recorder in the Task Navigation pane - OR - Right-click on your selection and select Uninstall Recorder.
3. Select a Schedule for uninstallation. Check the "Reboot computer(s) after Spector Recorder is uninstalled" option to restart the computer immediately after the uninstallation. Clear this option to perform the uninstall task without restarting the computer.
4. Click OK.
Management Options
Removing Computers
You can remove computers from the Manage Computers list that you no longer need to manage under Spector 360. Removing a computer from the list has no effect on the network.
Restarting a Computer
Windows Computers Only. You can restart a computer from the Control Center. You may want to restart computers after applying a new Recorder profile or changing profile settings in order to close all applications and ensure capture of all activity.
To restart a computer:
1. Select Recording > Manage Computers.
2. Select the computer or computers (use Shift and Control) - OR - Select Groups on the toolbar and select the group of computers you want to restart.
3. Right-click and select Restart - OR - Select the computer(s) and click on Restart Computer in the Task Navigation pane. The computer or computers restart within minutes.
To stop recording:
1. Select Recording > Manage Computers.
2. Select a computer where the Recorder is installed and running.
3. In the Task Navigation pane, click Stop Recording - OR - Right-click the computer and select Stop Recording.
To start recording:
1. Select a computer where the Recorder is installed but is not recording.
2. In the Task Navigation pane, click Start Recording - OR - Right-click the computer and select Start Recording.
To reserve a license:
1. Select one or more computers in the Manage Devices view. Select Reserve License from the Edit menu or from the context (right-click) menu. All licenses you intend to reserve must be under the same serial number. Select the serial number, if applicable. Click OK.
2. A message asks you to confirm reserving the selected number of licenses from this serial number. Click Yes to continue or No to cancel.
3. A second message confirms the License Reservation. It may take several minutes for the license icon to appear in the Manage Devices list, but the number of "Available" licenses in Manage Computer Licenses changes immediately.
Figure: Manage Devices list shows a reserved license
If you are managing more than one serial number, a message cautions you to be sure to select the correct serial number for the license(s). You cannot "undo" an incorrect license reservation. Use the drop-down list to select the correct serial number, and then click OK to reserve the licenses.
If you have selected more computers than you have available licenses for, a message appears. Click OK and contact SpectorSoft about purchasing additional licenses.
If the Control Center is unable to communicate with the CCS or Primary Server, or if there are no available licenses, a message appears and no licenses are reserved.
To assign a profile:
1. In Manage Computers, select one or more computers or groups.
2. Open the Edit menu (or right-click) and select Assign Profile.
3. From the submenu or selection box, choose the profile you wish to apply to the selected computers. If both Windows and Mac computers are in the selection, choose a version for each platform, from each pane.
4. A message asks you to confirm the profile assignment for the number of selected computers (and groups). Click Yes to apply the profile or No to cancel. The assigned profile appears in the Computers list.
5. When the Recorder is installed or checks in with the CCS, it receives its new profile assignment.
If the profile assignment adds or removes a Viewer installation you MUST reinstall the Recorder using the Push option.
5-minute check-in. Once a Recorder is installed on a computer, the Control Center expects it to check in with the Control Center Server (CCS) every 5 minutes (default) or as specified in the Recorder Profile.
1 hour highlight. A Recorder that fails to check in for more than an hour (default) will be highlighted in the Computers list. When a Recorder fails to check in, the network may be down, the computer may be OFF, the computer may have left the network, or the Recorder installation may have been compromised.
3 days Service Polling begins. When 3 days (default) pass with no check-in, the CCS clears the information for the computer (operating system, Recorder status, etc.) and begins actively polling the network for the missing Recorder rather than waiting for it to check in.
Computer is dropped from list. If the CCS fails to find the computer, it continues to be "Not Detected" and eventually is dropped from the list. Avoid "losing" the computer by changing the Service Polling Delay.
An employee takes her computer to work at home occasionally. There's no need to modify this setting. The Recorder will check in as soon as it's back on the network.
A sales person frequently leaves the network for a week. Modify that computer's properties to delay polling for 7 days. When the computer leaves the network, the CCS won't begin polling for 7 days, and the computer's status and information will be preserved. As soon as the Recorder is back on the network, it will check in.
An employee has shut down for a 3-month leave of absence. Modify this computer's properties to delay polling for 90 days to avoid losing the computer before the employee returns.
A visitor will be on the network only for a day. There's no need to modify this setting. The computer will be "dropped" automatically several days after the visitor is gone.
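The check-in timeline above, worked as an added example (not SpectorSoft code): it classifies computers by how long the Recorder has been silent, using the guide's default thresholds and a per-computer polling delay, and lists the ones that need a look. The record layout, state names and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Defaults stated in the guide; each can be changed per profile or computer.
CHECK_IN = timedelta(minutes=5)    # expected Recorder check-in interval
HIGHLIGHT = timedelta(hours=1)     # silence after which the row is highlighted
POLL_DELAY_DAYS = 3                # Service Polling Delay


def checkin_state(last_check_in, now, poll_delay_days=POLL_DELAY_DAYS):
    """Classify one computer by how long its Recorder has been silent."""
    silent = now - last_check_in
    if silent <= CHECK_IN:
        return "current"
    if silent <= HIGHLIGHT:
        return "late"          # missed check-ins, not yet highlighted
    if silent < timedelta(days=poll_delay_days):
        return "highlighted"   # network down, OFF, off the network, or compromised
    return "polling"           # CCS has cleared its details and is polling


def triage(computers, now):
    """Return (name, state, days_silent) for computers that are highlighted
    or being polled, longest silence first."""
    rows = []
    for c in computers:
        delay = c.get("poll_delay_days", POLL_DELAY_DAYS)
        state = checkin_state(c["last_check_in"], now, delay)
        if state in ("highlighted", "polling"):
            days = (now - c["last_check_in"]).total_seconds() / 86400
            rows.append((c["name"], state, round(days, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample records. In an exported computer list the matching
# columns would be ClientStatus_LastClientCheckTime and PollDelayInterval;
# the dict layout and the use of whole days here are assumptions.
NOW = datetime(2011, 10, 27, 12, 0)
SAMPLE_COMPUTERS = [
    {"name": "ENG55", "last_check_in": datetime(2011, 10, 27, 11, 57)},
    {"name": "ROOM07A", "last_check_in": datetime(2011, 10, 27, 11, 20)},
    {"name": "SUPPORT21", "last_check_in": datetime(2011, 10, 27, 8, 0)},
    {"name": "SALES-LT3", "last_check_in": datetime(2011, 10, 22, 12, 0),
     "poll_delay_days": 7},          # sales person away for a week
    {"name": "VISITOR1", "last_check_in": datetime(2011, 10, 23, 12, 0)},
    {"name": "MARKETING55", "last_check_in": datetime(2011, 10, 24, 12, 0)},
]

if __name__ == "__main__":
    for name, state, days in triage(SAMPLE_COMPUTERS, NOW):
        print("%-12s %-12s silent %.2f days" % (name, state, days))
```

A computer that is highlighted with no planned absence on record is the case to investigate first, since the guide lists a compromised Recorder installation among the causes of a missed check-in.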
Only data that has NOT yet been sent to the Data Vault Server will be available at the local computer, so data could be minimal or non-existent. You can change Data File settings to retain data, or simply remove the computer from the network for a period of time to test recording of different types of activity at the local computer.
ComputerName,DomainName,GroupName,Description,...
For example:
\\ENG55,MYCOMPANY.LOCAL,DEFAULTGROUP,...
\\MARKETING55,CHICAGO,DEFAULTGROUP,...
Or, in an Excel spreadsheet:
ComputerName - NETBIOS computer name
DomainName - Domain or workgroup name
GroupName - Control Center "group" computer is assigned to
Description - Computer description (optional, if added by user)
OsName - Operating System on the computer (if detected)
SystemRootDirectory - Path to the computer's SYSTEM directory
TaskDirectory - Windows Task Scheduler directory
ProfileName - Name (title) of the assigned Recorder profile
ConfigurationFileName - Full path and filename of the profile (.ini) file on the CCS computer
ConfigApply - Number of times a configuration was applied
UpdateTime - Scheduled time for updates
ScheduledInstallDateTime - Date and time the Recorder was scheduled for installation or re-installation
IsIntegrated - N/A
ClientStatus_IsInstall - Is the Client Recorder installed?
ClientStatus_isUIInstall - Is the Client Viewer installed?
ClientStatus_ComputerStatus - Status of the Recorder (0=Stopped, 1=Running, 2=Not Running, 3=Service Agents stopped)
ClientStatus_CommLinkStatus - Status of communication link between CCS and client (0=Inactive, 1=Active)
ClientStatus_SoftwareVersion - Recorder Version installed
ClientStatus_LastClientCheckTime - Last time the Recorder checked in with the CCS
License_ID - License assigned to the computer
License_State - State of license
License_ComputerName - Computer name license is assigned to
License_SerialNumber - Serial number the license belongs to
License_LastRefreshTime - Date and time the license was refreshed
MachineType - Platform (0=Windows pre-NT, 1=Windows NT or greater, 2=Macintosh)
PollDelayInterval - Period of time to delay before CCS discards computer information and begins to poll for the Client Service
3. Select a field from the left "Hidden Columns" list. Click the > button to move it to the "Visible Columns" list. Click >> to move all fields to the "Visible Columns" list.
4. As you hide and show columns they are removed or returned to the Computers list.
5. Click the Restore Defaults button to return the columns to their original layout. A message appears asking you to confirm this change. Click Yes to continue and restore the original layout. Click No to return to your custom layout.
User job functions such as Sales, Admin, Field, Temps, etc.
High-risk users who will receive intensive recording settings
Low-risk users who will receive minimal recording settings
Computers where detailed activity logging and automatic reporting are required
If computers are automatically added to the Computers list from Active Directory, you can request these computers be grouped according to organizational units from Active Directory. See Managing Computers from Active Directory.
Assign a Profile to a group.
Assign a recorder version to a group.
Install the Recorder on a group.
Uninstall the Recorder on a group.
Cancel Recorder Install/Uninstall on a group.
Stop or Start Recording on a group.
Restart all computers in a group.
Add a new group or modify its description.
Set a default group to apply to new computers.
Move a computer to a different group.
Delete a group that contains no computers.
You can group any Windows or Mac computers from any domain as you wish. A computer, however, cannot belong to more than one group.
Group Name - Type a group name. If you are modifying a group, you cannot change the name.
Description - Type a description for the group.
Make this the default Computer Group - Check to make this group the default group, the group to which all new computers are assigned unless you specify otherwise. Clear to define the group without making it the default.
Click OK to add the group or save changes, or Cancel to close the box without saving changes.
In any Add or Modify a Computer Group box, check the Make this the default Computer Group option - OR - In Manage Computers, open the Edit menu, select Set Default Group, and from the submenu, choose the group to be the default. A green check appears next to the current default group.
You can also simply drag and drop computers from one group list to another from within the Groups view. For example, you could expand the SEVENTH GRADE group and drag computer ROOM07A into the SIXTH GRADE group. The selected computers are now members of the new group. The Group field changes for the selected computers.
Removing a Group
You can remove a Control Center group completely.
To remove a group:
1. First, move all computers in the group to another group.
2. When the computers have been moved, click Groups on the toolbar.
3. Right-click the group and select Delete - OR - Select the group and click Delete on the toolbar.
4. A message asks if you want to remove the group. Click Yes to continue or No to cancel. The deletion cannot be undone.
Create a profile set to track what happens to important files.
Receive immediate notification if a specific program or file was opened.
Capture activity in Published Applications in a Citrix or Terminal Server environment.
A new Recorder version may introduce new profile settings. Select the latest version when modifying a profile to see what might have changed.
An "Initial Profile" is provided for each operating system. The Initial profile contains standard, optimally useful settings, such as grayscale Screen Snapshots once every 30 seconds (while the user is active).
Enable Server Web Filtering and apply a centralized web filtering policy.
Turn OFF automatic computer restart following the Recorder installation.
Create a "Low Surveillance" profile for trusted employees set to capture less data.
Create a "High Surveillance" profile set to capture all details when the need arises.
Default - A green check appears next to the default profile. This profile is used for Recorder installation, if no other is selected.
Platform - Each profile is assigned an operating system platform, either Mac or Windows.
Profile Name - Name of the profile, as set in the profile's General Options > Security settings. The name appears next to computers in Manage Computers where the profile is assigned.
Description - A description of the profile, as set in Security.
Serial Number - The serial number to which the profile applies. Appears when you have selected "Display Serial Number" under the Control Center's Tools > Options menu.
File Name - Appears when you select Show File Names on the toolbar. This column displays the name of the configuration (.ini) file that contains Recorder settings. All Recording Profiles are stored as .ini files on the CCS computer, by default in C:\Program Files\SpectorSoft\Spector 360\SDSFiles
Computer/Recorder Administration
To manage profiles:
Add a new profile.
Modify a profile.
Copy a profile.
Delete a profile.
Show File Names - Adds a column in the Computer Profiles list that identifies the configuration (.ini) file. See "File Name" above.
Set Default Profile - The default profile is used if no other profile is assigned or selected for a Recorder installation.
Assign profiles to computers in the Manage Computers view.
point. A copied profile starts with any selected profile's settings. All Record, Alert, Block, and General settings from the original profile are maintained, but you can adjust any settings as needed for the new profile. For example:
Full Time Employees profile - You create a New profile with Web Filtering enabled, Document Tracking turned ON for files on "network drive G:" and recording turned OFF for the known URL where employees do their 401k banking. In addition, you set up a few Email Filtering rules to avoid logging unnecessary email. These settings will be standard for your entire organization.
Temp Workers profile - You Copy "Full Time Employees" to a new "Temp Workers" profile and add local Internet Blocking of FTP, chat, and instant messaging ports, since these activities are not required for the job.
Branch B - Full Time profile - For a branch office using different Data Vault and Web Filter Servers, you Copy "Full Time Employees" to a new profile and adjust the profile's Servers.
Each profile you create appears in the Computer Profiles list and is available from profile selection lists.
A Recording Profile platform is always based on the Windows or Mac platform and must be assigned to computers with the proper operating system.
3.
description, option to install a Viewer (Security), and the option NOT to reboot after installing the Recorder installation (Client Options).
To copy a profile:
1. Select a profile in Computer Profiles and select Copy from the Edit menu or from the context (right-click) menu.
2. Enter a unique Profile Name and a Description.
3. Check Open this Profile for editing to open and change settings for the new profile when you click OK. Clear this option to copy the profile without changing settings.
To modify a profile:
1. Select Recording > Manage Recording Profiles.
2. Select a profile. Click on a profile in the right pane and select Modify the selected Profile in the Task Navigation pane, or double-click the profile in the right pane.
3. Select a Recorder Version. If necessary, select the Serial Number selection in the upper pane and in the lower pane select the Recorder Version on which to base this profile. Different Recorder versions may have different profile settings, and if you upgrade the version, computers using this profile will receive the version. Click OK. Use the Client Recorder Settings box that appears to make changes to the profile as you wish.
4. Change Record settings. The Record tab includes:
Screen Snapshots
Chat/IM Activity
Web Sites Visited
Email Activity
Files Transferred
4.
Keystrokes Typed Program Activity Document Tracking Network Activity Windows Profiles Only When to Record Who to Record
5. Set up local Alerts. Use the Alert tab to set up scanning for keywords as activity occurs on the recorded computer. Use these settings in addition to centralized Event Alerts to increase the rate of Snapshots during suspect activity.
Keyword Watch List
Alert Notification
6. Set up local Blocking. Use the Block tab for Internet blocking at the computer. These settings add off-network web site, chat, and port blocking to centralized filtering.
If you plan to use centralized Web Filtering, you MUST enable Server Web Filtering on the Block Web Sites Visited panel.
7. Change General Options. Use the General Options tab to make changes to the Recorder software installation, security, data management and overall recording.
Security Data Files Application Servers Client Options Record URLs Windows Profiles Only Windows Profiles Only Windows Profiles Only Program Caption
8. Click OK at the bottom of the box to save changes. Changes will be automatically applied to computers using this profile.
Block Web Sites Block Chat/IM Activity Block Internet Access Who to Block
To assign a profile:
1. In Manage Computers, select one or more computers or groups.
2. Open the Edit menu (or right-click) and select Assign Profile.
3. From the submenu or selection box, choose the profile you wish to apply to the selected computers. If both Windows and Mac computers are in the selection, choose a version for each platform, from each pane.
4. A message asks you to confirm the profile assignment for the number of selected computers (and groups). Click Yes to apply the profile or No to cancel. The assigned profile appears in the Computers list.
5. When the Recorder is installed or checks in with the CCS, it receives its new profile assignment.
If the profile assignment adds or removes a Viewer installation you MUST reinstall the Recorder using the Push option.
Multiple platforms
3. Select the profile to be used as the default from the submenu or select a profile for each platform from the dialog box.
Removing a Profile
Master Login Only. You can remove a Computer Profile if it is not being used.
To remove a profile:
1. First, make sure no computers are currently assigned the profile you wish to delete. If you attempt to delete a profile that is being used, a message appears: "Unable to delete the computer profile."
Select Manage Computers.
Click on the "Profile Name" column heading in the Computers list to sort the list by Profile Name.
If the profile you want to delete is assigned to any computers, select the computers and assign them a different profile.
2. Select Manage Recording Profiles.
3. Select the profile and click Delete on the toolbar - OR - Open the Edit menu (or right-click) and choose Delete.
4. A message asks if you want to remove the profile. Click Yes to continue or No to cancel. The deletion cannot be undone.
To update the Recorder Version (if you are not automatically updating versions), see Assigning a Version to Computers.
Serial Number - Must be registered and unlocked to appear.
Total Licenses - Total computer licenses purchased with this serial number. You can install one Recorder per license.
Licenses Available - Total number of licenses still available to assign to computers. If you have 0 (zero) licenses available, you need to add computer licenses before installing another Recorder.
Click OK to proceed.
Default ON
Description One grayscale snapshot every 30 seconds while user is active (other triggers OFF). All domains and URLs visited.
Default Security settings Security Recorder is installed in Stealth Mode Viewer is not installed with Recorder Hotkey to open Viewer Setting ON OFF Ctrl+Alt+Shift+S randomly named folder ON NONE 30 days 500 MB 45 days 30 MB ON OFF ON (minimum)
ON
Default Server settings Server Settings Recorder queries the Primary Server for licensing validation at Recorder uploads recorded events to the Data Vault at Recorder sends information to the Control Center at Recorder listens for Server communication at Recorder queries the Primary Server for licensing validation at Recorder uploads recorded events to the Data Vault at Recorder sends information to the Control Center at Recorder requests access to the Internet from the Web Filter Server at Port 16770 16769 16768 2468 16770 16769 16768 16771
Recorder stores data in Data files are hidden Password to access data files Screen Snapshot data is deleted after Screen Snapshot maximum data size is Other data is deleted after Other data maximum size is Enable Spector Client Recorder when Windows starts Warning message at logon Enable log file
Record When allows you to limit the times of recording. Application settings allow selective recording of programs. Record URLs limits recording of web activity by URL. Screen Snapshots can be taken less frequently. Email Filters can be used to omit email of no interest. Network Activity can exclude capture of activity by program. Data File settings can delete files sooner or keep them longer.
Make sure your recording settings and data storage limits are realistic. You don't want the user to run out of available disk space because of Spector 360 recording!
Stores event records in 15-minute chunks. Creates files in .sdf (SpectorSoft Data File) format. Files are hidden within a randomly named Windows system folder. Attempts to upload files every few minutes (240 seconds). Deletes the files from the local computer after a successful upload.
If locally stored files cannot be uploaded to the Data Vault, by default the Recorder follows these procedures:
After 45 days, or when the data files exceed 30 MB, the Recorder begins deleting the oldest data files. After 30 days, or when Screen Snapshot files exceed 500 MB, the Recorder begins deleting the oldest Snapshot files.
For computers that leave the network: Increase data storage limits to avoid losing data during the time the computer is disconnected. For low-performance computers: Decrease the maximum data size or duration, or disable some recording, to avoid problems.
Screen Snapshots
- The frequency with which snapshots are taken
- The capture format (high-resolution, color, grayscale, etc.)
- When snapshots are deleted at the local computer

Email data:
By default, recorded email is retained for 10 days or until 10 MB of disk space is used. The Recorder automatically starts deleting the oldest email data when it reaches one of these limits. So if a Recorder captures 2 MB of email a day, it will retain only 5 days of email data before it starts automatically deleting the oldest data. You can control:
- Which types of email are recorded
- Whether attachments are recorded
- The maximum size of attachments recorded
- Conditions (filtering) under which to record email or attachments
Email attachments are stored separately from other email data. If you enable capture of email attachments, be aware that these files (program executables, graphics, documents) can use a great deal of disk space. You can increase the Maximum Attachment Size from the default 100KB to up to 32767 bytes (about 3 MB). The Recorder will NOT store an attachment greater than 3 MB.
Chat/IM data:
By default, the Recorder retains 10 days or 3 MB of recorded Chat/IM conversations. It automatically starts deleting the oldest Chat/IM recordings when it reaches one of these limits. So, if the Recorder captures 1 MB of Chat/IM per day, then it can retain only 3 days of Chat/IM before it starts deleting the oldest data.
Keystroke data:
By default, the Recorder retains 10 days or 1 MB of recorded keystrokes. It automatically starts deleting the oldest keystroke recordings when it reaches one of these limits.
- A graphic representation of the screen as the user saw it
- Date and time the snapshot was taken
- Name of the program that had Windows focus
- The user logged in when the snapshot was taken
Timed snapshots provide near real-time "video" playback of the user's screen activity. Event-triggered snapshots (e.g., when a page is loaded or when a key is pressed) guarantee that you won't miss action, such as the user clicking through a series of web pages or suddenly moving a document into a new folder.
If users frequently create documents and scroll pages as part of normal work, you may want to avoid window title and scrolling event triggers to avoid excessive snapshot recording.
If users submit web forms as a part of normal work, you could specifically turn ON the web form submitted trigger as a means to document work, such as orders taken.
You might decrease the normal timed Snapshot frequency from 30 to 60 seconds (to save disk space) and increase the snapshot frequency when a Keyword is detected.
ON - Select this option (or toggle the left column button to green) to enable recording.
OFF - Select this option (or toggle the left column button to red) to disable recording. This will not affect other recording.
System Settings - If Screen Snapshot recording is ON, click this button to set the snapshot format, special options, triggers, and timing.
When the Data Vault receives Screen Snapshots, it directs these encrypted graphic files to the File Storage location.
Use the default gray scale format to save disk space. A hotkey combination is available to use at the recorded computer to take a manual on-the-spot snapshot. Set up Database Backups, Archives, and Restores to include snapshots.
1 Bit Monochrome: black-and-white; smallest file
4 Bit Grayscale: efficient and readable; recommended
4 Bit Color: graphic is indexed and reduced to 16 colors
8 Bit Color: graphic is indexed and stored in 256 colors
16 Bit Color: hi-color graphic stored in 65536 colors
24 Bit Color: true-color graphic stored in 16+ million colors
32 Bit Color: true-color with alpha channel; largest file (not recommended)

You can easily read a 4-bit grayscale snapshot of a computer display set to a much higher resolution. However, there is no point in attempting a higher level of capture (e.g., 16-bit color) than the screen resolution (e.g., 256 colors).

Include Secondary Monitors - Check to capture activity on multiple monitors when they are connected to the computer. Clear to capture activity only on the primary monitor.
Capture entire screen contents at once - Windows Profiles Only. Check this option only if snapshots are displaying screens in transition. By default, the Recorder does not capture the entire screen at once, because it is usually not necessary and may slow down some computers.
Capture Layered Windows - Windows Profiles Only. Check this option if you are missing snapshots because Window transparency (or translucency) is turned on. If you are not having problems, leave this option cleared.
Check for Blank Snapshots - Check this option if you want to remove "blank" snapshots where there is no visible desktop, windows, or commands. Clear this option to keep all snapshots, regardless of what they show.

New settings take effect when the Recorder checks in and when applications restart. You may want to restart computers from the Control Center.
Snapshots have built-in efficiency. When the Recorder takes a snapshot, it stores only the parts of the picture that have changed since the previous snapshot. Compression is applied to keep the file size as small as possible.
Website Page is loaded - An Internet browser is open and a page load event occurs (a user clicks a link at a web site).
Website form is submitted - Windows only. An online form is submitted. This could be a user login form, a banking money-transfer form, a registration form, an e-commerce order form, and so on.
Program is loaded - An application is opened. This is useful if you want a picture of programs a user launches in a day. Window Title changes - Windows only. The window title bar changes. A snapshot is taken when a document is opened, a "Save As" saves a document under a new name, or a web page is loaded in a browser. Note that this option has redundancy with the "Website Page is loaded" option; you may not need both options. An MS Word window title displays the document name.
If the user is inactive (not typing or using the mouse) for 3 minutes, snapshots are stopped until activity begins again.
Window Contents are scrolled - Windows only. The user scrolls the contents of any window in any application. Only one line of scrolling is needed to trigger the snapshot. This setting is useful when you need to see everything on a window the user is viewing.
Left mouse button is clicked - The user depresses the primary mouse button (usually the left button). A snapshot would be taken when the user clicks a hyperlink, places the cursor to begin typing, or selects a menu and menu item.
Do NOT use the Enter or Spacebar keys as triggers on a computer where a great deal of typing occurs.
Left mouse button is double-clicked - Windows only. The user clicks the primary button twice in rapid succession. A double-click starts an application from a desktop icon or takes action as programmed within an application.
Take Snapshot Every - Check this option to turn on timed snapshots. Clear to turn OFF timed snapshots. [30] Seconds - Use the arrows or type a number from 1 - 600 to set the number of seconds between snapshots. Every 30 seconds (default) provides a compromise between detail of information and use of disk space. Increasing the time (for example, raising the interval to 90 seconds) causes fewer snapshots to be taken. You may compromise the snapshot view of the user's activity. Decreasing the time (for example, lowering the interval to 4 seconds) causes more snapshots to be taken. More snapshots provide greater detail, but use up disk space and slow the computer.
Note that Keyword Watch Settings provide an option to trigger and increase snapshot frequency if a keyword is detected.
Right mouse button is clicked - The user clicks the secondary mouse button, which usually displays a menu of shortcut actions or "what's this" help.
Enter key is pressed - The user presses Enter to submit a form, add a paragraph break in a document, or execute a selected item.
Consider carefully which triggers to use for which users. Heavy computer usage with all the triggers activated could result in large amounts of recorded data.
You can configure a hotkey combination to press at the recorded computer that takes a snapshot. See Application settings.
Snapshot settings affect performance! It's possible but NOT recommended to take a snapshot every second. Taking a snapshot every 15 seconds may require 2 times as much storage as taking one every 30 seconds. A snapshot every 5 seconds may require 6 times the storage space.
Chat/IM
- Date and time the conversation took place
- Program the conversation was recorded in
- Chat or messaging protocol (type) used
- The local user involved
- Other users involved
- Which user said what
- Each segment of the actual conversation

The Spector 360 Recorder does NOT provide the ability to record any oral or voice conversations.

Chat logging in as...
AIM - America Online Instant Messenger accounts including AIM, AIM Express, Dead AIM, and AOL Chat.
BONJOUR - Apple Inc.'s service discovery protocol that allows chat between users on a local network, via iChat, Adium, or other Mac programs, without an instant messaging account.
ICQ - "I-Seek-You" supports instant messaging in ICQ clients (Windows or Mac), with Facebook friends, and posts to Twitter. Each user has a User Identification Number (UIN).
Mac.com or MobileMe - These Apple accounts can be used on a Mac in iChat, Adium, and other programs. Accounts are identified as ??@mac.com or ??@me.com.
MSN (Microsoft) - Microsoft accounts are used in Live Messenger, MSN Messenger, MS Exchange, MSN Chat, and other chat clients.
Protocols listed: OSCAR, BONJOUR, OSCAR, XMPP, MSN.
Chat logging in as...
YAHOO - Instant messaging in Yahoo Messenger, chat rooms, and other chat clients. Accounts are identified as ??@yahoo.com.
Jabber - Instant messaging within a Jabber application or using the XMPP protocol.
Skype - Text chat conversations (not voice) across a Skype connection are recorded. Skype is a peer-to-peer Internet telephony network.
GOOGLE - Google Talk (Gtalk) IM uses the XMPP open protocol and allows signing in via an AIM account.
Meebo - In-browser IM that supports multiple services, including Yahoo, MSN, AIM, ICQ, and Jabber.
MySpace and Facebook - IM at the MySpace and Facebook web sites is recorded.
Trillian - Third-party IM software that allows communication with AIM, MSN, ICQ, Yahoo, and IRC accounts simultaneously.
IRC - Internet Relay Chat; clients include mIRC, Trillian, ViRC, Pirch, Morpheus, XiRCON.
Protocols listed: YAHOO, IRC, XMPP, Depends on login.

If conversations are not recorded in Chat/IM Activity, look for them in Keystrokes, Web Sites Visited, Program Activity, and/or Screen Snapshots.
Chat/IM Settings
Spector 360 captures most conversations in online chat rooms or Instant Messaging (Yahoo, AOL, Live Messenger, MySpace, and so on). To access this panel, open the Profile and select Record > Chat/IM Activity.
ON - Select this option (or toggle the left column button to green) to enable recording. OFF - Select this option (or toggle the left column button to red) to disable recording. This will not affect capture of Chat/IM activity in Screen Snapshots, Keystrokes, and Program Activity.
System Settings - Windows Profiles Only. Click to open advanced settings. Do NOT change these settings unless you are sure you can do so without compromising the Recorder's ability to capture data.
Changes to these settings do not take effect until the user logs off and restarts all Chat/IM applications. You may wish to remotely restart the computer.
To add a port:
The Recorder monitors specific communications ports for different types of Chat/IM protocol. The Recorder can "listen" for a type of chat at multiple ports. Add a space following the default ports, and type the new port number in the appropriate field. Be sure to click OK on the Advanced Chat/IM Settings box to save your changes.
High-level - Captures content directly from the application window at "high level," resulting in a recording with greater detail (includes the Yahoo Emoticons and the HTML font being used). This approach can record conversations from encrypted communication, whereas low-level recording cannot. High-level capture is used as a backup to the low-level method, because it relies on a specific version of an application, which may change.
IRC Ports - (Default) Records at ports 6660-7000.
MSN Ports - (Default) Records at port 1863.
AOL/ICQ Ports - (Default) Records at port 5190.
Yahoo Ports - (Default) Records at 5050, 5101, 8001, 8002.
XMPP Ports - (Default) Records at port 5222.
Be careful! If you remove ports, you may compromise the Recorder's ability to record.
Auto - The Recorder determines whether to use low-level or high-level capture each time a Chat/IM event begins. Generally, the Recorder uses low-level capture unless (a) the communications protocol is encrypted or (b) it does not recognize the protocol.
Disabled - Disables capture of a Chat/IM protocol. Use this setting to turn off all recording of one chat type, such as MSN.
IRC - By default, the Recorder captures Internet Relay Chat at low-level.
MSN - By default, the Recorder captures Microsoft Network IM on Auto.
AIM/ICQ - By default, the Recorder captures AOL Instant Messenger and "I Seek You" (widely used in chat rooms and games) at Auto setting.
AOL - By default, the Recorder captures America Online communication at Low-Level.
Yahoo - By default, the Recorder captures Yahoo Instant Messenger and Chat at Auto setting.
XMPP - By default, the Recorder captures this XML-based protocol used by Jabber at Low-Level.
Low-level - The Recorder captures basic chat and IM conversations (text only) at "low level" when a "high level" capture is not possible. Low-level capture works well for most conversations, because it does not rely on a particular Chat/IM application version. The Recorder uses low-level capture for AOL Instant Messenger (AIM) and for third-party applications that interface with major providers (AOL, Yahoo, MSN), such as Trillian.
Email Activity
Capture Web IMs - Messaging at a web site, such as Windows Live Messenger or Yahoo Messenger.
Capture OSCAR80 - OSCAR is a messaging protocol used by AOL.
Capture MySpace443 - Messaging that occurs on MySpace.
Capture MSN Exchange - Microsoft messaging on an MS Exchange Server.
Capture Skype - Text chat through the Skype program.

- Date and time of email
- To, From, CC, and BCC addresses
- Subject line and message contents
- Type of email (SMTP, Webmail, AOL, etc.)
- Whether or not there is an attachment
IMAP Email - Windows/Mac. Internet Message Access Protocol email is captured when the email is opened. Outlook, Thunderbird, or Eudora may be configured to receive email via IMAP.
Exchange/MAPI Email - Windows. Email is recorded when sent or received from Microsoft Exchange and other clients using MAPI (Messaging Application Programming Interface).
Exchange Webmail - Windows/Mac. Outlook Web Access 2007 and 2010 (also known as Outlook Web App, or OWA), a webmail service of Microsoft Exchange Server, is recorded. Earlier versions of Exchange Webmail (Internal Webmail) can be captured by adjusting Email System Settings.
AOL Email - Windows/Mac. Email sent and received from AOL Mail or AOL Communicator (using SMTP/POP) is recorded. AOL attachments are not recorded. Web-based AOL email is recorded as Webmail (see below).
Webmail Recorded
The Spector 360 Recorder captures email sent and received through web email sites, such as Yahoo, Gmail, and Facebook. Because Internet email web site signatures change, Spector 360 periodically updates its webmail capture ability. Be sure that you are receiving regular Recorder Version updates from SpectorSoft. Webmail capture differs from recording of other email in the following ways:
Webmail - Windows/Mac. Email sent and received in web browsers, such as Hotmail, Yahoo, Gmail, and so on, is recorded when the email message is opened to be read or composed. Unread messages are not recorded until they are opened. Webmail attachments are NOT recorded. For a list of all web email sites recorded, see Webmail Recording.
The Recorder captures webmail when a message is composed or opened. A message received by a user is only recorded if the user opens the email to read it.
Lotus Notes - Windows. Lotus is a division of IBM and Notes is their Windows enterprise messaging system, analogous to the Microsoft Exchange product. Lotus Notes mail is recorded.
AOL, Webmail, IMAP are recorded when the message is opened for reading by the user. The Recorder does NOT capture attachments to AOL or Webmail messages.
The Recorder does NOT record attachments sent or received through webmail.
The Recorder captures webmail when email is composed or opened at most U.S. web sites and at the following international email sites.
Email Site - Email Address
AOL (Argentina) - http://www.aol.com.ar
AOL (Brasil) - http://www.aol.com.br
AOL (Canada) - http://www.aol.com.ca
AOL (France) - http://www.aol.com.fr
AOL (Germany) - http://www.aol.com.de
AOL (Mexico) - http://www.aol.com.mx
AOL (United Kingdom) - http://www.aol.co.uk
Earthlink - http://www.earthlink.net
GMX - Gmx.de, http://www.gmx.net, http://www.gmx.net/de
Hotmail (English & Japanese) - http://www.hotmail.com
Netscape (Canada) - http://www.netscape.ca
Novell Groupwise - Novell's enterprise messaging system, similar to Microsoft Exchange. Yahoo - "Personals" messaging is not captured, though all other email sent or received from the Yahoo Web site is recorded. AOL Communicator - Email is captured ONLY if it is configured to be sent and received as an SMTP/POP account. Webmail Attachments - The Recorder does NOT capture email file attachments sent or received using Web email accounts (Yahoo, Google, Hotmail, etc.).
Email Site - Email Address
WebDE - http://freemail.web.de
Yahoo (Argentina) - http://ar.yahoo.com
Yahoo (Australia) - http://mail.yahoo.com.au
Yahoo (Brazil) - http://mail.yahoo.com.br
Yahoo (Canada) - http://mail.yahoo.com.ca
Yahoo (Denmark) - http://dk.yahoo.com
Yahoo (France) - http://fr.yahoo.com
Yahoo (Germany) - http://mail.yahoo.de
Yahoo (India) - http://in.yahoo.com
Yahoo (Italy) - http://mail.yahoo.it
Yahoo (Mexico) - http://mx.yahoo.com
Yahoo (Norway) - http://mail.yahoo.no
Yahoo (Spain) - http://mail.yahoo.es
Yahoo (Sweden) - http://mail.yahoo.se
Yahoo (United Kingdom) - http://mail.yahoo.co.uk
ON - Select this option (or toggle the left column button to green) to enable recording. OFF - Select this option (or toggle the left column button to red) to disable recording. This setting does not affect capture of email activity in Screen Snapshots, Keystrokes, and Program Activity.
The Spector 360 Recorder captures AOL, Webmail, and incoming IMAP email when the message is opened for reading by the user. The Recorder does NOT record attachments to AOL or Webmail messages.
Record Attachments - Check to record email attachments. Clear to skip capture of attachment files. Maximum Attachment Size - Attachments larger than 100 KB (default) are NOT captured. Set any maximum size from 0 to 32767 KB (over 32 MB). Be careful! If you increase maximum size, you may need to increase the computer's storage space for retaining all non-snapshot data (default is 10 MB).
Email attachments can be large and numerous and take up disk space both on the local computer and in the central storage. Use an email Filter to limit capture of attachments, if necessary. Email recording must be ON, and all criteria of a rule must be TRUE before a rule is applied. To ensure new settings take effect, restart computers after changing filtering rules.
Configure Filter - Click this button to define rules that record or ignore email based on the email contents or other criteria.
System Settings - Click this button for advanced settings. Do NOT change these settings unless you are sure you can do so without compromising the Recorder's ability to capture data.
create your filter. Each rule you Add appears at the bottom of the Rules list. Rules are applied in the order they appear in this list.
2. Set priority for the Rules. The first rule in the list is applied first and becomes an "exception" for lower rules. Use the buttons to arrange the rules and change the logic:
Add - Add another rule.
Delete - Select a rule and click Delete to remove it.
Edit - Select a rule and click Edit to open the Email Rule box and change the conditions for a rule.
Move Up - Select a rule and click Move Up to move it up the list of rules and change the filtering logic.
Move Down - Select a rule and click Move Down to move it down the list and change the filtering logic.

For example:
Your company records too much in-house email, but you do not want to lose valuable tracking information about legal matters.
1. Rule One. Create a rule to look for email with "legal" in the Subject or Body AND "MyCompany.com" in both the To and From addresses. Email matching this condition should be recorded.
2. Rule Two. Create a second rule that looks for in-house email (SMTP/POP email with "MyCompany.com" in the To OR From address). Email matching this condition should be ignored.
3. Set Rule Priority. On the Email Filter box, position the first rule as an exception at the top of the list. Select "If none of the rules apply, then the email should be recorded." The following logic will be applied:
(a) In-house "legal" email: Record
(b) Other in-house email: Ignored
(c) All other email not matching these rules: Record.

3. If NONE of the rules apply, either record or ignore the email and/or its attachment.
recorded - (Default) Record email if the rules do not apply.
ignored - Ignore email if the rules do not apply.
4. Finally, click OK on the Email Filter box to set the rules and return to the Email Activity settings panel.
Sent from This Computer - Check to include email sent from this computer; clear to exclude email sent from this computer.
Received by This Computer - Check to include all email received by this computer; clear to exclude. If both items are checked, all email sent OR received by this computer is included.

Has attachments - Check to include email with attachments; clear to exclude attachments. If "Has attachments" is checked, you can specify the size of the attachment using the drop-down list and entry field. Attachment rules do not apply to webmail.
of any size - All attachments are included.
less than - Include only attachments smaller than the specified size. Type a number to represent the size in kilobytes.
greater than - Include only attachments larger than the specified size. Type a number to represent the size in kilobytes.
equals - Include only attachments of an exact size. Type a number to represent the size in kilobytes.
Does not have attachments - Check to include email with NO attachments; clear to exclude email without attachments. If both items are checked, email with OR without attachments is included.

If a rule specifies that attachments should be captured, Record Attachments also must be enabled in the Email Activity settings. Attachment rules do NOT apply to webmail.

And the email's format is: To include all email formats, leave all boxes checked.
Plain Text (text only) - Check to include; clear to exclude.
HTML (hypertext markup language - includes graphics and special fonts) - Check to include; clear to exclude.
RTF (rich text format - includes graphics and special fonts) - Check to include; clear to exclude.
If all items are checked, the email can be in any format.
And the email comes from: The default is to include all email sources: SMTP / POP, Webmail accounts, AOL accounts, Microsoft Exchange accounts and IMAP accounts.

And the email's To / From / Subject / Body: For each part of the email header, you can create conditions based on what appears in the To address, the From address, the Subject, or the entire Body of the email. The email must match these conditions in order to be recorded (or ignored). Use the drop-down list next to each field to select how to match, and type a word or characters to indicate what to match.
is anything - (Default) All email is included, regardless of what is in the field; leave the field next to it blank.
starts with - The beginning of the email field matches what you type in the adjacent box. For example, "Robert" matches robert@mycompany.com or robertk@yahoo.com.
ends with - The end of the email field matches what you type in the adjacent box. For example, you might look in the To field for matches to "TheirCompany.com" and capture email sent to sales@theircompany.com and jane@theircompany.com.
contains - The email field contains the characters typed in the adjacent box. For example, you might look for "weapons" anywhere in the Body of an email.
equals - The email field exactly matches what you type in the adjacent field.
Click OK to close the box and set the rule. Click Cancel to close the box without saving changes. Set the priority of this and other rules when you return to the Email Filter box.
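The rule ordering described for the Email Filter box and the match types of the Email Rule box can be checked with a small model before a filter is deployed. This is an added example, not SpectorSoft code: it assumes first-match-wins ordering and case-insensitive matching, takes the "Subject or Body" and "To OR From" combinations from the guide's example as given, and uses constructed email addresses.

```python
# Added example: a model of the Email Filter's rule ordering (not product code).
from dataclasses import dataclass

# Match types offered in the Email Rule box. Matching is case-insensitive
# here because the guide's example has "Robert" match robert@mycompany.com.
MATCHERS = {
    "is anything": lambda value, text: True,
    "starts with": lambda value, text: value.startswith(text),
    "ends with": lambda value, text: value.endswith(text),
    "contains": lambda value, text: text in value,
    "equals": lambda value, text: value == text,
}


@dataclass(frozen=True)
class Condition:
    fields: tuple          # email fields to test, e.g. ("subject", "body")
    how: str               # one of MATCHERS
    text: str = ""
    combine: str = "any"   # assumption: "any" = OR across fields, "all" = AND

    def matches(self, email):
        test = MATCHERS[self.how]
        needle = self.text.lower()
        hits = [test(email.get(f, "").lower(), needle) for f in self.fields]
        return any(hits) if self.combine == "any" else all(hits)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "recorded" or "ignored"
    conditions: tuple
    sources: frozenset = frozenset()  # empty set = all email sources

    def matches(self, email):
        if self.sources and email.get("source") not in self.sources:
            return False
        # All criteria of a rule must be TRUE before the rule is applied.
        return all(c.matches(email) for c in self.conditions)


def decide(rules, email, if_none_apply="recorded"):
    """Return (action, rule name); the first matching rule in the list wins."""
    for rule in rules:
        if rule.matches(email):
            return rule.action, rule.name
    return if_none_apply, None


# Rule One and Rule Two from the guide's example.
RULE_ONE = Rule("legal in-house", "recorded", (
    Condition(("subject", "body"), "contains", "legal", "any"),
    Condition(("to", "from"), "contains", "MyCompany.com", "all"),
))
RULE_TWO = Rule("in-house", "ignored", (
    Condition(("to", "from"), "contains", "MyCompany.com", "any"),
), sources=frozenset({"SMTP/POP"}))
RULES = [RULE_ONE, RULE_TWO]

# Constructed test messages.
LEGAL_INHOUSE = {"source": "SMTP/POP", "from": "alice@mycompany.com",
                 "to": "bob@mycompany.com", "subject": "Legal hold notice"}
LUNCH_INHOUSE = {"source": "SMTP/POP", "from": "alice@mycompany.com",
                 "to": "bob@mycompany.com", "subject": "Lunch?"}
OUTSIDE_COUNSEL = {"source": "SMTP/POP", "from": "counsel@example.net",
                   "to": "bob@mycompany.com", "subject": "Legal review"}
UNRELATED = {"source": "Webmail", "from": "carol@example.net",
             "to": "dave@example.org", "subject": "Quote"}

if __name__ == "__main__":
    for label, msg in [("legal in-house", LEGAL_INHOUSE),
                       ("other in-house", LUNCH_INHOUSE),
                       ("outside counsel", OUTSIDE_COUNSEL),
                       ("unrelated", UNRELATED)]:
        print(label, "->", decide(RULES, msg))
    print("rules swapped ->", decide([RULE_TWO, RULE_ONE], LEGAL_INHOUSE))
```

With the rules in the documented order the legal in-house message is recorded, but swapping them ignores it, and a "legal" message from an outside sender to an employee is ignored either way because Rule Two matches MyCompany.com in the To OR From address.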
If you do need to make changes to System Settings, ensure they take effect by restarting the computer.
Polling Interval - The Recorder polls the Lotus Notes Server for updated information. If you have a busy network you may want to increase the polling interval to reduce load on the system. Default is every 30 seconds, and the maximum is 3600 seconds (1 hour).
To set options:
Check for duplicate emails - By default Spector 360 checks for and ignores duplicate email messages. Clear the check box to record all email sent and received. Omitting duplicate email is useful when an antivirus or other third party program has sent email duplicates. Spector 360 keeps a list of the last 100 email messages received. If an exact duplicate is received and this option is set, the duplicate is ignored. This list restarts when you turn off the computer.
IMAP Email - Incoming IMAP email. Programs using IMAP for incoming email usually use SMTP for outgoing email (see below). AOL Email - Email composed or opened using the proprietary AOL Internet interface. AOL email is recorded when the user opens received email or composes an email. If the email is listed in AOL, but is not opened by the user, it is not recorded.
Use alternate MAPI capture - Use this option when requested by Technical Support. Enable this option only if the Recorder conflicts with add-in software to cause unexpected behavior in a MAPI email client (such as Microsoft Outlook).
Web Email - Email messages sent and received through a Web browser (Webmail) using Hotmail, Yahoo, AOL, Gmail, etc. SMTP/POP Email - Email sent using SMTP and received using POP. Many standard mail programs, Microsoft Outlook, Outlook Express, Incredimail, and Eudora, use SMTP and POP protocols.
Exchange/MAPI Email - Email from MS Exchange or another application incorporating MAPI functionality to become "mail-enabled." Microsoft Office Suite is MAPI enabled.
Scan ONLY Inbox for pre-existing new emails - The Exchange / MAPI Email option must be enabled. Check to capture unread Exchange/MAPI email ONLY in the user's Inbox folder. Clear to capture unread messages in ALL folders in the Exchange mailbox. If you change this option, the user must log out and log in for the change to take effect.
Exchange-Web(2000), Exchange-Web(2003), OpenWebmail, SqWebMail. Type the host location in the first field. This is the URL of the mail server, which usually starts with "mail" instead of "www," such as "mail.school.edu." If you wish, check the "Host might be accessed by the following IP address" and enter the IP address of the webmail host. If you don't know the IP address, click the Resolve button. The IP address is optional.
5. Click OK to return to the Email System Settings, where the webmail host is now listed and will be recorded.
Note that Spector 360 automatically captures Outlook Web Access 2007 and 2010 (also known as Outlook Web App, or OWA), a webmail service of Microsoft Exchange Server. Use this system setting to capture earlier versions of Exchange webmail.
SMTP Ports: Monitors port 25 to capture outgoing SMTP email, such as that sent by MS Outlook. POP Ports: Monitors ports 109 and 100 to capture incoming POP email, such as that received by MS Outlook. IMAP Ports: Monitors port 143 to capture incoming IMAP email received via a remote server.
Document Tracking
Document Tracking allows you to determine who, when and what is happening to sensitive documents and how resources are being used. Initially, only printing and CD/DVD burning are tracked, but you can turn on settings to track the recorded user's document activity at any location on the local computer or on the network.
- Who copied, deleted, or modified an important network document
- If there has been movement of confidential documents
- Whether intellectual property theft is occurring
- How print resources are being used
ON - Select this option (or toggle the left column button to green) to enable recording. OFF - Select this option (or toggle the left column button to red) to disable recording. This setting has no effect on the other recording tools.
Document Tracking on a local hard drive can generate an enormous amount of data. Enable tracking on a local hard drive ONLY with file filters to limit folders and files tracked.
Configure File Tracking Options for each Drive - Windows Profiles Only. Select a lettered or known UNC drive to track (or not track). For example, you would choose this option to watch a particular network drive, or to change the definition of Default File tracking for all drives. See File Tracking for Each Drive.
1. Select Include to include a list of files to track. Select Exclude to track all documents except for a list of files.
2. Click the Add button to add a filter. See Document Tracking File Filter for complete rules.
Remove a filter by selecting it and clicking the Delete button.

For example...
- To track a network drive where sensitive documents are kept, you would Configure File Tracking for the specific drive.
- To track downloading of Network documents, you would Use File Tracking Options based on the "Network" drive type, watch all activity, but be sure to add a File Name Filter to narrow results.
- To track ONLY files on a Network drive that include a "confidential" folder in the path, you add a file name filter that directs Spector 360 to INCLUDE *\confidential\* in the path.
Track Printed Documents - Check to record documents submitted to a printer, including the name of the print job, the job owner, number, size, and date and time submitted. Clear this option to omit tracking printed documents.
Track WinXP CD/DVD Burning (IMAPI) - Windows Profiles Only. Check to record files being written to a CD/DVD device if the application is using Windows IMAPI (Image Mastering Applications Programming Interface). Disc burning on older, proprietary interfaces may not be captured. Clear this option to omit this type of tracking.
Deleting Files - Records an "event" when a file is deleted (someone removes a file or folder).
Renaming Files - Records an "event" every time a file is renamed.
Check the types of drives you wish to track. Clear the drives you do not wish to track:
CD/DVD - Any drive where a CD or DVD device is detected. Note that if a CD/DVD driver does not support file actions (create/modify/delete) at the drive, activity will not be recorded. To capture CD/DVD burning on Windows, select the CD/DVD burning (IMAPI) option at the bottom of this panel.
Local - Includes the local hard drive (or drives). Be very careful choosing this setting. Windows generates a large number of file operations on local hard drives, and you probably don't want to record ALL activity. If you need to track local drives, limit the activities you track or use File Name Filtering to focus in on directories, files, or file types.
For example, the above setting tracks all activity initiated by this user, omitting only activity on Local hard drives and Other drives.
For File Tracking based on drive type, Spector 360 considers files addressed by UNC names to be on "Network" drives.
Network - Any remote (non-local) drive detected by the operating system. For example, if the user opens a file on the network S: drive, eBlaster would capture the event.
Removable - Any drive detected as a removable device, such as a USB memory stick, external CD/DVD, MP3 player, or camera.
Other - If the device (camera, phone, etc.) is not detected as any of the above, use this option to capture file activity.
Creating New Files - Records an "event" when a new file is created. Creating a new file includes copying a file to a location where it did not exist before.
Writing to Existing Files - Records an "event" when a file is opened for writing (someone opens, edits, and saves or does not save changes).
If no "Type" is listed (Local, Network, CD/DVD, Removable), the drive is not currently active or mapped. UNC is the last choice in the list and applies to activity that occurs when the user navigates to a shared location on the network.
If a drive is added or a drive mapping changes, Default Tracking is automatically applied to the new drive. This means NO FILE TRACKING WILL TAKE PLACE.
Do NOT Track files on this drive - Turns off ALL file tracking on the drive.
Use Default File Tracking - Uses Default File Tracking for this drive (the default).
Use Custom File Tracking, Track if - Select specific actions to record or not record on the selected drive (see below).
Be careful when turning on file tracking for LOCAL and commonly used NETWORK drives. Use File Filtering, if necessary, to avoid getting too much data.
Creating New Files - Records an "event" when a new file is created. Creating a new file includes copying a file to a location where it did not exist before.
Writing to Existing Files - Records an "event" when a file is opened for writing (someone opens, edits, and saves or does not save changes).
Deleting Files - Records an "event" when a file is deleted (someone removes a file or folder).
Renaming Files - Records an "event" every time a file is renamed.
Click OK on the Custom Tracking Settings box to return to Document Tracking settings, where your selections are displayed in the "Tracking" column.
File tracking at Drive G: on Create + Write + Delete + Rename
You need to track ANY copying of files to removable drives (as shown above).
You need to watch all of a user's document activity for a few days. You would select all options and assign the recording profile only to high-risk computers.
You need to track ALL activity that occurs to a sensitive document at any location. You would select all options, but define a file filter on the Document Tracking main settings panel.
Be careful! You may end up tracking more activity than you need! Custom File Tracking by drive (below) or tracking by Drive Type is easier to control than changing the Default Tracking.
Check the types of drives you wish to track. Clear those you do not wish to track:
CD/DVD - Any drive where a CD or DVD device is detected. Note that if a CD/DVD driver does not support file actions (create/modify/delete) at the drive, activity will not be recorded. To capture CD/DVD burning on Windows, select the CD/DVD burning (IMAPI) option at the bottom of this panel.
Local - Includes the local hard drive (or drives). Be very careful choosing this setting. Windows generates a large number of file operations on local hard drives, and you probably don't want to record ALL activity. If you need to track local drives, limit the activities you track or use File Name Filtering to focus in on directories, files, or file types.
Network - Any remote (non-local) drive detected by the operating system. For example, if the user opens a file on the network S: drive, eBlaster would capture the event.
Removable - Any drive detected as a removable device, such as a USB memory stick, external CD/DVD, MP3 player, or camera.
Other - If the device (camera, phone, etc.) is not detected as any of the above, use this option to capture file activity.
Creating New Files - Records an "event" when a new file is created. Creating a new file includes copying a file to a location where it did not exist before.
Writing to Existing Files - Records an "event" when a file is opened for writing (someone opens, edits, and saves or does not save changes).
Deleting Files - Records an "event" when a file is deleted (someone removes a file or folder).
Renaming Files - Records an "event" every time a file is renamed.
Click OK. Changes will be applied when the Recorder checks in with the CCS. You may want to restart the recorded computer to make sure changes apply to all applications.
For example:
Include or exclude all Word documents: *\*.doc
All documents in any directory with "private" in the file name: *\*private*.*
All documents on the C: drive with "private" in the file name: c:\*\*private*.*
All documents (UNC) on a specific host: \\192.168.1.20\*\*\*.*
All Word documents at any UNC location: \\*\*\*\*.doc
All Word documents on any lettered drive: *:\*\*.doc
All documents with the file type "as" plus one additional letter (as in .asp): *.as?
Click OK to add the filter to the include/exclude list or cancel to discard the filter.
Files Transferred
To use wildcards:
You can use wildcards to specify a path, a filename, or a file type. The Spector 360 Recorder will include or exclude files represented as long as file tracking is ON for the drive or drive type.
Use the * (asterisk) wildcard to match zero or more characters.
Use the ? (question mark) wildcard to match any one character.
Use *\* to find the match on any path.
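The wildcard rules and example filters in this section, as an added Python example (not part of the Spector 360 guide or product) for checking what an Include or Exclude list would leave tracked before a profile is deployed. It assumes matching is case-insensitive, that a filter must match the whole path, and that * may span backslashes; the function names and sample paths are constructed for illustration.

```python
"""Dry-run Document Tracking file filters against sample paths.

Assumptions (not confirmed by the manual): matching is case-insensitive,
a filter must match the whole path, and * may span backslashes.
"""
import re


def filter_to_regex(pattern):
    """Translate a filter that uses * and ? into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")          # zero or more characters
        elif ch == "?":
            parts.append(".")           # exactly one character
        else:
            parts.append(re.escape(ch))  # everything else is literal
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matches(path, pattern):
    """True when the whole path matches the filter."""
    return filter_to_regex(pattern).fullmatch(path) is not None


def is_tracked(path, mode, filters):
    """Apply an Include list (track only matches) or an Exclude list."""
    hit = any(matches(path, f) for f in filters)
    if mode == "include":
        return hit
    if mode == "exclude":
        return not hit
    raise ValueError("mode must be 'include' or 'exclude'")


def coverage(paths, mode, filters):
    """Return the paths that the filter list would leave tracked."""
    return [p for p in paths if is_tracked(p, mode, filters)]


# Constructed sample paths; none of these come from the manual.
SAMPLE_PATHS = [
    r"\\fs01\finance\confidential\q3-forecast.xlsx",
    r"\\fs01\finance\public\holiday-schedule.doc",
    r"\\192.168.1.20\hr\reviews\2011-private-notes.txt",
    r"C:\Users\amy\Documents\private_plan.doc",
    r"C:\inetpub\wwwroot\default.asp",
    r"C:\inetpub\wwwroot\default.aspx",
    r"E:\backup\contracts.doc",
]

# Filters copied from this section of the guide.
PAGE_FILTERS = [
    r"*\confidential\*",
    r"*\*.doc",
    r"*\*private*.*",
    r"c:\*\*private*.*",
    r"\\192.168.1.20\*\*\*.*",
    r"\\*\*\*\*.doc",
    r"*:\*\*.doc",
    r"*.as?",
]

if __name__ == "__main__":
    for flt in PAGE_FILTERS:
        print("INCLUDE", flt)
        for path in coverage(SAMPLE_PATHS, "include", [flt]):
            print("   ", path)
```

Under the stated assumption that * spans backslashes, a filter such as *\*private*.* also matches "private" in a folder name, so compare the dry-run result with a short test recording before relying on a filter to limit data volume.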
If pirated software is being downloaded
Bandwidth usage due to video and music downloads
Inappropriate exchanges of information
Which upload/download domains you need to block from access
Use of computer resources to archive and exchange large files
Security risks in sharing with unknown Internet users

P2P Programs Recorded: Kazaa, Kazaa Lite, Morpheus, Gnucleus, LimeWire, Phex, Swapper, XoloX
P2P NOT Recorded: BearShare

Program used to transfer files
Date and time the transfer was recorded
Type of transfer: upload or download
Name of the file transferred
Type of the file transferred: audio, image, video, software program, compressed, or unknown file
FTP - File Transfer Protocol (FTP), is a standard protocol used to exchange files between computers over a TCP/IP network (such as the Internet or an Intranet). FTP is commonly used to upload files to a server and to download files to a local computer.
HTTP - Hypertext Transfer Protocol (HTTP) is a set of rules for transferring files - text, graphic images, sound, video, and other multimedia files - on the World Wide Web. HTTP makes its requests and responses over a TCP/IP network.
Peer to Peer (P2P) - Peer to peer communications allow direct file exchanges between two computers over the Internet. Unlike FTP, there is no concept of a formal "server." Protocols captured include Kazaa and Gnutella (which is used by Morpheus, Gnucleus, LimeWire, Phex, Swapper, and XoloX); these protocols rely on HTTP ports to transfer files.

Access to pornography
Illegal copies of copyrighted music, software, and other media
ON - Select this option (or toggle the left column button to green) to enable recording.
OFF - Select this option (or toggle the left column button to red) to disable recording. This setting has no effect on the other recording. Network and Document activity can still be recorded.
Gnutella Ports - Lists the ports commonly used for Gnutella activity separated by a space. If a non-standard Gnutella port is used, type a space and add the port to this field.
System Settings - Windows Only. Click this button for advanced Files Transferred settings that allow you to add Gnutella and FTP ports, or turn off capture of HTTP uploads. More...
You will see evidence of port activity in the Dashboard's Network Activity details. Note the FTP or Gnutella port and add it to this panel. See Troubleshooting File Transfer Recording.
FTP Ports - Lists ports commonly used for FTP activity. If a nonstandard FTP port is used, type a space and add the port to the list.
Keystrokes Typed
Keystroke Recording
The Spector 360 Recorder logs every visible and non-visible keypress, providing clear proof of what was typed in any application or at any web site. It can capture extended keystrokes, such as keystrokes used to render non-Latin characters. Keystrokes typed in one program window (up to a certain length) are captured as one Keystroke event.
Keystroke recording allows you to find out:
If someone uses a password inappropriately
Where a user has typed a "hidden" Ctrl+C and Ctrl+V
What was typed in a program, whether or not you have access
What was typed, even when the email or document was subsequently changed or deleted

All keystrokes typed in the window
Total count of keystrokes typed
Date and time the keystrokes were recorded
Start and end times: there may be multiple start and stop times within the window if there were typing delays of more than five minutes
Name displayed in the Window's Title bar
Program used and user logged in
Text entered from a tablet (written with a stylus) will NOT be captured as keystrokes. However, you will have Screen Snapshots, and a record of the document, email, or online searching activity.
When you enable this option, a message asks if you would prefer to completely disable capture of form data to avoid capture of passwords. Choose Yes to disable POST forms capture, ensuring no passwords will be captured. Choose No to mask keystroke passwords, but allow capture of form data, whether or not passwords are included.
System Settings - Windows Only. Click this button to access the Record Characters option, which is useful for monitoring computers being used in other languages. More...
The Recorder does not capture mouse activity.
you are monitoring someone using a language that requires more than one keystroke to create a character (for example, Japanese).
ON - Select this option (or toggle the left column button to green) to enable recording.
OFF - Select this option (or toggle the left column button to red) to disable recording.
Do Not Capture Passwords - Check to "mask" password entry with asterisks (*) so they do not show up in Keystrokes Typed reports. Clear to see all password keystrokes.
A user name and masked password
Enabling this option may not prevent capture of passwords with form (Post) data, which appears in the Dashboard as part of web site activity when Record POSTs is enabled. This means passwords will be visible in some cases where a web site login was used.
When this box is checked, the Dashboard displays a Characters tab and shows characters resulting from combined or extended keystrokes. Characters will also appear in Email and Chat/IM events IF the application used supports the language used. By default, character information is not captured unless you are using an operating system designed for an international character set. See Keystrokes vs. Characters.
IME Assistance
Some languages (like Japanese) have too many characters for a normal keyboard to accommodate. For these languages, an Input Method Editor (IME) helps users enter characters. For example, the Japanese IME converts the keystrokes nihongo into these three characters:
Keystrokes are the physical keys you press on your keyboard. Pressing keys on the keyboard may or may not generate a character. For example, to generate capital A, you would type the SHIFT key (which does not generate a character) and the A key. The first keystroke is a dead key because it does not produce any characters by itself.
Characters are the glyphs (the pictures of characters) displayed as a result of the keystrokes. The dollar sign glyph $ on a standard western keyboard is generated by pressing the SHIFT key and the 4 key.
Network Activity
Number of bytes sent during the event
Number of bytes received during the event
Duration of the event

To common network IP addresses in the ranges normally used for local networks. You can change settings to include these ports, but you risk receiving a very large number of network events. The standard LAN ports include:
10.*.*.*:* - Represents connections made at the local computer to itself
169.254.*.*:* - Represents local area network ranges commonly used by DHCP
192.168.*.*:* - Represents local area network ranges commonly used within a network

Name of the program that established the network connection
Start and end time of event
Protocol used for connection
Domain name where connections were made
IP address of the target connection
Port used for the connection
Number of connections during the event
Turning off Network Activity recording has no effect on the recording of Files Transferred, Document Tracking, Web Sites visited, or other types of recording.
Record network activity for only these programs listed - Record ONLY the listed programs.
Record network activity for all programs except these listed - EXCLUDE the listed programs.
Click Add in the Programs section. In the Select Programs box, select the programs you wish to include or exclude. Use the Browse button to navigate to and select any executable file.
ON - Select this option (or toggle the left column button to green) to enable recording.
OFF - Select this option (or toggle the left column button to red) to disable recording.
For example, you may want to exclude programs such as Internet Explorer (Iexplore.exe) to avoid duplicating activity already captured by Web Sites Visited recording. The folder path of the file name is NOT necessary. Click OK to add the program to the list. The listed programs will be recorded (or excluded from recording).
Start the program you want to select and then click Refresh on the Select Programs box to display it in the list.
All network connections have IP:Port information. The IP is the address of the computer where the connection was established, and the port locates the connection at the computer. Ports are like phone extensions to a single phone number. Some port numbers are well known, standard Internet connections. For example, port 25 is almost always used for SMTP email, and Port 80 is almost always used for web page connections.
Capture network activity for these IP ports listed - Select to include ONLY activity at the listed IP ports. Be sure to REMOVE the default ports and Add the ports to include. For example, to capture ONLY web traffic, clear all ports and add 80 (*.*.*.*:80).
Capture network activity for all IP ports except those listed - By default, Spector 360 captures activity at ALL ports EXCEPT those listed, which would result in large amounts of recorded data. You can exclude additional ports. For example, port 25 is almost always used for SMTP email. You might exclude this activity if you get enough data from Email recording by adding (*.*.*.*:25).
Click Add to add new ports. In the IP:Port box, type the IP address and port, or use * (asterisk) to specify ANY value.
All ports at a local computer might be: 192.168.0.90:*
Email at any IP address using the standard SMTP port is: *.*.*.*:25
If you don't know the IP address, under Computer and Domain Name Resolver enter the "friendly" computer name known on the network (such as OFFICE005) or a domain name (such as amazon.com) and click the Resolve button. If the name can be resolved to an IP address, it is displayed in the IP fields above. In the example above, activity at Amazon.com would be excluded (or included).
Click OK to accept the entry, or Cancel to reject it. The window closes. If the entry was accepted, the IP and Port is added to the IP:Ports list.
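The IP:Port entries described for Network Activity, as an added Python example (not from the Spector 360 guide or product) that shows which connections each of the two capture modes would record. The entry syntax and the default LAN entries are the ones listed in this guide; the function names, mode names and sample connections are constructed, and the example assumes each of the four octets and the port is either a number or *.

```python
"""Dry-run Network Activity IP:Port entries against sample connections."""

# Default entries as listed in this guide for local network ranges.
DEFAULT_LAN_ENTRIES = ["10.*.*.*:*", "169.254.*.*:*", "192.168.*.*:*"]


def parse_entry(entry):
    """Split 'a.b.c.d:port' into four octet fields and a port field."""
    ip_part, sep, port_part = entry.rpartition(":")
    octets = ip_part.split(".")
    if not sep or len(octets) != 4:
        raise ValueError("expected a.b.c.d:port, got %r" % entry)
    for field in octets + [port_part]:
        if field != "*" and not field.isdigit():
            raise ValueError("bad field %r in %r" % (field, entry))
    return octets, port_part


def entry_matches(entry, ip, port):
    """True when the connection's IP and port satisfy the entry."""
    octets, port_part = parse_entry(entry)
    actual = ip.split(".")
    if len(actual) != 4 or not all(a.isdigit() for a in actual):
        return False
    ip_ok = all(w == "*" or int(w) == int(a) for w, a in zip(octets, actual))
    port_ok = port_part == "*" or int(port_part) == int(port)
    return ip_ok and port_ok


def is_captured(ip, port, entries, mode):
    """mode 'only_listed' captures matches; 'all_except' captures the rest."""
    listed = any(entry_matches(e, ip, port) for e in entries)
    if mode == "only_listed":
        return listed
    if mode == "all_except":
        return not listed
    raise ValueError("mode must be 'only_listed' or 'all_except'")


def captured(connections, entries, mode):
    """Return the (ip, port) pairs that would be recorded."""
    return [(ip, port) for ip, port in connections
            if is_captured(ip, port, entries, mode)]


# Constructed sample connections (documentation and private address ranges).
SAMPLE_CONNECTIONS = [
    ("192.168.1.5", 445),
    ("10.0.0.7", 3389),
    ("169.254.10.2", 137),
    ("198.51.100.10", 80),
    ("203.0.113.25", 25),
    ("203.0.113.25", 443),
]

if __name__ == "__main__":
    print("defaults excluded:",
          captured(SAMPLE_CONNECTIONS, DEFAULT_LAN_ENTRIES, "all_except"))
    print("also excluding SMTP:",
          captured(SAMPLE_CONNECTIONS,
                   DEFAULT_LAN_ENTRIES + ["*.*.*.*:25"], "all_except"))
    print("web traffic only:",
          captured(SAMPLE_CONNECTIONS, ["*.*.*.*:80"], "only_listed"))
```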
Flush after n minutes of inactivity - Enter the number of inactivity minutes that should pass before the Network event ends. "Inactivity" is the number of minutes that should transpire between network connections before recording of an event. The default inactivity time is 10 minutes.
If the inactivity time period passes without any new connections being made, the Recorder records current activity as an "event," including the count of connections made during the event.
For example:
If you browse CNN in the morning for 5 minutes and again at lunch for 15 minutes, two separate network events involving cnn.com are recorded (inactivity was detected between morning and lunch).
If you are browsing CNN in the morning and continue to browse continuously until lunch, a single event with many connections would be recorded (no inactivity detected).
Notes:
Reducing the minutes in this setting generates more events.
Raising the minutes in this setting generates fewer events with more connections.
A connection to the same network IP address but at a different port is always recorded as a separate network event.
If more than one connection is made by the same program to the same network address/port within a period of activity, the Recorder will not "start" a new event; it will add the connection to the current event.
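The inactivity flush described for Network Activity, as an added Python example (not the Recorder's own code) that groups a connection log into events the way this section describes: one event per program, address and port, closed once the inactivity period passes. The record layout, names and sample connections are constructed, and treating a gap exactly equal to the setting as inactivity is an assumption.

```python
"""Group connections into network events using an inactivity flush."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class NetworkEvent:
    program: str
    address: str
    port: int
    start: datetime
    end: datetime
    connections: int = 1


def group_connections(connections, inactivity_minutes=10):
    """connections: iterable of (timestamp, program, address, port)."""
    gap = timedelta(minutes=inactivity_minutes)
    open_events = {}   # (program, address, port) -> event still open
    finished = []
    for ts, program, address, port in sorted(connections):
        key = (program, address, port)
        event = open_events.get(key)
        if event is not None and ts - event.end < gap:
            # Same program, address and port within the activity period:
            # add the connection to the current event.
            event.end = ts
            event.connections += 1
            continue
        if event is not None:
            finished.append(event)   # inactivity passed: flush the old event
        open_events[key] = NetworkEvent(program, address, port, ts, ts)
    finished.extend(open_events.values())
    return sorted(finished, key=lambda e: (e.start, e.port))


def _at(hour, minute):
    return datetime(2011, 10, 27, hour, minute)


# Constructed sample: browsing in the morning and again at lunch,
# plus one connection to the same address on a different port.
SAMPLE_CONNECTIONS = [
    (_at(9, 0), "iexplore.exe", "cnn.com", 80),
    (_at(9, 2), "iexplore.exe", "cnn.com", 80),
    (_at(9, 5), "iexplore.exe", "cnn.com", 80),
    (_at(12, 0), "iexplore.exe", "cnn.com", 80),
    (_at(12, 1), "iexplore.exe", "cnn.com", 443),
    (_at(12, 4), "iexplore.exe", "cnn.com", 80),
    (_at(12, 9), "iexplore.exe", "cnn.com", 80),
    (_at(12, 15), "iexplore.exe", "cnn.com", 80),
]

if __name__ == "__main__":
    for minutes in (10, 1):
        events = group_connections(SAMPLE_CONNECTIONS, minutes)
        print("flush after", minutes, "min ->", len(events), "events")
        for e in events:
            print("   ", e.start.time(), e.end.time(), e.port, e.connections)
```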
Online Searches
How many personal searches an employee conducts
Indicators of possible inappropriate or even violent behavior
How a productive employee conducts research on the Internet

When, where, and who was searching
Words entered by user for the search, such as "jobs in Hawaii"
Internet site where the search was entered
The protocol or Uniform Resource Identifier, used at the site (HTTP, HTTPS)
Web Site Recording must be ON to capture online searches. Searches are captured along with other Web Site activity.
Program Activity
Times employees are actively using productivity programs
Which productivity programs users prefer
How much time is wasted on games or frivolous programs
If unapproved programs are being used
For each program event, the Recorder captures:
Date and time the program window was opened
Title of the program window
Name of the program
User who executed the program
Total time the program was open
Time the program had focus
Time keyboard and mouse activity were taking place
When and how many times the program was opened during a day

ON - Select this option (or toggle the left column button to green) to enable recording.
OFF - Select this option (or toggle the left column button to red) to disable recording. This setting has no effect on the other recording tools. Program activity will still be visible in Screen Snapshots and Keystrokes.
User Activity
ON - Select this option (or toggle the left column button to green) to enable recording.
OFF - Select this option (or toggle the left column button to red) to disable recording.
When this recording is ON, a chart of activity for the user appears in the User Activity view.
Who is taking long lunches or coffee breaks
If anyone is logging on at night or on weekends
Where and when recording has been interrupted on a computer
There are no settings for User Activity Recording. As long as recording is ON for the applicable time periods, log on and log off events will be recorded.
Which users are web surfing, how often, and when
Who is visiting inappropriate web sites
If a web page was opened and forgotten or actively used
Total time a user spent at a non-work-related site
Which web sites you should be blocking
Whether it makes sense to block all Internet access for periods during the day

Address (URL) of the web site
Date and time of visit
How many visits occurred
Total time the site was open
Time the site had focus
Time the user was active on the site
The window title of the site
Type of request sent to the web server:
Web: The user navigated to this web page
Post: The user submitted a form through the web page to a server
Redirected: The requested page was redirected to another page
Redirector: The requested page sent the user to another page
Blocked: The requested page was blocked
Blocked Redirector: The requested page redirected the user to a blocked page
Blocked Redirected: The user was redirected to this page and it was blocked.
ON - Select this option (or toggle the left column button to green) to enable recording.
OFF - Select this option (or toggle the left column button to red) to disable recording. This setting has no effect on the other recording tools. Web Site activity will still be captured in Screen Snapshots, Keystrokes, and Program Activity.
Changes to these settings will not take effect until the user quits and restarts browser applications. You may wish to remotely restart the computer.
HTTP Ports - Ports 80, 8080, and 11523 are TCP/IP ports commonly used to access the Internet. If your web server is configured to a different port, type a space and add the port number to this list.
HTTPS Port - Port 443 is the TCP/IP port commonly used to access the Internet with SSL security. If the web server is configured to use a different port, type a space and add the port number to this list.
Do not delete a listed port unless problems occur on the network.
Record Mozilla Browsers (i.e., Firefox) - This option is checked to enable capture of activity on Firefox, Netscape, and other Mozilla-based web browsers. Clear to skip recording these browsers.
Record AOL Security Edition - (ON by default) Check to enable capture of AOL Security Edition. Clear to skip recording of this browser.
Record POSTs - (OFF by default) Check to enable capture of all POST form data where information is sent from the local browser to a remote Internet server. Complete information about each POST appears in Dashboard Web Site Events. Clear to skip this recording.
To save changes:
Click OK on this panel and on the main Settings panel.
Who/When to Record
When to Record
Normally, a Spector 360 Recorder records ALL activity, whenever a computer is on. You can adjust a Computer Profile so that the Recorder only captures activity at specified times. The Record > When to Record setting affects ALL types of activity recording and all users being recorded (using this profile). For example, there may be certain times of day or certain days of the week when it's not necessary to record activity.
The When to Record schedule only affects activity types set to ON in the left portion of the Record pane.
To schedule recording:
Check the "Record based on the following schedule" option to activate the weekly grid. Clear this option to record always (within other setting parameters).
Green - Click on a half-hour spot on the grid or click and drag to mark the time to record. Green color indicates the time periods to be recorded.
White - Click again on any green area to clear it (the time period will not be recorded).
View Scheduled Times - Click this button to see a list of times when recording will be ON. This helps you adjust your selections.
Clear Entire Schedule - Click this button to clear all green from the grid and start over.
Who to Record
Normally, the Spector 360 Recorder records ALL users who log onto a computer where it is installed. Each new user name is captured. Each user's activity is captured. It's possible to limit who you record by including or excluding users from recording. A user you are NOT recording could log in to any computer on the network, and the Recorder would not record any activity after that login.
Record only users listed - Select to specify which users to record.
Record all users except these listed - Select to specify which users NOT to record.
Add - Click this button to add a user to the list of users to record (or not to record). The New User dialog box appears. Enter the name of a user to record. The name must be the local Windows or network login username. Click OK to add the user to the list.
Delete - Select a user in the list and click this button to remove the user from the list.
The Who to Record setting affects ALL activity types that are ON. If you want partial recording for certain users, turn OFF activity types in the Record left pane and select the user names here.
The keyword or phrase detected (for example, "online gambling")
Application being used
User logged in
Date and time of detection
Type of activity recording in which the keyword was detected

Watch suspect activity across all event types.
Send immediate notification every time a keyword is detected.

Screen Snapshot events
Program Activity events
Email attachments
Keystrokes when the keyword has been edited; for example, "sex" would not be detected if the user types s, e, t, Backspace, and x
Web sites transmitted in encrypted format through the secure SSL protocol, typically addressed with "https://"
Web sites transmitted compressed, such as Yahoo
Add - Click to Add a word to the list. All characters, spaces, and punctuation are accepted. Select Match whole word only to match an entry exactly, such as "World of Warcraft." If you do not select this option, the Recorder will find partial matches, such as "world" or "war." Click OK to accept the entry and add it to the list.
You must have recording enabled for each activity type to get the full Keyword scan.
Delete - Select a Keyword in the list and click Delete to remove it.
Import - Click to browse to and import a text file list of words. See Importing Keywords.
Export - Click to export the Keywords list to a text file. The export does not include Server keywords. See Exporting Keywords.

ON - Select this option (or toggle the left column button to green) to enable recording.
OFF - Select this option (or toggle the left column button to red) to disable recording.
Recording of the activity type must be ON before keywords can be detected in it.
Scan Window Caption - Check to scan the captions of windows opened on the computer desktop. The caption usually includes the program name and document name. Recording of Program Captions must be on.
Scan Chat and Instant Messages - Check to scan the content of chat and IM conversations for a keyword match. Clear to skip Chat/IM conversations. Chat/IM recording must be ON.
Scan Emails - Check to scan the content (body), subject, and To/From fields of sent and received email for a keyword match. Clear to skip email. Email recording must be ON.
Scan Web Site Addresses - Check to scan web site URLs and domains for keywords. Clear to skip web site addresses. Web Sites Visited recording must be on.
Scan Web Site Pages - Check to scan all content of web site pages for a keyword match. Clear to skip web page content.
Scan Keystrokes - Check to scan the content of all keystrokes typed (following any edits or deletion) in any application. Clear to skip keystrokes.
Scan File Transfer Information - Check to scan the file names and locations involved in uploads and downloads. Clear to skip File Transfers.
Trigger Snapshot Recording - Check to take extra snapshots when a keyword is detected. Clear to skip taking extra snapshots. Snapshot recording does NOT need to be on.
every [?] seconds for [?] seconds - By default the Recorder takes a snapshot when the keyword is detected and continues to take snapshots every 5 seconds for a period of 60 seconds. Select 1-999 seconds for either field. Lower numbers in the first field provide more snapshots. Higher numbers in the second field provide a longer time period for increased snapshots.
Many keywords can generate large numbers of snapshots, using up disk space on the computer and at the File Storage location. Be careful in setting up keywords and snapshots.
Process Server Keyword lists - Windows Profiles Only. Check to add words from Keyword Groups that are part of "enabled" centralized Event Alerts. These might include the predefined "Bullying" or "Drugs" group, or any defined custom group. Enable this option to increase snapshots and receive email notification immediately when these keywords are detected at a computer.
The recorded computer must have direct access to the Internet to generate an alert notification email.
Once Every . . . Mins - Use the up or down arrows to select the frequency for email notification. The Recorder can send an alert each time it detects a new keyword (this does not include multiple instances in a single location). However, to prevent a flood of email, set the notification interval to a greater time span. The Recorder sends an alert only once, for any given keyword, during the specified interval. It will NOT send subsequent alerts until this set number of minutes has passed. The default is 5 minutes.
Server Type - Select the type of Server from the drop-down list.
Direct SMTP - The email is sent from an SMTP mail server. In the Email Address field, enter the delivery address (me@mycompany.com) and use the Advanced settings to specify the email server (mail.mycompany.com). Many mail servers do not approve Direct SMTP mail requests from computers; you may need to use Relay SMTP.
Relay SMTP - Email delivery is relayed through a server. You provide the same credentials to the server that you use to log in to your email. Enter the Email Address (me@mycompany.com) and use the Advanced settings to provide the email server name, and your account name and password.
Exchange Folder - Windows Profiles Only. Email is delivered to a Microsoft Exchange public folder on the network. The recorded computers must be on the Exchange network, or the reports will not be delivered. If selected, the Email Address field is replaced by a Folder Path field. Type the public folder name of your Exchange server. Include the folder to which you will direct the alert email. No Advanced settings are required, although you may wish to change the email from address and subject.
Default template settings for web page notification
Email Address - Enter the email address to receive alert notification. Advanced - Click to set up a Direct SMTP or Relay SMTP server and a "friendly" from address and subject for discretion. See Advanced Alert Notification Settings.
the type of activity where you want to change the message (Chat/IM, Email, Program Activity, etc.).
Reset Default - Click to return to the default email format for this activity type.
Macros
USER_NAME - The Windows account name for the person logged in when the alert occurred.
KEYWORD - The word or phrase from the Watch List that was detected.
FIELD_NAME - The field in the activity record where the keyword was detected, such as
CONTENT - Data providing a context, such as a URL for a web page or Window title for a document, for the keyword detected.
DATE_TIME - The date and time the keyword was detected.
COMPUTER_NAME - The recorded computer where the keyword was detected.
PROGRAM_NAME - The name of the program that was running when this keyword was detected.
Subject - Appears in the subject line of the email. A subject entered in the Email Notification Advanced settings will overwrite this subject. Select and type over wording you want to change, inserting macros as desired. The subject line can be useful for quickly sorting and filing email (by user name, computer name, and so on). Keep in mind that you can apply different templates to different Recording Profiles.
Body - The body template will comprise the email body, with
insert the macro at the cursor position in the template, either in the subject line or body. For example, you could change the Subject to: Sales Dept. - %KEYWORD% detected in %USER_NAME% chat
Subject: ABC Sales - budget.xls detected in JohnSmith chat
and the body to: Chat/IM in the Sales Department, as recorded by the Bank ABC Sales profile: %USER_NAME% from Bank ABC used the keyword "%KEYWORD%" in %PROGRAM_NAME% on %COMPUTER_NAME%.
Body: Chat/IM in the Sales Department, as recorded by the Bank ABC Sales Recording Profile: JohnSmith from Bank ABC used the keyword "budget.xls" in iChat on COMPUTER45.
Domain - The domain of the email server. Use either the server's domain name or the server's IP address.
The Direct SMTP method of delivery can be inconsistent. You are sending this mail directly from the computer to the mail server, and many mail servers now deal with the problem of Spam by refusing to accept Direct SMTP from a computer (rather than from an ISP). Be sure to test the email delivery before settling on this choice. If it doesn't work, try Relay SMTP.
Authentication - Change the selection from None to POP or ESMTP if the mail server requires authentication, that is, a login, for outgoing mail (most do). This activates the next fields.
Account Name - Enter a valid account name for the email server (same as you would enter for an email client).
Password - Enter the valid password for the account name.
TLS - Windows Profiles Only. Select from: Do Not Use (default), Use if Available (encrypt the email if possible), or Required (TLS encryption is required). Transport Layer Security (TLS) encrypts communication to block outside parties from viewing the data during transmission. This is an extra security measure.
Mail Server - Enter the name or IP address of a remote SMTP mail server (not a webmail server). SMTP Port - Enter the port used by the SMTP server. The default port for most SMTP outgoing mail is 25. Be sure to check your actual email client setup to find out which is the preferred port for outgoing mail. The email test will fail if the wrong port is used.
Validate Server's Certificate - If you are using TLS, you can select this option for extra security. A certificate verifies the identity of a web site, thereby providing a secure communications channel.
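The three TLS choices and the certificate option differ most when the mail server, or something between the computer and the server, does not offer STARTTLS. The sketch below is an added illustration using Python's smtplib, not SpectorSoft code; the constant and function names are assumptions made for the example.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Names mirror the TLS drop-down on this panel; they are illustrative constants.
TLS_DO_NOT_USE = "do_not_use"
TLS_IF_AVAILABLE = "use_if_available"
TLS_REQUIRED = "required"


def build_context(validate_certificate):
    """TLS context; with validation on, chain and host name are both checked."""
    context = ssl.create_default_context()
    if not validate_certificate:
        # Still encrypts the session, but accepts any certificate, so an
        # impostor server is not detected.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    return context


def secure_session(smtp, tls_mode, validate_certificate):
    """Apply the TLS policy to a connected session; return True if encrypted."""
    smtp.ehlo()
    if tls_mode == TLS_DO_NOT_USE:
        return False
    if not smtp.has_extn("starttls"):
        if tls_mode == TLS_REQUIRED:
            raise smtplib.SMTPNotSupportedError("server did not offer STARTTLS")
        # "Use if Available": delivery silently continues in cleartext.
        return False
    smtp.starttls(context=build_context(validate_certificate))
    smtp.ehlo()  # capabilities must be re-read after the TLS handshake
    return True


def send_alert(host, port, account, password, to_addr, subject, body,
               tls_mode=TLS_REQUIRED, validate_certificate=True):
    """Relay one alert email; returns True if it travelled over TLS."""
    message = EmailMessage()
    message["From"] = account
    message["To"] = to_addr
    message["Subject"] = subject
    message.set_content(body)
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        encrypted = secure_session(smtp, tls_mode, validate_certificate)
        # The login is not protected by TLS when encrypted is False.
        smtp.login(account, password)
        smtp.send_message(message)
    return encrypted
```

With Relay SMTP the account password crosses the network on every alert, so only the Required setting combined with certificate validation guarantees it is never sent unencrypted or to an unverified server.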
Importing Keywords
Instead of adding keywords and phrases one at a time in the Recorder's Keyword Alert settings, you can import a text file list. This allows you to maintain a list of keywords in a separate document. Start with an exported list or use any text file containing a list of keywords in the appropriate format. Import the list into a profile by selecting Alert > Keyword Watch List.
Friendly - Appears as a name identifying the "From" sender (in addition to the email address).
From Address - Appears as the address the email is sent from. The default is noreply@spectorsoft.com.
Subject - Appears in the Subject line of an alert email. If you don't enter a subject line, the default subject appears as "Spector Alert on domain\computer."
You can import more than one keyword list. You can add to a keyword list and re-import it. Each import adds to the keywords already listed. Any new words are added, and any repeated words are ignored. To remove keywords from the Alert panel, select and Delete them explicitly.
One keyword or phrase per line (row)
Use 0 (zero) following a keyword to find a partial word within other words
Use 1 (one) following a keyword to Match whole word only and find the exact phrase
Use # (number sign) at the beginning of the line to indicate a comment (will be ignored on import)
Save the file in text format
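The import rules above (one entry per line, 0 or 1 after the keyword, # comments, repeats ignored on re-import) and the once-per-interval notification rule from the email settings can be modelled as follows. This is an added sketch, not SpectorSoft code: the comma before the 0/1 flag, partial matching when no flag is given, and case-insensitive matching are assumptions, and the sample file is constructed.

```python
import re

# Constructed sample file; the comma before the 0/1 flag is an assumption.
SAMPLE_FILE = """\
# Finance watch list (constructed sample)
budget.xls,1
resign,0
confidential report,1
"""


def parse_keyword_file(text):
    """Map each keyword (lowercased) to True for whole-word, False for partial."""
    keywords = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored on import
        word, sep, flag = line.rpartition(",")
        if sep and flag.strip() in ("0", "1"):
            whole = flag.strip() == "1"
        else:
            word, whole = line, False  # no flag: assumed partial match
        word = word.strip().lower()
        if word:
            keywords.setdefault(word, whole)
    return keywords


def merge_import(existing, imported):
    """Each import adds new words; words already listed are left unchanged."""
    merged = dict(existing)
    added = []
    for word, whole in imported.items():
        if word not in merged:
            merged[word] = whole
            added.append(word)
    return merged, added


def find_hits(text, keywords):
    """Return the sorted keywords detected in text."""
    hits = []
    for word, whole in keywords.items():
        pattern = re.escape(word)
        if whole:
            # Whole word: no letter, digit or underscore on either side.
            pattern = r"(?<!\w)" + pattern + r"(?!\w)"
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(word)
    return sorted(hits)


class AlertThrottle:
    """Send at most one alert per keyword per interval (default 5 minutes)."""

    def __init__(self, interval_minutes=5):
        self.interval = interval_minutes * 60
        self.last_sent = {}

    def should_send(self, keyword, now):
        """now is a timestamp in seconds; returns True if an alert may go out."""
        last = self.last_sent.get(keyword)
        if last is not None and now - last < self.interval:
            return False
        self.last_sent[keyword] = now
        return True
```

A partial-match entry such as "resign" also fires on "resigned" or "design", which is how a short keyword ends up producing the large snapshot volumes the guide warns about.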
Security Considerations
Using an MS Exchange public folder may allow a monitored user to modify the content of the public folder receiving the alerts, as they will have Create Items, Read Items, and Folder Visible permissions for the Default account. You can hide the public folder so most users would never know it exists on the MS Exchange server, but for better security the public folder should be moderated. If a public folder is moderated, all messages posted to the folder are immediately forwarded to another mail-enabled folder with restricted access. The public folder remains empty and the administrator can review the keyword alerts by viewing them in the mail-enabled folder.
Exporting Keywords
You may want to export a Keyword list to use in another profile.
To export Keywords:
1. Open the profile's Alert > Keyword Watch List panel.
2. Edit the list if necessary, and when the list is ready, click the Export button.
3. In the Export to box, navigate to a folder and type in a file name. You don't need to specify a file extension, but a text file will be created. Click Save to save the export file.
The file you create can now be imported to a new profile.
Setting Up Folders
Create an MS Exchange Public Folder to Receive Alerts - Create a public folder to send the Alerts to. This will allow a monitored user to see this folder in the Outlook Public Folders list and its contents.
Create a second hidden Public folder - This task creates a second hidden public mail folder that the first folder will forward Alerts to. Use MS Exchange System Manager to mail-enable the second hidden folder - Mail-enabling this second hidden folder will allow
the alerts to be forwarded from the to a moderated folder and removed from the second hidden folder.
make this folder a sub-folder of the first folder for organizational purposes. This folder will be hidden so that users will not be able to see it or its contents.
5. Click OK to create the folder.
6. Select the folder that you just created in the Public Folders list.
7. Right-click and select Properties.
8. Click on the Permissions tab.
9. Select the Default name.
10. Select the Folder visible permission and remove the check mark to disable. This removes permission for both Folder Visible and Read Items, making this folder invisible and inaccessible to all other users.
Configure the second hidden public folder to be moderated - Prevents a user from accessing the Alerts while allowing the administrator to view the alerts from the second mail enabled folder.
Note: You will need Administrator privileges to perform MS Exchange administration.
Internet Blocking
Internet blocking (filtering) allows you to enforce an Acceptable Use Policy by preventing users from accessing all, or portions of, the Internet. Spector 360 allows centralized Web Filtering for Windows computers in addition to blocking at the local Recorder. The "Block" settings in a Recorder Profile apply only to the computers to which the profile is assigned. Use local Recorder blocking to:
Block web access for computers that leave the network.
Block ALL Internet access.
Block specific chat or IM contacts.
Block types of communication or specific ports.

Web site domains
Chat/IM Contacts ("friends")
Internet Access at ports
Specific users who log in to computers where blocking is enabled
Block vs. Allow
If you block a domain the user cannot display any web page at the domain. If you block a port, no communication takes place at that port. If you block a Chat/IM contact, no messages are sent or received from the blocked contact. Alternatively, if you allow access to ONLY certain domains, ports, or Chat/IM contacts, a user can access these and no others. For example, you could limit Internet access to ONLY online references, a work-related server, a specific FTP domain, in-house MSN messaging, and that's it. No other Internet connection is allowed.
Server Web Filtering Enabled - Check to enable centralized Web Filtering. Recorded web events will automatically be associated with Web Filtering Categories. Clear to select Local Web Filtering.
Revert to Local Web Filtering... - Available when the above option is checked. Check to set up Local Web Filtering as a backup filtering policy for the computer. Local filtering settings (in the lower portion of this panel) are ignored until the Recorder fails to connect to the Web Filter Server after several attempts. The Recorder then applies the Local Web Filtering settings. Clear this option to use only Server Web Filtering. If the computer is removed from the network, no web site blocking will occur.
For centralized Web Filtering to work OR to report data based on Web Filtering Categories, Server Web Filtering MUST be enabled on this panel in the computer's profile.
Local Web Filtering Enabled - Check this option when Server Web Filtering is NOT enabled and you want to enable only local filtering. Clear this option if you want no local blocking to occur.
Block web sites in list - Select this option to BLOCK all the web sites listed.
Allow access ONLY to web sites in list - Select this option to ALLOW access to only those web sites listed. Keep in mind this will set limitations to using an allowed web site if it uses content from another site. For example, if you allow cnn.com, not all of the content it provides will be allowed.
Add - Click this button to add a domain to Block or Allow. In the Web Site Access box that appears, enter a host and domain or domain name only (for example, mail.site1.com or site1.com). Click OK to add the new domain to the list.
Delete - Select a web site in the Local Web Filtering list and click Delete to remove it from the list.
Import - Click this button to import a list of web sites from a text file. See Import/Export Sites to Block.
Export - Click this button to create a text file from the currently displayed list of web sites. See Import/Export Sites to Block.
Specifying a host limits filtering to that portion of the web site. For example, you could block gmail (mail.google.com) and still allow searching at google.com.
# Add comments by starting a line with this symbol
www.gamblingsite.com
pornographysite.com
badsite.org
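How a list in this format plays out under the two modes (block the list, or allow ONLY the list) and under host versus domain entries is shown in the added sketch below, which is not SpectorSoft code. The matching rule (an entry covers itself and its subdomains, compared on label boundaries) is an assumption, and the sample list is constructed from the one above plus the mail.google.com entry mentioned in the text.

```python
from urllib.parse import urlsplit

# Constructed sample: the list shown above plus the host entry from the text.
SAMPLE_LIST = """\
# Add comments by starting a line with this symbol
www.gamblingsite.com
pornographysite.com
badsite.org
mail.google.com
"""


def parse_site_list(text):
    """Return the set of normalized entries, skipping blanks and # comments."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line.lower().rstrip("."))
    return entries


def host_of(url_or_host):
    """Extract the lowercase host from a URL or a bare host name."""
    candidate = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlsplit(candidate).hostname or ""
    return host.rstrip(".")


def matches(host, entry):
    """True when host equals the entry or is a subdomain of it.

    Comparing on the dot boundary keeps "notbadsite.org" from matching
    the entry "badsite.org" (assumed rule, see lead-in).
    """
    return host == entry or host.endswith("." + entry)


def is_blocked(url, entries, mode="block"):
    """Decide one request. mode is "block" (deny listed) or "allow_only"."""
    host = host_of(url)
    listed = any(matches(host, entry) for entry in entries)
    if mode == "block":
        return listed
    if mode == "allow_only":
        # Anything not listed is denied, including requests with no host.
        return not listed
    raise ValueError("mode must be 'block' or 'allow_only'")
```

In allow-only mode every third-party host a permitted page loads from (scripts, images, video) needs its own entry, which is the cnn.com limitation described above.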
ON - Select this option (or toggle the left column button to green) to enable blocking. OFF - Select this option (or toggle the left column button to red) to disable blocking.
To block a type of Chat/IM altogether, select the Chat/IM port for blocking on the Block Internet Access panel.
Block contact names in list - Select to prevent the user at the recorded computer from communicating with the contacts listed below. Other chat and IM will NOT be blocked.
Allow access ONLY to contact names in list - Select to block all chat except with the contacts listed below. For example, you may allow a list of clients, teachers, or business associates.
Add - Adds a contact name. Click to open a Chat/IM Blocking box where you can select the chat account type and identify the contact to block (or allow). See the section following. Click OK on the box to add the contact to your Chat/IM list.
Delete - Select a contact from the list and click Delete to remove the name from the list.
For example, if you notice that Bob is continually on Yahoo Messenger having inappropriate conversations with his girlfriend Sue, you can block Sue's Yahoo ID. You would know her ID by observing the previous Chat/IM recordings. Bob can still use Yahoo Messenger, but he will not send or receive any messages to or from Sue.
For example, if a user logs in to Windows Live Messenger and chats with a Yahoo contact, you would select MSN for the Chat/IM type, but enter the Yahoo account (friend88@yahoo.com) as the contact. Get the information you need by viewing Chat/IM activity that has already taken place.
Yahoo - Select if the person you are monitoring signs into Yahoo Messenger, Yahoo Chat 2.0, or an online Yahoo chat room. A Yahoo ID might be friend88; the ID of another contact participating in these Yahoo sessions might be a full email address, friend88@hotmail.com. To block access to a Yahoo Chat Room (available from Yahoo Messenger), enter the name of the Chat Room; for example: Gardening:6. You can get the name of Yahoo contacts and the Chat Rooms being used from the Chat/IM Activity view.
AOL/ICQ - Select this Chat/IM type if the user signs into AOL, AIM, AIM Express, Dead AIM, ICQ 2002, ICQ 2003 or ICQ Lite. Enter the Screen Name of the contact you want to block. For ICQ, enter the User Identification Number (UIN).
MySpace - Select if the person you are monitoring signs into MySpace to use Instant Messaging. Enter the Display Name and the User Profile ID you want to block. Both the Display Name and the numeric User-Profile ID appear in the Chatted with column in the Chat / IM Activity view.
MSN - Select if the person you are monitoring signs into MSN Messenger, Windows Live Messenger, or MSN Exchange Client. Next to Email Address, enter the full email address of the contact you wish to block (or allow), such as friend88@hotmail.com or friend88@yahoo.com. Blocking an internal MSN Chat/IM contact is not supported. The Recorder on a Mac will block contacts when AIM, Yahoo, MSN, Jabber, MySpace, Facebook, or Bonjour accounts are used.
Block Internet Access - Select ON to turn on blocking and activate settings below. Select OFF to allow Internet access. Block All Internet Access - Select to block ALL access to the Internet on the computer: ports, web sites, email, and chat/IM communication. The Blocking Schedule can be set to schedule when access is blocked, otherwise it is blocked at all times.
Block Selected Internet Access - Select to specify (on this panel) types of Internet access to block. If a Blocking Schedule is set, it applies to these selections.
Blocking Schedule - Click this button to set a schedule for the blocking specified on this panel. See When to Block.
Your settings on this panel and on Web Sites and Chat/IM Activity blocking may overlap. For example, blocking Yahoo Messenger ports blocks ALL Yahoo IM contacts. The most restrictive policy always applies.
Slide the left/right scroll bar below this list to view the Ports Blocked by your selection.
Web Sites via HTTP/HTTPS - Internet access to normal and secure Internet sites via the http and https protocols; this includes most web sites, but not local network or ftp addresses. Blocks outgoing ports 80, 443, 8008, 8080, and 8088.
Kazaa - Peer-to-peer communication via Kazaa, a file-sharing application commonly used to download MP3 and video files. Blocks all outgoing and incoming ports used by the protocol.
SMTP/POP Email - Access to standard SMTP and POP email. Blocks outgoing ports: 25, 100, 109, 110, 465, and 995.
File Transfer via FTP - File uploads and downloads using FTP (File Transfer Protocol). Blocks outgoing ports 20, 21, 989, and 990.
AOL and HTTP/HTTPS - America Online (AOL) and other web sites that might not be covered by the first option. Blocks outgoing ports 80, 443, 8008, 8080, 4000, 5190-5193, 8088, and 11523.
Kazaa Lite - The Lite version of the Kazaa protocol. Blocks all outgoing and incoming ports used by the protocol.
AOL Instant Messenger (AIM) - Instant messaging using AIM. Blocks all outgoing and incoming ports used by the AIM client.
ICQ - Chat communication in the standard ICQ protocol (older AOL clients). Blocks outgoing and incoming ports used by ICQ.
ICQ Lite - Chat communication using a simplified version of ICQ. Blocks all outgoing and incoming ports used by the protocol.
MSN Messenger - MSN instant messaging. Blocks all outgoing and incoming ports used by the client application.
Trillian - The Trillian protocol communicating on any chat network. Blocks all outgoing and incoming ports used by the protocol.
Windows Messenger - Windows Live instant messaging. Blocks all outgoing and incoming ports used by the protocol.
XMPP (Jabber) - Messaging in the XMPP or Jabber protocol. Blocks outgoing port 5222.
Yahoo Messenger - Messaging via a Yahoo account. Blocks all outgoing and incoming ports used by the protocol.
Other Chat/IM and HTTP/HTTPS - Chat and Instant Messaging protocols PLUS web sites. Blocks outgoing ports 80, 443, 8008, 8080, and 8088 plus 1863, 5190, 6660-6669.
Block based on the following schedule - Check to enable setting a blocking schedule. Clear this option to disable scheduling.
Schedule Grid - Click and drag a red area to mark days and times when blocking is active. Red is blocked. White is NOT blocked.
View Scheduled Times - Click this button to open a list of scheduled Internet blocking times for each day of the week.
Clear Entire Schedule - Click to clear all scheduled block times (red areas). When the schedule is cleared, Internet Access blocking is in place ALL of the time.
Click OK to set the schedule and return to Block Internet Access settings.
Click OK at the bottom of the panel to save your changes, or Cancel to remove them. The window closes.
Who to Block
Windows Profiles Only. When local Recorder blocking is active, the Block Internet Access, Block Website, and Block Chat/IM settings apply to ALL users who happen to log on to the recorded computer where they are applied. You can select particular users to receive blocking. The Recorder will then apply blocking locally, based on which user is logged in to the computer.
Only block the following Windows users - Check this option if you want to specify users to block. Clear this option to apply the blocking settings to all users of the computer. If you check this option but do not specify any users, Spector 360 assumes you want to block all users.
Add - Click the Add button after enabling the above option to display the New User box. Enter a user name and click OK to add the user to the list of users to block. If you don't enter specific user names, all users of the computer will be denied access as specified on other panels.
Delete - Select a user from the list and click Delete to remove the user from the list of users to block.
General Options
Password - If set, a password prompt appears when someone enters the hotkey combination to open a local Viewer. If no password is defined, the prompt does not appear.
Confirm Password - Confirm the password by typing it again. Hotkey - Windows Profiles Only. The key combination required to activate access to the Viewer. Change - Windows Profiles Only. Click to set a new hotkey combination in the Hotkey box. Select at least two modifier keys and type any keyboard character.
To set Viewer access security:
The Password and Hotkey combination on this panel apply to opening a Viewer installed with the Recorder. Ignore these settings if you are not using a Viewer.
Note: We suggest using the same password for ALL Client installations. Passwords are case-sensitive.
Set to Stealth Mode - Check to hide evidence the Recorder is running (default); clear to display a Recorder Service icon. Include Viewer with Spector Client Installation - Check to install a Viewer with the Recorder. A prompt appears warning that installing the Viewer increases possibility of detection. Click OK to go ahead with the selection. If the Recorder is already installed on a computer, you must re-install it and "Push" the installation. For a Mac, you must reinstall at the computer. Clear this option to omit the Viewer.
For security, include the Viewer with the Recorder installation ONLY for troubleshooting purposes.
Profile Name - Name of this profile. Type in a name for a new profile, or type over the name to change it. Profile Description - Description of the profile.
Enable User Logon Warning - Check this option to display a message warning that this computer is being monitored. The message is displayed each time someone restarts the operating system or a new user logs on to the computer. Clear this option to keep the Spector 360 Recorder "invisible."
Set Warning Text - Click this button to change the text of the warning message that appears when "Enable User Logon Warning" is enabled. The default message is a standard warning used by many government agencies. Select the existing text and type over it to make changes. Click OK to set your changes.
Admin Username - Enter the user name of any Windows administrator in the Admin group on the monitored computer. Admin Password - Enter the administrator's password.
Click OK to accept the changes you have made or Cancel to reject them. The Advanced Settings window closes.
Mask Program Titles - Windows Profiles Only. Default is OFF. Check this option to "hide" Windows titles (usually the program/document or web page name). All window titles are replaced by a non-recognizable string. Masking program titles does not affect aggregation of data in the Dashboard. Clear this option to read program Window titles in recorded events.
SpectorSoft recommends that all companies have an acceptable use policy that informs employees and computer users that their computer activity is subject to monitoring.
Hide Files and Folders in Explorer/Finder - Check to prevent files and folders from being visible in Windows or in the Finder. Clear to make files visible within the folder (which may be hidden).
Password - By default there is no password [None] required to open data files. This password adds a layer of security at the local computer to prevent unauthorized access to the data files. It is a good strategy to apply a password BEFORE beginning to record/review data, or after changing the data files folder to a new location. Click Set to enter and verify a new password, and OK to set the password.
Delete Data After...Days - Set a number of days to retain snapshots on the computer before deleting. Default is 30 days. Maximum Data Size...MegaBytes - Set a size limit in MB for all snapshots stored on the local computer. Default is 500 MB.
Do Not Modify - Keep the default, random settings. Specified Folder - Windows Profiles Only. Select to store data in a specific folder. In the following field, enter a folder name or click Browse to navigate to and choose a folder in which to store the Data Files. This option is recommended only for troubleshooting.
Extension - Windows Profiles Only. The SpectorSoft data file extension is .SDF. We recommend you do not change it.
Delete Data After...Days - Set a number of days to retain ALL non-snapshot data on the computer before deleting. Default is 45 days.
Application Settings
The Application panel provides settings to control recording, the inactivity timeout (after which Spector 360 stops recording), and which programs are recorded or not recorded. Select a profile's General Options > Application panel.
Maximum Data Size...MegaBytes - Set the data storage size in megabytes that will be the limit for ALL non-snapshot data stored on the computer. When the size is exceeded, older data will be over-written. Default is 30 MB.
To store data indefinitely enter a zero (0) in both the "Delete Data After" and "Maximum Data Size" fields. Data will never be deleted using these settings if the Recorder is unable to connect to the Data Vault.
Be sure to click OK at the bottom of the panel to save changes. To ensure that new settings affect all applications and users, restart the computer after changing these settings.
Type a new number in the Inactivity Timeout field, or use the arrows to increment or decrement the number from 0-999 minutes. Use 0 (zero) for no timeout period; the Recorder never stops recording.
Viewer Hotkey - Windows Profiles Only. Opens the Viewer, if one is installed with the Recorder. The default combination is Ctrl+Alt+Shift+S. The Viewer hotkey sequence can also be changed in Security Settings. Remember this sequence!
A separate timeout setting is available for recording within each program instance.
Recording Hotkey - Windows Profiles Only. Stops and starts recording at the computer. Initially there are no recording hotkeys defined. If you define recording hotkeys, you can use them to temporarily stop and restart recording at the monitored computer.
Snapshot Hotkey - Windows Profiles Only. Takes an immediate snapshot at the recorded computer. The default combination is Ctrl+Alt+Shift+P. Regardless of Screen Snapshot settings, this hotkey sequence records an immediate Screen Snapshot.
In the Hotkey box, check at least 2 modifier keys (Ctrl, Shift, Alt, Windows) to press for a valid combination. Type a regular key (such as "P") to press with the combination. Click OK to set the Hotkeys.
Be careful not to set hotkey sequences that are the same as keyboard shortcuts used by anyone at this computer!
Examples:
To save disk space, you may choose to EXCLUDE monitoring of high usage desktop programs, such as Excel or Word. There will be no program activity or snapshots of these programs in the Dashboard data.
To focus on web activity, you may choose to monitor ONLY Internet Explorer, Firefox, and other browser applications. If all other types of recording are ON, you will capture all web, program, file transfer, or chat activity that occurs within a browser. No data or snapshots will be captured from Word, Excel, or other desktop programs.
Only monitor, record/alert/block, the following programs (otherwise all) - Check to limit recording by program, and activate the following options.
Monitor only programs listed - Select to provide an "Include" list of specific programs to record, block and alert on.
Monitor all programs except these listed - Select to create an "Exclude" list of programs to NOT record, block or alert on.
Add - Opens a Select Programs to Include/Exclude box. All programs currently running appear in the list. Select one or more programs to add to your Include or Exclude Programs list.
If the program you want to select is not listed, open the program now and click Refresh on the Select Programs box. This causes the program to appear in the list. If you wish, click Browse and navigate to and select any executable file. Click OK. The Select Programs box closes and the program(s) are added to the list.
Delete - To remove a program from the list, select the program in the box and click Delete.
Allow Limited Users UI Access - Windows Profiles Only. When this is selected, users who do NOT have administrator privileges are able to open the Recorder Viewer and monitor recorded events. They will not, however, be able to change any settings. The default is to deny access to "limited users."
Enable Spector when Windows starts - By default, Spector 360 automatically starts recording whenever Windows is started at the computer. If you want to manually start recording, turn this feature off. You can use the Control Center to start and stop recording.
Capture Elevated Applications - Windows Profiles Only. Allows capture of processes in Vista that are running under Elevated (Administrator) privileges. This generally only applies to a small subset of applications: Setup Applications, Control Panel Applets, etc. However, any application can be run with these elevated privileges by right-clicking on it and choosing Run as administrator. Change this setting only if directed to do so by Technical Support staff.
Include 32-bit Applications (64-bit OSes only) - Windows Profiles Only. Applies to computers running a Windows 64-bit operating system. Enables an extra feature of the Capture Elevated Applications option so that 32-bit Elevated Applications are also captured. Change this setting only if directed to do so by Technical Support staff.
Capture Applications Run as Another User - Windows Only. Captures occasions when a user runs an application under an account other than the one he or she logged in as.
Don't Record Admin Users (Mac) - Mac Profiles Only. Applies to computers running a Mac OS X operating system. Omits the Admin User from all types of recording.
Disable Advanced Recording (Mac) - Mac Profiles Only. Applies to computers running a Mac OS X operating system. Changes the method of recording applications such as Safari, Firefox, and iChat if problems are occurring. Check this option only if directed to do so by Technical Support staff.
Capture Console Applications - Windows Profiles Only. When selected, Spector 360 captures keystroke activity in the Windows Command (Cmd) window or in DOS.
Network Initialization Delay - Windows Profiles Only. This setting increases the number of seconds to delay initialization of Spector 360 Recorder modules used to capture Internet information, and may prevent the Recorder from conflicting with programs that may be competing for the same Windows resources. The default is 0. Click the arrows to change this setting only if requested to do so by SpectorSoft engineering staff.
Automatically turn off Work Offline - Windows Profiles Only. Enables the Recorder to work around communication problems when a computer is set to "Work Offline."
Enable Automatic Error Transmissions - Spector 360 traps internal program errors and stores them in a log file. When this option is turned on, program errors may be automatically transmitted to SpectorSoft so that Technical Support may find the cause of the errors. The default is not to enable automatic transmission. Turn this on only if requested to do so by a SpectorSoft engineer.
Enable Log File - The Recorder maintains a log of its own activity. The log, which you can view from Manage Computers in the Control Center, provides a date-time stamp of sessions and settings changes, but only records as much as specified in the Detail Level or under the Configure Log File settings. If you contact Technical Support, you may be asked to send us Recorder log files for troubleshooting purposes.
Log File Detail Level - The default level of logging is zero (0), which provides a minimal number of log entries. Other levels are 1 and 2. Normally there is no need to change this level. However, if you are having a problem, and a SpectorSoft Technical Support representative asks you to increase the level, this setting will provide more detailed information about internal Recorder activities (creating a larger Log File on the computer). To raise the Log File Level, click on the arrows.
Configure Log File - Click this button to display a box of Log File options. Click the appropriate activity, as advised by Technical Support. This increases data collection only for a specific component(s), as needed.
Server Settings
You can verify or change Spector 360 Recorder communication with Servers from General Options > Servers in a Recorder's profile. These settings are established on installation of the Spector 360 Server Components and will only change if you move a Server, add a Server, or if there is a communication conflict. Keep these points in mind:
Recorders communicate best with a Server at a static IP address. When a computer obtains an IP address automatically (uses DHCP) the address may change every time it connects to the network. If the Recorder cannot resolve the IP address to a computer name on the network, it will not find the Server.
Communication takes place at a particular port. The Recorder attempts to contact each Server at a specific port at the Server IP address. The Recorder in turn reserves a port at the recorded computer (Client Port) for Server communication. The default ports normally work, but watch for network conflicts.
Direct Recorders to the correct server. If you add a Data Vault or Web Filtering Server, use the profile to direct Recorders to the Server you want them to use. The Server must already be installed and appear in the Servers view.
When the location of a Server changes, the Control Center configures existing Computer Profiles to use the new location. Computers running the Recorder need to be restarted before Server changes go into effect.
Server Name - The computer name or IP address of the computer where the Primary Server is installed. Change the Server Name only if the Primary Server has been moved to a different computer.
Port - The default IP port address for communication with the Primary Server is port 16770. You can change the port by entering a different number. The Server Port configuration in this panel must match the port configuration in the Servers view.
Use Static IP Address - Check if the Primary Server is installed on a computer with a static IP address (recommended). Clear to rely on the network's name resolution.
Use Static IP Address - Check to indicate the Data Vault is installed on a computer using a static IP address (recommended). Clear to rely on the network's name resolution.
Server IP - The IP address of the computer where the Primary Server is installed. Click Edit to open an "IP:Port" box and change the IP address. If you don't know the IP address of the Primary Server computer, enter the computer name in the lower field and click Resolve. The IP address for the computer will be displayed in the upper field. Click OK to set your change.
Server IP - The IP address of the computer where the Data Vault Server is installed. Click Edit to change the IP address. Use Resolve, if necessary. Click OK to set your change.
Send Interval - How often the Recorder attempts to send data to the Data Vault Server. The default is every 240 seconds.
Max Send Period - How long the connection from the Recorder to the Data Vault Server lasts. The default connection period is 30 seconds.
Server Name - The computer name or IP address of the computer where the Data Vault Server is installed. Change the name if the Data Vault service has been moved to another computer.
Server Name - The computer name or IP address of the computer where the CCS is installed.
Server Port - The IP port address where the Client Service attempts to communicate with the CCS. The default is port 16768. Do NOT change the port unless there is a network conflict.
Server Port - The IP port address where the Recorder attempts to communicate with the Data Vault Server. The default is port 16769. Do NOT change the port unless there is a network conflict. This port must match the port specified in Control Center Properties for the Data Vault.
Use Static IP Address - Check to indicate the CCS is installed on a computer with a static IP address (recommended). Clear to rely on the network's name resolution.
Server IP - The IP address of the CCS computer. Click the Edit button to change the IP address (see above).
Send Interval - How often the Recorder attempts to communicate with the CCS and update its status. The default is every 300 seconds.
Client Options
Windows Profiles Only. Client Options control the visibility of a Recorder installation and provide settings for use of App-V, Published Applications, and other circumstances. Select a profile's General Options > Client Options.
Server Name - The computer name or IP address of the computer where the WFS is installed. Change the name if the server has been installed on a different computer or if you are directing Recorders using this profile to a different WFS.
Server Port - The IP port selected on installation of the server. The default is always port 16771. Change the port ONLY if there is a conflict on your network. This port must match the port specified in Control Center Properties for the Web Filter Server.
Use Static IP Address - Check to indicate the WFS is installed on a computer using a static IP address (recommended). Clear to rely on the network's name resolution.
Server IP - The IP address of the computer where the WFS is installed. Click the Edit button to change the IP address (see above).
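The rules in this section (a profile's port must match the Servers view, a static Server IP must still be the server's address, a Server Name must resolve when no static IP is set, and two servers must not share a port) can be checked offline before a profile is applied. The following Python sketch is an added example, not SpectorSoft code; the record types, the server names and the 192.0.2.x addresses are constructed assumptions, and the values are meant to be transcribed from the Servers view and the profile's Servers panel.

```python
"""Offline consistency check of Recorder profile server settings (added example)."""
import socket
from dataclasses import dataclass

# Default ports as stated in this guide.
DEFAULT_PORTS = {"CCS": 16768, "Data Vault": 16769, "Primary": 16770, "Web Filter": 16771}


@dataclass(frozen=True)
class ViewEntry:
    """One row of the Servers view (hypothetical record, not a product format)."""
    role: str
    host: str
    port: int


@dataclass(frozen=True)
class ProfileEntry:
    """One server block of a Recorder profile (hypothetical record)."""
    role: str
    server_name: str
    port: int
    use_static_ip: bool
    server_ip: str = ""


def system_resolve(name):
    """Resolve a computer name to an IPv4 address, or None if resolution fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_profile(profile, servers_view, resolve=system_resolve):
    """Return a list of (role, problem) tuples; an empty list means consistent."""
    findings = []
    view = {entry.role: entry for entry in servers_view}

    # Two servers on the same host must not listen on the same port.
    used = {}
    for entry in servers_view:
        key = (entry.host.lower(), entry.port)
        if key in used:
            findings.append(
                (entry.role, f"port {entry.port} on {entry.host} already used by {used[key]}"))
        used[key] = entry.role

    for p in profile:
        listed = view.get(p.role)
        if listed is None:
            findings.append((p.role, "server is not listed in the Servers view"))
            continue
        # The profile port must match the port configured in the Servers view.
        if p.port != listed.port:
            findings.append(
                (p.role, f"profile port {p.port} != Servers view port {listed.port}"))
        resolved = resolve(p.server_name)
        if p.use_static_ip:
            if not p.server_ip:
                findings.append((p.role, "static IP selected but Server IP is empty"))
            elif resolved is not None and resolved != p.server_ip:
                # Typical after a server move: the name follows, the static IP does not.
                findings.append(
                    (p.role, f"Server IP {p.server_ip} != {p.server_name} ({resolved})"))
        elif resolved is None:
            # Without a static IP the Recorder depends on name resolution.
            findings.append(
                (p.role, f"{p.server_name} does not resolve and no static IP is set"))
    return findings


# Constructed sample data (names and addresses are placeholders).
SAMPLE_DNS = {"SRV01": "192.0.2.10", "SRV02": "192.0.2.20"}
SAMPLE_VIEW = [
    ViewEntry("CCS", "SRV01", DEFAULT_PORTS["CCS"]),
    ViewEntry("Primary", "SRV01", DEFAULT_PORTS["Primary"]),
    ViewEntry("Data Vault", "SRV02", DEFAULT_PORTS["Data Vault"]),
    ViewEntry("Web Filter", "SRV02", DEFAULT_PORTS["Web Filter"]),
]
SAMPLE_PROFILE = [
    ProfileEntry("CCS", "SRV01", 16768, True, "192.0.2.10"),      # consistent
    ProfileEntry("Primary", "SRV01", 16770, True, "192.0.2.99"),  # stale static IP
    ProfileEntry("Data Vault", "SRV02", 16760, False),            # port mismatch
    ProfileEntry("Web Filter", "SRV03", 16771, False),            # name does not resolve
]


def sample_findings():
    """Run the check on the constructed sample with a table-driven resolver."""
    return check_profile(SAMPLE_PROFILE, SAMPLE_VIEW, SAMPLE_DNS.get)


if __name__ == "__main__":
    for role, problem in sample_findings():
        print(f"{role}: {problem}")
```

Passing no `resolve` argument makes the check use the system resolver of the machine it runs on, which is only meaningful when that machine sees the same name resolution as the recorded computers.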
2. Installation progress bar - A progress bar appears.
3. Readme - Displays notes following the installation.
4. Restart prompt - Displays a restart prompt.
5. Remove install file prompt - Asks to remove the installation file.
Use Fixed Filenames - Check to install Client Recorder software with the same filenames on all computers. Clear this option to randomize the filenames for every installation. Fixed filenames allow you to exclude the Recorder files from antivirus scanning.
Enable App-V Support - Check Enable App-V Support if you have applications deployed using Microsoft Application Virtualization (App-V), formerly SoftGrid. This option allows the Recorder to capture activity within these types of applications. If you do not check this option, the App-V applications will not be properly recorded.
Reboot Client Computer After Installation? - The Recorder is not fully installed until the computer restarts. Check this option to override the prompt shown in step 4 above and have the Client restart immediately and automatically. Clear this option to allow the user to turn off and restart in normal operation. The Client will not begin recording until the computer restarts.
Enable Alternative Shell Support - This option allows you to install the Recorder on Windows Terminal Services (Microsoft Remote Desktop) or Citrix Server and capture activity that occurs in published applications. Check Enable Alternative Shell Support and then click to open a box where you can specify the alternate shell that is launched to run Citrix or Terminal Server published applications. The alternative shell name is:
wfshell.exe - Citrix Server
rdpshell.exe - Windows Terminal Server
Click OK to set the alternate shell name. Clear this option to record applications running under the normal Windows shell. To record workstation activity in "local" applications, install an additional Recorder on each workstation.
Show Agreement Dialog? - Available when "Install in Quiet or Silent Mode" is cleared. Requires response to an Agreement dialog box. Click the View button to see what this dialog box looks like.
Show License Dialog? - Available when "Install in Quiet or Silent Mode" is cleared. Requires response to a License dialog box. Click the View button to see what this dialog box looks like.
Show Serial Number Dialog? - Available when "Install in Quiet or Silent Mode" is cleared. Requires the user to enter or confirm the serial number.
Show Options Dialog? - Available when "Install in Quiet or Silent Mode" is cleared. Displays a Security Options prompt, allowing the user to set a password for the Viewer, if one is being installed, and to choose whether the Recorder will be visible on the Windows task bar and as a program. The user can change the password during the installation, but not the Hotkey sequence.
Enable Spector Client in Safe Mode - Check this option to activate recording when Windows is started in Safe Mode. When this option is cleared, the Recorder will not launch and record activity when Windows is started in Safe Mode.
Show Installation Warning Dialog? - Begins the Recorder installation with a message that you create. The user must respond to the message before the installation continues. Click Edit next to this option to change the message.
Enable Executable File Mutation - Use only if directed by SpectorSoft Technical Support.
Recorder Method - Select these options only if directed to do so by SpectorSoft Technical Support.
Record URLs
Windows Only. Normally Spector 360 captures activity at all URLs. Some organizations prefer to exclude select web addresses from recording in order to protect the privacy of users. Others may want to record ONLY sites where work requiring documentation takes place. Select a profile's General Options > Record URLs panel.
When a web site is not recorded, it cannot be blocked or scanned for keywords.
The Record URLs feature differs from other Record settings in that it applies to capture of several web-based activity types at the named URL: Screen Snapshots, Web Site Activity, Online Searches, and Keystrokes Typed. Although browser activity is recorded in Program Events, the Window Titles or Captions for pages viewed at the site are "masked out," as shown below.
google.com records or excludes the entire Google domain.
mail.yahoo.com records or excludes recording of the Yahoo mail subdomain.
www.mycompany.com/products/requirements.htm records or excludes recording of this web page.
Click OK to add the URL or Cancel to close the box without adding an item.
Enable program window caption selective recording - Check this item to turn on selective window caption recording. If it is cleared (default), ALL window captions are captured, as possible.
Record window captions for Programs listed only - Select this to specify which programs to record.
Record window captions for programs except listed - Select to specify which programs to NOT record.
Add - Click to open a window and add a program name.
Delete - Click to remove a program in the list.
Import - Click to import a list of programs from a text file.
Export - Click to export a list of programs.
One URL per line (row)
For comments use # (number sign) at the beginning of the line
Save the file as a text (.txt) file
You can import more than one list. You can add to a list and re-import it. Each import adds to the URLs or programs already listed. Any new items are added, and any repeated items are ignored. To remove URLs from the Record URL panel, select and Delete them explicitly. To remove Programs from the Program Caption panel, select and Delete them explicitly.
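The import rules above (one URL per line, # comments at the start of a line, repeated items ignored, each import only adding to the list) can be previewed before a list is loaded into a profile. The following Python sketch is an added example, not part of Spector 360; the normalization and the host/subdomain matching in covers() are assumptions modelled on the three sample entries under Record URLs, and the list text is constructed.

```python
"""Preview of a Record URLs import list (added example, not product code)."""
from urllib.parse import urlsplit


def normalize(entry):
    """Return 'host' or 'host/path' in a comparable form, or None if unusable.

    Assumption: scheme, port, query and trailing slash are not significant.
    """
    entry = entry.strip()
    if not entry or any(ch.isspace() for ch in entry):
        return None
    if "://" not in entry:
        entry = "//" + entry          # lets urlsplit see the host part
    try:
        parts = urlsplit(entry)
    except ValueError:
        return None
    host = parts.hostname or ""       # hostname is already lower-cased
    if "." not in host:
        return None
    return host + parts.path.rstrip("/")


def parse_import_list(text):
    """Parse the .txt import format: one URL per line, '#' lines are comments.

    Returns (entries, rejected) where rejected holds (line_number, raw_line).
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        item = normalize(raw)
        if item is None:
            rejected.append((lineno, raw))
        elif item not in entries:     # repeats inside one file count once
            entries.append(item)
    return entries, rejected


def merge(existing, imported):
    """Model an import: new items are added, repeated items are ignored.

    Nothing is ever removed; removal is an explicit Delete in the panel.
    Returns (merged, added, ignored).
    """
    merged, added, ignored = list(existing), [], []
    for item in imported:
        if item in merged:
            ignored.append(item)
        else:
            merged.append(item)
            added.append(item)
    return merged, added, ignored


def covers(entry, visited):
    """Assumed matching: a host entry covers that host and its subdomains,
    an entry with a path covers only that page on that host."""
    target = normalize(visited)
    if target is None:
        return False
    e_host, _, e_path = entry.partition("/")
    v_host, _, v_path = target.partition("/")
    if not e_path:
        return v_host == e_host or v_host.endswith("." + e_host)
    return v_host == e_host and v_path == e_path


# Constructed sample list in the import format.
SAMPLE_LIST = """\
# Sites excluded from recording (constructed sample)
google.com
mail.yahoo.com
http://Mail.Yahoo.com/
www.mycompany.com/products/requirements.htm
not a url
"""

if __name__ == "__main__":
    entries, rejected = parse_import_list(SAMPLE_LIST)
    merged, added, ignored = merge(["google.com"], entries)
    print("would add:", added)
    print("already listed:", ignored)
    print("rejected lines:", rejected)
    for url in ("https://maps.google.com/x", "https://yahoo.com/"):
        hit = [e for e in merged if covers(e, url)]
        print(url, "->", hit or "not covered")
```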
Status - State of the license:
Active: The Recorder is actively communicating with the Primary Server.
Reserved: The Recorder is not currently in communication (or has been uninstalled), but is reserved for the named computer.
Last Refresh - Date and time the installed Recorder last checked licensing information at the Primary Server.
Register or re-register your serial number. After installing Spector 360, or after purchasing additional licenses, register and unlock the product. More...
Add computer licenses to a Serial Number. When you are ready to expand your Spector 360 installation, simply add licenses to your serial number. More...
Add a Serial Number. In special cases, multiple serial numbers may be required. More...
Refresh. To update the list of Computer Licenses: click the toolbar button - OR - Press F5 - OR - Right-click and select Refresh.
Serial Number - A registered Spector 360 serial number.
Total Licenses - Total number of computer licenses registered and unlocked for this serial number.
Available - Number of Recorder licenses still available to assign to computers.
Licensed Computer - Name of each computer that has received a license. A computer receives a license when the Recorder is installed.
To reserve a license:
Select one or more computers in the Manage Computers view. Select Reserve License from the Edit menu or from the context (right-click) menu. All licenses you intend to reserve must be under the same serial number. Select the serial number, if applicable. Click OK.
If you are managing more than one serial number, a message cautions you to be sure to select the correct serial number for the license(s). You cannot "undo" an incorrect license reservation. Use the drop-down list to select the correct serial number, and then click OK to reserve the licenses.
If you have selected more computers than you have available licenses for, a message appears. Click OK and contact SpectorSoft about purchasing additional licenses.
If the Control Center is unable to communicate with the CCS or Primary Server, or if there are no available licenses, a message appears and no licenses are reserved.
A message asks you to confirm reserving the selected number of licenses from this serial number. Click Yes to continue or No to cancel.
A second message confirms the License Reservation. It may take several minutes for the license icon to appear in the Manage Computers list, but the number of "Available" licenses in Manage Computer Licenses changes immediately. Manage Computers list shows a reserved license.
5. Wait several minutes for the email from SpectorSoft to arrive. The email contains your Serial Number, Registration Code and the Unlock code. Follow instructions below to unlock.
4. Click OK in the Validate License message. Spector 360 is now enabled for the number of computer licenses you purchased.
You can install the Spector 360 Recorder on one computer for each license; if you have a 50 computer license, you can install the Recorder on 50 computers, no more.
If the Recorder is removed from a computer, the license remains reserved for that computer and can only be installed on another computer with the same Windows name on the same network. License reservations are held indefinitely.
When you make the purchase, SpectorSoft will make the appropriate changes to your license agreement and will update your serial number to include the additional licenses.
3. Re-register your serial number. Do this in Manage Computer Licenses. See Serial Number Registration.
4. Unlock the computer licenses. You will receive an unlock code by email when you register. Follow the instructions in Serial Number Registration to unlock the new licenses and enable the Primary Server to validate the additional Recorder installations.
5. Install the additional Recorders. Once the serial number is re-registered, the Computer Licenses pane shows an updated number in the Total Licenses column. You can now go to Manage Computers and assign additional computers a Recorder installation.
If you are recording a Windows multi-user server, then a license is required for each unique user connecting to the multi-user server. For example, a 50-computer license would allow for the installation of the Recorder onto a Citrix MetaFrame server configured for 50 unique users.
Note: Spector 360 uniquely identifies a computer on the network by using its Windows computer name. If the computer name of the computer is changed, another license for that computer will be used in order for the Recorder to continue to record the computer.
Default - A green check mark indicates the version to be installed if no specific Recorder Version has been assigned to a computer. The default version is also used when you request automatic Recorder installations for new computers joining the network.
Recorder Version - The first two numbers (7.2) indicate the Spector 360 version, the next four (.6349) indicate the build, and the last three in parentheses are the Webmail version - 7.2.6349 (170). The Webmail version is updated as available with your Recorder Version downloads.
Recorder downloads occur via an HTTP connection, but you can change this in the Servers > Primary Server properties box. As soon as a new Recorder Version (also known as a signature file) is downloaded and appears in this view, you can assign it to computers and use it in profiles. Updating the Recorder version will NOT remove any recording data from the computer; however, some profile settings may change. Check the computer's profile using the new version to see if settings are as you want them to be.
If you have upgraded your Spector 360 Servers be sure to re-install the Recorder (rather than assign a new version).
Check for and download a new version. More...
Change the default Recorder version. After downloading a new version and checking profile settings, you probably want to make the latest version the default. More...
Automatically install new versions on computers. Set computers to receive the latest downloaded version at the given update time. You can do this as you Add Computers or Modify a Computer. You can also specify an automatic install when computers are added to Active Directory.
Assign the Version to Computers or Groups. If you are NOT automatically updating the version, assign the new version to select computers. Once the version is assigned, computers will receive it when they check in with the CCS, or when you use the Install Recorder command to install or re-install the client. More...
3.
A newer version of the Recorder
A newer configuration for capturing webmail
Available downloads for other new items
If updates are available, wait as they are automatically downloaded. When the download is complete, "Done" appears next to each task.
4. Click Close to close this box. Refresh the Control Center window to view the new Recorder software in the list of Recorder Versions.
If computers are set up for automatic updates, they automatically receive the latest downloaded Recorder Version from the Control Center Server (CCS) when they "check in." If computers are not receiving automatic updates, you need to "assign" the new Recorder version to computers.
4. A message asks you to confirm the Recorder version and the number of selected computers (and groups). Click Yes to apply the version or No to cancel. The assigned version appears in the Computers list.
A Recorder receives its update at the "Client Update Time" scheduled in the CCS properties. The computer must restart before any new Recorder functionality goes into effect.
2. Select an option for automatic updates. These options apply after the Recorder has been installed:
Don't automatically update the Spector 360 Recorder
Automatically update the Spector 360 Recorder
Automatically update the Spector 360 Recorder
Never update the Recorder automatically - The version does not change unless you re-assign or re-install it.
Update the Recorder as soon as possible - When a new version has been downloaded, computers receive the update as soon as possible.
Save your changes or continue through the process of adding the computer. The computer must restart before any new Recorder functionality goes into effect.
Update the Recorder automatically at - Computers receive the update at this time. Click on the hour, minutes, or AM/PM and use the arrow buttons to change the time. If the time precedes the download, the update will occur on the next day at the set time.
Click OK. A message asks you to confirm the change. Click Yes to apply, or No to cancel, the change and close the box.
Click OK to save your selections and set defaults. Click Cancel to discard changes. The default versions will appear in selection lists and with a green checkmark in Manage Recorder Versions.
Managing Servers
Spector 360 Servers should be running and ready to communicate as soon as they are installed. The Servers tool allows you to view each Server's location, communication port, and status. From the Servers view, you can stop and start a Server, change the communication port, change credentials, or add a Data Vault or Web Filter Server.
To manage Servers:
Modify Server properties. Select the Server and Modify from the toolbar - OR - Select Modify the selected Server in the Task Navigation pane. See:
Control Center Server Properties
Data Vault Server Properties
Primary Server Properties
Web Filter Server Properties
Database Server Properties
To view Servers:
Select the Servers tool from the lower left navigation pane to view:
Add a Server. Add an extra Data Vault or Web Filter Server that you have installed. More...
Change Server location. If you move a Server, make sure the change is noted in the Control Center. More...
Remove a Server. Remove an extra Data Vault or Web Filter Server. When a lock icon is displayed next to a Server, it cannot be removed. Only "added" Servers can be removed. More...
Server Type:
Control Center - Delivers instructions to Recorders.
Data Vault - Receives data from the Recorders.
Primary Server - Manages licensing for Recorder installations.
Web Filtering - Filters access to the Internet.
Database - SQL Server access to the database; includes status of the SQL or Spector Agent.
Database login is not required to access Servers; however, some changes require the Database SA password.
Host Name - Computer where the Server is installed.
Port - The port where the Server listens for communication.
When: The Server is installed on the same computer as MS SQL Server, the Spector 360 Databases, and File Storage location. Any time. The Server is installed on the same computer as the Spector 360 Databases. The Server is installed on the same computer as the Spector 360 Databases.
When: Any time. The Server is NOT on the same computer as the Spector 360 Databases. The account must be able to connect to and access the computer where the Database is installed. The Server is NOT on the same computer as the File Storage location; however, the recommended configuration is to assign the File Storage location to a local drive on the SAME computer where the SQL Server and Databases are installed.
Database Server
If your Spector 360 installation uses more than one Data Vault or WFS Server, use the same Network User Account credentials for the second Server.
Moving a Server
It's possible to move a Server from one computer to another. Use the Spector 360 Setup program to re-install the Server elsewhere and then make sure to uninstall it from its current location. Move a Server when it is least likely anyone will be using Spector 360 to view activity.
See Adding a Server to ADD another Data Vault or Web Filter Server.
Uninstall/Reinstall. When you MOVE the Server, you are uninstalling it on one computer and installing it on another.
Local/Network Account. The Primary Server service generally will operate under the Local System account, no matter where it is installed. The Data Vault Server and Web Filter Server need to run under a Network account if installed on a computer separate from SQL Server and the Databases. Be sure to set Server credentials accordingly.
Control Center. The Control Center will automatically locate the moved Server and configure all Recorder Profiles to use the new Server location. Computers running a Recorder pointing to this Server, however, will need to be restarted.
Static IP. Server computers should be up and running all the time and have a static IP address.
To move a Server:
1. Uninstall the Server you wish to move. Select Start > All Programs > Spector 360 > Uninstall Spector 360. Clear all component check boxes except the Server you want to move. Verify that you want to remove the Server, and wait for uninstall to complete. Click Finish and restart the Server computer.
2. Install the Server you wish to move. Run the Setup program again (you can choose Uninstall from the Start menu), selecting Re-install or Install this time. Select only the Server component you are moving.
Locate the CCS (Control Center Server). If you are prompted to locate the CCS, type the computer name where it is installed or Browse to the computer and select it.
Enter your serial number. Accept the license agreement and enter your serial number, if necessary.
Locate the SQL Server computer, if prompted. The Data Vault and Web Filter Server need to communicate with the Spector 360 Database. Type the name of the Spector 360 SQL Server computer, if prompted, and enter the SA password.
Choose a path for installation. The default installation location is C:\Program Files\SpectorSoft\Spector 360 on the computer where you are running the Setup.
Select the computer to receive the installation. If you are running the Setup program at the original Server installation location, choose "Install on Another Computer." If you are running the Setup program at the location where you want the Server installed, select "Install on This Computer." Make sure to enter the correct Computer Name or navigate to and select the computer on the network. Enter Network Credentials, if applicable, and click Finish when the installation is complete.
Choose a Local or Network service account. If you are locating the Server elsewhere on the network, you will want to use an existing Windows Network account.
3. Verify the Server computer in the Control Center. Make sure the Server icon is in the system tray of the new computer. You may need to restart the computer to see the icon. Use the Control Center Servers tool and Modify to verify that the moved Server is listed in the Control Center as running on the specified computer. If you moved the Primary Server, review your Computer Licenses to make sure the proper number of licenses are active.
The Data Vault requires about 205 MB of free disk space. Other Servers require about 1 MB of free disk space. See the Deployment Guide for additional configuration requirements.
A Spector 360 installation uses ONE Control Center Server, Primary Server, and Database Server. Do NOT attempt to install multiple instances of these Servers without contacting Technical Support.
Adding a Server
If you have a large or extremely active Spector 360 installation, you may want to install an additional Data Vault or Web Filter Server to facilitate data delivery and communication. Follow the steps below to deploy another Server:
First, install the extra Server on its computer.
Then, add the Server to the Control Center.
Finally, apply Computer Profiles that use the new Server Settings to the network computers you want to report to this Server.
Select Windows Start > Run and enter cmd. At the console prompt, navigate to the folder where the Setup program exists and use the following command:
sp360setup73.exe /e
2. Select the Server or Servers you wish to install. Provide your serial number at the bottom of the panel to continue.
Server requirements:
The Server Computer. Server computers should be up and running at all times. Server computers should have a static IP address.
The Database must be installed before servers are installed. All servers EXCEPT the Primary Server access the Database. Servers need to know the name of the Database computer. Servers need to run under a Windows account with access to the Database computer.
Servers require Database login credentials. Use the same Database credentials for all Web Filter Servers. Use the same Database credentials for all Data Vault Servers.
3. Agree to the End User License Agreement by checking the box and clicking Next.
4. Do not download updates if you have not updated other core components (use the same Setup file versions).
5. Select Database from the right list and type the Database computer name and SA Password. The server will automatically attempt to make connection to the computer and the Spector 360 SQL Server instance.
6. Select Control Center Server from the right list and enter the CCS computer name. The server will automatically contact the CCS for management.
Enter Database credentials for the Server. Make sure all Web Filter Servers or all Data Vault Servers use the same credentials.
7. Select the Web Filter or Data Vault Server panel and supply the required information. Type the name of the computer to receive the Server installation. Enter non-Local System service account credentials for the Server. Make sure this account has permission to access the Database computer.
For a Data Vault, enter the full path to the central File Storage location, as accessed by the Database. The default location would be C:\Spector360Data on the Database computer, and might be specified as \\SERVER05\C$\Spector360Data.
Click Add. It's possible to add more than one server at a time.
8. Complete the installation process.
The server icon should appear in the system tray of the computer it is installed on.
Make sure all Servers are communicating with the Database. Two Servers of the same kind (two Data Vaults) should use the SAME credentials to access the Database. Make sure all Data Vault Servers use a Base Path to the same File Storage location.
Removing a Server
You can remove an "extra" Data Vault or Web Filtering Server from the Control Center. These servers do NOT have the lock icon displayed next to them in the Servers view. If you want to completely remove or move the primary Server Components, use the Spector 360 Setup program. An extra Data Vault has been added
To remove a Server:
1. Select the Server (without a lock icon) you wish to remove.
2. Select Remove the selected server from the Task Navigation pane - OR - Right-click on the Server and select Delete.
3. Respond to the confirmation message.
4. Refresh the Control Center. The Server will no longer appear in the Servers list.
One CCS installed
Direct network access to Recorder computers
Domain Administrator credentials to access all computers
Direct network access to Control Center applications
Installed at a static IP address
Computer is always up and running
Recorder profiles are configured with the correct CCS (or IP address) and port
Requires Administrator-level credentials. To perform its functions, this server must be able to operate as an Administrator user on all network computers being monitored. During installation or from the Control Center, direct the CCS service to log in as a common Windows Administrator User or as a Domain Administrator.
Manages the computer list. When you add computers to the Control Center's Computers List, the CCS establishes connection to the computers. Background updating is used to monitor status of the computers. If you choose, the CCS can query Active Directory and automatically update the computers listed in the Control Center. The CCS manages ONE computer list for all Control Center applications.
Controls a computer. The CCS delivers your Control Center instructions to STOP and START recording on a computer, RESTART the computer, or run diagnostic tests on the computer.
Installs and uninstalls the Recorder. When you request a client installation, the CCS delivers the Client Install file to the computer and activates the Client Service to install the Recorder at the scheduled time. If you choose, the CCS can automatically install the Recorder on any new computers joining the network.
Provides Recorder configuration. When you make changes to recording at the Control Center, the CCS provides the changes to computers. Client Recorders automatically "check in" with the CCS and receive Recording Profile and Recorder Version updates. CCS settings determine when check-ins occur and whether version updates will be delivered automatically.
Enables and controls Spector 360 self-auditing. The CCS can be used to log all activity at this Control Center and deliver the activity to the proper SQL Server instance for storage in the database. See Auditing.
Computer Name - The name of the computer where the Control Center Server (CCS) is installed. If you need to move this server, use the Spector 360 Setup to reinstall the Control Center Server at the desired location and uninstall it from the previous location. Then, make sure the correct computer name appears in this field.
Listen IP Port - The port number (TCP and UDP) where the CCS listens for Recorders to communicate and update their status. Change this port only if there is a port conflict at the CCS computer. Use the arrow buttons to increment or decrement the value or simply type in a new number. A warning message appears if you change the port to another already used by a Spector 360 Server. The CCS attempts to update Server Communications in all Recorder profiles.
Client settings:
The CCS communicates with client computers and manages the Recorder at computers.
Use Default Port - Click this button to return the Listen IP Port to its default value of 16768.
Log Detail Level - The Control Center maintains a log of its own activities. The log file includes date/time-stamped scanning, licensing, configuration, and login actions, and can be useful in determining problem areas. By default, the log records a Low level of detail. Change the level to Normal or Debug only if instructed to do so by SpectorSoft Technical Support.
View Log File - Displays the Control Center self-auditing log (stored in \..\SpectorSoft\Spector 360\spceadminsvc.log). Most recent activities are appended to the bottom of the file.
Enable communications with Spector 360 Recorders - This option MUST be enabled in order for the Control Center to communicate with clients. The Control Center communicates with all Client Recorders using the TCP/IP protocol.
Server Status - Reports the status of the Control Center service: Running, Stopped, or Unknown if the service cannot be detected.
Stop/Start Service - Stops the Control Center service if it is running; starts the service if it is not running. The service is called "Spector Control Center Server" in your list of Windows Services. The button toggles between "Start" and "Stop."
Client communications port - The port where the Spector 360 Recorder receives Control Center instructions, by default port 2468. Avoid changing the port unless there is an IP Port conflict.
Use Default - Click this button to return the Client communication port to its default port, 2468.
Do not change the Client communication port unless absolutely necessary. If you change the port, Recording Profile Server settings are updated to use this port.
Show Tray Icon - Displays an icon in the Windows system tray at the computer where the CCS is installed. Clear to hide the icon.
Credentials - The CCS runs under Network Account credentials established during Setup. The CCS requires administrator privileges on all computers being monitored; in effect Domain Administrator credentials. Click this button to display an Account Information box, change the credentials, and click OK. You'll need to change credentials if the Domain Administrator password used by the CCS changes.
Background updating:
"Background processes" are programs that run without being visible. The CCS communicates continuously with computers through background communication to keep status of Client Recorders and Servers current. Use these settings to control this communication:
Enable background updates of Control Center views - Check to enable background updates of network activity. If a computer's status changes, the change will automatically show up in the Computers list. Clear to stop background updating and manually Refresh the list from the Control Center.
Install Spector 360 Recorder to all ADSI computer additions - Check this item to instruct the CCS to install a Recorder on any new computer that has been automatically added to the Computers list from Active Directory. Computers will be added to the list AND the Recorder will be installed on those computers.
Be careful enabling the Install Spector Recorder to all ADSI computer additions option. You don't want to commit Recorder licenses to computers you do not intend to record.
Update interval - The frequency (in minutes) with which background updates occur (if enabled), by default every 5 minutes. Type a number from 1 to 1440 or use the arrow keys to change the value. Increasing this value can reduce network traffic and may be satisfactory if users do not log in and out frequently. Decreasing the value is usually not necessary. Experiment with this setting to determine what best suits your situation.
Group ADSI Computers by - Use to group ADSI computers as they are added in the Manage Computers list. The default setting is No ADSI Grouping: All computers are added to the Default Group. Select another setting to group computers according to a group already defined in Active Directory. See Managing Computers from Active Directory. Active Directory has no impact on grouping of computers already in the Computers list.
Custom ADSI Group - When you select Custom for ADSI grouping, use this field to create a group name. All computers added to the Computers list from ADSI will be added to this group. This becomes your default group.
Automatically update the Computer list using Active Directory - Check to retrieve a list of computers from Active Directory to populate the manage computers view. Once these computers are added to the list, the CCS will continue to check with Active Directory and automatically add any NEW Active Directory computers to the Manage Computers view.
Client Update Time - Time of day at which the CCS will automatically install or apply updates to Recorders. Select from the following options:
As soon as possible after changes are made - Updates will be relayed to client computers when they check in with the CCS. Installation and uninstallation updates will cause computers to restart, unless you have changed the Recording Profile.
At this time every day - Set a time for updates to be received by computers. Even if a computer is off, it will receive the update as soon as it is turned on and restarted. Select the hour, minutes, or AM/PM value and type a new value or use the arrows to change the value.
Synchronize the Computer list to Active Directory - Available when the above option is checked. Check this option to add AND remove computers based on Active Directory. Any computers in Active Directory NOT in the computer list will be automatically added to the computer list. Any computers NOT in Active Directory will be automatically removed from the computer list. Clear this option to use Active Directory to update status only.
Auditing settings:
The CCS is responsible for passing audit transactions at this Control Center to the database. In this section, identify the Database computer and the account used for database connection. You will be prompted for the SA Password when you attempt to change these settings. See Auditing for a complete discussion of this feature.
located. Click the computer button to select a different computer (database instance). See Changing the Database Computer.
Version - The software version and build number of the Control Center Server.
Communications - Displays the IP port configured in the Control Center Server settings.
audit transactions: SQL Server, Network Account, or Local Account. See Changing Server Credentials.
disabled.
Enable/Disable - Click to open a box that allows you to enable or
Server version:
The currently installed version and build of the Server is displayed at the bottom of its Properties panel. This information may be important for troubleshooting with SpectorSoft Technical Support.
Stop / Start Service - Stops the Primary Server service if the service is running. Starts the service if it is stopped.
View Log File - Opens the CCS log file. You can view or print a log of CCS activity when requested by SpectorSoft Technical Support for troubleshooting purposes.
Deployment Utility - Opens the Spector 360 Deployment Utility, which allows you to build a Recorder configuration. The preferred method is described in Creating a Manual Setup File.
Windows Firewall - If applicable, this button displays the Windows Firewall Settings. You can disable the firewall exception for port 16768 (default) for troubleshooting purposes. By default, the firewall exception is enabled for the port when the CCS is installed and re-enabled every time the Windows Firewall Settings dialog box is opened and then closed.
Direct network access to Recorder computers
Installed at a static IP address
Computer is always up and running
Runs under an account with credentials to access the Database / File Storage Location
Same Computer - When installed on the SAME computer as the MS SQL Server and Spector 360 Database, the service can run under Windows Local System.
Different Computer - When installed separately from the SQL Server database instance or the base path folder, configure the service to use a Windows "Network Account." The Data Vault requires "read/write" privileges to access the computer(s) where data is stored.
Remote Office - To capture recordings at a remote office, install ALL Server Components (without the Database) on the remote network, giving the Data Vault Server computer direct VPN connection to the centralized Database, under a Network Account.
The transmission lasts a maximum of thirty seconds. Any remaining events are transmitted to the Data Vault on subsequent connections. The Recorder would only reach this thirty-second threshold if it has been disconnected from the Data Vault for a period of time and has accumulated a large number of recorded events in the local Data File.
4. The Recorder deletes the data on the local hard drive. When the recorded events are received by the Data Vault, the Recorder deletes them from the local client hard drive.
4. The Data Vault inserts event records in the Data Vault DB. The Data Vault Server delivers the received data to the Data Vault database, where it is held in "raw" format.
5. The Data Vault Server passes files to the File Storage location. If there are email attachments or screen snapshot files associated with the data, the Data Vault delivers these to the File Storage folder located at the Base Path (default is C:\SpectorData on the Data Vault computer). Attachments are stored in one folder, and snapshots are stored by Domain and User.
6. The Data Vault initiates the "Process DV" jobs. Every few minutes, a Data Vault job runs to process events from a certain type of activity and insert them into the active STORAGE Database. The STORAGE Databases contain records of data for each computer or user sending recorded events. Once the data is in a STORAGE database, a Dashboard user can query and view the data.
Multiple Data Vaults - If you add another Data Vault Server to your existing Server Component installation, give all Data Vaults the same account credentials. See Adding a Data Vault or Web Filter Server.
View Log File - Displays the Data Vault Server log file. This information may be requested by SpectorSoft technical support for diagnostic purposes.
Service Status - Indicates whether the Windows service is "Running" or "Stopped."
Stop Service - Available when the service is running. Click to stop the Data Vault Windows service. This action is the same as stopping the service from the Windows Service Manager or from the Data Vault Administration window. When the service is stopped, Recorder data cannot be delivered to the Data Vault and remains on the local computer until the service is restarted.
Data Vault service settings:
Use the settings at the top of the Data Vault Properties to control the service:
Start Service - Available when the service has been stopped. Click to start the service.
Show Tray Icon - Displays an icon in the Windows system tray at the computer where the Data Vault Server is installed. Clear to hide the icon.
Computer Name - Computer where the Data Vault Server is installed.
Listen IP Port - The IP port where the Data Vault listens for data from the Clients (16769). Change this port only if there is a conflict on your network. If you change the port here, the CCS will update all Recorder profiles (that use this Server) with new Server Communication settings.
Credentials - Click this button to verify or change the account credentials under which the Data Vault service runs. You will need to enter the SA Password to open the Data Vault Server Credentials box.
If you move this Server (the SQL Server instance), Dashboard users will not be able to aggregate data from the older Server location with newly recorded data. To maintain data from a previous SQL Server instance, (a) stop the Data Vault service, (b) create a backup of the database, (c) restore the data at the new server location, and (d) restart the Data Vault service.
Use Default Port - Resets the port back to its default value if it has been changed.
Log Detail Level - Select the detail level for logging Data Vault activity:
Low - Less activity is recorded, resulting in a smaller log file.
Normal - The default level of activity is recorded.
Combine User Recordings Across Computers - Check to store recordings from all user accounts with the same name in one user data set. This is useful when users log in locally to multiple computers and networks. For example, COMPUTER1/JOHN, COMPUTER2/JOHN, and NETWORK1/JOHN would be combined into <combined>/JOHN instead of three different "users." Clear this option to store data from all logins separately.
Server Type - The type MS SQL Server cannot be changed.
Server - The computer where the Spector 360 SQL Server instance is running. Click the button next to this field to select a SPECTOR360 SQL Server instance on a different computer. The drop-down list displays all instances where the Spector 360 Database component has been installed. When you change the SQL Server instance, the Data Vault service will begin to populate the newly selected database with recorded data.
Server version:
The currently installed version and build of the Server is displayed at the bottom of its Properties panel. This information may be important for troubleshooting with SpectorSoft Technical Support.
Connection Account - The account this Server uses to connect to the SQL Server database instance. Possible account types are Local System, Network Account, or an SQL Server account.
Base Path - The path to the folder where the Data Vault Server stores Screen Snapshot and Email Attachment files of recorded activity, by default C:\Spector360Data on the computer where the Data Vault is installed. The path shown is relative to the Data Vault computer, not the computer on which you are running the Control Center. Click the button next to the Base Path field to navigate to and select a different File Storage folder.
When you change the Base Path, you change the storage location for FUTURE recordings. Use Windows to move the EXISTING data to a new location.
The Data Vault Server must be operating under an account with privilege to access this folder. Use Database Configuration - Modify File Storage Location to set up a share for the Spector 360 Data folder to be used by the Dashboard.
Version - Displays the software version and build number.
Communications - Displays the IP port where the service is listening for Spector 360 Recorder deliveries.
Database Server - The computer \ Spector 360 SQL Server instance which will receive processed data from the Data Vault.
Database Status - This status is "OK, Connected" if the service is communicating with the Database, "Unknown" if the service cannot find the Database, or "Connection NOT established," if the service is not currently communicating with the Database server.
Base Path - The path the Data Vault Server uses to send files to File Storage.
Primary Server
Stop / Start Service - Stop or start the Data Vault Service. When you click Stop Service, you are prompted to confirm stopping the service. When you click Start Service, you are prompted to confirm starting the service.
View Log file - Displays the Data Vault Service Log file. The log file tracks the service's attempts to communicate with the database and Clients, and to complete its data storage tasks. The coded messages assist in Data Vault/Database troubleshooting with the help of a SpectorSoft technical support representative.
Windows Firewall - Displays the Windows Firewall Settings box. Mark the "Enable Service Communication through Windows Firewall" checkbox to enable communication through the firewall; clear the check mark to disable the firewall exception. A status line informs you whether or not Windows Firewall is running at all. Click OK to accept a change in the firewall exception.
One Primary Server installed per serial number
Direct network access to Recorder computers
Installed at a Static IP address
Computer is always up and running
Internet access is beneficial but not required
Recorder profiles are configured with the correct Primary Server Name (or IP address) and port
moved to another computer. When you uninstall the Recorder, the license is still reserved for that computer and can only be assigned to a computer with the same Windows name.
3. The Primary Server verifies the Recorder installation. When the Recorder is installed, it attempts to contact the Primary Server once every minute to establish initial communication and activate the license. When communication is established, the Primary Server verifies the computer name and license.
4. When the license is verified, the Recorder begins recording. After initial verification, the Recorder contacts the Primary Server once every four hours to verify the software license.
If communication with the Primary Server is lost
If the service has been stopped, or the computer is off-line:
Administration Window or select Check for new versions under Manage Recorder Versions. The Primary Server computer connects to the Internet IP Address defined by the domain "u2a1376gf-43ty245c.com." Access to this domain address must not be blocked by a network firewall. There are three possible ways to connect to the Update Server.
Computer Name - Displays the network computer where the Primary Server is installed. If you move the Server, be sure to change Server settings for all Computer Profiles.
Listen IP Port - The Primary Server listens for Client Recorders on port 16770. Do NOT change this port unless you have a specific network conflict. Use the arrows to change the number, or type in a new number. If you change the port, the CCS will attempt to change Server settings for all Computer Profiles.
Direct Connection - Use IP port 16771 to connect to the SpectorSoft server for updates.
Proxy Connection - Access the Internet via a network web proxy server (HTML). You must specify the address and port for communication:
Proxy Address - Enter the Proxy server IP address or name.
Proxy IP Port - Enter the Port used to communicate with the proxy server.
Use Default Port - If the port has been changed, you can return it to the default Spector 360 port (16770) by clicking this button.
View Log File - Click this button to view or save a text file log of Primary Server activity (splicensemanager.log) to use for troubleshooting purposes.
Service Status - Shows the Server as "Running," "Stopped," or "Unknown."
Start Service - Available when the service is stopped. Starts the Primary Server service. The service MUST be started for Recorders to operate correctly.
HTTP Connection - (Default) Connect to SpectorSoft via HTTP port 80. This is the default configuration. If your network has a proxy server or a firewall that filters non-standard HTTP traffic, you may need to configure one of the other options provided.
Stop Service - Available when the service is running. Stops the Primary Server service.
Credentials - This button allows you to change the account under which the Primary Server's Windows Service operates. By default the Server operates under the Local System account for the machine where it was installed. You can change the account to use a network account or credentials other than the Local System. You will need to enter the SA Password first.
Server version:
The currently installed version and build of the Server is displayed at the bottom of its Properties panel. This information may be important for troubleshooting with SpectorSoft Technical Support.
View Log File - Opens the Primary Server log file. You can view or print a log of Primary Server activity when requested by SpectorSoft Technical Support for troubleshooting purposes.
Serial Number - Displays the Serial Number Registration dialog box. It's possible to register and unlock Spector 360 from this window.
Windows Firewall - The Windows Firewall Settings displays an exception for port 16770 (default). You can disable the exception for troubleshooting purposes. By default, the firewall exception is enabled for the port when the Primary Server is installed and re-enabled every time the Windows Firewall Settings dialog box is opened and then closed.
Version - Software version and build number for the Server.
Last Update - Displays last time the software was updated.
Communications - Displays IP port configured in the Primary Server settings.
RevLevels - Displays current Spector 360 Recorder revision information. This information helps you determine if you have the latest support for recording web-based email and security (stealth) from SpectorSoft.
Serial Numbers - Displays the registered serial number and the number of Client licenses reserved, in use, and available.
Stop / Start Service - Stops the Primary Server service if the service is running. Starts the service if it is stopped.
Updates - Check and download the latest Recorder Version. The update becomes visible in the Control Center application, and when the Recorders check in with the Primary Server, they can receive the update. The update file includes updated webmail capture, as the format of these web sites can change frequently.
3. The Recorder requests the WFS before going online. Each time the computer requests to go online to a web site, the Recorder checks with the Web Filter Server.
4. The WFS grants or denies access. The server enforces block and allow rules by priority, as set by the Web Filtering rules currently in the database. The first rule is applied first, then the second, and so on, based on "who" and "when" and other settings. This type of filtering is dynamic and applies to the user login rather than the specific computer.
5. The "Blocked" message is displayed at the computer. If a domain ends up being blocked by the rules, a customized message with a hyperlink can be displayed. The link might lead to an explanation of Acceptable Use Policy or to a request for Internet access. If the domain is not blocked, the site is displayed.
Direct network access to Recorder computers
Installed at a static IP address
Computer is always up and running
Access to the Database
Recorder profiles are configured with the correct WFS Name (or IP address) and port
The Recorder ignores instructions from the Web Filter Server. Even if the computer is removed from the network or connected to any other network the filtering will be applied. The Recorder's When to Block and Who to Block settings apply to the specified web sites in addition to specified ports. You would change the filtering on any computer by applying profile changes.
If you block All Internet Access at the local Recorder, no Server Web Filtering rules will apply, because no Internet access is allowed.
If you block HTTP/HTTPS ports during work hours at the local Recorder, the Server Web Filtering rules will apply ONLY during "off" hours, when the Internet port access is allowed.
If you block HTTP/HTTPS ports for specific users at the local Recorder, the Server Web Filtering rules will apply to OTHER users. The locally blocked users are simply blocked from accessing web sites altogether.
If you allow ONLY Chat/IM from specific teachers or business associates at the Recorder, there will be no incoming messages from unauthorized contacts, even though Server Web Filtering rules may allow access to a chat room domain.
If you block ports used by Kazaa at the local Recorder, the user will NOT be able to download media at those ports, even if the domain is permitted.
If you block File Transfer via FTP from the local Recorder, a user might be able to visit a site, but the Recorder will NOT allow an FTP download from the site.
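The precedence described above, where a local Recorder block closes off the request before any Server Web Filtering rule is consulted, can be modelled as follows. This is an added Python sketch, not SpectorSoft code: the rule fields, first-match evaluation in priority order, the allow-by-default fallback, and all names and domains are assumptions, and the local settings are reduced to HTTP/HTTPS port blocking.

```python
"""Decision order for one web request, modelled from the text above.

Added illustration, not SpectorSoft code. Assumed for the model: the rule
fields, first-match-wins evaluation of the server rules in priority order,
and "allow" when no server rule matches.
"""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Window:
    """Daily time window; start inclusive, end exclusive, may wrap midnight."""
    start: time
    end: time

    def contains(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass(frozen=True)
class LocalBlock:
    """HTTP/HTTPS port block held in the Recorder profile.

    users=None means every user and when=None means at all times, so
    LocalBlock() models "block All Internet Access". User names are stored
    in lower case.
    """
    users: Optional[FrozenSet[str]] = None
    when: Optional[Window] = None

    def applies(self, user: str, t: time) -> bool:
        who = self.users is None or user.lower() in self.users
        hours = self.when is None or self.when.contains(t)
        return who and hours


@dataclass(frozen=True)
class ServerRule:
    """One Web Filter Server rule; its position in the list is its priority."""
    action: str                               # "block" or "allow"
    domain: str                               # also covers subdomains
    users: Optional[FrozenSet[str]] = None    # "who"
    when: Optional[Window] = None             # "when"

    def matches(self, user: str, domain: str, t: time) -> bool:
        d, r = domain.lower().rstrip("."), self.domain.lower()
        on_domain = d == r or d.endswith("." + r)
        who = self.users is None or user.lower() in self.users
        hours = self.when is None or self.when.contains(t)
        return on_domain and who and hours


def decide(user: str, domain: str, t: time,
           local_blocks: List[LocalBlock],
           server_rules: List[ServerRule]) -> Tuple[str, str]:
    """Return (verdict, source) for a request to `domain` by `user` at `t`."""
    # 1. A local port block wins outright: with the ports closed, the
    #    server rules are never reached for this user at this time.
    for block in local_blocks:
        if block.applies(user, t):
            return "block", "local Recorder"
    # 2. Otherwise the server rules are walked in priority order.
    for position, rule in enumerate(server_rules, start=1):
        if rule.matches(user, domain, t):
            return rule.action, f"server rule {position}"
    return "allow", "no matching rule"


# Constructed sample policy (names and domains are made up).
WORK_HOURS = Window(time(9, 0), time(17, 0))
SERVER_RULES = [
    ServerRule("allow", "intranet.example"),
    ServerRule("block", "chat.example", users=frozenset({"john"})),
    ServerRule("block", "video.example", when=WORK_HOURS),
]

if __name__ == "__main__":
    local = [LocalBlock(when=WORK_HOURS)]     # ports blocked during work hours
    for who, site, at in [("mary", "www.video.example", time(10, 0)),
                          ("mary", "www.video.example", time(20, 0)),
                          ("john", "chat.example", time(20, 0))]:
        print(who, site, at, decide(who, site, at, local, SERVER_RULES))
```

Because the local block is evaluated first, a server-side "allow" rule never loosens a Recorder-level block; it only takes effect for users and hours the local settings leave open.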
Computer Name - Name of the computer where the Web Filter Server is installed now.
Listen IP Port - The Web Filter Server listens on port 16771. Change this port only if there is a conflict on your network. If you change the port here, the CCS will attempt to update Server Communication settings for all Recorders using this Server.
Server version:
The currently installed version and build of the Server is displayed at the bottom of its Properties panel. This information may be important for troubleshooting with SpectorSoft Technical Support.
Use Default Port - Click this button to reset the port back to its default value if it has been changed.
Log Detail Level - Shows the level of detail being captured in the Server log file.
View Log File - Click to view a log of Server activity.
Service Status - Shows the Server as "Running," "Stopped," or "Unknown."
Start / Stop Service - Click Start to start the service when it is stopped; click Stop to stop the service when it is running.
Credentials - Click to view or change the type of connection account or the account credentials under which the Web Filter Server (a Windows service) is operating. Credentials must provide access to the Spector 360 Database so that the Web Filter Server can receive web filtering instructions.
Server - The Spector 360 SQL Server instance (computer and database) the Web Filter Server connects to. If the location of the Database has changed, click the computer button next to this field to select the correct SPECTOR360 SQL Server instance.
Connection Account - The type of credentials used by the Server to access the Spector 360 Database. The credentials will be the same as set by Set Credentials above.
Local System - The service runs under the Local System account.
DOMAIN\user - The service runs under a Windows network account.
Username and Database - The service uses SQL Server credentials to access the database.
Version - Version of the Web Filter Server (WFS) installed.
Communications - The port where the WFS is listening for Client requests. The default port is 16771.
Database Server - The Spector 360 SQL Server instance (computer and database) providing Web Filtering rules to the WFS.
Database Status - The status of the WFS to the Database and whether the current database is validated. Status can be Connected, Not Connected, and Unknown.
Stop Service - Appears when the WFS Windows service is running. Click this button to stop the Windows service. A message asks you to confirm the action, and a second message tells you the service was stopped. When the service is stopped, either local Client Web Site blocking goes into effect as a backup, or there is no web site filtering.
Start Service - Appears when the WFS Windows service is not running. Click this button to start the Windows service.
View Log File - Click this button to view a text log file of Web Filter Server activities. The log file is useful for SpectorSoft Technical Support when they help you troubleshoot problems. If Technical Support requests a "Verbose Log," click Server Status and make the selection.
Server Status - Click this button to view the Spector 360 Recorder activity detected by the Web Filter Server.
Windows Firewall - Click this button to view the Windows Firewall status. When the WFS was installed, an exception was put into place to allow communication through an XP firewall on port 16771.
Clear Display - Click this button to clear the currently displayed information.
Disable Display - Check this option to turn off the display of events on this box. Clear to view all user web requests.
WFS Server Verbose Log - This option affects the Web Filter Server log file, which you view from the main WFS Administration window. Check this item when instructed by SpectorSoft Technical Support to increase the detail shown for each web filtering event logged by the Web Filter Server. Clear this option to keep the default, brief log, which logs only two lines for each event.
Database Server
Change - Click this button to open a box where you can select a different SQL Server instance of the database. See Changing the Database Computer.
Service Status - Status of the MS SQL Server service. Running or Stopped if the service is not running.
Stop/Start Service - Click this button to stop or startup the SQL Server service.
Credentials - Click to change the account under which the Server runs. You will need to enter the SA password before you get to the Server Credentials box.
SQL Agent Service Status - If you are using MS SQL Server Standard or Enterprise, you are using the SQL Agent Service. The status is Running or Stopped.
Stop/Start SQL Agent - Click this button to stop or startup the SQL Agent service.
Spector Agent Service Status - Status of the Spector Agent Service: Running or Stopped.
Stop/Start Spector Agent - Click this button to stop or startup the Spector Agent service.
To move the Database, install the Spector 360 Database using the Spector 360 Setup program. Be sure to follow instructions in Moving the Database so you don't lose data!
Computer Name - Name of the computer where MS SQL Server and the Databases are installed.
Auditing
Only the System Administrator (SA) can allow a Spector 360 user access to Auditing, and the SA password will be required to enable or disable Auditing. Users without
5. Use the drop-down list to select the computer. Click OK.
6. A message asks if you want to attach to the Spector 360 Database on the new computer. Click Yes to proceed.
7. Enter the SA password for the Database. Click OK.
8. Click OK on the Database Server Properties box.
Verify the Data Vault Server Properties shows the correct File Storage Base Path on the new computer.
Servers - Each server tracks commands issued in its area. For example, the Primary Server tracks changes to assigned licenses, the Database Server tracks Database backups, and so on.
Background capture - Commands are captured "in the background" without interrupting activity, but the user and computer issuing the command will be identified.
CCS collects data - The CCS receives the temporary information gathered by the servers and stores it in an audit table in the Database.
AUDIT Database - The Database begins to manage a database starting as AUDIT-001. As auditing data accrues, new databases are automatically created: AUDIT-002, AUDIT-003 and so on.
Viewing - A user with access to Auditing in the Control Center is able to display and filter the logs for viewing and reporting in Audit History.
Use the Previous and Next buttons on the toolbar to browse through pages of data. Use Refresh to update the view showing the latest data. For each action the following information is provided:
When - The date and time the command was issued.
Action - Identifies the end result of the command issued: Add, Modify, or Delete a value or perform a Database operation.
User - Identifies the user logged in when the command was issued.
Computer - Identifies the computer where the command was issued.
Location - Identifies the location in the user interface where the command was executed.
Component - Identifies the program from which the command was issued: the Control Center, Control Center Server, Data Vault Server, Primary Server, Web Filtering Server, Dashboard, Export Utility, or "No Component."
Description - Lists fields that were applied or changed. The number of fields depends on the action. For example, "Unschedule Pending Install" may include only the Computer Name and Install Time. "Computers - New" lists all fields applied to the computer in the Add wizard or dialog box. "New Client Recorder Settings" lists all profile settings.
Audit Entity - Names the item added, deleted, or modified. For example, a profile change may list "Initial Profile Mac" as the entity (profile) that was changed. A new Dashboard login may list "wwilks" as the user who was added.
Before Value - The value of the item before modification. A blank value did not previously exist (i.e., the computer in the above
204
illustration). ON and OFF values are represented by 1 and 0. Other values may be another numerical value, a name, a time, and so on. You can match up values to the Component and Location interface that was used.
After Value - The value of the item after modification. The same values as the Before Value column apply to each field. A blank value represents an item that was removed. If the Before and After values are different (a change was made), both values are highlighted, as shown below.
Set Filter Criteria - Click Filter on the toolbar or "Filter the audit data being displayed" in the Task Navigation pane to open a criteria box and zero in on commands, types of data, users, or computers. The Filter Criteria persists in Audit History until you change it. Click Clear Filter to clear the report and return to all
Sort by column - Click on a column heading in Audit History or Audit Details to sort the data (Ascending or Descending order) by When, Action, User, Computer, Location, Component, or any of the Details fields.
Filter by column - Roll the cursor over a column heading and click the small filter icon to the right of the heading. This opens a menu allowing you to quickly filter by values in the column. For example, if you select Add from the Action filter menu, only records with an Add action are displayed, and all others are hidden. This option is available both in Audit History and Audit Details. An ALL option is added to the menu once a filter is "on" to show the hidden data. This filter does not persist; when you leave and return to Audit History ALL data is shown.
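The Before Value and After Value conventions described above (a blank Before Value means the item is new, a blank After Value means it was removed, and 1 and 0 stand for ON and OFF) can be applied to exported audit rows to pull out the changes a reviewer would look at first. This is an added example, not part of the Spector 360 product or this guide; the CSV layout, the field names in the Description column and all sample values are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample. The guide does not document an export file format, so
# this layout (one row per changed field, with the field name in the
# "Description" column) is an assumption. Column names follow the Audit
# History fields; every value below is invented for the example.
SAMPLE_EXPORT = """\
When,Action,User,Computer,Location,Component,Audit Entity,Description,Before Value,After Value
03/01/2011 09:02:11 AM,Add,admin1,ADMIN-PC,Computers - New,Control Center,WKSTN-07,Computer Name,,WKSTN-07
03/01/2011 09:15:40 AM,Modify,admin1,ADMIN-PC,New Client Recorder Settings,Control Center,Initial Profile Mac,Screen Snapshots,1,0
03/01/2011 09:16:02 AM,Modify,admin1,ADMIN-PC,New Client Recorder Settings,Control Center,Initial Profile Mac,Snapshot Interval,30,30
03/02/2011 04:48:19 PM,Modify,admin2,OPS-PC,New Client Recorder Settings,Control Center,Initial Profile Mac,Keystrokes,0,1
03/02/2011 05:01:55 PM,Delete,admin2,OPS-PC,New Dashboard Login,Dashboard,wwilks,Login Name,wwilks,
03/03/2011 08:30:00 AM,Modify,admin1,ADMIN-PC,Computers,Control Center,WKSTN-07,Profile,Initial Profile Mac,Initial Profile
"""

# Change kinds that reduce what is recorded or remove an item outright.
REVIEW_KINDS = {"switched_off", "removed"}


def classify(before, after):
    """Interpret a Before/After pair using the conventions from the guide."""
    before = (before or "").strip()
    after = (after or "").strip()
    if before == after:
        return "unchanged"          # values not highlighted in Audit History
    if before == "":
        return "added"              # blank Before: item did not exist
    if after == "":
        return "removed"            # blank After: item was removed
    if (before, after) == ("1", "0"):
        return "switched_off"       # ON -> OFF
    if (before, after) == ("0", "1"):
        return "switched_on"        # OFF -> ON
    return "changed"                # any other differing pair


def load_rows(csv_text):
    """Parse the export and attach a 'Change' classification to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = {key: (value or "").strip() for key, value in row.items()}
        row["Change"] = classify(row["Before Value"], row["After Value"])
        rows.append(row)
    return rows


def review(csv_text):
    """Return rows where a setting was turned off or an item was deleted."""
    return [
        row for row in load_rows(csv_text)
        if row["Change"] in REVIEW_KINDS or row["Action"] == "Delete"
    ]


def findings_per_user(csv_text):
    """Count review-worthy rows per user who issued the command."""
    return Counter(row["User"] for row in review(csv_text))


if __name__ == "__main__":
    for row in review(SAMPLE_EXPORT):
        print("{When}  {User}@{Computer}  {Component} / {Location}  "
              "{Audit Entity}: {Description} "
              "[{Before Value!r} -> {After Value!r}] {Change}".format(**row))
    print(dict(findings_per_user(SAMPLE_EXPORT)))
```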
Enable/Disable Auditing
Enable Auditing when you want to track commands issued from the Control Center. When auditing is enabled, the Servers log commands and pass them back to the CCS, which stores all issued commands in the Database. User and computer information is captured with each command. See Viewing the Audit History.
To enable auditing:
To enable auditing, use the Control Center Server properties to set up auditing and Tools > Options to switch it on and off. For security purposes you will be asked to identify the database and the account the CCS will use, as well as supply the SA password.
To configure auditing:
1. Select Servers > Control Center Server and Modify. Click on the Auditing tab. See Control Center Server Properties.
2. Select the Spector 360 Database computer. Click the computer icon button and select the computer where the SQL Server instance is installed.
3. Specify a connection account. Use the key icon button to open a Server Credentials box. This account will be used by the CCS to access the Database to read and write auditing data. Use the Local System account if the CCS and Database are on the same computer.
4. Click Enable/Disable to display the following dialog box. Once it's configured, you can toggle auditing on or off from Tools > Options.
Enable - Turn on auditing.
Disable - Turn off auditing.
Cancel - Close this dialog box without changing settings.
Audit Criteria
The Control Center provides filtering criteria (similar to criteria used in the Dashboard) for Audit History. Use Audit Criteria to limit the data shown and focus in on activity. You can select a date range, specific computers or users, or Spector 360 components and sources. For example, you could view all "Archive Database" actions from the previous year or all commands issued by one user so far this month.
Component and Source selections can exclude each other. Make sure a Source selection is a subset of your Component selection (for example, Computers - New source belongs to the Control Center component).
To change criteria:
In the Audit History view, select Filter from the toolbar or Task Navigation pane. Make selections in the Audit Criteria box and press OK. All data not within the filter is hidden.
Date: Select a time period from the drop-down list and fill in date and time fields as requested. Only the data recorded within the selected time period will be displayed. For example, if you request "Previous Month," activity from the current month will be hidden. See Viewing by Date.
Computers: Select one or more computers to include or exclude. See Viewing by Computer.
Users: Select one or more users to include or exclude. See Viewing by User.
Components: Select a Spector 360 server or application to view. See Viewing by Component.
Sources: Select the interface that is the source of the action. For example, Computer - New shows all commands adding, modifying, or deleting a computer in Manage Computers.
Actions: Select a type of action performed, such as Add, Modify, or Delete. See
If a date or time is not valid (according to this computer's system clock) a red warning symbol and message appear.
Criteria Settings
This informational field summarizes your criteria selections, revealing all set values. Use the Clear Filter button on the toolbar to clear all settings and return to a view of all data for "This Year."
Date and Time Range - View data from a specific start date and time to an end date and time. For example, you might choose to view a critical time period during a company merger, from 3/1/2011 at 9:00 AM until 3/14/2011 at 5:00 PM. Use the drop-down calendar or type in From and To dates, entering a time for each date. Date format is mm/dd/yyyy and Time format is hh:ss:AM/PM or as set by this computer's system clock.
If a date or time is not valid (according to this computer's system clock) a red warning symbol and message appear.
Date Range with Time Constraint - View data within a date range at specific times. For example, you might view data for a 5-day work week, showing only the 8:00 AM to 5:00 PM period. Use the drop-down calendar or type in From and To dates. Enter the time between the starting time each day and the ending time each day. Date format is mm/dd/yyyy and Time format is hh:ss:AM/PM or as set by this computer's system clock.
Date Range - View data within a specific date range. Type a From (beginning date) and a To (ending date) for the range in mm/dd/yyyy format, or click a down-arrow to select a date from a calendar. The "To" date must be equal to or greater than the "From" date. Today's date appears at the bottom of the calendar. Left and right arrows let you back up and go forward through months. You are limited to the first and most recent dates of recorded data in the active Database. Click on a calendar date to select it and place it in the "To" or "From" date box.
Today - View all data for today's date, a full 24 hours (12:00 AM to 11:59 PM). Note that a portion of "today" is probably not finished, so you will likely not view a full day.
Yesterday - View all data for a full 24 hours (12:00 AM to 11:59 PM) for the previous date.
Last 'n' Days - View data for the previous number of days up to the present. Enter or select the number of days to view, and check Include today if you want to include what has been recorded today so far. The selected from and to dates are displayed when you move on to the next field.
This Week - View data so far this week. Weeks are measured from Sunday morning (12:00 AM) to Saturday midnight (11:59 PM). If you select "This Week" on Thursday, you get Sunday through Thursday.
Previous Week - View last week's data from Sunday morning through Saturday midnight.
Last 'n' Weeks - View data for the previous number of weeks. Type the number of weeks to include up to the present week, Sunday morning (12:00 AM) to Saturday midnight (11:59 PM). The dates for the setting are reflected in the dimmed "From" and "To" fields. Check Include this week if you want to include the current week's recorded data, even though the week is not completely finished. Leave "Include this week" blank if you want to make sure that each week is a full week of recorded data.
This Month - View data so far for this month. Months are measured from the morning of the first to midnight of the last day of the month. If you select this option on the 15th of the month, you will view data for days 1 through 15.
Previous Month - View last month's data from 12:00 AM of the first day to 11:59 PM of the last day of the month.
Last 'n' Months - View data for the previous number of months up to the present. Type the number of months to include, Sunday morning (12:00 AM) of the first day through Saturday midnight (11:59 PM) of the last day. The dates for the setting are reflected in the dimmed "From" and "To" fields. Check Include this month if you want to include this month's data, even though the week is not completely finished.
This Year - (Default) View all data for the current year, from January 1 through today.
Last Year - View data from January 1st through December 31st of the previous year.
Use the Clear Filter command, or open the Filter Criteria and select This Year.
3. Click OK to apply the selection and close the box.
3. Click OK to apply the filter and close the selection list. Note that your selections are listed in the Audit Criteria Summary.
The sources:
The sources reflect the possible locations (user interfaces) where a command can be issued. For example, a "Computers" source would include actions that took place in the "Computers list" area of the Control Center. "New Dashboard Login" would include actions to add Spector 360 from the Dashboard component. Note that Available Sources may not yet have actions recorded in the Audit History.
3. Click OK to apply the filter and close the selection list. Note that your selections are listed in the Audit Criteria Summary.
The actions:
The actions reflect the possible types of commands that can be issued. For example, "Modify" actions may have taken place from the Computers list and in the Client Recorder Profile as computers were added and profiles changed. Note that some Available Actions may not yet be recorded in the Audit History.
2. Select an action from the Available Actions list. Use the Ctrl and Shift keys to select multiple actions. Click the > button to move the action to the Selected Actions list on the right. Use < to remove an action from the Selected list. Click >> or << to move all actions from one list to the other.
3. Click OK to apply the filter and close the selection list. Note that your selections are listed in the Audit Criteria Summary.
For consolidated reporting, it's important to use only ONE Spector 360 database.
Manage Database Backup and Restore - View databases and the currently available backups and perform a backup, archive a database, or restore a backup or archive.
Manage Database Jobs - View each database job history and status, change job schedule and monitor job progress.
Manage Database Configuration - Set options for database storage, logs, backups, archives, enable Space Management, and set up Dashboard shares.
See the Servers section of this guide for instructions on verifying and monitoring the Data Vault and SQL Servers.
2. Copy Snapshots and Attachments with the Backup. If your Database computer is available, use the Control Center to make sure Screen Snapshots and Email Attachments (if you are recording them) are included for Backups. Use Database > Manage Database Configuration to make this setting. When you do this before backing up, you will be able to restore the Screen Snapshot and Email Attachment files to the File Storage location, and the share names as previously defined will be updated in the CUSTOMER database. Database Configuration settings determine if snapshot/attachments are included
3. Perform a Full Backup. If your Database computer is available, perform an immediate Full Backup of the STORAGE databases. If the Database computer is not available, you will have to use the most recent Full Backup you have at another location. Copy the Full Backup Folder (default location on the Database computer is ...\MS SYQL\SQL.1\SPCT_BACKUP\ ) to the new computer's hard drive.
4. Move your existing File Storage folder. IMPORTANT! If your Database computer is available and the File Storage location is on the Database computer, follow instructions to move the folder BEFORE you Uninstall the Spector 360
5. Install the Spector 360 Database on the new computer. Use the Spector 360
6. Restore the backup. Be sure to restore the backup BEFORE you activate the Data Vault Server. At the new Database computer, use the Control Center's Database > Manage Database Backup and Restore and select the Browse for restore folder feature to locate the backup you copied to this computer, if it is not visible in the Backup and Restore pane. Exit out of the Control Center and wait for all the Databases to be restored.
7. Activate the Data Vault Server. Follow the instructions in Step one and click Start Service.
8. Check the Database computer. In the Control Center, select Servers, right-click the Database Server and select Modify. Next to "Computer Name" click the Change button. Select the new computer name. A prompt asks you if you want to reapply the Spector 360
When you change the Computer Name in the Database Server properties, the Control Center attempts to point the Data Vault and Web Filtering Servers to the new Database instance. Perform the following steps only if this did not occur.
9. Point the Data Vault Server to the correct computer. In the Control Center, select Servers, right-click the Data Vault Server and select Modify. Under "Database Storage," click the Change button. Select the correct Database computer and click OK. Enter the SA password and click OK. Click OK to save the Properties.
10. Point the Web Filter Server to the correct computer. If you are using Server Web Filtering, in the Control Center, select Servers, right-click the Web Filtering Server and select Modify. Under "Database Connection," click the Change button. Select the computer where the Database SQL Server is installed and click OK. Enter the SA password and click OK. Click OK to save the Properties.
11. Inform Dashboard and Control Center users. Test this new Database instance with existing Dashboard installations to make sure connections are working on the network. Dashboard and Control Center users will need to log in to the new Spector 360
2. Move the folder. Use Windows to move the File Storage folder (e.g., C:\Spector360Data ) to the new computer or hard drive. Make sure to move the entire folder.
3. Share the folder. If Dashboard users are using a Share (other than C$ Share) to access files, use Windows to add the Share to the new File Storage folder security settings. Use the same Share name previously defined.
4. Change the Data Vault credentials, if necessary. In the Control Center, access Servers > Data Vault Properties. Click Credentials for the Data Vault Service. If the File Storage location is now on a computer separate from the Data Vault, you need to use Network Account credentials that have Read/Write privileges at the File Storage location. The credentials must be from an established network account. If necessary, check the computer where you moved the File Storage location to verify user access. The Network Account you select for the Data Vault Server will be automatically added for SQL Server access.
5. Change the Data Vault Base Path. In the Control Center's Data Vault Properties box, use the folder button next to "Base Path" to browse to and select the moved folder on the new computer. Click OK to set the Data Vault changes.
6. Check the Database Configuration. Select the Control Center's Database > Manage Database Configuration. Select Modify file storage location from the Navigation pane. Make sure the Base Location specifies the new File Storage folder. Click the folder icon next to Shared Name to ensure the share refers to the correct folder. If necessary, change the Share folder and click OK.
7. Test the move from the Dashboard. Open a Dashboard, select User Explorer and a user for whom you know you have snapshots. If you see the previously recorded snapshots, the move was successful.
Databases
retrieve.
ADMIN DB: Contains the SQL Server instance scripts that are not customer specific. There are no tasks to perform for this database, and it is not included in a Full Backup.
ALERT DB - 001: Contains Event Alert profiles, keywords, and operators.
CUSTOMER DB: Contains customer-specific data common to all data, such as login profiles. This database is included in a Full Backup. There are no tasks to perform for this database.
DATA VAULT DB: The Data Vault Server stores raw data it receives from Recorders in this database. The data is held here until the Process Data Vault job runs and inserts the data in the
LOOKUP DB - 001: The lookup database is related to the Customer database and contains the program names, domain names, and so on, that appear in lists in the Dashboard. This information grows as data accumulates, and Spector 360
STORAGE DB - 001: Where the recorded data resides. Spector 360
WFS FILTER DB: Where Website Filtering custom categories, category groups, time profiles, and rules are stored. Initially this database is empty.
WFS SYSTEM DB: Where provided data (system categories) for Website filtering is stored. New data is added to this database when SpectorSoft provides WFS System Category updates.
Database Name: Identifies the database. As you accumulate data, you will have multiple STORAGE, ALERT, and LOOKUP DBs, but only one ADMIN, CUSTOMER, and DATA VAULT DB.
Version: Identifies the Spector 360 Database version.
Archived: Indicates whether or not the database has been archived (archives apply only to STORAGE DBs).
Maximum Size: Maximum size the database can be before a new one is automatically created. The max for all databases is 4 GB (4,096 MB) for SQL Server Express and a user-defined size for SQL Server Standard / Enterprise. When a STORAGE database reaches this size, it can be archived.
Current Size: The size of the database. The ADMIN and CUSTOMER DB sizes will not change until you upgrade Spector 360 . The DATA VAULT DB size increases as recordings are received from the Clients, and decreases as recordings are processed and inserted in the STORAGE database. The STORAGE DB continues to increase in size until it reaches the maximum size and a new STORAGE DB is created.
Space Used: How much disk space the database is using.
Date Created: The date and time the database was created (initially the installation date).
Backup vs. Archive
A "Full Backup" backs up all Spector 360
Spector 360 "Archive" is available only after a STORAGE database reaches its maximum size and saves data only from one STORAGE database to another location. An Archive Restore makes the archived STORAGE database accessible again at any time without affecting the current state of the database.
Backup - Back up all Databases immediately:
Full Backup - Create a complete backup of the databases.
Differential Backup - Back up only data new since the last backup.
Restore - Restore all Databases from a backup folder:
Restore Databases - Retrieve a Backup from the normal location
Browse for Restore Folder - Navigate to a Backup set location.
Archive - Archive the selected, "full" STORAGE database.
Archive Restore - Restore the selected archived database.
History - View the backup and version history of a database.
Statistics - View statistics for a DATA VAULT or STORAGE database.
Refresh - Refresh the information shown.
1. The Spector 360 Recorder records and stores events. The Client Recorder, installed on each network computer, detects and records all events, organizing the data into records and storing it in data files on the local computer hard drive.
2. The Recorders push data to the Data Vault. Once every four minutes, the Recorder attempts to deliver its stored data across the network to the Data Vault Server, through the established Data Vault port.
3. The Data Vault accepts the data. The Data Vault Server listens on the established port and responds to the Recorder communication. When the Recorder receives acknowledgement that recorded events have been accepted by the Data Vault service, it deletes the files from the local computer's hard drive. If the data is not accepted, or the Data Vault is not available, the data remains on the Recorder computer for a specified duration or until it reaches a maximum size, when the Recorder begins to delete the oldest events.
4. The data goes into the DATA VAULT DB. The Data Vault Server receives the data and directs it to the DATA VAULT database, where it is held in "raw" format. It passes files (screen snapshots or email attachments) to the specified File Storage folder location.
For best results, install the Data Vault Server, the Database, and the File Storage location on the same computer.
5. Data is processed for the STORAGE DB. The Data Vault periodically runs Process Data Vault (DV) jobs for each type of recorded activity, which format the data in the DATA VAULT DB and place it into the most recent, active STORAGE database.
6. The Dashboard accesses the data. Once the data is in the STORAGE database, a user can log into the Dashboard, connect to the SQL Server instance of the Spector 360
7. New STORAGE databases are automatically created. Each STORAGE database stores data records, usually in sequential order. When a database exceeds its maximum size, a new database is automatically created (STORAGE - 002). The Control Center and the Dashboard have access to all available STORAGE databases.
8. Full STORAGE databases can be archived. To conserve disk space, you can archive older, full (at maximum size) STORAGE databases and remove them from the Spector 360
You can get statistics on:
STORAGE DB - These databases contain the records viewed by Dashboard users. View statistics on a single database (for example, on STORAGE DB - 001) or Across Databases (for example on STORAGE DB - 001 through 003).
DATA VAULT DB - The DATA VAULT database receives raw data passed from the Recorders to the Data Vault service. This data is processed regularly and inserted into the active STORAGE database. Statistics on the DATA VAULT show you the records being captured now.
2. In the upper right Databases pane, select the STORAGE or DATA VAULT database you wish to view.
3. Select Statistics on the toolbar - OR - Select View database statistics from the Task Navigation pane - OR - Right-click and select Statistics.
The DATA VAULT statistics may show few or no records, because as data is processed and inserted into the current STORAGE database, it is removed from this database. The DATA VAULT DB refills as Recorders pass new data to it.
summarized in the Database Statistics window. By default, the Dashboard shows statistics by Event:
Across Databases: When checked, this counts records from all available STORAGE and DATA VAULT databases. By default, the option is cleared and you see statistics only from the database you selected. You can switch between the Events/Users/Computers view of statistics with this option selected. If Users is also selected, you will not see the DATA VAULT database.
Events: When checked, this option displays a record count of events, starting with the most active Event type. If you also select Users or Computers, those fields are added.
The statistics shown for all databases take the same format, and all views of the statistics show these fields:
Record Count: Total number of event recordings for each activity type. By default all views of the statistics show records ordered from largest Record Count to smallest.
Start Date: When this database started receiving these event recordings.
End Date: Last time the database received new data for each type of recording.
Status: Status of the database can be Online (the Dashboard can access the data) or Archived (the data has been archived and deleted from the accessible location).
Users: Displays record count by user, starting with the user with the greatest record count. If you select Users in addition to Events or Computers, Users are listed in the first column. Selected alone, this option summarizes a user's activity.
Use the play buttons at the bottom of the window to navigate through Statistics records:
Computers: Displays the record count by computer, starting with the computer with the greatest record count. Selected alone, this option provides a quick summary of activity on a computer.
The Statistics window always opens to its default view of Events only for the selected database.
Click on a column heading in the Database Statistics window. The statistics are sorted by that field, greatest to least (down arrow next to field name). If you click on the same column heading again, the sort order is reversed to least to greatest.
You can also drag and drop the column headings to change the order of fields in the window.
For example, for a view of one user's activity, select all options at the top of the Statistics window. Click the User column heading to sort by user. You can then scroll or page to the user you wish to review.
Date: Date of the database backup activity.
Operation: Backup or Restore of the database.
User Name: User who requested the backup or restore.
File Name: Location of the backup, by default: C:\Program Files\Microsoft SQL Server\MSSQL$SPECTOR360 \Backup\0001\ (for the first full backup)
Full Backup Date: The date and time the backup set was created by performing a full backup.
Differential Backup Date: The date and time the last differential backup was performed for the backup set.
File size: The size of the backup file.
Database version: The version of the Spector 360
Valid Backup: Indicates whether or not the backup can be restored. Yes means the backup is valid and can be restored; No means the version is invalid or the data has been compromised.
Keep at least two full backups of your databases. In addition, it is good practice to "test" backups by restoring them to a Test Database. See Troubleshooting.
Backup File: Names the full backup file that will be used with the latest differential, if available, to restore the data. Each backup set is stored in its own folder and contains a full backup file (F... BAK) and any differential backups (D... BAK).
To manage backups:
Perform the following tasks from the Backup History pane using the toolbar or the right-click menu.
Backup Path: Identifies the path to the folder where backup sets are stored. Each time a full backup is created, a new backup set folder is created within this directory. Subsequent Differential Backups are added to the folder. The folder takes the name SPECTOR360 [date][time]. Change the Backup path and folder from Database Configuration.
The Spctr_Backup Folder Contains Your Backup Sets
Refresh the information shown. Select Refresh on the toolbar or from the right-click menu.
Delete a backup. Select the backup and click Delete on the toolbar. More...
Create a differential backup. Back up only data new since the last backup. More...
Create a full backup. Create a complete backup of the databases. More...
Restore the databases. Select a backup set from the Backup History list and click Restore.
Locate (Browse to) and restore a backup from another location. More...
Alternatively, you can right-click anywhere in the upper right Databases pane and select Create a Full Backup.
Spector 360 is set to perform a full backup one night every week. A full backup creates a new backup folder (backup set) at the Backup Location. A backup set contains a full backup file and each subsequent differential backup (up to the next full backup).
Each folder has the date and time appended to its name: SPECTOR360 yyyymmddhhmmss
The default Backup Location is: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Spctr_Data\
Differential backups are stored in a dated folder with their associated full backup at the Backup Location. Spector 360 is set to run a differential backup every night.
Archiving a Database
A STORAGE database can be archived as soon as it reaches its maximum size and another database has been automatically created. The Archive job moves the STORAGE data to the designated archive location. Archived data is no longer accessible by Dashboard users, but it can be restored at any time without changing the state of the current databases. Use the Database tool to archive old STORAGE Databases, making room for new ones.
Do not attempt to use the Dashboard while an Archive or Restore is taking place.
You can view statistics and history in an ARCHIVE. Normally the data is stored sequentially in order of recording time, so you would be able to investigate or research a particular time period.
An archive affects only STORAGE data. Unlike a full backup, which copies all data from ALL databases to the backup location, an archive moves only STORAGE data to the archive location. Archived data is no longer accessible by Dashboard users. An archive does not include Admin, Customer or Data Vault databases, which remain active following an archive.
To archive a database:
1. Select Database > Manage Database Backup and Restore.
2. In the upper right Databases pane, select the full STORAGE database you wish to archive. The database must have reached its maximum size, and a new database must be started.
3. Click Archive on the toolbar - OR - Right-click the STORAGE database and select Archive.
4. A message appears informing you that the database will be offline (not available) after archiving. Click Yes to continue.
5. Wait as the operation is performed. The database is removed to the specified archive location and is no longer directly accessible. Click Refresh on the toolbar to make sure that the archived database now reads "Yes" in the "Archived" field.
You can restore archives. To restore a STORAGE archive, the archived database must be listed in Databases Management and it must be on the database computer. If you've moved the archive off the computer's hard drive, before attempting to restore, move it back on. The default location for archives is C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Spctr_Archive.
You can archive only a full STORAGE database. When a database reaches its size limit (4096 MB for SQL Server Express and user-defined for full SQL Server), Spector 360 automatically creates a new database (e.g., STORAGE-002). You can archive a database only after it is full and a new one is created.
Archives write to the database computer. Archive to the default location C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Spctr_Archive or to another location on the SQL Server/Database computer. This ensures SQL Server has full permission to the archive. Once the archive is complete, you can move it to a different location.
You can set up automatic archiving. The Database provides Space Management settings for automatic archiving when certain conditions are met.
Restoring a Backup
If the data becomes compromised, or if you need to move the data to a new computer, you will need to restore the latest Spector 360 Database.
Restore when the database is not being used! Restore at a time when the fewest users will be affected. During the restore, Dashboard and Control Center users will not be able to connect to the database, all connections to the database will be dropped, and if a user attempts to access data, the application will close. It's best to restore a Backup folder from a local drive on the database computer. In addition, it is good practice to "test" backups by restoring them to a Test Database. See Troubleshooting.
3. Restore share names. The Backup procedure displays a Share Names box if File Storage share names differ. Select the folder with share names you want to restore. The Share names will allow Dashboard users to access Screen Snapshot and Email Attachments from the File Storage Location. The default is C$ share. Change the Share Name if you wish. Click OK. These Shares will appear under Database > Manage Database Configuration > File Storage Location.
To restore a Backup:
1. Select a Backup folder. Open Database > Manage Database Backup and Restore. If the backup you want to restore is listed in the Backup History pane, select the backup.
2. Select Restore. Click the Restore button on the toolbar and select Restore Databases - OR - Select Restore from a full backup in the Task Navigation pane - OR - Right-click on the backup and select Restore Databases. If the backup you need is NOT listed in Backup History, select Browse for Restore Folder. Navigate to the folder you wish to use. See Browse for Restore Folder.
3. Choose access during restore. Select whether or not you want users to be able to access the database before the restore is completely finished. Click one of the Allow access buttons to continue the backup. See Restore Steps for help in making your choice.
4. Wait as the Backup folder is restored. The full backup and latest differential are restored to the current SQL Server instance. If you have chosen to save Snapshots and Attachments for Backup/Restore (see Database Configuration), the Restore job will copy the Screen Snapshot and Email Attachment files to the specified destination folder, and the share names as you have defined them will be updated in the CUSTOMER database. If Snapshots and Attachment files were not included in the Backup, a message appears telling you that only the database will be restored. The Snapshot and Email Attachment files will not be available. Click Yes to restore the database only.
Database Configuration settings determine if snapshot/attachments are included
5. When the Restore is complete, check the data. Open STORAGE database Statistics to see if the data was successfully restored as you expected.
2. By default the Spector 360 Backup location is displayed in the Browse for Folder box. Navigate to any other folder where a Spector 360 backup is stored. Select the Backup set folder ("SPECTOR360 [date][time]") and click OK. See Restoring a Backup for more information on the Restore job.
Errors appear if the data is not compatible with the database. If serious errors occur, you may have to uninstall the database, reinstall it, and restore a valid backup.
Allow access after Step 1 - This allows users to access the database after Step 1 of the restore operation completes. If Step 1 is NOT complete, a message appears and their Dashboard (or Control Center) closes automatically.
Allow access after Step 2 - This blocks user access through the entire restore operation (Step 1 and Step 2). Users attempting to access the database receive a message and their Dashboard (or Control Center) closes automatically.
Cancel - Cancel out of the request and do not perform the restore. You exit back to Backup and Restore Management.
Step 1 of Restore
During the first step of a restore job, the restore operation overwrites all data in the current database. While this happens, the database is not available. Users receive the message "The database restore operation is running. The Dashboard must be shut down." Their Dashboard application then shuts down. This is why it is important to inform all users when a restore operation will take place, or run the restore when users will not be using the Dashboard.
Step 2 of Restore
During Step 2 of a restore job, the restore operation overwrites all screen snapshot and email attachment files. The database has been fully restored and has all pointers to the files, but the files are now being overwritten with restored data. This step can take a long time, and so you are offered a choice:
If you select Allow access after Step 1 on the dialog box, users now regain access to the newly restored database. Dashboard users can access Quick View, User Explorer, and so on. However, if a user attempts to access a screen snapshot or email attachment, a "File not found" error message appears.
If Dashboard users are having frequent "File not found" errors, and you have selected Allow access after Step 1, a restore in progress could be causing this problem.
If you select Allow access after Step 2 on the dialog box, users are blocked from using the Dashboard until the restore procedure is completely finished. As in step 1 of the process, any attempt to access data causes the Dashboard to shut down.
If you chose not to copy snapshots and attachment files as part of the backup job, Step 2 does not apply.
3. Select the Jobs Management folder in Management.
4. Click the Refresh button on the Dashboard toolbar. Wait several moments for the display to update.
5. Check the Archive/Restore job. If the job status says it is currently executing, the restore is not finished. If the job status shows an updated "Last Run Time" and says that the job is currently idle, the restore operation has completed.
4. On the toolbar, click Archive Restore - OR - right-click the archived database and select Archive Restore. Wait for the database to be restored.
5. Click Refresh on the toolbar. The status for the database will be updated if the restore was successful, and the data will be available to Dashboard users.
The Control Center restores STORAGE archives. Restoring an archive restores only the STORAGE database from the selected archive. If you need to reconstruct the entire Spector 360
The archive must be on the database computer. If the archive folder has been physically moved to a different location, copy it back to the computer where the Spector 360 Spector 360
You can restore from a remote Control Center. The restore function automatically looks at the archive destination location on the Database computer for the archive folder. From that folder, select the archive you want.
Only previously archived data can be restored. If a database has not been archived, you cannot perform the Archive Restore function. If you need to restore from a database backup, select Restore from a Full Backup from the Task Navigation pane. See Restoring a Backup.
Deleting a Backup
We recommend keeping at least two full backups of your Spector 360 Database. To save disk space, delete older backups that you probably won't be using. See Space Management for automatic deletion of older backups. The SA login can delete a backup set directly from Manage Database Backup and Restore.
To delete a backup:
1. Open the Database tool and select Manage Database Backup and Restore.
2. Select the backup you wish to delete.
3. Right-click and select Delete. A message asks you to confirm the deletion. Click Yes to continue.
4. Wait until a message appears telling you that the selected backup and its associated files have been removed. Click OK. The backup is now deleted from the hard drive.
5. Click Refresh on the toolbar (or right-click and select Refresh) to see an updated list of backups.
Database Jobs
Job Name: See "Types of Database Jobs" below.
Last Run Time: Date and time the job was last run - "None" if the job has not yet run.
Next Run Time: Date and time the job is scheduled to run next - "None" if no schedule has been set. Note that Archive/Restore jobs cannot be scheduled through Jobs Management.
Backup - Differential. A differential backup backs up all changes since the last full backup. Use it for frequent and quick data backups; a differential backup takes only a fraction of the time taken by a full backup. When you restore a database, the full backup you select, plus the latest differential (if there is one), is used.
Current Status: "The job is currently idle" or "The job is executing."
Description: A brief description of the job.
Process DV - Common Data. This job processes data common among the event types - users, computers, programs, and domains - that has been received by the DATA VAULT database for insertion into current STORAGE Database. The job runs every 2 minutes by default, depending on whether or not the Data Vault is receiving Recorder data from computers. You can change the schedule to meet your requirements.
Maintenance - Server. This job performs behind-the-scenes, general server maintenance, such as cycling SQL Server logs, flushing cache for all databases, and removing excessive data. By preventing error logs and other files from becoming too large, server maintenance ensures better performance. By default, server maintenance takes place daily at 4:00 AM. You can change the schedule to meet your requirements; for example, a high-volume server may require the job to be run twice a day. Error logs are flat text files stored in ...\Microsoft SQL Server\MSSQL$SPECTOR360\LOG on the Data Vault - Database computer.
Misc - Archive/Restore. This item tracks Archive and Restore jobs. An Archive job moves a specified STORAGE database to an archive location, deleting it from the current database location. A Restore job restores an archive or backup to the active databases. These jobs are not scheduled to run regularly, but you can view their History from Manage Database Jobs.
Job scheduling does NOT apply to Misc - Archive/Restore jobs, although an archive can be run automatically as part of the Maintenance - Space Management job.
Maintenance - Database. This job performs behind-the-scenes maintenance to ensure database performance, such as re-indexing all tables in the current STORAGE databases. By default, database maintenance runs once a week on Sunday night. You can change the schedule to meet your requirements.
Process DV - Lookup Data. This job processes the lookup values Spector 360 uses internally from event data in the DATA VAULT database for use in the STORAGE database tables. By default, this job runs every 2 minutes. You can change the schedule to meet your requirements.
Backup - Full. A full backup makes a baseline copy of all databases (ADMIN, ALERT, CUSTOMER, DATA VAULT, LOOKUP, STORAGE, WFS FILTER and WFS SYSTEM) currently in use. The Backup - Full job has a default weekly schedule and destination folder, which you can change to meet your requirements. Each full backup causes a new folder, containing the full backup file and any subsequent differential backups, to be created in the defined backup location.
Maintenance - Space Management. This job executes any archives or deletion of archives and backups that you have set up in Space Management. If you have not enabled automatic space management, the job has no effect on the data. Select Management Database Configuration and Space Management in the left pane to change the settings. By default, this job runs once a week.
Process DV - Snapshot Data. This job processes Screen Snapshots received from Recorders. By default, this job runs every 5 minutes.
Maintenance - Flush Search Cache. This job flushes the Dashboard Search tool cache. The Search cache keeps Dashboard search results available so that a user can return to them after using other Dashboard tools. Because this cache uses up memory, it is flushed when the Dashboard is closed AND as often as set in this job schedule. By default, the Search cache is scheduled to be flushed once every four hours, every day. You can change the schedule to improve performance on your system.
Process DV - User Activity Data. This job processes User Activity (log on / log off) received from Recorders. By default, this job runs every 5 minutes.
Process DV - Email Data. This job processes Email Activity received from Recorders. By default, this job runs every 5 minutes.
Maintenance - Data Retention. This job executes deletion of transactions that you have set up in Space Management. If you have not enabled automatic space management, no deletions take place. By default the job is scheduled to run once a day.
Process DV - Keystroke Data. This job processes Keystrokes Typed activity received from Recorders. By default, this job runs every 5 minutes.
Process DV - Update DV Statistics. This job updates the Data Vault statistics so that you can view the latest Recorder data received. See Viewing Database Statistics. By default, this job runs every 15 minutes.
Process DV - Chat Data. This job processes Chat/IM activity received from Recorders. By default, this job runs every 5 minutes.
Process DV - Document Data. This job processes Document Tracking activity received from Recorders. By default, this job runs every 5 minutes.
Process DV - URL Data. This job processes Web Site activity received from Recorders. By default, this job runs every 10 minutes.
Process DV - Keyword Data. This job processes Keyword activity received from Recorders. By default, this job runs every 5 minutes.
Process DV - Update User/Computer Statistics. This job processes events for display of Database statistics by user or by computer. See Viewing Database Statistics. By default, this job runs every 20 minutes.
Process DV - P2P Data. This job processes File Transfer (and peer-to-peer) activity received from Recorders. By default, this job runs every 5 minutes.
Process DV - Port Data. This job processes Network activity (at ports) received from Recorders. By default, this job runs every 5 minutes.
Refresh the status of all jobs in the list. Click Refresh on the toolbar or right-click and select Refresh.
Modify a job's schedule.
View a job's history.
Monitor Job Status.
Process DV - Program Data. This job processes Program Activity received from Recorders. By default, this job runs every 5 minutes.
The job executes every day.
The job starts at the set time (hh:mm:ss AM/PM).
Every 1 day(s) - Runs every day
Every 2 day(s) - Runs every other day
Every n day(s) - Runs every n days (select a number)
Daily Frequency
Occurs once: Once a day at the start time.
Occurs every n Minutes or Hours: The job runs periodically throughout the day.
Default Daily Schedules
Process DV - every day, every 2 or 5 Minutes.
Maintenance - Server runs once a day at 4 AM.
Maintenance - Data Retention runs once a day at 10 PM (depends on Space Management settings).
Maintenance - Flush Search Cache runs every day, every 4 hours.
Control your backups - Be aware that backups can take a significant amount of time and disk space. Be sure to adjust the weekly Backup - Full and daily Backup - Differential jobs as needed to avoid overtaxing your resources. Use Space Management to control backup use of disk space.
Schedule Process DV (Data Vault) jobs by importance - If you do not collect and report on ALL events, you can reduce the load on the server by processing the type of events you DO collect more frequently and those you don't less frequently. For example, if you view Web Site reports daily, but Keyword Alert reports only monthly, you can increase Process DV - URL processing and push off Process DV - Keyword Data processing.
The job executes every week.
The job starts at the set time (hh:mm:ss AM/PM).
Every 1 week(s) - Runs once a week
Every 2 week(s) - Runs every other week
Every n week(s) - Runs every n weeks (select a number)
Runs on
Select one day (Mon-Sun) to run once a week or multiple days to run several times a week.
Default Daily Schedules
Process DV runs every day, every 2 or 5 Minutes.
Maintenance - Server runs once a day at 4 AM.
Maintenance - Data Retention runs once a day at 10 PM (depends on Space Management settings).
Maintenance - Flush Search Cache runs every day, every 4 hours.
Schedule Process DV jobs by reporting time - If you have time-critical reporting needs - for example, you need a report on Network Activity by 4 PM each day - you can schedule the Process DV - Network Activity job to run just before report time.
Schedule to improve performance - If you have a high-volume site, you can balance database request volume with Data Vault processing and database maintenance.
The job executes every month.
The job starts at this time (hh:mm:ss AM/PM).
Day: Run the job on a day (1-31) of the month. For example, select 1 to run on the first day of each month. Select 15 to run the job on the fifteenth of each month.
The nth Day of the month: Run the job on the first/second/third/fourth or last day, which is a Sunday-Saturday/Weekday/Weekend Day. For example, run the job on the
- second Sunday of every month
- third Wednesday of every month or
- last Weekend Day of the month.
Select one day (Mon-Sun) to run once a week. Select 2 or more days to run several times a week.
Process DV runs every day, every 2 or 5 Minutes.
Maintenance - Server runs once a day at 4 AM.
Maintenance - Data Retention runs once a day at 10 PM (depends on Space Management settings).
Maintenance - Flush Search Cache runs every day, every 4 hours.
Run Date: Date and time the job was executed
Duration: How long the job took to complete
Status: The job Succeeded or Failed
Status Message: If the job failed, a message indicates what might have happened
Use the play buttons at the bottom of the window to navigate through job records:
Database Configuration
Max Size: Available for MS SQL Server 2005 Standard or Enterprise only. The SA login can change the maximum database size. For example, if you have a large server, you may want to expand the maximum database size from 5 GB to 10 GB. If you have MS SQL Server Express installed, the database maximum size is 4 GB and cannot be changed.
Unlimited: Available for MS SQL Server 2005 Standard or Enterprise only. The SA login can check this option to specify a STORAGE database with no size limit. This means that the database will not clone when it reaches a certain size, but continues to grow as one database. Be aware that a large database affects the performance of database jobs and Dashboard queries. If you have MS SQL Server Express installed, the database maximum size is 4 GB and cannot be changed.
Click Save at the bottom of the Database configuration pane to save your settings. If you leave the folder without saving, you will be prompted to save.
Dynamic: Allows the SQL Server to use as much physical memory as it needs, when it needs it. If it needs 100 MB, that's what it uses; if it needs 500 MB, that's what it uses. Use this setting for best performance when you are not worried about memory and disk space on the computer where the Spector 360 Database resides.
Dynamic Range: Displays a slider that allows you to set a range of memory used by SQL Server in MB. The bottom of the range is always used, and the top is never surpassed. Move the slider to set the top end of the range. In the following example, 250 MB of memory are reserved to process the Dashboard requests, and no more than 382 MB will ever be used.
Fixed: Displays a slider that lets you set the exact amount of physical memory that the SQL Server database will have available to it when the Dashboard is run. In the following example, exactly 382 MB of memory are always reserved to process the Dashboard requests.
Click Save at the bottom of the right pane to save your changes and close the dialog box.
Data Location: Shows the location of the STORAGE databases where recorded data is stored. This folder contains the .mdf and .ldf master and local database files used by SQL Server for the Spector 360 Database. You can change the location for the creation of the next STORAGE database created on the Spector 360 Database computer's hard drive. The default location is: C:\..\Microsoft SQL Server\MSSQL.1\MSSQL\Spctr_Data\
Backup Location: Path to the backup folders and files where full and differential backups are stored in incrementally numbered subfolders. The default path is:
Log Location: Shows the location of the SQL Server database logs. This folder contains error logs and SQL agent logs maintained by Microsoft SQL Server. The logs are flat text files with date stamps, message codes, and Microsoft messages. Click the folder button to the right of the path to open a Browse window and select a new location for the logs. This setting goes into effect when the next STORAGE database is created and does not affect the current logs. The default location is: C:\..\Microsoft SQL Server\MSSQL.1\MSSQL\Spctr_Log\
All locations set must be on the Data Vault / Database computer (hard drive or media). The locations can only be set from a Dashboard installed on the Data Vault / Database computer.
Archive Location: Path to the folder where archive files are stored. The default is: C:\..\Microsoft SQL Server\MSSQL.1\MSSQL\Spctr_Archive\
Copy snapshot and attachment files during backup/restore: Check this option to copy Screen Snapshot and Email Attachment files to the appropriate location when a Backup or Restore Backup operation takes place. Clear this option if you do not want these files included.
Management Settings. These settings allow automatic archives, archive deletion, backup deletion, and deletion of data in the database or File Storage. Space Management settings are executed regularly as a single database job (Maintenance - Space Management). If Space Management is enabled, the job runs by default once a month on the first day of the month. You can change the job schedule.
Space Management set to delete Backup Sets
Copy snapshot and attachment files during archive/restore: Check this option to copy Screen Snapshot and Email Attachment files to the appropriate location when an Archive or Restore Archive operation takes place. Clear the option if it does not matter to you that these files can be restored from archive with the data.
The final options let you set an error tolerance for Backup / Archive / Restore, as well as control the log file for these operations.
Write update activity to Log File: The Backup / Archive / Restore log file is written automatically to the ...\MSSQL\Spctr_Log\ location and always includes errors encountered. Check this option to include all activity in addition to errors so that you can see exactly how many files have been copied and where in the process an error occurred during a restore. Clear this option to omit other activity and collect only the errors.
Maximum errors before stopping file backup/archive/restore: By default this option is set to 0 (Zero). As soon as one error occurs, the Backup, Archive, or Restore operation stops. Type in or use the arrows to select a greater tolerance. For example, if you set this option to 100, the operation will process and encounter 100 errors before stopping. This may not be a problem if the errors are spread over thousands of files.
all days except today. Enter 0 in the days field to remove all days including today.
3. Click Save at the bottom of the Space Management pane to save your settings.
4. Click Delete Data at the bottom of the pane to delete event data from the databases right now. See Deleting Event Data.
If you leave Space Management without saving, a prompt appears.
If you need to access data from an archived STORAGE database, simply Restore the Archive.
If Dashboard users generate regular reports and don't require frequent access to past data, archiving STORAGE databases that have reached their maximum size to another location can save substantial disk space for new, ongoing STORAGE databases.
The number of days you enter specifies the "age" of the archive set. With "60 days" as the setting, an archive set created 60 days ago will be deleted tomorrow.
A STORAGE database cannot be archived until it has reached its maximum size. As soon as a STORAGE database reaches its maximum size, it becomes inactive. A new STORAGE database is created and becomes the active database.
The archive set(s) must be at the location specified in Database Settings in order to be automatically deleted. An archive cannot be restored or recovered once it is deleted. To delete ALL archive sets, you would enter 0.
If you are automatically archiving STORAGE databases (the above option), you may also want to automate control of the archives, discarding those older than a certain time period. Keep in mind that your regular database Backups provide the true "safety net" for your system.
The number of days you enter specifies how long the STORAGE database is inactive before it is automatically archived. With "30 days" as the setting, a STORAGE database that received its last record (and became full) exactly 30 days ago will be archived tomorrow.
To archive a database as soon as it becomes full (and when an Archive job is set to occur), you would select "0 days." The Archive job copies the STORAGE database to an "archive set" at a location you specify. It is then removed from the Spector 360
The number of days specifies the "age" of the data records. With "60 days" as the setting, any recordings stored in a currently active STORAGE database 60 days ago will be deleted tomorrow.
The number of days specifies the "age" of the Screen Snapshot file. With "90 days" as the setting, any Snapshot files stored 90 days ago will be deleted tomorrow.
The Data Retention job performs this task. Use Database Jobs to schedule this job. The deleted data is gone forever, unless it was present for a Full Backup, which can be restored. If the criteria for deleting the data (e.g., older than 30 days) deletes ALL data in the database, the whole database will be dropped. For example, if all data in STORAGE 001 is older than 30 days, STORAGE 001 is dropped.
The Data Retention job performs this task. Use Database Jobs to schedule this job. The deleted data is gone forever, unless Screen Snapshots were included with a Full Backup, and the Restore is set to include Snapshots. See Database Settings.
If the whole database is dropped, Spector 360
This option does not affect archived databases. To delete ALL records, you would enter 0.
If you are not concerned with archiving data, you can simply remove data records from the live database after they reach a certain age.
Screen Snapshots (photographic images of user screens) are graphic files that can take up a great deal of disk space, especially for a large installation or when many Snapshot "Triggers" are used.
Older than n day(s): Check to delete any backup set older than the specified time period. Type or use the arrows to set the number of days. For example, with the above setting, a backup folder created 30 days ago will be deleted from the disk tomorrow.
If you include Screen Snapshots with Archives (see Database Settings), they will be archived with their associated data, and the entire Archive can be moved to another location. Otherwise, Screen Snapshots remain indefinitely in the File Storage folder.
Older than the last n set(s): Check to delete the oldest of the specified number of backup sets. Type or use the arrows to set the number of backup sets. For example, if you specify 10 backup sets, when the 11th full backup occurs, the 1st (oldest) is deleted.
The backup set(s) must be at the location specified in Database Settings in order to be automatically deleted. To delete ALL backups, you would enter 0.
We recommend keeping two full backups of your data, but additional backups may compromise disk space on your system.
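The two backup-deletion rules and the two-full-backups recommendation above can be checked as a dry run before Space Management is enabled. The following is an added example, not part of Spector 360 or of this guide: the set names and dates are constructed, and the day counting is an assumption taken from the guide's wording (a set created exactly n days ago survives until tomorrow, and 0 deletes everything).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MIN_FULL_BACKUPS = 2  # the guide's recommendation: keep two full backups


@dataclass(frozen=True)
class BackupSet:
    name: str      # hypothetical label; real backup folder naming is not modelled
    created: date  # day the full backup set was created


@dataclass
class Plan:
    delete: List[BackupSet]
    keep: List[BackupSet]
    warnings: List[str]


def first_deletion_day(s: BackupSet, older_than_days: int) -> date:
    """First day on which the 'Older than n day(s)' rule removes this set."""
    # Assumption from the guide: created n days ago -> deleted tomorrow.
    return s.created + timedelta(days=older_than_days + 1)


def plan_deletions(sets: List[BackupSet], today: date,
                   older_than_days: Optional[int] = None,
                   keep_last_sets: Optional[int] = None) -> Plan:
    """Dry run of both rules; None means the option is left unchecked."""
    ordered = sorted(sets, key=lambda s: s.created)  # oldest first
    doomed = set()

    if older_than_days is not None:
        for s in ordered:
            # 0 is documented as "delete ALL backups"; otherwise strictly older.
            if older_than_days == 0 or today >= first_deletion_day(s, older_than_days):
                doomed.add(s)

    if keep_last_sets is not None:
        # "specify 10 ... when the 11th full backup occurs, the 1st is deleted"
        surplus = max(len(ordered) - keep_last_sets, 0)
        doomed.update(ordered[:surplus])

    delete = [s for s in ordered if s in doomed]
    keep = [s for s in ordered if s not in doomed]
    warnings = []
    if len(keep) < MIN_FULL_BACKUPS:
        warnings.append(
            f"only {len(keep)} full backup set(s) would remain; "
            f"the guide recommends at least {MIN_FULL_BACKUPS}")
    return Plan(delete, keep, warnings)


# Constructed sample: weekly full backups, evaluated on 2011-10-27.
SAMPLE_SETS = [
    BackupSet("full-2011-09-20", date(2011, 9, 20)),   # 37 days old
    BackupSet("full-2011-09-27", date(2011, 9, 27)),   # exactly 30 days old
    BackupSet("full-2011-10-04", date(2011, 10, 4)),
    BackupSet("full-2011-10-11", date(2011, 10, 11)),
    BackupSet("full-2011-10-18", date(2011, 10, 18)),
    BackupSet("full-2011-10-25", date(2011, 10, 25)),  # 2 days old
]

if __name__ == "__main__":
    today = date(2011, 10, 27)
    for label, kwargs in [("older than 30 days", {"older_than_days": 30}),
                          ("older than 7 days", {"older_than_days": 7}),
                          ("keep last 2 sets", {"keep_last_sets": 2})]:
        plan = plan_deletions(SAMPLE_SETS, today, **kwargs)
        print(label)
        print("  delete:", [s.name for s in plan.delete])
        print("  keep:  ", [s.name for s in plan.keep])
        for w in plan.warnings:
            print("  WARNING:", w)
```

With weekly full backups, an "older than 7 days" setting leaves a single backup set on disk, which is the case the warning is meant to catch.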
Older than 'n' Days - Enter the number of days (maximum 1000) of transactions to remove. For example, "Older than 30 Days" removes event data up to 31 days ago.
Older than 'n' Weeks - Enter the number of weeks (maximum 1000) of transactions to remove. For example, "Older than 1 Week" removes event data up to 8 days ago.
Older than 'n' Months - Enter the number of months (maximum 1000) to remove. For example, if today is January 5, 2010, and you select "Older than 12 Months," you will remove data up through December 31, 2008.
User(s): Click the down-arrow and Delete All Users to remove event data for ALL users or Delete Specific Users to open the Users Selection box. Select Available users and click > to move them to the Selected list. Click OK to set your selection. Return to and change your selections by clicking the button next to the Users drop-down list.
Users and Computers will remain in the Users / Computers Management, but without available data will no longer appear in charts, reports, and forms.
Computer(s): Click the down-arrow and select Delete All Computers to remove event data for ALL computers or Delete Specific Computers to open the Computers Selection box (similar to the Users Selection box). Select Available computers and click > to move them to the Selected list. Click OK to set your selection. Return to and change your selections by clicking the button next to the computers drop-down list.
Date: Click the down-arrow and select from the following. All Dates - Removes event data for the selected users and/or computers in the database from ALL dates, including today. If you wanted to clear all data for user or computer from the database, you would select "All Dates."
Database Logins
automatically added to the Database with the permissions specified. As part of the login account, each user also receives a Dashboard profile that may provide custom criteria, custom charts and reports, and predefined groups of users, computers, and domains.
Display Name - The descriptive name of the user as displayed in Spector 360. The Display Name can be any name. You can change the Display Name by editing the login account.
Login Name - The name the user uses to log in to the Dashboard and Database. If the login was created to use Windows authentication, this will be the user's Windows login name. If the login was created to use SQL Server authentication, this can be any login name.
Authentication - Indicates whether the login account uses Windows authentication or has an SQL Server user name and password.
Login Type - Indicates whether the login account has Master, Standard, or System privileges.
Users may be accessing the Database from either the Control Center or the Dashboard. All users are required to log in in order to:
Use any part of the Dashboard (Standard or Master Login)
Manage Recording Profiles (Master Login)
Manage Web Filtering (Master Login)
Manage Event Alerts (Master Login)
Manage the Database itself, including Database Login accounts (Master Login)
Control Center users who manage Servers, Computers and Recorders can open the Control Center without logging in.
Sort the list. Click on any column heading to re-sort the list of logins.
Update the display with the latest data. Click Refresh. The Control Center requests the latest data from the Database.
Add a new Dashboard login account. Click New on the toolbar or right-click in the right pane and select New.
Change a Dashboard login account. Change the Display Name, SQL password, and access to users, events and/or Dashboard tools. Right-click on the login and select Edit.
Delete a Dashboard login account. Select the account and click Delete on the toolbar (or right-click and select Delete). You will be prompted for confirmation.
No Login Account - A user without Database credentials can use the Control Center application to install, update, and uninstall Recorders. He or she will have access ONLY to the Computers (excluding Profiles management) and Servers tools. This user can NOT open the Dashboard.
Copy a login to create a NEW login account. Select a login and click Copy on the toolbar - OR Right-click on the login and select Copy. More...
Copy a Dashboard profile to another, existing account. Select a login and click Copy on the toolbar - OR Right-click on the login and select Copy. Use the Dashboard to set up... User Groups - User Groups facilitate assigning user
privileges to login accounts. For example, one login might access only a "Marketing Group." Another login might access all users except those in an "Executive Group."
Standard Login - A Standard login has the above Control Center privileges to access Computers and Servers and can also log in to and use the Dashboard (Quick View, Search, Data Explorer, User Explorer, and Reports) to view user activity. Most Spector 360 users will have Standard accounts. The Standard login, unlike a user without a login account, may be given permission to view (without changing) additional areas of the Control Center or Dashboard, such as Web Filtering rules. See the table below.
NOTE: The SA Password is always required to make modifications to Server that interact with the Database.
Master Login - A Master login account, similar to a "super user" login, should be reserved for the person(s) responsible for organizing network resources and managing the Spector 360 data. The Master login can use all tools in both the Control Center and the Dashboard, and can manage the Database, Database Logins, Groups, Scheduled Reports, and centralized Web Filtering and Event Alerts. See the table below.
Master SA - The System Administrator account, similar to a "root" login, is the SQL Server account defined on installation of the Spector 360 SQL Server database. There is only one SA. This login has access to all Spector 360 functions and all recorded data. It is required to start the Dashboard or the Control Center for the first time before other logins are created. The password is required to install, uninstall, and update Spector 360. Keep your SA password secure! We recommend that you do NOT use the SA account for normal Control Center or Dashboard operation.
Control Center Run Computer Diagnostics Manage Computer Licenses Create/Modify Computer Profiles Manage Recorder Versions Servers View Servers Modify Server Properties Add Servers
Master X* X X X
Standard X* X
No Login X* X
System - The Spector 360 Server Components access the Database through special "service" accounts. These accounts are not managed as users.
Do not lose the SQL System Administrator credentials. You will need the password to manage Servers and to upgrade the Spector 360 installation. If you lose or forget the SA login, follow procedures in Recovering the SA Password.
X X** X** X
X X** X** X
X X** X** X
Start/Stop Servers Database View Databases, Backups, Jobs View Database Statistics View Database History Backup or Archive Restore a Backup Restore an Archive Monitor Job Status
X X X X X X X X X X X X
X X
Set Database Configuration Space Management options File Storage location or shares View Database logins Create/Modify a Login
X (own)
Control Center Web Filtering View Web Filtering Summary, Rules, Times, Groups, Categories Create/Modify Filtering Rules Create/Modify Time Profiles Create/Modify Category Groups Create/Modify Custom Categories Event Alerts View Alert Profiles, Times, Operators, Keyword Groups Create Alert Profiles, Times, Operators, Keyword Groups Modify Alert Profiles, Times, Operators, Keyword Groups Import/Export Keyword Groups
Master
Standard
No Login
Master
Standard
X X X X X
X* X* X*
X X X X
View permissions of login (* your own) Create/Edit Standard Logins Create/Edit Master Logins Computers View all computers Add or import computers
X X X X
X X X X
Edit the computer description Delete computer transactions Users View users (* as permitted)
X* X X X
X*
Add or import users Edit a user name Delete user transactions Programs View all programs Edit program description Domains View all domains Edit a domain description Groups View all groups (* as permitted) Add or edit groups
* Running Computer Diagnostics requires Domain Administrator or equivalent credentials on computers.
** Requires entry of SA password.
X X
X X
X* X*
X*
Dashboard Management Folders Delete groups Schedule Reports View scheduled reports Schedule reports (* permitted data) Delete scheduled report tasks Online Search Rules View search rule domains and tags Edit search rules Create new search rules Website Filtering (same as Control Center) Alert Profiles (same as Control Center)
Master X*
Standard
X X* X
X X X
Do NOT use the following reserved characters in an SQL Server login name or password: / | ' " [ ] { } ( ) , ; ? * ! @ $ \ or <space>. These characters are blocked by the Dashboard. You will receive an error message when you attempt to save the account.
Only the Login Name (and Password, if SQL authentication is used) and Display Name are required to create an account.
Login Name (SQL SERVER) - For SQL Server Authentication, the Login Name can be any name, following the rules in the above box. The name does NOT have to be defined elsewhere. You cannot edit this field once an account is saved. If you need to change the login name, delete the login account and start over with a new one.
To define the login authentication and type: The Authentication type sets whether the user logs into the database automatically using Windows Authentication, or by entering an SQL Server Login Name and Password (see Types of Authentication). The Display Name is used for Dashboard / Control Center display.
Password (SQL SERVER ONLY)- Enter a password to use for SQL Server authentication, following the rules in the above box. If you need to change an SQL Server password, click Change Password on the toolbar at the top of this window.
Use Windows Authentication - Select this option to use Windows credentials for authentication. If the user has logged on to Windows using the specified account, the Dashboard (or Control Center with Database access) opens automatically. You must enter a valid domain\username in the Login Name field, but no password is required.
Confirm Password (SQL SERVER ONLY) - Repeat the SQL Server password in this field.
Display Name - REQUIRED. A name used to identify the login account in the Dashboard. Enter the name as you wish it to be displayed within the Dashboard. You can change this name at any time without affecting login credentials.
Use SQL Server Authentication - Select this option to define an account for the SQL Server instance. The user will be required to enter both the Login Name and Password you define here to open the Dashboard (and/or Control Center with Database access). The current Windows login will make no difference.
The Login Type differentiates an administrative Master from a Standard user (see Login Roles and Types).
Master - A Master login account may have access to both Dashboard viewing and Management functions.
Standard - A Standard login account may have access to Dashboard viewing and reporting functions, but may only view Management resources in the Dashboard.
Login Name (WINDOWS) - For Windows Authentication, the Login Name MUST be a valid domain\username or local Windows account name. Click the button next to this field to browse a list of network users known to Spector 360. Select the name you want and click OK. You cannot edit this field once an account is saved. If you need to change the login name, delete the login account and start over with a new one.
The Access Type restricts Dashboard viewing for this user to certain users or user groups. By default, a login has access to ALL USERS. Each login can be limited to specific users by selecting an Access Type other than "All Users" and then selecting users or user groups under the Select Users tab. Use the drop-down list to select one of the following:
All Users - View activities of all users.
Include Specific User(s) - View activities only of selected users.
Include Specific User Group(s) - View activities only of users in selected groups.
Exclude Specific User(s) - View activities of all but selected users.
Exclude Specific User Group(s) - View activities of all but selected groups.
Display user's Name in event data - Check to allow this login to view permitted user data with user names. Clear this item to "mask out" (replace with ****) the user names in Dashboard views of user data.
list shows which users or groups are currently accessible to the Database login. Select a user or group from the Available list. Use the Shift and Control keys to select multiple groups.
Click the > button to send highlighted users or groups to the right "Selected" list. Click the >> button to send ALL users or groups in the "Available" list to the "Selected" list. Click < to return selected users or groups in the "Selected" list back to the "Available" list. Click << to return all users or groups back to the "Available" list.
Examples
You may want to restrict managers to viewing Dashboard activity only for their direct reports by selecting Include Specific User(s).
You may want to allow someone access to All Users in order to set up Alert Events, even though this person will NOT have permission to view data in Dashboard Events.
You may want a supervisor to look out for inappropriate behavior in a group, but not necessarily identify the problem individual by name. You would clear the Display user's name item.
Users are added to the Database as they are recorded by Spector 360. A Master login can add users to the Database BEFORE they are recorded by using the Dashboard's Management > Users. User Groups must be created using the Dashboard's Management > User Groups.
Someone responsible for tracking compliance issues may benefit from focusing on File Transfers and Document Tracking, but has no need to see other forms of monitoring.
It may be useful to assign monitors of specific recording activity type (Mr. Z oversees monitoring of Web Sites & Online Searches).
The person in charge of Alert Events may want to see Alert Activity, but have no need to drill down to the details in other activity.
Dashboard Tools - Check these items to allow access to the view of user activity; clear to omit the tool completely from the navigation pane and Tools menu. For example, if you clear ALL options and then select ONLY Search, only the Search button will be available in the Dashboard. The user will not see Quick View, Data Explorer, User Explorer, or Reports.
All Management Tools- Check to allow access to Dashboard Management functions (and Event Alerts and Web Filtering in the Control Center). Clear to restrict access. Check the individual folders you want the user to be able to access. A Standard login with access to Management folders will be able to VIEW but not CHANGE items in Management folders. A Master login with access to Management folders can fully use all folders that are checked.
Someone responsible for monitoring a set of users may have no need to access the Management tool at all. You would clear All Management Tools.
Alert Events- Check to allow access to all aspects of setting up Alert Profiles. Clear to restrict access. You can allow access to individual folders. For example, you might allow a login to set up Keyword Groups, but restrict his or her ability to define Alert Profiles and Operators.
Someone responsible for setting up Alert Events and Web Filtering policies may have no need to view actual user activity. You would clear Quick View, Search, Data Explorer, User Explorer, and Report.
Time Profiles - Time Profiles under Alert Events and Web Filtering refer to the same functionality. If one is checked, both are checked (the login may set up Time Profiles); if one is unchecked,
both are unchecked (the login will have no access to Time Profiles either in Alert Events or Web Filtering).
Website Filtering- Check to allow access to all aspects of Web Filtering. Clear to restrict access. You can allow access to individual folders. For example, you might allow a login to create and add domains to Custom Categories, but restrict their ability to define Filtering Rules and Time Profiles.
Database logins - Check to allow a Master login access to create and modify Dashboard login accounts. Clear to restrict the user from accessing logins.
2. A message informs you that loading the user list for the first time may take several minutes. Click Yes to continue and wait for the list of Windows Users to appear. Users are listed alphabetically by Display Name.
3. Select a user and click OK.
Jobs- Check to allow access to Database Jobs in the Control Center under the Database tool. A Standard login will be able to view job status; a Master login will be able to schedule, and view history and statistics of jobs. Clear to restrict the user from accessing these functions.
Backup and Restore- Check to allow access to Backup and Restore in the Control Center under the Database tool. A Standard login will be able to view Databases and Backups; a Master login will be able to view Database Statistics, Backup History, and perform backups, archives, and restores. Clear to restrict the user from accessing these functions.
Database Configuration - Check to allow access to Database Configuration in the Control Center under the Database tool. A Standard login will be able to view settings for Data / Backup / Archive jobs, automatic Space Management and File Storage share names. A Master login will be able to change settings. Clear to restrict the user from accessing these functions.
On the Windows Users box, click any column heading to sort the list alphabetically by that column.
Display Name: Descriptive name provided for Windows login
User Name: The Login name
Domain: The network domain the user logs into
Use the play buttons to navigate through the user records in the list.
When you are finished, click Save and Close on the New or Edit Database login toolbar to save your selections and close the window. You can edit a Database login's access privileges at any time. Changes go into effect when the Dashboard user logs in again.
SQL Server authentication - Requires entering a user name and password to start the Control Center. SQL Server authentication allows the user to log in to the Control Center at any computer that can access the appropriate database. This type of authentication is preferable for a Master administrator, providing easier access at more locations.
Windows authentication - Does not require login when the Control Center starts. If the Windows user currently logged into the computer is a valid Control Center Administrator, the user simply presses OK on the login prompt and Control Center opens. The Control Center passes the current Windows account credentials to the database server and will attempt to log in automatically the next time it is opened. It is possible to log in as a different user after the Control Center automatically logs in under Windows authentication.
"Default" criteria and content for each chart, report, and data form
Any custom charts, reports or data forms that have been created
Any custom folders that have been created
Global criteria "default" settings
Any created User Groups, Computer Groups, Program Groups, or Domain Groups
Create a template:
Use the Dashboard to set up a profile as you want it, and create your login "template." Once a template is created, use either the Dashboard or the Control Center to copy the profile from the "template" account to new or existing user accounts. From the Control Center, select Database and Manage Database Logins. Give users the same profile (Dashboard groups, default settings, and report formats) to facilitate training, troubleshooting, and standardized reports.
Do not use the following characters in your SQL Authentication password: / | ' " [ ] { } ( ) , ; ? * ! @ $ \ or <space>.
6. A message informs you that the password was changed successfully. Click OK.
7. If you have changed your own password, close Control Center and open it again to log in with your new password.
To delete a Login:
1. Select the Database tool and Manage Database logins.
2. In the right pane, select the login account and click Delete on the toolbar - OR Right-click and select Delete from the pop-up menu.
3. A message asks to confirm the deletion. Press Yes to remove the login.
Database Support
Manage Database Support allows you to work directly with SpectorSoft Technical Support to solve database issues. For example, if data isn't showing up in the Database, you would "Start Database Support," a log file would be generated, and connection to SpectorSoft would be established. Steps below tell you how it works.
A debug log file is generated locally.
SpectorSoft is notified that a Database Support log is ready for upload.
A SpectorSoft engineer acknowledges and uploads the file via secure FTP.
The SpectorSoft engineer selects the appropriate script.
The local Spector Agent checks SpectorSoft FTP site for scripts.
Scripts are downloaded and executed automatically for your Spector 360 SQL Server installation.
Scripts that have been downloaded and successfully executed are listed in the right pane of the Manage Database Support view. Double-click or select View Support Script to view the script.
Automatically Upload the Debug Log to SpectorSoft FTP - Check to upload the log file created when you click Start Database Support to the SpectorSoft support FTP site. Clear to create the log file without uploading it. When this option is disabled AND SpectorSoft has approved the upload of the debug log, Upload Support Log becomes active. Use this command to send the log file when you are ready.
Automatically Execute the Scripts - Check to run the database scripts received from SpectorSoft automatically. Clear to receive the scripts from SpectorSoft without having them execute automatically. When this option is disabled and a script is downloaded, View Support Script becomes active. Click the button or link to view the script, and click Approve on the Script Viewer window to run the script.
Click OK to save your changes or Cancel to discard them.
What kind of web sites should NEVER be accessed?
Should any web sites ALWAYS be allowed?
Should access differ at different times of day?
Should rules and exceptions be created for specific users?
Do I want to tie Web Events to Web Filtering Categories?
Centralized Web Filtering does not apply to Macintosh computers.
4. Specify When to allow or block. Each rule requires a Time Profile. Three Time Profiles are provided: All Times, Non-Office Hours, and Office Hours. Use the New button to create a new Time Profile as you define your rule, or modify the provided times. See Defining a Time Profile.
5. Specify Who the rule affects. Select to which Users the rule will apply. "All Users and User Groups" is a provided selection. As long as the user is logged into the network, the rule applies. "Users" appear in the Database as recording occurs. "User Groups" are Spector 360 groupings of users (by department, risk category, etc.) If you wish, define a New User from this panel, using user names as known to the network. You cannot define a New Group until more than one user is available. Use the Dashboard Management tool to manage Spector 360 User and User Group lists.
6. Specify What to allow or block. Select the domain Categories or Category Groups that will be allowed or blocked. Ready-made Web System Categories are available that cover commonly known domains. For example, the provided Shopping category includes Amazon, eBay, and other well-known shopping sites. As soon as additional problem sites filter through in the recorded data or within the Dashboard's detected Domains list, you can create new, "custom" categories. If you wish, add a New Category or New Group while defining this rule.
7. Give the rule a name and description. The name and description appear in the Web Filtering Rules list. Decide whether you want to Disable this rule for now or Enable it immediately. A rule must be enabled to take effect.
8. Review and finish the rule. The final wizard panel summarizes settings for the rule. You can click < Back to make corrections or click Finish to save the rule. To see the rule listed in the Web Filtering Summary or Manage Filtering Rules, click Refresh after a brief period of time. Note that filtering takes 5-10 minutes to go into effect, and may not affect web sites currently being viewed.
9. Set the rule's priority. If you have more than one rule defined, the rules are applied in their order of appearance in the Web Filtering Rules list. The first rule is applied first and has top priority. If you need exceptions to general rules, place them above the general rule. Use the Move Down/Move Up buttons on the Manage Filtering Rules toolbar to order the rules. Example:
Rule 1: ALLOW user X access to ALL WEB SITES at ALL TIMES.
Rule 2: ALLOW all users access to SHOPPING and BANKING at noon only.
Rule 3: BLOCK all users from SHOPPING, BANKING, and category group BLACKLIST sites at ALL TIMES.
In this example, user X is not blocked at all, even when other users are. Everyone can use shopping and banking sites at noon, but only user X can use them at other times.
Example:
Rule 1: BLOCK all users from ADULT, GAMBLING, and GAMES sites at ALL TIMES.
Rule 2: ALLOW user group Q access to CHAT at ALL TIMES.
Rule 3: BLOCK all user groups access to CHAT at ALL TIMES.
In this example, users in group Q, like everyone else, cannot access forbidden sites. However, they are the ONLY ones who can use Chat/IM sites.
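The two priority examples above, run through a minimal first-match evaluator with an ordering check for exceptions that were placed below the general rule they are meant to override. This is an added illustration, not Spector 360 code: the Rule model, the 12:00-13:00 window standing in for "noon", the allow result when no rule matches, and the shadowed() check are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import time

ALL = "*"                                  # wildcard: all users / all web sites
ALL_TIMES = ((time.min, time.max),)        # stands in for the "All Times" profile
NOON = ((time(12, 0), time(13, 0)),)       # constructed window for "at noon only"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "ALLOW" or "BLOCK"
    who: frozenset             # user and group names, or {ALL}
    what: frozenset            # category / category group names, or {ALL}
    when: tuple = ALL_TIMES    # inclusive (start, end) windows
    enabled: bool = True


def rule(name, action, who, what, when=ALL_TIMES, enabled=True):
    return Rule(name, action, frozenset(who), frozenset(what), when, enabled)


def matches(r, user, groups, category, at):
    """True if an enabled rule applies to this user, category and time of day."""
    if not r.enabled:
        return False
    who_ok = ALL in r.who or user in r.who or bool(r.who & set(groups))
    what_ok = ALL in r.what or category in r.what
    when_ok = any(start <= at <= end for start, end in r.when)
    return who_ok and what_ok and when_ok


def evaluate(rules, user, groups, category, at):
    """Walk the list top-down; the first matching rule decides."""
    for r in rules:
        if matches(r, user, groups, category, at):
            return r.action, r.name
    return "ALLOW", None       # assumption: no matching rule means no filtering


def _covers(outer, inner):
    return ALL in outer or (ALL not in inner and inner <= outer)


def _time_covers(outer, inner):
    return all(any(o_s <= i_s and i_e <= o_e for o_s, o_e in outer)
               for i_s, i_e in inner)


def shadowed(rules):
    """List (rule, earlier_rule) pairs where an earlier enabled rule with the
    opposite action covers the later rule's who, what and when, so the later
    rule can never decide. Names are compared literally; group membership is
    not expanded."""
    findings = []
    active = [r for r in rules if r.enabled]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if (earlier.action != later.action
                    and _covers(earlier.who, later.who)
                    and _covers(earlier.what, later.what)
                    and _time_covers(earlier.when, later.when)):
                findings.append((later.name, earlier.name))
                break
    return findings


# The page's two examples, plus the first one with its order reversed.
EXAMPLE_1 = [
    rule("Rule 1", "ALLOW", {"X"}, {ALL}),
    rule("Rule 2", "ALLOW", {ALL}, {"SHOPPING", "BANKING"}, NOON),
    rule("Rule 3", "BLOCK", {ALL}, {"SHOPPING", "BANKING", "BLACKLIST"}),
]
EXAMPLE_2 = [
    rule("Rule 1", "BLOCK", {ALL}, {"ADULT", "GAMBLING", "GAMES"}),
    rule("Rule 2", "ALLOW", {"Q"}, {"CHAT"}),
    rule("Rule 3", "BLOCK", {ALL}, {"CHAT"}),
]
MISORDERED = list(reversed(EXAMPLE_1))

if __name__ == "__main__":
    print(evaluate(EXAMPLE_1, "Y", [], "SHOPPING", time(12, 30)))
    print(evaluate(MISORDERED, "Y", [], "SHOPPING", time(12, 30)))
    print(shadowed(MISORDERED))
```

With the order reversed, the noon exception sits below the general block, so shopping is blocked at noon and shadowed() reports Rule 2 as unreachable behind Rule 3.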
Filtering Rules: Filtering Rules are complete definitions of who, what, and when to allow or block. The Summary box tells you how many rules are currently enabled (are in effect right now) or disabled, and how many rules have been defined total. Each Filtering Rule uses a Time Profile, Categories/Category Groups, and applies to some or all users. Click View List to view or set up Filtering Rules.
Time Profiles: A Time Profile is a schedule for applying the rule. Two Time Profiles (Office Hours and Non-Office Hours) are provided, and you have the option to choose "All Times" when defining a rule. The Summary box tells you how many Time Profiles in addition to "All Times" are available. Click View List to view or set up Time Profiles.
Use the Web Filtering tool in the Dashboard or Control Center to define a network-wide Web Filtering policy. The Web Filtering Summary provides a synopsis of the policy you have in place. Initially there are no rules in place. See Getting Started with Web Filtering for a complete explanation.
Master login users are able to update Web Filtering rules while viewing web site data (in the Dashboard). The Database provides one set of Web Filtering rules that any Master Login with appropriate permission can adjust.
Category Groups: A Category Group allows you to combine Categories for a rule. You need to set up your groups before using them in a rule. The Summary box tells you how many groups exist. Click View List to view or set up Category Groups.
Categories: A Category is a list of domains of a certain type, such as Sports, Adult Sites, or Gambling domains. Spector 360 provides a complete set of ready-made Web Filtering System Categories, available for use in Filtering Rules and in Category Groups. See System Categories. You can augment the provided categories with your own Custom Categories. For example, you might set up a "More Gambling" category that contains gaming sites detected by the Spector 360 Recorder, but not included in the provided system categories. Select Categories under Management Folders to view the provided System Categories and to define your own Categories.
and select and change the color of the text and the message background. Click OK at the bottom of the box to save the message.
Filtering Rules
Priority: Rules are applied in order of priority. The first rule has top priority and is applied first, the second rule is applied next, and so on. Keep the "exceptions" higher in the list than the general rule they apply to. Move a rule up or down in priority by selecting it and clicking the Move Down or Move Up button on the toolbar. In the illustration above, rule one prevents specified
television and media sites from being used during hours when bandwidth is needed most. Rule two allows other entertainment (not specified by rule one), shopping, and banking to be available at noon. The last rule blocks adult sites at all times.
Rule Type: A rule can either Allow or Block categories of web sites. Enabled: No means the rule is currently disabled. Yes means it is working right now. Any rule that is enabled is actively blocking or allowing access to web sites. To enable a rule, click Enable on the toolbar. To disable a rule, click Disable (which becomes active when the selected rule is enabled).
A rule change takes 5-10 Minutes to take effect. When you create a new rule or change an existing rule, it will not take effect until the Client checks in with the Web Filter Server and updates its currently cached rules with the new rules. If you add a domain to be blocked, the domain may be available for several minutes before it becomes blocked. If the user has the web site open, the blocking won't occur until the user refreshes (F5) or attempts to navigate to a new page in the domain.
New: Open the New Filtering Rule wizard. Use the wizard or "Advanced Setup" to create a Website Filtering rule, following onscreen instructions.
Modify: Double-click a rule, or right-click and select Modify to edit the rule's General, Who, When, and What settings.
Delete: Delete the selected rule from the list (and from the database).
Move Down / Move Up: Move the selected rule down or up the list, changing its priority (see below).
Allow / Block: Change the rule from "Block" to "Allow," or from "Allow" to "Block." For example, you can select a rule that ALLOWS all users to shop during noon and click Block to instantly prevent all users from shopping during noon (also on the New/Edit General panel).
Disable / Enable: Disable the selected active rule or enable a selected rule that is not currently active (also on the New/Edit General panel). A disabled rule remains in the Filtering Rules list, but doesn't do anything. Disabling ALL rules leaves the network without any Website Filtering.
Refresh: Update list of rules. Click the Refresh button on the toolbar.
Find: Open the Find Rules pane and discover which rules, if any, block a particular domain.
Test: Open the Test Rules pane and test whether domains will be blocked at certain times of day for certain users.
When you first create a rule, you may want to disable it until you have it placed in the correct priority in the Filtering Rules list.
Rule 1: ALLOW user X access to ALL WEB SITES at ALL TIMES.
Rule 2: ALLOW all users access to SHOPPING and BANKING at noon only.
Rule 3: BLOCK all users from SHOPPING, BANKING, and category group BLACKLIST sites at ALL TIMES.
In this example, user X is not blocked at all, even when other users are. Everyone can use shopping and banking sites at noon, but only user X can use them at other times.
Example:
Rule 1: BLOCK all users from ADULT, GAMBLING, and GAMES sites at ALL TIMES.
Rule 2: ALLOW user group Q access to CHAT at ALL TIMES.
Rule 3: BLOCK all user groups access to CHAT at ALL TIMES.
In this example, users in group Q, like everyone else, cannot access forbidden sites. However, they are the ONLY ones who can use Chat/IM sites.
Step 1: Welcome. Choose to use this wizard or Advanced Setup and click Next.
Step 2: Select Type of Rule. Specify whether this rule will Allow access to web sites or Block access to web sites and content. Click Next to continue.
Step 3: Select When to Allow/Block. Choose a Time Profile from the "Existing Time Profile" drop-down list, or click the New button to add a new Time Profile now. If you add a new Time Profile, it is automatically selected for this panel. Click Next to continue.
Step 4: Select Who to Allow/Block. Select the users to be included in the rule. All Users and User Groups includes everyone. Specific Users and User Groups activates the User Groups and Users list. Check the users or groups you wish to include in the rule and click Next to continue. Select All - Checks all users/groups. Clear All - Clears all check marks.
Step 5: Select What to Allow/Block. Choose categories of web sites to include in the rule. All Web
Sites blocks (or allows) all domains. Choose Specific Categories and Category Groups activates the list. Check the Category Groups, System Categories, and Custom Categories to include in this rule. Click Next to continue. New Category - Creates a new Custom Category and includes it in the rule. New Group - Creates a new Category Group and includes it in the rule. Select All - Checks all items in the list. Clear All - Clears all check marks.
Step 6: Enter a Rule Name and Description. The Rule Name appears in the list of Filtering Rules and is required. The description is optional. Check "Disable this rule when it is saved" to start the rule disabled. You can Enable it when you are ready at any time using the toolbar button at the top of Filtering Rules Management.
Step 7: Review Your New Rule. The final panel of the wizard summarizes the rule name, type, time profile, users and categories. If the rule is correct, click Finish to close the wizard and add the rule to Filtering Rules Management. If the rule is not correct, use the Back button to go back through the steps and make corrections. Cancel ends the wizard without saving the rule.
To save a rule:
Use the Toolbar at the top of the New/Edit Website Filtering Rule box to save your rule. You will be prompted for missing information if the rule is not complete.
From the Selection Type list, select: All Users and User Groups - Applies the rule to all users. Specific Users and User Groups - Allows you to select users to whom the rule applies. If you are selecting specific users or groups, click on names under Available Users and User Groups. Use the Ctrl+V and SHIFT keys as needed to multiple-select. Click the > button to send the selected users to the right column. Click >> to send ALL Available Users to the Selected Users and Choose whether to start with this rule: Enabled - As soon as you save it, the rule goes into effect. Disabled - The rule will be added to the Filtering Rules list, but not activated until you click the Enable button on the Filtering Rules toolbar. Choose whether this rule will: Allow - Specify web sites that users may view, or Block - Specify web sites that users may NOT view
For example, you might create one rule to ALLOW access to your company and all work-related domains. Other rules would BLOCK undesirable domains.
User Groups list. Click < or << to send one or more Selected Users and User Groups back to the "Available" column. When the Selected Users and User Groups contain all users you want to include in the rule, continue on to When. 3. Click the When tab. This is where you set the time the rule will be in effect.
2.
Click the Who tab. Here, you specify to whom the rule applies. From the Time Profile list, select: All Times - The rule is always in effect, or Select another Time Profile that has been defined in Time Profiles Management. You cannot edit the Time Profile from this panel; the filtering schedule is shown for your information only. Go to the Time Profiles folder to create or change a Time Profile. Click the What tab. Here, you specify Categories or Category Groups to allow or block.
266
A rule change takes 5-10 Minutes to take effect. When you create a new rule or change an existing rule (and it is enabled), it will not take effect until the Client checks in with the Web Filter Server and updates its currently cached rules with the new rules. If you add a domain to be blocked, the domain may be available for several minutes before it becomes blocked. If the user has the web site open, the blocking won't occur until the user refreshes (F5) or attempts to navigate to a new page in the domain.
Use the Selection Type drop-down list to select:
All Web Sites - To block (or allow) all access.
Specific Categories and Category Groups - To select categories to block or allow.
If you're not blocking all web sites, select a Category or Category Group in the Available column. If you wish, use the CTRL and SHIFT keys to multiple-select.
Category groups (all custom) are set up in Category Groups Management. You define custom categories in Categories Management. System categories are automatically provided with the Spector 360 Database.
Click the > button to send the selected categories to the Selected Categories and Category Groups column. Click >> to send ALL Available Categories to the Selected list. Click < or << to send Selected Categories back to the available column. List all categories you want to include in the rule in the "Selected" column.
4. When you have selected Who, When, and What (or made a change anywhere to an existing rule), click Save and Close to save the rule and add it to the Filtering Rules list.
To find a rule:
1. Select Web Site Filtering and Manage Filtering Rules to display the full list of rules.
2. Click the Find button on the toolbar. A Find Rule(s) pane opens at the top of the Web Filtering Rules list.
3. Enter a Domain and/or change any field (see below) to specify what you wish to find.
4. Click the Find button at the bottom of the form. If a match is found, a star appears next to the rule.

Find all rules where a particular domain was specified.
Domain: Enter the domain you would like to find. Leave the default "All" setting in the remaining fields. A star will appear next to all Filtering Rules that include this domain.

Find all rules that apply to a specific user, such as "Bill Smith."
User/Group: Click the button next to this field and select the individual user, "Bill Smith." Leave all other fields at their default "All" setting. A star will appear next to all rules that affect Bill Smith.

Find all rules that are in effect at 12 noon.
Time of Day: Enter 12:00 PM or 12:00:00 (depending on your system's time format). Leave all other fields at their default "All" setting. When you click Find, a star will appear next to all rules in effect at noon.

Find out if a domain is in a system category.
Domain: Enter the domain name or IP address.
Category/Group: Click the button to the right of this field and select the System Category you want to check. A star appears next to all rules that include this domain and use the system category.

Find out if problem sites are being filtered at noon for a particular department.
Category/Group: Select the defined Category Group, such as "Problem Sites."
Time of Day: Set to 12:00 PM or 12:00:00.
User/Group: Click the button and select the defined User Group, such as "SALES." Leave the Domain and Day setting at their default "All" setting. When you click Find, a star appears next to all rules filtering any domain in "Problem Sites," in effect at noon, which apply to users in the "SALES" department.

If no matches are found (no star appears next to a rule) to indicate a domain is blocked, you must assume users have access to the domain.
To clear fields:
Click the Clear button. This returns ALL fields to the default <All> setting. If you want to clear User or User Group selections without resetting other fields, open the Select User or User Group box and check the "Match All Users and User Groups" option.
Domain: The rule addresses a specific Internet domain. Enter the domain name in this field. Type the name and the top-level domain in the format domain.com, or enter an IP address (255.222.22.2). Domain names may contain letters, digits (0-9), a dot (.) and a dash (-). An IP address may contain digits (0-9) and dots (.) only. Other characters are illegal and cause a message to appear. If you are not looking for a specific domain, leave this field set to <All Domains and IP Addresses>.
Users: The rule addresses specific users or user groups. Click the button to the right of the User/Group field. This opens a box where you can select ONE User or User Group. At the top of the box you can choose to show all Users and Groups, only Users, or only Groups. You can also click on a column header to sort by that column, for example, sort by Description. Make your selection and click OK. The rules found must specifically include the User or User Group you have selected (a rule set to apply to All Users and User Groups will NOT be a match).
Time of Day: The rule blocks access at a certain time of day. Enter the time in the format used by your Windows desktop. In most cases, the format is HH:mm PM/AM, and you would type 12:00 PM for noon. If time of day is not your concern, leave the setting at <All Times>.
Day: The rule blocks web sites on certain days. Select the day from the drop-down list. The rules found must be in effect during the day specified. If you're not looking for a particular day, leave the setting at <All Days>.
Category/Group: The rule addresses a defined Category or Category Group (such as "Sports" or "Shopping"). Click the button to the right of the Category/Group field. This opens a box where you can select ONE system or custom category or one Category Group. At the top of the box you can choose to show all Categories and Groups, only Categories, or only Groups. You can also click on a column header to sort by that column, for example, sort by Description. Make your selection and click OK. The rules found must include the Category or Category Group you have selected. Check Match All Users and User Groups to clear selections in this box. This returns the Find setting to its default "All Users and User Groups" when you click OK.
A site is being blocked at 10:00 AM, but allowed at 12:00 PM and 7:00 PM. A site is being blocked for one user, but not for another user who requires access. A site is always blocked for any selected user.
This test verifies that access to amazon.com is ALLOWED to John Smith at 1:00 PM on Wednesdays.
Domain: Enter a domain name in the format domain.com, or enter an IP address (255.222.22.2). Domain names may contain letters, digits (0-9), a dot (.) and a dash (-). An IP address may contain digits (0-9) and dots (.) only. Other characters are illegal and cause a message to appear.
Match Disabled Rules: OPTIONAL Check this box to find matches in disabled as well as enabled rules. Clear this box if you are testing ONLY the currently enabled rules.
Time of Day: Enter the time you wish to check. Use the time format used by your Windows desktop settings, such as 1:00 PM or 13:00:00.
Day: Select the day you wish to check from the drop-down list. User: Click the button next to the user field or press Enter or the Spacebar to open a Select User box. Select (highlight) the ONE user you wish to test and click OK.
The Select User box closes and the name is entered in the User field.
Adding a user in Users Management does NOT set up monitoring of the user. Computer monitoring begins when a Spector 360 Recorder is installed on the user's computer.
Display Name - The Display Name is used only by Spector 360 for charts, criteria selection, and other purposes. It does not have to match a name on your network. You can change a user's display name at any time using Management > Users in the Dashboard.
Enter up to 50 characters. By default, users are listed alphabetically by the display name.
User Name - The User Name is the account user name by which the user logs in to the computer and the network. This name must exactly match the user name known to the network. If in doubt, look for the user name at the Windows or Mac computer under user account information.
The Login Name is automatically supplied from your User Name and Domain/Computer Name entries.
Login Type - Select how the user logs in from the drop-down list. Local - The user logs in locally to the computer being used. Network - The user logs into the computer and into a domain network.
Computer Name - For a Local Login Type, select the computer name from the drop-down list. The computer must already be "added" to Spector 360 and known to the Database.
Domain - For a Network Login Type, select the domain where the user will log in from the drop-down list. The list contains domains known to Spector 360. You can type in a new name, but make sure it is a valid domain on your network.
For example, grouping users by department makes it easy to assign a manager a Database login account with access only to users in his or her particular department.
To group users:
The New/Edit User Group box opens when you click New in the Dashboard's User Groups Management or New Group while defining "Who" in a Web Filtering rule. Simply move available users on the left to the right column to select them for the group.
When you click OK to add the user, the new user will appear in Dashboard (and Control Center) lists.
Group Name - Name of this group, up to 20 characters, to be displayed in User Group selection lists. Description - A description for this group, up to 110 characters. Group Type - Specific Users: Lists all users in the "Available" column allowing you to select individual users for the group. All Users from Specific Domains: Lists all domains in the Available column, allowing you to select all users in one or more domains.
filter. Both System and Custom Categories are listed in the Web Filtering Categories pane.
Available Users - The list of users or domains in the left column is available for grouping. Use the Shift and Control keys to multiple-select.
Click > (or double-click) to send all highlighted users or domains to the right-column Selected list.
Click >> to send all users or domains in the Available list to the Selected list.
Click < (or double-click) to return highlighted users or domains in the Selected list back to the Available list.
Click << to return all Selected users or domains back to the Available list.
When all desired users are in the Selected list, click Save and Close on the toolbar. The window closes and the new user group appears in the list.
SpectorSoft automatically updates your Web Filtering system database with the latest System categories and their domains.
To view categories:
Select Web Filtering tool and Manage Categories. The right pane lists all categories. System Categories are in light italics, and Custom Categories are in normal typeface.
Category: The name of the category that appears in filtering rule selection lists. Type: System Categories are included with the Spector 360 Databases. These include most commonly known domains and are dimmed because you cannot edit or remove them from the list. Custom Categories are those that have been defined to cover specific domains. You can edit and remove these categories. More...
Description: A brief description of the types of domains included in the category. Roll your cursor over a category for a clearer picture of a dimmed System description.
To manage categories:
Use the toolbar at the top of the window or the right-click menu.
New - Create a new Custom Category.
Modify - Change the selected Custom Category (or simply double-click the category).
Delete - Remove the selected Custom Category from the database.
Refresh - Update the view with the latest categories from the database.
Find - Open the Find Domain pane at the top of window in order to see if a specific domain is included in one or more categories. See below.
You cannot modify System Categories. However, you can combine Custom and System Categories in a Category Group.

2. In the Domain field, enter the domain name (name.com, name.co.uk, name.org, and so on).
3. Select Find in:
All Categories - Search all categories in the list
Custom Categories - Search only Custom Categories
System Categories - Search only the predefined System Categories
4. Click the Find button. A star appears next to each category where the domain was found.
System Categories
A "category" in Spector 360 is a list of domains (Internet sites) with something in common. "System Categories" are ready-made domain lists provided with the Spector 360 Database. For example, the Shopping System Category will include Amazon, eBay, well-known department stores and other online shopping sites. All System Categories are marked as type System in selection lists.
Use the Find button in Categories Management to see whether a domain is included in one or more of the System Categories. For example, you'll find the domain msn.com in the News and Search Engines categories.
Category | Description
Adult Sexually Explicit | Sites offering adult content including artistic nudity, porn, sexuality and nude lifestyles.
Advertisements and PopUps | Sites with advert servers and banner URLs.
Chat | Sites with chat rooms and/or client and web-based messenger services.
Computer Viruses | Sites that host virus infected files.
Downloads | Sites that host downloadable content including audio, video and software.
Entertainment | Sites that promote television, radio, movies, books and magazines.
Finance and Investment | Sites offering online banking and investing services.
Food and Dining | Sites offering information on cooking and eating.
Gambling | Sites offering online games of chance.
Games | Sites offering online (non-gambling) games.
Government | Sites providing government and military related information.
Hacking | Sites offering hacking and cracking information.
Health and Medicine | Sites providing information on personal health.
Hobbies and Recreation | Sites providing information on hobbies such as pets.
Illegal Drugs | Sites providing information on illicit drugs.
Illegal Software | Sites providing illegal pirate software.
Job Search and Career Development | Sites providing information to job seekers.
Kids | Sites that kids tend to waste time on.
News | Sites providing news and weather information.
Personals and Dating | Sites providing dating information and services for singles.
Phishing and Fraud | Sites that attempt to trick people into providing personal information.
Proxies and Translators | Sites that offer mechanisms to bypass network security software.
Religion | Sites that promote religion.
Ringtones and Mobile Phones | Sites providing mobile/cell phone products and downloads.
Search Engines | Sites offering Internet search engines and utilities.
Shopping | Sites offering online shopping, auctions and various goods and services for consumers.
Social Networking | Sites offering social networking information and journal/diary services.
Society and Culture | Sites offering information about childcare.
Sports | Sites relating to sports and sports news.
Spyware | Sites that use spyware techniques.
Travel | Sites relating to personal travel and vacations.
Violence | Sites relating to promoting and depicting violence.
Web based eMail | Sites offering webmail and online email services.
Select Event Domains - Select this tab to choose from domains that have already been recorded by Spector 360. In the Filter field, simply start typing to call up a list. For example, type shop to list domains starting with these letters. Select the domain or domains you want to add from the list. Use Shift and Ctrl to multiple-select. Click the Add button between the columns to add the selected domain(s) to the right-column category list.
Enter IP Address - Select this tab to enter an IP address or address range. Use the asterisk (*) to indicate a range. Press Enter or click Add to add the IP address or range to the right-column category list.
Enter Domain Name - Select this tab to type a domain name or specific domain subfolder. Press Enter or click the Add button to add the domain to the right-column category list.
Use any of the following formats:
badsite.com
www.badsite.com
badsite.com/section2
For example, you may wish to allow www.google.com for searching, but block www.google.com/ig and gmail.com to block use of Gmail (Google Mail).
Instead of entering or selecting domains, you can import a list (text file) of domains into a category. See Importing Domains.
The file can have a .csv, .txt, or other extension, as long as the format is plain text. For example...
Domains in the list can be separated by commas, tabs, line breaks, or spaces. The import accepts domains in the following formats:
example.net
example.net\subfolder
www.example.net
subdomain.example.org
- OR - an IP address or address range in the format n.n.n.n, for example: 123.123.12.*
4. Confirm that you want to import the selected file by clicking Yes.
5. Wait for the domains to be imported. A message confirms the number of domains that were successfully imported. Even if you canceled the operation, some domains may have been imported. Click OK.
The import adds to (does not replace) domains already in the Custom Category list. The import will not "repeat" domains that already exist in the Custom Category list; duplicate domains are skipped.
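The following Python pre-check is an added example, not part of Spector 360 or its documentation. It sorts the entries of a domain list into accepted, duplicate, and rejected using the separators, formats, and character rules described above, so you can see before importing which entries would not end up in the category. The function names, the 0-255 limit on IP octets, case-insensitive duplicate matching, and treating "\" and "/" as the same subfolder separator are assumptions.

```python
import re

# Separators the import accepts: commas, tabs, line breaks, or spaces.
SEPARATORS = re.compile(r"[,\t\r\n ]+")
# Domain names: letters, digits, dots and dashes, in the form name.tld.
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# A host made only of digits, dots and asterisks is treated as an IP entry.
IP_LIKE_RE = re.compile(r"^[0-9.*]+$")
# Host, optionally followed by a subfolder after "\" or "/".
ENTRY_RE = re.compile(r"^([^/\\]+)(?:[/\\](.*))?$")


def valid_ip_or_range(host):
    """True for n.n.n.n where each n is 0-255 or "*" (0-255 is an assumption)."""
    octets = host.split(".")
    if len(octets) != 4:
        return False
    return all(o == "*" or (o.isdigit() and int(o) <= 255) for o in octets)


def normalize(entry):
    """Return (key, None) for an acceptable entry, or (None, reason)."""
    match = ENTRY_RE.match(entry)
    if not match:
        return None, "no host before the subfolder"
    host, subfolder = match.group(1).lower(), match.group(2) or ""
    if IP_LIKE_RE.match(host):
        if not valid_ip_or_range(host):
            return None, "IP address is not in n.n.n.n form"
    elif not DOMAIN_RE.match(host):
        return None, "illegal character or missing top-level domain"
    subfolder = subfolder.replace("\\", "/").strip("/")
    return (host + "/" + subfolder if subfolder else host), None


def check_import(text, existing=()):
    """Split the file text and sort entries into accepted/duplicates/rejected.

    existing: entries already in the Custom Category (duplicates are skipped).
    """
    seen = set()
    for entry in existing:
        key, _ = normalize(entry)
        if key:
            seen.add(key)
    accepted, duplicates, rejected = [], [], []
    for raw in SEPARATORS.split(text):
        if not raw:
            continue
        key, reason = normalize(raw)
        if key is None:
            rejected.append((raw, reason))
        elif key in seen:
            duplicates.append(raw)
        else:
            seen.add(key)
            accepted.append(key)
    return accepted, duplicates, rejected


# Constructed sample file content mixing every separator and a few bad entries.
SAMPLE_FILE = (
    "badsite.com, www.badsite.com\texample.net\\subfolder\n"
    "123.123.12.*  BADSITE.COM 300.1.1.1 bad_site.com\r\n"
    "http://example.org www.google.com/ig\n"
)
# Constructed list of entries assumed to be in the category already.
ALREADY_IN_CATEGORY = ["www.google.com/ig"]

if __name__ == "__main__":
    ok, dup, bad = check_import(SAMPLE_FILE, ALREADY_IN_CATEGORY)
    print("accepted  :", ok)
    print("duplicates:", dup)
    for raw, reason in bad:
        print("rejected  :", raw, "-", reason)
```

Compare the rejected list with the count in the import confirmation message: any domain that did not make it into a blocking category remains reachable.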
an "Alert Event" is recorded, and (if requested) notification is sent to an Alert Operator. You can enable, disable, or change Alert Profiles at any time.
Examples:
You can watch for "Bullying" and "Hate" keywords in the content of Chat/IM activity initiated by suspected troublemakers. As soon as one of the words pops up in a conversation, you get an email.
If you're worried about sensitive financial data, you can create a Keyword Group containing relevant words, filenames, and file locations; and then watch for activity (email, document activity, file transfers) among people with access to the data. As soon as a match to an alert profile appears, you get an email.
Event Name: Name of the Alert Profile.
Event Type: The type of events this profile watches. Each profile watches only one activity type, which can be Chat/IM, Email, File Transfer, Keystroke, Program, Web, Network, Document Tracking, or User Activity.
Enabled: No means the profile is currently disabled. Yes means it is working right now.
Description: A description of this Alert Profile.
Add a new profile - Master Login Only: Click New on the toolbar - OR - Select Add an Alert Profile - OR - Right-click in the right pane and select New - OR - Copy an existing Profile to create a new one.
View or edit an existing profile: Standard logins with access to Alerts can view profile details. Master logins can update an Alert Profile to enable/disable it, or change the profile's email recipients (operators), users to watch, conditions, or time profile. Double-click a profile in the profiles list - OR - Select the profile and click Modify on the toolbar - OR - Right-click on a listed profile and select Modify.
Set up email delivery of Alert notification - Master Login Only: Click Email Configuration on the toolbar - OR - Select Modify Alert Mail Configuration in the Task Navigation pane - OR - Select the Alert Profile in the right pane, right-click and select Email Configuration.
Show or hide disabled profiles: By default, Spector 360 shows ALL Alert Profiles that have been defined ("No" appears in the Enabled column for profiles that have not been enabled). To show ONLY profiles that are now enabled, click to turn OFF Show Disabled Profiles on the toolbar - OR - Select Show Disabled Profiles from the Edit or context (right-click) menu. Click the button or select the menu item again to change the setting back to "Show" disabled profiles.

generated when conditions for a profile are met, but no email notification is sent until an Alert Operator is assigned to the profile. At any time, you can disable a profile or change the users, conditions, and time period to which it applies.

Event Name | Event Type | Description
Clock Change | User Activity | Attempts to change the computer's clock settings, based on User Activity events
Copying Files | Document Tracking | Instances of files being copied to removable media based on Document Tracking events
Downloading Dangerous File | File Transfer | .EXE or .ZIP files downloaded from the Internet based on File Transfer events
Downloading Files | Web Site | Any files being downloaded from a web site, based on URL type
Excessive Network Use | Network | Users with more than 100,000 total bytes per day of network bandwidth
Excessive Printing | Document Tracking | Users with more than 50 printing events in one day, based on Document Tracking
Game Programs | Program | Instances of game programs running, based on known program names
Improper Email Messages | Email | Email messages that contain (possibly) improper topics for work, based on a keyword*
Inappropriate Chat | Chat/IM | Chat and Instant Message conversations on (possibly) inappropriate topics, based on a keyword*
Non-Work Searches | Web Search | Internet searches (possibly) not related to work topics, based on a keyword*
Event Name Off-Hours Logins Social Networking Sites Suspect Web Searching Too Few Hours Too Few Keystrokes Too Much Browsing Too Much Chat Too Much Web Surfing Uncommon Search Engines Unsupported Browsers Use of iTunes
Description Network logins during non-office hours. Monday- Friday. 5:00 PM-9:00 AM. Anytime on weekends Visits to social networking web sites, based on a URL name or web site category** Visits to web sites with inappropriate topics or content based on a keyword* or web site category** Users with fewer than 6 hours on the computer in an 8 hour work day Users with fewer than 2,000 keystrokes in one day Users with more than two hours usage of Internet Explorer, based on Program Activity More than 10 chat sessions in one day, based on a count of Chat/IM Events Users with more than two hours usage of the Internet, based on Web Sites Visited Internet searches done with uncommon search engines (not Google, Yahoo, Bing, Live, or MSN) Use of (possibly) unsupported (on your network) Internet browsers: Firefox, Opera, Safari, Chrome iTunes running and using bandwidth to download and play music, movies, TV Shows, podcast or radio Sending or receiving webmail
Event Type
Description messages
* Keywords are defined within Keyword Groups. See the What tab for the Alert Profile. **Domains included in categories are defined within Web Filtering Categories. See the What tab for the Alert Profile.
Centralized Alerts do not apply to Macintosh computers.
Web Site
Program
Webmail
Alert Name - Enter a name for the profile, up to 50 characters. Description - Enter a description of the rule. The description may be up to 255 characters.
Enabled - As soon as you save it, the alert goes into effect. Disabled - The alert will be added to the Alert Profiles list, but not activated until you click the Enable button on the Alert Profiles toolbar.
Name the Alert Profile under General
Select all or specific users to watch under Who
Choose an event type and at least one condition under What
Choose how often to notify and when to watch for the alert under When
Each Alert Profile is based on ONE ACTIVITY type (e.g., email or chat). It's possible to edit the provided profiles to better suit your needs.
Alert Recipients - Check the Alert Operators (defined in Alert Operator Management) who should receive email notification when this alert occurs. Click New Alert Operator to define a new operator on the spot. The New Recipient will be added to this list and to the list of Alert Operators.
1. From the Selection Type list, select:
All Users and User Groups - Applies the profile to all users.
Specific Users and User Groups - Allows you to select users to whom the rule applies.
2. If you are selecting specific users or groups, click on names under "Available Users and User Groups." Use the CTRL and SHIFT keys as needed to multiple-select.
3. Click the > button to send the selected users to the right column. Click >> to send ALL Available Users to the Selected Users and User Groups list.
4. Click < or << to send one or more Selected Users and User Groups back to the "Available" column.
5. When the Selected Users and User Groups contain all users you want to include in the rule, continue on to What.

1. Select an Event Type from the drop-down list.
2. Click the Add Field button to activate the first row. The first two columns of the first row will be blank.
3. Under Field Name, select an event field from the drop-down list.
4. Under Operator, select from the drop-down list how you want the contents of the event field to match the given Value.
5. Under Value, depending on the event field, enter or select a value, keyword, or Keyword Group.
It takes only one field to set up an alert. Remember, if you are not watching All Users and User Groups, the alert applies ONLY to the users you have selected under Who.
6. Click Add Field to activate subsequent rows and add more conditions for this particular Event Type. For a second field, select a Logical Operator (AND/OR) in the second column. If you want to add nested conditions, click on the first column to select the opening parenthesis, which always appears alone on its row. See the Alert Conditions topic for further explanation and examples.

1. Select a Time Profile from the drop-down list. The graphic schedule immediately shows green for hours when the alert is in effect and a table below the graphic lists the hours the alert is in effect. You can select:
All Times - Spector 360 always watches for the alert conditions.
Other Time Profiles you have defined. See Time Profiles for detailed help.
2. Select an Alert Frequency. If this alert occurs, even if it occurs multiple times, the Alert Operator will receive an email message at this frequency. Use the drop-down list to select Every 'n' Hours / Days / Weeks / Months. In the second field, type or select a number. The above illustration shows an Alert Frequency of once a day. The most frequent alert schedule is once every hour; and you can receive alerts as infrequently as once every 6 months.
3. Select a Start Date. Enter a date in mm/dd/yyyy format or click the drop-down arrow to display a calendar. Use arrows next to the month and year to change these values, and click on a date.
4. Select a Start Time. The time will be in the format used by your computer's system clock. Select a time field and use the arrows to increment or decrement the value. A 12-hour clock includes AM or PM selection.
When you are finished defining or modifying the Alert Profile, click Save to save your changes or Save and Close to close the New/Edit Alert Profile window and add the profile to the list of Alert Profiles.
A row is added above for a Logical Operator (AND or OR) to precede the parenthesis. A closing parenthesis is added two rows down. The nested condition must be enclosed by parentheses. You cannot make any other selections on the parenthesis row; select your Field Name in the next row down, or use Add Field to add the next row.
All conditions within the parentheses are analyzed together before going on to the next top-level condition. In the following illustration, the Keystrokes event would have to pass this test before continuing to the next condition:
There are more than 8 keystrokes
OR The keystrokes contain the characters "mypass"
AND The current window caption includes the characters "login"
The first two columns of the first row are always blank; there is no need for grouping parenthesis or a Logical Operator.
AND - The previous and next conditions must both be met. For example, to find bullying words in a MySpace Chat room, your logic might be:
In Chat/IM Events - Chat Contents contains words in the group "Bullying"
AND - The Window caption contains the word "MySpace."
OR - Either the previous or the next condition must be met. For example, to get alerts when activity takes place in either Facebook or MySpace, your logic might be as follows:
In Web Events - The Window caption contains the word "Facebook"
OR - The Window caption contains the word "MySpace"
Whenever there are multiple "OR" conditions for a single field, you probably can define a custom Keyword Group. You can define a "Social Network" Group that contains all sites you'd like to watch (MySpace, Facebook, Blogger, Twitter, etc.) and use the secondary Operator in group to specify that custom group as the Value. The Alert Profile would simply state:
In Web Events - The Window caption is in the group "Social Networks"
When you make multiple selections "in group" or where there are specific value selections, there is an implicit OR in the value selection: For example, you can select Chat Contents "in group" of "Bullying or Drugs." You can select Chat Type events that contain "AOL/ICQ or YAHOO or MSN."
Count of Events - Select this field to instruct Spector 360 to watch for an aggregated count of this activity type for one user/computer during the Alert Frequency (set under "When"). For example, you can watch Chat/IM events for Count of Events > (is greater than) 10 within an Alert Frequency of 1 Day.
Operators
Operator Definition
Greater than value entered
Greater than or equal to value
Less than value
Less than or equal to value
Equal to value
Not equal to value
Includes the value entered or selected
Does not include the value
Includes any of the words from selected Keyword Groups. You can create custom groups in order to select the words you need.
Does not include the words from selected Keyword Groups
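The following Python sketch is an added example, not Spector 360 code. It evaluates alert conditions the way the AND, OR, "in group," nested-parenthesis, and Count of Events descriptions above read, using constructed chat events, to show how a missing parenthesis changes which events raise an alert. The operator spellings other than "contains" and "in group", substring keyword matching, left-to-right evaluation of rows on one level, the keyword lists, and all event data are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed Keyword Groups: group names follow the text, the words are made up.
KEYWORD_GROUPS = {"Bullying": ["loser", "stupid"], "Drugs": ["pills"]}


def contains(field_value, value):
    """Case-insensitive substring match (matching style is an assumption)."""
    return value.lower() in field_value.lower()


def in_group(field_value, group_names):
    """Selecting several groups is an implicit OR across all of their words."""
    return any(contains(field_value, word)
               for name in group_names for word in KEYWORD_GROUPS[name])


OPERATORS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "contains": contains,
    "does not contain": lambda a, b: not contains(a, b),
    "in group": in_group,
    "not in group": lambda a, b: not in_group(a, b),
}


def matches(rows, event):
    """rows: list of (logical, item). logical is None on the first row, then
    "AND"/"OR". item is (field, operator, value), or a nested list of rows that
    stands for a parenthesized group and is evaluated as one unit."""
    result = None
    for logical, item in rows:
        if isinstance(item, list):
            value = matches(item, event)
        else:
            field, op, expected = item
            value = OPERATORS[op](event[field], expected)
        if result is None:
            result = value
        elif logical == "AND":
            result = result and value
        elif logical == "OR":
            result = result or value
        else:
            raise ValueError("unknown logical operator: %r" % (logical,))
    return bool(result)


def users_over_count(events, start, frequency, threshold):
    """Count of Events: users with more than `threshold` events in one
    Alert Frequency window [start, start + frequency)."""
    end = start + frequency
    counts = Counter(e["User"] for e in events if start <= e["Time"] < end)
    return sorted(u for u, n in counts.items() if OPERATORS[">"](n, threshold))


# The AND example from the text.
AND_PROFILE = [
    (None, ("Chat Contents", "in group", ["Bullying"])),
    ("AND", ("Window Caption", "contains", "MySpace")),
]
# Keywords AND (Facebook OR MySpace): the nested list is the parenthesized group.
NESTED_PROFILE = [
    (None, ("Chat Contents", "in group", ["Bullying", "Drugs"])),
    ("AND", [(None, ("Window Caption", "contains", "Facebook")),
             ("OR", ("Window Caption", "contains", "MySpace"))]),
]
# Same three conditions with the parentheses left out.
FLAT_PROFILE = [
    (None, ("Chat Contents", "in group", ["Bullying", "Drugs"])),
    ("AND", ("Window Caption", "contains", "Facebook")),
    ("OR", ("Window Caption", "contains", "MySpace")),
]


def _event(user, day, hour, minute, caption, text):
    return {"User": user, "Time": datetime(2011, 10, day, hour, minute),
            "Window Caption": caption, "Chat Contents": text}


# Constructed Chat/IM events (users, times, captions and text are made up).
EVENTS = [
    _event("jsmith", 26, 9, 5, "MySpace - Chat", "you are such a loser"),
    _event("jsmith", 26, 9, 20, "MySpace - Chat", "lunch at noon?"),
    _event("bwhite", 26, 10, 0, "Facebook Chat", "what a stupid idea"),
    _event("jsmith", 26, 15, 40, "Yahoo Messenger", "see you tomorrow"),
    _event("jsmith", 27, 8, 0, "MySpace - Chat", "got any pills?"),
]

if __name__ == "__main__":
    for name, profile in [("AND", AND_PROFILE), ("NESTED", NESTED_PROFILE),
                          ("FLAT", FLAT_PROFILE)]:
        print(name, [matches(profile, e) for e in EVENTS])
    print(users_over_count(EVENTS, datetime(2011, 10, 26), timedelta(days=1), 2))
```

Without the parentheses, the second event (an ordinary MySpace chat with no keyword) also matches, so the profile alerts on every MySpace chat rather than only on keyword hits.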
Create a new Alert Operator: In Manage Alert Operators, click New on the toolbar - OR - Select Add an Alert Operator from the Task Navigation pane - OR - Right-click in the right pane and select New. See New/Edit Alert Recipient. You can also define an Alert Operator while creating or editing an Alert Profile.
Edit a defined Alert Operator: Double-click a listed operator - OR - Select an operator and click on Modify the selected Alert Operator - OR - Right-click on an operator and select Modify. Use the Edit Alert Recipient box to change the name, description, email address and whether or not the operator is "enabled" to receive alerts. See New/Edit Alert Recipient.
Disable or enable an Alert Operator: An Alert Operator who is "Disabled" ("No" appears in the Enabled column) has been defined, but is not currently receiving email notification. An Alert Operator who is "Enabled" ("Yes" appears in the Enabled column) receives email as soon as alert conditions are met. You may wish to disable an operator when the person is out of the office. To enable or disable an operator, double-click on the Alert Operator in the list to open the Edit Alert Recipient box. Clear the Enabled checkbox to disable or check it to enable the operator. Click OK.
Name - A name that identifies the operator.
Email - The email address where alerts are sent.
Description - A description of this operator.
Enabled - Yes means the operator is enabled for receiving alert notification; No means the operator is disabled and will not receive alert notification messages until enabled.
Show or Hide disabled Alert Operators: By default, ALL operators are listed. To remove disabled operators from the Alert Operators list, select Alert Profiles. Double-click on a profile in the list. Under the General tab, select Hide Disabled Alert Operators. When this option is checked, any operator for this Alert Profile who has been disabled will NOT appear in the Alert Operators.
Enabled - Check this box to enable the Alert Operator recipient. If this box is not checked, no email will be sent to this person, even if he or she is designated as alert recipient for an active Alert Profile.
Click OK to save the recipient and the name to the Alert Operators Management list.
Modify a Keyword Group. Make changes to a custom group by selecting it, right-clicking, and selecting Modify. See Defining a Keyword Group.
Import a Keyword Group or Groups. Right-click in the right pane and select Import. Either a CSV or XML list of keywords, formatted as described in Importing Keywords and Groups, can be processed and added to the Keyword Groups Management list.
Delete a Keyword Group. You can delete any predefined or custom Keyword Group that you don't need. Select a group and click Delete on the toolbar, or right-click on a Keyword Group and select Delete. A message appears asking you to confirm the deletion and warning that you cannot undo it. Click Yes to continue (or No to cancel the operation). The Keyword Group is removed from the Dashboard and from the Database; it cannot be recovered unless a Database Backup is restored.
Create a Keyword Group. Click New on the toolbar, or right-click in the right pane and select New. Pick and choose from any of the words in existing groups, and/or add your own words. You can change words in a custom Keyword Group at any time, and all Alert Profiles using that group are immediately changed (taking effect as soon as applications or
Name - Description
Chat and Instant Message conversations on (possibly) inappropriate topics, based on a keyword*
Non-Work Searches - Internet searches (possibly) not related to work topics, based on a keyword*
Off-Hours Logins - Network logins during non-office hours: Monday-Friday, 5:00 PM-9:00 AM; anytime on weekends
Social Networking Sites - Visits to social networking web sites, based on a URL name or web site category**
Suspect Web Searching - Visits to web sites with inappropriate topics or content, based on a keyword* or web site category**
Too Few Hours - Users with fewer than 6 hours on the computer in an 8 hour work day
Too Few Keystrokes - Users with fewer than 2,000 keystrokes in one day
Too Much Browsing - Users with more than two hours usage of Internet Explorer, based on Program Activity
Too Much Chat - More than 10 chat sessions in one day, based on a count of Chat/IM Events
Too Much Web Surfing - Users with more than two hours usage of the Internet, based on Web Sites Visited
Uncommon Search Engines - Internet searches done with uncommon search engines (not Google, Yahoo, Bing, Live, or MSN)
Web Site
Copying Files
Downloading Dangerous File Downloading Files Excessive Network Use Excessive Printing Game Programs Improper Email Messages
Web Search
Description
Use of (possibly) unsupported (on your network) Internet browsers: Firefox, Opera, Safari, Chrome
iTunes running and using bandwidth to download and play music, movies, TV Shows, podcast or radio
Sending or receiving webmail messages
Program
Webmail Messages
* Keywords are defined within Keyword Groups. See the What tab for the Alert Profile.
** Domains included in categories are defined within Web Filtering Categories. See the What tab for the Alert Profile.
Although you can view the words in any group, you cannot modify the provided, system Keyword Groups. If you need different words, create a new Keyword Group.
Type a word in the Keyword field. Use any characters, numbers or spaces. If you wish, type a phrase or an entire document path or URL. Click the > button to move this word to the Selected list. Keep in mind that Spector 360 looks for a match to a complete keyword. If you used the above Keyword group and Spector 360 found C:\bin\admin\documents\2008\text.txt in a field, it would set off an alert. If it found C:\bin\admin\text.txt, it would not.
Select Keywords - Select this tab to choose words from any existing Keyword Groups.
1. Double-click a word to select it and move it to the Selected Keywords list. Or, use Shift and Ctrl to multiple-select in the left-hand list, and then click the > button to move words to the Selected list. Click >> to move all words to the Selected list. Click << to move all words out of the Selected list. Click the > button to add a word to the list. To remove a word from the Selected list, highlight it and click the < button.
3. Click Save on the Keyword Group toolbar to save your changes, and Save and Close to save and close the Keyword Group window. If you attempt to close the window after making changes, you are prompted to save.

To import keywords:

1. Prepare a list of keywords in a CSV (comma separated value) or XML formatted text file as described below.
2. Select the Event Alerts > Manage Keyword Groups.
3. Click Import on the toolbar - OR - select Import data into a Keyword Group from the Task Navigation pane - OR - right-click in the right pane and select Import. The import box appears.
4. Select Keywords and Groups and click Next.
5. Choose to import either a .CSV (Comma Separated Values) or an .XML (eXtensible Markup Language) file. Directions for both are below. Make your selection.
6. Click Browse to browse to and select the file you wish to import, or type the path and filename in the field. Be sure you select a file in the format you have selected. Click Open.
7. Click Next. If the file is correctly formatted, an import box lists all keyword records about to be imported. If there is a problem with the import file, a message appears at the top of the box. The bottom of the box tells you how many records are detected, and you can use the play buttons to browse through and check the records. If you wish, click Back to choose a different file format, or Cancel to exit the import.
8. Click Import at the bottom of the box to continue.
9. If the group already exists, a message asks if you would like to replace the keywords in this group with the imported keywords. Click Yes to replace words in the group or No to add any new words to the existing group.
10. A check mark appears in the Imported column for each record that was successfully imported; an import error is noted in the Error column. If you receive errors, check the records causing the problem. The original file may need to be corrected.
11. Close the window when you are finished. Each new group is listed in Keyword Groups Management, and new words should be added to any existing custom Keyword Groups.

A new group name creates a new, custom Keyword Group. If the group already exists, and a keyword being imported already exists, the keyword is ignored.
Create a plain text file from any application using comma separated values.
Follow the steps above to select and import the file you created.
<Root>
  <Keywords>
    <Keyword Word="invoice" Group="Financial" />
    <Keyword Word="budget" Group="Financial" />
  </Keywords>
</Root>
Import Rules
When you import keywords, the following rules apply:
If a required field is missing, a message informs you that "Some records do not have the required information. Continue processing the file?" If you choose to continue the import, the records with errors will be skipped and all valid records will be imported.
If a keyword already exists in the group specified by the import file, the record will not be imported. If an imported keyword is assigned to a group where it does not yet exist, it is added to the group. If a Keyword Group does not exist, it is added.
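The import rules above, as an added example (not SpectorSoft code): a Python dry run that parses a file in the XML layout shown on this page and reports which records would be skipped, ignored or added before anything is imported. Treating both Word and Group as required, exact case-sensitive matching, the DOCTYPE refusal, and the names `parse_keyword_file` and `plan_import` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample file in the <Root>/<Keywords>/<Keyword> layout.
# Record 3 has no Group; record 4 repeats record 1.
SAMPLE_XML = """<Root>
  <Keywords>
    <Keyword Word="invoice" Group="Financial" />
    <Keyword Word="budget" Group="Financial" />
    <Keyword Word="payroll" />
    <Keyword Word="invoice" Group="Financial" />
    <Keyword Word="resume" Group="HR" />
  </Keywords>
</Root>"""

# Constructed stand-in for the groups already in Keyword Groups Management.
EXISTING_GROUPS = {"Financial": {"audit", "budget"}}


def parse_keyword_file(xml_text):
    """Return (records, skipped) for an XML keyword import file.

    records: list of (word, group) where both attributes are present.
    skipped: list of (position, reason) for records missing a field,
             mirroring the "records with errors will be skipped" rule.
    """
    # The layout needs no DTD, so a file that declares one is refused
    # before it reaches the parser (assumption: hardening, not a product rule).
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in a keyword import file")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    keywords = root.find("Keywords")
    if root.tag != "Root" or keywords is None:
        raise ValueError("expected <Root><Keywords>...</Keywords></Root>")

    records, skipped = [], []
    for pos, node in enumerate(keywords.findall("Keyword"), start=1):
        word = (node.get("Word") or "").strip()
        group = (node.get("Group") or "").strip()
        if not word:
            skipped.append((pos, "missing Word"))
        elif not group:
            skipped.append((pos, "missing Group"))
        else:
            records.append((word, group))
    return records, skipped


def plan_import(records, existing, replace_existing=False):
    """Apply the import rules to a copy of the current groups.

    replace_existing=False models answering "No" (add new words to the
    group); True models "Yes" (replace the group's words with the file's).
    """
    result = {name: set(words) for name, words in existing.items()}
    new_groups, added, ignored, replaced = [], [], [], set()
    for word, group in records:
        if group not in result:
            result[group] = set()          # unknown group: it is created
            new_groups.append(group)
        elif replace_existing and group in existing and group not in replaced:
            result[group] = set()          # "Yes": start the group over once
            replaced.add(group)
        if word in result[group]:
            ignored.append((word, group))  # already in the group: not imported
        else:
            result[group].add(word)
            added.append((word, group))
    return {"groups": result, "new_groups": new_groups,
            "added": added, "ignored": ignored}


if __name__ == "__main__":
    recs, bad = parse_keyword_file(SAMPLE_XML)
    plan = plan_import(recs, EXISTING_GROUPS)
    print("skipped:", bad)
    print("new groups:", plan["new_groups"])
    print("added:", plan["added"])
    print("ignored:", plan["ignored"])
```

Comparing the "No" and "Yes" plans side by side shows which existing words (here the constructed "audit") would disappear from alerting if the group were replaced.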
5. A message appears when the export is complete and asks if you would like to open the file you just created. The file has been created at the location you request in exactly the same format as required for import. Click Yes to open the file now, or No to close the message box. An XML file opens in the default application or Internet browser.
From Email Address: The email address from which alert notification will be sent.
From Friendly Name: Any name to identify the email alert source.
SMTP server: The name of the computer, domain, or IP address of the mail server used by the default email client on this computer. For example, the SMTP Server might be a computer named SERVER1 or the domain mail.mywebsite.com. An IP Address would have the format 11.22.33.44.
Send Timeout: The period of time in seconds to continue attempting to send the email before timing out. The default is 130 seconds.
Port Number: The port from which to send the Alert notification email. The default is 25, a standard outgoing SMTP port.
Use SSL: Check this box if you wish to use Secure Socket Layer encryption for security of the email. This must be supported by your mail server.
Logon Type: How the email server will be accessed.
Windows Credentials - Select to use your Windows login and password to access the Task Scheduler to send the email.
Login and Password - Select to enter a User Name and Password to access the email server.
Click OK to configure the email and close the box. Click Cancel to close the box without changing the configuration.
Time Profiles
New: Define a new profile.
Modify: Edit a Time Profile.
Delete: Remove the selected Time Profile from the database.
Refresh: Update with the latest data and changes.
Details: Select Show All to show the day-by-day schedule for each listed Time Profile. Select Hide All to view only the Time Profile names.
Profile Name: The name of the defined Time Profile. Click the - (minus sign) next to a profile name to close up details, or the + (plus sign) button to open the daily schedule for the Time Profile.
Description: Change the Description of the Time Profile when you add or edit a Time Profile.
Name: Enter a profile name up to 50 characters.
Description: The Time Profile description appears next to the profile selection when you are defining the filtering rule. Describe the schedule and, if you like, include instructions for using it. The description may be up to 255 characters.
When to Filter: In the calendar grid, click on date/time squares to color them. Colored areas define the filtering times. Hold down the mouse button and drag to color an area. Click a time column heading to color that time for all days, or click a day row heading to color all times in that day. Drag over colored areas to clear them. Dragging over colored AND blank areas colors all areas.
Keyboard shortcuts: Use Alt+L to place focus immediately in the When to Filter schedule. Use the arrow keys to position the cursor. Hold down Shift and use the arrow keys to color (or remove color from) the schedule grid.
In the above illustration, the profile would apply to Sun-Wed, from 1:45 to 5 AM and from 12 to 1 PM and NOT at other times. As you color in filtering time in the grid, the days and times you select are listed below the grid. The list is for your information only; to make changes, click and drag on the calendar grid.
The selected time periods are listed below the schedule graphic.
Developer Tools
Definition

The ReturnRawDataSet stored procedure retrieves a list of records (with all data fields) for one event type within a time range. Seven possible parameters allow you to specify the data you want. For example, the procedure could retrieve all Email events from January 1-10 for user Bill Smith (on the CHICAGO domain) recorded on any computer. The procedure would be called as follows:

EXEC SPCTR_ADMIN.dbo.usp_Utility_ReturnRawDataSet
    @int_EventType_ID = 4
    ,@int_TransactionID = 0
    ,@dte_StartDate = '2008/01/01 00:00:00'
    ,@dte_EndDate = '2008/01/10 23:59:59'
    ,@int_MaxRowCountPerRequest = 0
    ,@str_FullLoginName = 'CHICAGO\bsmith'
    ,@str_ComputerName = ' '

A call to the stored procedure requires a value for EventType_ID, StartDate and EndDate. Other parameters are optional. If you use the parameter names in the call, the order and inclusion of optional parameters will not be required. If you do NOT use the parameter name (supply just the value) all parameter values must appear in the order shown.

EventType_ID: Integer, REQUIRED argument
The first parameter (integer) specifies the type of records to retrieve (Programs, Web Sites Visited, Email, Keywords, etc.). Each Event Type ID and the fields it retrieves are outlined in the following tables.

ID     EVENT TYPE
1      Program Events
2      Web Site Events
3      Snapshots
4      Email Events
104    Email Attachments
5      Keystroke Events
7      Chat/IM Events
8      File Transfer (P2P) Events
10     Keyword Alerts
11     Network Events (Port)
12     Document Tracking Events
13     User Activity
14     Online Searches

TransactionID: integer, OPTIONAL argument
Default = 0
The transaction (record) to use as a starting point. Each record inserted in the database is associated with a Transaction ID. A Transaction ID value of 0 (zero) begins a count of Transaction IDs retrieved. Use the Transaction ID to control the row pointer for successive calls. For example, if 5889 records are retrieved in the first call, to get the next segment of data, the subsequent call would specify:
,@int_TransactionID = 5889
If you use the MaxRowCount argument, the number of rows (records) you specify will be retrieved as a maximum. If you do NOT use the MaxRowCount argument, a maximum of 50,000 records will be retrieved. To retrieve the next set of records beyond the maximum, you need to use:
,@int_TransactionID = 50000

Transaction IDs vs. Dates
Transaction IDs are retrieved sequentially in the same order in which the records were inserted in the database. However, you cannot assume that Transaction IDs will also be ordered by date. Example: A sales person disconnects from the network for 5 days, returns to the office, and all recordings are uploaded at that time. Transaction IDs from the salesman's data are ordered as they were inserted in the database, while the recording date/time of each transaction accurately reflects the time of the recording:
Transaction 1 - Recording date was 2008/01/20 (employee)
Transaction 2 - Recording date was 2008/01/21 (employee)
Transaction 3 - Recording date was 2008/01/15 (salesman)
Transaction 4 - Recording date was 2008/01/16 (salesman)
Transaction 5 - Recording date was 2008/01/22 (employee)

StartDate / EndDate: datetime, REQUIRED arguments
The required StartDate and EndDate parameters specify the beginning and end of the date and time range for the data you want to retrieve. Data records are stored by date and time and usually are retrieved sequentially from earliest to latest within the time range (see the note above). Only records within the date range will be retrieved. Be sure to use the format: yyyy/mm/dd hh:mm:ss
No milliseconds are used. For example, the following call retrieves all Program records for all users from midnight, January 1, to a second before midnight, January 5 (up to the default limit of 50,000 records).

MaxRowCountPerRequest: integer, OPTIONAL argument
Default = 0, or 50000 rows
Use the Maximum Row Count parameter to specify the maximum number of rows to return for each call to the procedure. The number of rows actually returned may be fewer, but will not exceed this maximum. This parameter allows you to expand the maximum if you need to retrieve more than 50k records in a single call, or reduce the maximum if your processing resources are limited. If you omit this parameter or use the default 0 value, the maximum rows retrieved per call will be 50,000.
Requesting a large number of data records will consume disk and memory resources on your database machine. Be especially careful when requesting content-heavy events, such as Email or Keystrokes. If the database machine is being used for other processes, we recommend using the default 50K row limit or setting an even smaller maximum row count.

FullLoginName: varchar(128), OPTIONAL argument
Default = empty string, or all users
Use the Full Login Name string parameter (maximum 128 characters) to retrieve data recorded for an individual user. You can omit this parameter (or pass an empty string) to retrieve event records for ALL users. Use the complete Domain\Username specification, as listed in the Dashboard Management Users list, or as returned by this procedure without this parameter.

FullComputerName: varchar(128), OPTIONAL argument
Default = empty string, or all computers
Use the Computer Name string parameter (maximum 128 characters) to retrieve data recorded on a single computer. You can omit this parameter (or pass an empty string) to retrieve event records for ALL computers. Use the complete computer name specification, as listed in the Dashboard Management Computers list, or as returned by this procedure when this parameter is not used.

1 - Program Events

ID 1   Fields Returned (Program)   Data Type (max)
1      StartDateTime               datetime
2      TransID                     int
3      ComputerDomainName          varchar(255)
4      ComputerName                varchar(255)
5      FullLoginName               varchar(512)
6      ProgramName                 varchar(128)
7      TotalTime                   int
8      FocusTime                   int
9      ActiveTime                  int
10     WindowCaption               varchar(128)
11     ComputerSerialNumber        varchar(50)
ID 10 11 12 13 14 15
3 - Screen Snapshots

ID 3   Fields Returned (Snapshot)  Data Type (max)
1      StartDateTime               datetime
2      TransID                     int
3      ComputerDomainName          varchar(255)
4      ComputerName                varchar(255)
5      FullLoginName               varchar(512)
6      EndDateTime                 datetime
7      UNCPath                     varchar(512)
8      FileName                    varchar(128)
9      SnapshotCount               int
10     EncryptKeyType              int
11     EncryptKeyGUID              varchar(40)
12     ComputerSerialNumber        varchar(50)

Filename is the name of the snapshot data file.
EncryptKeyType returns the encryption type for snapshot files:
0 = non-encrypted format
1 = Internal encryption
2 = 3DES encryption
You can use the Snapshot converter (ExportFile) to decrypt the snapshots for viewing outside of a SpectorSoft product.
4 - Email Events

ID 4   Fields Returned (Email)     Data Type (max)
1      RecordedDateTime            datetime
2      TransID                     int
3      ComputerDomainName          varchar(255)
4      ComputerName                varchar(255)
5      FullLoginName               varchar(512)
6      ProgramName                 varchar(128)
7      AttachCount                 int
8      IncomingFlag                int
9      EMailType                   varchar(12)
10     EMailBodyType               varchar(64)
11     FromName                    varchar(128)
12     FromAddress                 varchar(128)
13     ToNameAddress               blob
14     Subject                     varchar(512)
15     CCNameAddress               blob
16     BCCNameAddress              blob
17     EncryptedFlag               int
18     TooBigFlag                  int
19     UnsentFlag                  int
20     BodyErrorFlag               int
21     AttachErrFlag               int
22     AttachOffFlag               int
23     WebMailHost                 varchar(256)
24     BodyDisplay                 blob
25     BodyText                    blob
26     ComputerSerialNumber        varchar(50)

For email attachment information, make a call to Event Type 104, as described below. The first call below to Event Type 4 returns the first 50,000 (maximum) email events for the given date range. The second call to 104 returns all email attachments matching the email events returned in the first call.

EXEC SPCTR_ADMIN.dbo.usp_Utility_ReturnRawDataSet
    @int_EventType_ID = 104
    ,@int_TransactionID = 0
    ,@dte_StartDate = '2006/01/01 00:00:00'
    ,@dte_EndDate = '2006/01/10 23:59:59'

UNCPath returns a string value containing the (Universal Naming Convention) path where you can access email attachment files. The email attachment files themselves are not returned.
EncryptKeyType returns the encryption type for email attachments:
0 = non-encrypted format
2 = 3DES encryption
If 3DES encryption was used, the EncryptKeyGUID field returns the key that you will need to decrypt the files in this standard format. Encryption is set in the Control Center Properties for the Data Vault.
5 - Keystroke Event

ID 5   Fields Returned (Keystroke) Data Type (max)
1      StartDateTime               datetime
2      TransID                     int
3      ComputerDomainName          varchar(255)
4      ComputerName                varchar(255)
5      FullLoginName               varchar(512)
6      ProgramName                 varchar(128)
7      FormattedKeyCount           int
8      WindowCaption               varchar(128)
9      KeyboardLocale              varchar(20)
10     CharacterSet                int
11     KeystrokeCombined           blob
12     ComputerSerialNumber        varchar(50)

KeystrokeCombined returns all text representation of Unicode from all keys and key combinations for the event.

7 - Chat/IM Event

ID 7   Fields Returned (Chat)      Data Type (max)
1      RecordedDateTime            datetime
2      TransID                     int
3      ComputerDomainName          varchar(255)
4      ComputerName                varchar(255)
5      FullLoginName               varchar(512)
6      ProgramName                 varchar(128)
7      ChatDataFormat              varchar(20)
8      ChatType                    varchar(20)
9      ProtocolType                varchar(20)
10     ChatUserName                varchar(128)
11     ChatRemoteUsers             varchar(1024)
12     WindowCaption               varchar(128)
13     ChatData                    blob
14     ComputerSerialNumber        varchar(50)
ID 10 9 10
varchar(50) varchar(50)
10 - Keyword Alert

ID 10  Fields Returned (Keyword)   Data Type (max)
1      RecordedDateTime            datetime
2      TransID                     int
3      ComputerDomainName          varchar(255)
4      ComputerName                varchar(255)
5      FullLoginName               varchar(512)
6      ProgramName                 varchar(128)
7      Keyword                     varchar(50)
8      KeywordSource               varchar(20)
10 11 12 13 14 15 16
13 - User Activity

ID 13  Fields Returned (User Activity)  Data Type (max)
1      RecordedDateTime                 datetime
2      TransID                          int
3      ComputerDomainName               varchar(255)
4      ComputerName                     varchar(255)
5      FullLoginName                    varchar(512)
6      ActionDescription                varchar(50)
7      StartDateTime                    datetime
8      EndDateTime                      datetime
9      TotalTime                        int
10     ComputerSerialNumber             varchar(50)

14 - Online Search

ID 14  Fields Returned (Web Search)     Data Type (max)
1      StartDateTime                    datetime
2      TransID                          int
3      ComputerDomainName               varchar(255)
4      ComputerName                     varchar(255)
5      FullLoginName                    varchar(512)
6      ProgramName                      varchar(128)
7      TotalTime                        int
8      FocusTime                        int
9      ActiveTime                       int
10     URI                              varchar(50)
11     HostName                         varchar(256)
12     DomainName                       varchar(256)
13     WindowCaption                    varchar(128)
14     URL                              varchar(3072)
15     ComputerSerialNumber             varchar(50)
Regsvr32 /i <LocalPath>\ExportCtl2.dll
For example:
Regsvr32 /i C:\tools\ExportCtl2.dll

Regsvr32 /u <LocalPath>\ExportCtl2.dll

ChooseCodec()
Calls the interface that allows a user to choose which Codec the control should use, and stores this information in the registry. This method has no arguments. The interface allows selection of a codec, some of which allow adjustments to compression quality. Call this function before calling ExportAsAVI() unless PromptForCodec is set to TRUE within the export function.

ExportAsAVI()
This function exports an AVI file from a set of image files. The function uses the following arguments (in order):
Files (array of strings) - The array specifies names of files to load. To obtain the filenames of screen snapshots, run the Simple Database API Stored Procedure with the Event Type ID of 3. The filename is returned in the 8th field of each retrieved record.
EncryptKeyTypes (array of integers) - Specifies the encryption method for each file in the above array (they can be mixed). This array must be in alignment with the Files array. See Encryption Key Types below for valid values.
EncryptPasswords (array of strings) - Supply the password for each element in the above Files array. The Files and Passwords arrays must be aligned, so that the first element in Passwords specifies the password for the first element in Files. Obtain the passwords from the same procedure used above; the password is returned in the final two encryption key fields (type and GUID).
SnapCounts (array of integers) - Each integer specifies the snapshot count for each file. Obtain the count from the above procedure; the count (integer) is returned in the 9th field for each record.
OutFile (string) - Specify the name of the output .AVI file. The resulting video will be stored at the location and under the name you specify.
BeginDate (DateTime) - Specify the beginning of the date and time range you wish to include in the export. Use the format: yyyy/mm/dd hh:mm:ss
EndDate (DateTime) - Specify the ending of the date and time range to export. Only snapshots within the range will be included in the resulting .AVI. Use the format: yyyy/mm/dd hh:mm:ss
PadSeconds (BOOLEAN) - Allows creation of an .AVI that plays close to real time. If TRUE, the export function will fill in any missing seconds (where there are no snapshots) by duplicating the previous frame. One pad frame is inserted for each second there is no new snapshot. If FALSE, no padding is supplied, and the frames are simply inserted directly from the available snapshots, one after another.
PadThreshold (integer) - Only valid if PadSeconds is TRUE. Specifies the maximum number of frames to insert between time gaps. If the number of seconds (with no new snapshots) is greater than this value, the function will not insert ANY padding between those two frames. In the example below, the PadThreshold is set to 900. This means if a gap of 500 seconds occurs, 500 pad frames will be inserted. If a gap of 900 seconds occurs, no padding is used; the movie jumps directly to the next segment of user activity.
Fps (integer) - Specifies the Frames Per Second value for the .AVI file; this is the speed at which snapshot frames are displayed in the movie.
PromptForCodec (BOOLEAN) - If TRUE, then a UI will be displayed allowing the user to choose the Codec (see illustration above). This is the same UI that is displayed in a call to ChooseCodec(). If FALSE, then ChooseCodec() must have been called manually BEFORE the ExportAsAVI() command is first issued, otherwise this function will fail.

ExportAsImages()
This function is not yet implemented.

ExportFile()
Decrypts any attachment or snapshot file. Uses the following arguments:
SourceFileName (string) - Specifies the full path to the encrypted source file.
DestFileName (string) - Specifies the full path to the decrypted destination file. The argument must include path and filename information.
EncryptKeyType (integer) - Specifies the encryption method used in the source file (SourceFileName). See Encryption Key Types below for valid values.
EncryptPassword (string) - Specifies the password for SourceFileName.
specExport.ExportAsAVI(ref objFiles, ref objTypes, ref objPass, ref objCounts, "c:\\spectorsoft\\exported\\testavi.avi", dtStart, dtEnd, true, 900, 1, false);
Troubleshooting
SpectorSoft is committed to providing you with the best overall product experience. Our products are designed with superior quality and ease of use in mind, but we understand that issues do arise from time to time that require outside help. Follow these steps to get answers to questions when you are having trouble.

Consult the Spector 360 Guides
Consult the Troubleshooting topics in this guide. Other Spector 360 guides to consult are:
Spector 360 Deployment Guide
Spector 360 Dashboard Guide
Consult our Knowledge Base by clicking the link at the bottom of this page.

Read the Support FAQs
Visit Technical Support's Online FAQs (Frequently Asked Questions) to view the most common and easiest to resolve support requests. You will be required to enter your registered Serial Number.

Antivirus/Anti-spyware Detection
Many times trouble with Spector 360 recording has to do with antivirus or anti-spyware software detecting and quarantining or removing installed files. Although SpectorSoft continually improves and updates the Recorder stealth so it will not be detected, software vendors also continually update their "risks." Refer to the Spector 360 Deployment Guide for proactive solutions that exclude SpectorSoft from scans and prevent detection from happening in the future. Consult the Knowledge Base for specific instructions in adjusting settings in major antivirus / anti-spyware packages, such as McAfee and Symantec.

Check for Updates
Minor updates between the major releases are provided free of charge in order to provide continuous support for the ever changing email, instant message, and web browser programs that we record. These updates may also contain minor functionality improvements and software bug fixes. Make sure you frequently check for an updated Recorder Version.

Update Your Virus Protection and Windows Files
Improper recording may result when there are underlying Windows issues on your computer, for example unwanted viruses, software conflicts, or an out-of-date Windows program. Spyware applications that sometimes accompany Internet downloads can interfere with Windows and with SpectorSoft software. Keep your systems clean!

Email or Call Technical Support
When all else fails, contact Technical Support.
To be prepared:
To fully describe your problem to Technical Support by email or by phone, have the following information available:

Recorder Computer Windows OS Version
The operating system and version running on the recorded computer. This is available from My Computer Properties such as Windows XP Professional, Version 2002, Service Pack 2.

Server Computer(s) Windows OS Version
If the problem pertains to a Server Component, have the operating system and version of that computer ready.

Server Component Versions
Check the Control Center's Help > About for the installed Control Center and Database version. In the Control Center's Servers list, right-click each Server and select Modify to display the Properties where versions are listed at the bottom of the box.

Client Recorder Version
Note the Recorder Version used on computers where you are having a problem. The installed Recorder version is listed for each computer in question in the Control Center's Computer > Manage Computers list under "Recorder Version" such as V7.0(1009). The version 7.0 is followed by the build version in parentheses.

Log File
Technical Support may request that you send a Server or Recorder log file. They may ask you to send this log file to (see below) to assist in solving the problem.
Viewing a Recorder Log File
Viewing a Server Log File
Viewing the Control Center Application Log

Additional Information
The Troubleshooting Help topics for each type of recording will give you a list of other information to send.
Errors - Display only errors that have occurred. Error messages appear in red typeface.
Warnings and errors - Display only warnings (in blue) and errors (in red).
Information, Warnings, and Errors - Display all messages in the log file.

Use the Window menu to switch to the main Control Center window or another open window. Use Refresh to update the information shown in the log.

Program - Program where activity occurred.
Type - Type of message logged: Information, Warning, or Error.
When - Date and time activity was logged.
Level - Level of severity.
PID - Identifies the running process.
TID - Identifies the thread where the log statement is generated.
Message - A description of the activity, warning, or error logged.
Recorder Installation
Computer Status - Recording
Recorder - Installed
Recorder Version - Displays a version number
Last Recording - Date and time of last data sent
Profile Name - Profile settings installed
If you do not see these indicators following installation, or if the Recorder appears to be installed but is not recording, read this section.
Check the account credentials for the Control Center Server. The Server must have domain administrator access to computers.
Test connection to and, if necessary, enable the Administrative Share (C$) on the remote computer.
Test for and, if necessary, enable Remote Registry Services on the remote computer.
Test for and, if necessary, enable File and Printer Sharing on the remote computer.
The Recorder install file could not be downloaded to the computer. Or, the bootstrap service was never installed.
Try this...
1. Refresh the view. Make sure the Control Center is updated with the latest information from computers. Click Refresh.
2. Verify that the scheduled install time has really passed. The installation is activated by the time on the computer where the Recorder is being installed. If there is a difference in system clocks, the install may not happen because the time has passed, or the install may happen later than you think. To find out how a computer clock is set, type: net time \\computername where computername is the name of the computer in question.
3. Verify how far the installation progressed. Run Automatic Computer Diagnostics on the computer in question (make sure you are logged in to the Control Center computer with Administrator-level credentials at the computer you are testing). If the Computer Diagnostics show the Client Bootstrap Service (the Windows service that downloads the Recorder at the scheduled time) is installed and running, but the Recorder has not yet been installed, select View > Bootstrap Log File from the Control Center menu bar and review the log file for indications that the bootstrap service is unable to communicate with the Control Center Service. If the Computer Diagnostics indicate the Client Service (Recorder) has been installed, review the computer's status under Manage Computers. If the Last Client Check-In field is populated, try to Cancel Recorder Install/Uninstall.
4. Make sure antivirus/anti-spyware is not interfering. See the instructions above.
5. Reinstall. After performing these steps, try installing the Recorder again. Select the Push option.
Check your Computer Profile settings. Make sure recording is ON for all activities. Make sure Internet access has not been blocked for the type of recording you expect.
Make sure Spector 360 supports recording. There are a few applications, protocols and circumstances where Spector 360 does not record. See the specific topics in this section.
Check your antivirus / anti-spyware software. Although SpectorSoft continually improves and updates the Recorder stealth so it will not be detected, software vendors also continually update their "risks." Your software may suddenly begin detecting and quarantining the Spector 360 Recorder software. Refer to the Spector 360 Deployment Guide for proactive solutions that exclude SpectorSoft from scans and prevent detection from happening in the future. Consult the Knowledge Base for specific instructions in adjusting settings in major antivirus / anti-spyware packages, such as McAfee and Symantec.
Consult the online Knowledge Base. Click here and enter your serial number. The Knowledge Base covers issues, workarounds, and solutions to a variety of problems.
Recorder Requirements
Once the Server Components are installed, you can deploy the Spector 360 Recorder to network (Client) computers to complete your installation. The installation includes the Recorder software and a hidden Client Service to accomplish tasks and communication. Each Recorder receives instructions from the Control Center Server (CCS) and sends recorded data to the Data Vault Server. Most domain networks are already set up to meet Spector 360 Recorder communication requirements. Read this topic to ensure you are ready to install Recorders.
You have an available license for this computer (e.g., a 50 computer license to install the Recorder on 50 computers).
The computer is on the network and able to communicate through a TCP/IP connection.
The computer has at least 50 MB free hard disk space.
The computer is able to communicate with computer(s) where the Primary Server, the Control Center Server (CCS), and the Data Vault Server are installed. We recommend using a static IP address for the Server Components computer(s) to ensure communication.
The computer has one of the following Windows operating systems installed (32- or 64-bit edition):
Windows Vista
Windows 7
Windows XP Pro or XP Home*
Windows Server 2003 or Server 2008
A Macintosh computer has Mac OS 10.5 or 10.6 (Leopard, Snow Leopard, or later) with an Intel-based processor.
* You will install the Recorder directly on Windows XP Home (or on legacy Windows computers) as these operating systems do not have the required Windows services running that allow remote installation of the Recorder. See Installing at the Computer.
On a domain network, simply use the Domain Administrator login. This is a user account that is a member of the network Domain Administrator Group, which in turn should be in the Local Administrator Group on each computer. Most domain networks have this set up already.
On a Windows Workgroup network, you may need to add a special account to each computer's Local Administrator Group and use that account for the Control Center.
If a computer fails the Diagnostics, or if the CCS is unable to enable one of these services, see the Troubleshooting Section of this guide for instructions on enabling services at the computer operating system. An alternative for managing older Windows machines is to install the Recorder manually, at the computer.
Running Diagnostics
Computer Diagnostics allow you to query the progress and status of Spector 360 Recorder installation on a remote computer. These tests determine if a computer will meet the requirements to receive a Recorder installation and pinpoint any point of error in the Client Recorder installation process. Two sets of tests are provided: Automatic and Manual. Access Run Computer Diagnostics from Recording > Manage Computers.
Because diagnostics involve extensive resource requests, you cannot run automatic diagnostics more than once every 15 seconds. A countdown at the bottom of the screen shows how many seconds remain until the automatic diagnostics can be run again.
Exclude the SpectorSoft "risk" (signature) from detection
- OR -
Use the fixed filenames profile option when installing the Recorder, and then specifically exclude those files from scanning in the antivirus program.
Macintosh: The first (ping) diagnostic can be run to test communication with a Macintosh computer. The other diagnostics do not apply.
Refer to instructions in the Spector 360 Deployment Guide. Find specific third-party instructions in the Spector 360 Knowledge Base.
If the computer is OFF... The "Ping" test fails, and no other tests are performed.
If the Recorder has been successfully installed... The Client Bootstrap Service has been removed and is not running, and the Client Service is running.
If the Recorder is not installed, but the computer can receive one... The communication tests are successful.
If tests that you expect to pass fail, for example, you have attempted to install the Client Recorder but the Spector Client Service does not appear to be installed or running, try the Manual Diagnostics, then check the computer and consult the Troubleshooting section of this guide. For more about each test, see below.
Start the Spector Service? The service is installed but not running. Click Yes to start the service or No to leave it stopped.
Click Read Configuration to retrieve the Recorder version and build, webmail version, and Viewer installation status.
The Spector Client Service is running, a Recorder version is installed, no Viewer is installed.
If the configuration is not available, a message appears: Cannot open Service Control Manager on computer... The computer may be off the network or you may need to log in to Windows using Administrator credentials.
If the service was not found, a message appears in the status box: Unable to retrieve Spector configuration data... The Spector Client Service has been stopped or is not installed.
If the configuration is available, it is displayed in the status box.
Cannot open Service Control Manager on computer... The computer may be off the network or you may need to log in to Windows using Administrator credentials.
Service System Event Dispatcher was not found on computer... The Recorder is not installed. An installer service was not found.
Stop the Spector Service? The service is installed and running. Click Yes to stop the service or No to leave it running.
Communicate with (ping) \\computer
Checks for presence of and ability to communicate with the computer on the network. If communication is successful, the results return the computer's IP address along with communication time and TTL. If communication is not successful, you see "Ping failed," and none of the other tests are run.
Client Bootstrap Service is installed
Windows computers only. Tests for the presence of the service initially sent from the CCS to install the Spector Agent on this computer. If the service is found, the result is "Yes" and indicates the Recorder installation is in progress. If this test continues to result in "Yes," and the Spector Client Service test continues to fail, you may need to uninstall and reinstall the Recorder. If the result is "Service Systems Events Dispatcher was not found on computer <computer>," either a Recorder installation was never received by the computer, or the Recorder was successfully installed and the installation service has been removed.
Client Bootstrap Service is running
Windows computers only. Tests to see if the installation service is running. If the service is running, the Recorder is being installed and the result is "Yes." If the service is not found in the above test, this test is not performed. If the service is found in the above test but is NOT running, there may be a problem with the Recorder installation.
Start the Windows Remote Registry Service
Windows computers only. Attempts to start and/or connect to the Remote Registry service on the machine where the Control Center is running. If the Remote Registry service is running or was successfully started, the result is "Yes." If the Remote Registry cannot be started, an error message appears. If necessary, check settings at the computer.
Access the Windows Remote Registry Service
Windows computers only. Attempts to connect to the Remote Registry service on the remote computer being tested. If the communication succeeds, the result is "Yes." If the above test failed, this test will also fail, and an error message appears. Check the computer, if necessary.
Read Windows configuration data from the registry
Windows computers only. Determines if the current Windows account (used to launch the Control Center) has authority to access the Remote Registry. If the test succeeds, the result is "Yes." If the test fails, an error message appears. Make sure you have logged into Windows using Domain Administrator or an equivalent administrator-level account. If necessary, check services at the computer. See Recorder Requirements.
The Client Service is installed
Tests for the presence of the Client Service that is installed with the Recorder. If the service exists, the result is a green check and "Yes." If the service has not been successfully installed, the result is red x and "Service System Event Dispatcher was not found on computer <computer>."
The Client Service is running
Determines if the Client Service is running on the remote computer. If the Recorder is running, the result is "Yes." If the Spector Client Service was not found, this test is not performed. If the service is installed but not running, an error message appears. Check Troubleshooting Recorders.
Access the Windows SYSTEM32 directory
Windows computers only. Determines if the current Windows account (used to launch the Control Center) has authority to access the system folder where the Recorder will be installed. If the test succeeds, the result is "Yes." If the test fails, an error message appears. Make sure you have logged into Windows using Domain Administrator or an equivalent administrator-level account with access to the system directory on all computers.
Read Client configuration information
If the Client Recorder is installed and can communicate with the CCS, this test returns the Recorder version and build number, the webmail version, and whether or not a Viewer was installed with the Recorder. If the Client has not been installed, the test is not run.
are troubleshooting email recording, you might check Email and Webmail in addition to the default options. Click OK.
On Windows XP systems:
1. Go to the network computer and open the Windows Control Panel.
2. Open Network Connections and access Properties for Local Area Connections.
3. Make sure File and Printer Sharing for Microsoft Networks is checked. Click OK.
4. Return to the Control Panel and open Windows Firewall.
5. Click the Exceptions tab.
6. In the list of Programs and Services, make sure File and Printer Sharing is present and checked, indicating that an exception in the firewall exists for this communication.
Troubleshooting Recording
Check Record settings. Is Files Transferred recording ON? Open Computer Profiles, select Record and check for the green ON button next to Files Transferred. See Files Transferred Settings.
Check other activity. Check to see if Keystroke or Snapshots or ANY recording is taking place at the computer. Network connection, antivirus/anti-spyware software, OS settings or another problem may be occurring.
Make sure the protocol you want to record is supported. Refer to Files Transferred Recording to see which types of communication Spector 360 records and which it does not.
Check blocking. Check Web Filtering and local Recorder blocking. If you filter out FTP domains, for example, transfers won't take place and will not be recorded.
Check communication ports. When a Gnutella or FTP exchange happens on a port not listed in the Files Transferred System Settings, it will not be recorded. You can see evidence of a non-standard exchange in the Dashboard's Network Activity event details. Note the port where the activity occurred and add it to Files Transferred System Settings. Be aware that some Gnutella clients communicate on many ports, using only one or two ports for the actual File Transfer. A trial-and-error approach may be required to pinpoint the ports in question.
Test for File Transfers. Use a computer where the Recorder is installed to make file transfers of the type you want to see and see if you can pinpoint where the error occurs. See Check Data Progress.
Document Tracking
Document Tracking is OFF by default, except for printing and CD/DVD activity (IMAPI). Follow the steps below to solve issues if you do not see activity as expected in the Dashboard. If necessary, contact SpectorSoft Technical Support. Have the Recorder log file and information about activity you are hoping to track ready.
Check other activity. Is Keystroke, Program, Snapshots or ANY recording taking place at the computer? If not, network connection, antivirus/anti-spyware software, OS settings, or another problem may be occurring. See Troubleshooting.
Make sure recording is ON. Is Document Tracking ON for the type of activity you wish to track? Open the Computer Profile, select Record and check for the green ON button.
Verify tracking is ON for the drive. Make sure the network drive or type of drive you wish to record has File Tracking enabled. Make sure the type of activity you wish to see (Creating, Writing, Renaming) is enabled. If you are tracking by drive, check Default Tracking to make sure settings have not been changed to exclude activity.
Check the File Name Filter. Verify that the Include or Exclude filters for Document Tracking are not preventing recording of important information.
Windows OS not supported. Document Tracking is not supported on Windows 98/ME systems.
Chat/IM Recording
Follow the suggestions below to resolve Chat/IM recording problems, and retest Chat/IM recording after trying each solution. If you are still unable to capture Chat/IM following these steps, contact Technical Support. Have the Recorder log file and information about the chat or IM client and any special configuration available.
No longer recording a type of Chat/IM.
Windows Only. If the Recorder was previously recording Chat/IM from AOL, Yahoo, MSN, ICQ, or IRC, and suddenly stops recording, it is possible that the Chat/IM interface has been upgraded to a version or protocol no longer supported by Recorder. Verify that other Chat/IM conversations can be recorded using an interface other than the one not being recorded. If other Chat/IM interfaces can be recorded, change the Advanced Chat Settings to force either the low-level or high-level method. The user's Chat/IM application must be closed and restarted after the profile settings have changed. If you are still unable to resume recording of the Chat/IM interface, contact SpectorSoft.
Mac Only. If the Recorder stops recording Chat/IM, make sure the user has not switched to secure communication. The Recorder may not capture conversations in Chat/IM when the application is using Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption to connect with the server. To get around this problem, go to the computer in question and check the chat client preferences. Make sure options to use SSL or TLS are not enabled. Make sure the user is not connected to a secure IM host, such as slogin.oscar.aol.com.
Check the Chat/IM Configuration. Is Chat/IM recording ON? Open the Computer Profile, select Record and check for the green ON button. Check the System Settings to make sure recording of the type of chat you want to capture is not disabled.
Check support for the type of Chat/IM. Spector 360 records chat and instant message (IM) conversations from most of the popular programs. If the chat or IM you are interested in is NOT captured by the Recorder, you can always view Keystrokes Typed, Program Activity and Screen Snapshots. To see which Chat/IM protocols are captured by Spector 360, refer to Chat/IM Recording.
Change record level, if capture is unreliable. Windows Only. The Recorder applies default capture "levels" to different types of conversations. Sometimes the default setting fails to capture communication. For example, if a Chat/IM application uses unencrypted communication, the Recorder may automatically apply the low-level method of recording. If the user then switches to encrypted communication, the Recorder would be unable to capture the conversation. In this case, you can change the Recorder so that instead of using "auto" capture it always uses the "high-level" method of capture. You can use "high-level" capture for all types of Chat/IM except MSN Messenger. Refer to the Recorder Profiles Chat/IM System Settings.
Email Recording
Various circumstances could cause Spector 360 to not record email. Use the following steps to troubleshoot the most common problems with email recording.
Mac only. If the Recorder stops recording a type of email, make sure the user has not switched to secure communication. The Recorder may not record email when the application is using Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption to connect with the server. To get around this problem, go to the computer in question and check the email client preferences. Make sure options to use SSL or TLS are not enabled.
Check other activity. If Spector 360 was previously recording email and no longer is, it is possible that all recording has stopped on the computer. Check other types of recording, such as Keystrokes or Snapshots to see if ANY recording is taking place. Network connection, antivirus/antispyware software, or another problem may be occurring. See Troubleshooting.
Check the MS Exchange Outlook version. Windows Only. If MS Exchange email is not being recorded, make sure the user is using MS Outlook 2000 or MS Outlook XP or a later version. The Recorder cannot capture MS Exchange email if earlier versions of MS Outlook are being used on the computer.
Check record settings. Is Email Activity recording ON? Open Computer Profiles, select Record and check for the green ON button next to Email Activity. Check Email System Settings to make sure the type of email you want to record is enabled. To record a specific "internal" webmail site, it must be specially configured in the settings.
Check blocking. Check Web Filtering and local Recorder blocking (in the profile) to make sure you are not filtering out domains and preventing the email you expect from occurring.
Test email recording. Use a computer where the Recorder is installed to send and receive email of the type you want to see. Check the progress of the event data. See Check Data Progress.
Make sure the email type is supported. Verify that the email type you want to record can be captured by the Recorder. If not, Dashboard users can still review sent email in Keystrokes and received email in Screen Snapshots. See Email Activity Recording for supported email applications and Webmail Recording for supported web email sites.
No longer recording a type of email. If the Recorder was previously, but is no longer, capturing a type of webmail or email, it is possible the webmail signature or email application has changed, and the Recorder no longer recognizes it. Download the latest version from the Control Center's Recording > Recorder Versions, and configure network computers to automatically receive the update.
Check other activity. Check to see if Keystroke or Snapshots or ANY recording is taking place at the computer. Network connection, antivirus/anti-spyware software, OS settings or another problem may be occurring.
Make sure recording is ON. Is Web Sites Visited recording ON? Open Computer Profiles, select Record and check for the green ON button. Check Web Sites Visited System Settings to make sure recording of the browser you want is not disabled.
Make sure the web browser can be recorded. The Recorder captures Web Sites Visited in most popular browsers. Some Web browsers, such as Opera, are not recorded. See Web Site Recording.
Check blocking. Check Web Filtering and local Recorder blocking (in the profile) to make sure you are not blocking access to web activity that you expect.
Check HTTP/HTTPS ports. If a user is accessing the web from a non-standard web server port or a proxy server, you may need to add ports to Web Sites Visited System Settings. Check the Dashboard's Network Activity event details for evidence of web activity on non-standard ports.

Check other activity. Check to see if Keystroke or Snapshots or ANY recording is taking place at the computer. Network connection, antivirus/anti-spyware software, OS settings or another problem may be occurring.
Make sure recording is ON. Is Network Activity recording ON? Open the Computer Profile, select Record and check for the green ON button. Check Who to Record and When to Record to make sure activity you need to see is not being excluded.
Verify appropriate program and IP/Port filters. Check the Network Activity settings panel to make sure the profile is not excluding programs or ports that you wish to record. If you are recording at specific IP/ports, make sure they are the correct ones, and that activity you need to see is not taking place elsewhere. See Network Activity Settings.
Windows Only. The Recorder uses a programming interface provided within Internet Explorer called a Browser Helper Object to record details about visits to Web sites. Internet Explorer 6.0 and later versions allow the user to disable this Browser Helper Object interface by clearing the Enable third-party browser extensions option under the Internet Explorer Tools > Internet Options > Advanced tab. If this option is disabled, the Recorder will be unable to record some information for Web sites visited with Internet Explorer. Note: This same option would disable other third-party extensions to Internet Explorer such as the Google Toolbar and Adobe Acrobat.
Check other activity. If the Recorder was previously recording programs, but no longer is, it is possible that all recording has stopped on the computer. Check other types of recording, such as Keystrokes or Snapshots to see if ANY recording is taking place. Network connection, antivirus/anti-spyware software, or another problem may be occurring. See Troubleshooting.
Make sure recording is ON. Is Program Activity recording ON? Open Computer Profiles, select Record and check for the green ON button.
Make sure the program has been restarted. If the program was up and running before recording of the program was enabled, it must be restarted for recording to begin. Note that Spector 360 does not record background programs, services, or programs visible only in the system tray.
Make sure the program has not been excluded. Check General Options > Application in the profile. Make sure programs have not been wrongly excluded from recording on this panel. See Application Settings.
Enable recording of App-V applications. If your network uses Microsoft Application Virtualization (App-V) or "SoftGrid," the Recorder needs to be deployed with the App-V option enabled or these programs will NOT be recorded. This option is available in General Options > Client Options. See Client Options.
Troubleshooting Servers
This topic provides some general troubleshooting tips for Spector 360 Server Components.
3. In the Properties box, check the Computer Name and Listen IP Port. If the computer is wrong, use Change to set the correct Computer Name and location. If the port is wrong, change the Port number. Click Use Default Port if you know you are using the defaults and the number may have been wrongly changed.
Make sure you are logged into Windows under domain administrator or an equivalent account. Make sure the CCS machine is running and on the network. Check the Server at the computer where it is installed to determine whether or not the service is running.
This operating system message may indicate a problem with the Server, but it also may be that the service was actually stopped or started, after you click OK on the error message. The Control Center's connection to the Windows Service Control Manager (SCM) may get hung up by the shutdown request while attempting to stop the service. This may also happen if you stop or start the service from SCM.
Reinstall a Server:
If a Server installation or its computer has become compromised, you can always reinstall the Server using the Spector 360 Setup program. Be sure to uninstall a Primary Server or CCS before installing it on a new computer. You may need to re-register your serial number and receive a new unlock code. Be sure to use the Spector 360 Setup version compatible with your other installed components and Database.
2. Select Internet Protocol (TCP/IP) and then click Properties. If the IP address is being obtained automatically, manually configure the computer to use a specific IP address, Subnet Mask, and specific DNS server addresses. Make appropriate adjustments to your network setup. This requires Domain Administrator privileges on a domain network.
3. Change the Server IP addresses at the Control Center, if necessary. If you configured the Server computer(s) with a static IP address BEFORE using Setup to install the Server Components, the correct IP address will appear in the Server settings. If not, use the Control Center's Servers tool. Modify each Server to use the correct static IP address.
4. Instruct the Recorder to use the static IP address for communication with the Servers. At the Control Center, access the Computer Profile Server settings. Otherwise, enter the correct IP address. Be sure to check Use Static IP Address for each server.
IP Port 16770 for the Primary Server
IP Port 16769 for the Data Vault
IP Port 16768 (TCP and UDP) for the Control Center Server
IP Port 16771 (TCP and UDP) for the Web Filter Server
If using these ports will result in a conflict, you can change the port in the Server settings (for the Client) AND in Control Center (for the server).
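One way to confirm from a client computer that the default Server ports listed above are reachable over TCP, as an added example that is not part of the Spector 360 guide or product. The component labels and the `check_tcp`, `check_servers` and `unreachable` helpers are assumptions of this example, and the UDP side of ports 16768 and 16771 is not tested.

```python
import socket
import sys

# Default TCP listen ports as listed in the guide. The dictionary keys are
# labels chosen for this example, not identifiers used by the product.
DEFAULT_TCP_PORTS = {
    "Primary Server": 16770,
    "Data Vault": 16769,
    "Control Center Server": 16768,   # also UDP, not tested here
    "Web Filter Server": 16771,       # also UDP, not tested here
}


def check_tcp(host, port, timeout=2.0):
    """Try one TCP connection and classify the outcome.

    Returns (reachable, reason). The reason separates the two failure
    modes that need different fixes:
      refused -> the host answered, but nothing listens on that port
                 (service stopped, or its listen port was changed)
      timeout -> no answer at all (firewall dropping packets, wrong IP
                 address, or the computer is off)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except ConnectionRefusedError:
        return False, "refused"
    except socket.timeout:
        return False, "timeout"
    except socket.gaierror:
        return False, "name-resolution-failed"
    except OSError as exc:
        return False, "error: %s" % exc


def check_servers(hosts, ports=None, timeout=2.0):
    """Check every component in `hosts` (label -> host name or IP address).

    `ports` overrides DEFAULT_TCP_PORTS when the listen ports were changed
    in the Server settings. Returns a list of result dictionaries.
    """
    ports = DEFAULT_TCP_PORTS if ports is None else ports
    results = []
    for component, host in hosts.items():
        port = ports[component]
        reachable, reason = check_tcp(host, port, timeout)
        results.append({
            "component": component, "host": host, "port": port,
            "reachable": reachable, "reason": reason,
        })
    return results


def unreachable(results):
    """Return the labels of the components that could not be reached."""
    return [r["component"] for r in results if not r["reachable"]]


if __name__ == "__main__":
    # Usage: python check_ports.py <server-host>
    # Assumes all Server Components are installed on one computer.
    if len(sys.argv) != 2:
        sys.exit("usage: check_ports.py <server-host>")
    target = sys.argv[1]
    report = check_servers({name: target for name in DEFAULT_TCP_PORTS})
    for r in report:
        print("%-22s %s:%d  %s"
              % (r["component"], r["host"], r["port"], r["reason"]))
    sys.exit(1 if unreachable(report) else 0)
```

A "refused" result points at the Server service or its port setting, while a "timeout" points at a firewall or addressing problem between the client and the Server computer.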
5. Log in to the Control Center, specifying the NEWCOMPUTER\SPECTOR360 instance and using the test SA password. See Logging in.
6. Use the Browse for Restore function to locate and restore the copied Backup set. See Browsing for a Restore Folder.
Check the Control Center. Select Database > Manage Database Backup and Restore, and check the Valid Backup column in the lower pane. "No" indicates the Backup was not valid; "Yes" indicates it was. In the upper pane, right click on STORAGE DB and select Statistics. Check for appropriate record counts and Start and End Dates. See Viewing Database Statistics.
Check the Dashboard. If you have the privileges, use the Dashboard to view activities you need to record, during the time period covered by the Backup. If you are able to view Dashboard data from the LIVE Database, but not the Test Database, there probably was a problem with the Backup and it needs to be performed again.
Data was not finished restoring. You must give the Restore time to complete. If you attempt to use the Control Center or Dashboard while a Restore is in progress, the application will close. TIP: Start Job Status Monitoring before you launch the Restore.
Incompatible Database. The Database Backup was created with an earlier version of Spector 360 and is not compatible.
Backup data is missing or corrupt due to disk space issues. Backups will not be performed properly if the Database hard disk is full. Make sure you enable some form of automatic or manual Space Management on the Database machine. Don't forget to manage the File Storage location. The Snapshot and Email Attachment files can rapidly use up disk space.

Check the Recorder Profile settings. Make sure recording is on for the event you wish to see. See the "Troubleshooting Recording" section in this guide for tips. See also Add or Modify a Computer Profile.
Check the Recorder Status in the Computers list. See if the Recorder is installed and detected and when the "Last Recording" was delivered to the Data Vault. In the Control Center select Recording > Manage Computers.
Install a Viewer with a Recorder on the computer. If you're having trouble with a specific computer, create a Profile that includes a Viewer. At the computer, open the Viewer interface (press Ctrl+Alt+Shift+S) to make sure the Recorder is recording the type of data you want to see. If data is visible in the Viewer, it has been recorded but has not yet been delivered to the Data Vault. If NO data is visible, check the Record settings. Remember to remove the Viewer when you are done testing.
Check the Data Vault Server. Make sure it is running and identifies the Database on the correct computer. In the Control Center, select Servers > Data Vault in the right pane, and click Modify on the Toolbar. See Troubleshooting Servers.
Check Data Vault DB Statistics. Find out if events have been received, how many, which types, from which computers, and when events were last delivered. In the Control Center, select Database > Manage Database Backup and Restore > DATA VAULT DB (in the upper right pane), and click Statistics on the toolbar. See Viewing Database Statistics.
Check Storage DB Statistics. Find out if and when events were processed and added to the Database. See Viewing Database Statistics.
Check Database Jobs. Find out when the Data Vault was last processed for the type of event you wish to see. Check the Job Schedule.
Pinpoint as best you can where the data is held up, and if you still have trouble, contact SpectorSoft Technical Support and initiate Database Support.
The Alert Profile is enabled.
The Alert Operator who receives email notification is enabled.
The email address used is correct.
The Alert Profile is applied to the proper users or user groups.
The Alert Profile contains the Keyword Groups or the specific fields required to trigger an alert.
The Time Profile used for the Alert is set to watch for keywords at appropriate times.
The Event Alert Email Configuration uses the correct SMTP Server, port, and credentials.
If you use a keyword as specified by the profile, an alert is actually generated and can be viewed in the Dashboard.
The computer(s) you are watching has the latest Spector 360 Recorder installed.
Recording is ON for the types of activity in which you are watching for keywords.
Verify that your network does NOT have a firewall blocking communication on this port from the computer.
Try configuring an internal email address instead of an external email address.
Try configuring a Webmail address (Yahoo, Hotmail, Google, etc.) to receive alert notification.
The Email program and version used to send alerts
The Keyword Groups and "What" settings used for the Alert Profile
Any other information helpful in resolving the problem
SpectorSoft Information
Contact Us
When sending email, please include your company name, city, and state to ensure your request is handled as promptly as possible. Feel free to contact us 24 hours a day, 7 days a week.
General Contact
SpectorSoft Corporation
1555 Indian River Blvd., B-210
Vero Beach, FL 32960 USA
World Wide Web: www.spectorsoft.com
U.S. & Canada: 888-598-2788
International: 772-770-5670
Sales Contact
Contact our sales staff for pre-sales questions, information about the latest SpectorSoft products, upgrade options, and pricing for our current products. SpectorSoft Corporation's professional sales staff is ready to answer your sales questions:
Monday - Friday; 9:00 AM to 10:00 PM EST
Saturday & Sunday; 10:00 AM to 6:00 PM EST
Web: Request Info
Email: sales@spectorsoft.com
Sales Fax: 772-770-3442
Technical Support
Web: Request Support Email: 360support@spectorsoft.com
Microsoft Windows, MSN and other Microsoft products referenced herein are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and / or other countries.
Macintosh and Mac, Mac OS X, and Leopard are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AOL and AOL Instant Messenger are trademarks of America Online, Inc. Adium is a trademark of the Free Software Foundation, Inc. iChat is a trademark of Apple Computer, Inc. MobileMe is a service mark of Apple Computer, Inc. Yahoo! Brand Features are trademarks of Yahoo! Inc. Gmail and Google are trademarks of Google, Inc. JABBER is a registered trademark of the XMPP Standards Foundation. Lotus Notes is a registered trademark of IBM. ICQ is a trademark of ICQ, Inc. Citrix is a registered trademark or trademark of Citrix Systems, Inc. Novell is a copyright of Novell, Inc. Skype is a registered trademark of Skype Limited. Trillian is a trademark of Cerulean Studios.
These Help Files may contain other names and phrases (marks) that may or may not be trademarks of other organizations. All other trademarks and service marks are the property of their respective owners.
© 2011 SpectorSoft Corporation, All rights reserved.

Index

A
Active license, 164
Add a WFS user, 267
Add computer group, 71
Add computer licenses, 167
Administrative C$ share, 326
Advanced Security settings - Recorder, 148
Alert fields to watch for, 283
Alert notification (from Recorder), 130
Alert on Keyword (from Recorder), 128
Alert Profiles
  Provided with Spector 360, 278, 288
  Recipient (operator), 286
  Users to watch, 281
  What to watch for, 283
Alert recipient (Operators)
  Email configuration, 293
  New recipient, 286
Allow websites, 261
Archive database
  Include snapshots/attachments, 232
  Job history, 229
  Job status, 230
  Maximum errors before stopping, 232
Assign profile to computer, 77
Assign version by platform, 170
Assign version to computer, 170
Attachments
  Copy with backup, archive, restore, 232
Audit filter criteria, 203
Audit History, 200
Auditing, 200
Authentication, 248
Automatic Recorder updates, 171

B
Backup
  Delete a backup, 225
  Location of, 232
  Maximum errors before stopping, 232
  Restore a backup, 221
Base path, 189
Block web sites
  via centralized web filtering, 253
Blocked web site message, 257
Blocking Schedule (local), 145
Browse for backup, 222
Browse for Windows users, 247

C
Categories
  Find a domain in categories, 270
  System categories, 271
Category Groups, 275
Check for new Recorder version, 168
Client bootstrap service, 324
Column layout, 39
Components in auditing, 206
Computers
  Groups, 72
  Import a list, 49
  Remove from list, 53
Configure database support, 252
Configure SMTP email, 293
Copy snapshots with backup, 232
Copyright, 341
CSV export
  of Keyword groups, 292
CSV import
  of Computer list, 49

D
Data retention, 236
Data Vault Server, 186
Database, 209
  Compatibility, 337
  History, 216
  Moving, 209
  Restore, 221
Database jobs
  History, 229
  Status of, 230
Database support, 251
  Configure, 252
Database support script
  History of scripts run, 251
  Running, 252
  Viewing, 252
Default group, 72
Default Recorder Version, 172, 173
Define category group, 276
Delete
  Archives automatically, 234
  Backups automatically, 235
  Computer group, 72
  Computers, 53
  Login account, 250
  Transactions from live data, 236
Deployment Utility, 66
Document Tracking
  by Drive, 104
  CD/DVD burning (MAPI), 103
  File filter for, 107
  Printing, 103
  Settings, 102
Download, 169
  a Recorder update, 169
  Recording of, 108

E
Edit blocked message, 257
Email alert
  Configuration of, 293
  from the Recorded Computer, 130
Email recorded
  Email recording filter, 96
Enable web filtering rule, 261
Error, 311
Event Alerts
  Define a keyword group, 289
  Recipients, 286
  What to watch for, 283
Exclude recording of URL, 160
Export
  Computers selected, 57
  Keyword groups, 292
Export program, 163
Export URL, 163

F
File and printer sharing, 325
File Storage
  Base path to, 189
  Including files with backup/archive, 232
  Moving, 211
File Transfer recording, 108
  Ports recorded, 110
  Record settings, 109
Firewall
  Exception for Data Vault, 190
  Exception for Primary Server, 193

G
Gnutella, 108
Group - Category, 275
Group - Computer, 70
  Add a new group, 71
  Delete a group, 70
  Move a computer to a different group, 72
  Set default group, 72
  View groups, 70
Group users, 268
Group, Category, 276

H
History
  of a Database, 216
  of a Database job, 229

I
Import, 49
  Computers to the Control Center, 49
  Keyword list for local alerting, 134
Inactivity timeout, 120
Install Recorder
  at the computer, 66
IP Address, 334

J
Job history, 229

K
Keyboard shortcuts, 298
Keystroke recording, 111
  Keystrokes vs. characters, 113
Keyword groups
  Add new group, 289
  Export keyword groups, 292
  Modify a group, 289
Keywords detected
  Trigger snapshots, 128
Keywords in events, 128

L
Licenses, 164
  Adding to a serial number, 167
  Register and unlock, 166
  Status of, 164
  Total number, 164
Limewire, 108
Listening ports, 334
Log file, 333
  for Control Center, 313
  for Control Center Server, 182
  for Database, 231
  for Primary Server, 192
  for Web Filter Server, 196
Login
  As a different user, 11
  Authentication, 248
  Deleting, 250
  Event privileges, 245
  User privileges, 245
Logon warning - Recorder, 148
Lost serial number, 166

M
Manage computer licenses, 164
Manual install - Recorder, 66
Manual uninstall - Recorder, 67
Masking
  All program titles, 148
  Window captions at web sites, 160
Maximum errors on backup, archive, restore, 232
Maximum size of Database, 230
Move
  a Server, 176
  Computers to a new group, 72
  File Storage location, 211
  the Database, 209

N
Network Activity recording, 114
  Ports recorded, 114
  Programs recorded, 114
  Settings, 114

P
Passwords
  Changing SQL Server password, 249
  SQL Server authentication, 248
  Windows authentication, 248
Peer-to-peer (P2P), 108
  Ports recorded, 110
Port
  Web Filter Server listens on, 196
Primary Server
  Administration window, 193
Print event alerts, 294
Privileges, 245
Profiles, 74
Program Caption, 161
Programs recorded
  Enable/disable activity recording, 119
  Inactivity timeout, 120
  Monitor all except the following, 152
  Monitor only the following, 152
  Network activity in, 114

R
Recipient of alert notification, 286
Record by URL, 160
Recorder installation
  Check for update, 169
  Uninstall, 67
Recorder Version, 168
  Automatically update, 171
  Set default, 172
  Update computers, 170
Recording, 213
  Excluding or including URLs, 160
  Excluding or including users, 126
  Scheduling, 125
Remove, 67
  Computers from list, 53
  Data from Database, 236
  Group of computers, 72
  Recorder from computer, 67
  Server, 180
Reserved license, 164
Restore
  a Backup, 221
  Job status for, 230
Rules for email recording, 96

S
Schedule
  Blocking at the computer, 145
Screen Snapshot recording
  Triggers and timing, 87
Selective recording of window captions, 161
Serial number, 164
Serial number registration, 166
Server
  Move to a different computer, 176
Server ports, 334
Service monitoring credentials, 148
Service polling delay, 54
Set default group, 72
Set warning text, 148
Show file names, 66, 74
Sources in auditing, 207
Space Management
  Job status, 230
SQL server
  Authentication, 248
Start database support, 251
Static IP, 334
Stop database support, 251
System Categories, 271
System tray, 193

T
Technical support, 341
Testing a filtering rule, 266
Time profile
  Adding a new profile, 298
Trigger screen snapshots, 87
  When keywords are detected, 128
Troubleshooting, 311

U
Uninstall Recorder, 67
Unlock code, 166
Update Recorders, 170
Update Spector 360, 22

W
Web Filter Server
  Account credentials, 196
  Admin window, 197
  Properties, 196
  Status, 198
  Stop or start service, 196
Web Filtering
  Test rules, 266
Web site recording
  Limit recording of URLs, 160
  Settings, 123
What conditions - Alerts, 283
When to record, 125
Who to record, 126
Window caption recording, 161
Windows, 248
  Authentication, 248
  Firewall exception, 193
Wizard - web filtering rule, 260
Write update activity to log file, 232

X
XML export, 292