PCI compliance and forensics in auditing remote server access with SCB 2.0

White Paper
October 2009
 

BalaBit IT Security

The main problem of server administration is that while system administrators are usually near the bottom of the company hierarchy and do not have much responsibility, their privileges for accessing the different systems, such as databases, are actually the highest in the company. And it is not only their responsibility that is limited, but their accountability as well, because they have countless possibilities to hide their actions. Although every server creates logs of the events that occur, the logging system itself is also under the control of the system administrator: he can stop logging at any time and, if there is no centralized logging in place, even delete the log entries about his actions.

Another problem of server administration is the increasing tendency toward outsourcing. If a company outsources the administration of its servers to an external company, it effectively means that complete strangers (the system administrators of the company providing server-administration services or, in worse cases, a subcontractor) have omnipotent access to all business data of the company.

The BalaBit Shell Control Box (SCB) is a device that controls, monitors, and audits remote administrative access to servers and networking devices. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server and client applications do not have to be modified in order to use SCB; it integrates smoothly into the existing infrastructure. SCB is a gateway appliance that is transparent to all network traffic except the administrative protocols it controls. The controlled traffic is filtered according to rules you set in SCB, and also recorded into audit trails for later analysis.

Every action, modification and configuration change that the administrators perform on the servers is available in the audit trails: in case of any problems (server misconfiguration, compromise, unexpected shutdown) the circumstances of the event are readily available and the cause of the incident can be easily identified. In other words, with SCB you can oversee and control the work of the system administrators, creating a new management level that has real power over the system administrators.

SCB logs all administrative traffic (including configuration changes, executed commands, etc.) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances of the event are readily available in the audit trails, so the cause of the incident can be easily identified.

The recorded audit trails can be displayed like a movie, recreating all actions of the administrator. Fast forwarding during replay and searching for events (e.g., mouse clicks, pressing the Enter key) and text seen by the administrator are also supported. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, so sensitive information like passwords is displayed only when necessary.

Some of the protocols that SCB can control are also used in thin-client environments, such as VNC and especially RDP, which is used to access Windows Terminal Services. For such applications SCB provides an application-independent way to record the activities of the clients.

This document has been updated and expanded to cover the requirements of PCI-DSS 1.2.1 and the features of SCB 2.0.
