Privileged Analysis is an optional feature in Tenable Identity Exposure that requires more privileges — contrary to its other features — to fetch otherwise protected data and provide more security analysis.
When enabled, Privileged Analysis fetches the following additional data:
Password hashes — Tenable Identity Exposure fetches LM and NT hashes for password analysis. Tenable Identity Exposure fetches LM hashes only to warn about their presence as they use an old and weak algorithm but does not store them. The hashes collection scope includes:
All enabled user accounts
All enabled domain controller computer accounts
The Active Directory (AD) itself does not directly store user passwords — only their hashes using the LM or NT hashing algorithms which do not allow recovery of the original password. Tenable Identity Exposure does not store LM hashes.
Except for clients hosting their Relay in a SAAS-VPN platform, passwords never leave the client's infrastructure, as only the Relay handles them. The Relay does not store passwords but retrieves the user's password every time it's needed for analysis, keeping it in its cache only temporarily, typically for just a few milliseconds. However, Tenable Identity Exposure retains a minimal number of bits of password hash data, securely stored in the Relay's RAM, solely for performing a K-anonymity analysis to check for users with identical passwords.