RSoP-Based Indicators of Exposure

Tenable Identity Exposure uses a set of Indicators of Exposure (IoEs) based on RSoP (Resultant Set of Policy) to assess security and compliance in several areas. This section describes the current behavior of these RSoP-based IoEs and how Tenable Identity Exposure limits the performance cost of their computation.

The following RSoP-dependent IoEs play a role in Tenable Identity Exposure's security framework:

  • Logon Restrictions for Privileged Users

  • Dangerous Sensitive Privileges

  • Application of Weak Password Policies on Users

  • Insufficient Hardening Against Ransomware

  • Unsecured Configuration of Netlogon Protocol

These IoEs depend on a cache of RSoP computation results that is populated lazily: values are computed and added to the cache when first requested rather than precomputed. Previously, any change to an AdObject invalidated the cache, which caused frequent re-computation each time an IoE ran its RSoP evaluation.

Tenable Identity Exposure addresses the performance impact associated with RSoP computations as follows:

  1. Live IoE analysis with potentially obsolete data — IoEs that rely on RSoP are computed in real time as input/output events occur, even if the RSoP data they use is not the most current. Events that could invalidate the RSoP cache are buffered until a specific condition is met, which then triggers the expected re-computation.

  2. Scheduled RSoP invalidation — When the re-computation condition is met, the system invalidates the RSoP cache, taking the buffered events into account during the invalidation.

  3. Re-execution of IoEs with an up-to-date cache — After the cache is invalidated, the IoEs are re-executed against the most recent version of each AdObject in the cache, incorporating the buffered events. Tenable Identity Exposure computes each IoE individually for every buffered event.

As a consequence of this optimization, IoEs that depend on RSoP compute with less overhead, but deviances related to RSoP are computed more slowly: a change evaluated during the live pass against obsolete cached data is only confirmed once the scheduled invalidation and re-execution have run.
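The following is an added, constructed model of the three-step flow above; it is not Tenable Identity Exposure code. It assumes a directory state held in a dictionary, a stand-in RSoP computation, a single example IoE rule (deviance when the effective minimum password length is below 12), and a buffer size of two events as the re-computation condition, none of which the page specifies.

```python
"""Constructed model of buffered RSoP cache invalidation (not Tenable's code)."""
from dataclasses import dataclass

# Constructed directory state: object DN -> effective policy settings.
DIRECTORY = {"CN=alice,OU=Admins,DC=corp,DC=example": {"MinPwdLen": 14}}

def compute_rsop(dn: str) -> dict:
    """Stand-in for the expensive RSoP computation: snapshot the current settings."""
    return dict(DIRECTORY[dn])

def weak_password_policy_ioe(rsop: dict) -> bool:
    """Assumed IoE rule: deviance when the effective minimum length is below 12."""
    return rsop["MinPwdLen"] < 12

@dataclass
class Event:
    dn: str  # AdObject whose change may invalidate its cached RSoP result

class BufferedRsopEngine:
    def __init__(self, ioes, flush_threshold=2):
        self.ioes = ioes
        self.cache = {}                           # dn -> RSoP result, filled lazily
        self.buffer = []                          # events not yet applied to the cache
        self.flush_threshold = flush_threshold    # assumed re-computation condition
        self.computations = 0                     # how often compute_rsop really ran
        self.deviances = []                       # (phase, dn, ioe name)

    def rsop(self, dn):
        """Lazily populated cache: compute only on first request."""
        if dn not in self.cache:
            self.cache[dn] = compute_rsop(dn)
            self.computations += 1
        return self.cache[dn]

    def _run_ioes(self, phase, dn):
        for ioe in self.ioes:
            if ioe(self.rsop(dn)):
                self.deviances.append((phase, dn, ioe.__name__))

    def on_event(self, event):
        # Step 1: live analysis, possibly against obsolete cached RSoP; buffer the event.
        self._run_ioes("live", event.dn)
        self.buffer.append(event)
        if len(self.buffer) >= self.flush_threshold:
            self.flush()

    def flush(self):
        # Step 2: scheduled invalidation of only the entries the buffered events touch.
        for ev in self.buffer:
            self.cache.pop(ev.dn, None)
        # Step 3: re-execute each IoE per buffered event against the fresh cache.
        for ev in self.buffer:
            self._run_ioes("recheck", ev.dn)
        self.buffer.clear()
```

Weakening the policy in DIRECTORY after the first cache fill shows the trade-off: the live pass reports no deviance because it reads the stale cache, and the deviance appears only after the buffer fills and the re-check runs.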