Privileged Analysis

Privileged Analysis is an optional feature in Tenable Identity Exposure that, unlike its other features, requires elevated privileges to collect otherwise protected data and provide additional security analysis.

Data Collection

Note: The Privileged Analysis feature requires elevated privileges. See Access for Privileged Analysis.

When enabled, Privileged Analysis collects the following additional data:

  • Password hashes: Tenable Identity Exposure collects LM and NT hashes for password analysis. Tenable Identity Exposure collects LM hashes only to warn about their presence, because they use an old and weak algorithm, but does not store them. The hash collection scope includes:

    • All enabled user accounts

    • All enabled domain controller computer accounts

Data Protection

The Active Directory (AD) itself does not directly store user passwords — only their hashes, computed with the LM or NT hashing algorithms, which do not allow recovery of the original password. Tenable Identity Exposure does not store LM hashes.

Tenable Identity Exposure stores NT hashes using an “over-hash” algorithm. Taking the NT hashes that the AD returns, Tenable Identity Exposure re-hashes them through the PBKDF2 key derivation function configured with 10,000 iterations of the HMAC-SHA256 hashing algorithm. This increases the protection of those hashes while still allowing Tenable Identity Exposure to perform useful analysis.
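The following added example (not Tenable's code) illustrates the over-hash idea: raw NT hashes are passed through PBKDF2-HMAC-SHA256 with 10,000 iterations before storage, LM hashes are only flagged and never kept, and duplicate over-hashes still reveal shared passwords. The salt handling (one salt per deployment), the 32-byte output length, and all sample hash values are assumptions constructed for the example; the page documents only the function, hash algorithm and iteration count.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Parameters stated on the page: PBKDF2, HMAC-SHA256, 10,000 iterations.
PBKDF2_ITERATIONS = 10_000
PBKDF2_HASH = "sha256"
# Assumptions (not documented on the page): 32-byte output, one salt per deployment.
OVER_HASH_LEN = 32
SAMPLE_SALT = bytes.fromhex("5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a")  # constructed

# LM hash of the empty password: what AD reports when no real LM hash is stored.
EMPTY_LM_HASH = bytes.fromhex("aad3b435b51404eeaad3b435b51404ee")

# Constructed sample collection: (account, LM hash or None, NT hash). Not real hashes.
SAMPLE_ACCOUNTS: List[Tuple[str, Optional[bytes], bytes]] = [
    ("alice", bytes.fromhex("0123456789abcdef0123456789abcdef"), bytes.fromhex("11" * 16)),
    ("bob", EMPTY_LM_HASH, bytes.fromhex("22" * 16)),
    ("carol", None, bytes.fromhex("11" * 16)),  # same NT hash as alice
]


def over_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """Re-hash a raw 16-byte NT hash with PBKDF2-HMAC-SHA256 (10,000 iterations)."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, nt_hash, salt, PBKDF2_ITERATIONS, OVER_HASH_LEN)


def has_lm_hash(lm_hash: Optional[bytes]) -> bool:
    """True when a real LM hash is present; the value itself is never stored."""
    return lm_hash is not None and lm_hash != EMPTY_LM_HASH


def protect_collection(accounts, salt: bytes) -> List[Dict[str, object]]:
    """Build the records to store: over-hashed NT hash plus an LM flag, no raw hashes."""
    stored = []
    for name, lm_hash, nt_hash in accounts:
        stored.append({
            "account": name,
            "nt_over_hash": over_hash(nt_hash, salt).hex(),
            "lm_hash_present": has_lm_hash(lm_hash),
        })
    return stored


def shared_password_groups(stored: List[Dict[str, object]]) -> List[List[str]]:
    """Accounts whose over-hashes collide share an NT hash, hence a password."""
    groups: Dict[str, List[str]] = {}
    for rec in stored:
        groups.setdefault(str(rec["nt_over_hash"]), []).append(str(rec["account"]))
    return [g for g in groups.values() if len(g) > 1]
```

Because the same deployment salt is applied to every account, equal over-hashes still expose password reuse without the raw NT hash ever being written to the database.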

Data cleaning

When you disable the Privileged Analysis feature — which you can do at any time — Tenable Identity Exposure clears all previously collected data from its database.

Data transfer to Tenable Cloud

Only when you enable the Tenable Cloud option does Tenable Identity Exposure forward all data that the Privileged Analysis collects to the Tenable Cloud for storage and analysis. The data protection rules described previously still apply.