Integration with an Active Directory Domain

Tenable Identity Exposure runs on Microsoft Windows Server operating systems, which can be joined to an Active Directory (AD) domain. The following guidelines help you decide whether or not to join these servers to an AD domain.

  • Because Tenable Identity Exposure holds sensitive security information, Tenable does not recommend joining its servers to any AD domain. Running in an isolated environment keeps a clear separation between the monitored perimeter and the monitoring entity (i.e., Tenable Identity Exposure). In this configuration, an attacker with initial access or limited privileges on the monitored domain cannot directly reach Tenable Identity Exposure or its security analysis results.

  • If you trust your infrastructure, you can choose to run Tenable Identity Exposure on domain-joined servers. This approach simplifies server management because the servers follow the regular process that you use for every domain-joined server. In particular, Tenable Identity Exposure servers receive the same hardening policies as any other corporate server. Tenable recommends this architecture only in secure AD environments, and you must consider the following risks in the case of an AD compromise:

    • An attacker with server-administration privileges can use the analysis data from Tenable Identity Exposure to learn more ways to compromise the system.

    • The security policy on domain-joined servers can forbid the administrative access that Tenable Support or its certified partners require.

    • An attacker can tamper with Tenable Identity Exposure’s security monitoring to hide a security incident.
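The following PowerShell check is an added example, not code from Tenable or the Tenable Identity Exposure product. It reports whether the host it runs on is domain-joined and, if so, which AD principals hold local administrative rights on it (the accounts an AD compromise would inherit), so you can confirm the deployment matches the architecture you chose above. It assumes it runs locally on the Tenable Identity Exposure server with local administrator rights; the function name Test-TieHostIsolation is hypothetical.

```powershell
# Added example (not Tenable's code): compare this host's domain membership and
# AD-sourced local admins against the deployment architecture chosen above.
# Assumes: run locally on the Tenable Identity Exposure server as a local admin.
# The function name is hypothetical.
function Test-TieHostIsolation {
    [CmdletBinding()]
    param(
        # Expected architecture: 'Isolated' (workgroup host) or 'DomainJoined'
        [ValidateSet('Isolated', 'DomainJoined')]
        [string]$Expected = 'Isolated'
    )

    # Win32_ComputerSystem exposes PartOfDomain, Domain and Workgroup.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Members of the built-in Administrators group (well-known SID S-1-5-32-544)
    # whose PrincipalSource is Active Directory rather than the local SAM.
    $adAdmins = @()
    try {
        $adAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
            Select-Object -ExpandProperty Name)
    } catch {
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
    }

    $actual = if ($cs.PartOfDomain) { 'DomainJoined' } else { 'Isolated' }

    $findings = @()
    if ($actual -ne $Expected) {
        $findings += "Host is $actual but the chosen architecture is $Expected."
    }
    if ($cs.PartOfDomain -and $adAdmins.Count -gt 0) {
        # On a domain-joined host these principals reach the monitoring server
        # as soon as the domain itself is compromised.
        $findings += "AD principals hold local admin rights: $($adAdmins -join ', ')"
    }

    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = [bool]$cs.PartOfDomain
        DomainOrGroup = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
        ADLocalAdmins = $adAdmins
        Architecture  = $actual
        Compliant     = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# Usage: confirm the host matches the recommended isolated deployment.
Test-TieHostIsolation -Expected 'Isolated' | Format-List
```

Run it with `-Expected 'DomainJoined'` on a server you deliberately joined to the domain; the `ADLocalAdmins` list then shows exactly which domain accounts and groups would gain the server-administration access described in the first risk above, which is the list to minimize and monitor.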