Tenable Identity Exposure Deployment

You install Tenable Identity Exposure as an application package hosted in a dedicated Windows environment that must fulfill specific hosting specifications.Tenable Identity Exposure requires access to the operating system's master image on the system where you install it.

Required account permissions: The account you use to deploy Tenable Identity Exposure must have these specific permissions: SeBackupPrivilege, SeDebugPrivilege, and SeSecurityPrivilege.

Tenable preconfigures the application package with only Tenable services and your specific requirements. This deployment option offers maximum flexibility and integrates seamlessly into your specific environment.

NoteTenable Identity Exposure runs on a micro-services architecture embedded into Windows services. These services have a dedicated purpose (storage, security analysis, application, etc.) and all are mandatory. Consequently, you can only install Tenable Identity Exposure on operating systems supporting the micro-services model.

The following table details unsupported configurations:

Configuration

Description

Active anti-virus or Endpoint Detection and Response (EDR) solution

The Tenable Identity Exposure platform requires intensive disk I/O.

  • Using anti-virus and EDR can drastically decrease platform performances.

  • You must have an exception to allow Tenable Identity Exposure services and data folder.

FIPS-compliant algorithms

For data privacy reasons, do not activate Federal Information Processing Standards (FIPS)-compliant algorithms for encryption.

Firewalls

Do the following to allow Tenable Identity Exposure services to communicate with each other to have reliable security monitoring:

  • Disable local firewall rules preventing outgoing traffic.

  • Grant local firewall rules to allow incoming traffic on Tenable Identity Exposure services.

Erlang

  • Do not customize the HOMEDRIVE environment variable.

  • The PATHEXT environment variable must contain the .exe and .bat file extensions.

Deploying Tenable Identity Exposure’s platform in a non-certified environment can create unexpected side effects.

In particular, the deployment of third-party applications (such as a specific agent or daemon) in the master image can cause stability or performance issues.

Tenable strongly recommends that you reduce the number of third-party applications to a minimum.

Tenable Identity Exposure’s platform requires local administrative rights to operate and ensure a proper service management.

  • You must provide the Tenable technical lead with the credentials (username and password) associated with the administrative account of the host machine.

  • When deploying to a production environment, consider a password renewal process that you validate jointly with the Tenable technical lead.

As part of its upgrade program, Tenable frequently publishes updates to its systems to provide new detection capabilities and new product features.

  • In this deployment, Tenable only provides updates for Tenable Identity Exposure components. You must ensure a proper management of your operating systems, including the frequent deployment of security patches. For more information about Tenable Identity Exposure releases, see the Tenable Identity Exposure Release Notes.

  • Tenable Identity Exposure's micro-services architecture supports the immediate application of operating system patches.