Privileged Analysis

Privileged Analysis is an optional feature in Tenable Identity Exposure. Unlike its other features, it requires elevated privileges in order to fetch otherwise protected data and provide additional security analysis.

Prerequisites

To use Privileged Analysis, you must open the dynamic RPC ports TCP/49152-65535 and UDP/49152-65535. For additional information, see Network Flow Matrix.

Data Fetching

Note: The Privileged Analysis feature requires elevated privileges. See Access for Privileged Analysis.

When enabled, Privileged Analysis fetches the following additional data:

  • Password hashes: Tenable Identity Exposure fetches LM and NT hashes for password analysis. It fetches LM hashes only to warn about their presence, because the LM algorithm is old and weak, and it does not store them. The hash collection scope includes:

    • All enabled user accounts

    • All enabled domain controller computer accounts

Data Protection

Active Directory (AD) itself does not store user passwords in clear text, only their hashes, computed with the LM or NT hashing algorithms. These are one-way functions: the original password cannot be read back from the hash, although unsalted NT hashes remain exposed to offline guessing attacks, which is why the analysis below matters. Tenable Identity Exposure does not store LM hashes.

Except for clients whose Relay is hosted on a SaaS-VPN platform, password hashes never leave the client's infrastructure, because only the Relay handles them. The Relay stores neither passwords nor password hashes: it retrieves a user's password hash each time one is needed for analysis and keeps it in its cache only temporarily, typically for a few milliseconds.

However, Tenable Identity Exposure does retain a small number of bits of each password hash, held only in the Relay's RAM, solely to perform a K-anonymity analysis that detects users sharing the same password.

Note: For SaaS-VPN platform clients, the behavior is the same, but it is Tenable that hosts your Relay.
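The collection scope, the LM-presence warning and the prefix-based K-anonymity check above can be pictured as a small two-stage pipeline. The following is an added illustration, not Tenable's code: the record shape, the 20-bit prefix length, the on-demand re-fetch callback and all sample hashes are assumptions or constructed values (the "8846f7ea..." value is the well-known NT hash of "password", and the EMPTY_LM_HASH constant is the well-known LM value stored when no LM hash exists). Stage 1 keeps only a hash prefix per in-scope account; stage 2 re-reads full hashes transiently, and only for accounts that collide on the prefix, so a prefix match alone is never reported as a shared password.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Well-known constant: the LM hash value stored when an account has no LM hash
# (LM storage disabled or password longer than 14 characters). Anything else means
# a real LM hash is present and should trigger a warning.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Assumption: number of leading NT-hash bits kept resident for the K-anonymity
# bucketing. The value Tenable actually uses is not documented on this page.
PREFIX_BITS = 20


@dataclass(frozen=True)
class FetchedAccount:
    """One record as returned by a privileged fetch (field layout is assumed)."""
    sam_account_name: str
    enabled: bool
    is_dc_computer: bool
    lm_hash: str  # 32 hex characters
    nt_hash: str  # 32 hex characters


def in_scope(acct: FetchedAccount) -> bool:
    """Collection scope from the page: enabled users and enabled DC computer accounts."""
    return acct.enabled


def has_lm_hash(acct: FetchedAccount) -> bool:
    """True when the directory still holds a real LM hash for this account."""
    return acct.lm_hash.lower() != EMPTY_LM_HASH


def lm_warnings(accounts: Iterable[FetchedAccount]) -> List[str]:
    """Accounts to warn about. Only the fact of presence is kept, never the LM hash."""
    return sorted(a.sam_account_name for a in accounts if in_scope(a) and has_lm_hash(a))


def hash_prefix(nt_hash_hex: str, bits: int = PREFIX_BITS) -> int:
    """The only hash-derived value that stays in memory: the top `bits` bits of the NT hash."""
    return int(nt_hash_hex, 16) >> (128 - bits)


def build_prefix_index(accounts: Iterable[FetchedAccount]) -> Dict[int, List[str]]:
    """Stage 1: bucket in-scope accounts by prefix; the full hash is dropped immediately."""
    index: Dict[int, List[str]] = defaultdict(list)
    for a in accounts:
        if in_scope(a):
            index[hash_prefix(a.nt_hash)].append(a.sam_account_name)
    return dict(index)


def shared_password_groups(
    accounts: Iterable[FetchedAccount],
    fetch_full_hash: Callable[[str], str],
) -> List[List[str]]:
    """Stage 2: for each bucket with 2+ members, re-fetch full hashes on demand, compare
    them, and let them go out of scope. Returns sorted groups of accounts whose NT hashes
    (and therefore passwords) are identical."""
    groups: List[List[str]] = []
    for names in build_prefix_index(accounts).values():
        if len(names) < 2:
            continue
        by_full_hash: Dict[str, List[str]] = defaultdict(list)  # lives only for this bucket
        for name in names:
            by_full_hash[fetch_full_hash(name).lower()].append(name)
        groups.extend(sorted(members) for members in by_full_hash.values() if len(members) > 1)
    return sorted(groups)


# Constructed sample data, not real directory content. carol's hash was built to share
# alice's 20-bit prefix but differ afterwards, i.e. a stage-1 false positive.
SAMPLE_ACCOUNTS = [
    FetchedAccount("alice", True, False, EMPTY_LM_HASH, "8846f7eaee8fb117ad06bdd830b7586c"),
    FetchedAccount("bob", True, False, EMPTY_LM_HASH, "8846f7eaee8fb117ad06bdd830b7586c"),
    FetchedAccount("carol", True, False, EMPTY_LM_HASH, "8846f00000000000000000000000000a"),
    FetchedAccount("dave", True, False, "e52cac67419a9a224a3b108f3fa6cb6d", "0cb6948805f797bf2a82807973b89537"),
    FetchedAccount("old.svc", False, False, EMPTY_LM_HASH, "8846f7eaee8fb117ad06bdd830b7586c"),
    FetchedAccount("DC01$", True, True, EMPTY_LM_HASH, "1c2f8a9b3d4e5f60718293a4b5c6d7e8"),
]


def sample_fetch_full_hash(sam_account_name: str) -> str:
    """Stand-in for the Relay re-reading one account's hash from a DC when needed."""
    return next(a.nt_hash for a in SAMPLE_ACCOUNTS if a.sam_account_name == sam_account_name)


if __name__ == "__main__":
    print("LM hash present:", lm_warnings(SAMPLE_ACCOUNTS))
    print("identical passwords:", shared_password_groups(SAMPLE_ACCOUNTS, sample_fetch_full_hash))
```

Running the block reports dave as the only account still carrying an LM hash, and alice and bob as the only pair with identical passwords: carol lands in the same prefix bucket but is cleared by the stage-2 comparison, and old.svc is never considered because disabled accounts are out of scope.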