RSoP-Based Indicators of Exposure

Tenable Identity Exposure uses a set of RSoP (Resultant Set of Policy) based Indicators of Exposure (IoEs) to assess and ensure the security and compliance of various aspects. This section provides insights into the current behavior of specific RSoP IoEs and how Tenable Identity Exposure addresses performance concerns associated with their computations.

The following RSoP-dependent IoEs play a role in Tenable Identity Exposure's security framework:

  • Logon Restrictions for Privileged Users

  • Dangerous Sensitive Privileges

  • Application of Weak Password Policies on Users

  • Insufficient Hardening Against Ransomware

  • Unsecured Configuration of Netlogon Protocol

These IoEs depend on an RSoP computation results cache that is initialized when needed, computing values that are added upon request rather than relying on pre-existing values. Previously, changes to AdObjects triggered cache invalidation, leading to frequent re-computation during the IoE’s RSoP executions.

Tenable Identity Exposure addresses the performance impact associated with RSoP computations as follows:

  1. Live IoE analysis with potentially obsolete data — The computation (input/output event) of IoEs that rely on RSoP takes place in real time as they occur, even if the data used for processing may not be the most current. Buffered events that have the potential to invalidate the RSoP cache remain stored until they meet a specific condition, prompting the anticipated computation.

  2. Scheduled RSoP invalidation — Upon meeting the condition for re-computation, the system invalidates the RSoP cache, taking into account buffered events during the invalidation process.

  3. Re-execution of IoEs with up-to-date cache — Following the cache invalidation, IoEs undergo re-execution with the most recent version of the AdObject from the cache, incorporating buffered events. Tenable Identity Exposure computes each IoE individually for every buffered event.

For these reasons, the optimized computation duration for IoEs dependent on RSoP results in slower computation of deviances related to the RSoP.

Enhancements

Tenable Identity Exposure implemented changes to Indicators of Exposure dealing with RSoP tasks to improve their overall performance and responsiveness.

  • Smarter Security Checks — A redesign of how we perform certain security checks (called RSoP checks) to reduce system slowdowns.

  • Adaptive Scheduling — The system will automatically choose the best times to run these checks based on the current workload.

  • Overload Protection — We've implemented new measures to prevent system overload during busy periods.

  • GPO File Security Analysis — Indicators of Exposure that analyze the security of GPO files will now be processed every 30 minutes, instead of in real-time like other IoEs.

Benefits

  • Faster Response Times — By optimizing our security check process, you should notice quicker system responses, especially during peak usage times.

  • Improved Reliability — The new adaptive scheduling helps ensure that important security checks don't interfere with your work.

  • Smoother Experience — With better overload protection, the system should maintain consistent performance even under heavy use.

  • Enhanced Platform Stability — These changes will particularly benefit clients with high AD activity, ensuring more consistent performance.

Technical Aspects

  • RSoP checks and GPO file security analyses run periodically instead of in real time.

  • Every 30 minutes, the platform evaluates its workload. If it determines it can handle an analysis, it proceeds; otherwise, it waits until the load decreases.

  • Implementation of an algorithm to detect system overload, considering factors like message queue length and processing trends.

  • During overload periods, non-critical checks get postponed to maintain system responsiveness.