Privileged Analysis
Privileged Analysis is an optional feature in Tenable Identity Exposure that, unlike its other features, requires more privileges in order to fetch otherwise protected data and provide additional security analysis.
Data Fetching
When enabled, Privileged Analysis fetches the following additional data:
- Password hashes — Tenable Identity Exposure fetches LM and NT hashes for password analysis. It fetches LM hashes only to warn about their presence, as they use an old and weak algorithm, and does not store them. The hash collection scope includes:
  - All enabled user accounts
  - All enabled domain controller computer accounts
Data Protection
Active Directory (AD) itself does not directly store user passwords, only their hashes computed with the LM or NT hashing algorithms, which are one-way and do not allow recovery of the original password. Tenable Identity Exposure does not store LM hashes.
Except for clients hosting their Relay in a SAAS-VPN platform, password hashes never leave the client's infrastructure, as only the Relay handles them. The Relay does not store passwords or password hashes; it retrieves a user's password hash every time it is needed for analysis and keeps it in its cache only temporarily, typically for just a few milliseconds.
However, Tenable Identity Exposure retains a minimal number of bits of password hash data, securely stored in the Relay's RAM, solely for performing a K-anonymity analysis to check for users with identical passwords.
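The following is an added example, not Tenable's code, showing one way the two analyses described on this page can be structured so that no full hash persists: the collection scope filter (enabled users plus enabled DC computer accounts), an LM-hash presence warning that keeps only the account name, and a two-phase k-anonymity check for shared passwords that retains only a short prefix of each NT hash between accounts. The 12-bit prefix length, the `fetch_hashes` stand-in for the Relay's on-demand fetch, and every account and hash value are constructed assumptions; Tenable does not document its exact method.

```python
from collections import defaultdict

# Well-known LM hash of the empty string: when an account carries this value,
# no usable LM hash is stored for it.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Number of leading bits of the NT hash retained per account for the
# k-anonymity bucketing (an illustrative choice, not a documented value).
PREFIX_BITS = 12

# Constructed account metadata, as the analysis side holds it: no hash material.
SAMPLE_ACCOUNTS = [
    {"sam": "alice",      "class": "user",     "enabled": True,  "dc": False},
    {"sam": "bob",        "class": "user",     "enabled": True,  "dc": False},
    {"sam": "carol",      "class": "user",     "enabled": True,  "dc": False},
    {"sam": "dave",       "class": "user",     "enabled": False, "dc": False},
    {"sam": "legacy-svc", "class": "user",     "enabled": True,  "dc": False},
    {"sam": "DC01$",      "class": "computer", "enabled": True,  "dc": True},
    {"sam": "WS01$",      "class": "computer", "enabled": True,  "dc": False},
]

# Constructed stand-in for the domain controller's secret store. Every hex value
# below is made up; none is the hash of a real password.
_DC_SECRETS = {
    "alice":      (EMPTY_LM, "1a2b3c4d5e6f708192a3b4c5d6e7f809"),
    "bob":        (EMPTY_LM, "1a2b3c4d5e6f708192a3b4c5d6e7f809"),  # same NT hash as alice
    "carol":      (EMPTY_LM, "1a2b3c4d000000000000000000000001"),  # same 12-bit prefix, different hash
    "dave":       ("0123456789abcdef0123456789abcdef", "1a2b3c4d5e6f708192a3b4c5d6e7f809"),
    "legacy-svc": ("aabbccddeeff00112233445566778899", "fedcba9876543210fedcba9876543210"),
    "DC01$":      (EMPTY_LM, "00112233445566778899aabbccddeeff"),
    "WS01$":      (EMPTY_LM, "1a2b3c4d5e6f708192a3b4c5d6e7f809"),
}


def fetch_hashes(sam):
    """Hypothetical on-demand fetch, standing in for the Relay pulling one account's
    (LM hash, NT hash) pair from the DC each time the analysis needs it."""
    return _DC_SECRETS[sam]


def in_collection_scope(acct):
    """Collection scope from the page: enabled users and enabled DC computer accounts."""
    if not acct["enabled"]:
        return False
    if acct["class"] == "user":
        return True
    return acct["class"] == "computer" and acct["dc"]


def lm_hash_warnings(accounts, fetch=fetch_hashes):
    """Names of in-scope accounts that still carry an LM hash. The hash itself is
    inspected and dropped; only the account name is kept."""
    flagged = []
    for acct in accounts:
        if not in_collection_scope(acct):
            continue
        lm_hash, _nt_hash = fetch(acct["sam"])
        if lm_hash.lower() != EMPTY_LM:
            flagged.append(acct["sam"])
    return sorted(flagged)


def hash_prefix(nt_hex, bits=PREFIX_BITS):
    """Leading `bits` bits of a hex-encoded NT hash, as an int. A 12-bit prefix
    is shared by 1/4096 of all possible hashes, so it identifies no password."""
    total_bits = len(nt_hex) * 4
    return int(nt_hex, 16) >> (total_bits - bits)


def shared_password_groups(accounts, fetch=fetch_hashes, bits=PREFIX_BITS):
    """Two-phase check for accounts sharing a password.
    Phase 1 retains only a short prefix per account (the k-anonymity bucket key).
    Phase 2 re-fetches full hashes only inside buckets of size >= 2, compares them,
    and drops them again; full hashes are never held across the whole account set."""
    buckets = defaultdict(list)
    for acct in accounts:
        if not in_collection_scope(acct):
            continue
        _lm_hash, nt_hash = fetch(acct["sam"])
        buckets[hash_prefix(nt_hash, bits)].append(acct["sam"])
        # nt_hash goes out of scope here; only the prefix survives in `buckets`

    groups = []
    for members in buckets.values():
        if len(members) < 2:
            continue  # singleton bucket: nothing to compare, nothing else retained
        by_full_hash = defaultdict(list)
        for sam in members:
            by_full_hash[fetch(sam)[1]].append(sam)
        groups.extend(sorted(sams) for sams in by_full_hash.values() if len(sams) >= 2)
    return sorted(groups)


if __name__ == "__main__":
    print("Accounts still carrying an LM hash:", lm_hash_warnings(SAMPLE_ACCOUNTS))
    print("Accounts sharing a password:", shared_password_groups(SAMPLE_ACCOUNTS))
```

On the constructed data, `carol` lands in the same 12-bit bucket as `alice` and `bob` but is not reported, because the second phase compares full hashes; `dave` (disabled) and `WS01$` (a non-DC computer account) are ignored entirely because they fall outside the collection scope, even though they hold the same NT hash as `alice`.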