Forests
An Active Directory (AD) forest is a collection of domains that share a common schema, configuration, and trust relationships. It provides a hierarchical structure for managing and organizing resources, enabling centralized administration and secure authentication across multiple domains within an organization.
Managing Forests
To add a forest:
- In Tenable Identity Exposure, click System > Forest management.
- Click Add a forest on the right. The Add a forest pane appears.
- In the Name box, type the forest name.
- In the Account section, provide the following for the service account that Tenable Identity Exposure uses:
  - Login: Type the name of the service account. Format: User Principal Name, such as “[email protected]” (recommended for compatibility with Kerberos authentication), or NetBIOS, such as “DomainNetBIOSName\SamAccountName”.
  - Password: Type the password for the service account.
- Click Add. A message confirms the addition of a new forest.
To edit a forest:
- In Tenable Identity Exposure, click System > Forest management.
- In the list of forests, hover over the forest you want to modify and click the icon on the right. The Edit a forest pane appears.
- Modify as necessary.
- Click Edit. A message confirms that Tenable Identity Exposure updated the forest.
Protecting Service Accounts
Tenable recommends protecting service accounts to maintain security by correctly setting User Account Control (UAC) attributes to prevent delegation, require preauthentication, use stronger encryption, enforce password expiration and requirements, and allow authorized password changes. These measures mitigate the risk of unauthorized access and potential security breaches, ensuring the integrity of an organization's systems and data.
You can modify user account control settings using Windows' Local Security Policy editor or Group Policy Editor with the appropriate administrative privileges.
Using the policy editor:
- In the editor, navigate to Local Policies -> Security Options to locate and configure the following settings (the exact location may vary depending on your Windows version):
  - "Network access: Do not allow storage of passwords and credentials for network authentication": set it to Enabled.
  - "Accounts: Do not require Kerberos preauthentication": set it to Disabled.
  - "Network security: Configure encryption types allowed for Kerberos": ensure that the option "Use Kerberos DES encryption types for this account" is not selected.
  - "Accounts: Maximum password age": set the password expiration period (for example, 30, 60, or 90 days) so that PasswordNeverExpires = FALSE.
  - "Accounts: Limit local account use of blank passwords to console logon only": set it to Disabled.
  - "Interactive logon: Number of previous logons to cache (in case domain controller is not available)": set the desired value, such as "10", to allow users to change their passwords.
Using PowerShell:
- On a machine hosting AD, open PowerShell with the appropriate administrative privileges and run the following command:
  Set-ADAccountControl -Identity <AD_ACCOUNT> -AccountNotDelegated $true -UseDESKeyOnly $false -DoesNotRequirePreAuth $false -PasswordNeverExpires $false -PasswordNotRequired $false -CannotChangePassword $false
  Where <AD_ACCOUNT> is the name of the Active Directory account you want to modify.
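The following is an added example, not Tenable's own code: it audits a service account's userAccountControl flags against the hardening baseline above (report first, remediate only on request), so you can verify the account before and after running the Set-ADAccountControl command. It assumes the ActiveDirectory RSAT module is installed and that the account name 'svc-tenable-ie' is a placeholder to replace with your own.

```powershell
# Added example (not from the Tenable documentation): audit a service account's
# userAccountControl bits against the baseline this page recommends, and
# optionally apply the same Set-ADAccountControl call to remediate.
Import-Module ActiveDirectory

# userAccountControl bit values as documented by Microsoft for the UAC attribute
$UacFlag = @{
    PASSWD_NOTREQD       = 0x00020
    DONT_EXPIRE_PASSWORD = 0x10000
    NOT_DELEGATED        = 0x100000
    USE_DES_KEY_ONLY     = 0x200000
    DONT_REQ_PREAUTH     = 0x400000
}

function Test-ServiceAccountHardening {
    param(
        [Parameter(Mandatory)] [string]$Identity,
        [switch]$Fix   # apply the page's Set-ADAccountControl call when non-compliant
    )
    # CannotChangePassword is derived from the object's ACL, so read it as an extended property
    $user = Get-ADUser -Identity $Identity -Properties userAccountControl, CannotChangePassword
    $uac  = [int]$user.userAccountControl

    # One row per setting: what the baseline expects vs. what the account currently has
    $checks = @(
        [pscustomobject]@{ Check='AccountNotDelegated';   Expected=$true;  Actual=[bool]($uac -band $UacFlag.NOT_DELEGATED) }
        [pscustomobject]@{ Check='UseDESKeyOnly';         Expected=$false; Actual=[bool]($uac -band $UacFlag.USE_DES_KEY_ONLY) }
        [pscustomobject]@{ Check='DoesNotRequirePreAuth'; Expected=$false; Actual=[bool]($uac -band $UacFlag.DONT_REQ_PREAUTH) }
        [pscustomobject]@{ Check='PasswordNeverExpires';  Expected=$false; Actual=[bool]($uac -band $UacFlag.DONT_EXPIRE_PASSWORD) }
        [pscustomobject]@{ Check='PasswordNotRequired';   Expected=$false; Actual=[bool]($uac -band $UacFlag.PASSWD_NOTREQD) }
        [pscustomobject]@{ Check='CannotChangePassword';  Expected=$false; Actual=[bool]$user.CannotChangePassword }
    )
    $findings = $checks | ForEach-Object {
        $_ | Add-Member -NotePropertyName Compliant -NotePropertyValue ($_.Expected -eq $_.Actual) -PassThru
    }

    if ($Fix -and ($findings | Where-Object { -not $_.Compliant })) {
        # Identical to the command on this page; only runs when at least one check failed
        Set-ADAccountControl -Identity $Identity -AccountNotDelegated $true -UseDESKeyOnly $false `
            -DoesNotRequirePreAuth $false -PasswordNeverExpires $false -PasswordNotRequired $false `
            -CannotChangePassword $false
    }
    return $findings
}

# Usage: 'svc-tenable-ie' is a placeholder account name; report first, then remediate with -Fix
Test-ServiceAccountHardening -Identity 'svc-tenable-ie' | Format-Table -AutoSize
# Test-ServiceAccountHardening -Identity 'svc-tenable-ie' -Fix | Format-Table -AutoSize
```

Run the report form from a scheduled job against every service account to catch drift, since a later Set-ADUser or GUI edit can silently flip these flags back.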