Pre-deployment Requirements

You install Tenable Identity Exposure as an application package hosted in a dedicated Windows environment that must fulfill specific hosting specifications.Tenable Identity Exposure requires access to the operating system's master image on the system where you install it.

Tenable preconfigures the application package with only Tenable services and your specific requirements. This deployment option offers maximum flexibility and integrates seamlessly into your specific environment.

Tenable Identity Exposure runs on a micro-services architecture embedded into Windows services. These services have a dedicated purpose (storage, security analysis, application, etc.) and all are mandatory. Consequently, you can only install Tenable Identity Exposure on operating systems supporting the micro-services model.

OpenSSL 3.0 Support — Starting with version 3.59.5, Tenable Identity Exposure uses OpenSSL 3.0.x. As a result, X.509 certificates signed with SHA1 no longer work at security level 1 or higher. TLS defaults to security level 1, which makes SHA1-signed certificates untrusted for authenticating servers or clients.

You must upgrade your certificates in response to this change. If you continue the installation without updating your certificates to use OpenSSL 3.0, the Tenable Identity Exposure installer returns the following error messages with recommended fixes:

Perform the installation as the local account member of the local or built-in administrators group or as an administrator on the server where you install Tenable Identity Exposure. 

Caution: Log in to the machine as this local administrator account outside the domain. Do not log in as a local administrator within the domain.

The account requires the following permissions:

• SeBackupPrivilege

• SeDebugPrivilege

• SeSecurityPrivilege

Before installing, disable any AV and/or EDR solution on the host. Failing to do so triggers a roll-back during installation. You can safely enable AV/EDR once the installation is complete, but be aware that it may impact product performance due to high disk I/O operations.

Perform any required reboots prior to installation. When you launch the installer on a server, it checks the following:

• There is no pending reboot.

• The server was restarted properly less than 11 minutes ago.

• The MSI checks the following registry keys:

  • HKLM: \ Software \ Microsoft \ Windows \ CurrentVersion \ Component Based Servicing \ RebootPending

  • HKLM: \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ WindowsUpdate \ Auto Update \ RebootRequired

  • HKLM: \ SYSTEM \ CurrentControlSet \ Control \ Session Manager -> PendingFileRenameOperations

The use of service accounts must be allowed on the operating system.

The following table details unsupported configurations:

Deploying Tenable Identity Exposure’s platform in a non-certified environment can create unexpected side effects.

In particular, the deployment of third-party applications (such as a specific agent or daemon) in the master image can cause stability or performance issues.

Tenable strongly recommends that you reduce the number of third-party applications to a minimum.

Tenable Identity Exposure’s platform requires local administrative rights to operate and ensure a proper service management.

• You must provide the Tenable technical lead with the credentials (username and password) associated with the administrative account of the host machine.

• When deploying to a production environment, consider a password renewal process that you validate jointly with the Tenable technical lead.

As part of its upgrade program, Tenable frequently publishes updates to its systems to provide new detection capabilities and new product features.

• In this deployment, Tenable only provides updates for Tenable Identity Exposure components. You must ensure a proper management of your operating systems, including the frequent deployment of security patches. For more information about Tenable Identity Exposure releases, see the Tenable Identity Exposure Release Notes.

• Tenable Identity Exposure's micro-services architecture supports the immediate application of operating system patches.

• Tenable Identity Exposure works with Windows Server 2016 with the latest available update.

• Tenable Identity Exposure installation program requires Local Administrator rights on Windows Server 2016 or later. If the account used for the installation is the default account, ensure that this account can run programs without restrictions.

• Tenable Identity Exposure services require Local Administrator rights to run local services on the machine.

• Tenable Identity Exposure requires a dedicated data partition. Do not run Tenable Identity Exposure on the OS partition to prevent system freeze if the partition is full.

• Tenable Identity Exposure SQL instance requires the virtual accounts usage feature.

• When installing or upgrading Microsoft SQL Server after implementing tighter security measures, the installation process fails due to insufficient user rights. Check that you have the necessary permissions for a successful installation. For more information, see the Microsoft documentation.

• Tenable Identity Exposure must run as a black box. Dedicate each machine to Tenable Identity Exposure and do not share it with another product.

• Tenable Identity Exposure can create any folder starting with the ‘Alsid’ or ‘Tenable’ prefix on the data partition. Therefore, do not create folders starting with "Alsid" nor "‘Tenable" on the data partition.

• Erlang: Do not modify the HOMEDRIVE environment variable. The PATHEXT environment variable must contain the .exe and .bat file extensions.

• If you must set the AD service account of Tenable Identity Exposure as a Protected Users group member, ensure your Tenable Identity Exposure configuration supports Kerberos authentication, because Protected Users cannot use NTLM authentication.

This table resumes the prerequisites in a handy checklist before installation.