Tenable Identity Exposure 2023 On-premise Release Notes

Application of Weak Password Policies on Users

• Improved performance for heavy workload scenarios.

• Introduces two new reasons to explain better two cases where you may think the GPO applies but in fact does not:

  • An Organizational Unit that contains computers may block the GPO inheritance.

  • A security filtering prevents the GPO from applying to computers.

Verify AAD SSO Account Password Last Change now resolves deviances when they apply to deleted AD objects.

Dangerous Kerberos Delegation now handles existing but empty Resource-Based Constrained Delegation (RBCD) attributes.

Accounts using a Pre-Windows 2000 Compatible Access Control (C-PRE-WIN2000-ACCESS-MEMBERS) now reports all problematic well-known principals of the "Pre-Windows 2000 Compatible Access" group.

Elimination of false positives on the Tenable Identity Exposure GPO for these IoEs: Verify Sensitive GPO Objects and Files Permissions and Domain Controllers Managed by Illegitimate Users.

Tenable Identity Exposure now limits the Organizational Unit allow list option for the IoE Accounts With Never Expiring Passwords in the backend to reduce the quantity of logs generated.

It is now possible to view Indicators of Exposure in German again.

Tenable Identity Exposure no longer displays tenable_ad_date tags in the CSV export file.

Reduced false positives/negatives for Tenable Identity Exposure attacks for the following IoAs: sAMAccountName Impersonation, Kerberoasting, OS Credential Dumping: LSASS Memory, DCShadow, and DPAPI Domain Backup Key Extraction.

OS Credential Dumping: LSASS Memory — Shows more accurate process and username information when displaying the information in the UI and alerts.

Password Spraying no longer misses attacks when Tenable Identity Exposure cannot match an IP address through the DNS Record AD object.

MassiveComputersRecon — Removed the non-relevant option Whitelisted target domain controllers

IoA Script

• Tenable Identity Exposure improved the resiliency of the IoA setup script for subsequent installations of the script.

• It is again possible to run the Register-TenableIOA script from a domain-joined server using runas.

The Indicator of Attack PDF report no longer displays an erroneous header on the cover page.

The renaming of the Tenable Identity Exposure GPO no longer has an impact on the automatic update feature of the Tenable Identity Exposure Indicator of Attack configuration.

The IoA installation reestablishes security events logging.

Tenable Identity Exposure correctly displays attributes with a dollar character ($) in the Indicator of Attack investigation view.

When installing the IoAs on a Windows 2022 Domain Controller, the server no longer needs to reboot.

Tenable Identity Exposure now requires fewer permissions to obtain the same Indicator of Attack analysis.

Shows more precise labels for SQL drives.

Supports non-English languages.

Allows you to click on the "Previous" button to go back and change installation options.

Fails silently if it detects an existing SQL server previously installed on the Storage Manager.

After deleting a directory, the Attack Path now refreshes its Tier0 graph.

The page now shows a single menu bar.

The Attack Path service can now handle multiple large security descriptors during its initialization.

The Tenable Identity Exposure (Compliance) Score through the Public API now excludes deactivated checkers for the provided profile. This had led an incorrect score via the Public API. This is now improved and consistent with the Compliance Score available in the Tenable Identity Exposure UI.

Authentication — Tenable Identity Exposure now logs a successful login attempt after it validates it.

Security — GraphQL suggestions no longer appear.

Tenable Identity Exposure dashboard widgets now show "0" instead of "No data" when it does not detect any deviants.

Improvements in the Kerberos service account authentication when Tenable Identity Exposure collects data for privileged analysis.

Upgraded the RabbitMQ library dependency to fix CVE-2022-37026.

Tenable Identity Exposure improved performance when dealing with multi-valued attributes with numerous entries.

Tenable Identity Exposure improved SYSVOL fault tolerance, such as against invalid accesses.

Tenable Identity Exposure indicates again the LDAP objects that became out of scope (for example, due to permissions.)

DNS records show up with their correct IPv6 addresses.

Tenable Identity Exposure no longer lists the security profiles to which a user does not have access.

Tenable Cloud Service — Tenable Identity Exposure provides more precise error messages when it cannot connect or authenticate to Tenable Cloud Service.

License — Tenable Identity Exposure now bases its count of active users only on the AD objects whose objectClass is strictly User, and not the objectClasses that contain User such as MSMQ-Migrated-User or strongAuthenticationUser.

Trail Flow — You can now copy the SDDL field when using a non-secured HTTP protocol (relevant for some on-premise deployments that either use HTTP or a not recognized HTTPS certificate).

Tenable Identity Exposure API Reference Portal — Removed irrelevant entry (events).

API — Reinforced integer input validation and managing the error appropriately as Bad request instead of Internal server error.

Tenable Identity Exposure handles better foreign security principals when they are also unresolved security principals.

Tenable Identity Exposure replaces the \0a sequences in AD attributes with a space when sending them through SYSLOG.

It is now possible to edit roles with removed directories in some edge cases.

Tenable Identity Exposure links unresolved security principals in the attack path feature to the right domain.