Tenable Identity Exposure 2024 On-premises Release Notes

• Secure Relay — Introducing a new mode of transfer for your Active Directory data from your network to Tenable Identity Exposure using Transport Layer Security (TLS) instead of Advanced Message Queuing Protocol (AMQP). For more information, see Upgrade to Use Secure Relay in the Installation Guide and Configure the Relay in the Administration Guide.

  • Alerting and Authentication — The Secure Relay supports Syslog and SMTP alerting. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.

    • Authentication — You can configure LDAP Authentication by selecting a Secure Relay. This relay reaches your LDAP Server to authenticate the user.

    • Alerts — Syslog and SMTP alerting function can send alerts to private servers through a Secure Relay. When creating an alert, the Secure Relay platform asks you to select a Relay. You can set up Relays and use them for either domain monitoring and alerting, or both.

      If you use Secure Relay and have existing alerts, the Tenable Identity Exposure 3.45 update automatically assigns a Relay to them for service continuity. You can edit this Relay for reasons related to your Relay-VM network rules or your preferences.

  • Basic Authentication and Unauthenticated HTTP Proxy Support — The Relay feature also supports HTTP proxy with basic authentication or no authentication if your network requires a proxy server to reach the Directory Listener server. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.

• Entra ID Support — This feature extends the scope of Tenable Identity Exposure to Microsoft Entra ID (formerly Azure AD) in addition to Active Directory. The following are new Entra ID-focused Indicators of Exposure (IoEs) now available to identify vulnerabilities within Entra ID:

  • Known Federated Backdoor — A Microsoft Entra tenant can federate with an external domain to establish trust with another domain for authentication and authorization. Organizations use federation to delegate authentication for Active Directory users to their on-premises Active Directory Federation Services (AD FS). (Note: the external domain is not an Active Directory "domain".) But if malicious actors gain elevated privileges in Microsoft Entra ID, they can abuse this federation mechanism to create a backdoor by adding their own federated domain or editing an existing one to add a secondary configuration with their own settings.

  • First-Party Service Principal with Credentials — First-Party Service Principals (Enterprise Applications) come from applications (Application Registrations) belonging to Microsoft. Most of them have sensitive permissions in Microsoft Entra ID that you often overlook during security reviews. This allows attackers to add credentials to them to benefit stealthily from their privileges.

  • Privileged Entra Account Synchronized With AD (Hybrid) — Checks for hybrid accounts, specifically those synchronized from Active Directory that have privileged roles in Entra ID. These accounts pose a security risk because they allow attackers who compromise AD to pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts.

  • Dangerous API Permissions Affecting the Tenant — Certain permissions on some Microsoft APIs can pose a serious threat to the entire Microsoft Entra tenant, because a service principal with these permissions becomes powerful while being more discreet than a user with a powerful administrator role such as Global Administrator. Abusing this can allow an attacker to bypass the Multi-Factor Authentication (MFA) and resist user password resets.

  • Missing MFA for Privileged Account — Multi-Factor Authentication (MFA) provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it. This IoE alerts you when a privileged account does not have a registered MFA method or if you enforce MFA without registering a method, which can allow attackers with a password to register their own MFA methods and create a security risk.

  • Missing MFA for Non-Privileged Account — Multi-Factor Authentication (MFA) provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it. This IoE alerts you when a non-privileged account does not have a registered MFA method or if you enforce MFA without registering a method, which can allow attackers with a password to register their own MFA methods and create a security risk.

  • High number of Administrators — Administrators have elevated privileges by definition. They can pose security risks when there is a high number of them since it increases the attack surface because there is a higher chance that one of them gets compromised. This is also the sign that the least-privileged principle is not respected.

• New Indicators of Attack (IoA)

  • DC Password Change — Related to Zerologon, this IoA focuses on a specific post-exploitation activity that attackers commonly use in conjunction with the Netlogon vulnerability: the modification of the Domain Controller machine account password. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.

  • Zerologon — Detects a failure in the Netlogon authentication process which indicates that attackers are trying to exploit the Zerologon vulnerability to gain privileges on the domain. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.

  • Domain Backup Key Extraction — Detects a wide variety of attack tools that use LSA RPC calls to access backup keys. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.

• Indicators of Exposure (IoE)

  • New IoEs:

  • Unsecure Dynamic DNS Zone Updates Allowed — Identifies unsecure configuration of dynamic DNS zone updates, which can lead to unauthenticated editing of DNS records, making them vulnerable to rogue DNS records.

  • Property Sets Sanity — Checks for any misconfiguration or backdoor from malicious actors present in Property Sets and their attributes within the AD schema. While there are currently no known public attack vectors associated with the use of property sets, this IoE focuses primarily on identifying misconfigurations or peculiarities stemming from third-party products that use this feature.

  • WSUS Dangerous Misconfigurations — Checks Windows Server Update Services (WSUS), a Microsoft product that deploys Windows updates to workstations and servers, for misconfigured settings that can lead to an elevation to administrator privileges from a standard account.

  • Detection of Password Weaknesses — Checks for robust passwords to ensure the security of Active Directory authentication. Weak passwords arise from factors such as insufficient complexity, outdated hashing algorithms, shared passwords, and exposure in leaked databases. Attackers exploit these weaknesses to mimic accounts, particularly concerning privileged ones, enabling unauthorized access within the Active Directory.

  • DFS Misconfiguration — Checks that SYSVOL uses Distributed File System Replication (DFSR), a mechanism that replaced the File Replication Service (FRS) for better robustness, scalability, and replication performance.

  • Deviant object exclusions: Tenable Identity Exposure allows exclusions for deviant objects in selected IoEs, including:

    • Group: Logon Restrictions for Privileged Users

    • Operating System: Computers Running an Obsolete OS

    • Organizational Unit: Logon Restrictions for Privileged Users, Computers Running an Obsolete OS, Application of Weak Password Policies on Users, Dormant Accounts, User Account Using Old Password

  • IoE analysis — on-premises users can now disable IoE analysis on the default Tenable security profile to reduce resource usage and achieve a lower latency in the security analysis. To implement this, you set the ALSID_CASSIOPEIA_CYGNI_Application__IOE__IgnoreDefaultProfile environment variable on the Security Engine Node (SEN) to true and restart the Cygni service.

• Reporting Center — This feature offers a way to export important data as reports to key stakeholders in an organization using a streamlined report creation process. For more information, see the Reporting Center in the Tenable Identity Exposure Administrator Guide.

• Dashboard templates — Ready-to-use templates help you focus on the priority issues that concern your organization such as compliance, risk, password management, and user/admin monitoring. For more information, see Dashboards in the Tenable Identity Exposure User Guide.

• Platform health check capabilities — Tenable Identity Exposure lists the platform health checks it performed in a consolidated view to enable you to investigate and resolve configuration anomalies promptly. For more information, see Health Checks in the Tenable Identity Exposure Administrator Guide.

• Onboarding — For enhanced security, the onboarding process now requires that users change the default credentials provided for the initial login when they log in for the first time. Tenable Identity Exposure also enhanced the rules for a new password.

• Scalability — Tenable Identity Exposure improved the performance of Indicators of Attack on the service side to handle events of interest on a greater scale for better IoA accuracy and latency. For more information, see Scale Tenable Identity Exposure Services in the Tenable Identity Exposure Installation Guide.

• Trail Flow

  • Tenable Identity Exposure receives events from Active Directory promptly as soon as changes appear. However, for high-frequency changes in large groups, it applies a 10-minute delay to aggregate events before notifying the rest of the system, preventing performance issues.

  • It is now possible to filter trail flow events by both date and time.

Tenable Identity Exposure version 3.59.4 contains all bug fixes since version 3.42.

Tenable Identity Exposure on-premises version 3.59.4 offers significant enhancements to safeguard your Active Directory infrastructure. This release includes updates to certain dependencies to prioritize software security and ensure up-to-date components for improved protection. The components are:

• Storage Manager (SM)

• Security Engine Node (SEN)

• Directory Listener (DL)

Tenable Identity Exposure version 3.42.18 contains the following patches:

Tenable Identity Exposure on-premises version 3.42.11 offers significant enhancements to safeguard your Active Directory infrastructure. This release includes updates to certain dependencies to prioritize software security and ensure up-to-date components for improved protection.