Tenable Identity Exposure 2024 On-Premises Release Notes
These release notes are listed in reverse chronological order.
Tenable Identity Exposure 3.77.3 (2024-11-06)
Indicators of Attack (IoA)
- New basic and aggressive modes — The basic mode is designed for customers who prefer a streamlined setup, minimizing configuration time and reducing false positives, thereby cutting down on unnecessary alert noise. This applies to the following IoAs:
  - DCSync
  - Suspicious DC Password Change
  - Golden Ticket
  - NTDS Extraction
  - OS Credential Dumping: LSASS Memory
  - Enumeration of Local Administrators
  - SAMAccountName Impersonation
Indicators of Exposure (IoE)
- New IoEs
  - Shadow Credentials — A new IoE detects backdoors and misconfigurations of shadow credentials in the "Windows Hello for Business" feature and its associated key credentials.
  - Managed Service Accounts Dangerous Misconfigurations — A new IoE ensures the proper deployment and configuration of Managed Service Accounts.
  - Privileged Authentication Silo Configuration — Assists AD administrators in installing and setting up an authentication silo for Tier-0 accounts.
  - Property Sets Integrity — A "Property Set" in Microsoft Active Directory (AD) consolidates multiple attributes for easier, more efficient ACL management. This Indicator of Exposure checks for misconfigurations or potential backdoors within these AD objects and their attributes.
  - Privileged AD User Accounts Synchronized to Microsoft Entra ID — Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.
  - Enabled Guest Account — Checks that the built-in guest account is disabled.
  - Conflicting Security Principals — Checks that there are no duplicated (conflicting) users, computers, or groups.
- RSOP-based IoEs — To enhance performance, Tenable Identity Exposure no longer performs live RSoP (Resultant Set of Policy) checks. Instead, it schedules one RSoP security check every 30 minutes, which allows for better management of the related checks that the RSoP process requires. For more information, see RSOP-based Indicators of Exposure.
- Last Password Change on KRBTGT Account — Added support for the krbtgt_AzureAD account in Windows Hello for Business (Cloud Trust deployment).
- Reversible Passwords — Now includes validation for reversible passwords defined by a PSO with the attribute msDS-PasswordReversibleEncryptionEnabled.
- Local Administrative Account Management — Support for the new Windows LAPS. Introduces a new option called "LAPS version installed" and validates the LAPS configuration based on the version the user selects.
- Proxy — Ability to define a proxy connection during Tenable Identity Exposure installation or upgrade. This proxy connection enables on-premises environments to work with Tenable One features.
- Secure Relay installation — The enhanced installer facilitates the upload of the self-signed certificate from the Directory Listener when you install the Secure Relay on a separate (standalone) machine.
- Email alerting now only supports secured encryption protocols, specifically TLS 1.2 and 1.3. Customers who have overridden their Secure Relay to use deprecated SMTP encryption standards, like SSLv3, must remove the override. The only allowed values are 'Tls12', 'Tls13', or 'TLS12,Tls13' for automatic switching based on the server version. Using unsupported values will prevent the relay from starting.
- New 10-hour "defer time" (Golden Ticket IoA) to allowlist legitimate users during this period, reducing the number of false positives.
- IoA setup — Ability to choose the event gathering duration before triggering event analysis. Values are bounded from 30 seconds to 9 minutes.
- Active Directory — Tenable Identity Exposure increased the size limit for the AD objects it manages.
Indicators of Exposure
- Dangerous Kerberos Delegation
  - No longer considers users with smartcards a security issue, as they are not affected by the AS-REP Roasting attack.
  - No longer flags computers as deviant for the reason "Not protected against delegation"; it resolves any existing deviances.
  - A new reason reports all accounts where the attribute used by constrained delegation (msDS-AllowedToDelegateTo) refers to a Service Principal Name (SPN) that does not exist.
  - A new reason detects the current configuration of Kerberos delegation on the Microsoft Entra Connect account (AZUREADSSOACC).
- User Primary Group IoE — An additional reason reports all accounts where the primaryGroupID attribute appears empty due to insufficient rights.
- Accounts With Never Expiring Passwords — A new reason distinguishes privileged users from regular users.
- Conflicting Security Principals — A new IoE checks that there are no duplicated (conflicting) objects such as users, computers, or groups.
- User Account Using Old Password, Computers Running an Obsolete OS, and Dormant Accounts — Two new reasons distinguish privileged users from regular users.
- Domain Without Computer-Hardening GPOs
  - New checks to ensure that null sessions are explicitly disabled on all domain computers.
  - New checks related to hardened UNC paths configured for domain controllers (SYSVOL/NETLOGON shares).
  - New checks to ensure that the Print Spooler service is disabled on all domain controllers.
- SMB signing enforcement — Tenable Identity Exposure ensures proper SMB signing enforcement on domain controllers and other servers. It validates the "Default Domain Controllers Policy" parameter and checks for correct GPO configuration on other servers.
Tenable Identity Exposure version 3.77.x contains the following bug fixes:
Bug Fix |
---|
The "Allowed Users" option in the "Protected Users Group Not Used" Indicator of Exposure now allows whitelisting users by UserPrincipalName (UPN), SID, and sAMAccountName, instead of the previous method of using only Distinguished Name. |
The Indicator of Attack listener now supports non-ASCII encoding. |
Tenable Identity Exposure does not trigger the "Application of Weak Password Policies on Users" deviance for computers within a whitelisted container (configured in the profile). |
Tenable Identity Exposure shows a warning message advising you to take a system snapshot before upgrading. |
Tenable Identity Exposure improved the rollback process by removing residual items. |
Tenable Identity Exposure resolved the Indicator of Exposure display when viewing the details of read-only profiles. |
Envoy now prioritizes IPv4 resolution and falls back to IPv6, correcting the previous configuration, which did the opposite. |
Ability to secure the login session cookie to ensure that the session cookies are only sent over HTTPS, enhancing the security of the web application. |
The Secure Relay Scheduled Task now has the valid parameter -AfadRolePath. During an upgrade, Tenable Identity Exposure removes and re-creates the Scheduled Tasks. |
Tenable Identity Exposure now ensures a successful construction of the Tier0 asset graph. |
The security analysis service now processes its inputs during high CPU peaks (such as during security checks). |
Tenable Identity Exposure shows a successful description on health check issues with unknown status. |
Tenable Identity Exposure correctly parses trust attributes (even when they are missing in rare scenarios) to show the topology view without issues. |
The Indicator of Attack (IoA) deadlock issue no longer occurs on the machine hosting the security analysis service. |
The Health Check for the AD Data Collector service now reports as true. |
The Application of Weak Password Policies on Users IoE now handles edge cases related to option limits better. |
The Secure Relay installer no longer triggers after the upgrade and restart of the Directory Listener. |
Tenable Identity Exposure now prevents the Secure Relay from repeatedly sending LDAP query results that are no longer required by the security analysis service. |
The DCSync IoA now accounts for the edge case where the 'samAccountName' of the Tenable service account exceeds 20 characters, ensuring that alerts do not trigger when the Privileged Analysis feature is enabled. |
When using the installer in a localized version, an error message displays in English upon uploading invalid certificates. |
The Privileged AD User Accounts Synchronized to Microsoft Entra ID IoE no longer requires the option "Whitelist computers". |
The Password Guessing IoA's option "Detection time interval" now shows the correct label. |
The Tenable Identity Exposure user interface no longer loads twice when accessing the base URL of the Tenable Identity Exposure environment. |
Tenable Identity Exposure updated permissions behaviors related to the Indicators of Exposure pages. |
Tenable Identity Exposure enhanced its ability to prevent SQL queries from executing indefinitely on small SaaS platforms, ensuring reliable database accessibility. |
Tenable Identity Exposure now shows all Entra ID IoEs on the IoE pane. |
Tenable Identity Exposure remediated false positives caused by Password Spraying Indicator of Attack (and potentially other IoAs). |
For some edge cases, Tenable Identity Exposure updated the Secure Relay installation process for domain-joined machines: customers using a Domain Admin account now receive a prompt advising them to use a Local Admin account instead. |
Tenable Identity Exposure introduced a mechanism during the Relay startup to perform a network check between the Relay and the platform. If the platform is not yet operational, the Relay startup process waits to ensure a stable connection before proceeding. |
If you have a Tenable One license, the user creation takes place in Tenable Vulnerability Management and propagates to Tenable Identity Exposure. In this case, when you click the "Create user" button in Tenable Identity Exposure, a message appears to direct you to Tenable Vulnerability Management to create users. |
The Tenable Identity Exposure installer now works correctly for localized versions. |
Tenable Identity Exposure uninstalls the older .NET version during a major upgrade. |
Tenable Identity Exposure resolved a logging issue in the "NTDS Extraction" IoA, ensuring it functions correctly in all scenarios. |
An update to the "Password Guessing" IoA with a new "detection time interval" option, which previously referred to the "Password Spraying" IoA erroneously. |
Optimization of the "Golden Ticket" IoA to eliminate occasional pauses in IoA and IoE analysis that previously lasted an hour or more. |
The enhanced detection algorithm in the "Golden Ticket" IoA reduces false negatives and false positives. |
Tenable Identity Exposure enhanced its ability to prevent SQL queries from executing indefinitely on small platforms, ensuring reliable database accessibility. |
Public API endpoint /export/profile/:profileId/checkers/:checkerId now works correctly without options. |
The MSI log files are available in C:\Tenable\Logs after an installation or an upgrade. |
Software Name | Pre-upgrade (from 3.42.20) | Pre-upgrade (from 3.59.8) | Post-upgrade |
---|---|---|---|
Tenable Identity Exposure | 3.42.20 | 3.59.8 | 3.77.3 |
C++ 2015-2019 Redistributable | 14.40.33810.0 | 14.40.33810.0 | 14.38.33135.0 |
.NET Windows Server Hosting | 6.0.35 | 6.0.35 | 8.0.10.24468 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 | 3.0.5311 |
NodeJS | 18.20.4 | 20.18.0 | 20.18.0 |
Erlang OTP | 26.2.5.4 | 26.2.5.4 | 26.2.5.4 |
Rabbit MQ | 3.12.14 | 3.12.4 | 3.12.14 (downgrade) |
SQL Server | 15.0.4385.2 | 15.0.4385.2 | 15.0.4385.2 |
OpenSSL | 1.1t | 3.2.0 | 3.3.2 |
Envoy | -- | 1.29.9 | 1.29.9 |
Handle | 5.0.0 | 5.0.0 | 5.0.0 |
Curl | 8.10.1 | 8.10.1 | 8.10.1 |
Tenable Identity Exposure 3.59.8 (2024-10-23)
Tenable Identity Exposure version 3.59.8 contains the following bug fixes:
Bug Fix |
---|
The Secure Relay Scheduled Task now has the valid parameter -AfadRolePath. During an upgrade, Tenable Identity Exposure removes and re-creates the Scheduled Tasks. |
Tenable Identity Exposure downgraded RabbitMQ to a more stable version. |
In localized versions of the Tenable Identity Exposure installer, invalid certificate uploads trigger an error message in English. |
Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.59.7 | 3.59.8 |
C++ 2015-2019 Redistributable | 14.40.33810.0 | 14.40.33810.0 |
.NET Windows Server Hosting | 6.0.32 | 6.0.35 |
.NET Runtime | 6.0.32 | 6.0.35 |
.Net Core | 6.0.32 | 6.0.35 |
ASP.NET Core | 6.0.32 | 6.0.35 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 20.14.0 | 20.18.0 |
Erlang OTP | 26.2.5.2 | 26.2.5.4 |
Rabbit MQ | 3.13.6 | 3.12.4 |
SQL Server | 15.0.4385.2 | 15.0.4385.2 |
OpenSSL | 3.3.0 | 3.3.2 |
Envoy | 1.29.5 | 1.29.9 |
Handle | 5.0.0 | 5.0.0 |
Curl | 8.9.1 | 8.10.1 |
Tenable Identity Exposure 3.42.20 (2024-10-23)
Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.42.19 | 3.42.20 |
C++ 2015-2019 Redistributable | 14.40.33810.0 | 14.40.33810.0 |
.NET Windows Server Hosting | 6.0.32 | 6.0.35 |
.NET Runtime | 6.0.32 | 6.0.35 |
.Net Core | 6.0.32 | 6.0.35 |
ASP.NET Core | 6.0.32 | 6.0.35 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 18.20.3 | 18.20.4 |
Erlang OTP | 26.2.5.2 | 26.2.5.4 |
MSSQL | 15.0.4385.2 | 15.0.4385.2 |
RabbitMQ | 3.12.14 | 3.12.14 |
OpenSSL (unchanged) | 1.1.1t | 1.1.1t |
SysInternals Handle | 5.0.0 | 5.0.0 |
cUrl | 8.91 | 8.10.1 |
Tenable Identity Exposure 3.59.7 (2024-08-14)
Tenable Identity Exposure version 3.59.7 contains the following bug fixes:
Bug Fix |
---|
When the proxy changes on the Windows server, the .NET components now close and reopen their connection instead of disconnecting. |
Specific cases with spikes in the number of threads between the Directory Listener and the Relay no longer cause a loss of connectivity between these two services. |
The Register listener can now handle spaces in the account's samaccountname. |
Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.59.6 | 3.59.7 |
C++ 2015-2019 Redistributable | 14.40.33810.0 | 14.40.33810.0 |
.NET Windows Server Hosting | 6.0.32 | 6.0.32 |
.NET Runtime | 6.0.32 | 6.0.32 |
.Net Core | 6.0.32 | 6.0.32 |
ASP.NET Core | 6.0.32 | 6.0.32 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 20.14.0 | 20.14.0 |
Erlang OTP | 26.2.5.2 | 26.2.5.2 |
Rabbit MQ | 3.13.6 | 3.13.6 |
SQL Server | 15.0.4375.4 | 15.0.4385.2 |
OpenSSL | 3.3.0 | 3.3.0 |
Envoy | 1.29.5 | 1.29.5 |
Handle | 5.0.0 | 5.0.0 |
Curl | 8.7.1 | 8.9.1 |
Tenable Identity Exposure 3.42.19 (2024-08-14)
Tenable Identity Exposure version 3.42.19 contains the following bug fixes:
Bug Fix |
---|
Tenable Identity Exposure hardened the Trail Flow query engine against SQL injection attacks, significantly reducing the risk of users exploiting it to dump the database. |
Deviance remediation for the Accounts Using a Pre-Windows 2000 Compatible Access Control IoE now appears correctly. |
Credential Dumping: LSASS Memory Indicator of Attack — A change in the correlation for the process name in the attack vector of this IoA to decrease the number of unknowns. |
A new mechanism ensures that the database is resilient to having too many modifications in the badPwdCount attribute. In certain edge cases, the service responsible for managing the rate of bad password count events experienced a disconnection from the message queue manager, causing interruptions in event handling. |
Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.42.18 | 3.42.19 |
cUrl | 8.4.0 | 8.91 |
SysInternals Handle | 5.0 | 5.0.0 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 |
.NET Runtime | 6.0.28 | 6.0.32 |
NodeJS | 18.19.1 | 18.20.3 |
MSSQL | 15.0.4355.3 | 15.0.4385.2 |
RabbitMQ | 3.12.13 | 3.12.14 |
Erlang OTP | 26.2.3 | 26.2.5.2 |
OpenSSL (unchanged) | 1.1.1t | 1.1.1t |
C++ 2015-2022 Redistributable (unchanged) | 14.38.33130.0 | 14.40.33810.0 |
ASP.NET Core | 6.0.28 | 6.0.32 |
Tenable Identity Exposure 3.59.6 (2024-08-05)
Tenable Identity Exposure version 3.59.6 contains the following bug fixes:
Bug Fix |
---|
The Secure Relay installer now checks if the current user is a local administrator. |
When installing the Secure Relay on a domain-joined machine using a Domain Admin account, a pop-up message appears to instruct you to use a Local Admin account. |
Proxy changes on the machine hosting the security analysis service (Cygni) no longer create a deadlock. |
Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.59.5 | 3.59.6 |
C++ 2015-2019 Redistributable | 14.40.33810.0 | 14.40.33810.0 |
.NET Windows Server Hosting | 6.0.31 | 6.0.32 |
.NET Runtime | 6.0.31 | 6.0.32 |
.Net Core | 6.0.31 | 6.0.32 |
ASP.NET Core | 6.0.31 | 6.0.32 |
IIS URL Rewrite Module 2 | 7.21993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 20.14.0 | 20.14.0 |
Erlang OTP | 26.2.5 | 26.2.5.2 |
Rabbit MQ | 3.13.3 | 3.13.6 |
SQL Server | 15.0.4375.4 | 15.0.4375.4 |
OpenSSL | 3.3.0 | 3.3.0 |
Envoy | 1.29.5 | 1.29.5 |
Handle | 5.0.0 | 5.0.0 |
Curl | 8.7.1 | 8.7.1 |
Tenable Identity Exposure 3.59.5 (2024-07-02)
- OpenSSL 3.0 Support — This release upgrades OpenSSL to version 3.0.x. As a result, X.509 certificates signed with SHA1 no longer work at security level 1 or higher. TLS defaults to security level 1, which makes SHA1-signed certificates untrusted for authenticating servers or clients.
  You must upgrade your certificates in response to this change. If you continue the installation without updating your certificates to use OpenSSL 3.0, the Tenable Identity Exposure installer returns the following error messages with recommended fixes:
  Refer to the OpenSSL 3.0 release notes for more information.
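The SHA1 restriction described above can be checked for before the upgrade rather than discovered when the installer fails. The following is an added example, not Tenable code and not part of the original release notes: using only the Python standard library, it reads the signatureAlgorithm field of a PEM certificate with a minimal DER reader (the outer Certificate structure only, not a full X.509 parser) and flags the SHA-1 based signature OIDs that OpenSSL 3.x rejects at security level 1 or higher. The sample certificates at the bottom are constructed DER skeletons with a stub tbsCertificate and a dummy signature value; they exercise the parser but are not usable certificates. Run it over your real CA bundle or server certificate instead.

```python
"""Pre-upgrade check for SHA-1 signed X.509 certificates (added example, not Tenable code).

Reads Certificate.signatureAlgorithm from PEM input with a minimal DER reader, so it
needs only the standard library. It inspects structure only and does not verify signatures.
"""
import base64
import re

# Signature algorithm OIDs built on SHA-1; OpenSSL 3.x rejects these at security level 1 or higher.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

# Common SHA-2 signature algorithms, listed only to give readable names in the report.
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted notation."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this base-128 arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace, then base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


def signature_algorithm_oid(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.

    signatureAlgorithm is the second element of the outer SEQUENCE; its first element is the OID.
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("input is not a DER SEQUENCE")
    tag, _, after_tbs = _read_tlv(cert, 0)  # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_id, _ = _read_tlv(cert, after_tbs)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)


def check_certificate(pem: str) -> dict:
    """Report the signature algorithm of one PEM certificate and whether it is SHA-1 based."""
    oid = signature_algorithm_oid(pem_to_der(pem))
    name = SHA1_SIGNATURE_OIDS.get(oid) or SHA2_SIGNATURE_OIDS.get(oid) or oid
    return {"oid": oid, "algorithm": name, "sha1": oid in SHA1_SIGNATURE_OIDS}


def scan_pem_bundle(text: str) -> list:
    """Check every CERTIFICATE block in a PEM bundle (for example a CA chain file)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    return [check_certificate(block) for block in blocks]


def _der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here only to build the constructed samples)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# Constructed samples: a stub tbsCertificate (SEQUENCE { INTEGER 0 }), a real
# AlgorithmIdentifier and a dummy signature BIT STRING. Not valid certificates.
SAMPLE_SHA1_PEM = _der_to_pem(bytes.fromhex(
    "3018" "3003020100" "300d06092a864886f70d010105" "0500" "03020000"))
SAMPLE_SHA256_PEM = _der_to_pem(bytes.fromhex(
    "3018" "3003020100" "300d06092a864886f70d01010b" "0500" "03020000"))
SAMPLE_ECDSA_SHA256_PEM = _der_to_pem(bytes.fromhex(
    "3015" "3003020100" "300a06082a8648ce3d040302" "03020000"))

if __name__ == "__main__":
    bundle = SAMPLE_SHA1_PEM + SAMPLE_SHA256_PEM + SAMPLE_ECDSA_SHA256_PEM
    for result in scan_pem_bundle(bundle):
        verdict = "REPLACE before upgrading" if result["sha1"] else "ok"
        print(f'{result["algorithm"]:28} {verdict}')
```

Point `scan_pem_bundle` at the concatenated text of the certificates the platform trusts (CA chain, server, client and LDAPS certificates); any entry reported with `sha1` set to true is one the OpenSSL 3.x default security level will reject and must be reissued before the upgrade.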
- To upgrade to version 3.59.5, see the upgrade requirements and procedures in the Tenable Identity Exposure User Guide.
Tenable Identity Exposure version 3.59.5 contains the following bug fixes:
Bug Fix |
---|
The SAML-generated Tenable certificates now use a 4096-bit key size with SHA-256 signatures (previously 1024-bit). |
Implementation of a security mechanism addresses the user enumeration capability during account lockouts. |
An update of the TLS cipher suite list ensures compatibility with Azure ARC Update Manager for Windows Server 2022. |
The Secure Relay installation can now proceed after a failed upgrade of Tenable Identity Exposure. |
Deviance remediation for the Accounts Using a Pre-Windows 2000 Compatible Access Control Indicator of Exposure now appears correctly. |
The Relay now ensures reliable Syslog message delivery across networks with latency. |
A change in the correlation for the process name in the attack vector of the Credential Dumping: LSASS Memory Indicator of Attack decreases the number of unknowns. |
A new mechanism ensures that the database is resilient to having too many modifications in the badPwdCount attribute. In certain edge cases, the service responsible for managing the rate of bad password count events experienced a disconnection from the message queue manager, causing interruptions in event handling. |
The web application now supports uploading an ECC CA certificate to use for validation of TLS connections, including LDAPS authentication, SMTPS, and more. |
Activity logs no longer report internal services activity. |
Rollback resilience is now enhanced after upgrade failures, ensuring environment variables remain unchanged. |
Enhancements to error messages for clearer guidance when the installer fails during the communication test between the Relay and the platform. |
Secure Relay installation: The "Proxy Configuration" screen shows empty editable boxes to avoid a potential default rollback. |
Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.59.4 | 3.59.5 |
C++ 2015-2019 Redistributable | 14.24.28127.4 | 14.40.33810.0 |
.NET Windows Server Hosting | 6.0.27 | 6.0.31 |
.NET Runtime | 6.0.27 | 6.0.31 |
ASP.NET Core | 6.0.27 | 6.0.31 |
IIS URL Rewrite Module 2 | 7.21993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.05311 | 3.0.5311 |
NodeJS | 18.19.0 | 20.14.0 |
Erlang OTP | 26.2.2 | 26.2.5 |
Rabbit MQ | 3.12.12 | 3.13.3 |
SQL Server | 15.0.4335.1 | 15.0.4375.4 |
OpenSSL | 1.1.1t | 3.3.0 |
Envoy | 1.29.4 | 1.29.5 |
Handle | 5.0.0 | 5.0.0 |
Curl | 8.4 | 8.7.1 |
Tenable Identity Exposure 3.59.4 (2024-02-20)
- Secure Relay — Introducing a new mode of transfer for your Active Directory data from your network to Tenable Identity Exposure using Transport Layer Security (TLS) instead of Advanced Message Queuing Protocol (AMQP). For more information, see Upgrade to Use Secure Relay in the Installation Guide and Configure the Relay in the Administration Guide.
  - Alerting and Authentication — The Secure Relay supports Syslog and SMTP alerting. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.
  - Authentication — You can configure LDAP Authentication by selecting a Secure Relay. This relay reaches your LDAP Server to authenticate the user.
  - Alerts — The Syslog and SMTP alerting functions can send alerts to private servers through a Secure Relay. When creating an alert, the Secure Relay platform asks you to select a Relay. You can set up Relays and use them for domain monitoring, alerting, or both.
    If you use Secure Relay and have existing alerts, the Tenable Identity Exposure 3.45 update automatically assigns a Relay to them for service continuity. You can edit this Relay for reasons related to your Relay-VM network rules or your preferences.
  - Basic Authentication and Unauthenticated HTTP Proxy Support — The Relay feature also supports an HTTP proxy with basic authentication or no authentication if your network requires a proxy server to reach the Directory Listener server. For more information, see Secure Relay in the Tenable Identity Exposure Administrator Guide.
- Entra ID Support — This feature extends the scope of Tenable Identity Exposure to Microsoft Entra ID (formerly Azure AD) in addition to Active Directory. The following are new Entra ID-focused Indicators of Exposure (IoEs) now available to identify vulnerabilities within Entra ID:
  - Known Federated Backdoor — A Microsoft Entra tenant can federate with an external domain to establish trust with another domain for authentication and authorization. Organizations use federation to delegate authentication for Active Directory users to their on-premises Active Directory Federation Services (AD FS). (Note: the external domain is not an Active Directory "domain".) But if malicious actors gain elevated privileges in Microsoft Entra ID, they can abuse this federation mechanism to create a backdoor by adding their own federated domain or editing an existing one to add a secondary configuration with their own settings.
  - First-Party Service Principal with Credentials — First-Party Service Principals (Enterprise Applications) come from applications (Application Registrations) belonging to Microsoft. Most of them have sensitive permissions in Microsoft Entra ID that are often overlooked during security reviews. This allows attackers to add credentials to them to benefit stealthily from their privileges.
  - Privileged Entra Account Synchronized With AD (Hybrid) — Checks for hybrid accounts, specifically those synchronized from Active Directory that have privileged roles in Entra ID. These accounts pose a security risk because they allow attackers who compromise AD to pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts.
  - Dangerous API Permissions Affecting the Tenant — Certain permissions on some Microsoft APIs can pose a serious threat to the entire Microsoft Entra tenant, because a service principal with these permissions becomes powerful while being more discreet than a user with a powerful administrator role such as Global Administrator. Abusing this can allow an attacker to bypass Multi-Factor Authentication (MFA) and resist user password resets.
  - Missing MFA for Privileged Account — Multi-Factor Authentication (MFA) provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it. This IoE alerts you when a privileged account does not have a registered MFA method or if you enforce MFA without registering a method, which can allow attackers with a password to register their own MFA methods and create a security risk.
  - Missing MFA for Non-Privileged Account — Multi-Factor Authentication (MFA) provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it. This IoE alerts you when a non-privileged account does not have a registered MFA method or if you enforce MFA without registering a method, which can allow attackers with a password to register their own MFA methods and create a security risk.
  - High Number of Administrators — Administrators have elevated privileges by definition. A high number of them poses a security risk because it increases the attack surface: there is a higher chance that one of them gets compromised. It is also a sign that the least-privilege principle is not respected.
- New Indicators of Attack (IoA)
  - DC Password Change — Related to Zerologon, this IoA focuses on a specific post-exploitation activity that attackers commonly use in conjunction with the Netlogon vulnerability: the modification of the Domain Controller machine account password. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.
  - Zerologon — Detects a failure in the Netlogon authentication process which indicates that attackers are trying to exploit the Zerologon vulnerability to gain privileges on the domain. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.
  - Domain Backup Key Extraction — Detects a wide variety of attack tools that use LSA RPC calls to access backup keys. For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.
- Indicators of Exposure (IoE)
  - New IoEs:
    - Unsecure Dynamic DNS Zone Updates Allowed — Identifies insecure configuration of dynamic DNS zone updates, which can lead to unauthenticated editing of DNS records, making them vulnerable to rogue DNS records.
    - Property Sets Sanity — Checks for any misconfiguration or backdoor from malicious actors present in Property Sets and their attributes within the AD schema. While there are currently no known public attack vectors associated with the use of property sets, this IoE focuses primarily on identifying misconfigurations or peculiarities stemming from third-party products that use this feature.
    - WSUS Dangerous Misconfigurations — Checks Windows Server Update Services (WSUS), a Microsoft product that deploys Windows updates to workstations and servers, for misconfigured settings that can lead to an elevation to administrator privileges from a standard account.
    - Detection of Password Weaknesses — Checks for robust passwords to ensure the security of Active Directory authentication. Weak passwords arise from factors such as insufficient complexity, outdated hashing algorithms, shared passwords, and exposure in leaked databases. Attackers exploit these weaknesses to impersonate accounts, which is particularly concerning for privileged ones, enabling unauthorized access within the Active Directory.
    - DFS Misconfiguration — Checks that SYSVOL uses Distributed File System Replication (DFSR), a mechanism that replaced the File Replication Service (FRS) for better robustness, scalability, and replication performance.
  - Deviant object exclusions — Tenable Identity Exposure allows exclusions for deviant objects in selected IoEs, including:
    - Group: Logon Restrictions for Privileged Users
    - Operating System: Computers Running an Obsolete OS
    - Organizational Unit: Logon Restrictions for Privileged Users, Computers Running an Obsolete OS, Application of Weak Password Policies on Users, Dormant Accounts, User Account Using Old Password
  - IoE analysis — On-premises users can now disable IoE analysis on the default Tenable security profile to reduce resource usage and achieve a lower latency in the security analysis. To implement this, you set the ALSID_CASSIOPEIA_CYGNI_Application__IOE__IgnoreDefaultProfile environment variable on the Security Engine Node (SEN) to true and restart the Cygni service.
- Reporting Center — This feature offers a way to export important data as reports to key stakeholders in an organization using a streamlined report creation process. For more information, see the Reporting Center in the Tenable Identity Exposure Administrator Guide.
- Dashboard templates — Ready-to-use templates help you focus on the priority issues that concern your organization such as compliance, risk, password management, and user/admin monitoring. For more information, see Dashboards in the Tenable Identity Exposure User Guide.
- Platform health check capabilities — Tenable Identity Exposure lists the platform health checks it performed in a consolidated view to enable you to investigate and resolve configuration anomalies promptly. For more information, see Health Checks in the Tenable Identity Exposure Administrator Guide.
- Onboarding — For enhanced security, the onboarding process now requires that users change the default credentials provided for the initial login when they log in for the first time. Tenable Identity Exposure also enhanced the rules for a new password.
- Scalability — Tenable Identity Exposure improved the performance of Indicators of Attack on the service side to handle events of interest on a greater scale for better IoA accuracy and latency. For more information, see Scale Tenable Identity Exposure Services in the Tenable Identity Exposure Installation Guide.
- Trail Flow
  - Tenable Identity Exposure receives events from Active Directory promptly as soon as changes appear. However, for high-frequency changes in large groups, it applies a 10-minute delay to aggregate events before notifying the rest of the system, preventing performance issues.
  - It is now possible to filter Trail Flow events by both date and time.
Tenable Identity Exposure version 3.59.4 contains all bug fixes since version 3.42.
Tenable Identity Exposure on-premises version 3.59.4 offers significant enhancements to safeguard your Active Directory infrastructure. This release includes updates to certain dependencies to prioritize software security and ensure up-to-date components for improved protection. The components are:
- Storage Manager (SM)
- Security Engine Node (SEN)
- Directory Listener (DL)
Software Name | Component | Pre-upgrade Version | Post-upgrade Version |
---|---|---|---|
Tenable Identity Exposure | | 3.42 | 3.59 |
C++ 2015-2019 Redistributable | All (unchanged) | 14.24.28127.4 | 14.24.28127.4 |
.NET Windows Server Hosting | SEN, DL | 6.0.22.23424 | 6.0.27 |
.NET Runtime | SEN, DL | 6.0.22.32824 | 6.0.27 |
ASP.NET Core | SEN, DL | 6.0.22.23424 | 6.0.27 |
IIS URL Rewrite Module 2 | SEN (unchanged) | 7.2.1993 | 7.21993 |
Application Request Routing 3.0 | SEN (unchanged) | 3.0.05311 | 3.0.05311 |
NodeJS | SM, SEN | 18.18.0 | 18.19.0 |
Erlang OTP | SEN | 26.1.1 | 26.2.2 |
Rabbit MQ | SEN | 3.12.6 | 3.12.12 |
SQL Server | SM | 15.0.4322.2 | 15.0.4335.1 |
Tenable Identity Exposure 3.42.18 (2024-04-18)
See Tenable Identity Exposure 3.42 (2023-04-06) On-premises Release Notes for the complete list of new features, bug fixes, and patches.
Tenable Identity Exposure version 3.42.18 contains the following patches:
Patch | Defect ID |
---|---|
SAML-generated Tenable certificates now use a robust 4096-bit key size with SHA256, an enhancement from the previous 1024-bit size. | N/A |
Attack Path enhancements | N/A |
Tenable Identity Exposure now refreshes CA certificates properly following updates in the Syslog alert configuration. | N/A |
Tenable Identity Exposure now applies the neutralization of formula elements in a CSV file, commonly known as CSV injection. | N/A |
When Tenable Identity Exposure analyzes a 4776 event that lacks a hostname, resulting in an "Unknown" source, it now appropriately filters it out based on the "Allow Unknown source" option of the Password Guessing Indicator of Attack. | N/A |
DCSync Indicator of Attack enhancements | N/A |
The Indicator of Attack events listener can once again run on Windows Server versions older than 2016. | N/A |
A new mechanism ensures that the database is resilient to having many badPwdCount attribute modifications. | N/A |
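The CSV injection patch in the table above refers to a defensive transformation that is worth seeing concretely. The following is an added example, not Tenable code and not part of the original release notes: it neutralizes cells that a spreadsheet would interpret as a formula (a leading =, +, -, @, tab or carriage return, following the usual OWASP guidance) by prefixing them with a single quote so they render as literal text, leaves plain numbers such as -5 untouched so they still import as numbers, and writes the rows with full quoting so embedded quotes and separators cannot break out of their cell. The sample rows are constructed.

```python
"""Neutralize spreadsheet formula triggers in exported CSV (added example, not Tenable code)."""
import csv
import io
import re

# Leading characters that Excel, LibreOffice and Google Sheets treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers (optionally signed, optional decimals) are legitimate data, not formulas.
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def neutralize_cell(value) -> str:
    """Return the cell text, prefixed with a single quote if a spreadsheet would evaluate it.

    The quote makes the spreadsheet display the content as literal text. Numbers are left
    alone so that -5 still imports as a number rather than as the text '-5.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.match(text):
        return "'" + text
    return text


def is_formula_like(value) -> bool:
    """Detection helper: True if neutralize_cell would change this cell."""
    return neutralize_cell(value) != ("" if value is None else str(value))


def rows_to_safe_csv(rows) -> str:
    """Serialize rows to CSV text with every cell neutralized and quoted.

    csv.QUOTE_ALL wraps each cell in double quotes and doubles embedded quotes, so a value
    containing a comma, newline or quote cannot spill into neighbouring cells.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample export: a header, a negative number, a cell shaped like a formula,
# and a cell with a leading @ plus embedded quotes.
SAMPLE_ROWS = [
    ["account", "badPwdCount", "description"],
    ["alice", -5, "Service account"],
    ["bob", 0, '=HYPERLINK("http://example.invalid","open")'],
    ["carol", 0, '@reviewed, says "ok"'],
]

if __name__ == "__main__":
    print(rows_to_safe_csv(SAMPLE_ROWS), end="")
```

The check runs on the way out of the application, at serialization time, so it protects every export path at once; the description field of an AD object is attacker-influenced data from the exporter's point of view, which is why the neutralization applies to all cells rather than to a chosen few.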
Tenable Identity Exposure on-premises version 3.42.11 offers significant enhancements to safeguard your Active Directory infrastructure. This release includes updates to certain dependencies to prioritize software security and ensure up-to-date components for improved protection.
Software Name | File Name | Version 3.42.3 | Version 3.42.11 | Version 3.42.17 | Version 3.42.18 |
---|---|---|---|---|---|
cUrl | curl.exe | 7.66.0 | 8.0.1 | 8.4.0 | 8.4.0 |
SysInternals Handle | handle.exe | 4.22.0 | 5.0.0 | 5.0 | 5.0 |
IIS URL Rewrite Module 2 | rewrite_amd64_en-US.msi | 7.2.1980 | 7.2.1993 | 7.2.1993 | 7.2.1993 |
.net Runtime | dotnet-hosting-6.0.14-win.exe | 6.0.14 | 6.0.16 | 6.0.22.32824 | 6.0.28 |
NodeJS | node-x64.msi | 16.19.1 | 16.20.0 | 18.18.0 | 18.19.1 |
MSSQL | setup.exe | 2019.150.2000.5 | 2019.150.4312.2 | 15.0.4322.2 | 15.0.4355.3 |
RabbitMQ | rabbitmq-server.exe | 3.10.11 | 3.10.19 | 3.12.6 | 3.12.13 |
Erlang OTP | otp_win64.exe | 25.1.2 | 25.1.2 | 26.1.1 | 26.2.3 |
C++ 2015-2022 Redistributable (unchanged) | vcredist_2015_x64.exe | 14.24.28127.4 | 14.24.28127.4 | 14.24.28127.4 | 14.38.33130.0 |
ASP.NET Core | dotnet-hosting-win.exe | 6.0.14 | 6.0.16 | 6.0.22.23424 | 6.0.28 |