Tenable Identity Exposure 2025 On-Premises Release Notes

• Exposure Center—A feature that enhances your organization's identity security posture. It identifies weaknesses and misconfigurations across your identity risk surface, covering both the underlying identity systems, such as Entra ID, and the identities within those systems.

• Identity 360—A new identity-centric feature in Tenable Identity Exposure that provides a rich and exhaustive inventory of every identity across the organization's identity risk surface.

  This feature unifies identities across Active Directory and Entra ID and enables them to be ranked by their risk, so you can rank identities across your organization from most risky to least risky.

Active Directory (AD) Indicators of Exposure (IoE)

• Sensitive Exchange Permissions — This IoE manages permissions related to Exchange groups and resources within the domain. It now shows exclusively all permissions either originating from or targeting Exchange to enhance readability in other IoEs.

• Exchange Group Members — This IoE tracks members of sensitive Exchange groups.

• Unsupported or Outdated Exchange Servers — This IoE detects outdated Exchange servers that Microsoft no longer supports as well as those missing the latest Cumulative Updates. To maintain a secure and fully supported Exchange environment, promptly address obsolete or unpatched servers. Failure to do so increases the risk of exploitation, exposing your organization to data breaches and ransomware attacks.

• Exchange Dangerous Misconfigurations to list misconfigurations that impact Exchange resources or its underlying Active Directory schema objects.

• Exchange Group Members — This IoE tracks members of sensitive Exchange groups.

• ADCS Dangerous Misconfigurations — This IoE identifies issuance policies (enterprise OIDs) that allow principals to become member of AD groups implicitly.

• Domain Without Computer-Hardening GPOs — This IoE checks the GPO setting "Block NTLM over SMB".

Other Features

• Health Check — A new domain health check enhances confidence in your Indicator of Attack deployment by identifying and addressing known errors on a per-domain basis. For more information, refer to Health Checks in the Tenable Identity Exposure User Guide.

• Usability — Tenable Identity Exposure now helps customers get visibility on the recent report by the "5 eyes" or their civilian agencies.

Indicators of Exposure

• Single Member AD / Entra Group — The IoE now shows the group member in the "Why it matters" description.

• First-Party Service Principal With Credentials — The IoE now shows the details for the identified credentials in the "Why it matters" description.

• Single Member AD / Entra Group and Empty Group — These IoEs now only count direct members for more accurate and meaningful results.

• Mapped Certificates on Accounts

  • This IoE now reports weak explicit certificate mappings, addressing the AD CS ESC14 Abuse Technique.

  • This IoE previously reported privileged users with only two types of mappings: X509IssuerSubject and X509SubjectOnly. It has now expanded its original scope to include additional mappings — X509RFC822, X509IssuerSerialNumber, X509SKI, and X509SHA1PublicKey.

• Domain Without Computer-Hardening GPOs — New checks related to the Windows Defender Credential Guard security feature, used to protect in-memory credentials.

• Ensure SDProp Consistency — Improved recommendations.

• Shadow Credentials — Improved recommendations for remediation of Return of Coppersmith’s Attack (ROCA). Introduction of a new option to remove potential false positives related to hybrid environments with Entra ID when the "device writeback" feature is disabled. This has an impact on the "Orphan Key Credential" reason in this IoE.

• Managed Service Accounts Dangerous Misconfigurations — Improvement in this IoE to include support for groups, enabling streamlined control of access to a gMSA.

• Security Profile Customization — Improved description for the options "Permitted object owner (by group membership)" for applicable IoEs.

• Two new options to enhance control over object ownership and permissions by group membership:

  • Permitted Object Owner (by Group Membership): Allows security principals to be designated as object owners through their group membership.

  • Permitted Trustees List (by Group Membership): Enables the assignment of special permissions to security principals based on their group membership.

• Unsecured Configuration of Netlogon Protocol - Tenable Identity Exposure now sets the default value of the "Skip registry key check" option to "true". This change assumes that users have applied the February 9, 2021 updates. This modification applies only to the default profile, leaving custom profiles unaffected.

• Password Management Risk — Added the Detection of Password Weaknesses IoE widget into the dashboard template.

• Root Objects Permissions Allowing DCSync-Like Attacks — Now includes a new option, "Keep MSOL_* accounts," which allows you to exclude those accounts and reduce false positives. By default, this option is disabled in the security profile, so the IOE does not flag MSOL_* accounts as deviant.

Indicators of Attack

• Golden Ticket IoA— Improved attack vector text.

• DCSync does not trigger an alert if its source comes from a username with a prefix MSOL_ (hardcoded and valid for basic mode only).

• Enumeration of Local Administrators does not trigger an alert if the target IP is unknown.

• Golden Ticket only triggers an alert if an attacker authenticated after forging a TGT (basic mode only).

• OS Credential Dumping: LSASS Memory does not trigger an alert if the tool belongs to Arctic Wolf Network (basic mode only).

• These IoAs no longer trigger alerts in the following cases:

  • DC Sync— When the source is a user or hostname related to the Azure ADConnect tool (basic mode only).

  • NTDS Extraction — When the source tool is either VSS Requestor or Veeam (legitimate backup tools).

  • Enumeration of Local Administrators — When the IoA cannot find the source user SID (basic mode only).

  • Petit Potam — When the IoA cannot retrieve the associated logon event.

  • Golden Ticket — When the IoA cannot fetch the source vectors (basic mode only).

Other Enhancements

• Identity 360 and Exposure Overview now redirect to the Exposure Instances page when drilling down on the related weaknesses

• Trust Attributes and Types in Directory Services

  • The trustType attribute now supports the TTAAD (TRUST_TYPE_AAD) value.

  • The trustAttributes attribute now supports the TDAV (TRUST_ATTRIBUTE_DISABLE_AUTH_TARGET_VALIDATION) value.

• Tenable One Container Change — To ensure an optimal product experience, Tenable Identity Exposure now prevents switching to a different Tenable One container when you upload a new license file.

• Export function — Users can choose the separator (comma or semicolon) when performing a CSV export, enabling flexibility to suit various use cases. The browser remembers the last used separator for future exports.

• Identity 360 — Improved loading time for pages, such as asset details in the Access & Entitlement tabs.

• Permissions to Collect the AD Domain Data — Now hides the "Granted Permissions to Collect Privileged Data" details when Privileged Analysis is deactivated in the user interface. Make sure your Relay is up to date for this feature to work.

Tenable Identity Exposure version 3.93 contains the following bug fixes:

Tenable Identity Exposure version 3.77.10 contains the following bug fixes:

• Tenable Identity Exposure streamlined the rollback process to effectively revert the environment to its previous state, ensuring no residual clutter or inconsistencies remain.

  New Prerequisite: Ensure the storage manager has at least 20 GB of available disk space before initiating the rollback procedure. For information, see Resource Sizing in the Tenable Identity Exposure User Guide.

Tenable Identity Exposure version 3.77.9 contains the following bug fixes: