BeyondTrust Integration Query Optimization

Summary

In an effort to improve performance and usability, we have made changes to the BeyondTrust integration. We have reduced the overall number of API calls, changed the requirements to register target systems, and introduced caching of domain-linked accounts.

A domain-linked account is a managed account of a domain, which is linked to a managed system. A domain-linked account is also known simply as a “linked account”.

Changes

• When using domain-linked accounts, it is no longer necessary to register individual targets in BeyondTrust, with three caveats:
  • You will still need to add any targets for which you would like to use privilege escalation, because these targets must have their escalation command set.
  • Domain-linked accounts must be linked to at least one managed system in BeyondTrust, therefore at least one target system must be registered in BeyondTrust.
  • In order to uniquely identify domain-linked accounts, the domain must be specified in the credential settings. If the domain is not specified in the credential settings, then the target must be registered in BeyondTrust and the domain account must be linked to it.
• We are adding caching of domain-linked accounts, with the caveat that in order to use the cache the domain must be specified in the credential settings.
• There is no change to local accounts (managed accounts of managed systems).
• When registering target systems, it is no longer necessary to register them both as assets and as managed systems, it is sufficient to just register them as managed systems.

Impact

If you are using the BeyondTrust integration and domain-linked accounts, please review your credential configurations. Tenable recommends specifying the domain for Windows domain-linked accounts.

Applies To

Tenable Nessus

Tenable Vulnerability Manager

Tenable Security Center

Target Release Date

August 14th