CINXE.COM
Privileged Authentication Silo Configuration | Tenable®
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><title>Privileged Authentication Silo Configuration<!-- --> | Tenable®</title><meta name="description" content="<p>Proper management of privileged accounts (users and computers) is important for security to limit the risks of a full Active Directory (AD) environment compromise. In the most recent versions of Windows (Windows Server 2012R2+), Microsoft provides features and a technical design to protect adequately such accounts using authentication silos and policies. This Indicator of Exposure aims to assist AD administrators in the implementation of a model designed to protect those highly privileged (i.e. "Tier-0") accounts.</p> "/><meta property="og:title" content="Privileged Authentication Silo Configuration"/><meta property="og:description" content="<p>Proper management of privileged accounts (users and computers) is important for security to limit the risks of a full Active Directory (AD) environment compromise. In the most recent versions of Windows (Windows Server 2012R2+), Microsoft provides features and a technical design to protect adequately such accounts using authentication silos and policies. This Indicator of Exposure aims to assist AD administrators in the implementation of a model designed to protect those highly privileged (i.e. "Tier-0") accounts.</p> "/><meta name="twitter:title" content="Privileged Authentication Silo Configuration"/><meta name="twitter:description" content="<p>Proper management of privileged accounts (users and computers) is important for security to limit the risks of a full Active Directory (AD) environment compromise. In the most recent versions of Windows (Windows Server 2012R2+), Microsoft provides features and a technical design to protect adequately such accounts using authentication silos and policies. This Indicator of Exposure aims to assist AD administrators in the implementation of a model designed to protect those highly privileged (i.e. 
"Tier-0") accounts.</p> "/><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="apple-touch-icon" sizes="180x180" href="https://www.tenable.com/themes/custom/tenable/images-new/favicons/apple-touch-icon-180x180.png"/><link rel="manifest" href="https://www.tenable.com/themes/custom/tenable/images-new/favicons/manifest.json"/><link rel="icon" href="https://www.tenable.com/themes/custom/tenable/images-new/favicons/favicon.ico" sizes="any"/><link rel="icon" href="https://www.tenable.com/themes/custom/tenable/images-new/favicons/tenable-favicon.svg" type="image/svg+xml"/><meta name="msapplication-config" content="https://www.tenable.com/themes/custom/tenable/images-new/favicons/browserconfig.xml"/><meta name="theme-color" content="#ffffff"/><link rel="canonical" href="https://www.tenable.com/indicators/ioe/ad/C-AUTH-SILO"/><link rel="alternate" hrefLang="x-default" href="https://www.tenable.com/indicators/ioe/ad/C-AUTH-SILO"/><link rel="alternate" hrefLang="en" href="https://www.tenable.com/indicators/ioe/ad/C-AUTH-SILO"/><meta name="next-head-count" content="18"/><script type="text/javascript">window.NREUM||(NREUM={});NREUM.info = {"agent":"","beacon":"bam.nr-data.net","errorBeacon":"bam.nr-data.net","licenseKey":"5febff3e0e","applicationID":"96358297","agentToken":null,"applicationTime":30.055049,"transactionName":"MVBabEEHChVXU0IIXggab11RIBYHW1VBDkMNYEpRHCgBHkJaRU52I2EXF1oIAA9VUUIOQxUaUVdWST8VQ1JiGEEDaBdjWgI5","queueTime":0,"ttGuid":"9432c2c43e0ad13b"}; (window.NREUM||(NREUM={})).init={ajax:{deny_list:["bam.nr-data.net"]}};(window.NREUM||(NREUM={})).loader_config={licenseKey:"5febff3e0e",applicationID:"96358297"};;/*! 
For license information please see nr-loader-rum-1.283.2.min.js.LICENSE.txt */ (()=>{var e,t,r={122:(e,t,r)=>{"use strict";r.d(t,{a:()=>i});var n=r(944);function i(e,t){try{if(!e||"object"!=typeof e)return(0,n.R)(3);if(!t||"object"!=typeof t)return(0,n.R)(4);const r=Object.create(Object.getPrototypeOf(t),Object.getOwnPropertyDescriptors(t)),o=0===Object.keys(r).length?e:r;for(let a in o)if(void 0!==e[a])try{if(null===e[a]){r[a]=null;continue}Array.isArray(e[a])&&Array.isArray(t[a])?r[a]=Array.from(new Set([...e[a],...t[a]])):"object"==typeof e[a]&&"object"==typeof t[a]?r[a]=i(e[a],t[a]):r[a]=e[a]}catch(e){(0,n.R)(1,e)}return r}catch(e){(0,n.R)(2,e)}}},555:(e,t,r)=>{"use strict";r.d(t,{Vp:()=>c,fn:()=>s,x1:()=>u});var n=r(384),i=r(122);const o={beacon:n.NT.beacon,errorBeacon:n.NT.errorBeacon,licenseKey:void 0,applicationID:void 0,sa:void 0,queueTime:void 0,applicationTime:void 0,ttGuid:void 0,user:void 0,account:void 0,product:void 0,extra:void 0,jsAttributes:{},userAttributes:void 0,atts:void 0,transactionName:void 0,tNamePlain:void 0},a={};function s(e){try{const t=c(e);return!!t.licenseKey&&!!t.errorBeacon&&!!t.applicationID}catch(e){return!1}}function c(e){if(!e)throw new Error("All info objects require an agent identifier!");if(!a[e])throw new Error("Info for ".concat(e," was never set"));return a[e]}function u(e,t){if(!e)throw new Error("All info objects require an agent identifier!");a[e]=(0,i.a)(t,o);const r=(0,n.nY)(e);r&&(r.info=a[e])}},217:(e,t,r)=>{"use strict";r.d(t,{D0:()=>m,gD:()=>v,xN:()=>h});r(860).K7.genericEvents;const n="experimental.marks",i="experimental.measures",o="experimental.resources",a=e=>{if(!e||"string"!=typeof e)return!1;try{document.createDocumentFragment().querySelector(e)}catch{return!1}return!0};var s=r(614),c=r(944),u=r(384),l=r(122);const d="[data-nr-mask]",f=()=>{const 
e={feature_flags:[],experimental:{marks:!1,measures:!1,resources:!1},mask_selector:"*",block_selector:"[data-nr-block]",mask_input_options:{color:!1,date:!1,"datetime-local":!1,email:!1,month:!1,number:!1,range:!1,search:!1,tel:!1,text:!1,time:!1,url:!1,week:!1,textarea:!1,select:!1,password:!0}};return{ajax:{deny_list:void 0,block_internal:!0,enabled:!0,autoStart:!0},distributed_tracing:{enabled:void 0,exclude_newrelic_header:void 0,cors_use_newrelic_header:void 0,cors_use_tracecontext_headers:void 0,allowed_origins:void 0},get feature_flags(){return e.feature_flags},set feature_flags(t){e.feature_flags=t},generic_events:{enabled:!0,autoStart:!0},harvest:{interval:30},jserrors:{enabled:!0,autoStart:!0},logging:{enabled:!0,autoStart:!0},metrics:{enabled:!0,autoStart:!0},obfuscate:void 0,page_action:{enabled:!0},page_view_event:{enabled:!0,autoStart:!0},page_view_timing:{enabled:!0,autoStart:!0},performance:{get capture_marks(){return e.feature_flags.includes(n)||e.experimental.marks},set capture_marks(t){e.experimental.marks=t},get capture_measures(){return e.feature_flags.includes(i)||e.experimental.measures},set capture_measures(t){e.experimental.measures=t},capture_detail:!0,resources:{get enabled(){return e.feature_flags.includes(o)||e.experimental.resources},set enabled(t){e.experimental.resources=t},asset_types:[],first_party_domains:[],ignore_newrelic:!0}},privacy:{cookies_enabled:!0},proxy:{assets:void 0,beacon:void 0},session:{expiresMs:s.wk,inactiveMs:s.BB},session_replay:{autoStart:!0,enabled:!1,preload:!1,sampling_rate:10,error_sampling_rate:100,collect_fonts:!1,inline_images:!1,fix_stylesheets:!0,mask_all_inputs:!0,get mask_text_selector(){return e.mask_selector},set mask_text_selector(t){a(t)?e.mask_selector="".concat(t,",").concat(d):""===t||null===t?e.mask_selector=d:(0,c.R)(5,t)},get block_class(){return"nr-block"},get ignore_class(){return"nr-ignore"},get mask_text_class(){return"nr-mask"},get block_selector(){return e.block_selector},set 
block_selector(t){a(t)?e.block_selector+=",".concat(t):""!==t&&(0,c.R)(6,t)},get mask_input_options(){return e.mask_input_options},set mask_input_options(t){t&&"object"==typeof t?e.mask_input_options={...t,password:!0}:(0,c.R)(7,t)}},session_trace:{enabled:!0,autoStart:!0},soft_navigations:{enabled:!0,autoStart:!0},spa:{enabled:!0,autoStart:!0},ssl:void 0,user_actions:{enabled:!0,elementAttributes:["id","className","tagName","type"]}}},g={},p="All configuration objects require an agent identifier!";function m(e){if(!e)throw new Error(p);if(!g[e])throw new Error("Configuration for ".concat(e," was never set"));return g[e]}function h(e,t){if(!e)throw new Error(p);g[e]=(0,l.a)(t,f());const r=(0,u.nY)(e);r&&(r.init=g[e])}function v(e,t){if(!e)throw new Error(p);var r=m(e);if(r){for(var n=t.split("."),i=0;i<n.length-1;i++)if("object"!=typeof(r=r[n[i]]))return;r=r[n[n.length-1]]}return r}},371:(e,t,r)=>{"use strict";r.d(t,{V:()=>f,f:()=>d});var n=r(122),i=r(384),o=r(154),a=r(324);let s=0;const c={buildEnv:a.F3,distMethod:a.Xs,version:a.xv,originTime:o.WN},u={customTransaction:void 0,disabled:!1,isolatedBacklog:!1,loaderType:void 0,maxBytes:3e4,onerror:void 0,ptid:void 0,releaseIds:{},appMetadata:{},session:void 0,denyList:void 0,timeKeeper:void 0,obfuscator:void 0,harvester:void 0},l={};function d(e){if(!e)throw new Error("All runtime objects require an agent identifier!");if(!l[e])throw new Error("Runtime for ".concat(e," was never set"));return l[e]}function f(e,t){if(!e)throw new Error("All runtime objects require an agent identifier!");l[e]={...(0,n.a)(t,u),...c},Object.hasOwnProperty.call(l[e],"harvestCount")||Object.defineProperty(l[e],"harvestCount",{get:()=>++s});const r=(0,i.nY)(e);r&&(r.runtime=l[e])}},324:(e,t,r)=>{"use strict";r.d(t,{F3:()=>i,Xs:()=>o,xv:()=>n});const n="1.283.2",i="PROD",o="CDN"},154:(e,t,r)=>{"use strict";r.d(t,{OF:()=>c,RI:()=>i,WN:()=>l,bv:()=>o,gm:()=>a,mw:()=>s,sb:()=>u});var n=r(863);const i="undefined"!=typeof 
window&&!!window.document,o="undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self.navigator instanceof WorkerNavigator||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis.navigator instanceof WorkerNavigator),a=i?window:"undefined"!=typeof WorkerGlobalScope&&("undefined"!=typeof self&&self instanceof WorkerGlobalScope&&self||"undefined"!=typeof globalThis&&globalThis instanceof WorkerGlobalScope&&globalThis),s=Boolean("hidden"===a?.document?.visibilityState),c=/iPad|iPhone|iPod/.test(a.navigator?.userAgent),u=c&&"undefined"==typeof SharedWorker,l=((()=>{const e=a.navigator?.userAgent?.match(/Firefox[/\s](\d+\.\d+)/);Array.isArray(e)&&e.length>=2&&e[1]})(),Date.now()-(0,n.t)())},687:(e,t,r)=>{"use strict";r.d(t,{Ak:()=>c,Ze:()=>d,x3:()=>u});var n=r(836),i=r(606),o=r(860),a=r(646);const s={};function c(e,t){const r={staged:!1,priority:o.P3[t]||0};l(e),s[e].get(t)||s[e].set(t,r)}function u(e,t){e&&s[e]&&(s[e].get(t)&&s[e].delete(t),g(e,t,!1),s[e].size&&f(e))}function l(e){if(!e)throw new Error("agentIdentifier required");s[e]||(s[e]=new Map)}function d(e="",t="feature",r=!1){if(l(e),!e||!s[e].get(t)||r)return g(e,t);s[e].get(t).staged=!0,f(e)}function f(e){const t=Array.from(s[e]);t.every((([e,t])=>t.staged))&&(t.sort(((e,t)=>e[1].priority-t[1].priority)),t.forEach((([t])=>{s[e].delete(t),g(e,t)})))}function g(e,t,r=!0){const o=e?n.ee.get(e):n.ee,s=i.i.handlers;if(!o.aborted&&o.backlog&&s){if(r){const e=o.backlog[t],r=s[t];if(r){for(let t=0;e&&t<e.length;++t)p(e[t],r);Object.entries(r).forEach((([e,t])=>{Object.values(t||{}).forEach((t=>{t[0]?.on&&t[0]?.context()instanceof a.y&&t[0].on(e,t[1])}))}))}}o.isolatedBacklog||delete s[t],o.backlog[t]=null,o.emit("drain-"+t,[])}}function p(e,t){var r=e[1];Object.values(t[r]||{}).forEach((t=>{var r=e[0];if(t[0]===r){var n=t[1],i=e[3],o=e[2];n.apply(i,o)}}))}},836:(e,t,r)=>{"use strict";r.d(t,{P:()=>c,ee:()=>u});var 
n=r(384),i=r(990),o=r(371),a=r(646),s=r(607);const c="nr@context:".concat(s.W),u=function e(t,r){var n={},s={},l={},d=!1;try{d=16===r.length&&(0,o.f)(r).isolatedBacklog}catch(e){}var f={on:p,addEventListener:p,removeEventListener:function(e,t){var r=n[e];if(!r)return;for(var i=0;i<r.length;i++)r[i]===t&&r.splice(i,1)},emit:function(e,r,n,i,o){!1!==o&&(o=!0);if(u.aborted&&!i)return;t&&o&&t.emit(e,r,n);for(var a=g(n),c=m(e),l=c.length,d=0;d<l;d++)c[d].apply(a,r);var p=v()[s[e]];p&&p.push([f,e,r,a]);return a},get:h,listeners:m,context:g,buffer:function(e,t){const r=v();if(t=t||"feature",f.aborted)return;Object.entries(e||{}).forEach((([e,n])=>{s[n]=t,t in r||(r[t]=[])}))},abort:function(){f._aborted=!0,Object.keys(f.backlog).forEach((e=>{delete f.backlog[e]}))},isBuffering:function(e){return!!v()[s[e]]},debugId:r,backlog:d?{}:t&&"object"==typeof t.backlog?t.backlog:{},isolatedBacklog:d};return Object.defineProperty(f,"aborted",{get:()=>{let e=f._aborted||!1;return e||(t&&(e=t.aborted),e)}}),f;function g(e){return e&&e instanceof a.y?e:e?(0,i.I)(e,c,(()=>new a.y(c))):new a.y(c)}function p(e,t){n[e]=m(e).concat(t)}function m(e){return n[e]||[]}function h(t){return l[t]=l[t]||e(f,t)}function v(){return f.backlog}}(void 0,"globalEE"),l=(0,n.Zm)();l.ee||(l.ee=u)},646:(e,t,r)=>{"use strict";r.d(t,{y:()=>n});class n{constructor(e){this.contextId=e}}},908:(e,t,r)=>{"use strict";r.d(t,{d:()=>n,p:()=>i});var n=r(836).ee.get("handle");function i(e,t,r,i,o){o?(o.buffer([e],i),o.emit(e,t,r)):(n.buffer([e],i),n.emit(e,t,r))}},606:(e,t,r)=>{"use strict";r.d(t,{i:()=>o});var n=r(908);o.on=a;var i=o.handlers={};function o(e,t,r,o){a(o||n.d,i,e,t,r)}function a(e,t,r,i,o){o||(o="feature"),e||(e=n.d);var a=t[o]=t[o]||{};(a[r]=a[r]||[]).push([e,i])}},878:(e,t,r)=>{"use strict";function n(e,t){return{capture:e,passive:!1,signal:t}}function i(e,t,r=!1,i){window.addEventListener(e,t,n(r,i))}function 
o(e,t,r=!1,i){document.addEventListener(e,t,n(r,i))}r.d(t,{DD:()=>o,jT:()=>n,sp:()=>i})},607:(e,t,r)=>{"use strict";r.d(t,{W:()=>n});const n=(0,r(566).bz)()},566:(e,t,r)=>{"use strict";r.d(t,{LA:()=>s,bz:()=>a});var n=r(154);const i="xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx";function o(e,t){return e?15&e[t]:16*Math.random()|0}function a(){const e=n.gm?.crypto||n.gm?.msCrypto;let t,r=0;return e&&e.getRandomValues&&(t=e.getRandomValues(new Uint8Array(30))),i.split("").map((e=>"x"===e?o(t,r++).toString(16):"y"===e?(3&o()|8).toString(16):e)).join("")}function s(e){const t=n.gm?.crypto||n.gm?.msCrypto;let r,i=0;t&&t.getRandomValues&&(r=t.getRandomValues(new Uint8Array(e)));const a=[];for(var s=0;s<e;s++)a.push(o(r,i++).toString(16));return a.join("")}},614:(e,t,r)=>{"use strict";r.d(t,{BB:()=>a,H3:()=>n,g:()=>u,iL:()=>c,tS:()=>s,uh:()=>i,wk:()=>o});const n="NRBA",i="SESSION",o=144e5,a=18e5,s={STARTED:"session-started",PAUSE:"session-pause",RESET:"session-reset",RESUME:"session-resume",UPDATE:"session-update"},c={SAME_TAB:"same-tab",CROSS_TAB:"cross-tab"},u={OFF:0,FULL:1,ERROR:2}},863:(e,t,r)=>{"use strict";function n(){return Math.floor(performance.now())}r.d(t,{t:()=>n})},944:(e,t,r)=>{"use strict";function n(e,t){"function"==typeof console.debug&&console.debug("New Relic Warning: https://github.com/newrelic/newrelic-browser-agent/blob/main/docs/warning-codes.md#".concat(e),t)}r.d(t,{R:()=>n})},284:(e,t,r)=>{"use strict";r.d(t,{t:()=>c,B:()=>s});var n=r(836),i=r(154);const o="newrelic";const a=new Set,s={};function c(e,t){const r=n.ee.get(t);s[t]??={},e&&"object"==typeof e&&(a.has(t)||(r.emit("rumresp",[e]),s[t]=e,a.add(t),function(e={}){try{i.gm.dispatchEvent(new CustomEvent(o,{detail:e}))}catch(e){}}({loaded:!0})))}},990:(e,t,r)=>{"use strict";r.d(t,{I:()=>i});var n=Object.prototype.hasOwnProperty;function i(e,t,r){if(n.call(e,t))return e[t];var i=r();if(Object.defineProperty&&Object.keys)try{return 
Object.defineProperty(e,t,{value:i,writable:!0,enumerable:!1}),i}catch(e){}return e[t]=i,i}},389:(e,t,r)=>{"use strict";function n(e,t=500,r={}){const n=r?.leading||!1;let i;return(...r)=>{n&&void 0===i&&(e.apply(this,r),i=setTimeout((()=>{i=clearTimeout(i)}),t)),n||(clearTimeout(i),i=setTimeout((()=>{e.apply(this,r)}),t))}}function i(e){let t=!1;return(...r)=>{t||(t=!0,e.apply(this,r))}}r.d(t,{J:()=>i,s:()=>n})},289:(e,t,r)=>{"use strict";r.d(t,{GG:()=>o,sB:()=>a});var n=r(878);function i(){return"undefined"==typeof document||"complete"===document.readyState}function o(e,t){if(i())return e();(0,n.sp)("load",e,t)}function a(e){if(i())return e();(0,n.DD)("DOMContentLoaded",e)}},384:(e,t,r)=>{"use strict";r.d(t,{NT:()=>o,US:()=>l,Zm:()=>a,bQ:()=>c,dV:()=>s,nY:()=>u,pV:()=>d});var n=r(154),i=r(863);const o={beacon:"bam.nr-data.net",errorBeacon:"bam.nr-data.net"};function a(){return n.gm.NREUM||(n.gm.NREUM={}),void 0===n.gm.newrelic&&(n.gm.newrelic=n.gm.NREUM),n.gm.NREUM}function s(){let e=a();return e.o||(e.o={ST:n.gm.setTimeout,SI:n.gm.setImmediate,CT:n.gm.clearTimeout,XHR:n.gm.XMLHttpRequest,REQ:n.gm.Request,EV:n.gm.Event,PR:n.gm.Promise,MO:n.gm.MutationObserver,FETCH:n.gm.fetch,WS:n.gm.WebSocket}),e}function c(e,t){let r=a();r.initializedAgents??={},t.initializedAt={ms:(0,i.t)(),date:new Date},r.initializedAgents[e]=t}function u(e){let t=a();return t.initializedAgents?.[e]}function l(e,t){a()[e]=t}function d(){return function(){let e=a();const t=e.info||{};e.info={beacon:o.beacon,errorBeacon:o.errorBeacon,...t}}(),function(){let e=a();const t=e.init||{};e.init={...t}}(),s(),function(){let e=a();const t=e.loader_config||{};e.loader_config={...t}}(),a()}},843:(e,t,r)=>{"use strict";r.d(t,{u:()=>i});var n=r(878);function i(e,t=!1,r,i){(0,n.DD)("visibilitychange",(function(){if(t)return void("hidden"===document.visibilityState&&e());e(document.visibilityState)}),r,i)}},434:(e,t,r)=>{"use strict";r.d(t,{Jt:()=>o,YM:()=>c});var n=r(836),i=r(607);const 
o="nr@original:".concat(i.W);var a=Object.prototype.hasOwnProperty,s=!1;function c(e,t){return e||(e=n.ee),r.inPlace=function(e,t,n,i,o){n||(n="");const a="-"===n.charAt(0);for(let s=0;s<t.length;s++){const c=t[s],u=e[c];l(u)||(e[c]=r(u,a?c+n:n,i,c,o))}},r.flag=o,r;function r(t,r,n,s,c){return l(t)?t:(r||(r=""),nrWrapper[o]=t,function(e,t,r){if(Object.defineProperty&&Object.keys)try{return Object.keys(e).forEach((function(r){Object.defineProperty(t,r,{get:function(){return e[r]},set:function(t){return e[r]=t,t}})})),t}catch(e){u([e],r)}for(var n in e)a.call(e,n)&&(t[n]=e[n])}(t,nrWrapper,e),nrWrapper);function nrWrapper(){var o,a,l,d;try{a=this,o=[...arguments],l="function"==typeof n?n(o,a):n||{}}catch(t){u([t,"",[o,a,s],l],e)}i(r+"start",[o,a,s],l,c);try{return d=t.apply(a,o)}catch(e){throw i(r+"err",[o,a,e],l,c),e}finally{i(r+"end",[o,a,d],l,c)}}}function i(r,n,i,o){if(!s||t){var a=s;s=!0;try{e.emit(r,n,i,t,o)}catch(t){u([t,r,n,i],e)}s=a}}}function u(e,t){t||(t=n.ee);try{t.emit("internal-error",e)}catch(e){}}function l(e){return!(e&&"function"==typeof e&&e.apply&&!e[o])}},993:(e,t,r)=>{"use strict";r.d(t,{A$:()=>o,ET:()=>a,p_:()=>i});var n=r(860);const i={ERROR:"ERROR",WARN:"WARN",INFO:"INFO",DEBUG:"DEBUG",TRACE:"TRACE"},o={OFF:0,ERROR:1,WARN:2,INFO:3,DEBUG:4,TRACE:5},a="log";n.K7.logging},773:(e,t,r)=>{"use strict";r.d(t,{z_:()=>o,XG:()=>s,TZ:()=>n,rs:()=>i,xV:()=>a});r(154),r(566),r(384);const n=r(860).K7.metrics,i="sm",o="cm",a="storeSupportabilityMetrics",s="storeEventMetrics"},630:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewEvent},782:(e,t,r)=>{"use strict";r.d(t,{T:()=>n});const n=r(860).K7.pageViewTiming},344:(e,t,r)=>{"use strict";r.d(t,{G4:()=>i});var n=r(614);r(860).K7.sessionReplay;const i={RECORD:"recordReplay",PAUSE:"pauseReplay",REPLAY_RUNNING:"replayRunning",ERROR_DURING_REPLAY:"errorDuringReplay"};n.g.ERROR,n.g.FULL,n.g.OFF},234:(e,t,r)=>{"use strict";r.d(t,{W:()=>o});var n=r(836),i=r(687);class 
o{constructor(e,t){this.agentIdentifier=e,this.ee=n.ee.get(e),this.featureName=t,this.blocked=!1}deregisterDrain(){(0,i.x3)(this.agentIdentifier,this.featureName)}}},603:(e,t,r)=>{"use strict";r.d(t,{j:()=>K});var n=r(860),i=r(555),o=r(371),a=r(908),s=r(836),c=r(687),u=r(289),l=r(154),d=r(944),f=r(773),g=r(384),p=r(344);const m=["setErrorHandler","finished","addToTrace","addRelease","recordCustomEvent","addPageAction","setCurrentRouteName","setPageViewName","setCustomAttribute","interaction","noticeError","setUserId","setApplicationVersion","start",p.G4.RECORD,p.G4.PAUSE,"log","wrapLogger"],h=["setErrorHandler","finished","addToTrace","addRelease"];var v=r(863),b=r(614),y=r(993);var w=r(646),R=r(434);const A=new Map;function E(e,t,r,n){if("object"!=typeof t||!t||"string"!=typeof r||!r||"function"!=typeof t[r])return(0,d.R)(29);const i=function(e){return(e||s.ee).get("logger")}(e),o=(0,R.YM)(i),a=new w.y(s.P);a.level=n.level,a.customAttributes=n.customAttributes;const c=t[r]?.[R.Jt]||t[r];return A.set(c,a),o.inPlace(t,[r],"wrap-logger-",(()=>A.get(c))),i}function _(){const e=(0,g.pV)();m.forEach((t=>{e[t]=(...r)=>function(t,...r){let n=[];return Object.values(e.initializedAgents).forEach((e=>{e&&e.api?e.exposed&&e.api[t]&&n.push(e.api[t](...r)):(0,d.R)(38,t)})),n.length>1?n:n[0]}(t,...r)}))}const x={};function N(e,t,g=!1){t||(0,c.Ak)(e,"api");const m={};var w=s.ee.get(e),R=w.get("tracer");x[e]=b.g.OFF,w.on(p.G4.REPLAY_RUNNING,(t=>{x[e]=t}));var A="api-",_=A+"ixn-";function N(t,r,n,o){const a=(0,i.Vp)(e);return null===r?delete a.jsAttributes[t]:(0,i.x1)(e,{...a,jsAttributes:{...a.jsAttributes,[t]:r}}),j(A,n,!0,o||null===r?"session":void 0)(t,r)}function k(){}m.log=function(e,{customAttributes:t={},level:r=y.p_.INFO}={}){(0,a.p)(f.xV,["API/log/called"],void 0,n.K7.metrics,w),function(e,t,r={},i=y.p_.INFO){(0,a.p)(f.xV,["API/logging/".concat(i.toLowerCase(),"/called")],void 0,n.K7.metrics,e),(0,a.p)(y.ET,[(0,v.t)(),t,r,i],void 
0,n.K7.logging,e)}(w,e,t,r)},m.wrapLogger=(e,t,{customAttributes:r={},level:i=y.p_.INFO}={})=>{(0,a.p)(f.xV,["API/wrapLogger/called"],void 0,n.K7.metrics,w),E(w,e,t,{customAttributes:r,level:i})},h.forEach((e=>{m[e]=j(A,e,!0,"api")})),m.addPageAction=j(A,"addPageAction",!0,n.K7.genericEvents),m.recordCustomEvent=j(A,"recordCustomEvent",!0,n.K7.genericEvents),m.setPageViewName=function(t,r){if("string"==typeof t)return"/"!==t.charAt(0)&&(t="/"+t),(0,o.f)(e).customTransaction=(r||"http://custom.transaction")+t,j(A,"setPageViewName",!0)()},m.setCustomAttribute=function(e,t,r=!1){if("string"==typeof e){if(["string","number","boolean"].includes(typeof t)||null===t)return N(e,t,"setCustomAttribute",r);(0,d.R)(40,typeof t)}else(0,d.R)(39,typeof e)},m.setUserId=function(e){if("string"==typeof e||null===e)return N("enduser.id",e,"setUserId",!0);(0,d.R)(41,typeof e)},m.setApplicationVersion=function(e){if("string"==typeof e||null===e)return N("application.version",e,"setApplicationVersion",!1);(0,d.R)(42,typeof e)},m.start=()=>{try{(0,a.p)(f.xV,["API/start/called"],void 0,n.K7.metrics,w),w.emit("manual-start-all")}catch(e){(0,d.R)(23,e)}},m[p.G4.RECORD]=function(){(0,a.p)(f.xV,["API/recordReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.RECORD,[],void 0,n.K7.sessionReplay,w)},m[p.G4.PAUSE]=function(){(0,a.p)(f.xV,["API/pauseReplay/called"],void 0,n.K7.metrics,w),(0,a.p)(p.G4.PAUSE,[],void 0,n.K7.sessionReplay,w)},m.interaction=function(e){return(new k).get("object"==typeof e?e:{})};const T=k.prototype={createTracer:function(e,t){var r={},i=this,o="function"==typeof t;return(0,a.p)(f.xV,["API/createTracer/called"],void 0,n.K7.metrics,w),g||(0,a.p)(_+"tracer",[(0,v.t)(),e,r],i,n.K7.spa,w),function(){if(R.emit((o?"":"no-")+"fn-start",[(0,v.t)(),i,o],r),o)try{return t.apply(this,arguments)}catch(e){const t="string"==typeof e?new Error(e):e;throw R.emit("fn-err",[arguments,this,t],r),t}finally{R.emit("fn-end",[(0,v.t)()],r)}}}};function j(e,t,r,i){return 
function(){return(0,a.p)(f.xV,["API/"+t+"/called"],void 0,n.K7.metrics,w),i&&(0,a.p)(e+t,[r?(0,v.t)():performance.now(),...arguments],r?null:this,i,w),r?void 0:this}}function I(){r.e(296).then(r.bind(r,778)).then((({setAPI:t})=>{t(e),(0,c.Ze)(e,"api")})).catch((e=>{(0,d.R)(27,e),w.abort()}))}return["actionText","setName","setAttribute","save","ignore","onEnd","getContext","end","get"].forEach((e=>{T[e]=j(_,e,void 0,g?n.K7.softNav:n.K7.spa)})),m.setCurrentRouteName=g?j(_,"routeName",void 0,n.K7.softNav):j(A,"routeName",!0,n.K7.spa),m.noticeError=function(t,r){"string"==typeof t&&(t=new Error(t)),(0,a.p)(f.xV,["API/noticeError/called"],void 0,n.K7.metrics,w),(0,a.p)("err",[t,(0,v.t)(),!1,r,!!x[e]],void 0,n.K7.jserrors,w)},l.RI?(0,u.GG)((()=>I()),!0):I(),m}var k=r(217),T=r(122);const j={accountID:void 0,trustKey:void 0,agentID:void 0,licenseKey:void 0,applicationID:void 0,xpid:void 0},I={};var O=r(284);const S=e=>{const t=e.startsWith("http");e+="/",r.p=t?e:"https://"+e};let P=!1;function K(e,t={},r,n){let{init:a,info:c,loader_config:u,runtime:d={},exposed:f=!0}=t;d.loaderType=r;const p=(0,g.pV)();c||(a=p.init,c=p.info,u=p.loader_config),(0,k.xN)(e.agentIdentifier,a||{}),function(e,t){if(!e)throw new Error("All loader-config objects require an agent identifier!");I[e]=(0,T.a)(t,j);const r=(0,g.nY)(e);r&&(r.loader_config=I[e])}(e.agentIdentifier,u||{}),c.jsAttributes??={},l.bv&&(c.jsAttributes.isWorker=!0),(0,i.x1)(e.agentIdentifier,c);const m=(0,k.D0)(e.agentIdentifier),h=[c.beacon,c.errorBeacon];P||(m.proxy.assets&&(S(m.proxy.assets),h.push(m.proxy.assets)),m.proxy.beacon&&h.push(m.proxy.beacon),_(),(0,g.US)("activatedFeatures",O.B),e.runSoftNavOverSpa&&=!0===m.soft_navigations.enabled&&m.feature_flags.includes("soft_nav")),d.denyList=[...m.ajax.deny_list||[],...m.ajax.block_internal?h:[]],d.ptid=e.agentIdentifier,(0,o.V)(e.agentIdentifier,d),e.ee=s.ee.get(e.agentIdentifier),void 0===e.api&&(e.api=N(e.agentIdentifier,n,e.runSoftNavOverSpa)),void 
0===e.exposed&&(e.exposed=f),P=!0}},374:(e,t,r)=>{r.nc=(()=>{try{return document?.currentScript?.nonce}catch(e){}return""})()},860:(e,t,r)=>{"use strict";r.d(t,{$J:()=>u,K7:()=>s,P3:()=>c,XX:()=>i,qY:()=>n,v4:()=>a});const n="events",i="jserrors",o="browser/blobs",a="rum",s={ajax:"ajax",genericEvents:"generic_events",jserrors:i,logging:"logging",metrics:"metrics",pageAction:"page_action",pageViewEvent:"page_view_event",pageViewTiming:"page_view_timing",sessionReplay:"session_replay",sessionTrace:"session_trace",softNav:"soft_navigations",spa:"spa"},c={[s.pageViewEvent]:1,[s.pageViewTiming]:2,[s.metrics]:3,[s.jserrors]:4,[s.spa]:5,[s.ajax]:6,[s.sessionTrace]:7,[s.softNav]:8,[s.sessionReplay]:9,[s.logging]:10,[s.genericEvents]:11},u={[s.pageViewEvent]:a,[s.pageViewTiming]:n,[s.ajax]:n,[s.spa]:n,[s.softNav]:n,[s.metrics]:i,[s.jserrors]:i,[s.sessionTrace]:o,[s.sessionReplay]:o,[s.logging]:"browser/logs",[s.genericEvents]:"ins"}}},n={};function i(e){var t=n[e];if(void 0!==t)return t.exports;var o=n[e]={exports:{}};return r[e](o,o.exports,i),o.exports}i.m=r,i.d=(e,t)=>{for(var r in t)i.o(t,r)&&!i.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},i.f={},i.e=e=>Promise.all(Object.keys(i.f).reduce(((t,r)=>(i.f[r](e,t),t)),[])),i.u=e=>"nr-rum-1.283.2.min.js",i.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),e={},t="NRBA-1.283.2.PROD:",i.l=(r,n,o,a)=>{if(e[r])e[r].push(n);else{var s,c;if(void 0!==o)for(var u=document.getElementsByTagName("script"),l=0;l<u.length;l++){var d=u[l];if(d.getAttribute("src")==r||d.getAttribute("data-webpack")==t+o){s=d;break}}if(!s){c=!0;var f={296:"sha512-2Y8GMAOGF658KnXzOZ/v+DlLch8TBFvV0tTNnOy9wrpvtDa1t5CdZMyX+LubTymBlzPp6NUjllBghMCZqXBPmg=="};(s=document.createElement("script")).charset="utf-8",s.timeout=120,i.nc&&s.setAttribute("nonce",i.nc),s.setAttribute("data-webpack",t+o),s.src=r,0!==s.src.indexOf(window.location.origin+"/")&&(s.crossOrigin="anonymous"),f[a]&&(s.integrity=f[a])}e[r]=[n];var 
g=(t,n)=>{s.onerror=s.onload=null,clearTimeout(p);var i=e[r];if(delete e[r],s.parentNode&&s.parentNode.removeChild(s),i&&i.forEach((e=>e(n))),t)return t(n)},p=setTimeout(g.bind(null,void 0,{type:"timeout",target:s}),12e4);s.onerror=g.bind(null,s.onerror),s.onload=g.bind(null,s.onload),c&&document.head.appendChild(s)}},i.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},i.p="https://js-agent.newrelic.com/",(()=>{var e={374:0,840:0};i.f.j=(t,r)=>{var n=i.o(e,t)?e[t]:void 0;if(0!==n)if(n)r.push(n[2]);else{var o=new Promise(((r,i)=>n=e[t]=[r,i]));r.push(n[2]=o);var a=i.p+i.u(t),s=new Error;i.l(a,(r=>{if(i.o(e,t)&&(0!==(n=e[t])&&(e[t]=void 0),n)){var o=r&&("load"===r.type?"missing":r.type),a=r&&r.target&&r.target.src;s.message="Loading chunk "+t+" failed.\n("+o+": "+a+")",s.name="ChunkLoadError",s.type=o,s.request=a,n[1](s)}}),"chunk-"+t,t)}};var t=(t,r)=>{var n,o,[a,s,c]=r,u=0;if(a.some((t=>0!==e[t]))){for(n in s)i.o(s,n)&&(i.m[n]=s[n]);if(c)c(i)}for(t&&t(r);u<a.length;u++)o=a[u],i.o(e,o)&&e[o]&&e[o][0](),e[o]=0},r=self["webpackChunk:NRBA-1.283.2.PROD"]=self["webpackChunk:NRBA-1.283.2.PROD"]||[];r.forEach(t.bind(null,0)),r.push=t.bind(null,r.push.bind(r))})(),(()=>{"use strict";i(374);var e=i(944),t=i(344),r=i(566);class n{agentIdentifier;constructor(){this.agentIdentifier=(0,r.LA)(16)}#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}addPageAction(e,t){return this.#e("addPageAction",e,t)}recordCustomEvent(e,t){return this.#e("recordCustomEvent",e,t)}setPageViewName(e,t){return this.#e("setPageViewName",e,t)}setCustomAttribute(e,t,r){return this.#e("setCustomAttribute",e,t,r)}noticeError(e,t){return this.#e("noticeError",e,t)}setUserId(e){return this.#e("setUserId",e)}setApplicationVersion(e){return this.#e("setApplicationVersion",e)}setErrorHandler(e){return this.#e("setErrorHandler",e)}addRelease(e,t){return 
this.#e("addRelease",e,t)}log(e,t){return this.#e("log",e,t)}}class o extends n{#e(t,...r){if("function"==typeof this.api?.[t])return this.api[t](...r);(0,e.R)(35,t)}start(){return this.#e("start")}finished(e){return this.#e("finished",e)}recordReplay(){return this.#e(t.G4.RECORD)}pauseReplay(){return this.#e(t.G4.PAUSE)}addToTrace(e){return this.#e("addToTrace",e)}setCurrentRouteName(e){return this.#e("setCurrentRouteName",e)}interaction(){return this.#e("interaction")}wrapLogger(e,t,r){return this.#e("wrapLogger",e,t,r)}}var a=i(860),s=i(217);const c=Object.values(a.K7);function u(e){const t={};return c.forEach((r=>{t[r]=function(e,t){return!0===(0,s.gD)(t,"".concat(e,".enabled"))}(r,e)})),t}var l=i(603);var d=i(687),f=i(234),g=i(289),p=i(154),m=i(384);const h=e=>p.RI&&!0===(0,s.gD)(e,"privacy.cookies_enabled");function v(e){return!!(0,m.dV)().o.MO&&h(e)&&!0===(0,s.gD)(e,"session_trace.enabled")}var b=i(389);class y extends f.W{constructor(e,t,r=!0){super(e.agentIdentifier,t),this.auto=r,this.abortHandler=void 0,this.featAggregate=void 0,this.onAggregateImported=void 0,!1===e.init[this.featureName].autoStart&&(this.auto=!1),this.auto?(0,d.Ak)(e.agentIdentifier,t):this.ee.on("manual-start-all",(0,b.J)((()=>{(0,d.Ak)(e.agentIdentifier,this.featureName),this.auto=!0,this.importAggregator(e)})))}importAggregator(t,r={}){if(this.featAggregate||!this.auto)return;let n;this.onAggregateImported=new Promise((e=>{n=e}));const o=async()=>{let o;try{if(h(this.agentIdentifier)){const{setupAgentSession:e}=await i.e(296).then(i.bind(i,861));o=e(t)}}catch(t){(0,e.R)(20,t),this.ee.emit("internal-error",[t]),this.featureName===a.K7.sessionReplay&&this.abortHandler?.()}try{if(!this.#t(this.featureName,o))return(0,d.Ze)(this.agentIdentifier,this.featureName),void n(!1);const{lazyFeatureLoader:e}=await i.e(296).then(i.bind(i,103)),{Aggregate:a}=await e(this.featureName,"aggregate");this.featAggregate=new 
a(t,r),t.runtime.harvester.initializedAggregates.push(this.featAggregate),n(!0)}catch(t){(0,e.R)(34,t),this.abortHandler?.(),(0,d.Ze)(this.agentIdentifier,this.featureName,!0),n(!1),this.ee&&this.ee.abort()}};p.RI?(0,g.GG)((()=>o()),!0):o()}#t(e,t){switch(e){case a.K7.sessionReplay:return v(this.agentIdentifier)&&!!t;case a.K7.sessionTrace:return!!t;default:return!0}}}var w=i(630);class R extends y{static featureName=w.T;constructor(e,t=!0){super(e,w.T,t),this.importAggregator(e)}}var A=i(908),E=i(843),_=i(878),x=i(782),N=i(863);class k extends y{static featureName=x.T;constructor(e,t=!0){super(e,x.T,t),p.RI&&((0,E.u)((()=>(0,A.p)("docHidden",[(0,N.t)()],void 0,x.T,this.ee)),!0),(0,_.sp)("pagehide",(()=>(0,A.p)("winPagehide",[(0,N.t)()],void 0,x.T,this.ee))),this.importAggregator(e))}}var T=i(773);class j extends y{static featureName=T.TZ;constructor(e,t=!0){super(e,T.TZ,t),this.importAggregator(e)}}new class extends o{constructor(t){super(),p.gm?(this.features={},(0,m.bQ)(this.agentIdentifier,this),this.desiredFeatures=new Set(t.features||[]),this.desiredFeatures.add(R),this.runSoftNavOverSpa=[...this.desiredFeatures].some((e=>e.featureName===a.K7.softNav)),(0,l.j)(this,t,t.loaderType||"agent"),this.run()):(0,e.R)(21)}get config(){return{info:this.info,init:this.init,loader_config:this.loader_config,runtime:this.runtime}}run(){try{const t=u(this.agentIdentifier),r=[...this.desiredFeatures];r.sort(((e,t)=>a.P3[e.featureName]-a.P3[t.featureName])),r.forEach((r=>{if(!t[r.featureName]&&r.featureName!==a.K7.pageViewEvent)return;if(this.runSoftNavOverSpa&&r.featureName===a.K7.spa)return;if(!this.runSoftNavOverSpa&&r.featureName===a.K7.softNav)return;const n=function(e){switch(e){case a.K7.ajax:return[a.K7.jserrors];case a.K7.sessionTrace:return[a.K7.ajax,a.K7.pageViewEvent];case a.K7.sessionReplay:return[a.K7.sessionTrace];case a.K7.pageViewTiming:return[a.K7.pageViewEvent];default:return[]}}(r.featureName).filter((e=>!(e in 
this.features)));n.length>0&&(0,e.R)(36,{targetFeature:r.featureName,missingDependencies:n}),this.features[r.featureName]=new r(this)}))}catch(t){(0,e.R)(22,t);for(const e in this.features)this.features[e].abortHandler?.();const r=(0,m.Zm)();delete r.initializedAgents[this.agentIdentifier]?.api,delete r.initializedAgents[this.agentIdentifier]?.features,delete this.sharedAggregator;return r.ee.get(this.agentIdentifier).abort(),!1}}}({features:[R,k,j],loaderType:"lite"})})()})();</script><link data-next-font="size-adjust" rel="preconnect" href="/" crossorigin="anonymous"/><link nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" rel="preload" href="/_next/static/css/92f230208c8f5fec.css" as="style"/><link nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" rel="stylesheet" href="/_next/static/css/92f230208c8f5fec.css" data-n-g=""/><noscript data-n-css="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx"></noscript><script defer="" nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" nomodule="" src="/_next/static/chunks/polyfills-42372ed130431b0a.js"></script><script src="/_next/static/chunks/webpack-a707e99c69361791.js" nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" defer=""></script><script src="/_next/static/chunks/framework-945b357d4a851f4b.js" nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" defer=""></script><script src="/_next/static/chunks/main-46992b6f0e7a85fe.js" nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" defer=""></script><script src="/_next/static/chunks/pages/_app-07799d5d5820dde3.js" nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" defer=""></script><script src="/_next/static/chunks/178-1500985f9b087e1a.js" nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" defer=""></script><script src="/_next/static/chunks/pages/indicators/ioe/%5BsubType%5D/%5Bid%5D-ef65021935fc87ad.js" nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx" 
class="col-md-8"><h1 class="h2">Privileged Authentication Silo Configuration</h1><h6 class="m-1"><span class="badge badge-high">high</span></h6></div><div class="d-none d-md-block text-right col-md-4"><p class="d-inline mr-2">Language:</p><div class="d-inline language-dropdown dropdown"><button type="button" aria-haspopup="true" aria-expanded="false" class="dropdown-toggle btn btn-secondary">English</button><div tabindex="-1" role="menu" aria-hidden="true" class="dropdown-menu dropdown-menu-right"><a href="https://kr.tenable.com/indicators/ioe/ad/C-AUTH-SILO"><button type="button" tabindex="0" role="menuitem" class="dropdown-item">한국인</button></a><a href="https://es-la.tenable.com/indicators/ioe/ad/C-AUTH-SILO"><button type="button" tabindex="0" role="menuitem" class="dropdown-item">Español</button></a><a href="https://www.tenablecloud.cn/indicators/ioe/ad/C-AUTH-SILO"><button type="button" tabindex="0" role="menuitem" class="dropdown-item">简体中文</button></a><a href="https://de.tenable.com/indicators/ioe/ad/C-AUTH-SILO"><button type="button" tabindex="0" role="menuitem" class="dropdown-item">Deutsch</button></a><a href="https://jp.tenable.com/indicators/ioe/ad/C-AUTH-SILO"><button type="button" tabindex="0" role="menuitem" class="dropdown-item">日本語</button></a><a href="https://fr.tenable.com/indicators/ioe/ad/C-AUTH-SILO"><button type="button" tabindex="0" role="menuitem" class="dropdown-item">Français</button></a><a href="https://zh-tw.tenable.com/indicators/ioe/ad/C-AUTH-SILO"><button type="button" tabindex="0" role="menuitem" class="dropdown-item">繁體中文</button></a><a href="https://www.tenable.com/indicators/ioe/ad/C-AUTH-SILO"><button type="button" tabindex="0" role="menuitem" class="dropdown-item">English</button></a></div></div></div></div><div class="card"><div class="p-3 card-body"><div class="row"><div class="col-md-8"><section class="mb-3"><h4 class="border-bottom pb-1">Description</h4><div><p>Proper management of privileged accounts (users and computers) 
is important for security to limit the risks of a full Active Directory (AD) environment compromise. In the most recent versions of Windows (Windows Server 2012R2+), Microsoft provides features and a technical design to protect adequately such accounts using authentication silos and policies. This Indicator of Exposure aims to assist AD administrators in the implementation of a model designed to protect those highly privileged (i.e. "Tier-0") accounts.</p> </div></section><section class="mb-3"><h4 class="border-bottom pb-1">Solution</h4><div><p>To enhance security against attackers and malware attempting to steal privileged identities, privileged users should exclusively connect to trusted machines. Employing a "tier model" design, particularly focusing on the highest tier (referred to as "Tier-0"), implement authentication silos and policies. This ensures that the credentials of privileged users are inaccessible on standard workstations and servers.</p> </div></section><section class="mb-3"><h4 class="border-bottom pb-1">See Also</h4><p><a target="_blank" rel="noopener noreferrer" href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)">Authentication Policies and Authentication Policy Silos</a></p><p><a target="_blank" rel="noopener noreferrer" href="https://www.sstic.org/2017/presentation/administration_en_silo/">L'administration en silo (french reference whitepaper)</a></p></section></div><div class="col-md-4"><section class="mb-3"><h4 class="border-bottom pb-1">Indicator Details</h4><div><p class=""><strong>Name<!-- -->: </strong><span>Privileged Authentication Silo Configuration</span></p></div><div><p class=""><strong>Codename<!-- -->: </strong><span>C-AUTH-SILO</span></p></div><div><p class=""><strong>Severity<!-- -->: </strong><span>High</span></p></div><div><p class=""><strong>Type<!-- -->: </strong><span>Active Directory Indicator of Exposure</span></p></div><strong>MITRE ATT&CK 
Information<!-- -->: </strong><ul class="pl-3"><li>Tactic: <a href="https://attack.mitre.org/tactics/TA0004/" target="_blank" rel="noopener noreferrer">TA0004<!-- --> - <!-- -->Privilege Escalation</a><ul class="pl-4"><li>Techniques: <a href="https://attack.mitre.org/techniques/T1078/" target="_blank" rel="noopener noreferrer">T1078<!-- --> - <!-- -->Valid Accounts</a></li></ul></li></ul></section></div></div></div></div></div></div></div></div><footer class="footer"><div class="container"><ul class="footer-nav"><li class="footer-nav-item"><a href="https://www.tenable.com/">Tenable.com</a></li><li class="footer-nav-item"><a href="https://community.tenable.com">Community & Support</a></li><li class="footer-nav-item"><a href="https://docs.tenable.com">Documentation</a></li><li class="footer-nav-item"><a href="https://university.tenable.com">Education</a></li></ul><ul class="footer-nav footer-nav-secondary"><li class="footer-nav-item">© <!-- -->2025<!-- --> <!-- -->Tenable®, Inc. All Rights Reserved</li><li class="footer-nav-item"><a href="https://www.tenable.com/privacy-policy">Privacy Policy</a></li><li class="footer-nav-item"><a href="https://www.tenable.com/legal">Legal</a></li><li class="footer-nav-item"><a href="https://www.tenable.com/section-508-voluntary-product-accessibility">508 Compliance</a></li></ul></div></footer><div class="Toastify"></div></div></div><script id="__NEXT_DATA__" type="application/json" nonce="nonce-OGI0YWEzYmMtNTVmYi00MDg5LTliN2QtMDU5NjE5NWEwYzMx">{"props":{"pageProps":{"indicator":{"language_code":"en_US","codename":"C-AUTH-SILO","name":"Privileged Authentication Silo Configuration","id":55,"description":"\u003cp\u003eA step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.\u003c/p\u003e\n","criticity":"high","exec_summary":"\u003cp\u003eProper management of privileged accounts (users and computers) is important for security to limit the risks of a full Active Directory (AD) environment 
compromise. In the most recent versions of Windows (Windows Server 2012R2+), Microsoft provides features and a technical design to protect adequately such accounts using authentication silos and policies.\nThis Indicator of Exposure aims to assist AD administrators in the implementation of a model designed to protect those highly privileged (i.e. \"Tier-0\") accounts.\u003c/p\u003e\n","vulnerability_detail":{"detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eEffective privileged user and computer management is crucial for mitigating risks associated with credential theft. With Windows Server 2012 R2, Microsoft introduced an authentication model based on silos, which confines the authentication of a given set of users to a specific set of computers within the same scope. The Tier-0 silo, the most critical one, should exclusively contain the highest-privileged accounts in the environment: in particular the members of \"Domain Admins\" (users) and of \"Domain Controllers\" (computers).\u003c/p\u003e\n\u003ch4\u003eAuthentication silos and policies\u003c/h4\u003e\n\u003cp\u003eAuthentication silos, as outlined in the \"Logon Restrictions for Privileged Users\" IoE, share the goal of preventing Tier-0 privileged accounts from exposing their credentials on lower-privileged systems (e.g. standard servers or workstations). This feature focuses on safeguarding users rather than computers, replacing the older concepts in the \"Logon Restrictions for Privileged Users\" IoE with a more contemporary approach to configuring user authentication restrictions.\n\u003cbr\u003eAuthentication silos leverage various foundational elements, including the Kerberos protocol, claims, authentication policies, conditional ACEs, and Kerberos Armoring. The use of these features requires that all domain controllers run Windows Server 2012 R2 or later.\n\u003cbr\u003eThe silo implementation aims to offer AD administrators a simpler and more robust solution compared to previous authentication restrictions. 
The objective is to group Tier-0 users and computers within a shared security context, called a \"silo.\" This ensures that these users can only connect to computers within the same silo, whether through Remote Desktop or traditional interactive sessions.\n\u003cbr\u003eAn additional credential-theft risk is Kerberos delegation: a Tier-0 user's authentication may be delegated to a computer outside the designated silo. \nSecuring NTLM authentication fully is not achievable, so Tier-0 accounts should use the Kerberos protocol only. Adding Tier-0 administrators to the \"Protected Users\" group addresses both risks, since membership blocks NTLM authentication and delegation for those accounts.\n\u003cbr\u003eThe interconnected features essential for this IoE are linked as follows:\nAuthentication silo → (requires) → Authentication policy → (requires) → Claims → (requires) → Kerberos Armoring\n\u003cbr\u003eDelving into the intricacies of these concepts exceeds the scope of this IoE. In summary:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAn authentication silo is a collection of computer and user accounts that share the same security concerns - in our context, privileged objects.\u003c/li\u003e\n\u003cli\u003eAn authentication policy is a set of rules designed to limit authentication in various scenarios. Its purpose is to ensure that users within a silo can authenticate exclusively to silo-designated computers.\u003c/li\u003e\n\u003cli\u003eClaims are the foundational components that allow silos and authentication policies to work. Simply put, they act like tags on objects, and the authentication policy configuration refers to these tags.\u003c/li\u003e\n\u003cli\u003eKerberos Armoring enhances the Kerberos protocol by armoring the authentication exchange, so that an attacker who captures the network traffic cannot use it to brute-force user credentials offline. 
It also introduces support for claims, enabling their storage in the user's security token.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eNote: Kerberos Armoring requires configuration on both clients and servers to support silos.\u003c/p\u003e\n\u003ch4\u003ePrerequisite for a Tier-0 authentication silo installation\u003c/h4\u003e\n\u003cp\u003eTo maintain control over the silo and minimize the risk, it's crucial to keep the number of user and computer accounts at a minimum. Before including privileged users in the silo, it's essential to restrict their number by first using the \"Native Administrative Group Members\" IoE.\u003c/p\u003e\n\u003ch4\u003eIoE Objective\u003c/h4\u003e\n\u003cp\u003eThis IoE aims to assist AD administrators in installing and setting up an authentication silo for Tier-0 accounts. Proper configuration is essential to prevent vulnerabilities or gaps in the implementation.\n\u003cbr\u003eThis IoE will address the following questions to ensure that a proper configuration gets implemented:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAre all Tier-0 users in the \"Protected Users\" group? (Membership blocks NTLM authentication and delegation for these accounts, so they rely solely on Kerberos authentication.)\u003c/li\u003e\n\u003cli\u003eDo all domain controllers have the minimum required OS version to support authentication silos and policies? (Windows Server 2012 R2 and above)\u003cul\u003e\n\u003cli\u003eNote: Silos on the client side require workstations running Windows 8+ and servers running Windows Server 2012+. Non-compliant clients do not pose a security risk, but Tier-0 users will be unable to authenticate to them. This IoE does not check for this non-compliance, but you should consider compatibility during configuration.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eIs Kerberos Armoring correctly configured on clients and servers? (
This confirmation goes through GPO parameter checks.)\u003c/li\u003e\n\u003cli\u003eIs there a configured authentication silo?\u003c/li\u003e\n\u003cli\u003eIs this authentication silo appropriately configured for Tier-0 accounts, as defined by the product?\u003cul\u003e\n\u003cli\u003eTier-0 users within the silo\u003cul\u003e\n\u003cli\u003eAre all domain privileged users in this list? (Tier-0 users should include members of natively privileged AD groups. Those are provided in the deviance details.)\u003c/li\u003e\n\u003cli\u003eAre there any non-validated or unprivileged users present?\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eTier-0 computers within the silo\u003cul\u003e\n\u003cli\u003eAre all domain privileged computers in this list? (By default, the IoE considers only domain controllers as privileged computers. However, various IoE options are available to specify and help identify additional servers that should be considered, such as ADCS, WSUS, Exchange, AD backup servers, etc.)\u003c/li\u003e\n\u003cli\u003eAre there any non-validated or unprivileged computers present?\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eIs the silo's authentication policy configured as intended?\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAs indicated, this IoE follows a step-by-step approach, displaying deviances only for the relevant information needed to proceed with the installation of an authentication silo for Tier-0 accounts. \nNew deviances will appear as the IoE completes and validates each step, resolving previous deviances in the process. Once all deviances are cleared, the configuration of the authentication silo for Tier-0 accounts is complete and, as far as the AD data this IoE can assess, deemed secure.\u003c/p\u003e\n\u003ch4\u003eImportant security reminder\u003c/h4\u003e\n\u003cp\u003eThis IoE cannot analyze an important security aspect: it can only assess data from AD (LDAP/SYSVOL) and cannot query the local configuration of Tier-0 computers. 
Thus, manual verification is necessary for a crucial configuration aspect on all Tier-0 silo computers: no other administrators, including Helpdesk teams, should hold administrative privileges on these machines. This precaution applies both to Tier-0 workstations and to computers deployed from a master image that ships a generic (shared) local Administrator account. This prevents unauthorized access and potential credential theft of Tier-0 users: anyone who controls a local administrator account on a silo computer can steal the credentials of the Tier-0 users who sign in to it.\u003c/p\u003e\n\u003ch4\u003eSpecial case for the Administrator account\u003c/h4\u003e\n\u003cp\u003eTreat the built-in \"Administrator\" account (RID = 500) as a break glass account, as Microsoft recommends (verify its usage with the \"Recent Use of the Default Administrator Account\" IoE). Only use it as a last resort when other options fail, and you cannot use other domain administrators, like when there is a lockout due to misconfiguration of an authentication silo. In standard situations, store its password securely, whether in a virtual or physical safe to ensure protection.\n\u003cbr\u003eNote that, even when placed within a silo, this account is not subject to the same restrictions as other accounts: the silo will not function as expected for it and will not prevent it from authenticating on non-Tier-0 computers. As such, it's not necessary to include it within the Tier-0 silo, and it can serve as a backup mechanism if you lock yourself out of your domain controllers; the flip side is that the silo offers it no protection, which is why its password and usage must be tightly controlled.\u003c/p\u003e\n","exploitability":"No exploit is required"},"recommendation":{"name":"Implement a Tier-0 Authentication Silo and Policy","description":"Define the tier model, specifying which systems and users belong to the highest tier. Subsequently, validate the necessary steps for implementing this model practically in Active Directory.\n","exec_summary":"\u003cp\u003eTo enhance security against attackers and malware attempting to steal privileged identities, privileged users should exclusively connect to trusted machines. 
Employing a \"tier model\" design, particularly focusing on the highest tier (referred to as \"Tier-0\"), implement authentication silos and policies. This ensures that the credentials of privileged users are inaccessible on standard workstations and servers.\u003c/p\u003e\n","detail":"\u003ch4\u003eIntroduction\u003c/h4\u003e\n\u003cp\u003eAs detailed in this IoE's \"Vulnerability details\" section, the initial step in implementing a Tier-0 authentication silo involves documenting the accounts (users and computers) that need protection within this specific security context.\n\u003cbr\u003eThis IoE assists you by highlighting users inadvertently omitted from the silo. For computers requiring inclusion in the silo, recommendations depend solely on the provided IoE options. Various similar \"named\" options offer insights into server types traditionally deemed highly privileged in an AD environment, such as the following:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eADCS servers could be compromised to issue fraudulent certificates that can be used to authenticate to domain controllers (refer to \"ADCS Dangerous Misconfigurations\" IoE).\u003c/li\u003e\n\u003cli\u003eWSUS servers applying updates to domain controllers could be compromised to deploy fake Windows updates (refer to \"WSUS Dangerous Misconfigurations\" IoE).\u003c/li\u003e\n\u003cli\u003eExchange servers lacking AD schema hardening may possess risky permissions at the domain root (refer to \"Root Objects Permissions Allowing DCSync-Like Attacks\" IoE).\u003c/li\u003e\n\u003cli\u003eetc.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAllocate time to identify Tier-0 servers carefully. Omitting a server that can compromise AD leaves an attack path open, while including too many servers enlarges the Tier-0 attack surface and reduces visibility over it. 
It's advisable to begin conservatively, including only evident privileged servers, and gradually add more servers when there's a pivot path that could compromise the AD or existing silo servers.\n\u003cbr\u003e\u003cbr\u003eThe following sections detail the sequence of deviances that this IoE triggers, offering a step-by-step guide for Tier-0 authentication silo installation. Administrators familiar with configuring authentication silos and policies may opt out of following this procedure. \nNote that the product GUI will present sequentially the interdependent steps, while a deviance will indicate actions that can take place concurrently.\u003c/p\u003e\n\u003ch4\u003e1. Unprotected Tier-0 user account\u003c/h4\u003e\n\u003cp\u003ePrivileged users within a Tier-0 silo should exclusively use the Kerberos protocol, avoiding the NTLM protocol. Additionally, be cautious of potential risks associated with the delegation of authentication for these accounts.\nTo mitigate both potential issues, it's advisable to include these users in the \"Protected Users\" group. Refer to the dedicated IoE \"Protected Users Group Not Used\" for more information on this group and the implications of adding members to it.\n\u003cbr\u003eNote: If necessary, you can disable this check using an option if it does not apply to your situation.\n\u003cbr\u003eFor example, use the following command in PowerShell to add a specific user to the \"Protected Users\" group:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ePS\u0026gt; Add-ADGroupMember -Identity \"Protected Users\" -Members \"adm-t0\"\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch4\u003e2. DCs not up-to-date\u003c/h4\u003e\n\u003cp\u003eTo support authentication silos and their technical dependencies, domain controllers must be \"Windows Server 2012R2\" or later (the required version on the server side). Ensure that you update all domain controllers before configuration.\u003c/p\u003e\n\u003ch4\u003e3a. 
Client-side misconfiguration\u003c/h4\u003e\n\u003cp\u003eOn the client side, configure a GPO to enable support for claims, compound authentication, and Kerberos armoring. Link this GPO to the containers of servers and workstations in the Tier-0 silo to ensure Tier-0 users can authenticate to them. While it's not a security risk if the GPO is not linked and applied, it may cause authentication issues after creating the silo.\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. Create or use an existing GPO and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\Kerberos\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eKerberos client support for claims, compound authentication and Kerberos armoring\u003c/em\u003e and select \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eNote: Remember to link this GPO also to Tier-0 workstations and domain controllers.\u003c/p\u003e\n\u003ch4\u003e3b. Unenforced Kerberos Armoring\u003c/h4\u003e\n\u003cp\u003eThe existing client-side GPO configuration is sufficient for meeting requirements. However, for enhanced security, consider enforcing, rather than requesting, Kerberos armoring. This minimizes the risk of attackers intercepting network traffic and retrieving credentials.\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Create or use the previously created client-side GPO and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\Kerberos\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eFail authentication requests when Kerberos armoring is not available\u003c/em\u003e and select \u003cem\u003eEnabled\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eWith these two parameters set, Tier-0 users can authenticate to those computers after the GPO goes into effect (this may take some time and might require a reboot).\u003c/p\u003e\n\u003ch4\u003e3c. Server-side misconfiguration\u003c/h4\u003e\n\u003cp\u003eOn the server side, you must configure domain controllers to support the prerequisites of the authentication silo.\nTo do this, link a GPO to the default domain controllers container (or other organizational units if DCs have moved).\n\u003cbr\u003eTo set this configuration with Group Policy:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eOpen the Group Policy Management Console. 
Create or use an existing GPO (not the previously created client-side one) and click \u003cem\u003eEdit...\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eIn the console tree under \u003cem\u003eComputer Configuration\u003c/em\u003e, expand the \u003cem\u003ePolicies\u003c/em\u003e folder and navigate until you reach \u003cem\u003eAdministrative Templates\\System\\KDC\u003c/em\u003e.\u003c/li\u003e\n\u003cli\u003eDouble-click on \u003cem\u003eKDC support for claims, compound authentication and Kerberos armoring\u003c/em\u003e, select \u003cem\u003eEnabled\u003c/em\u003e, and set the option \u003cem\u003eClaims, compound authentication for Dynamic Access Control and Kerberos armoring options:\u003c/em\u003e to \u003cem\u003eSupported\u003c/em\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eOnce a domain controller applies this GPO, it makes a change to the \"krbtgt\" account. The IoE validates these changes on the account, and resolution occurs upon detection.\u003c/p\u003e\n\u003ch4\u003e4. Authentication silo misconfiguration\u003c/h4\u003e\n\u003cp\u003eThe silo configuration comprises multiple small steps indicated by checkboxes in the deviance. These changes can occur in any order, and Microsoft's documentation, detailed in the links below the \"Documents\" section, provides exhaustive information on the implementation details.\n\u003cbr\u003eThe \"Active Directory Administrative Center\" is a convenient tool for creating the authentication silo and its associated policy.\nAccess the configuration through the left panel, under the \"Authentication\" category within the \"Authentication Policies\" and \"Authentication Policy Silos\" sub-categories.\n\u003cbr\u003eBegin by creating the Tier-0 authentication policy first, enabling direct referencing inside the Tier-0 silo. Initially, configure both as \"Only audit policy restrictions\" and \"Only audit silo policies\" to create an initial version of the Tier-0 silo. 
This setting allows you to view Windows event logs to understand the impact before enforcing the configuration.\nOnce you're ready, the reasons below will provide additional assistance to ensure the correct computers and users get included in the silo. Those further checks can only be executed after every step described here has been completed.\u003c/p\u003e\n\u003ch4\u003e5a. Unreferenced privileged user\u003c/h4\u003e\n\u003cp\u003eThe following reasons offer context on which user and computer accounts to include in the Tier-0 silo and also indicate which accounts to exclude.\n\u003cbr\u003eThis initial topic concerns the importance of having a comprehensive list of user accounts within the Tier-0 silo. Every user account identified as privileged (as explained in detail in the \"Native Administrative Group Members\" IoE) should go inside the silo.\nIf the check returns a list of users that is too extensive, it indicates the need to reduce the number of privileged users beforehand.\n\u003cbr\u003eThe resolution for this reason can only occur after you add every privileged user account to the silo (in the \"Permitted Accounts\" section of the silo configuration). This may require creating new administrative user accounts for managing non-sensitive resources.\u003c/p\u003e\n\u003ch4\u003e5b. Unassigned privileged user\u003c/h4\u003e\n\u003cp\u003eThe second necessary step to include a user in the silo is to assign the user to it. The first step is to \"reference,\" and the second step is to \"assign.\"\n\u003cbr\u003eDo this individually for each user by double-clicking on each account, navigating to the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section, selecting the \u003cem\u003eAssign Authentication Policy Silo\u003c/em\u003e checkbox, and choosing the Tier-0 silo by its name in the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section.\u003c/p\u003e\n\u003ch4\u003e5c. 
Unprivileged user referenced\u003c/h4\u003e\n\u003cp\u003eTo maintain the Tier-0 silo as restricted and minimal as possible, include only the essential privileged user accounts. Remove non-privileged user accounts that should not be part of this silo. If validated and necessary, you can exempt them through the dedicated IoE option.\u003c/p\u003e\n\u003ch4\u003e5d. Unreferenced privileged computer\u003c/h4\u003e\n\u003cp\u003eLike user accounts, include computer accounts in the Tier-0 silo. Unlike for user accounts, the IoE cannot automatically calculate and suggest privileged computers to facilitate configuration. However, use multiple options to identify servers and workstations to include in this Tier-0 silo.\u003c/p\u003e\n\u003ch4\u003e5e. Unassigned privileged computer\u003c/h4\u003e\n\u003cp\u003eAfter referencing computer accounts, you must also assign them within the Tier-0 silo.\nTo do this, double-click on each computer and navigate to the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section. Select the \u003cem\u003eAssign Authentication Policy Silo\u003c/em\u003e checkbox and choose the Tier-0 silo by its name in the \u003cem\u003eAuthentication Policy Silo\u003c/em\u003e section.\u003c/p\u003e\n\u003ch4\u003e5f. Unprivileged computer referenced\u003c/h4\u003e\n\u003cp\u003eLike the user configuration, the Tier-0 silo should only contain privileged computers.\nIf these are not validated, remove them from the \"Permitted Accounts\" section. If accepted, add their organizational units through the dedicated options.\u003c/p\u003e\n\u003ch4\u003e6. Authentication policy misconfiguration\u003c/h4\u003e\n\u003cp\u003eConfigure the authentication policy associated with the Tier-0 silo with a condition that restricts user accounts to authenticating only to computers within the silo. 
Without this restriction, users' credentials are unprotected and can get compromised on lower-tier computers if administrators authenticate there.\n\u003cbr\u003eTo do this, go to the authentication policy configuration and navigate to the \u003cem\u003eUser Sign On\u003c/em\u003e section. Under \u003cem\u003eClick Edit to define conditions\u003c/em\u003e, create the following condition: \u003cem\u003e(User.AuthenticationSilo Equals \"T0-Silo\")\u003c/em\u003e (adapt the name of the Tier-0 silo accordingly).\u003c/p\u003e\n\u003ch4\u003e7. Multiple uses of the authentication policy\u003c/h4\u003e\n\u003cp\u003eMicrosoft provides two methods for specifying an authentication policy for an account:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBy being a member of a silo.\u003c/li\u003e\n\u003cli\u003eAlternatively, by manually assigning an authentication policy to the account, outside of a silo.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAssigning an authentication policy directly to an account (outside of the silo configuration) is not a recommended practice as it complicates the management of both the silo and its policy.\n\u003cbr\u003eTo manually remove an account associated with the authentication policy of a Tier-0 silo, go to the authentication policy configuration and remove every account specified in the \u003cem\u003eAccounts\u003c/em\u003e section.\u003c/p\u003e\n","resources":[{"name":"Authentication Policies and Authentication Silos - Restricting Domain Controller Access","url":"https://social.technet.microsoft.com/wiki/contents/articles/26945.authentication-policies-and-authentication-silos-restricting-domain-controller-access.aspx","type":"hyperlink"},{"name":"Protecting Domain Administrative Credentials","url":"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/protecting-domain-administrative-credentials/ba-p/259210","type":"hyperlink"}]},"resources":[{"name":"Authentication Policies and Authentication Policy 
Silos","url":"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)","type":"hyperlink"},{"name":"L'administration en silo (french reference whitepaper)","url":"https://www.sstic.org/2017/presentation/administration_en_silo/","type":"hyperlink"}],"applicable_resource_types":["ad_group","ad_user","ad_sysvol_pol","ad_domain_dns","ad_msds_auth_n_policy_silo"],"attacker_known_tools":[],"category_id":1,"mitre_attacks":[{"tactic":"TA0004 - Privilege Escalation","techniques":["T1078 - Valid Accounts"]}],"indicator_type":"Active Directory Indicator of Exposure","released":true,"available_languages":["ko_KR","es_001","zh_CN","de_DE","ja_JP","fr_FR","zh_TW","en_US"],"tvdb_export_source":{"file_name":"diff-202502220200.tar.gz","file_path":"exports/tenable_ad_ioe/v2","data_file_name":"C-AUTH-SILO","created_at":"2025-02-22T02:06:47","updated_at":"2025-02-22T02:06:47"},"severity":"high","type":"ioe","subType":"ad","availableLocales":["ko","es","zh-CN","de","ja","fr","zh-TW","en"],"mitre_attack_information":[{"tactic":{"id":"TA0004","name":"Privilege Escalation","url":"https://attack.mitre.org/tactics/TA0004/"},"techniques":[{"id":"T1078","name":"Valid 
Accounts","url":"https://attack.mitre.org/techniques/T1078/"}]}],"index":"1735837073511_indicator_ad_ioe_en_us"},"type":"ioe","indicatorId":"C-AUTH-SILO","errorStatus":null},"cookies":{},"user":null,"flash":null,"env":{"baseUrl":"https://www.tenable.com","host":"www.tenable.com","ga4TrackingId":""},"isUnsupportedBrowser":true,"__N_SSP":true},"page":"/indicators/ioe/[subType]/[id]","query":{"subType":"ad","id":"C-AUTH-SILO"},"buildId":"RsIzRDoxGcJZTeqNY4h8D","isFallback":false,"isExperimentalCompile":false,"gssp":true,"appGip":true,"locale":"en","locales":["en","de","es","fr","ja","ko","zh-CN","zh-TW"],"defaultLocale":"en","domainLocales":[{"domain":"www.tenable.com","defaultLocale":"en"},{"domain":"de.tenable.com","defaultLocale":"de"},{"domain":"es-la.tenable.com","defaultLocale":"es"},{"domain":"fr.tenable.com","defaultLocale":"fr"},{"domain":"jp.tenable.com","defaultLocale":"ja"},{"domain":"kr.tenable.com","defaultLocale":"ko"},{"domain":"www.tenablecloud.cn","defaultLocale":"zh-CN"},{"domain":"zh-tw.tenable.com","defaultLocale":"zh-TW"}],"scriptLoader":[]}</script></body></html>