Applying compensating controls
Compensating controls are security best practices or configurations for hardware, operating systems, and storage that you can apply to endpoints to reduce the risk score for those endpoints.
View compensating controls overview
- View a summary of controls and the number of endpoints on which a control is implemented. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls section.
Some compensating controls do not apply to all supported endpoint operating systems, which is why the total for a particular compensating control, such as UAC Enabled, might not equal the total number of endpoints reporting to Benchmark.
- To see which endpoints are missing a specific control, see the chart on the Compensating Controls page.
Configure hardware
Windows: Enable TPM
For more information about Trusted Platform Module (TPM), see Microsoft: Trusted Platform Module Technology Overview.
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the TPM status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see TPM Status information.
- To reduce your risk score, ensure that Windows endpoints use a TPM chip. Enforce provides this information to Benchmark. To examine the TPM status for endpoints, ask this question in Interact: Get Computer Name and Enforce - TPM Status from all machines. Consult the documentation for the hardware on the endpoint for details on enabling use of the TPM chip.
Configure operating systems
Windows and Linux: Enable a host-based firewall to block unwanted network traffic
For more information about host-based firewalls, see National Institute of Standards and Technology (NIST): Guidelines on Firewalls and Firewall Policy, section 2-2.
Implementing this control reduces the risk score for an endpoint by 6%.
- View a summary of the host firewall status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see Host Firewall Status information.
- To reduce your risk score, ensure that endpoints use a firewall. Enforce provides this information to Benchmark. To examine the firewall status for endpoints, ask this question in Interact: Get Computer Name and Enforce - Host Firewall Enabled from all machines. You can use Enforce to administer firewalls on Windows and Linux endpoints. For more information, see Enforce User Guide: Create a Windows firewall management policy and Enforce User Guide: Create a Linux firewall management policy.
Windows: Use a PowerShell execution policy
For more information about PowerShell execution policies, see Microsoft: about_Execution_Policies.
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the PowerShell execution policy status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see PowerShell Execution Policy information.
- To reduce your risk score, ensure that endpoints use a PowerShell execution policy. Client Management provides this information to Benchmark. To examine the PowerShell Execution policy status for endpoints, ask this question in Interact: Get Computer Name and Tanium PowerShell Execution Policy from all machines. Use the Set-ExecutionPolicy cmdlet to implement changes to PowerShell execution policies for Windows endpoints. For more information, see Microsoft: Set-ExecutionPolicy.
Windows: Install and enable security software registered with Windows Security Center
For more information about Windows Security Center (WSC), see Microsoft: Windows Security Center.
Implementing this control reduces the risk score for an endpoint by 2%.
- View a summary of the antivirus software status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see AV Present/Enabled information.
- To reduce your risk score, ensure that Windows endpoints use WSC-registered security software. Tanium Core Content sensors provide this information to Benchmark. To examine the antivirus software status for endpoints, ask this question in Interact: Get Computer Name and Windows Security Center Registered Antivirus Software from all machines with Is Windows equals true and look at the Protection column. You can use Enforce to administer Windows-based anti-malware applications (SCEP or Windows Defender) on Windows endpoints. For more information, see Enforce User Guide: Create an Anti-malware policy.
Windows: Update antivirus software
Verify that automatic updates are enabled and that the software is registered with WSC. For more information about WSC, see Microsoft: Windows Security Center.
Implementing this control reduces the risk score for an endpoint by 2%.
- View a summary of the antivirus update status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see AV Recently Updated information.
- To reduce your risk score, ensure that the WSC-registered security software on Windows endpoints is up to date. Tanium Core Content sensors provide this information to Benchmark. To examine the antivirus software definitions status for endpoints, ask this question in Interact: Get Computer Name and Windows Security Center Registered Antivirus Software from all machines with Is Windows equals true and look at the Definitions column. You can use Enforce to administer Windows-based anti-malware applications (SCEP or Windows Defender) on Windows endpoints. For more information, see Enforce User Guide: Create an Anti-malware policy. The Deploy definition update using Tanium option in the anti-malware policy controls whether the Tanium Client distributes definition updates.
Windows: Enable Data Execution Prevention (DEP)
For more information, see Microsoft: Data Execution Prevention.
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the DEP status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see DEP Enabled information.
- To reduce your risk score, enable DEP on endpoints. Tanium Core Content sensors provide this information to Benchmark. To examine the DEP status for Windows endpoints, ask this question in Interact: Get Computer Name and Data Execution Prevention Enabled from all machines with Is Windows equals true. You can enable DEP by using Group Policy on Windows endpoints. For more information about enabling DEP on Windows endpoints, see Microsoft: Override Process Mitigation Options to help enforce app-related security policies.
Windows (Windows 10 / Server 2016 or later): Enable Windows Defender Device Guard
For more information, see Microsoft blog: Windows 10 Device Guard and Credential Guard Demystified.
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the Device Guard status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see DeviceGuard information.
- To reduce your risk score, enable Windows Defender Device Guard on Windows endpoints. Tanium Default Content sensors provide this information to Benchmark. To examine the Windows Defender Device Guard status for Windows endpoints, ask this question in Interact: Get Computer Name and DeviceGuard Status from all machines with Is Windows equals true. You can enable Windows Defender Device Guard by using Group Policy on Windows endpoints.
Windows (Windows 10 / Server 2016 or later): Enable Windows Defender Credential Guard
For more information, see Microsoft: Protect derived domain credentials with Windows Defender Credential Guard.
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the Credential Guard status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see CredGuard information.
- To reduce your risk score, enable Credential Guard on Windows endpoints. Tanium Default Content sensors provide this information to Benchmark. To examine the Credential Guard status for Windows endpoints, ask this question in Interact: Get Computer Name and CredGuard Status from all machines with Is Windows equals true. You can enable Windows Defender Credential Guard by using Group Policy, the registry, or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool. For more information, see Microsoft: Manage Windows Defender Credential Guard.
Windows: Enable User Account Control
For more information, see Microsoft: How User Account Control works.
Implementing this control reduces the risk score for an endpoint by 2%.
- View a summary of the UAC status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see UAC Enabled information.
- To reduce your risk score, enable UAC on Windows endpoints. Tanium Incident Response sensors provide this information to Benchmark. To examine the UAC settings and status for Windows endpoints, ask this question in Interact: Get Computer Name and Windows Credential Security Settings from all machines with Is Windows equals true. You can enable UAC by using Group Policy. For more information, see Microsoft: User Account Control and WMI.
Windows: Run LSASS as PPL
For more information on the Local Security Authority Subsystem Service (LSASS), see Microsoft: Configuring Additional LSA Protection.
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the LSASS status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see Run LSASS as PPL information.
- To reduce your risk score, use the RunAsPPL configuration on Windows endpoints. Tanium Incident Response sensors provide this information to Benchmark. To examine the RunAsPPL settings and status for Windows endpoints, ask this question in Interact: Get Computer Name and Windows Credential Security Settings from all machines with Is Windows equals true. In the Setting Name column, find Run LSASS as protected process light (PPL) and confirm that it is set to Enabled in the Setting Value column. You can modify the LSA protection setting by editing the registry or using Group Policy. For more information, see Microsoft: Configuring Additional LSA Protection.
Windows: Enable Remote Desktop Protocol Restricted Administrative Mode
For more information on Remote Desktop Protocol (RDP) Restricted Administrative (RestrictedAdmin) Mode, see Microsoft TechNet: Remote Desktop Services: Enable Restricted Admin mode.
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the RDP RestrictedAdmin Mode status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see RDP Restricted Admin information.
- To reduce your risk score, enable the RestrictedAdmin Mode on Windows endpoints. Tanium Incident Response sensors provide this information to Benchmark. To examine the RDP settings and status for Windows endpoints, ask this question in Interact: Get Computer Name and Windows Credential Security Settings from all machines with Is Windows equals true. In the Setting Name column, find RDP Restricted Administration Mode and confirm that it is set to Enabled in the Setting Value column. You can modify Remote Desktop Services settings by editing the registry or using Group Policy. For more information, see Microsoft TechNet: Remote Desktop Services: Enable Restricted Admin mode.
Windows: Apply the LocalAccountTokenFilterPolicy restriction
For more information on LocalAccountTokenFilterPolicy, see Microsoft: Description of User Account Control and remote restrictions.
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the LocalAccountTokenFilterPolicy status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see Remote UAC Local Account Token Filter information.
- To reduce your risk score, enable the LocalAccountTokenFilterPolicy restriction for UAC. Tanium Incident Response sensors provide this information to Benchmark. To examine the UAC settings and status for Windows endpoints, ask this question in Interact: Get Computer Name and Windows Credential Security Settings from all machines with Is Windows equals true. In the Setting Name column, find Remote UAC Local Account Token Filter and confirm that it is set to Enabled in the Setting Value column. You can modify this setting by editing the registry or Group Policy. For more information, see Microsoft: Description of User Account Control and remote restrictions.
You might need to click See all to see this setting in the results grid in Interact.
Configure storage
Windows and macOS: Enable storage encryption
For more information about storage encryption, see Microsoft: BitLocker and Apple: Intro to FileVault.
Implementing this control reduces the risk score for an endpoint by 4%.
- View a summary of the storage encryption status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see Storage Encryption Status information.
- To reduce your risk score, encrypt local storage on endpoints. Tanium Core Content sensors provide this information to Benchmark. To examine the storage encryption status for endpoints, ask this question in Interact: Get Computer Name and Storage Encryption Status from all machines. You can use Enforce to administer storage encryption using BitLocker and FileVault. For more information, see Enforce User Guide: Create a BitLocker policy and Enforce User Guide: Create a FileVault policy.
Windows: Enable USB write protection
Implementing this control reduces the risk score for an endpoint by 1%.
- View a summary of the USB write protection status. From the Benchmark menu, go to Tanium Risk Score and view the Compensating Controls Impacting Risk section. On the Compensating Controls page, you can see USB Protected information.
- To reduce your risk score, ensure that USB devices that connect to endpoints are write-protected. Tanium Core Content sensors provide this information to Benchmark. To examine the USB write protection status for endpoints, ask this question in Interact: Get USB Write Protected from all machines. You can use Enforce to configure USB write protection on Windows endpoints. For more information, see Enforce User Guide: Create a Windows device control policy.
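One way to check the Windows controls described in the sections above locally on a single endpoint, as an added PowerShell example that is not Tanium code and does not replace the Benchmark sensors. It assumes an elevated Windows PowerShell session with the TrustedPlatformModule and BitLocker modules available, and the per-control "in place" criteria are my assumptions drawn from the Microsoft references cited above.

```powershell
# Added example (not Tanium code): audit this page's Windows compensating controls on the local
# endpoint. Assumptions: elevated Windows PowerShell 5.1+, the TrustedPlatformModule and BitLocker
# modules present, and root/SecurityCenter2 available (workstation SKUs only). Which state counts
# as "in place" is my reading of the page's references, not the Benchmark sensors' definition.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
function Get-RegDword($Path, $Name) {
    # Returns $null when the value or key is absent, so callers can treat "absent" explicitly.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
$dg = 'root\Microsoft\Windows\DeviceGuard'

$checks = [ordered]@{
    'TPM present and ready'       = { $t = Get-Tpm; $t.TpmPresent -and $t.TpmReady }
    'Host firewall, all profiles' = { @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0 }
    'PowerShell execution policy' = { (Get-ExecutionPolicy) -notin 'Unrestricted', 'Bypass' }
    'WSC AV enabled and updated'  = {
        # productState, as hex: byte 2 = 10/11 means enabled, byte 3 = 00 means definitions current.
        $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop
        [bool]($av | Where-Object { $h = '{0:x6}' -f $_.productState
                                     ($h.Substring(2, 2) -in '10', '11') -and ($h.Substring(4, 2) -eq '00') })
    }
    'DEP not AlwaysOff'           = { (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy -ne 0 }
    'Device Guard (VBS running)'  = { (Get-CimInstance -Namespace $dg -ClassName Win32_DeviceGuard).VirtualizationBasedSecurityStatus -eq 2 }
    'Credential Guard running'    = { 1 -in (Get-CimInstance -Namespace $dg -ClassName Win32_DeviceGuard).SecurityServicesRunning }
    'UAC enabled (EnableLUA)'     = { (Get-RegDword $pol 'EnableLUA') -eq 1 }
    'LSASS as PPL (RunAsPPL)'     = { (Get-RegDword $lsa 'RunAsPPL') -in 1, 2 }   # 2 = UEFI-locked
    'RDP RestrictedAdmin mode'    = { (Get-RegDword $lsa 'DisableRestrictedAdmin') -eq 0 }
    'Remote UAC token filter'     = { (Get-RegDword $pol 'LocalAccountTokenFilterPolicy') -ne 1 }  # absent or 0 = filtering applied
    'BitLocker on system drive'   = { (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On' }
}

# Run every check, recording a failure to evaluate as "not in place" rather than aborting the audit.
$results = foreach ($name in $checks.Keys) {
    try   { $ok = [bool](& $checks[$name]); $note = '' }
    catch { $ok = $false; $note = "check failed: $($_.Exception.Message)" }
    [pscustomobject]@{ Control = $name; InPlace = $ok; Note = $note }
}
$results | Format-Table -AutoSize
```

A control reported as not in place here is a candidate to confirm with the corresponding Interact question above before changing Group Policy or registry settings.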
Last updated: 9/21/2023 12:21 PM