Using Tanium Client-related Tanium content

The Tanium Core Platform includes Tanium content that facilitates Tanium Client administration.

Default Content

The Tanium Server imports the Taniumâ„¢ Default Content pack when you initially sign into the Tanium Console. The pack contains a key set of saved questions, packages, and sensors for collecting information from endpoints and taking actions. The pack also includes saved questions and scheduled actions that relate to the deployment of the Tanium Client. To familiarize yourself with Tanium Client-related content, access the following Tanium Console pages from the Main menu:

  • Administration > Actions > Scheduled Actions: Review the actions that are scheduled to run against the Default action group.
  • Administration > Content > Sensors: Search for client-related sensors.
  • Administration > Content > Packages: Search for client-related packages.
  • Administration > Content > Saved Questions: Search for client-related questions.

Client Upgrade

The Client Upgrade content pack facilitates upgrading the Tanium Client on Windows endpoints. It is available in all deployments and is categorized as core content on the Administration > Configuration > Solutions page. Contact Tanium Support to import the ClientUpgradeNonWindows content pack for upgrading the Tanium Client on non-Windows endpoints. You must manually upgrade non-Windows endpoints using an installer package (available from the Client Management Overview page) or use third-party software. Contact Tanium Support for additional guidance.

Table 1:   Client Upgrade content pack for Windows endpoints
Content Object name Description
Saved questions Windows Clients Older Than <version> For Targeting The results of this question indicate which Tanium Clients on Windows endpoints do not have the latest client version.
Packages Update Tanium Client <version> Files: SetupClient.exe, set-service-permissions-back-to-default.vbs

Command: cmd /c start /B "" cmd /c "cscript.exe set-service-permissions-back-to-default.vbs & net stop "Tanium Client" & net stop "TaniumClient" & taskkill /f /im taniumclient.exe & SetupClient.exe /S & net start "Tanium Client" & net start "TaniumClient""

Timeout: 900
Sensors Client Brand Use to fine-tune a targeting question.
Scheduled actions Update Any Tanium Client to <version> By default, the Tanium Server deploys this action hourly and distributes the deployment over 15 minutes.

To upgrade Tanium Clients on Windows endpoints, see Upgrading Tanium Clients.

Client Service Hardening

The Client Service Hardening content pack includes saved questions, packages, and scheduled actions that you can use to restrict user access to the Tanium Client from a local Windows host endpoint.

The Tanium Client installs as a normal application on Windows. While the protocols that the client uses to communicate with TaaS the Tanium Server and peer clients are designed to be secure and prevent rogue sensors or actions, it is still imperative to protect the Tanium Client itself from an attacker or a tinkering end user.

Table 2:   Client Service Hardening content pack
Content Object name Description
Categories Client Service Hardening Contains the dashboards that this table lists.
Dashboards Control Service State Permissions Controlling which accounts have permissions to start and stop services is often the first and most effective way to protect the integrity of your Tanium Client deployment.

Many organizations have given some or all of their end users permissions to be a local administrator. For this reason, Tanium typically recommends that you restrict service control to the local SYSTEM account instead.

Set Client Directory Permissions Default permissions allow several user types to view or modify files in the Tanium Client directory. While this does not mean that an attacker could cause the client to run sensors or packages that TaaS the Tanium Server did not issue, because these actions are digitally signed, it could lead to performance issues or extra bandwidth consumption while the information is re-synchronized.

Setting the file system permissions to SYSTEM is recommended.
Hide From Add-Remove Programs Controlling whether users can view the Tanium Client in the Windows Add/Remove Programs list or in the Programs menu does not by itself directly affect the security of the client. A user with permissions to uninstall an application could also launch the uninstallation manually. This dashboard helps to reduce accidental uninstallations and preempt inquisitive end users from trying to tamper with the client.

Hide the client from the Add/Remove Programs list and perform regular audits of unmanaged assets to look for systems with missing or non-functioning clients.

Saved questions Tanium Client Service Control Permissions Issues the following question: Get Tanium Client Service Control Status contains Service Control from all machines with Tanium Client Service Control Status contains Service Control
Tanium Client Directory Permissions Issues the following question: Get Tanium Client Directory Permissions from all machines
Tanium Client Visible in Add-Remove Programs Issues the following question: Get Tanium Client Uninstall Hidden contains No from all machines with Tanium Client Uninstall Hidden contains No
Tanium Client Hidden From Add-Remove Programs Issues the following question: Get Tanium Client Uninstall Hidden contains Yes from all machines with Tanium Client Uninstall Hidden contains Yes
Scheduled actions Control Service State Permissions Grant permission to start or stop the Tanium Client service to only the local administrator or local system account.
Hide From Add-Remove Programs Hide the Tanium Client from the Add/Remove Programs list.
Packages Client Service Hardening - Allow Only Local Admins to Control Service Files: allow-only-admins-to-control-service.vbs

Command: cmd /c cscript.exe allow-only-admins-to-control-service.vbs

Timeout: 900
Client Service Hardening - Allow Only Local SYSTEM to Control Service Files: allow-only-local-system-to-control-services.vbs

Command: cmd /c cscript.exe allow-only-local-system-to-control-services.vbs

Timeout: 600
Client Service Hardening - Reset permissions on Tanium Client directory Files: reset_directory_permissions.vbs

Command: cmd /c cscript //T:60 reset_directory_permissions.vbs

Timeout: 600
Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory Files: modify_directory_permissions.vbs

Command: cmd /c cscript //T:60 modify_directory_permissions.vbs

Timeout: 600
Client Service Hardening - Set Service Permissions to Defaults Files: set-service-permissions-back-to-default.vbs

Command: cmd /c cscript.exe set-service-permissions-back-to-default.vbs

Timeout: 600
Client Service Hardening - Hide Client from Add-Remove Programs File: hide-client-from-add-remove.vbs

Command: cmd /c cscript.exe hide-client-from-add-remove.vbs

Timeout: 600
Client Service Hardening - Show Client in Add-Remove Programs Files: show-client-in-add-remove-programs.vbs

Command: cmd /c cscript.exe show-client-in-add-remove-programs.vbs

Timeout: 600
Sensors Tanium Client Directory Permissions Returns the current status of the Tanium Client directories permissions and whether they are set as restricted to SYSTEM.

Example result: Restricted - SYSTEM
Tanium Client Service Control Status Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service.

Example result: Service Control Restricted to Administrators
Tanium Client Uninstall Hidden Returns whether the Tanium Client is hidden from the Add/Remove Programs list.

Example result: Yes

The following workflow shows how to use the Client Service Hardening content pack to hide the Tanium Client from the Windows Add/Remove Programs list:

  1. Contact Tanium Support to import the Client Service Hardening content pack into TaaS.
  2. From the Interact menu, click Content.
  3. In the Categories panel, browse to Client Service Hardening.
  4. Click a question to drill into the saved question page for it.
  5. Select the appropriate results row and click Deploy Action to display the configuration page.
  6. Verify the package and action details and then scroll down to preview the action.
  7. Click Deploy Action to initiate the action.

    8. The page reloads to display the Action Summary.

  8. Review the status to confirm expected results.
  1. From the Main menu, go to Administration > Configuration > Solutions, scroll to the Content section, select the Client Service Hardening solution, and click Import Solution.
  2. Review the list of content objects and click Import.
  3. From the Interact menu, click Content.
  4. In the Categories panel, browse to Client Service Hardening.
  5. Click a question to drill into the saved question page for it.
  6. Select the appropriate results row and click Deploy Action to display the configuration page.
  7. Verify the package and action details and then scroll down to preview the action.
  8. Click Deploy Action to initiate the action.

    9. The page reloads to display the Action Summary.

  9. Review the status to confirm expected results.