Using Tanium Client-related Tanium content
The Tanium Core Platform includes Tanium content that facilitates Tanium Client administration.
Default Content
The
- Administration > Actions > Scheduled Actions: Review the actions that are scheduled to run against the Default action group.
- Administration > Content > Sensors: Search for client-related sensors.
- Administration > Content > Packages: Search for client-related packages.
- Administration > Content > Saved Questions: Search for client-related questions.
Client Upgrade
The Client Upgrade content pack facilitates upgrading the Tanium Client on Windows endpoints.
Content | Object name | Description |
---|---|---|
Saved questions | Windows Clients Older Than <version> For Targeting | The results of this question indicate which Tanium Clients on Windows endpoints do not have the latest client version. |
Packages | Update Tanium Client <version> | Files: SetupClient.exe, set-service-permissions-back-to-default.vbs. Command: `cmd /c start /B "" cmd /c "cscript.exe set-service-permissions-back-to-default.vbs & net stop "Tanium Client" & net stop "TaniumClient" & taskkill /f /im taniumclient.exe & SetupClient.exe /S & net start "Tanium Client" & net start "TaniumClient""` Timeout: 900 |
Sensors | Client Brand | Use to fine-tune a targeting question. |
Scheduled actions | Update Any Tanium Client to <version> | By default, the Tanium Server deploys this action hourly and distributes the deployment over 15 minutes. |
To upgrade Tanium Clients
Client Service Hardening
The Client Service Hardening content pack includes saved questions, packages, and scheduled actions that you can use to restrict user access to the Tanium Client from a local Windows host endpoint.
The Tanium Client installs as a normal application on Windows. While the protocols that the client uses to communicate with
Content | Object name | Description |
---|---|---|
Categories | Client Service Hardening | Contains the dashboards that this table lists. |
Dashboards | Control Service State Permissions | Controlling which accounts have permissions to start and stop services is often the first and most effective way to protect the integrity of your Tanium Client deployment. Many organizations have given some or all of their end users permissions to be a local administrator. For this reason, Tanium typically recommends that you restrict service control to the local SYSTEM account instead. |
Dashboards | Set Client Directory Permissions | Default permissions allow several user types to view or modify files in the Tanium Client directory. While this does not mean that an attacker could cause the client to run sensors or packages that Setting the file system permissions to SYSTEM is recommended. |
Dashboards | Hide From Add-Remove Programs | Controlling whether users can view the Tanium Client in the Windows Add/Remove Programs list or in the Programs menu does not by itself directly affect the security of the client. A user with permissions to uninstall an application could also launch the uninstallation manually. This dashboard helps to reduce accidental uninstallations and preempt inquisitive end users from trying to tamper with the client. Hide the client from the Add/Remove Programs list and perform regular audits of unmanaged assets to look for systems with missing or non-functioning clients. |
Saved questions | Tanium Client Service Control Permissions | Issues the following question: Get Tanium Client Service Control Status contains Service Control from all machines with Tanium Client Service Control Status contains Service Control |
Saved questions | Tanium Client Directory Permissions | Issues the following question: Get Tanium Client Directory Permissions from all machines |
Saved questions | Tanium Client Visible in Add-Remove Programs | Issues the following question: Get Tanium Client Uninstall Hidden contains No from all machines with Tanium Client Uninstall Hidden contains No |
Saved questions | Tanium Client Hidden From Add-Remove Programs | Issues the following question: Get Tanium Client Uninstall Hidden contains Yes from all machines with Tanium Client Uninstall Hidden contains Yes |
Scheduled actions | Control Service State Permissions | Grant permission to start or stop the Tanium Client service to only the local administrator or local system account. |
Scheduled actions | Hide From Add-Remove Programs | Hide the Tanium Client from the Add/Remove Programs list. |
Packages | Client Service Hardening - Allow Only Local Admins to Control Service | Files: allow-only-admins-to-control-service.vbs. Command: `cmd /c cscript.exe allow-only-admins-to-control-service.vbs` Timeout: 900 |
Packages | Client Service Hardening - Allow Only Local SYSTEM to Control Service | Files: allow-only-local-system-to-control-services.vbs. Command: `cmd /c cscript.exe allow-only-local-system-to-control-services.vbs` Timeout: 600 |
Packages | Client Service Hardening - Reset permissions on Tanium Client directory | Files: reset_directory_permissions.vbs. Command: `cmd /c cscript //T:60 reset_directory_permissions.vbs` Timeout: 600 |
Packages | Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory | Files: modify_directory_permissions.vbs. Command: `cmd /c cscript //T:60 modify_directory_permissions.vbs` Timeout: 600 |
Packages | Client Service Hardening - Set Service Permissions to Defaults | Files: set-service-permissions-back-to-default.vbs. Command: `cmd /c cscript.exe set-service-permissions-back-to-default.vbs` Timeout: 600 |
Packages | Client Service Hardening - Hide Client from Add-Remove Programs | File: hide-client-from-add-remove.vbs. Command: `cmd /c cscript.exe hide-client-from-add-remove.vbs` Timeout: 600 |
Packages | Client Service Hardening - Show Client in Add-Remove Programs | Files: show-client-in-add-remove-programs.vbs. Command: `cmd /c cscript.exe show-client-in-add-remove-programs.vbs` Timeout: 600 |
Sensors | Tanium Client Directory Permissions | Returns the current status of the Tanium Client directory permissions and whether they are restricted to SYSTEM. Example result: Restricted - SYSTEM |
Sensors | Tanium Client Service Control Status | Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service. Example result: Service Control Restricted to Administrators |
Sensors | Tanium Client Uninstall Hidden | Returns whether the Tanium Client is hidden from the Add/Remove Programs list. Example result: Yes |
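
An added example (not Tanium's sensor or package code): a Python audit that takes the SDDL string printed by `sc sdshow "Tanium Client"` and reports which trustees hold start, stop, reconfigure or re-ACL rights on the service, which is the property the Control Service State Permissions dashboard addresses. The sample SDDL strings and the result labels are constructed for illustration.

```python
import re

# SDDL right codes that let a trustee stop, reconfigure or re-ACL a service,
# mapped to their access-mask bits so hex masks can be checked too.
CONTROL = {
    "RP": 0x10, "WP": 0x20, "DT": 0x40,   # start, stop, pause/continue
    "DC": 0x2, "SD": 0x10000,             # change config, delete
    "WD": 0x40000, "WO": 0x80000,         # write DACL, write owner
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,  # generic all/execute/write
}
ALIASES = {"S-1-5-18": "SY", "S-1-5-32-544": "BA"}  # SYSTEM, Administrators

# Constructed sample SDDL strings (not captured from a real endpoint).
SAMPLES = {
    "default-like": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)",
    "system-only": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)",
    "weak": "O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;0x30;;;AU)S:(AU;FA;WD;;;WD)",
}

def control_trustees(sddl):
    """Map each trustee to the control rights its allow ACEs grant."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL ACEs found; review this service manually")
    granted = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type != "A":  # deny ACEs only remove access; skip them
            continue
        if rights.lower().startswith("0x"):  # rights given as a hex mask
            mask = int(rights, 16)
            names = {n for n, bit in CONTROL.items() if mask & bit}
        else:  # rights given as concatenated two-letter codes
            names = {rights[i:i + 2] for i in range(0, len(rights), 2)} & set(CONTROL)
        if names:
            granted.setdefault(ALIASES.get(sid, sid), set()).update(names)
    return granted

def classify(sddl):
    """Summarize who can control the service (labels are this example's own)."""
    who = set(control_trustees(sddl))
    if who <= {"SY"}:
        return "restricted to SYSTEM"
    if who <= {"SY", "BA"}:
        return "restricted to administrators"
    return "controllable by: " + ", ".join(sorted(who - {"SY", "BA"}))
```

Any result other than the first two labels means a trustee outside SYSTEM and the local Administrators group can control the service and the ACL needs review.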
The following workflow shows how to use the Client Service Hardening content pack to hide the Tanium Client from the Windows Add/Remove Programs list:
- Contact Tanium Support to import the Client Service Hardening content pack into TaaS.
- From the Interact menu, click Content.
- In the Categories panel, browse to Client Service Hardening.
- Click a question to drill into the saved question page for it.
- Select the appropriate results row and click Deploy Action to display the configuration page.
- Verify the package and action details and then scroll down to preview the action.
- Click Deploy Action to initiate the action.
- Review the status to confirm expected results.
The page reloads to display the Action Summary.

- From the Main menu, go to Administration > Configuration > Solutions, scroll to the Content section, select the Client Service Hardening solution, and click Import Solution.
- Review the list of content objects and click Import.
- From the Interact menu, click Content.
- In the Categories panel, browse to Client Service Hardening.
- Click a question to drill into the saved question page for it.
- Select the appropriate results row and click Deploy Action to display the configuration page.
- Verify the package and action details and then scroll down to preview the action.
- Click Deploy Action to initiate the action.
- Review the status to confirm expected results.
The page reloads to display the Action Summary.

Last updated: 1/11/2021 4:39 PM