Using Tanium Client-related Tanium content
The Tanium Core Platform includes Tanium content that facilitates Tanium Client administration.
Default Content
The Tanium Server imports the Taniumâ„¢ Default Content pack when you initially log into the Tanium Console. The pack contains a key set of saved questions, packages, and sensors that you use to get data from endpoints and take actions, including the saved questions and scheduled actions related to the deployment of the Tanium Client itself. To familiarize yourself with the Tanium Client-related content:
- From the Main menu, select Console > Actions > Scheduled Actions and review the actions that are scheduled to run against the action group named Default.
- From the Main menu, select Console > Content > Sensors and search for client-related sensors.
- From the Main menu, select Console > Content > Packages and search for client-related packages.
- From the Main menu, select Console > Content > Saved Questions and search for client-related questions.
Client Upgrade
The Client Upgrade content pack facilitates upgrading the Tanium Client on Windows endpoints. It is available in all deployments and is categorized as core content on the Tanium Solutions page. To import the ClientUpgradeNonWindows content pack for upgrading the Tanium Client on non-Windows endpoints, consult your Technical Account Manager (TAM).
| Content | Object name | Description |
|---|---|---|
| Saved questions | Windows Clients Older Than <version> For Targeting | A targeting question designed to return Tanium Clients on Windows that have not been upgraded to the latest version. |
| Packages | Update Tanium Client <version> | Files:
SetupClient.exe,
set-service-permissions-back-to-default.vbs Command: cmd /c start /B "" cmd /c "cscript.exe set-service-permissions-back-to-default.vbs & net stop "Tanium Client" & net stop "TaniumClient" & taskkill /f /im taniumclient.exe & SetupClient.exe /S & net start "Tanium Client" & net start "TaniumClient"" Timeout: 900 |
| Sensors | Client Brand | Use to fine-tune a targeting question. |
| Scheduled actions | Update Any Tanium Client to <version> | By default, runs every hour and is distributed over 15 minutes. |
To upgrade Windows clients, see Upgrading Tanium Clients.
Client Service Hardening
The Client Service Hardening content pack includes saved questions, packages, and scheduled actions that you can use to restrict how the Tanium Client can be accessed from the local Windows system.
The Tanium Client installs as a normal application on Windows. While the protocols used to communicate with the Tanium Server and peer clients are designed to be secure and prevent rogue sensors or actions, it is still imperative that the Tanium Client itself be protected from an attacker or just a tinkering end user.
| Content | Object name | Description |
|---|---|---|
| Categories | Client Service Hardening | Contains dashboards related to this content. |
| Dashboards | Control Service State Permissions |
Controlling which accounts have permissions to start and stop services is often the first, and most effective, way you can protect the integrity of your Tanium Client deployment.
Many organizations have given some or all of their end users permissions to be a local administrator. For this reason, Tanium typically recommends you restrict service control to the local SYSTEM account instead. |
| Set Client Directory Permissions | Default permissions allow several user types to view or modify files in the Tanium Client directory. While this does not mean that an attacker could cause the agent to run sensors or packages that were not issued by the Tanium Server, because these actions are digitally signed, it could lead to performance issues or extra bandwidth consumption while the information is re-synchronized. Setting the file system permissions to SYSTEM is recommended. | |
| Hide From Add-Remove Programs | Controlling whether or not the Tanium Client is viewable in the Add/Remove Programs or simply Programs menu does not directly affect the security of the agent by itself. A user with permissions to uninstall an application would also be able to launch the uninstall manually. This is a useful layer that will help reduce accidental uninstallations and preempt the more inquisitive end users from trying to tamper with the agent. Hiding the client from Add/Remove Programs is considered a best practice and should be used alongside of regular audits of unmanaged assets to look for systems with missing or non-functioning agents. | |
| Saved questions | Tanium Client Service Control Permissions | Get Tanium Client Service Control Status containing "Service Control" from all machines with Tanium Client Service Control Status containing "Service Control" |
| Tanium Client Directory Permissions | Get Tanium Client Directory Permissions from all machines | |
| Tanium Client Visible in Add-Remove Programs | Get Tanium Client Uninstall Hidden containing "No" from all machines with Tanium Client Uninstall Hidden containing "No" | |
| Tanium Client Hidden From Add-Remove Programs | Get Tanium Client Uninstall Hidden containing "Yes" from all machines with Tanium Client Uninstall Hidden containing "Yes" | |
| Scheduled actions | Control Service State Permissions | Grant permission to start or stop the Tanium Client service to only the local administrator or local system account. |
| Hide From Add-Remove Programs | Hide the Tanium Client from the Windows Add-Remove Programs list. | |
| Packages | Client Service Hardening - Allow Only Local Admins to Control Service | Files:
allow-only-admins-to-control-service.vbs Command: cmd /c cscript.exe allow-only-admins-to-control-service.vbs Timeout: 900 |
| Client Service Hardening - Allow Only Local SYSTEM to Control Service | Files:
allow-only-local-system-to-control-services.vbs Command: cmd /c cscript.exe allow-only-local-system-to-control-services.vbs Timeout: 600 |
|
| Client Service Hardening - Reset permissions on Tanium Client directory | Files:
reset_directory_permissions.vbs Command: cmd /c cscript //T:60 reset_directory_permissions.vbs Timeout: 600 |
|
| Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory | Files:
modify_directory_permissions.vbs Command: cmd /c cscript //T:60 modify_directory_permissions.vbs Timeout: 600 |
|
| Client Service Hardening - Set Service Permissions to Defaults | Files:
set-service-permissions-back-to-default.vbs Command: cmd /c cscript.exe set-service-permissions-back-to-default.vbs Timeout: 600 |
|
| Client Service Hardening - Hide Client from Add-Remove Programs | File: hide-client-from-add-remove.vbs Command: cmd /c cscript.exe hide-client-from-add-remove.vbs Timeout: 600 |
|
| Client Service Hardening - Show Client in Add-Remove Programs | Files:
show-client-in-add-remove-programs.vbs Command: cmd /c cscript.exe show-client-in-add-remove-programs.vbs Timeout: 600 |
|
| Sensors | Tanium Client Directory Permissions |
Returns the current status of the Tanium Client directories permissions and if they have been set as restricted to SYSTEM.
Example: Restricted - SYSTEM |
| Tanium Client Service Control Status |
Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service.
Example: Service Control Restricted to Administrators |
|
| Tanium Client Uninstall Hidden |
Returns whether the Tanium Client is hidden from the Add-Remove programs list.
Example: Yes |
The following workflow shows how to use the Client Service Hardening content pack to hide the Tanium Client from the Windows Add-Remove Programs list:
- From the Main menu, click Solutions, scroll to the Tanium Content section, select the Client Service Hardening solution, and click Import Solution.
- Review the list of content objects and click Import.
- From the Interact menu, click Content.
- In the Categories panel, browse to Client Service Hardening.
- Click a question to drill into the saved question page for it.
- Select the appropriate results row and click Deploy Action to display the configuration page.
- Verify the package and action details and then scroll down to preview the action.
- Click Deploy Action to initiate the action.
- Review the status to confirm expected results.
The page reloads to display the Action Summary.
Last updated: 6/30/2020 4:27 PM | Feedback