Using Tanium Client-related Tanium content

The Tanium Core Platform includes Tanium content that facilitates Tanium Client administration.

Default Content

The Tanium Server imports the Tanium™ Default Content pack when you initially sign in to the Tanium Console. The pack contains a key set of saved questions, packages, and sensors for collecting information from endpoints and taking actions. The pack also includes saved questions and scheduled actions that relate to the deployment of the Tanium Client. To familiarize yourself with Tanium Client-related content, access the following Tanium Console pages from the Main menu:

  • Administration > Actions > Scheduled Actions: Review the actions that are scheduled to run against the Default action group.
  • Administration > Content > Sensors: Search for client-related sensors.
  • Administration > Content > Packages: Search for client-related packages.
  • Administration > Content > Saved Questions: Search for client-related questions.

Client Upgrade

The Client Upgrade content pack facilitates upgrading the Tanium Client on Windows endpoints. It is available in all deployments and is categorized as core content on the Administration > Configuration > Solutions page. Contact Tanium Support to import the ClientUpgradeNonWindows content pack for upgrading the Tanium Client on non-Windows endpoints. You must manually upgrade non-Windows endpoints using an installer package (available from the Client Management Home page) or use third-party software. Contact Tanium Support for additional guidance.

 Table 1: Client Upgrade content pack for Windows endpoints
Content Object name Description
Saved questions Windows Clients Older Than <version> For Targeting The results of this question indicate which Tanium Clients on Windows endpoints do not have the latest client version.
Packages Update Tanium Client <version> Files: SetupClient.exe, set-service-permissions-back-to-default.vbs

Command: cmd /c start /B "" cmd /c "cscript.exe set-service-permissions-back-to-default.vbs & net stop "Tanium Client" & net stop "TaniumClient" & taskkill /f /im taniumclient.exe & SetupClient.exe /S & net start "Tanium Client" & net start "TaniumClient""

Timeout: 900

Sensors Client Brand Use to fine-tune a targeting question.
Scheduled actions Update Any Tanium Client to <version> By default, the Tanium Server deploys this action hourly and distributes the deployment over 15 minutes.

To upgrade Tanium Clients on Windows endpoints, see Upgrading Tanium Clients.

Client Service Hardening

The Client Service Hardening content pack includes saved questions, packages, and scheduled actions that you can use to restrict user access to the Tanium Client from a local Windows host endpoint.

The Tanium Client installs as a normal application on Windows. While the protocols that the client uses to communicate with TaaS the Tanium Server and peer clients are designed to be secure and prevent rogue sensors or actions, it is still imperative to protect the Tanium Client itself from an attacker or a tinkering end user.

 Table 2: Client Service Hardening content pack
Content Object name Description
Categories Client Service Hardening Contains the dashboards that this table lists.
Dashboards Control Service State Permissions

Controls which accounts have permission to start and stop services.

Many organizations have given some or all of their end users permissions to be a local administrator. For this reason, Tanium typically recommends that you restrict service control to the local SYSTEM account instead. This restriction is often the first and most effective way to protect the integrity of your Tanium Client deployment.

Set Client Directory Permissions

Controls which accounts have permission to view or modify files in the Tanium Client directory.

Set the file system permissions to SYSTEM. Default permissions allow several user types to view or modify files in the Tanium Client directory. Though digital signing prevents an attacker from causing the client to run sensors or packages that TaaS the Tanium Server did not issue, unnecessary permissions could lead to performance issues or extra bandwidth consumption while information is re-synchronized.

Hide From Add-Remove Programs

Controls whether the Tanium Client is hidden from the Windows Add/Remove Programs list.

Hiding the Tanium Client from the Windows Add/Remove Programs list or the Programs menu does not by itself directly affect the security of the client. A user with permissions to uninstall an application could also launch the uninstallation manually. This dashboard helps to reduce accidental uninstallations and preempt inquisitive end users from trying to tamper with the client.

Hide the client from the Add/Remove Programs list and perform regular audits of unmanaged assets to look for systems with missing or non-functioning clients.

Saved questions Tanium Client Service Control Permissions Issues the following question: Get Tanium Client Service Control Status contains Service Control from all machines with Tanium Client Service Control Status contains Service Control
Tanium Client Directory Permissions Issues the following question: Get Tanium Client Directory Permissions from all machines
Tanium Client Visible in Add-Remove Programs Issues the following question: Get Tanium Client Uninstall Hidden contains No from all machines with Tanium Client Uninstall Hidden contains No
Tanium Client Hidden From Add-Remove Programs Issues the following question: Get Tanium Client Uninstall Hidden contains Yes from all machines with Tanium Client Uninstall Hidden contains Yes
Scheduled actions Control Service State Permissions Grants permission to start or stop the Tanium Client service to only the local administrator or local system account.
Hide From Add-Remove Programs Hides the Tanium Client from the Add/Remove Programs list.
Packages Client Service Hardening - Allow Only Local Admins to Control Service

Files: allow-only-admins-to-control-service.vbs

Command: cmd /c cscript.exe allow-only-admins-to-control-service.vbs

Timeout: 900

Client Service Hardening - Allow Only Local SYSTEM to Control Service

Files: allow-only-local-system-to-control-services.vbs

Command: cmd /c cscript.exe allow-only-local-system-to-control-services.vbs

Timeout: 600

Client Service Hardening - Reset permissions on Tanium Client directory

Files: reset_directory_permissions.vbs

Command: cmd /c cscript //T:60 reset_directory_permissions.vbs

Timeout: 600

Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory

Files: modify_directory_permissions.vbs

Command: cmd /c cscript //T:60 modify_directory_permissions.vbs

Timeout: 600

Client Service Hardening - Set Service Permissions to Defaults

Files: set-service-permissions-back-to-default.vbs

Command: cmd /c cscript.exe set-service-permissions-back-to-default.vbs

Timeout: 600

Client Service Hardening - Hide Client from Add-Remove Programs

File: hide-client-from-add-remove.vbs

Command: cmd /c cscript.exe hide-client-from-add-remove.vbs

Timeout: 600

Client Service Hardening - Show Client in Add-Remove Programs

Files: show-client-in-add-remove-programs.vbs

Command: cmd /c cscript.exe show-client-in-add-remove-programs.vbs

Timeout: 600

Sensors Tanium Client Directory Permissions

Returns the current status of the Tanium Client directories permissions and whether they are set as restricted to SYSTEM.

Example result: Restricted - SYSTEM

Tanium Client Service Control Status

Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service.

Example result: Service Control Restricted to Administrators

Tanium Client Uninstall Hidden

Returns whether the Tanium Client is hidden from the Add/Remove Programs list.

Example result: Yes

The following workflow shows how to use the Client Service Hardening content pack to hide the Tanium Client from the Windows Add/Remove Programs list:

  1. From the Main menu, go to Administration > Configuration > Solutions, scroll to the Content section, select the Client Service Hardening solution, and click Import Content.
  2. Review the list of content objects and click Import.
  3. Contact Tanium Support to import the Client Service Hardening content pack into TaaS.
  4. From the Interact Home page, scroll to the Content section.
  5. In the Categories panel, select Client Service Hardening.
  6. From the Saved Questions panel, click a saved question to immediately ask the question.
  7. Drill down as necessary. Select the appropriate results row and click Deploy Action.
  8. Verify the package and action details and then click Show preview to continue.
  9. Click Deploy Action.

    The Action Status page opens.

  10. Review the status to confirm expected results.