Using Tanium Client-related Tanium content

The Tanium Core Platform includes Tanium content that facilitates Tanium Client administration.

Initial Content

The Tanium Server imports the Initial Content packs when you initially log into the Tanium Console. The packs contain a key set of saved questions, packages, and sensors that you use to get data from endpoints and take actions, including the saved questions and scheduled actions related to the deployment of the Tanium Client itself. To familiarize yourself with the Tanium Client-related Initial Content:

1. Go to Actions > Scheduled Actions and review the actions that are scheduled to run against the action group named Default.
2. Go to Content > Sensors and search for client-related sensors.
3. Go to Content > Packages and search for client-related packages.
4. Go to Content > Saved Questions and search for client-related questions.

Client Upgrade

The Client Upgrade content pack facilitates upgrading the Tanium Client on Windows endpoints. It is available in all deployments and is categorized as core content on the Tanium Solutions page. To import the the ClientUpgradeNonWindows content pack for upgrading the Tanium Client on non-Windows endpoints, consult your Technical Account Manager (TAM).

Table 1:   Client Upgrade content pack for Windows endpoints

Content	Object name	Description
Saved questions	Windows Clients Older Than <version> For Targeting	A targeting question designed to return Tanium Clients on Windows that have not been upgraded to the latest version.
Packages	Update Tanium Client <version>	Files: SetupClient.exe, set-service-permissions-back-to-default.vbs Command: cmd /c start /B "" cmd /c "cscript.exe set-service-permissions-back-to-default.vbs & net stop "Tanium Client" & net stop "TaniumClient" & taskkill /f /im taniumclient.exe & SetupClient.exe /S & net start "Tanium Client" & net start "TaniumClient"" Timeout: 900
Sensors	Client Brand	Use to fine-tune a targeting question.
Scheduled actions	Update Any Tanium Client to <version>	By default, runs every hour and is distributed over 15 minutes.

To upgrade Windows clients, see Upgrading Tanium Clients.

Client Service Hardening

The Client Service Hardening content pack includes saved questions, packages, and scheduled actions that you can use to restrict how the Tanium Client can be accessed from the local Windows system.

The Tanium Client installs as a normal application on Windows. While the protocols used to communicate with the Tanium Server and peer clients are designed to be secure and prevent rogue sensors or actions, it is still imperative that the Tanium Client itself be protected from an attacker or just a tinkering end user.

Table 2:   Client Service Hardening content pack

Content	Object name	Description
Categories	Client Service Hardening	Contains dashboards related to this content.
Dashboards	Control Service State Permissions	Controlling which accounts have permissions to start and stop services is often the first, and most effective, way you can protect the integrity of your Tanium Client deployment. Many organizations have given some or all of their end users permissions to be a local administrator. For this reason, Tanium typically recommends you restrict service control to the local SYSTEM account instead.
	Set Client Directory Permissions	Default permissions allow several user types to view or modify files in the Tanium Client directory. While this does not mean that an attacker could cause the agent to run sensors or packages that were not issued by the Tanium Server, because these actions are digitally signed, it could lead to performance issues or extra bandwidth consumption while the information is re-synchronized. Setting the file system permissions to SYSTEM is recommended.
	Hide From Add-Remove Programs	Controlling whether or not the Tanium Client is viewable in the Add/Remove Programs or simply Programs menu does not directly affect the security of the agent by itself. A user with permissions to uninstall an application would also be able to launch the uninstall manually. This is a useful layer that will help reduce accidental uninstallations and preempt the more inquisitive end users from trying to tamper with the agent. Hiding the client from Add/Remove Programs is considered a best practice and should be used alongside of regular audits of unmanaged assets to look for systems with missing or non-functioning agents.
Saved questions	Tanium Client Service Control Permissions	Get Tanium Client Service Control Status containing "Service Control" from all machines with Tanium Client Service Control Status containing "Service Control"
	Tanium Client Directory Permissions	Get Tanium Client Directory Permissions from all machines
	Tanium Client Visible in Add-Remove Programs	Get Tanium Client Uninstall Hidden containing "No" from all machines with Tanium Client Uninstall Hidden containing "No"
	Tanium Client Hidden From Add-Remove Programs	Get Tanium Client Uninstall Hidden containing "Yes" from all machines with Tanium Client Uninstall Hidden containing "Yes"
Scheduled actions	Control Service State Permissions	Grant permission to start/stop Tanium Client service to only the local administrator or local system account.
	Hide From Add-Remove Programs	Hide the Tanium Client from the Windows Add-Remove Programs list.
Packages	Client Service Hardening - Allow Only Local Admins to Control Service	Files: allow-only-admins-to-control-service.vbs Command: cmd /c cscript.exe allow-only-admins-to-control-service.vbs Timeout: 900
	Client Service Hardening - Allow Only Local SYSTEM to Control Service	Files: allow-only-local-system-to-control-services.vbs Command: cmd /c cscript.exe allow-only-local-system-to-control-services.vbs Timeout: 600
	Client Service Hardening - Reset permissions on Tanium Client directory	Files: reset_directory_permissions.vbs Command: cmd /c cscript //T:60 reset_directory_permissions.vbs Timeout: 600
	Client Service Hardening - Set SYSTEM only permissions on Tanium Client directory	Files: modify_directory_permissions.vbs Command: cmd /c cscript //T:60 modify_directory_permissions.vbs Timeout: 600
	Client Service Hardening - Set Service Permissions to Defaults	Files: set-service-permissions-back-to-default.vbs Command: cmd /c cscript.exe set-service-permissions-back-to-default.vbs Timeout: 600
	Client Service Hardening - Hide Client from Add-Remove Programs	File: hide-client-from-add-remove.vbs Command: cmd /c cscript.exe hide-client-from-add-remove.vbs Timeout: 600
	Client Service Hardening - Show Client in Add-Remove Programs	Files: show-client-in-add-remove-programs.vbs Command: cmd /c cscript.exe show-client-in-add-remove-programs.vbs Timeout: 600
Sensors	Tanium Client Directory Permissions	Returns the current status of the Tanium Client directories permissions and if they have been set as restricted to SYSTEM. Example: Restricted - SYSTEM
	Tanium Client Service Control Status	Returns whether the Tanium Client service has special permissions set such that regular users, or non-SYSTEM users, can control the service. Example: Service Control Restricted to Administrators
	Tanium Client Uninstall Hidden	Returns whether the Tanium Client is hidden from the Add-Remove programs list. Example: Yes

The following workflow shows how to use the Client Service Hardening content pack to hide the Tanium Client from the Windows Add-Remove Programs list:

1. Go to Tanium Solutions, scroll to the Tanium Content table, select the Client Service Hardening solution, and click Import Solution.
2. Review the list of content objects and click Import.
3. Go to Interact > Categories and browse to Client Service Hardening.
4. Click a question to drill into the saved question page for it.
5. Select the appropriate results row and click Deploy Action to display the configuration page.
6. Verify the package and action details and then scroll down to preview the action.
7. Click Deploy Action to initiate the action.

The page reloads to display the Action Summary.


8. Review the status to confirm expected results.