Directory Query requirements

Review the requirements before you use Directory Query.

Endpoints

Directory Query does not directly deploy packages to endpoints. For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.

Third-party software

Directory Query is supported for use with the following directories:

  • Active Directory Domain Services that are running on any version of Microsoft Windows Server that is currently supported by Microsoft.
  • Azure Active Directory Domain Services

For supported versions, see Microsoft: Search Product and Services Lifecycle Information.

You can synchronize Impact with Active Directory in two different ways: service or satellite. As a best practice, use the satellite sync, which connects Tanium™ Cloud to an endpoint that acts as a satellite and relays communication with the Active Directory server. With the service sync, Tanium Cloud connects to the Active Directory server through proxy access. If you use the service type, consider the following:

Active Directory user account

Directory Query uses the user account that you specify when you configure the connection to domains for Active Directory queries. Grant this account only limited access. You can specify any user, but if you modified the standard user permissions from the default settings, the user must meet the following minimum requirements so that Impact can read attribute data from Active Directory:

  • Member of the Domain Users group
  • Permission to read the objectSID attribute from the domain object in the configured domains
  • Permission to read the objectSID attribute on all users, groups, and computers in the configured domains
  • Permission to Read members on all groups in the configured domains
  • (Optional, best practice) Assign List Contents and Read all properties access on all objects in the configured domains, including the domain object.

Host and network security requirements

Specific ports and processes are needed to run Directory Query.

Ports

The following ports are required for Directory Query communication.

Source                     Destination                             Port   Protocol  Purpose
Tanium Cloud               Tanium Cloud (loopback)                 17515  TCP       Internal purposes, not externally accessible
Tanium Cloud or satellite  Active Directory Server                 636    LDAPS     Connecting to the Active Directory server
Tanium Cloud or satellite  Active Directory Global Catalog Server  3269   LDAPS     Required only when connecting to the Active Directory Global Catalog server

For more information, see Managing connections to directory servers.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
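As an added example (not from the Tanium documentation), the following PowerShell script, run from a Windows administration host, checks the two things this section and the Active Directory user account section require before you configure the connection: that the LDAPS port in the table is reachable, and that the account you plan to specify can read objectSid and group membership with the minimum permissions listed. The server name, domain DN and credential prompt are placeholders.

```powershell
# Added example, not from the Tanium documentation (Windows PowerShell 5.1 on a Windows host).
# Checks that the account to be configured for Directory Query (1) reaches the directory over
# LDAPS on the port from the requirements table and (2) can read what the minimum requirements
# list: objectSid on the domain object and on users, groups and computers, plus member on groups.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'dc01.example.internal'     # placeholder: a domain controller (or a Global Catalog server)
$Port   = 636                          # 636 for a DC; 3269 for a Global Catalog server
$BaseDn = 'DC=example,DC=internal'     # placeholder: distinguished name of the configured domain
$Cred   = Get-Credential -Message 'Directory Query service account (DOMAIN\user)'

# Reachability: the same TCP port the firewall service object must allow.
if (-not (Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet)) {
    throw "TCP $Port to $Server is not reachable; check the firewall rules for Tanium traffic."
}

# Bind as the service account. The simple bind is protected by TLS, and the server certificate is
# validated against the Windows trust store, so a failure here means the Directory Query connection
# would fail in the same way.
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port, $true, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $Cred.GetNetworkCredential(), 'Basic')
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()

function Test-ReadableAttribute {
    param([string]$Filter, [string]$Attribute, [string]$Scope, [string]$Label)
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new($BaseDn, $Filter, $Scope, [string[]]@($Attribute))
    $req.SizeLimit = 5    # a small sample is enough to show whether the read permission is effective
    try   { $resp = $conn.SendRequest($req) }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        if ($_.Exception.Response.ResultCode -ne 'SizeLimitExceeded') { throw }
        $resp = $_.Exception.Response    # sizeLimitExceeded still carries the partial result set
    }
    $hidden = @($resp.Entries | Where-Object { -not $_.Attributes.Contains($Attribute) })
    if ($resp.Entries.Count -eq 0) { "WARN  $Label : nothing returned (List Contents may be missing)" }
    elseif ($hidden.Count -gt 0)   { "FAIL  $Label : $($hidden.Count) of $($resp.Entries.Count) objects hide '$Attribute'" }
    else                           { "OK    $Label : '$Attribute' readable on all $($resp.Entries.Count) sampled objects" }
}

Test-ReadableAttribute '(objectClass=domainDNS)'          'objectSid' 'Base'    'domain object'
Test-ReadableAttribute '(objectClass=user)'               'objectSid' 'Subtree' 'users'
Test-ReadableAttribute '(objectClass=group)'              'objectSid' 'Subtree' 'groups'
Test-ReadableAttribute '(objectClass=computer)'           'objectSid' 'Subtree' 'computers'
# Only groups that have members: an empty group legitimately lacks the member attribute.
Test-ReadableAttribute '(&(objectClass=group)(member=*))' 'member'    'Subtree' 'group membership'
$conn.Dispose()
```

A FAIL line points at the object class whose read ACE the account lacks; a WARN on the domain object usually means List Contents is missing rather than the objectSid read permission itself.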

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

No additional process exclusions are required.

User role requirements

The following tables list the role permissions required to use Directory Query. To review a summary of the predefined roles, see Set up Directory Query users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Directory Query user role permissions
Permission                                                                         Directory Query Administrator¹  Directory Query Operator¹  Directory Query User¹
Directory Query Domains (Configure domains)                                        QUERY, READ, WRITE              QUERY, READ, WRITE         QUERY, READ
Directory Query Settings (Configure Directory Query service settings)              READ, WRITE                     READ, WRITE                READ
Directory Query Support Bundle (Generate and view Directory Query support bundle)  READ                            none                       none
Directoryquery (View the Directory Query workbench)                                SHOW                            SHOW                       SHOW

¹ This role provides module permissions for Tanium Direct Connect. For more information, see Tanium Direct Connect User Guide: User role requirements.

Provided Directory Query platform content permissions

Permission      Directory Query Administrator  Directory Query Operator  Directory Query User
Plugin          READ, EXECUTE                  READ, EXECUTE             READ, EXECUTE
Saved Question  READ                           READ                      READ
Sensor          READ                           READ                      READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.