Getting started with policies

Perform the following tasks to get started with Enforce policies.

Upload Anti-malware

Anti-malware policies require that either SCEP or Windows Defender is installed on endpoints. When SCEP installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.

From the Enforce Overview page, click Settings and then click Anti-Malware. Review settings to determine if you should modify them.

Microsoft System Center Endpoint Protection (SCEP) Installation

You can choose one of the following installations:

  • Disable SCEP Installation: This is the default state. Leave disabled if you are creating Anti-malware SCEP rules and already have SCEP installed on your endpoints.
  • Enable SCEP Installation: Use this option to automatically install SCEP on endpoints that do not support Windows Defender. After it is enabled, click Choose File or Update File to upload an installer file.

The Microsoft System Center Configuration Manager includes the SCEP client installation file.

For more information about SCEP, see Microsoft Technet: Endpoint Protection.

If Enforce has an issue with an anti-malware definition, an error is displayed next to the definition in the Anti-Malware Definitions Status section of the Health tab on the Enforce Anti-Malware page. View the error reason from the Anti-Malware tab of the Enforce Settings.

Action Lock Override

You can override action locks on endpoints for anti-malware enforcements. For more information about action locks, see Tanium Console User Guide: Managing action locks.

To override action locks for anti-malware enforcements:

  1. From the Enforce Overview page, click Settings.
  2. In the General tab, enable the Anti-Malware Override check box.

Managed Anti-Malware definitions download URLs

Windows Anti-malware policies can use Tanium to download and distribute Windows Anti-malware definitions.

You can choose one of the following options:

  • Automatically retrieve definitions from Microsoft: This is the default setting. Definitions are downloaded from Microsoft.
  • Download definitions from custom URLs: Use this option if your network cannot reach Microsoft and you want to host the definition files on a local server; specify that server's URL.

The URLs listed in the Managed Anti-Malware Definitions Download URLs section of the Anti-Malware tab in the Enforce Settings specify the Microsoft links that Enforce uses to download definitions. See Internet URLs.

For more information, see Create an Anti-malware policy.

Set defaults for AppLocker

From the Enforce Overview page, click Settings and then click AppLocker to access the AppLocker settings.

In AppLocker settings, you can select a Rule Template and define default Allow and Deny rules. A rule template contains the default AppLocker rules that are included automatically in any AppLocker policy you create. The rule template includes Allow and Deny rules to specify which files are allowed to run or are blocked. You can modify these rules in individual policies as needed. You must include at least one Allow rule.

AppLocker Deny rules take precedence over AppLocker Allow rules. For more information, see Microsoft: Understanding AppLocker allow and deny actions on rules.

Block List rule template

The Block List rule template allows Everyone to run all applications through the (Default Rule) All files allow rule. This rule is the only rule that is included in this rule template by default. Define the specific applications you want to block by adding Deny rules.

You cannot delete or modify the (Default Rule) All files allow rule in this rule template because this rule template is intended to allow all files to run except those that you specifically block through a Deny rule.

The Block List rule template is the default rule template used in Enforce until you change it.

Allow List rule template

The Allow List rule template, by default, allows only applications that Administrators run, or that are run out of these folders:

  • All files located in the Program Files folder: applies to Everyone
  • All files located in the Windows folder: applies to Everyone
  • All files: applies to Administrators

The default rules in the Allow List rule template are based on the Windows AppLocker default rules. For more information, see Microsoft: Understanding AppLocker default rules.

If you choose to enforce the default Allow List rule template, you might block applications unintentionally. The Allow List rule template blocks applications without explicitly listing the applications. For example, a program being run by a user out of that user’s profile directory is blocked. For best results, deploy allow list policies initially in Audit Only mode until audit reports can be reviewed and the intended results are confirmed. See AppLocker policies workflow for an example workflow.

The Tanium Client uses BAT, EXE, and VBS files. Be sure that you do not block files in the Tanium Client directory, because doing so might break client functions.

Add to the existing default rules to allow or deny applications rather than modifying the default rules. Test any modifications in audit mode first to ensure that they are running as intended before you switch to blocking mode.

When you edit a block list or allow list template, it becomes a custom template.

Custom rule template

Use the Custom rule template to create your own template. This rule template does not contain any rules by default.

You can customize any of these rule templates by adding additional Allow rules or Deny rules. Click Save to save your changes. To go back to the original default settings, click Restore to Default.

Create Default AppLocker rules

Use rule exceptions to specify files or folders to exclude from a default AppLocker rule. You can create default executable rules, default Windows installer rules, and default script rules.

  1. Expand a category: Default Executable Rules, Default Windows Installer Rules, or Default Script Rules and select a template: Allow List, Block List, Custom.
  2. Click Create to add a new default rule. Each rule type contains the same configuration fields.
    1. Enter a Name for the rule.
    2. Select a type: Hash, Path, Publisher.
    3. For Hash, provide the Hash and optional File Size (bytes). Optionally, click the + sign to add another hash rule.
    4. For Path, provide the full path or file name in the Path field.
    5. For Publisher, provide the Publisher, Product Name, and File Name. In the File Version field, use the dropdown list to indicate whether you want earlier or later versions included or only the exact version you specify. You can use the * character as a wildcard character in any of these values.
  3. In the Windows User section, select whether this rule applies to Everyone or only Administrators.
  4. Click Save for the rule.
  5. Click Create for the policy.
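The template and precedence behaviour described above, as an added example that is not Tanium's or Enforce's own code: a small Python model of AppLocker rule evaluation in which Deny rules win over Allow rules, Administrators-only rules are skipped for standard users, and a file that matches no Allow rule is blocked. The three rule types (Hash, Path, Publisher) use * as a wildcard; the rule names, user, hash and path values are constructed for illustration and do not reflect how Enforce stores rules.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "Allow" or "Deny"
    kind: str               # "Path", "Hash" or "Publisher" (the three rule types)
    value: str              # path pattern, file hash, or publisher string; * is a wildcard
    user: str = "Everyone"  # "Everyone" or "Administrators"


def matches(rule, path, sha256, publisher, is_admin):
    """True if the rule applies to this user and this file (case-insensitive)."""
    if rule.user == "Administrators" and not is_admin:
        return False
    if rule.kind == "Path":
        return fnmatchcase(path.lower(), rule.value.lower())
    if rule.kind == "Hash":
        return sha256.lower() == rule.value.lower()
    return fnmatchcase(publisher.lower(), rule.value.lower())


def evaluate(rules, path, sha256="", publisher="", is_admin=False):
    """Deny rules take precedence over Allow rules; a file matching no Allow rule is blocked.
    Assumes the template holds at least one Allow rule, as the page requires."""
    hits = [r for r in rules if matches(r, path, sha256, publisher, is_admin)]
    if any(r.action == "Deny" for r in hits):
        return "Blocked"
    return "Allowed" if any(r.action == "Allow" for r in hits) else "Blocked"


# Block List template: everything runs unless a Deny rule is added.
BLOCK_LIST = [Rule("(Default Rule) All files", "Allow", "Path", "*")]

# Allow List template: only Program Files, the Windows folder, and anything for Administrators.
ALLOW_LIST = [
    Rule("(Default Rule) Program Files", "Allow", "Path", r"C:\Program Files*\*"),
    Rule("(Default Rule) Windows folder", "Allow", "Path", r"C:\Windows\*"),
    Rule("(Default Rule) All files", "Allow", "Path", "*", "Administrators"),
]

# Constructed sample: a tool run from a user's profile directory (not under Program Files or Windows).
PROFILE_TOOL = r"C:\Users\alice\AppData\Local\Temp\tool.exe"

if __name__ == "__main__":
    print("Allow List, standard user:", evaluate(ALLOW_LIST, PROFILE_TOOL))                 # Blocked
    print("Allow List, administrator:", evaluate(ALLOW_LIST, PROFILE_TOOL, is_admin=True))  # Allowed
    print("Block List, standard user:", evaluate(BLOCK_LIST, PROFILE_TOOL))                 # Allowed
    deny_temp = Rule("Block Temp folder", "Deny", "Path", r"C:\Users\*\AppData\Local\Temp\*")
    print("Block List + Deny rule:", evaluate(BLOCK_LIST + [deny_temp], PROFILE_TOOL))     # Blocked
```

Running the model against paths your endpoints actually execute from (for example the Tanium Client directory) is a quick way to preview what an Allow List template would block before you leave Audit Only mode.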

Configure Endpoint Encryption settings

Install Shared Services

Tanium BitLocker and FileVault policies require the installation of shared services. A checklist displays in the Endpoint Encryption tab of the Enforce Settings to show you the status of each of the required services. See Tanium dependencies for shared service version requirements.

  1. The End-User Notifications service must be installed and the End-User Notifications package must be pushed out to endpoints where the BitLocker policy is enforced.
  2. The Direct Connect service must be installed and the Direct Connect package must be pushed out to endpoints where the BitLocker policy is enforced.
  3. Core Content must be installed and pushed out to endpoints.

You can create disk encryption policies even if one or more of these components are not in place, but the policy is not successfully enforced until the entire configuration is on the endpoint.

Specify the Encryption Key

Before you create a BitLocker or FileVault policy, you must specify the Key Encryption Key:

  1. From the Enforce Overview page, click Settings and then click Endpoint Encryption.
  2. Click Generate Key.
  3. Click Save Key to copy the key to the clipboard. Then store it outside of the Tanium Console for safekeeping. In a disaster recovery scenario, you must use this key.


Endpoint encryption recovery database

Before you create endpoint encryption policies, you must configure a database to store the recovery keys. This database can be hosted on the Tanium Module Server or it can be a separate database you set up and configure.

Choose where to host the database:

  • Tanium Module Server hosted - If you choose to host the database on the Tanium Module Server, you must agree to back up the database by selecting the check box. No further configuration is required.

    The database files are located in the Tanium\Tanium Module Server\services\enforce-services-files\postgresql directory. For more information about backup instructions, see Tanium Platform Deployment Guide: Back up Tanium Core Platform servers and databases.

  • Self-hosted - If you choose to host the database on your own server, you must configure it as follows:

Self-hosted recovery key database requirements

Requirements for Postgres and Microsoft SQL Server databases.

  • CPU: 4 Cores
  • RAM: 8 GB
  • Hard Drive: 80 GB

Configure the self-hosted encryption database

  • You must first generate and save the key encryption key as detailed in Specify the Encryption Key.
  • Select a database server type: Postgresql or Microsoft SQL Server.

Connect to postgresql

The following information is used to connect to your Postgresql database.

The provided database must be SSL enabled.

  1. Enter the database server Host Name.
  2. Enter the Port number.
  3. Enter the User name and Password to sign in to the database.
  4. Enter the Database name.
  5. Click Choose File to upload the Postgres server certificate file and then click Save.
    This file is used to securely connect the recovery portal to the Postgres database to retrieve lost keys.

Connect to Microsoft SQL server

The following information is used to connect to your Microsoft SQL server database.

The provided database must be SSL enabled.

  1. Enter the database server Host Name.
  2. Enter the Port number.
  3. Enter the User name to sign in to the database.
  4. Enter the Password to sign in to the database.
  5. (Optional) Provide the Domain name of the database server.
  6. Enter the Database name and then click Save.

See Create a BitLocker policy or Create a FileVault policy for further instructions.

Optionally, you can configure a self-service recovery portal that users can access if they forget their PIN or password. See Reference: Encryption management recovery portal.

Manage Windows device classes and devices

From the Enforce Overview page, click Settings and go to Device Control to manage the global list of Windows device classes and devices for use with Windows device control policies.

Device Classes

The list includes the predefined device classes that are provided by Microsoft and any additional device classes that were added, either from this page or through a device control policy. Click Device Classes to manage the global list of device classes.

  • Use the sort menu to sort the list by Name, Type, or Associated Policy.
  • Use the Filter by name field to filter the list by a specific name.
  • Click Create to add a custom device class to the global list.
  • You can edit or delete custom device classes:
    • Select a custom device class and click Edit to update the configuration for that device class.
    • Select a custom device class and click Delete to delete that device class.

Only custom device classes can be modified or deleted. You cannot modify or delete the default device classes. Changes that are made to device classes through the global list are pushed out to all policies that reference the device class. If you delete a device class, it is removed from all policies where it is referenced.

Devices

This list includes devices that were added from this page or through a device control policy. Click Devices to manage the global list of devices.

  • Use the sort menu to sort the list by Name or Associated Policy.
  • Use the Filter by name field to filter the list by a specific name.
  • Click Create to add a new device to the global list.
  • Select a device and click Edit to update the configuration for that device.
  • Select a device and click Delete to delete that device.

Changes that are made to devices through the global list are pushed out to all policies that reference the device. If you delete a device, it is removed from all policies where it is referenced.

See Create a Windows device control policy for further instructions.

Next steps

Create Policies

Configure Windows administrative policies for computer groups. See Creating policies.

Enforcements

After policies are configured, create enforcements to apply them to endpoints. See Enforcing policies.