Impact requirements

Review the requirements before you install and use Impact.

Tanium dependencies

Make sure that your environment meets the following requirements.

Component Requirement
Tanium™ Core Platform 7.4 or later
Tanium™ Client 7.2.314.2311 or later 7.4 or later
Tanium products Modules at the following minimum versions are required:
  • Tanium™ Interact 2.2.3 or later
  • Tanium™ Endpoint Configuration 1.0 or later (installed as part of Tanium Client Management 1.5.3 or later) is required for tools deployment and optionally approving configuration changes.

The following modules are optional, but Impact requires the specified minimum versions to work with them:

  • Tanium Trends 3.6.323 or later (optional)

Tanium™ Module Server

Impact is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Impact.

| Operating system | OS version |
| --- | --- |
| Microsoft Windows Server | Microsoft Windows Server 2008 R2 (SP1) and later |
| Microsoft Windows Workstation | Microsoft Windows 7 (SP1) and later |

Third-party software

Impact is supported for use with:

  • Active Directory Domain Services that are running on any version of Microsoft Windows Server that is currently supported by Microsoft.
  • Azure Active Directory Domain Services

For supported versions, see Microsoft: Search product lifecycle.

Impact uses Security Identifiers (SIDs) and the Tanium Architecture for Active Directory queries. Because of this structure, the number of queries to the domain controller is low and the overall network traffic generated by Impact is minimal. For more information about this process, see Collect and analyze data.

Active Directory user account

The service account that you specify for Impact is not used for Active Directory queries.

Impact uses the user account that you specify when you configure the connection to domains for Active Directory queries. This user should have limited access. You can specify any user, but if you modified the standard user permissions from the default settings, the user must meet the following minimum requirements so that Impact has access to read attribute data from Active Directory:

  • Member of the Domain Users group
  • Permission to read the objectSID attribute from the domain object in the configured domains
  • Permission to read the objectSID attribute on all users, groups, and computers in the configured domains
  • Permission to Read members on all groups in the configured domains
  • (Optional, best practice) Assign List Contents and Read all properties access on all objects in the configured domains, including the domain object.
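
One way to check a candidate connection account against the minimum requirements above, as an added example that is not Tanium code: run your own LDAP searches while bound as that account, then pass the returned entries to `audit`. The entry shape (`dn`, `kind`, `attrs`), the function names and the sample data are assumptions constructed for illustration.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value (as LDAP returns it) to S-1-... text."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def audit(entries):
    """Return (dn, problem) findings for attributes the bind account could not read.

    Active Directory omits attributes the caller is not allowed to read, so a
    user, group, computer or domain entry returned without objectSid points to
    a missing read permission.
    """
    findings, groups, groups_with_member = [], 0, 0
    for e in entries:
        raw = e["attrs"].get("objectSid")
        if raw is None:
            findings.append((e["dn"], "objectSid not returned"))
        else:
            try:
                sid_to_str(raw)
            except ValueError:
                findings.append((e["dn"], "objectSid malformed"))
        if e["kind"] == "group":
            groups += 1
            groups_with_member += bool(e["attrs"].get("member"))
    # An empty group also has no member attribute, so only flag the case
    # where no sampled group returned any members at all.
    if groups and not groups_with_member:
        findings.append(("*", "member not returned on any sampled group"))
    return findings

def _sid(*subs):
    """Build a constructed binary SID (revision 1, authority 5) for the sample."""
    return (struct.pack(">BB", 1, len(subs)) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

DOMAIN = (21, 1111, 2222, 3333)  # constructed domain identifier
SAMPLE = [  # constructed entries; "kind" is assigned by the caller from objectClass
    {"dn": "DC=example,DC=test", "kind": "domain", "attrs": {"objectSid": _sid(*DOMAIN)}},
    {"dn": "CN=alice,DC=example,DC=test", "kind": "user", "attrs": {"objectSid": _sid(*DOMAIN, 1104)}},
    {"dn": "CN=ws01,DC=example,DC=test", "kind": "computer", "attrs": {}},
    {"dn": "CN=Domain Admins,DC=example,DC=test", "kind": "group", "attrs": {"objectSid": _sid(*DOMAIN, 512)}},
]
```

An empty result from `audit` on a sample that includes the domain object, users, computers and at least one populated group indicates that the account can read the attributes listed above.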

Host and network security requirements

Specific ports and processes are needed to run Impact.

Ports

The following ports are required for Impact communication.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Module Server Tanium as a Service | Active Directory Server | 389 / 636 | LDAP / LDAPS | Connecting to the Active Directory server. |
| Module Server Tanium as a Service | Active Directory Global Catalog Server | 3268 / 3269 | LDAP / LDAPS | Required only when connecting to the Active Directory Global Catalog server. |

For more information, see Configure connections to domains.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Table 1:   Impact security exclusions
Target Device Notes Process
Module Server   <Module Server>\services\impact-service\TaniumImpactService.exe
  <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints   <Tanium Client>\Python38\TPython.exe
  <Tanium Client>\Python38\*.dll

User role requirements

The following tables list the role permissions required to use Impact. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Table 3:   Impact user role permissions
Permission | Impact Administrator⁴ | Impact Operator⁴ | Impact Service Account²,⁴ | Impact User⁴ | Impact Endpoint Configuration Approver³,⁴

Show Impact¹

View the Impact workbench

Impact Service Account

Perform Impact service account tasks

Impact Service Account Write

Update the Impact service account

Impact Service Account Read

View the Impact service account

Impact Domains Write

Create and edit Impact domains

Impact Domains Read

View Impact domains

21 2

Impact Sync Start

Start the Impact synchronization

Impact Sync Status Read

View the Impact synchronization status

Impact Shortest Path Read

View the shortest path graphs

Impact Asset Impact Read

View the impact rating for assets

Impact Asset Details Read

View the details for an asset

Impact Asset Items Read

View the items for an asset

Impact Support Bundle Read

View the Impact support bundle

Impact Endpoint Configuration Approve

Allows users to approve Endpoint Configuration items for Impact

1 To install Impact, you must have the reserved role of Administrator.

2 This role provides Tanium Data Service permissions (through Interact). You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see the Tanium Interact User Guide: User role requirements.

3 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

4 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.


Table 4:   Provided Impact Micro Admin and Advanced user role permissions
Permission Role Type Content Set for Permission Impact Administrator Impact Operator Impact Service Account Impact User Impact Endpoint Configuration Approver
Read User Micro Admin Default
Write Action Group Micro Admin Default
Read Action Group Micro Admin Default
Read Sensor Advanced Reserved
Read Sensor Advanced Default
Read Sensor Advanced Client Management
Read Sensor Advanced Base
Read Sensor Advanced Interact
Read Sensor Advanced Impact
Read Sensor Advanced Core Content
Read Plugin Advanced Reserved
Read Plugin Advanced Impact
Read Plugin Advanced Endpoint Configuration
Execute Plugin Advanced Reserved
Execute Plugin Advanced Impact
Execute Plugin Advanced Endpoint Configuration
Read Own Action Advanced Impact
Read Action Advanced Impact
Write Action Advanced Impact
Read Package Advanced Impact
Show Preview Advanced Impact