Review the requirements before you install and use Impact.
Make sure that your environment meets the following requirements.
|Tanium™ Core Platform||7.4 or later|
|Tanium™ Client||Any supported Tanium Client version for Windows endpoints. For specific client versions, see Tanium Client User Guide: Requirements.|
|Tanium products||Modules at the following minimum versions are required:
Impact is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.
Supported operating systems
The following endpoint operating systems are supported with Impact.
|Operating system||OS version|
|Microsoft Windows Server||Microsoft Windows Server 2008 and later|
|Microsoft Windows Workstation||Microsoft Windows 7 and later|
Impact is supported for use with:
- Active Directory Domain Services that are running on any version of Microsoft Windows Server that is currently supported by Microsoft
- Azure Active Directory Domain Services
For supported versions, see Microsoft: Search product lifecycle.
Impact uses Security Identifiers (SIDs) and the Tanium Architecture for Active Directory queries. Because of this structure, the number of queries to the domain controller is low and the overall network traffic generated by Impact is minimal.
The service account that you specify for Impact is not used for Active Directory queries.
Impact uses the user account that you specify when you configure the connection to domains for Active Directory queries. This user should have limited access. You can use any user, but if you modified the standard user permissions from the default settings, the user must meet the following minimum requirements so that Impact has access to read attribute data from Active Directory:
- Member of the Domain Users group
- Permission to read the objectSID attribute from the domain object in the configured domains
- Permission to read the objectSID attribute on all users, groups, and computers in the configured domains
- Permission to Read members on all groups in the configured domains
(Optional, best practice) Assign List Contents and Read all properties access on all objects in the configured domains, including the domain object.
Specific ports and processes are needed to run Impact.
The following ports are required for Impact communication.
|Module Server||Active Directory Server||389 / 636||LDAP / LDAPS||Connecting to the Active Directory server.|
|Module Server||Active Directory Global Catalog Server||3268 / 3269||LDAP / LDAPS||Required only when connecting to the Active Directory Global Catalog server. For more information, see Configure connections to domains.|
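One way to spot-check the port requirements and the minimum account permissions listed above, from the Module Server host. This is an added example, not Tanium code or tooling from this guide; the server name, base DN and sample size are placeholders, and it assumes PowerShell 5.1 or later and an LDAPS connection on port 636.

```powershell
# Added example, not Tanium code. Run on the Module Server host.
Add-Type -AssemblyName System.DirectoryServices
$Server = 'dc01.example.test'    # placeholder: domain controller name
$BaseDn = 'DC=example,DC=test'   # placeholder: DN of the configured domain
$Cred   = Get-Credential         # account used for the Impact domain connection

# 1. Ports from the table: 389/636 (LDAP/LDAPS), 3268/3269 (Global Catalog).
foreach ($port in 389, 636, 3268, 3269) {
    $t = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
    '{0,-5} reachable: {1}' -f $port, $t.TcpTestSucceeded
}

# 2. Bind over LDAPS (assumed here) as the configured account.
$auth = [System.DirectoryServices.AuthenticationTypes]'Secure, SecureSocketsLayer'
$root = [System.DirectoryServices.DirectoryEntry]::new(
    "LDAP://${Server}:636/$BaseDn", $Cred.UserName,
    $Cred.GetNetworkCredential().Password, $auth)

# 3. Sample objects and count how many return the attribute. Active Directory
#    silently omits attributes the caller cannot read, so Readable < Sampled
#    (or Sampled = 0 on a populated domain) points to a missing read permission.
function Test-AttributeRead {
    param([string]$Filter, [string]$Attribute, [string]$Scope = 'Subtree')
    $s = [System.DirectoryServices.DirectorySearcher]::new(
        $root, $Filter, [string[]]@($Attribute))
    $s.SearchScope = $Scope
    $s.SizeLimit   = 25            # small sample; this is a spot check
    $hits = @($s.FindAll())
    $readable = @($hits | Where-Object {
        $_.Properties[$Attribute.ToLower()].Count -gt 0 }).Count
    [pscustomobject]@{ Filter = $Filter; Attribute = $Attribute
                       Sampled = $hits.Count; Readable = $readable }
}

Test-AttributeRead '(objectClass=*)' 'objectSid' 'Base'                      # domain object
Test-AttributeRead '(&(objectCategory=person)(objectClass=user))' 'objectSid'
Test-AttributeRead '(objectCategory=group)' 'objectSid'
Test-AttributeRead '(objectCategory=computer)' 'objectSid'
# Filtering on member also fails to match when member is unreadable.
Test-AttributeRead '(&(objectCategory=group)(member=*))' 'member'
```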
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.
|Module Server (Windows)||<Module Server>\services\impact-service\TaniumImpactService.exe|
|Windows endpoints||<Tanium Client>\Python38\TPython.exe|
The following tables list the role permissions required to use Impact. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.
|Permission||Impact Administrator||Impact Service Account||Impact User|
View the Impact workbench
|Impact Service Account (3): Perform Impact service account tasks|
|Impact Service Account Write: Update the Impact service account|
|Impact Service Account Read: View the Impact service account|
|Impact Domains Write: Create and edit Impact domains|
|Impact Domains Read: View Impact domains|
|Impact Sync Start: Start the Impact synchronization|
|Impact Sync Status Read: View the Impact synchronization status|
|Impact Shortest Path Read: View the shortest path graphs|
|Impact Asset Impact Read: View the impact rating for assets|
|Impact Asset Details Read: View the details for an asset|
|Impact Asset Items Read: View the items for an asset|
|Impact Support Bundle Read: View the Impact support bundle|
1 To install Impact, you must have the reserved role of Administrator.
2 Denotes a provided permission.
3 Also provides the Interact Data Collection Registration Read, Data Collection Registration Write, and Data Collection Start permissions.
|Permission||Role Type||Content Set for Permission||Impact Administrator||Impact Service Account||Impact User|
|Read User||Micro Admin||Default|
|Write Action Group||Micro Admin||Default|
|Read Action Group||Micro Admin||Default|
|Read Sensor||Advanced||Client Management|
|Read Sensor||Advanced||Core Content|
|Read Own Action||Advanced||Impact|
Last updated: 8/4/2020 3:32 PM