Impact requirements

Review the requirements before you install and use Impact.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium™ Core Platform servers: 7.4 or later

  • Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.

    If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Solution dependencies

Other Tanium solutions are required for Impact to function (required dependencies) or for specific Impact features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Impact dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Impact requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Impact, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select only Impact to import, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Impact has the following required dependencies at the specified minimum versions:

Feature-specific dependencies

Impact has the following feature-specific dependencies at the specified minimum versions:

  • Tanium Connect 5.8.54 or later is required to send Impact data to destinations.
  • Tanium™ Direct Connect 2.3 or later is required to run satellite synchronizations.
  • Tanium Threat Response 2.5.1 or later is required to display Impact ratings for alerts in Threat Response.
  • Tanium Trends 3.6.323 or later to view the Impact Trends board.

Client extensions

Tanium Endpoint Configuration installs client extensions for Impact on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Impact functions:

  • Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
  • Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
  • DEC CX - Provides a direct connection between endpoint and Module ServerTanium Cloud. Tanium Direct Connect installs this client extension. This is a feature-specific dependency for Impact satellite synchronization.

Tanium™ Module Server

Impact is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Impact.

Operating system OS version Notes
Microsoft Windows Server Microsoft Windows Server 2008 R2 (SP1) and later Windows Server 2008 R2 SP1 requires Microsoft KB2758857.
Microsoft Windows Workstation Microsoft Windows 7 (SP1) and later Windows 7 Service Pack 1 requires Microsoft KB2758857.

Third-party software

Impact is supported for use with:

  • Active Directory Domain Services that are running on any version of Microsoft Windows Server that is currently supported by Microsoft.
  • Azure Active Directory Domain Services

For supported versions, see Microsoft: Search Product and Services Lifecycle Information.

You can synchronize Impact with Active Directory in two different ways: service or satellite. As a best practice, use the satellite synch, which connects Tanium™ Cloud to an endpoint that behaves as a satellite to enable communication with the Active Directory server. With service, Tanium Cloud connects to the Active Directory server through proxy access. If you use the service type, consider the following:

Impact uses Security Identifiers (SIDs) and the Tanium Architecture for Active Directory queries. Because of this structure, the number of queries to the domain controller are low and the overall network traffic generated by Impact is minimal. For more information about this process, see Collect and analyze dataCollect and analyze data.

Active Directory user account

The service account that you specify for Impact is not used for Active Directory queries.

Impact uses the user account that you specify when you configure the connection to domains for Active Directory queries. This user should have limited access. You can specify any user, but if you modified the standard user permissions from the default settings, the user must meet the following minimum requirements so that Impact has access to read attribute data from Active Directory:

  • Member of the Domain Users group
  • Permission to read the objectSID attribute from the domain object in the configured domains
  • Permission to read the objectSID attribute on all users, groups, and computers in the configured domains
  • Permission to Read members on all groups in the configured domains
  • (Optional, best practice) Assign List Contents and Read all properties access on all objects in the configured domains, including the domain object.

Host and network security requirements

Specific ports and processes are needed to run Impact.

Ports

The following ports are required for Impact communication.

Source Destination Port Protocol Purpose
Module Server Tanium Cloud or satellite Active Directory Server 389 / 636 LDAP / LDAPS Connecting to the Active Directory server.
Module Server Tanium Cloud or satellite Active Directory Global Catalog Server 3268 / 3269 LDAP / LDAPS Required only when connecting to the Active Directory Global Catalog server.

For more information, see Configure connections to domainsConfigure connections to domains.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Impact security exclusions
Target Device Notes Exclusion Type Exclusion
Module Server   Process <Module Server>\services\impact-service\TaniumImpactService.exe
  Process <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
  Windows endpoints   Process <Tanium Client>\Python38\TPython.exe
  Folder <Tanium Client>\Python38
  Process <Tanium Client>\TaniumCX.exe
  Process <Tanium Client>\TaniumClientExtensions.dll
  Process <Tanium Client>\TaniumClientExtensions.dll.sig
When Direct Connect is installed; satellite synch only Process <Tanium Client>\extensions\TaniumDEC.dll
When Direct Connect is installed; satellite synch only Process <Tanium Client>\extensions\TaniumDEC.dll.sig
Impact security exclusions
Target Device Notes Exclusion Type Exclusion
Windows endpoints   Process <Tanium Client>\Python38\TPython.exe
  Folder <Tanium Client>\Python38
  Process <Tanium Client>\TaniumCX.exe
  Process <Tanium Client>\TaniumClientExtensions.dll
  Process <Tanium Client>\TaniumClientExtensions.dll.sig
When Direct Connect is installed; satellite synch only Process <Tanium Client>\extensions\TaniumDEC.dll
When Direct Connect is installed; satellite synch only Process <Tanium Client>\extensions\TaniumDEC.dll.sig

User role requirements

The following tables list the role permissions required to use Impact. To review a summary of the predefined roles, see Set up Impact users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Impact user role permissions
Permission Impact Administrator3 Impact Operator31 Impact Service Account1,2,3,4 Impact User31 Impact Endpoint Configuration Approver2

Impact

View the Impact workbench


SHOW

SHOW

SHOW1

Impact Asset Details

View the details for an asset


READ

READ

READ

Impact Asset Impact

View the impact rating for assets


READ

READ

READ

Impact Asset Items

View the items for an asset


READ

READ

READ

Impact Domains

View, create and edit Impact domains


READ
WRITE

READ
WRITE

Impact Service

Allows users to configure the Impact service


CONFIGURE

Impact Service Account

View and update the Impact service account; perform Impact service account tasks


READ
WRITE

READ
WRITE
EXECUTE

Impact Settings

View and edit Impact settings


READ
WRITE

READ
WRITE

READ
WRITE

Impact Shortest Path

View the shortest path graphs


READ

READ

READ

Impact Support Bundle

View the Impact support bundle


READ

Impact Sync

Start the Impact synchronization


START

START

Impact Sync Status

View the Impact synchronization status


READ

READ

READ

1 This role provides Tanium Data Service permissions (through Interact). You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

21 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements.

31 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

4 If you installed Tanium Client Management, Endpoint Configuration is installed, and by default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

5This role provides satellite permissions (through Tanium Direct Connect). For more information, see Tanium Direct Connect User Guide: User role requirements.


Provided Impact administration and platform content permissions
Permission Permission Type Impact Administrator1 Impact Operator1 Impact Service Account1 Impact User1 Impact Endpoint Configuration Approver
Action Group Administration
READ
WRITE
User Administration
READ

READ
Action Platform content
READ
WRITE
Own Action Platform content
READ
Package Platform content
READ
Plugin Platform content
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
Sensor Platform content
READ

You can view which content sets are granted to any role in the Tanium Console.

1 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.