Impact requirements

Review the requirements before you install and use Impact.

Tanium dependencies

Make sure that your environment meets the following requirements.

Component	Requirement
Tanium™ Core Platform	7.4 or later
Tanium™ Client	Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client User Guide: Client version and host system requirements. If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.
Tanium products	Modules at the following minimum versions are required: Tanium™ Interact 2.2.3 or later Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium™ Client Management 1.5 or later) The following modules are optional, but Impact requires the specified minimum versions to work with them: Tanium Trends 3.6.323 or later (optional)

Component

Requirement

Tanium™ Core Platform

7.4 or later

Tanium™ Client

Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client User Guide: Client version and host system requirements.

If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.

Tanium products

Modules at the following minimum versions are required:

Tanium™ Interact 2.2.3 or later
Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium™ Client Management 1.5 or later)

The following modules are optional, but Impact requires the specified minimum versions to work with them:

Tanium Trends 3.6.323 or later (optional)

Tanium™ Module Server

Impact is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

Endpoints

Supported operating systems

The following endpoint operating systems are supported with Impact.

Operating system	OS version	Notes
Microsoft Windows Server	Microsoft Windows Server 2008 R2 (SP1) and later
Microsoft Windows Workstation	Microsoft Windows 7 (SP1) and later	Windows 7 Service Pack 1 requires Microsoft KB2758857.

Third-party software

Impact is supported for use with:

Active Directory Domain Services that are running on any version of Microsoft Windows Server that is currently supported by Microsoft.
Azure Active Directory Domain Services

For supported versions, see Microsoft: Search product lifecycle.

The connection to the LDAP server must use LDAP over TLS (also referred to as secure LDAP or LDAPS). For steps to configure LDAPS in Azure Active Directory Domain Services, see Microsoft: Configure secure LDAP for an Azure Active Directory Domain Services managed domain.
As a best practice, restrict network traffic to flow only between the IP range for your LDAP server and Tanium as a Service (TaaS) over the associated ports. For port information, see Ports.
If you are using Azure Active Directory Domain Services, you must configure Microsoft Azure to allow network connections from TaaS. For more information, see Microsoft: Lock down secure LDAP access over the internet.

Impact uses Security Identifiers (SIDs) and the Tanium Architecture for Active Directory queries. Because of this structure, the number of queries to the domain controller are low and the overall network traffic generated by Impact is minimal. For more information about this process, see Collect and analyze data Collect and analyze data.

Active Directory user account

The service account that you specify for Impact is not used for Active Directory queries.

Impact uses the user account that you specify when you configure the connection to domains for Active Directory queries. This user should have limited access. You can specify any user, but if you modified the standard user permissions from the default settings, the user must meet the following minimum requirements so that Impact has access to read attribute data from Active Directory:

Member of the Domain Users group
Permission to read the objectSID attribute from the domain object in the configured domains
Permission to read the objectSID attribute on all users, groups, and computers in the configured domains
Permission to Read members on all groups in the configured domains
(Optional, best practice) Assign List Contents and Read all properties access on all objects in the configured domains, including the domain object.

Host and network security requirements

Specific ports and processes are needed to run Impact.

Ports

The following ports are required for Impact communication.

Source	Destination	Port	Protocol	Purpose
Module Server Tanium as a Service	Active Directory Server	389 / 636	LDAP / LDAPS	Connecting to the Active Directory server.
Module Server Tanium as a Service	Active Directory Global Catalog Server	3268 / 3269	LDAP / LDAPS	Required only when connecting to the Active Directory Global Catalog server. For more information, see Configure connections to domains Configure connections to domains.

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Impact security exclusions
Target Device	Notes	Process
Module Server		<Module Server>\services\impact-service\TaniumImpactService.exe
Module Server		<Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe
Windows endpoints		<Tanium Client>\Python38\TPython.exe
Windows endpoints		<Tanium Client>\Python38\*.dll

Impact security exclusions
Target Device	Notes	Process
Windows endpoints		<Tanium Client>\Python38\TPython.exe
Windows endpoints		<Tanium Client>\Python38\*.dll

User role requirements

The following tables list the role permissions required to use Impact. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.

Impact user role permissions
Permission	Impact Operator⁴²	Impact User⁴²
Show Impact¹ View the Impact workbench
Impact Service Account Perform Impact service account tasks
Impact Service Account Write Update the Impact service account
Impact Service Account Read View the Impact service account
Impact Domains Write Create and edit Impact domains
Impact Domains Read View Impact domains	²¹	²
Impact Sync Start Start the Impact synchronization
Impact Sync Status Read View the Impact synchronization status
Impact Shortest Path Read View the shortest path graphs
Impact Asset Impact Read View the impact rating for assets
Impact Asset Details Read View the details for an asset
Impact Asset Items Read View the items for an asset
Impact Support Bundle Read View the Impact support bundle
Impact Endpoint Configuration Approve Allows users to approve Endpoint Configuration items for Impact
¹ To install Impact, you must have the Import Signed Content micro admin permission or the reserved role of Administrator. ² This role provides Tanium Data Service permissions (through Interact). You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see the Tanium Interact User Guide: User role requirements. ³¹ This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements. ⁴² This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. ⁵ If you installed Tanium Client Management, Endpoint Configuration is installed, and byBy default, configuration changes initiated by the module service account (such as tool deployment) require approval. You can bypass approval for module-generated configuration changes by applying the Endpoint Configuration Bypass Approval permission to this role and adding the relevant content sets. For more information, see Tanium Endpoint Configuration User Guide: User role requirements.

Provided Impact Micro Admin and Advanced user role permissions
Permission	Role Type	Content Set for Permission
Read User	Micro Admin	Default
Write Action Group	Micro Admin	Default
Read Action Group	Micro Admin	Default
Read Sensor	Advanced	Reserved
Read Sensor	Advanced	Default
Read Sensor	Advanced	Client Management
Read Sensor	Advanced	Base
Read Sensor	Advanced	Interact
Read Sensor	Advanced	Impact
Read Sensor	Advanced	Core Content
Read Plugin	Advanced	Reserved
Read Plugin	Advanced	Impact
Read Plugin	Advanced	Endpoint Configuration
Execute Plugin	Advanced	Reserved
Execute Plugin	Advanced	Impact
Execute Plugin	Advanced	Endpoint Configuration
Read Own Action	Advanced	Impact
Read Action	Advanced	Impact
Write Action	Advanced	Impact
Read Package	Advanced	Impact
Show Preview	Advanced	Impact