Impact requirements
Review the requirements before you
Core platform dependencies
Make sure that your environment meets the following requirements:
-
Tanium license that includes Impact
Impact is no longer included as part of the Tanium Core Platform and now requires a license. All existing Impact customers can continue to use Impact for free.
-
Tanium™ Core Platform servers: 7.5.4.1158 or later
- Tanium™ Client: Any supported version of Tanium Client. For the Tanium Client versions supported for each OS, see Tanium Client Management User Guide: Client version and host system requirements.
If you use a client version that is not listed, certain product features might not be available, or stability issues can occur that can only be resolved by upgrading to one of the listed client versions.
Solution dependencies
Other Tanium solutions are required for Impact to function (required dependencies) or for specific Impact features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.
Some Impact dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Impact requires.
Tanium recommended installation
If you select Tanium Recommended Installation when you import Impact, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.
Import specific solutions
If you select only Impact to import and are using Tanium Core Platform 7.5.2.3531 with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for Impact, the server automatically updates those dependencies to the latest available versions.
If you select only Impact to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.
Required dependencies
Impact has the following required dependencies at the specified minimum versions. You must install the dependencies in the listed order.
- Tanium™ Interact 2.2.3 or later
- Tanium™ System User Service 1.0.77 or later
- Tanium™ RDB Service 1.2.31 or later
- Tanium™ Directory Query 1.0 or later
- Tanium™ Criticality 1.1 or later
- Tanium™ Endpoint Configuration 1.2 or later (installed as part of Tanium™ Client Management 1.5 or later)
Feature-specific dependencies
Impact has the following feature-specific dependencies at the specified minimum versions:
- Tanium Connect 5.8.54 or later is required to send Impact data to destinations.
- Tanium Threat Response 2.5.1 or later is required to display Impact ratings for alerts in Threat Response.
- Tanium Trends 3.6.323 or later is required to view the Impact Trends board.
Client extensions
Tanium Endpoint Configuration installs client extensions for Impact on endpoints. Client Extensions perform tasks that are common to certain Tanium solutions. The Tanium Client uses code signatures to verify the integrity of each client extension prior to loading the extension on the endpoint. Each client extension has recommended security exclusions to allow the Tanium processes to run without interference. See Security exclusions for more information. The following client extensions perform Impact functions:
- Config CX - Provides installation and configuration of extensions on endpoints. Tanium Client Management installs this client extension.
- Core CX - Provides a management framework API for all other client extensions and exposes operating system metrics. Tanium Client Management installs this client extension.
- DEC CX - Provides a direct connection between endpoint and
Tanium™ Module Server
Impact is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.
For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.
Endpoints
Supported operating systems
The following endpoint operating systems are supported with Impact.
| Operating system | OS version | Notes |
|---|---|---|
| Microsoft Windows Server | Microsoft Windows Server 2008 R2 (SP1) and later | Windows Server 2008 R2 SP1 requires Microsoft KB2758857. |
| Microsoft Windows Workstation | Microsoft Windows 7 (SP1) and later | Windows 7 Service Pack 1 requires Microsoft KB2758857. |
Host and network security requirements
Specific ports and processes are needed to run Impact.
Ports
The following ports are required for Impact communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
|
Active Directory Server |
|
|
Connecting to the Active Directory server. |
|
|
Active Directory Global Catalog Server |
|
|
Required only when connecting to the Active Directory Global Catalog server. For more information, see Configure connections to domainsConfigure connections to domains. |
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\impact-service\TaniumImpactService.exe | |
| Process | <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe | ||
| Windows endpoints | Process | <Tanium Client>\Python38\TPython.exe | |
| Folder | <Tanium Client>\Python38 | ||
| Process | <Tanium Client>\TaniumCX.exe | ||
| Process | <Tanium Client>\TaniumClientExtensions.dll | ||
| Process | <Tanium Client>\TaniumClientExtensions.dll.sig | ||
| When Direct Connect is installed; satellite sync only | Process | <Tanium Client>\extensions\TaniumDEC.dll | |
| When Direct Connect is installed; satellite sync only | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig |
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Windows endpoints | Process | <Tanium Client>\Python38\TPython.exe | |
| Folder | <Tanium Client>\Python38 | ||
| Process | <Tanium Client>\TaniumCX.exe | ||
| Process | <Tanium Client>\TaniumClientExtensions.dll | ||
| Process | <Tanium Client>\TaniumClientExtensions.dll.sig | ||
| When Direct Connect is installed; satellite sync only | Process | <Tanium Client>\extensions\TaniumDEC.dll | |
| When Direct Connect is installed; satellite sync only | Process | <Tanium Client>\extensions\TaniumDEC.dll.sig |
User role requirements
The following tables list the role permissions required to use Impact. To review a summary of the predefined roles, see Set up Impact users.
For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.
On installation, Impact creates a Impact user to automatically manage the Impact service account. Do not edit or delete the Impact user.
| Permission | Impact Administrator1,2,3 | Impact Operator1,2,3 | Impact User2,3 | Impact Endpoint Configuration Approver |
|---|---|---|---|---|
|
Impact View the Impact workbench |
SHOW |
SHOW |
SHOW |
|
|
Impact Asset Details View the details for an asset |
READ |
READ |
READ |
|
|
Impact Asset Impact View the impact rating for assets |
READ |
READ |
READ |
|
|
Impact Asset Items View the items for an asset |
READ |
READ |
READ |
|
|
Impact Endpoint Configuration Approve Impact items in Endpoint Configuration |
|
|
|
APPROVE |
|
Impact Settings View and edit Impact settings |
READ WRITE |
READ WRITE |
|
|
|
Impact Shortest Path View the shortest path graphs |
READ |
READ |
READ |
|
|
Impact Support Bundle View the Impact support bundle |
READ |
|
|
|
|
Impact Sync Start the Impact synchronization |
START |
START |
|
|
|
Impact Sync Status View the Impact synchronization status |
READ |
READ |
READ |
|
|
1 This role provides satellite permissions (through Tanium Direct Connect). For more information, see Tanium Direct Connect User Guide: User role requirements. 2 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. 3 This role provides module permissions for Tanium Directory Query. You can view which Directory Query permissions are granted to this role in the Tanium Console. For more information, see Tanium Directory Query User Guide: User role requirements. |
||||
| Permission | Impact Administrator1,2 | Impact Operator1,2 | Impact User2 | Impact Endpoint Configuration Approver2,3 |
|---|---|---|---|---|
| Plugin |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
READ EXECUTE |
| Saved Question |
READ |
READ |
READ |
|
| Sensor |
READ |
READ |
READ |
|
|
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions. 1 This role provides content set permissions for Tanium Interact. You can view which Interact content sets are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements. 2 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. 3 This role provides content set permissions for Tanium Direct Connect. You can view which Direct Connect content sets are granted to this role in the Tanium Console. For more information, see Tanium Direct Connect User Guide: User role requirements. |
||||
Last updated: 5/30/2023 2:15 PM | Feedback