Impact requirements
Review the requirements before you
Tanium dependencies
Make sure that your environment meets the following requirements.
| Component | Requirement |
|---|---|
| Tanium™ Core Platform | 7.4 or later |
| Tanium™ Client |
|
| Tanium products | Modules at the following minimum versions are required:
The following modules are optional, but Impact requires the specified minimum versions to work with them:
|
Tanium™ Module Server
Impact is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.
Endpoints
Supported operating systems
The following endpoint operating systems are supported with Impact.
| Operating system | OS version |
|---|---|
| Microsoft Windows Server | Microsoft Windows Server 2008 R2 (SP1) and later |
| Microsoft Windows Workstation | Microsoft Windows 7 (SP1) and later |
Third-party software
Impact is supported for use with:
- Active Directory Domain Services that are running on any version of Microsoft Windows Server that is currently supported by Microsoft.
- Azure Active Directory Domain Services
For supported versions, see Microsoft: Search product lifecycle.
- The connection to the LDAP server must use LDAP over TLS (also referred to as secure LDAP or LDAPS). For steps to configure LDAPS in Azure Active Directory Domain Services, see Microsoft: Configure secure LDAP for an Azure Active Directory Domain Services managed domain.
- As a best practice, restrict network traffic to flow only between the IP range for your LDAP server and Tanium as a Service (TaaS) over the associated ports. For port information, see Ports.
- If you are using Azure Active Directory Domain Services, you must configure Microsoft Azure to allow network connections from TaaS. For more information, see Microsoft: Lock down secure LDAP access over the internet.
Impact uses Security Identifiers (SIDs) and the Tanium Architecture for Active Directory queries. Because of this structure, the number of queries to the domain controller are low and the overall network traffic generated by Impact is minimal. For more information about this process, see Collect and analyze dataCollect and analyze data.
Active Directory user account
The service account that you specify for Impact is not used for Active Directory queries.
Impact uses the user account that you specify when you configure the connection to domains for Active Directory queries. This user should have limited access. You can specify any user, but if you modified the standard user permissions from the default settings, the user must meet the following minimum requirements so that Impact has access to read attribute data from Active Directory:
- Member of the Domain Users group
- Permission to read the objectSID attribute from the domain object in the configured domains
- Permission to read the objectSID attribute on all users, groups, and computers in the configured domains
- Permission to Read members on all groups in the configured domains
- (Optional, best practice) Assign List Contents and Read all properties access on all objects in the configured domains, including the domain object.
Host and network security requirements
Specific ports and processes are needed to run Impact.
Ports
The following ports are required for Impact communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
|
Active Directory Server |
|
|
Connecting to the Active Directory server. |
|
|
Active Directory Global Catalog Server |
|
|
Required only when connecting to the Active Directory Global Catalog server. For more information, see Configure connections to domains. |
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Process |
|---|---|---|
| Module Server | <Module Server>\services\impact-service\TaniumImpactService.exe | |
| <Module Server>\services\endpoint-configuration-service\TaniumEndpointConfigService.exe | ||
| Windows endpoints | <Tanium Client>\Python38\TPython.exe | |
| <Tanium Client>\Python38\*.dll |
| Target Device | Notes | Process |
|---|---|---|
| Windows endpoints | <Tanium Client>\Python38\TPython.exe | |
| <Tanium Client>\Python38\*.dll |
User role requirements
The following tables list the role permissions required to use Impact. For more information about role permissions and associated content sets, see Tanium Core Platform User Guide: Managing RBAC.
| Permission | Impact Administrator4 | Impact Operator42 | Impact Service Account2,4 | Impact User42 | Impact Endpoint Configuration Approver |
|---|---|---|---|---|---|
|
Show Impact View the Impact workbench |
|
|
|
|
|
|
Impact Service Account Perform Impact service account tasks |
|
|
|
|
|
|
Impact Service Account Write Update the Impact service account |
|
|
|
|
|
|
Impact Service Account Read View the Impact service account |
|
|
|
|
|
|
Impact Domains Write Create and edit Impact domains |
|
|
|
|
|
|
Impact Domains Read View Impact domains |
|
21
|
|
2
|
|
|
Impact Sync Start Start the Impact synchronization |
|
|
|
|
|
|
Impact Sync Status Read View the Impact synchronization status |
|
|
|
|
|
|
Impact Shortest Path Read View the shortest path graphs |
|
|
|
|
|
|
Impact Asset Impact Read View the impact rating for assets |
|
|
|
|
|
|
Impact Asset Details Read View the details for an asset |
|
|
|
|
|
|
Impact Asset Items Read View the items for an asset |
|
|
|
|
|
|
Impact Support Bundle Read View the Impact support bundle |
|
|
|
|
|
|
Impact Endpoint Configuration Approve Allows users to approve Endpoint Configuration items for Impact |
|
|
|
|
|
|
1 To install Impact, you must have the reserved role of Administrator. 2 This role provides Tanium Data Service permissions (through Interact). You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see the Tanium Interact User Guide: User role requirements. 31 This role provides module permissions for Tanium Endpoint Configuration. You can view which Endpoint Configuration permissions are granted to this role in the Tanium Console. For more information, see the Tanium Endpoint Configuration User Guide: User role requirements. 42 This role provides module permissions for Tanium Trends. You can view which Trends permissions are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements. |
|||||
| Permission | Role Type | Content Set for Permission | Impact Administrator | Impact Operator | Impact Service Account | Impact User | Impact Endpoint Configuration Approver |
|---|---|---|---|---|---|---|---|
| Read User | Micro Admin | Default |
|
|
|
|
|
| Write Action Group | Micro Admin | Default |
|
|
|
|
|
| Read Action Group | Micro Admin | Default |
|
|
|
|
|
| Read Sensor | Advanced | Reserved |
|
|
|
|
|
| Read Sensor | Advanced | Default |
|
|
|
|
|
| Read Sensor | Advanced | Client Management |
|
|
|
|
|
| Read Sensor | Advanced | Base |
|
|
|
|
|
| Read Sensor | Advanced | Interact |
|
|
|
|
|
| Read Sensor | Advanced | Impact |
|
|
|
|
|
| Read Sensor | Advanced | Core Content |
|
|
|
|
|
| Read Plugin | Advanced | Reserved |
|
|
|
|
|
| Read Plugin | Advanced | Impact |
|
|
|
|
|
| Read Plugin | Advanced | Endpoint Configuration |
|
|
|
|
|
| Execute Plugin | Advanced | Reserved |
|
|
|
|
|
| Execute Plugin | Advanced | Impact |
|
|
|
|
|
| Execute Plugin | Advanced | Endpoint Configuration |
|
|
|
|
|
| Read Own Action | Advanced | Impact |
|
|
|
|
|
| Read Action | Advanced | Impact |
|
|
|
|
|
| Write Action | Advanced | Impact |
|
|
|
|
|
| Read Package | Advanced | Impact |
|
|
|
|
|
| Show Preview | Advanced | Impact |
|
|
|
|
|
Last updated: 10/23/2020 9:50 AM | Feedback