Installing Protect

Use the Tanium Solutions page to install Protect and choose either automatic or manual configuration:

  • Automatic configuration with default settings: (supported on Tanium Core Platform 7.4.2 or later only) Protect is installed with any required dependencies and other selected products. After installation, the Tanium Server automatically configures the recommended default settings. This option is the best practice for most deployments. For more information about the automatic configuration for Protect, see Import and configure Protect with default settings.
  • Manual configuration with custom settings: After installing Protect, you must manually configure required settings. Select this option only if Protect requires settings that differ from the recommended default settings. For more information, see Import and configure Protect with custom settings.

Before you begin

Import and configure Protect with default settings

When you import Protect with automatic configuration, the following default settings are configured:

  • The Protect service account is set to the account that you used to import the module.
  • The Protect action group is set to the computer group All Computers.
  • The Protect tools group is set to All Computers.
  • Optionally, Direct Connect (DEC) is installed and configured. DEC is required for BitLocker and FileVault policies. See Requirements.

To import Protect and configure default settings, be sure to select the Apply Tanium recommended configurations check box while performing the steps under Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Protect version.

Import and configure Protect with custom settings

To import Protect without automatically configuring default settings, be sure to clear the Apply Tanium recommended configurations check box while performing the steps under Tanium Console User Guide: Manage Tanium modules. After the import, verify that the correct version is installed: see Verify Protect version.

(Re-imports only) Do not use Protect until the re-import process finishes. Otherwise, you might lose any work still in progress.

  1. Sign in to the Tanium Console using an account with Administrator privileges.
  2. From the main menu, click Administration > Configuration > Solutions.
  3. Click Import X.X (where X.X is the current module version number) under Protect.
  4. Protect is a Tanium licensed solution. If it does not appear on the Tanium Modules page, contact your Technical Account Manager (TAM).
  5. If you are prompted, click Proceed with Import. Enter your credentials.

After the Protect installation and configuration process completes, you see the message Import completed successfully, and Protect appears in the Main menu.

Set service account

A Protect service account user must be created and then configured within Protect to run several background processes, such as creating the actions to distribute the Protect - Tools package. This user must have the following role and access configured:

  • Administrator or Content Administrator role

  1. From the Protect Home page, in the Configure Protect section, click the Set Up Service Credentials step and click Set up service account .
  2. Enter the Tanium credentials and click Save.
  3. You can also set or update the service account from the Protect settings. From the Protect Home page, click Settings , and update the service account settings in the Service Account section. Click Save.

For more information about Protect privileges, see User role requirements.

Change Endpoint Status Report Settings

Click Settings on the top right of the Protect Home page and go to General to change the following settings that govern how you can use Protect to interact with endpoints:

Question Completion Percentage

This setting specifies what percentage of endpoints must respond to the question before the question is considered complete. If questions take a long time to complete in your Tanium environment, you might want to lower the percentage in this setting. By default, Question Completion Percentage is set to 85%.

Reissue Action Interval

This setting specifies how often Protect enforcement actions are reissued. By default, enforcement actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Aggregate Results Reissue Action Interval

This setting specifies how often you want report data gathered on endpoints. By default, aggregate results actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Distribute Over Time

This setting controls whether endpoints apply enforcements the moment they receive the action (Immediate) or at unique moments within the saved action interval (Diffused). Diffusing enforcements over time can help prevent a surge in network traffic in exchange for a slower time to compliance. The default setting for Distribute Over Time is 0 where all enforcements are deployed at once.

Endpoint Status Checking Profile

This setting governs the interval at which updates are retrieved from endpoints. By default, Endpoint Status Checking Profile is set to Production mode. Aggressive mode consumes the majority of Tanium Client resources to provide extremely rapid status updates and, thereby, degrades the responsiveness of other Tanium modules.

For best results, do not configure Tanium Protect to run in Aggressive mode in production environments.

Automatically Install EMET Prerequisites

This setting determines whether prerequisite EMET software is automatically installed if it is not detected on your system. This setting is enabled by default.

For best results, consult with your TAM before modifying any Protect settings.

Set defaults for AppLocker

Access the AppLocker settings by clicking Settings on the Protect Home page or by clicking Set Defaults for AppLocker > Set AppLocker rules within Settings in the Configure Protect section of the Protect Home page.

In the AppLocker settings, you can select a Rule Template and define default Allow and Deny rules. A rule template contains the default AppLocker rules that are included automatically in any AppLocker policy you create. The rule template includes Allow and Deny rules to specify which files are allowed to run or are blocked. You can modify these rules in individual policies as needed. You must include at least one Allow rule.

AppLocker Deny rules take precedence over AppLocker Allow rules. See Microsoft: Understanding AppLocker allow and deny actions on rules.

Blacklist rule template

The Blacklist rule templates allow Everyone to run all applications through the (Default Rule) All files Allow rule. This rule is the only rule that is included in this rule template by default. Define the specific applications you want to block by adding Deny rules.

The Blacklist rule template is the default rule template used in Protect until you change it.

You cannot delete or modify the (Default Rule) All files Allow rule in this rule template because this rule template is intended to allow all files to run except those that you specifically block through a Deny rule.

Whitelist rule template

The Whitelist rule template, by default, allows only applications that Administrators run, or that are run out of these folders:

  • All files located in the Program Files folder: applies to Everyone
  • All files located in the Windows folder: applies to Everyone
  • All files: applies to Administrators

The default rules in the whitelist rule templates are based on the Windows AppLocker default rules. For more information, see Microsoft: Understanding AppLocker default rules.

If you choose to enforce the default Protect Whitelist rule template, you might block applications unintentionally. The Whitelist rule template blocks applications without explicitly listing the applications. For example, a program being run by a user out of that user’s profile directory is blocked. For best results, deploy whitelist policies initially in Audit Only mode until audit reports can be reviewed and the intended results are confirmed. See Using best practices with policies and rules: AppLocker policies for an example workflow.

As a best practice, add to the existing default rules to allow or deny applications rather than modifying the default rules. Test any modifications in audit mode first to ensure that they are running as intended before you switch to blocking mode.

The Tanium Client uses BAT, EXE, and VBS files. Be sure that you do not block files in the Tanium Client directory that might break the client functions.

When you edit a blacklist or whitelist template, it becomes a custom template and the pulldown field changes to Custom.

Custom rule template

Use the Custom rule template to create your own template. This rule template does not contain any rules by default.

You can customize any of these rule templates by adding additional Allow rules or Deny rules. Click Save to save your changes. To go back to the original default settings, click Restore to Default.

Add exceptions to default AppLocker rules

Use rule exceptions to specify files or folders to exclude from a default AppLocker rule.

You can create exceptions only for Path and Publisher types. You cannot create exceptions for Hash types.

  1. Click + Add exception next to Exceptions in the Deny or Allow section.
  2. Configure the Exception type:
    1. For Path, provide the full path or file name in the Path field.
    2. For Hash, provide the Hash and optional File Size (bytes).
    3. For Publisher, provide the Publisher, Product Name, and File Name. In the File Version field, indicate whether you want earlier or later versions included or only the exact version you specify. You can use the * character as a wildcard in any of these values.
  3. Click Save to save your changes. To go back to the original default settings, click Restore to Default.

Upload Anti-malware

In the Configure Protect > Upload Anti-Malware section of the Protect home page, click Upload anti-malware within Settings. Review these settings to determine if you should modify them.

If Protect has a problem with an anti-malware definition, an Error displays next to the definition under Anti-Malware Definitions Status in the Health section of the Protect home page. View the error reason from the Anti-Malware page, which you can access by clicking Settings > Anti-Malware.

Microsoft System Center Endpoint Protection (SCEP) Installation

Anti-malware policies require that either SCEP or Windows Defender is installed on endpoints. When SCEP installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.

You can choose one of the following:

  • Disable SCEP Installation: This is the default state in Protect. Leave disabled if you are creating Anti-malware SCEP rules and already have SCEP installed on your endpoints.
  • Enable SCEP Installation: Use this option to automatically install SCEP on endpoints that do not support Windows Defender. Once enabled, click Choose Installer or Update Installer to upload an installer file.
  • The Microsoft System Center Configuration Manager includes the SCEP client installation file. For more help locating the SCEP installer, contact your TAM.

Please refer to Microsoft Technet: Endpoint Protection for more information about SCEP.

Managed Anti-Malware Definitions Download URLs

Windows Anti-malware policies can use Tanium to download and distribute Windows Anti-malware definitions.

You can choose one of the following:

  • Automatically retrieve definitions from Microsoft: This is the default setting. Definitions are downloaded from Microsoft.
  • Download definitions from custom URLs: Use this option if your network cannot reach Microsoft, and you want to host the files on a local server and specify that URL.

The URLs listed under Managed Anti-Malware Definitions Download URLs specify the Microsoft links Protect uses to download definitions.

Please refer to Microsoft Technet: File-Share-Based Definition Updates for more information about Anti-malware settings.

Manage Windows device classes and devices

Click Settings on the top right of the Protect home page and go to Device Control to manage the global list of Windows device classes and devices for use with Windows device control policies.

Device Classes

The list includes the predefined device classes that are provided by Microsoft and any additional device classes that were added, either from this page or through a device control policy. Click Device Classes to manage the global list of device classes.

  • Use the sort menu to sort the list by Name, Type, or Associated Policy.
  • Use the types filter to filter the list by class: All Types, Custom, or Default.
  • Use the Filter by name field to filter the list by a specific name.
  • Click Create to add a custom device class to the global list.
  • You can edit or delete custom device classes:
    • Select a custom device class and click Edit to update the configuration for that device class.
    • Select a custom device class and click Delete to delete that device class.

Only custom device classes can be modified or deleted. You cannot modify or delete the default device classes. Changes that are made to device classes through the global list are pushed out to all policies that reference the device class. If you delete a device class, it is removed from all policies where it is referenced.

Devices

This list includes devices that were added from this page or through a device control policy. Click Devices to manage the global list of devices.

  • Use the sort menu to sort the list by Name or Associated Policy.
  • Use the Filter by name field to filter the list by a specific name.
  • Click Create to add a new device to the global list.
  • Select a device and click Edit to update the configuration for that device.
  • Select a device and click Delete to delete that device.

Changes that are made to devices through the global list are pushed out to all policies that reference the device. If you delete a device class, it is removed from all policies where it is referenced.

Configure endpoint encryption settings

Before you create endpoint encryption policies, you must configure a Postgres database to store the recovery keys. Specify the connection settings for this database on the Endpoint Encryption tab:

  • Postgres Connection String: This string is used to connect to your Postgres database and is usually formatted as: postgres://<Postgres user>:<Postgres password>@<Postgres server address>:<port number>/<database name>

    For example, postgres://postgresuser:********@pgsrv.corp.com:5432/protect.

    The address specified in <Postgres server address> must match the value specified in the Common Name field of the Postgres Server CRT File.

  • Protect Service Token: This token is a string that must be at least 12 characters long and contain an uppercase, lowercase, numeric, and special character. It is used to connect the recovery portal to the Postgres database to retrieve lost keys. If you are using the recovery portal, this string must match the string that is set in the PROTECT_API_TOKEN configuration parameter in the configuration file, ecosystem.config.js, for the recovery portal.
  • DB Pool: Specify the maximum number of connections that are allowed to the database. The default value is 5.

    A connection is made whenever the Protect service needs to communicate with the database. When the maxiumum number of connections is reached, the service waits until a connection is available to complete the action.

  • Postgres Server CRT File: Provide the CRT file for the Postgres server.
  • Key Encryption Key: Specify the password to use as the key encryption key (KEK) to encrypt data encryption keys (DEKs). This password must be at least 12 characters long and contain an uppercase, lowercase, numeric, and special character.

    You must save this password outside of Protect for future reference. If you are in a disaster recovery scenario for Protect and a user forgets their PIN or password, you must use this password to access the BitLocker or FileVault recovery keys. If you cannot access Protect due to a failure and you do not know this password, the endpoint is unrecoverable.

Deploy Protect tools

Some policies and sensors require Protect tools to be deployed to the endpoint. This is an optional setting, but initial policy enforcements take longer to apply and some sensors do not work without these tools.

  1. From the Protect Home page, click Settings and go to Tools.
  2. Select one or more computer groups to which you want to deploy tools.
  3. Click Save.

The first time you deploy Protect tools to an endpoint, you must wait four hours for the Tanium Client to restart before an endpoint returns sensor results for sensors that depend on Protect tools.

Upgrade Protect

For the steps to upgrade Protect, see Tanium Console User Guide: Manage Tanium modules. After the upgrade, verify that the correct version is installed: see Verify Protect version.

Verify Protect version

After you import or upgrade Protect, verify that the correct version is installed:

  1. Refresh your browser.
  2. From the Main menu, click Show Protect to open the Protect Home page.
  3. To display version information, click Info Info.

What to do next

See Getting started for more information about using Protect.