Installing Protect

Before you begin

Import solution

  1. Log into the Tanium Console using an account with Administrator privileges.
  2. From the Main menu, click Tanium Solutions.
  3. Click Import X.X (where X.X is the current module version number) under Protect.
  4. Tanium Protect is a Tanium licensed solution. If it does not appear on the Tanium Modules page, contact your Technical Account Manager (TAM).
  5. If you are prompted, click Proceed with Import. Enter your credentials.

After the Tanium Protect installation and configuration process completes, you see the message Import completed successfully, and Protect appears in the main menu.

Set service account

A Protect service account user must be created and then configured within Protect to run several background processes, such as creating the actions to distribute the Protect - Tools package. This user must have the following role and access configured:

  • Administrator or Content Administrator role

  1. From the Protect Home page, in the Configure Protect section, click the Set Up Service Credentials step and click Set up service account.
  2. Enter the Tanium credentials and click Save.
  3. You can also set or update the service account from the Protect settings. From the Protect Home page, click Settings, and update the service account settings in the Service Account section. Click Save.

For more information about Protect privileges, see User role requirements.

Change Endpoint Status Report Settings

Click Settings on the top right of the Protect Home page and go to General to change the following settings that govern how you can use Protect to interact with endpoints:

Question Completion Percentage

This setting specifies what percentage of endpoints must respond to the question before the question is considered complete. If questions take a long time to complete in your Tanium environment, you might want to lower the percentage in this setting. By default, Question Completion Percentage is set to 85%.

Reissue Action Interval

This setting specifies how often Protect enforcement actions are reissued. By default, enforcement actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Aggregate Results Reissue Action Interval

This setting specifies how often you want report data gathered on endpoints. By default, aggregate results actions are reissued every hour. The minimum allowed value for this field is 10 minutes.

Distribute Over Time

This setting controls whether endpoints apply enforcements the moment they receive the action (Immediate) or at unique moments within the saved action interval (Diffused). Diffusing enforcements over time can help prevent a surge in network traffic in exchange for a slower time to compliance. The default setting for Distribute Over Time is 0, which means all enforcements are deployed at once.

Endpoint Status Checking Profile

This setting governs the interval at which updates are retrieved from endpoints. By default, Endpoint Status Checking Profile is set to Production mode. Aggressive mode consumes the majority of Tanium Client resources to provide extremely rapid status updates and, thereby, degrades the responsiveness of other Tanium modules. For best results, do not configure Protect to run in Aggressive mode in production environments.

Automatically Install EMET Prerequisites

This setting determines whether prerequisite EMET software is automatically installed if it is not detected on your system. This setting is enabled by default.

For best results, consult with your TAM before modifying any Protect settings.

Set defaults for AppLocker

In the Configure Protect section of the Protect Home page, click Set AppLocker rules within Settings on the Set Defaults for AppLocker tab. Review these settings to determine if you should modify them.

AppLocker settings allow you to configure default AppLocker rules, which are included automatically in any AppLocker policy you define. Default AppLocker rules are generally used to exclude trusted system files from AppLocker scans.

Protect allows you to select Whitelist or Blacklist templates for default Allow rules. You can also create a Custom template and define custom default Allow and/or Deny rules.

You can choose a Rule Template and define default Allow and Deny rules in AppLocker settings by clicking Settings at the top right of the Protect home page or by clicking Set Defaults for AppLocker > Set AppLocker rules within Settings in the Configure Protect section of the Protect home page.

The Blacklist Rule Template has the default All files Allow rule, which allows all executables to run. You can then specify Deny rules to block specific applications.

You cannot modify or delete this default rule.

The Whitelist Rule Template, by default, allows only applications that administrators run, or that are run out of special folders specified as follows:

  • All files located in the Program Files folder: applies to Everyone
  • All files located in the Windows folder: applies to Everyone
  • All files: applies to Administrators

You can expand the allowed applications by adding additional Allow rules or Deny rules to specify exceptions to otherwise allowed applications.

The Blacklist Rule Template is the default template used in Protect for new deployments until you change it.

The Custom Rule Template does not contain any default Allow or Deny rules.

To go back to the original default settings, click Restore to Default.

Add exceptions to default AppLocker rules

With rule exceptions, you can specify files or folders to exclude from a default AppLocker rule.

You can create exceptions for Path and Publisher AppLocker rule types only. You cannot create exceptions for Hash AppLocker rule types.

  1. Click + Add exception next to Exceptions in the Deny or Allow section.
  2. Configure the Exception type.
    1. For Path, provide the full name or path in the Path field.
    2. For Hash, provide the Hash and File Size (bytes).
    3. For Publisher, provide the Publisher, Product Name, File Name, and File Version, indicating if you want earlier or later versions included or only the version you specify. Use the * character as a wildcard in any of these values.
  3. Select the Windows user to which the exception applies. You can choose Everyone or Administrators.
  4. To add more exceptions, click + Add exception.
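To make the default-rule and exception behaviour described above concrete, here is an added example (not Tanium or Microsoft code) that models how the Whitelist Rule Template's three default Allow rules, plus a Path exception added to one of them, decide whether a file may run. It assumes the usual expansions of %PROGRAMFILES% and %WINDIR% and follows the AppLocker decision order: an explicit Deny wins over any Allow, and a file matched by no rule is blocked. Windows enforces the real policy; this only reproduces the decision logic for path rules so you can reason about a template before deploying it.

```python
"""Added example (not Tanium or Microsoft code): a small evaluator that models how
the Protect Whitelist Rule Template's default AppLocker path rules, plus any
exceptions added to them, decide whether a file may run. Real AppLocker is
enforced by Windows; this only reproduces the decision logic for path rules."""
from dataclasses import dataclass, field, replace
from fnmatch import fnmatchcase
from typing import List, Tuple

# Assumed expansions of the two variables the default rules use (constructed).
ENV = {"%PROGRAMFILES%": r"C:\Program Files", "%WINDIR%": r"C:\Windows"}


def _path_match(pattern: str, file_path: str) -> bool:
    """Case-insensitive wildcard match after expanding %PROGRAMFILES% / %WINDIR%."""
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    return fnmatchcase(file_path.lower(), pattern.lower())


@dataclass
class PathRule:
    name: str
    action: str                 # "Allow" or "Deny"
    path: str                   # wildcard path the rule covers
    group: str                  # "Everyone" or "Administrators"
    exceptions: List[str] = field(default_factory=list)  # paths carved out of the rule

    def matches(self, file_path: str, is_admin: bool) -> bool:
        if self.group == "Administrators" and not is_admin:
            return False
        if not _path_match(self.path, file_path):
            return False
        # A file that hits an exception is treated as if this rule did not exist.
        return not any(_path_match(exc, file_path) for exc in self.exceptions)


# The three default Allow rules of the Whitelist Rule Template, as listed above.
WHITELIST_TEMPLATE = [
    PathRule("All files located in the Program Files folder", "Allow", r"%PROGRAMFILES%\*", "Everyone"),
    PathRule("All files located in the Windows folder", "Allow", r"%WINDIR%\*", "Everyone"),
    PathRule("All files", "Allow", "*", "Administrators"),
]

# The Blacklist Rule Template: one default Allow-all rule, narrowed by Deny rules.
BLACKLIST_TEMPLATE = [PathRule("All files", "Allow", "*", "Everyone")]


def evaluate(rules: List[PathRule], file_path: str, is_admin: bool = False) -> Tuple[str, str]:
    """AppLocker decision order: an explicit Deny beats any Allow, and a file that
    matches no rule at all is blocked. Returns (decision, rule that decided it)."""
    hits = [r for r in rules if r.matches(file_path, is_admin)]
    for r in hits:
        if r.action == "Deny":
            return "Deny", r.name
    for r in hits:
        if r.action == "Allow":
            return "Allow", r.name
    return "Deny", "no matching rule"


def whitelist_with_temp_exception() -> List[PathRule]:
    """Constructed variant: the Windows-folder rule gets a Path exception for the
    Windows Temp folder, so files placed there no longer inherit the folder's Allow."""
    rules = [replace(r, exceptions=list(r.exceptions)) for r in WHITELIST_TEMPLATE]
    rules[1].exceptions.append(r"%WINDIR%\Temp\*")
    return rules


if __name__ == "__main__":
    legacy_deny = PathRule("Block legacy tool", "Deny", r"C:\Legacy\*", "Everyone")
    cases = [
        (WHITELIST_TEMPLATE, r"C:\Program Files\Vendor\app.exe", False),
        (WHITELIST_TEMPLATE, r"C:\Users\alice\Downloads\tool.exe", False),
        (WHITELIST_TEMPLATE, r"C:\Users\alice\Downloads\tool.exe", True),
        (whitelist_with_temp_exception(), r"C:\Windows\Temp\untrusted.exe", False),
        (BLACKLIST_TEMPLATE + [legacy_deny], r"C:\Legacy\old.exe", False),
    ]
    for rules, path, admin in cases:
        decision, why = evaluate(rules, path, admin)
        print(f"{'admin' if admin else 'user ':5} {path:40} -> {decision} ({why})")
```

The Windows Temp case is the one to study: under the plain Whitelist template a standard user can run anything under the Windows folder, including its user-writable subfolders; the exception narrows that default rule without removing it, which is exactly what the Add exception procedure is for.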

Upload Anti-malware

In the Configure Protect > Upload Anti-Malware section of the Protect home page, click Upload anti-malware within Settings. Review these settings to determine if you should modify them.

If Protect has a problem with an anti-malware definition, an Error displays next to the definition under Anti-Malware Definitions Status in the Health section of the Protect home page. View the error reason from the Anti-Malware page, which you can access by clicking Settings > Anti-Malware.

Microsoft System Center Endpoint Protection (SCEP) Installation

Anti-malware policies require that either SCEP or Windows Defender is installed on endpoints. When SCEP installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender.

You can choose one of the following:

  • Disable SCEP Installation: This is the default state in Protect. Leave disabled if you are creating Anti-malware SCEP rules and already have SCEP installed on your endpoints.
  • Enable SCEP Installation: Use this option to automatically install SCEP on endpoints that do not support Windows Defender. Once enabled, click Choose Installer or Update Installer to upload an installer file.

Note: The Microsoft System Center Configuration Manager includes the SCEP client installation file. For more help locating the SCEP installer, contact your TAM.

Please refer to Microsoft Technet: Endpoint Protection for more information about SCEP.

Managed Anti-Malware Definitions Download URLs

Windows Anti-malware policies can use Tanium to download and distribute Windows Anti-malware definitions.

You can choose one of the following:

  • Automatically retrieve definitions from Microsoft: This is the default setting. Definitions are downloaded from Microsoft.
  • Download definitions from custom URLs: Use this option if your network cannot reach Microsoft, and you want to host the files on a local server and specify that URL.

The URLs listed under Managed Anti-Malware Definitions Download URLs specify the Microsoft links Protect uses to download definitions.

Please refer to Microsoft Technet: File-Share-Based Definition Updates for more information about Anti-malware settings.

Manage Windows device classes and devices

Click Settings on the top right of the Protect home page and go to Device Control to manage the global list of Windows device classes and devices for use with Windows device control policies.

Device Classes

The list includes the predefined device classes that are provided by Microsoft and any additional device classes that were added, either from this page or through a device control policy. Click Device Classes to manage the global list of device classes.

  • Use the sort menu to sort the list by Name, Type, or Associated Policy.
  • Use the types filter to filter the list by class: All Types, Custom, or Default.
  • Use the Filter by name field to filter the list by a specific name.
  • Click Create to add a custom device class to the global list.
  • You can edit or delete custom device classes:
    • Select a custom device class and click Edit to update the configuration for that device class.
    • Select a custom device class and click Delete to delete that device class.

Only custom device classes can be modified or deleted. You cannot modify or delete the default device classes. Changes that are made to device classes through the global list are pushed out to all policies that reference the device class. If you delete a device class, it is removed from all policies where it is referenced.

Devices

This list includes devices that were added from this page or through a device control policy. Click Devices to manage the global list of devices.

  • Use the sort menu to sort the list by Name or Associated Policy.
  • Use the Filter by name field to filter the list by a specific name.
  • Click Create to add a new device to the global list.
  • Select a device and click Edit to update the configuration for that device.
  • Select a device and click Delete to delete that device.

Changes that are made to devices through the global list are pushed out to all policies that reference the device. If you delete a device, it is removed from all policies where it is referenced.

Configure endpoint encryption settings

Before you create endpoint encryption policies, you must configure a Postgres database to store the recovery keys. Specify the connection settings for this database on the Endpoint Encryption tab:

  • Postgres Connection String: This string is used to connect to your Postgres database and is usually formatted as: postgres://<Postgres user>:<Postgres password>@<Postgres server IP address>:<port number>/<database name>

    For example, postgres://postgresuser:********@192.20.30.40:5432/protect.

  • Protect Service Token: This token is a string that must be at least 12 characters long and contain an uppercase, lowercase, numeric, and special character. It is used to connect the recovery portal to the Postgres database to retrieve lost keys.
  • DB Pool: Specify the maximum number of connections that are allowed to the database. The default value is 5.

    A connection is made whenever the Protect service needs to communicate with the database. When the maximum number of connections is reached, the service waits until a connection is available to complete the action.

  • Postgres Server CRT File: Provide the CRT file for the Postgres server.
  • Key Encryption Key: Specify the password to use as the key encryption key (KEK) to encrypt data encryption keys (DEKs). This password must be at least 12 characters long and contain an uppercase, lowercase, numeric, and special character.

    You must save this password outside of Protect for future reference. If you are in a disaster recovery scenario for Protect and a user forgets their PIN or password, you must use this password to access the BitLocker recovery keys. If you cannot access Protect due to a failure and you do not know this password, the endpoint is unrecoverable.
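The values on this tab are easy to get subtly wrong (a database password containing @ or / breaks the connection string, and a token or KEK that misses one character class is rejected), so here is an added example, not Tanium code, of pre-flight checks you can run before pasting anything into the UI. It builds and parses the postgres://user:password@host:port/database string in the format described above, masks the password the way the page's example does, and applies the stated complexity rule for the Protect Service Token and Key Encryption Key. The sample credentials are constructed; the host and database name follow the page's own example.

```python
"""Added example (not Tanium code): pre-flight checks for the values entered on the
Endpoint Encryption tab. It builds and parses the postgres:// connection string the
page describes, masks the password for safe logging, and applies the stated
complexity rule for the Protect Service Token and Key Encryption Key."""
from urllib.parse import quote, unquote, urlsplit

SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def meets_complexity(secret: str) -> bool:
    """Rule quoted from the settings above: at least 12 characters containing an
    uppercase, a lowercase, a numeric and a special character."""
    return (len(secret) >= 12
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(c in SPECIAL_CHARS for c in secret))


def build_postgres_url(user: str, password: str, host: str, port: int, database: str) -> str:
    """Assemble postgres://user:password@host:port/database. User and password are
    percent-encoded so characters such as '@', '/' and ':' cannot be mistaken for
    delimiters (a common cause of a connection string that looks right but fails)."""
    return f"postgres://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}/{database}"


def parse_postgres_url(url: str) -> dict:
    """Split the string back into its parts and reject it if any part is missing."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError("connection string must start with postgres://")
    database = parts.path.lstrip("/")
    fields = {"user": parts.username, "password": parts.password,
              "host": parts.hostname, "database": database}
    missing = [name for name, value in fields.items() if not value]
    if missing:
        raise ValueError("connection string is missing: " + ", ".join(missing))
    return {"user": unquote(parts.username), "password": unquote(parts.password),
            "host": parts.hostname, "port": parts.port or 5432, "database": database}


def redact(url: str) -> str:
    """Same string with the password replaced by ********, as in the page's example,
    so it can go into a ticket or log without exposing the credential."""
    p = parse_postgres_url(url)
    return f"postgres://{p['user']}:********@{p['host']}:{p['port']}/{p['database']}"


if __name__ == "__main__":
    # Constructed sample values; the host and database name follow the page's example.
    url = build_postgres_url("postgresuser", "p@ss/word", "192.20.30.40", 5432, "protect")
    print(redact(url))
    for label, secret in (("service token", "Recover-Me-2019!"), ("KEK", "tooshort1!")):
        print(f"{label}: {'ok' if meets_complexity(secret) else 'does not meet complexity rule'}")
```

The parser deliberately refuses a string with an empty database name or no password rather than filling in a default, since a silently wrong connection string would only surface later as a failed recovery-key lookup.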

Deploy Protect tools

Some policies and sensors require Protect tools to be deployed to the endpoint. This is an optional setting, but initial policy enforcements take longer to apply and some sensors do not work without these tools.

  1. From the Protect Home page, click Settings and go to Tools.
  2. Select one or more computer groups to which you want to deploy tools.
  3. Click Save.

The first time you deploy Protect tools to an endpoint, you must wait four hours for the Tanium Client to restart before an endpoint returns sensor results for sensors that depend on Protect tools.

What to do next

See Getting started for more information about using Protect.

Last updated: 11/5/2019 4:18 PM