Requirements

Tanium dependencies

In addition to a license for the Protect module, make sure that your environment meets the following requirements.

| Component | Requirement |
|---|---|
| Platform | Version 7.2 or later |
| Tanium™ Client | 7.2.314.3211 or later |
| Tanium™ Direct Connect | Version 1.1.0 or later. Required only when you use BitLocker policies. |
| Tanium™ End-User Notifications | Version 1.5.0 or later. Required only when you use BitLocker policies. |

Tanium Module Server

Protect is installed and runs as a service on the Tanium™ Module Server host computer. The impact on the Module Server is minimal and depends on usage. For more information, contact your TAM.

Installation prerequisites

The Tanium Module Server must be running when you install Protect.

Required credentials

Before installing Protect, you need to have a service account with Tanium Administrator credentials.

To initialize Protect, you must have a valid Tanium account with Action Author permissions. Protect uses this account to perform internal maintenance tasks.

System requirements

The following are the requirements for each policy and rule type in Protect:

Anti-malware policy

System Center Endpoint Protection (SCEP)

  • Windows 7
  • Windows Server 2008 R2, 2012 or 2012 R2

Windows Defender

  • Windows 8 or 10
  • Windows Server 2016

AppLocker policy

  • Windows 7 Enterprise, Ultimate, or Embedded
  • Windows 8 Enterprise, 8.1 Enterprise, or 10 Enterprise
  • Windows Server 2008 R2 or later

BitLocker policy

  • Windows 7 Enterprise or Ultimate

    Windows 7 endpoints must have a TPM chip to use BitLocker.

  • Windows 8 Enterprise or Pro
  • Windows 10 Education, Pro Education, Enterprise, or Pro

Device Control - Windows policy

  • Windows 7 or later
  • Windows Server 2008 R2 or later

EMET policy

  • Windows Vista or later
  • Windows Server 2008 or later

Firewall Management - Windows policy

  • Windows Vista or later
  • Windows Server 2008 or later

Firewall Management - Linux policy

  • CentOS 6 and 7
  • Red Hat Enterprise Linux (RHEL) 6 and 7
  • Ubuntu 16

Remediation - Windows policy

  • Windows 7 or later
  • Windows Server 2008 R2 or later

Remediation - Linux policy

  • CentOS 6 and 7
  • RHEL 6 and 7
  • Ubuntu 16

Remediation - Mac policy

  • Mac OS X 10.8 Mountain Lion

SRP management policy

  • Windows Vista or later
  • Windows Server 2008 or later

Host and network security requirements

Specific processes are needed to run Protect.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Table 1:   Protect security exclusions
| Target Device | Process |
|---|---|
| Module Server | <Tanium Module Server>\services\protect-service\7za.exe |
| Module Server | <Tanium Module Server>\services\protect-service\node.exe |
| Windows x86 endpoints | <Tanium Client>\Tools\StdUtils\7za.exe |
| Windows x86 endpoints | <Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies) |
| Windows x86 endpoints | <Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies) |
| Windows x86 endpoints | <Tanium Client>\Tools\Protect\devcon32.exe |
| Windows x64 endpoints | <Tanium Client>\Tools\StdUtils\7za.exe |
| Windows x64 endpoints | <Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies) |
| Windows x64 endpoints | <Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies) |
| Windows x64 endpoints | <Tanium Client>\Tools\Protect\devcon64.exe |

Ports

The following ports are required for Protect communication.

| Component | Port | Direction | Purpose |
|---|---|---|---|
| Module Server | 17475 | Inbound | Required only when you use BitLocker policies. Allows communication between the Module Server and endpoints for Direct Connect. |
| Module Server | 17476 | Loopback | Required only when you use BitLocker policies. Allows notifications on endpoints from the End-User Notifications service. |
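
One way to check the Module Server's listeners against the Ports table above, as an added PowerShell example (not Tanium's own tooling). `Test-ProtectListener` is a hypothetical helper, the sample objects are constructed, and the commented live call uses the standard `Get-NetTCPConnection` cmdlet.

```powershell
# Expected direction per port, taken from the Ports table above.
$Expected = @{
    17475 = 'Inbound'   # Direct Connect: endpoints connect to the Module Server
    17476 = 'Loopback'  # End-User Notifications: local traffic only
}
$LoopbackAddresses = @('127.0.0.1', '::1')

function Test-ProtectListener {
    # Hypothetical helper: compares listener objects (LocalAddress, LocalPort)
    # with the expected direction for each Protect port.
    param([object[]]$Listeners)

    foreach ($port in ($Expected.Keys | Sort-Object)) {
        $bound = @($Listeners | Where-Object { $_.LocalPort -eq $port })
        # Listeners bound to anything other than a loopback address.
        $nonLoopback = @($bound | Where-Object { $LoopbackAddresses -notcontains $_.LocalAddress })

        $status = 'OK'
        if ($bound.Count -eq 0) {
            # Expected when BitLocker policies are not in use.
            $status = 'NOT LISTENING'
        }
        elseif ($Expected[$port] -eq 'Loopback' -and $nonLoopback.Count -gt 0) {
            $status = 'EXPOSED: bound beyond loopback'
        }
        elseif ($Expected[$port] -eq 'Inbound' -and $nonLoopback.Count -eq 0) {
            $status = 'UNREACHABLE: bound to loopback only'
        }

        [pscustomobject]@{
            Port      = $port
            Expected  = $Expected[$port]
            Addresses = ($bound.LocalAddress -join ', ')
            Status    = $status
        }
    }
}

# Constructed sample data (not captured from a real server): 17476 is bound
# to all interfaces, which does not match the Loopback direction in the table.
$sample = @(
    [pscustomobject]@{ LocalAddress = '0.0.0.0'; LocalPort = 17475 }
    [pscustomobject]@{ LocalAddress = '0.0.0.0'; LocalPort = 17476 }
)
Test-ProtectListener -Listeners $sample | Format-Table -AutoSize

# On the Module Server, pass live listeners instead of the sample:
# Test-ProtectListener -Listeners (Get-NetTCPConnection -State Listen -LocalPort 17475,17476 -ErrorAction SilentlyContinue)
```

The check reports bind addresses only; a host firewall rule may still restrict who can reach a port that is bound to all interfaces.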

User role requirements

The following user roles are supported in Protect. The four predefined roles are Protect Administrator, Protect Recovery Key Viewer, Protect User, and Protect Read Only User.

Table 2:   Protect User Role Privileges for Tanium 7.1.314.3071 or later
Privilege Protect Administrator Protect Recovery Key Viewer Protect User Protect Read Only User

Show Protect1

View the Protect workbench.

2 2 2 2

Protect Read

View policies, enforcements, reports, and results for Protect questions asked in Interact. Export policies.

2 2 2

Protect Write

Create and edit policies, enforcements, and reports. Import and re-prioritize policies.

Protect Settings Write

Change the global settings for the Protect module.

Protect Recovery Keys Read

View encryption recovery keys.

1 To install Protect, you must have the reserved role of Administrator.

2 Denotes a provided permission.

 

Table 3:   Provided Protect Micro Admin and Advanced User Role Permissions for Tanium 7.1.314.3071 or later
Permission Role Type Content Set for Permission Protect Administrator Protect User Protect Read Only User
Read User Micro Admin  


Ask Dynamic Questions Advanced  


Approve Action Advanced Protect


Approve Action Advanced Protect Anti-malware Definitions


Execute Plugin Advanced Protect


Read Action Advanced Protect


Read Action Advanced Protect Anti-malware Definitions


Read Package Advanced Protect


Read Package Advanced Protect Anti-malware Definitions


Read Sensor Advanced Reserved


Read Sensor Advanced Protect


Write Action Advanced Protect


Write Action Advanced Protect Anti-malware Definitions


Write Package Advanced Protect


Write Package Advanced Protect Anti-malware Definitions


Write Saved Question Advanced Protect



Table 4:   Optional role for Protect
Role Enables

A micro admin role that grants the Read System Status permission

Access to select Individual Computers when you enforce a policy.

For more information, see Tanium Platform User Guide: Create a Micro Admin Role.

Last updated: 11/19/2019 7:44 PM