Requirements

Tanium dependencies

In addition to a license for the Protect module, make sure that your environment meets the following requirements.

Component               Requirement
Tanium™ Core Platform   Version 7.2 or later
Tanium™ Client          7.2.314.3211 or later
Tanium products         If you clicked the Install with Recommended Configurations button when you installed Protect, the Tanium Server automatically installed all your licensed modules at the same time. Otherwise, you must manually install the modules that Protect requires, as described under Tanium Console User Guide: Manage Tanium modules.

The following modules are required for Protect BitLocker policies. Protect requires at least the given minimum versions to work with them:

  • Tanium™ Direct Connect Version 1.1.0 or later
    For Direct Connect 1.3.0 or later, you must use Protect 2.1.1 or later.
  • Tanium™ End-User Notifications Version 1.5.0 or later

Tanium™ Module Server

Protect is installed and runs as a service on the Tanium Module Server host computer. The impact on the Module Server is minimal and depends on usage. For more information, contact your TAM.

Endpoints

Protect policies support the following endpoint operating systems:

Anti-malware policy

System Center Endpoint Protection (SCEP)

  • Windows 7
  • Windows Server 2008 R2, 2012 or 2012 R2

Windows Defender

  • Windows 8 or 10
  • Windows Server 2016

AppLocker policy

  • Windows 7 Enterprise, Ultimate, or Embedded
  • Windows 8 Enterprise, 8.1 Enterprise, or 10 Enterprise
  • Windows Server 2008 R2 or later

BitLocker policy

  • Windows 7 Enterprise or Ultimate

    Windows 7 endpoints must have a TPM chip to use BitLocker.

  • Windows 8 Enterprise or Pro
  • Windows 10 Education, Pro Education, Enterprise, or Pro

Device Control - Windows policy

  • Windows 7 or later
  • Windows Server 2008 R2 or later

EMET policy

  • Windows Vista or later
  • Windows Server 2008 or later

Firewall Management - Windows policy

  • Windows Vista or later
  • Windows Server 2008 or later

Firewall Management - Linux policy

  • CentOS 6 and 7
  • Red Hat Enterprise Linux (RHEL) 6 and 7
  • Ubuntu 16

Remediation - Windows policy

  • Windows 7 or later
  • Windows Server 2008 R2 or later

Remediation - Linux policy

  • CentOS 6 and 7
  • RHEL 6 and 7
  • Ubuntu 16

Remediation - Mac policy

  • Mac OS X 10.8 Mountain Lion

SRP management policy

  • Windows Vista or later
  • Windows Server 2008 or later

Host and network security requirements

Specific processes are needed to run Protect.

Security exclusions

If security software is in use in the environment to monitor and block unknown host system processes, your security administrator must create exclusions to allow the Tanium processes to run without interference.

Table 1:   Protect security exclusions

Target Device: Module Server
  <Tanium Module Server>\services\protect-service\7za.exe
  <Tanium Module Server>\services\protect-service\node.exe

Target Device: Windows x86 endpoints
  <Tanium Client>\Tools\StdUtils\7za.exe
  <Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies)
  <Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies)
  <Tanium Client>\Tools\Protect\devcon32.exe
  <Tanium Client>\Python27\TPython.exe (7.2.x clients)
  <Tanium Client>\Python38\TPython.exe (7.4.x clients)
  <Tanium Client>\Python38\*.dll (7.4.x clients)

Target Device: Windows x64 endpoints
  <Tanium Client>\Tools\StdUtils\7za.exe
  <Tanium Client>\Tools\Protect\LocalPolicyTool.exe (for Anti-Malware, AppLocker, and SRP policies)
  <Tanium Client>\Tools\LocalPolicyTool.exe (for Windows device control policies)
  <Tanium Client>\Tools\Protect\devcon64.exe
  <Tanium Client>\Python27\TPython.exe (7.2.x clients)
  <Tanium Client>\Python38\TPython.exe (7.4.x clients)
  <Tanium Client>\Python38\*.dll (7.4.x clients)

Target Device: macOS, Linux x86, and Linux x64 endpoints
  <Tanium Client>/python27/python (7.2.x clients)
  <Tanium Client>/python38/python (7.4.x clients)
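As an added example (not Tanium code) of checking the Table 1 list against a real endpoint before handing it to the security team: the Python script below resolves the <Tanium Client> placeholder for the Windows x64 7.4.x rows, reports which entries have no matching file on disk, and keeps the Python38\*.dll wildcard from reaching into subdirectories. The install root and all function names are assumptions, and the file list used in testing is constructed.

```python
import fnmatch
import os

PLACEHOLDER = "<Tanium Client>"

# Entries copied from Table 1 (Windows x64 endpoints, 7.4.x client rows).
WINDOWS_X64_74_EXCLUSIONS = [
    r"<Tanium Client>\Tools\StdUtils\7za.exe",
    r"<Tanium Client>\Tools\Protect\LocalPolicyTool.exe",
    r"<Tanium Client>\Tools\LocalPolicyTool.exe",
    r"<Tanium Client>\Tools\Protect\devcon64.exe",
    r"<Tanium Client>\Python38\TPython.exe",
    r"<Tanium Client>\Python38\*.dll",
]

def _norm(path):
    # Case-insensitive, forward-slash form so the comparison is OS-independent.
    return path.replace("\\", "/").lower()

def _matches(file_path, pattern):
    # The wildcard applies to the file name only, so Python38\*.dll covers that
    # directory and not DLLs that happen to sit in one of its subdirectories.
    fdir, _, fname = file_path.rpartition("/")
    pdir, _, pname = pattern.rpartition("/")
    return fdir == pdir and fnmatch.fnmatchcase(fname, pname)

def expand_exclusions(entries, client_root, present_files):
    """Resolve Table 1 entries against the files found under client_root.
    Returns (matched, unmatched): matched maps each concrete file to the entry
    that permits it; unmatched lists entries with no file on disk, which points
    at a stale exclusion or a different client layout and deserves a look."""
    root = _norm(client_root).rstrip("/")
    patterns = {e: _norm(e.replace(PLACEHOLDER, root)) for e in entries}
    matched = {}
    for f in present_files:
        for entry, pat in patterns.items():
            if _matches(_norm(f), pat):
                matched[f] = entry
    unmatched = [e for e in entries if e not in matched.values()]
    return matched, unmatched

if __name__ == "__main__":
    ROOT = r"C:\Program Files (x86)\Tanium\Tanium Client"  # assumed default install root
    on_disk = [os.path.join(d, f) for d, _, fs in os.walk(ROOT) for f in fs]
    found, missing = expand_exclusions(WINDOWS_X64_74_EXCLUSIONS, ROOT, on_disk)
    for path, entry in sorted(found.items()):
        print("EXCLUDED", path, "<-", entry)
    for entry in missing:
        print("NO FILE MATCHES", entry)
```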

Ports

The following ports are required for Protect communication.

Component, port, direction, and purpose:

Module Server, port 17475, inbound
  Required only when you use BitLocker policies. Allows communication between the Module Server and endpoints for Direct Connect.

Module Server, port 17476, loopback
  Required only when you use BitLocker policies. Allows notifications on endpoints from the End-User Notifications service.

Module Server, port 5432, outbound
  Required only when you use BitLocker policies. Allows communication between the Module Server and the Postgres database where the recovery keys are stored. This port is 5432 by default. If you use a different port, ensure that port is open. You configure this port for use by Protect in the Postgres Connection String field on the Endpoint Encryption tab in the Protect settings.

Module Server, port 17481, inbound
  Required only when you use the recovery portal with BitLocker policies. Allows communication between the Module Server and the recovery portal.

Recovery portal server, port 80 or 443, inbound
  Required only when you use the recovery portal with BitLocker policies. Allows users to access the recovery portal. Use port 80 for HTTP or port 443 for HTTPS. Set the port number and protocol when you run the install script for the portal.

Recovery portal server, port 389 or 636, outbound
  Required only when you use the recovery portal with BitLocker policies. Allows communication between the recovery portal server and the identity server. Use port 389 for LDAP or port 636 for LDAPS.

User role requirements

The following user roles are supported in Protect. The four predefined roles are Protect Administrator, Protect Recovery Key Viewer, Protect User, and Protect Read Only user.

Table 2:   Protect User Role Privileges for Tanium 7.1.314.3071 or later
Role columns, in order: Protect Administrator, Protect Recovery Key Viewer, Protect User, Protect Read Only User

Show Protect
  View the Protect workbench.
  1 1 1 1

Protect Read
  View policies, enforcements, reports, and results for Protect questions asked in Interact. Export policies.
  1 1 1

Protect Write
  Create and edit policies, enforcements, and reports. Import and re-prioritize policies.

Protect Settings Write
  Change the global settings for the Protect module.

Protect Recovery Keys Read
  View encryption recovery keys.

1 Denotes a provided permission.


Table 3:   Provided Protect Micro Admin and Advanced User Role Permissions for Tanium 7.1.314.3071 or later
Columns: Permission, Role Type, Content Set for Permission, Protect Administrator, Protect User, Protect Read Only User

Permission              Role Type     Content Set for Permission
Read User               Micro Admin
Ask Dynamic Questions   Advanced
Approve Action          Advanced      Protect
Approve Action          Advanced      Protect Anti-malware Definitions
Execute Plugin          Advanced      Protect
Read Action             Advanced      Protect
Read Action             Advanced      Protect Anti-malware Definitions
Read Package            Advanced      Protect
Read Package            Advanced      Protect Anti-malware Definitions
Read Sensor             Advanced      Reserved
Read Sensor             Advanced      Protect
Write Action            Advanced      Protect
Write Action            Advanced      Protect Anti-malware Definitions
Write Package           Advanced      Protect
Write Package           Advanced      Protect Anti-malware Definitions
Write Saved Question    Advanced      Protect

Table 4:   Optional role for Protect

Role: A micro admin role that grants the Read System Status permission
Enables: Access to select Individual Computers when you enforce a policy.

For more information, see Tanium Platform User Guide: Create a Micro Admin Role.