Applying compensating controls

Compensating controls are security best practices or configurations for hardware, operating systems, and storage that you can apply to endpoints to reduce the risk score for those endpoints.

The Risk Overview page includes a Compensating Controls Impacting Risk chart that summarizes the controls in your environment and shows the number of endpoints on which that control is implemented.

(Screen capture: Compensating Controls Impacting Risk chart)

Some compensating controls do not apply to all supported endpoint operating systems, which is why the total for a particular compensating control, such as UAC Enabled, might not equal the total number of endpoints reporting to Risk.

The Compensating Controls page includes a chart that shows which endpoints are missing a specific control.

(Screen capture: Compensating Controls page)

Hardware configuration

Windows: TPM Status

Trusted Platform Module (TPM) technology is an international standard that provides hardware-based, security-related functions via a secure cryptoprocessor. TPM technology is used to maintain platform integrity and security, protect cryptographic keys, and secure communications. TPM capabilities require hardware components and operating system and software initialization. For more information about TPM, see Microsoft: Trusted Platform Module Technology Overview.

To reduce your risk score, ensure that Windows endpoints use a TPM chip. Enforce provides this information to Risk. To examine the TPM status for endpoints, ask this question in Interact: Get Computer Name and Enforce - TPM Status from all machines. Consult the documentation for the hardware on the endpoint for details on enabling use of the TPM chip.

Implementing this control reduces the risk score for an endpoint by 1%.

Operating system configuration

Windows and Linux: Host Firewall Enabled

Host-based firewalls help to block unsolicited and unwanted incoming network traffic. Blocking unwanted traffic by default is critical for protecting enterprise endpoints from malicious traffic and network-aware malicious code.

To reduce your risk score, ensure that endpoints use a firewall. Enforce provides this information to Risk. To examine the firewall status for endpoints, ask this question in Interact: Get Computer Name and Enforce - Host Firewall Enabled from all machines. You can use Enforce to administer firewalls on Windows and Linux endpoints. For more information, see Enforce User Guide: Create a Windows firewall management policy and Enforce User Guide: Create a Linux firewall management policy.

Implementing this control reduces the risk score for an endpoint by 6%.
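
The check below is an added example, not Tanium or Microsoft code. It audits the three Windows Defender Firewall profiles the way the Host Firewall Enabled control is described above: a profile only counts if it is on and unsolicited inbound traffic is dropped by default. It uses the in-box NetSecurity cmdlets; the -Remediate switch assumes an elevated shell and that Group Policy does not already own the profile settings.

```powershell
# Added example (not Tanium or Microsoft code). Audits each firewall profile for the two
# properties that make it protective, and optionally sets them. Needs the NetSecurity module
# (Windows 8 / Server 2012 and later); -Remediate needs an elevated shell.
function Test-HostFirewall {
    [CmdletBinding()]
    param([switch]$Remediate)

    if ($Remediate) {
        # Turn every profile on and make Block the default for unsolicited inbound traffic.
        Set-NetFirewallProfile -Name Domain,Private,Public -Enabled True -DefaultInboundAction Block
    }

    foreach ($fp in Get-NetFirewallProfile) {
        # 'NotConfigured' means the built-in default (Block) applies, so only an explicit Allow is a finding.
        $enabled  = ($fp.Enabled -eq 'True')
        $blocking = ($fp.DefaultInboundAction -ne 'Allow')
        [pscustomobject]@{
            Profile        = $fp.Name
            Enabled        = $enabled
            DefaultInbound = $fp.DefaultInboundAction
            Compliant      = ($enabled -and $blocking)
        }
    }
}

Test-HostFirewall | Format-Table -AutoSize
```

A third-party firewall registered with Windows Security Center also satisfies the intent of this control, but on such endpoints Get-NetFirewallProfile reports Defender Firewall as disabled; confirm which product is active before treating that as a finding.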

Windows: PowerShell Execution Policy

An execution policy is part of the PowerShell security strategy. Execution policies determine whether you can load configuration files, such as your PowerShell profile, run scripts, and whether scripts must be digitally signed before they run.

To reduce your risk score, ensure that endpoints use a restrictive PowerShell execution policy (for example RemoteSigned or AllSigned) rather than Unrestricted or Bypass. Client Management provides this information to Risk. To examine the PowerShell execution policy status for endpoints, ask this question in Interact: Get Computer Name and Tanium PowerShell Execution Policy from all machines. Use the Set-ExecutionPolicy cmdlet, or the Turn on Script Execution Group Policy setting, to change the execution policy on Windows endpoints. Note that an execution policy is a safeguard against running scripts unintentionally, not a security boundary: it can be overridden for a single process (for example with powershell.exe -ExecutionPolicy Bypass), so pair it with application control where you need to stop deliberate misuse. For more information, see Microsoft: Set-ExecutionPolicy.

Implementing this control reduces the risk score for an endpoint by 1%.
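
The following is an added example, not Tanium or Microsoft code. It shows how the per-scope policies combine into the effective policy that the sensor above reports, flags permissive values, and sets a machine-wide RemoteSigned policy when Group Policy is not already managing the setting. The Compliant test treats AllSigned and RemoteSigned as acceptable; adjust that to your own baseline.

```powershell
# Added example (not Tanium or Microsoft code). Reports the execution policy at every scope,
# flags Unrestricted/Bypass, and optionally sets LocalMachine to RemoteSigned (elevated shell).
function Test-ExecutionPolicy {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Get-ExecutionPolicy -List returns scopes in precedence order: MachinePolicy, UserPolicy,
    # Process, CurrentUser, LocalMachine. The first scope that is not Undefined wins.
    $scopes = Get-ExecutionPolicy -List
    $gpo    = $scopes | Where-Object { $_.Scope -in 'MachinePolicy','UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined' }

    if ($Remediate -and -not $gpo) {
        # Set-ExecutionPolicy fails when Group Policy owns the setting; change the GPO in that case.
        Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force
        $scopes = Get-ExecutionPolicy -List
    }

    $effective = Get-ExecutionPolicy
    [pscustomobject]@{
        Effective    = $effective
        ManagedByGpo = [bool]$gpo
        # Process scope is transient (powershell.exe -ExecutionPolicy Bypass sets it), which is why the
        # policy guards against accidental execution but not against a deliberate attacker.
        WeakScopes   = (($scopes | Where-Object { $_.ExecutionPolicy -in 'Unrestricted','Bypass' } | ForEach-Object Scope) -join ',')
        Compliant    = ($effective -in 'AllSigned','RemoteSigned')
    }
}

Test-ExecutionPolicy
```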

Windows: AV Present/Enabled

Windows Security Center (WSC) detects whether third-party antivirus, anti-malware, or security suite software is installed. When a third-party product registers with WSC, Microsoft Defender Antivirus switches to passive or disabled mode so that only one real-time engine is active. WSC then monitors and reports the status and health of the registered product. If WSC cannot identify an active security application, check that the product is properly installed and registered with WSC.

To reduce your risk score, ensure that Windows endpoints use WSC-registered security software. Tanium Core Content sensors provide this information to Risk. To examine the antivirus software status for endpoints, ask this question in Interact: Get Computer Name and Windows Security Center Registered Antivirus Software from all machines with Is Windows equals true and look at the Protection column. You can use Enforce to administer Windows-based anti-malware applications (SCEP or Windows Defender) on Windows endpoints. For more information, see Enforce User Guide: Create an Anti-malware policy.

Implementing this control reduces the risk score for an endpoint by 2%.

Windows: AV Recently Updated

Windows Security Center (WSC) automatically receives regular updates to security definitions and monitors registered third-party anti-malware applications to ensure that they remain up to date. If WSC reports that the installed anti-malware software is not up to date, verify that automatic updates are enabled and that the anti-malware suite is properly registered with WSC.

To reduce your risk score, ensure that the WSC-registered security software on Windows endpoints is up to date. Tanium Core Content sensors provide this information to Risk. To examine the antivirus software definitions status for endpoints, ask this question in Interact: Get Computer Name and Windows Security Center Registered Antivirus Software from all machines with Is Windows equals true and look at the Definitions column. You can use Enforce to administer Windows-based anti-malware applications (SCEP or Windows Defender) on Windows endpoints. For more information, see Enforce User Guide: Create an Anti-malware policy. The Deploy definition update using Tanium option in the anti-malware policy controls whether the Tanium Client distributes definition updates.

Implementing this control reduces the risk score for an endpoint by 2%.
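
The block below is an added example, not Tanium or Microsoft code, and serves both the AV Present/Enabled and AV Recently Updated controls. It reads the same Security Center data those sensors expose and decodes productState. The bit layout used here (0x1000 set = real-time protection on, 0x10 set = definitions out of date) is the widely used convention; Microsoft does not formally document the field, so treat the decoding as an assumption and confirm against the product console if a result looks wrong.

```powershell
# Added example (not Tanium or Microsoft code). Lists products registered with Windows Security
# Center and decodes the packed productState value. root\SecurityCenter2 exists on client SKUs only;
# on Windows Server this returns nothing and the product's own reporting has to be used instead.
function Get-WscAntivirusState {
    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $state = [int]$p.productState
        [pscustomobject]@{
            Product   = $p.displayName
            StateHex  = ('0x{0:X6}' -f $state)
            Enabled   = (($state -band 0x1000) -ne 0)   # assumption: conventional decoding, see lead-in
            UpToDate  = (($state -band 0x10) -eq 0)     # assumption: conventional decoding, see lead-in
            Signature = $p.timestamp
        }
    }
}

# The two controls are satisfied only if at least one registered product is enabled AND current.
# A product that is installed but disabled, or enabled with stale definitions, fails the check.
function Test-WscAntivirus {
    $av = @(Get-WscAntivirusState)
    [pscustomobject]@{
        Present  = ($av.Count -gt 0)
        Enabled  = [bool]($av | Where-Object Enabled)
        UpToDate = [bool]($av | Where-Object { $_.Enabled -and $_.UpToDate })
        Products = $av
    }
}

Test-WscAntivirus | Format-List
```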

Windows: DEP Enabled

Data Execution Prevention (DEP) is a system-level memory protection feature that is built into modern operating systems, and is also known as executable space protection.

To reduce your risk score, enable DEP on endpoints. Tanium Core Content sensors provide this information to Risk. To examine the DEP status for Windows endpoints, ask this question in Interact: Get Computer Name and Data Execution Prevention Enabled from all machines with Is Windows equals true. You can set the system-wide DEP policy with bcdedit (bcdedit /set nx AlwaysOn, which requires a reboot) and enforce per-process mitigation settings with Group Policy. For more information about enabling DEP on Windows endpoints, see Microsoft: Override Process Mitigation Options to help enforce app-related security policies.

Implementing this control reduces the risk score for an endpoint by 1%.

Windows (Windows 10 / Server 2016 or later): DeviceGuard

Windows Defender Device Guard hardens an endpoint against security threats and is primarily focused on preventing malicious code execution. Windows Defender Device Guard consists of three components: Configurable Code Integrity (CCI), VSM Protected Code Integrity, and Platform and UEFI Secure Boot. Microsoft now documents the first two separately as Windows Defender Application Control (WDAC) and Hypervisor-Protected Code Integrity (HVCI, shown as Memory integrity in Windows Security).

To reduce your risk score, enable Windows Defender Device Guard on Windows endpoints. Tanium Default Content sensors provide this information to Risk. To examine the Windows Defender Device Guard status for Windows endpoints, ask this question in Interact: Get Computer Name and DeviceGuard Status from all machines with Is Windows equals true. You can enable Windows Defender Device Guard by using Group Policy on Windows endpoints.

Implementing this control reduces the risk score for an endpoint by 1%.

Windows (Windows 10 / Server 2016 or later): CredGuard

Windows Defender Credential Guard hardens key system and user secrets against compromise and minimizes credential theft via malicious code execution.

To reduce your risk score, enable Credential Guard on Windows endpoints. Tanium Default Content sensors provide this information to Risk. To examine the Credential Guard status for Windows endpoints, ask this question in Interact: Get Computer Name and CredGuard Status from all machines with Is Windows equals true. You can enable Windows Defender Credential Guard by using Group Policy, the registry, or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool. Credential Guard requires virtualization-based security (VBS), so the endpoint needs UEFI with Secure Boot and CPU virtualization extensions enabled in firmware; a configured-but-not-running state usually points to one of those prerequisites. For more information, see Microsoft: Manage Windows Defender Credential Guard.

Implementing this control reduces the risk score for an endpoint by 1%.
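
The following is an added example, not Tanium or Microsoft code, covering the DeviceGuard, CredGuard and DEP controls above. It reads the Win32_DeviceGuard CIM class that reports virtualization-based security state, plus the DEP policy from Win32_OperatingSystem, and turns the numeric codes into the yes/no answers the controls ask for. The interpretation of the codes follows Microsoft's documentation for those classes.

```powershell
# Added example (not Tanium or Microsoft code). Decodes VBS / Credential Guard / HVCI state from
# Win32_DeviceGuard and the system DEP policy from Win32_OperatingSystem.
function Get-VbsProtectionState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # Configured but not Running usually means a pending reboot or an unmet prerequisite
    # (no UEFI/Secure Boot, no IOMMU, virtualization disabled in firmware).
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        VbsStatus                 = $(switch ([int]$dg.VirtualizationBasedSecurityStatus) { 0 {'Disabled'} 1 {'EnabledNotRunning'} 2 {'Running'} default {'Unknown'} })
        CredentialGuardConfigured = ($configured -contains 1)
        CredentialGuardRunning    = ($running    -contains 1)
        HvciConfigured            = ($configured -contains 2)
        HvciRunning               = ($running    -contains 2)
        # Platform properties offered vs. demanded by policy (for example 3 = DMA protection). A demanded
        # property that is not available is the usual reason VBS stays EnabledNotRunning.
        AvailableProperties       = (@($dg.AvailableSecurityProperties) -join ',')
        RequiredProperties        = (@($dg.RequiredSecurityProperties) -join ',')
    }
}

function Get-DepState {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (client default), 3 OptOut.
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    [pscustomobject]@{
        HardwareNx = $os.DataExecutionPrevention_Available   # CPU supports NX/XD
        Policy     = $policy
        Enabled    = ($policy -ne 'AlwaysOff')               # what the DEP Enabled control checks
        Strict     = ($policy -eq 'AlwaysOn')                # set with: bcdedit /set nx AlwaysOn (reboot)
    }
}

Get-VbsProtectionState | Format-List
Get-DepState | Format-List
```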

Windows: UAC Enabled

User Account Control (UAC) is an access control enforcement feature on Windows operating systems. When enabled and configured appropriately, UAC helps to prevent malicious system-wide changes and mitigate the impact of malicious code. UAC is typically enabled and configured via Group Policy.

To reduce your risk score, enable UAC on Windows endpoints. Tanium Incident Response sensors provide this information to Risk. To examine the UAC settings and status for Windows endpoints, ask this question in Interact: Get Computer Name and Windows Credential Security Settings from all machines with Is Windows equals true. You can enable UAC by using Group Policy. For more information, see Microsoft: User Account Control and WMI.

Implementing this control reduces the risk score for an endpoint by 2%.

Windows: Run LSASS as PPL

The Local Security Authority Subsystem Service (LSASS) is the process on Windows endpoints that validates users for local and remote sign-ins, enforces local security policies, and holds credential material in memory. Running LSASS as a protected process light (RunAsPPL) is a security hardening configuration that stops unsigned user-mode code, even code running as an administrator, from opening the process for injection or memory reads, which is how most credential-dumping tools work. It does not protect against code already running in the kernel, and it blocks unsigned LSA plug-ins such as third-party authentication packages or password filters, so test it on a pilot group first.

To reduce your risk score, use the RunAsPPL configuration on Windows endpoints. Tanium Incident Response sensors provide this information to Risk. To examine the RunAsPPL settings and status for Windows endpoints, ask this question in Interact: Get Computer Name and Windows Credential Security Settings from all machines with Is Windows equals true. In the Setting Name column, find Run LSASS as protected process light (PPL) and confirm that it is set to Enabled in the Setting Value column. You can modify the LSA protection setting by editing the registry (the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) or by using Group Policy; a reboot is required for the change to take effect. For more information, see Microsoft: Configuring Additional LSA Protection.

Implementing this control reduces the risk score for an endpoint by 1%.

Windows: RDP Restricted Admin

Remote Desktop Protocol (RDP) Restricted Administrative (RestrictedAdmin) Mode is a hardening configuration that prevents the transmission of reusable credentials to the remote system during an RDP connection: the client authenticates with network logon semantics, so no password or derived secret is cached on the remote endpoint. This configuration helps to prevent credential harvesting from compromised endpoints and helps prevent attacker privilege elevation and lateral movement. Be aware of the trade-off: because the client never sends a password, an attacker who already holds an account's NTLM hash can use Restricted Admin mode to open an RDP session with that hash, so this setting should be paired with the credential hygiene controls in this section rather than deployed alone.

To reduce your risk score, enable the RestrictedAdmin Mode on Windows endpoints. Tanium Incident Response sensors provide this information to Risk. To examine the RDP settings and status for Windows endpoints, ask this question in Interact: Get Computer Name and Windows Credential Security Settings from all machines with Is Windows equals true. In the Setting Name column, find RDP Restricted Administration Mode and confirm that it is set to Enabled in the Setting Value column. You can modify Remote Desktop Services settings by editing the registry or using Group Policy. For more information, see Microsoft TechNet: Remote Desktop Services: Enable Restricted Admin mode.

Implementing this control reduces the risk score for an endpoint by 1%.

Windows: Remote UAC Local Account Token Filter

Windows User Account Control (UAC) applies a remote hardening restriction controlled by the LocalAccountTokenFilterPolicy registry value. With UAC enabled and this restriction in effect, the privileged token of local administrator accounts is filtered for network logons, so their elevated privileges cannot be used over the network (for example for remote administrative shares, WMI, or remote service control). This helps prevent credential theft and lateral movement by attackers who have obtained a local administrator password or hash. Note the polarity: the filter is on when the value is absent or 0, and setting it to 1 disables the protection. The built-in Administrator account (RID 500) is exempt from the filter unless it is disabled or renamed and separately restricted.

To reduce your risk score, enable the LocalAccountTokenFilterPolicy restriction for UAC. Tanium Incident Response sensors provide this information to Risk. To examine the UAC settings and status for Windows endpoints, ask this question in Interact: Get Computer Name and Windows Credential Security Settings from all machines with Is Windows equals true. In the Setting Name column, find Remote UAC Local Account Token Filter and confirm that it is set to Enabled in the Setting Value column. You can modify this setting by editing the registry or Group Policy. For more information, see Microsoft: Description of User Account Control and remote restrictions.

You might need to click See all to see this setting in the results grid in Interact.

Implementing this control reduces the risk score for an endpoint by 1%.
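
The block below is an added example, not Tanium or Microsoft code. It covers the UAC Enabled, Run LSASS as PPL, RDP Restricted Admin and Remote UAC Local Account Token Filter controls from a single place, because all four are registry values under the LSA and Policies\System keys and the main pitfall is their differing polarity (for two of them, an absent value means the protected state; for the other two it does not). The registry paths and value names are the ones Microsoft documents; -Enforce assumes an elevated shell.

```powershell
# Added example (not Tanium or Microsoft code). Reads and optionally sets the four credential-hardening
# registry values, decoding each one's polarity the way the Risk controls describe them.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent so the caller can apply each setting's own default.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-CredentialHardeningState {
    $lua  = Get-RegDword $PolicyKey 'EnableLUA'                     # 1 = UAC on (absent means default, which is on)
    $filt = Get-RegDword $PolicyKey 'LocalAccountTokenFilterPolicy' # absent or 0 = filter ON; 1 turns it OFF
    $ppl  = Get-RegDword $LsaKey    'RunAsPPL'                      # 1 = protected (UEFI lock), 2 = protected without UEFI lock
    $dra  = Get-RegDword $LsaKey    'DisableRestrictedAdmin'        # 0 = Restricted Admin allowed; absent or 1 = not allowed
    [pscustomobject]@{
        UacEnabled           = (($null -eq $lua) -or ($lua -eq 1))
        RemoteUacTokenFilter = (($null -eq $filt) -or ($filt -eq 0))
        LsassRunAsPpl        = ($ppl -in 1,2)
        RdpRestrictedAdmin   = ($dra -eq 0)
    }
}

function Set-CredentialHardening {
    # Elevated shell required. RunAsPPL takes effect after a reboot and blocks unsigned LSA plug-ins
    # (authentication packages, password filters), so stage it on a pilot group before fleet-wide rollout.
    Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1 -Type DWord
    Remove-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue  # absent = filtered
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    Set-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -Value 0 -Type DWord
}

Get-CredentialHardeningState
```

Values that Group Policy manages are rewritten at the next policy refresh, so on domain-joined endpoints put the same settings in the GPO rather than relying on the registry edit.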

Storage configuration

Windows and macOS: Storage Encryption Status

Volume level disk encryption helps protect data at rest. Encrypting enterprise data is a necessary control to help prevent data theft, legal liability, reputation damage, and financial loss. Modern operating systems typically include methods to implement volume level encryption, and third-party software can also provide this capability.

To reduce your risk score, encrypt local storage on endpoints. Tanium Core Content sensors provide this information to Risk. To examine the storage encryption status for endpoints, ask this question in Interact: Get Computer Name and Storage Encryption Status from all machines. You can use Enforce to administer storage encryption using BitLocker and FileVault. For more information, see Enforce User Guide: Create a BitLocker policy and Enforce User Guide: Create a FileVault policy.

Implementing this control reduces the risk score for an endpoint by 4%.
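
The following is an added example, not Tanium or Microsoft code, and covers both the TPM Status control in the Hardware configuration section and the Storage Encryption Status control above, because a BitLocker operating-system volume is only as strong as the protector that unlocks it. It uses the in-box TrustedPlatformModule and BitLocker modules, both of which require an elevated shell, and it flags the case that inventory tools most often miss: a volume that is fully encrypted but has protection suspended.

```powershell
# Added example (not Tanium or Microsoft code). Reports TPM readiness and, per BitLocker volume,
# whether protection is actually on, whether the key is bound to the TPM, and whether a recovery
# password exists. Requires an elevated shell (Get-Tpm and Get-BitLockerVolume both need it).
function Get-DiskEncryptionState {
    $tpm = Get-Tpm

    $volumes = foreach ($v in Get-BitLockerVolume) {
        $types = @(foreach ($kp in $v.KeyProtector) { [string]$kp.KeyProtectorType })
        [pscustomobject]@{
            Mount       = $v.MountPoint
            Type        = $v.VolumeType
            Status      = $v.VolumeStatus
            Protection  = $v.ProtectionStatus
            Protectors  = ($types -join ',')
            # FullyEncrypted with ProtectionStatus Off is a suspended volume: the key is stored in the clear,
            # so the disk is readable offline even though it still shows as "encrypted" in inventory.
            Suspended   = ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'Off')
            TpmBound    = [bool]($types -like 'Tpm*')
            HasRecovery = ($types -contains 'RecoveryPassword')   # without one, a TPM reset locks out the owner too
        }
    }
    $os = $volumes | Where-Object Type -eq 'OperatingSystem'

    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady          # present but not ready: initialise it in firmware / Windows first
        OsVolumeProtected = ($os.Protection -eq 'On')
        OsVolumeTpmBound  = [bool]$os.TpmBound
        Volumes           = $volumes
    }
}

$state = Get-DiskEncryptionState
$state | Select-Object TpmPresent, TpmReady, OsVolumeProtected, OsVolumeTpmBound | Format-List
$state.Volumes | Format-Table -AutoSize
```

Resume-BitLocker -MountPoint C: clears a suspended state; if the operating-system volume is protected but not TPM-bound, add a protector with Add-BitLockerKeyProtector -MountPoint C: -TpmProtector and keep the recovery password escrowed before you do.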

Windows: USB Protected

Malware can detect when a removable USB device connects to an endpoint and copy itself onto the device, using it to infect the next endpoint it is plugged into and to establish persistence. When USB storage is write-protected, files can be read from the device but nothing can be saved or copied onto it, which prevents a compromised endpoint from turning the device into a carrier for malicious code.

To reduce your risk score, ensure that USB devices that connect to endpoints are write-protected. Tanium Core Content sensors provide this information to Risk. To examine the USB write protection status for endpoints, ask this question in Interact: Get USB Write Protected from all machines. You can use Enforce to configure USB write protection on Windows endpoints. For more information, see Enforce User Guide: Create a Windows device control policy.

Implementing this control reduces the risk score for an endpoint by 1%.