In any security environment, the first thing that I am asked for is a way to protect the Tanium client from end-user tampering. This is a very common request when it comes to security related software. An innovative TAM at Tanium has built a solution pack which is documented on the community site called “Client Service Hardening”. This solution pack contains a collection of sensors, packages and saved questions related to locking down the Tanium Client service and the file system on Windows endpoints. I would like to explore that solution below.
Acquiring and Importing the Solution
Just like any of the solution packs available from Tanium, to receive a copy of the solution xml, you need to contact your Technical Account Manager and they’d be glad to share it with you.
Once you have the ClientServiceHardening.xml, import it by browsing to your Console->Authoring->Import Content.
Overwrite any database duplicates, although you should not see any unless you’ve imported an older version of this solution pack like I have.
Using the Solution
The first thing you’ll notice after importing is a new Dashboard Group. This group wraps a few dashboards together that pertain to hardening the Tanium Client service on your endpoints. Particularly the following three areas:
- 1. Hiding the Tanium Client from the Add/Remove Programs Control Panel Applet.
- 2. ACLs for the Client Service itself
- Tanium Client directory permissions.
You should implement all three of these in order to fully lock down the Tanium Client Service. Let’s look at and implement each one sequentially.
Hide from Add-Remove Programs
The first thing we will impellent is to hide the Tanium Client from the Windows Add-Remove Control Panel Applet. This is extremely easy to do. Select the Hide From Add-Remove Programs dashboard…
After the questions have completed, right click the “No” answer within the Tanium Client Visible in Add-Remove Programs answer grid. Choose to “Deploy Action” and the Client Service Hardening – Hide Client from Add-Remove Programs should be the default package selected… then step through the action deployment. I’d recommend setting this package to reoccur at least once a day in order to catch systems that might not be online right now. In my infrastructure, I’ve configured the action to reoccur every 6 hours since I have laptops coming on and off throughout the day. I also know this is a Windows-Only action, thus my Action Group is “All Windows Computers”. Note that the action group was configured ahead of time and only has a single computer group configured with “Operating System contains Win”. This action group gives me assurances that this action will only run my windows systems and not my Linux or Mac systems. This action group could have easily been something else like only “Workstations”, “Laptops”, etc.
Now as this action runs within my environment, the Tanium Client will disappear from the Add-Remove Programs list.
Locking down the Tanium Client Service
The next thing to configure is the ACLs on the Tanium Client service. This will prevent users and/or administrators from stopping the Tanium Client service. Implementing this is also an easy thing to do… Open the Control Service State Permissions dashboard…
Please note that if an end-user has administrative privileges on an endpoint, it is entirely possible they also have advanced knowledge of ACLs and will be able to reset these permissions in order to stop the service.
All of your windows systems should report back “Service Control is set to default permissions” just like in my environment pictured above. Right click on that answer and “Deploy Action”…The default is Client Service Hardening – Allow Only Local Admins to Control Service, however you could lock the service to allow only the SYSTEM account by selecting the Client Service Hardening – Allow Only Local SYSTEM to Control Service package. I chose to lock it down to SYSTEM since many of my users are configured with local admin privileges and just like before, I will have this scheduled action set to run every 6 hours and only apply to my “All Windows Computers” action group.
Set Tanium Client Directory Permissions
Lastly we need to lock down the folder permissions of the Tanium Client. This is the file system level permissions which allow users to browse the “…\Tanium\Tanium Client\” client root directory.
Open the Set Client Directory Permissions dashboard and in the single answer grid, right click on the “Not Restricted” answer to “Deploy Action”.
The default action here is Client Service Hardening – Set SYSTEM only permissions on Tanium Client directory. By default, the Program Files directory is locked down to administrators, thus SYSTEM is the only available configuration package. Just like with the previous two actions, I will configure this to run every 6 hours and only on my windows systems.
The client hardening techniques covered in this article are very close if not exactly the same security measures that Antivirus and other Vendors take to secure their agents on enterprise endpoints.
This solution pack also includes packages for resetting the defaults for each of these security configuration settings… so if you want to un-harden the client, it is certainly possible.
Let me know if you have any questions about this article… If you have questions about the content, I encourage you to reach out to firstname.lastname@example.org and one of their extremely helpful Technical Account Managers would be able to assist.