Tanium™ Protect User Guide
Total Page:16
File Type:pdf, Size:1020Kb
Tanium™ Protect User Guide Version 1.9.8 April 05, 2019 The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages. Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Please visit https://docs.tanium.com for the most current Tanium product documentation. Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners. © 2019 Tanium Inc. All rights reserved. © 2019 Tanium Inc. All Rights Reserved Page 2 Table of contents Overview 8 Policy 8 Rule 8 Computer group 8 Enforcement 8 Getting started 10 Requirements 11 Tanium dependencies 11 Tanium Module Server 11 Installation prerequisites 11 Required credentials 11 System requirements 11 Anti-malware policy 11 System Center Endpoint Protection (SCEP) 11 Windows Defender 12 AppLocker policy 12 EMET policy 12 Windows firewall management policy 12 Linux firewall management policy 12 SRP management rules 12 Remediation policy 12 Remediation - Windows 12 Remediation - Linux 12 © 2019 Tanium Inc. All Rights Reserved Page 3 Remediation - Mac 13 Host and network security requirements 13 Security exclusions 13 User role requirements 13 Installing Protect 17 Import solution 17 Protect home page 17 Set service account 17 Change Endpoint Status Report Settings 18 Set defaults for AppLocker 19 Add exceptions to default AppLocker rules 21 Upload Anti-malware 21 Microsoft System Center Endpoint Protection (SCEP) Installation 23 Managed Anti-Malware Definitions Download URLs 23 Manage Windows device classes and devices 24 Device Classes 24 Devices 25 Deploy Protect tools 25 What to do next 26 Creating policies 27 Create an Anti-malware policy 28 Create an AppLocker policy 30 Create a new AppLocker policy 32 Import an AppLocker rule 34 Create a Windows device control policy 35 © 2019 Tanium Inc. All Rights Reserved Page 4 Create a Windows device control policy to administer removable storage 40 Create a Windows device control policy to administer all devices 40 Create an EMET policy 43 Create a Windows firewall management policy 46 Create a new Windows firewall rule 46 Import firewall rules from a Windows TSV file 47 Import firewall rules from Tanium Endpoints 49 Create a Linux firewall management policy 50 Create a new Linux firewall rule 50 Import Linux firewall rules from Tanium endpoints 52 Create an SRP Management policy 53 Create an SRP process rule using a path 53 Create an SRP process rule using a hash 53 Search for firewall and SRP management rules 54 Create a remediation policy 54 Import policies 55 Export policies 55 Working with policies 56 Enforce policies 56 Remove a policy enforcement 57 View policies 57 Prioritize policies 57 View policy details 58 Selecting Protect computer groups 60 Running reports 64 © 2019 Tanium Inc. All Rights Reserved Page 5 Using best practices with policies and rules 68 Anti-malware policies 68 AppLocker policies 68 Example workflow using default Whitelist Rule Template 68 EMET rules 69 EMET reporting settings 70 Default action settings for EMET 70 Firewall rules 71 SRP management rules 71 Policy limitations 71 Uninstalling Protect and removing Protect policies 72 How to uninstall Protect 72 How to disable and remove Protect policies 72 Find all endpoints online 73 Deploy removal packages 73 Troubleshooting 74 Collect logs 74 View usage statistics 74 Enable Microsoft System Center Endpoint Protection (SCEP) Installation 74 Reference: Anti-malware settings 77 Client Interface 77 Exclusions 77 MAPS 78 Network Inspection System 78 Quarantine 79 © 2019 Tanium Inc. All Rights Reserved Page 6 Real-time Protection 79 Remediation 81 Reporting 82 Scan 83 Signature Updates 87 System Center Endpoint Protect 89 Threats 89 Windows Defender 89 Reference: Enforcement errors 91 © 2019 Tanium Inc. All Rights Reserved Page 7 Overview Protect delivers proactive protection to block malicious attacks on endpoints using native operating system and third-party controls at the speed and scale of Tanium across your environment. Policy Configuration for a specific application containing settings for particular policy type. Protect supports Anti-malware, AppLocker, Enhanced Mitigation Experience Toolkit (EMET), Firewall, and Software Restriction policies. Policies are targeted at computer groups. Rule Specific security controls contained within a policy. Computer group Defined in the Administration section of Tanium™ Console. You can target enforcement of policies to one or more computer groups for which you have management rights. Enforcement An enforcement occurs when a policy is successfully applied to a computer group. Following are definitions of the three possible enforcement states: Enforced A policy has been successfully enforced. All rules and configurations of the policy are in effect on the targeted endpoint. Partially enforced A higher priority policy of the same type is overriding this policy. See the enforcement state reason for more information. Unenforced © 2019 Tanium Inc. All Rights Reserved Page 8 The policy is not in effect on the targeted endpoint. See the enforcement state reason for more information. This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium. Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights. © 2019 Tanium Inc. All Rights Reserved Page 9 Getting started 1. Install Tanium Protect. For more information, see Installing Protect on page 17. 2. Create policies and rules. For more information, see Creating policies on page 27. 3. Enforce policies and prioritize them. For more information, see Working with policies on page 56. 4. Target computer groups. For more information, see Selecting Protect computer groups on page 60. 5. Run reports. For more information, see Running reports on page 64. © 2019 Tanium Inc. All Rights Reserved Page 10 Requirements Tanium dependencies Review the requirements before you install and use Protect. Component Requirement Platform Version 7.0 or later Tanium Client 6.0.314.1293 or later License For information about licensing Protect, contact your Technical Account Manager (TAM). Tanium Module Server Protect is installed and runs as a service on the Tanium™ Module Server host computer. The impact on the Module Server is minimal and depends on usage. For more information, contact your TAM. Installation prerequisites The Tanium Module server must be running when you install Protect. Required credentials Before installing Protect, you need to have a service account with Tanium Administrator credentials. To initialize Protect, you must have a valid Tanium account with Action Author permissions. Protect uses this account to perform internal maintenance tasks. System requirements Following are the requirements for each policy and rule type in Protect: Anti-malware policy SYSTEM CENTER ENDPOINT PROTECTION (SCEP) l Windows 7 l Windows Server 2008 R2 or 2012 © 2019 Tanium Inc. All Rights Reserved Page 11 WINDOWS DEFENDER l Windows 8 or 10 l Windows Server 2016 AppLocker policy l Windows 7 Enterprise, Ultimate, or Embedded l Windows 8 Enterprise, 8.1 Enterprise, or 10 Enterprise l Windows Server 2008 R2 or later EMET policy l Windows Vista or later l Windows Server 2008 or later Windows firewall management policy l Windows Vista or later l Windows Server 2008 or later Linux firewall management policy l CentOS 6 and 7 l Red Hat Enterprise Linux (RHEL) 6 and 7 l Ubuntu 16 SRP management rules l Windows Vista or later l Windows Server 2008 or later Remediation policy REMEDIATION - WINDOWS l Windows 7 or later REMEDIATION - LINUX l CentOS 6 and 7 l RHEL 6 and 7 l Ubuntu 16 © 2019 Tanium Inc. All Rights Reserved Page 12 REMEDIATION - MAC l Mac OS X 10.8 Mountain Lion Host