
Tanium™ Enforce User Guide
Version 1.7.60
April 27, 2021

The information in this document is subject to change without notice. Further, the information provided in this document is provided “as is” and is believed to be accurate, but is presented without any warranty of any kind, express or implied, except as provided in Tanium’s customer sales terms and conditions. Unless so otherwise provided, Tanium assumes no liability whatsoever, and in no event shall Tanium or its suppliers be liable for any indirect, special, consequential, or incidental damages, including without limitation, lost profits or loss or damage to data arising out of the use or inability to use this document, even if Tanium Inc. has been advised of the possibility of such damages.

Any IP addresses used in this document are not intended to be actual addresses. Any examples, command display output, network topology diagrams, and other figures included in this document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Please visit https://docs.tanium.com for the most current Tanium product documentation.

This documentation may provide access to or information about content, products (including hardware and software), and services provided by third parties (“Third Party Items”). With respect to such Third Party Items, Tanium Inc. and its affiliates (i) are not responsible for such items, and expressly disclaim all warranties and liability of any kind related to such Third Party Items and (ii) will not be responsible for any loss, costs, or damages incurred due to your access to or use of such Third Party Items unless expressly set forth otherwise in an applicable agreement between you and Tanium.

Further, this documentation does not require or contemplate the use of or combination with Tanium products with any particular Third Party Items and neither Tanium nor its affiliates shall have any responsibility for any infringement of intellectual property rights caused by any such combination. You, and not Tanium, are responsible for determining that any combination of Third Party Items with Tanium products is appropriate and will not cause infringement of any third party intellectual property rights.

Tanium is committed to the highest accessibility standards to make interaction with Tanium software more intuitive and to accelerate the time to success. To ensure high accessibility standards, Tanium complies with the U.S. Federal regulations - specifically Section 508 of the Rehabilitation Act of 1998. We have conducted third-party accessibility assessments over the course of product development for many years, and most recently a comprehensive audit against the WCAG 2.1 / VPAT 2.3 standards for all major product modules was completed in September 2019. Tanium can make available any VPAT reports on a module-by-module basis as part of a larger solution planning process for any customer or prospect.

As new products and features are continuously delivered, Tanium will conduct testing to identify potential gaps in compliance with accessibility guidelines. Tanium is committed to making best efforts to address any gaps quickly, as is feasible, given the severity of the issue and scope of the changes. These objectives are factored into the ongoing delivery schedule of features and releases with our existing resources.

Tanium welcomes customer input on making solutions accessible based on your Tanium modules and assistive technology requirements. Accessibility requirements are important to the Tanium customer community and we are committed to prioritizing these compliance efforts as part of our overall product roadmap.
Tanium maintains transparency on our progress and milestones and welcomes any further questions or discussion around this work. Contact your sales representative, email Tanium Support at [email protected], or email [email protected] to make further inquiries.

Tanium is a trademark of Tanium, Inc. in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners.

© 2021 Tanium Inc. All rights reserved.

Table of contents

Overview
Policy
Policy setting
Enforcement
Integration with other Tanium products
Threat Response
Trends
Succeeding with Enforce
Step 1: Gain organizational effectiveness
Step 2: Install modules and set up Enforce
Step 3: Step 2: Plan Policies
Step 4: Step 3: Create policies: General
Step 5: Step 4: Create policies: Anti-malware
Step 6: Step 5: Create policies: Device control
Step 7: Step 6: Create policies: Disk encryption
Step 8: Step 7: Create policies: Host firewall
Step 9: Step 8: Create policies: Machine administrative templates
Step 10: Step 9: Check Enforce health
Step 11: Step 10: Monitor Enforce metrics
Gaining organizational effectiveness
Change management
RACI chart
Organizational alignment
Measuring success
Enforce maturity
Benchmark metrics
Maturity workflow
Requirements
Tanium dependencies
Tanium™ Module Server
Endpoints
Anti-malware policy
System Center Endpoint Protection (SCEP)
Windows Defender
AppLocker
BitLocker policy
Device Control - Windows policy
FileVault policy
Firewall Management - Windows
Firewall Management - Linux
Machine Administrative Templates
Remediation - Windows
Remediation - Linux
Remediation - Mac
SRP Management
Host and network security requirements
Security exclusions
Internet URLs
Required ports
User role requirements
Installing
Before you begin
Import and configure Enforce with default settings
Import and configure Enforce with custom settings
Configure service account
Manage dependencies for Tanium solutions
Upgrade Enforce
Verify Enforce version
Configuring
Configure Enforce action group
Getting started
Upload Anti-malware
Microsoft System Center Endpoint Protection (SCEP) Installation
Action Lock Override
Managed Anti-Malware definitions download URLs
Set defaults for AppLocker
Create Default AppLocker rules
Configure Endpoint Encryption settings
Install Shared Services
Specify the Encryption Key
Endpoint encryption recovery database
Self hosted recovery key Database Requirements
Configure the self hosted encryption database
Connect to postgresql
Connect to Microsoft SQL server
Manage Windows device classes and devices
Next steps
Create Policies
Enforcements
Creating policies
Create an Anti-malware policy
Default Windows Defender policy
Configure a new anti-malware policy
Create an AppLocker policy
Import an AppLocker rule
Create a BitLocker policy
View BitLocker Recovery Keys
Create a Windows device control policy
Create a Windows device control policy to administer removable devices
Create a Windows device control policy to administer all devices
Create a FileVault policy
Create the policy
Create a Windows firewall management policy
Create a new Windows firewall rule
Import firewall rules from a Windows TSV file
Import firewall rules from Tanium Endpoints
Create a Linux firewall management policy
Create a new Linux firewall rule
Import Linux firewall rules from Tanium endpoints
Create a Machine administrative template policy
Create a remediation policy
Remediation policy file pattern matching examples
Create a purge remediation policy
Create an SRP management policy
Create an SRP process rule using a path
Create an SRP process rule using a hash
Import policies
Export policies
Prioritize policies
Enforcing policies
Create enforcements
Create enforcements from policy details
Enforce policies from enforcements
View enforcements
Filter results
Remove an enforcement
Using best practices with policies
Anti-malware policies
AppLocker policies workflow
Example workflow using default Allow List Rule Template
Firewall rules
SRP management rules
Policy limitations
Role-based access control and configuration visibility
Scanning for anti-malware on-demand
Configure scans
View scan details
Filtering
View scan results
Merge
Drill Down
Copy Results
Live Updates
Export Results
Check Health
Troubleshooting
Collect logs
Enforce sensors
Monitor and troubleshoot Enforce coverage status (% of total)
Monitor and troubleshoot policy enforcement status (% of total)
Monitor and troubleshoot host firewall status on endpoints
Monitor and troubleshoot disk encryption status on endpoints
Monitor and troubleshoot antivirus status on endpoints
Remove Enforce tools from endpoints
Uninstall Enforce
Disable and remove Enforce policies
Resolve Active Directory policy conflicts
Contact Tanium support
Reference: Windows encryption management
Endpoint requirements
Configuration requirements
Choose where to host the database
Create a self hosted database to store the recovery keys
recovery key Database Requirements
Install the End-User Notifications service and initialize endpoints
Install