All Active Directory accounts synchronized with Tanium for non-privileged functions must be non-privileged domain accounts.
An XCCDF Rule
Description
<VulnDiscussion>Tanium has the ability to synchronize with Active Directory for Tanium account management. Tanium advises that all replicated accounts for non-privileged level functions should be non-privileged domain accounts. In doing so, should a vulnerability in the industry standard OpenSSL libraries used by Tanium ever come to light, no privileged account information could be gained by an attacker. This is simply good housekeeping and should be exercised with any such platform product.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-234099r612749_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Access Active Directory with appropriate credentials.
For each User, where a synced account is in the Tanium console as a privileged user, adjust the user to an appropriate security group in Active Directory.
Verify, after syncing with Tanium, the non-privileged user account is no longer in a privileged role within Tanium.