Security Hardening Checklist
The following list provides recommendations for improving the security ("hardening") of your Tableau Server installation.
1. Update to the current version
We recommend that you always run the latest version of Tableau Server. Additionally, Tableau periodically publishes maintenance releases of Tableau Server that include fixes for known security vulnerabilities. (Information regarding known security vulnerabilities can be found on the Security Bulletins page.) We recommend that you review maintenance release notifications to determine whether you should install them.
2. Configure SSL/TLS with a valid, trusted certificate
Secure Sockets Layer (SSL/TLS) is essential for helping to protect the security of communications with Tableau Server. Configure Tableau Server with a valid, trusted certificate (not a self-signed certificate) so that Tableau Desktop, mobile devices, and web clients can connect to the server over a secured connection. For more information, see SSL.
3. Disable older versions of TLS
Tableau Server uses TLS to authenticate and encrypt many connections between components and with external clients. External clients, such as browsers, Tableau Desktop, and Tableau Mobile, connect to Tableau Server using TLS over HTTPS. Transport Layer Security (TLS) is an improved version of SSL. Older versions of SSL (SSL v2 and SSL v3) are no longer considered to be adequately secure communication standards. As a result, Tableau Server does not allow external clients to use SSL v2 or SSL v3 protocols to connect. We recommend that you only allow external clients to connect to Tableau Server with TLS v1.2.
Specifically, we recommend that you disable TLS v1 and TLS v1.1 on Tableau Server. However, before you disable a specific version of TLS, verify that the browsers your users connect to Tableau Server with support TLS v1.2. In some cases, you may need to preserve support for TLS v1.1.
The following tabadmin command enables TLS v1.2 (using the "all" parameter) and disables SSL v2, SSL v3, TLS v1, and TLS v1.1 (by prepending the minus [-] character to a given protocol).
tabadmin set ssl.protocols "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
4. Disable Triple-DES cipher suite
The Triple-DES cipher suite is no longer considered adequate to encrypt sessions on the internet. Specifically, running Triple-DES ciphers leaves the Tableau Server vulnerable to information disclosure and denial of service attacks. You can learn more at the National Vulnerability Database webpage for CVE-2016-2183.
Triple-DES is enabled by default in the version of OpenSSL that runs on Tableau Server. However, other deprecated cipher suites (MD5 and RC4) are disabled. To add Triple-DES to the list of disabled ciphers, run the following command. (The !aNULL parameter excludes cipher suites that provide no authentication, which forces clients to use a legitimate cipher.)
tabadmin set ssl.ciphersuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES
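Before running the two tabadmin commands in steps 3 and 4, it helps to confirm what the values you are about to set actually leave enabled. The following Python script is an added example, not part of the Tableau documentation or product. It assumes that the ssl.protocols value is handed to the Apache httpd SSLProtocol directive used by the Tableau gateway (bare name replaces the set, "+name" adds, "-name" removes, "all" is a shortcut for SSLv3 and the TLS 1.x versions, and SSLv2 is never part of "all", so "-SSLv2" is a harmless no-op), and it asks the local OpenSSL build, via Python's ssl module, which cipher suites the ssl.ciphersuite string selects. It also handles the case mentioned above where TLS v1.1 has to be kept for older browsers.

```python
import ssl

# Protocol names understood by Apache httpd's SSLProtocol directive (assumption:
# Tableau's ssl.protocols value is passed through to it). "all" expands to SSLv3
# plus the TLS 1.x versions of this era; SSLv2 is never included in "all".
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN_PROTOCOLS = ("SSLv2",) + ALL_PROTOCOLS


def effective_protocols(spec):
    """Return the set of protocols a given ssl.protocols value leaves enabled."""
    enabled = set()
    for token in spec.split():
        action, name = "", token
        if token[0] in "+-":
            action, name = token[0], token[1:]
        if name.lower() == "all":
            selected = set(ALL_PROTOCOLS)
        else:
            matches = [p for p in KNOWN_PROTOCOLS if p.lower() == name.lower()]
            if not matches:
                raise ValueError("unknown protocol token: %r" % token)
            selected = {matches[0]}
        if action == "-":
            enabled -= selected      # "-TLSv1" removes a protocol
        elif action == "+":
            enabled |= selected      # "+TLSv1.2" adds one
        else:
            enabled = selected       # a bare name replaces the whole set
    return enabled


# Substrings that identify the deprecated suites named in the text.
WEAK_MARKERS = ("DES", "RC4", "MD5")


def negotiable_ciphers(cipher_spec):
    """Ask the local OpenSSL which suites an OpenSSL cipher string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_spec)     # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(cipher_spec):
    """Suites still selected by cipher_spec that use 3DES, RC4 or MD5."""
    return sorted(n for n in negotiable_ciphers(cipher_spec)
                  if any(m in n for m in WEAK_MARKERS))


def check_hardening(protocol_spec, cipher_spec):
    """Return a list of findings; an empty list means both values are clean."""
    findings = []
    for proto in sorted(effective_protocols(protocol_spec) - {"TLSv1.2"}):
        findings.append("legacy protocol still enabled: " + proto)
    for name in weak_ciphers(cipher_spec):
        findings.append("weak cipher suite still selectable: " + name)
    return findings


if __name__ == "__main__":
    # The exact values from steps 3 and 4 of the checklist.
    for finding in check_hardening("all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
                                   "HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES"):
        print(finding)
```

Run it on the workstation you administer from; the cipher check reflects that machine's OpenSSL build, so run it where the OpenSSL version matches the one shipped with Tableau Server if you want an exact list.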
5. Configure SSL encryption for internal traffic
Configure Tableau Server to use SSL to encrypt all traffic between the Postgres repository and other server components. By default, SSL is disabled for communications between server components and the repository. We recommend enabling internal SSL for all instances of Tableau Server, even single-server installations. Enabling internal SSL is especially important for multi-node deployments. See Configure Internal SSL.
6. Enable firewall protection
Tableau Server was designed to operate inside a protected internal network. Do not set up Tableau Server in the same network as your internet gateway or in a DMZ. Tableau Server must be protected by an external firewall. The platform firewall, such as the Windows firewall, should be enabled to protect Tableau Server in single-node and multi-node deployments.
In a distributed (multi-node) installation of Tableau Server, communication between nodes is not encrypted. Therefore, you should enable firewalls on the computers that host Tableau Server. By default, the Tableau installation process configures ports in the Windows firewall so that server components can communicate with each other. If you're configuring a different firewall, or if you need to configure the Windows firewall after you've installed Tableau Server, see Tableau Server Ports to understand which ports and services Tableau Server requires.
To prevent a passive attacker from observing communications between nodes, configure a segregated virtual LAN or other network layer security solution.
Important: Do not run Tableau Server, or any components of Tableau Server on the internet or in a DMZ. Tableau Server must be run within the corporate network protected by an internet firewall. We recommend configuring a reverse proxy solution for internet clients that need to connect to Tableau Server. See Configuring Proxies for Tableau Server.
7. Restrict access to the server computer and to important directories
Tableau Server configuration files and log files can contain information that is valuable to an attacker. Therefore, restrict physical access to the machine that is running Tableau Server. In addition, make sure that only authorized and trusted users have access to the Tableau Server files in the C:\ProgramData\Tableau directory. By default, the permissions on these directories are restrictive, so we do not recommend changing permissions at the directory level.
8. Update the Tableau Server Run As User account
By default, Tableau Server runs under the predefined Network Service (NT Authority\Network Service) Windows account. Using the default account is acceptable in scenarios where Tableau Server does not need to connect to external data sources that require Windows authentication. However, if your users require access to data sources that are authenticated by Active Directory, update the Run As User to a domain account. It's important to minimize the rights of the account that you use for the Run As User. For more information, see Run As User.
9. Generate fresh asset keys
Tableau Server encrypts embedded database credentials before they are stored in the repository. The credentials are encrypted with asset keys. We recommend that after you install Tableau Server, you generate new encryption keys for your deployment. To do this, use the tabadmin assetkeys command.
10. Refresh server token and encryption key
Any Tableau Server service that communicates with the repository or the cache server must first authenticate with a secret token. The secret token is generated during Tableau Server Setup. In addition, the encryption key that internal SSL uses to encrypt traffic to the Postgres repository is also generated during Setup. If your organization follows a security policy to update shared secrets and encryption keys on a regular schedule, you should include the token and key in that process. See the tabadmin regenerate_internal_tokens command for more information.
11. Disable services that you're not using
To minimize the attack surface of Tableau Server, disable any connection points that are not needed.
The REST API interface is enabled by default. If no applications will make REST API calls to your installation of Tableau Server 9.3 (or later), disable it by using the following tabadmin command:
tabadmin set api.server.enabled false
Important: Tableau Prep uses REST API to access Tableau Server. If your organization uses Tableau Prep, do not disable REST API.
JMX is disabled by default. If it's enabled but you're not using it, you should disable it by using the following tabadmin command:
tabadmin set service.jmx_enabled false
12. Verify session lifetime configuration
By default, Tableau Server does not have an absolute session timeout. This means that client sessions can remain open indefinitely if the Tableau Server inactivity timeout is not exceeded. (The default inactivity timeout is 240 minutes.)
If your security policy requires it, you can set an absolute session timeout. Be sure to set your absolute session timeout long enough to accommodate the longest-running extract or publishing operations in your organization. Setting the session timeout too low may result in extract and publishing failures for long-running operations.
Use the following sequence of tabadmin commands:
tabadmin set wgserver.session.apply_lifetime_limit true
tabadmin set wgserver.session.lifetime_limit "value", where value is the number of minutes. The default is 1440, which is 24 hours.
tabadmin set wgserver.session.idle_limit "value", where value is the number of minutes. The default is 240.
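The interaction between the two timers is easy to misjudge: the idle timer restarts on every request, so a client that keeps touching the server stays logged in forever unless the absolute limit is switched on. The following Python model is an added example, not Tableau's code; it reproduces the documented semantics of wgserver.session.idle_limit, wgserver.session.lifetime_limit and wgserver.session.apply_lifetime_limit with the defaults quoted above (240 and 1440 minutes), and includes the check for the caveat that the absolute limit must exceed your longest extract or publish operation.

```python
from datetime import datetime, timedelta

# Defaults quoted in the text: idle limit 240 minutes, lifetime limit 1440 minutes.
DEFAULT_IDLE_LIMIT = 240
DEFAULT_LIFETIME_LIMIT = 1440


class SessionPolicy:
    """Simplified model of the two wgserver.session timers (not Tableau's code)."""

    def __init__(self, idle_limit=DEFAULT_IDLE_LIMIT,
                 lifetime_limit=DEFAULT_LIFETIME_LIMIT,
                 apply_lifetime_limit=False):
        self.idle_limit = timedelta(minutes=idle_limit)
        self.lifetime_limit = timedelta(minutes=lifetime_limit)
        self.apply_lifetime_limit = apply_lifetime_limit

    def expiry_reason(self, created, last_activity, now):
        """Return 'idle', 'lifetime', or None if the session is still valid."""
        if now - last_activity > self.idle_limit:
            return "idle"
        if self.apply_lifetime_limit and now - created > self.lifetime_limit:
            return "lifetime"
        return None


def simulate_session(policy, keepalive_every, total_minutes):
    """Simulate a client that touches its session every keepalive_every minutes.

    Returns (minute, reason) at which the session was terminated, or None if
    the session survived the whole run.
    """
    created = datetime(2018, 1, 1)   # constructed start time
    last_activity = created
    for minute in range(1, total_minutes + 1):
        now = created + timedelta(minutes=minute)
        if minute % keepalive_every == 0:
            last_activity = now        # activity resets the idle timer only
        reason = policy.expiry_reason(created, last_activity, now)
        if reason:
            return minute, reason
    return None


def fits_longest_operation(policy, longest_operation_minutes):
    """Caveat from the text: an absolute limit shorter than the longest extract
    or publish operation would cut that operation off."""
    if not policy.apply_lifetime_limit:
        return True
    return timedelta(minutes=longest_operation_minutes) <= policy.lifetime_limit


if __name__ == "__main__":
    # Default policy: a client polling every hour is never logged out.
    print(simulate_session(SessionPolicy(), keepalive_every=60, total_minutes=72 * 60))
    # With apply_lifetime_limit true, the same client is cut off after 24 hours.
    print(simulate_session(SessionPolicy(apply_lifetime_limit=True),
                           keepalive_every=60, total_minutes=72 * 60))
```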
13. Configure a server safelist for file-based data sources
By default, Tableau Server allows authorized Tableau Server users to build workbooks that use files on the server as file-based data sources (such as spreadsheets). In this scenario, files are accessed by the Run As User account.
To prevent unwanted access to files, we recommend that you configure safelist (sometimes referred to as "whitelist") functionality. This lets you limit Run As User access to just the directory paths where you host data files.
On the computer running Tableau Server, identify the directories where you will host data source files.
Important: Make sure the file paths you specify in this procedure exist on the server. If the paths do not exist when the computer starts, Tableau Server will not start.
Run the following tabadmin command:
tabadmin set native_api.allowed_paths "path", where path is the directory to add to the safelist. Note: All subdirectories of the specified path are also added to the safelist. If you want to specify multiple paths, separate them with a semicolon, as in this example:
tabadmin set native_api.allowed_paths "c:\datasources;c:\HR\data"
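To reason about what a given native_api.allowed_paths value permits, the following Python script is an added example (not Tableau's implementation) that models the documented rule: a file is reachable by the Run As User only if it sits in one of the listed directories or their subdirectories. It normalises Windows paths first, so that case differences, forward slashes and ".." segments cannot produce a path outside the safelist, and it guards against the prefix mistake where c:\datasources-archive would otherwise match c:\datasources. The missing_paths helper covers the caveat above that every listed directory must exist before the server starts; its exists argument is a hypothetical hook so the check can be exercised without a Windows filesystem.

```python
import ntpath
import os


def _canon(path):
    """Normalise a Windows path for comparison.

    ntpath.normpath collapses ".." and repeated separators; ntpath.normcase
    lower-cases and unifies slashes, mirroring Windows' case-insensitive
    filesystem. Both work on any platform, so this runs on Linux too.
    """
    return ntpath.normcase(ntpath.normpath(path.strip()))


def parse_allowed_paths(spec):
    """Split a native_api.allowed_paths value ("c:\\a;c:\\b") into directories."""
    return [_canon(p) for p in spec.split(";") if p.strip()]


def is_path_allowed(file_path, allowed_dirs):
    """True if file_path is inside one of the safelisted directories."""
    target = _canon(file_path)
    for base in allowed_dirs:
        # The trailing separator prevents c:\datasources from matching
        # c:\datasources-archive\file.csv.
        if target == base or target.startswith(base.rstrip("\\") + "\\"):
            return True
    return False


def missing_paths(allowed_dirs, exists=os.path.isdir):
    """Directories in the safelist that do not exist (server will not start)."""
    return [d for d in allowed_dirs if not exists(d)]


if __name__ == "__main__":
    allowed = parse_allowed_paths(r"c:\datasources;c:\HR\data")
    for candidate in (r"C:\DataSources\sales\2017.xlsx",
                      r"c:\datasources\..\Windows\win.ini",
                      r"c:\datasources-archive\old.csv"):
        print(candidate, "->", "allowed" if is_path_allowed(candidate, allowed) else "denied")
    print("missing:", missing_paths(allowed))
```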
14. Enable HTTP Strict Transport Security for web browser clients
HTTP Strict Transport Security (HSTS) is a policy configured on web application services, such as Tableau Server. When a conforming browser encounters a web application running HSTS, all communications with the service must be over a secured (HTTPS) connection. HSTS is supported by major browsers.
For more information about how HSTS works and the browsers that support it, see the Open Web Application Security Project (OWASP) web page, HTTP Strict Transport Security Cheat Sheet.
To enable HSTS, run the following tabadmin command on Tableau Server:
tabadmin set gateway.http.hsts true
By default, the HSTS policy is set for one year (31536000 seconds). This time period specifies how long the browser will access the server only over HTTPS. You should consider setting a short max-age during the initial roll-out of HSTS. To change this time period, run
tabadmin set gateway.http.hsts_options max-age=<seconds>. For example, to set the HSTS policy time period to 30 days, enter
tabadmin set gateway.http.hsts_options max-age=2592000
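The reason for a short max-age during roll-out is that the browser, not the server, enforces the policy: once it has stored the header it will rewrite every http:// request to that host to https:// until max-age expires, and there is no click-through if the certificate later turns out to be wrong. The following Python model of a browser's HSTS store is an added example, not Tableau's or any browser's code; it implements the parts of RFC 6797 that matter here (the header is only honoured when received over HTTPS, max-age=0 clears the policy, plain http:// URLs are upgraded while the policy is live). The host name is a constructed placeholder.

```python
from urllib.parse import urlsplit, urlunsplit


def hsts_header(max_age_seconds):
    """Header value the gateway sends for gateway.http.hsts_options max-age=<seconds>."""
    return "max-age=%d" % max_age_seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


class HstsCache:
    """Minimal model of a browser's HSTS store (times are seconds since epoch)."""

    def __init__(self):
        self._expiry = {}   # host -> time at which the policy lapses

    def observe(self, url, headers, now):
        """Record the policy carried by a response, as a browser would."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return              # RFC 6797: ignore the header on plain HTTP
        value = headers.get("Strict-Transport-Security")
        if not value:
            return
        max_age, _ = parse_hsts(value)
        if max_age is None:
            return
        if max_age == 0:
            self._expiry.pop(parts.hostname, None)   # max-age=0 clears the policy
        else:
            self._expiry[parts.hostname] = now + max_age

    def rewrite(self, url, now):
        """Return the URL the browser will actually fetch."""
        parts = urlsplit(url)
        expiry = self._expiry.get(parts.hostname)
        if parts.scheme == "http" and expiry is not None and now < expiry:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    now = 1_000_000   # constructed clock value
    cache.observe("https://tableau.example.test/", {"Strict-Transport-Security": hsts_header(2592000)}, now)
    print(cache.rewrite("http://tableau.example.test/views", now + 10))
```

Once the policy is stored with the default one-year max-age, the only way to get users back to http:// sooner is to serve max-age=0 over a working HTTPS connection, which is why a 30-day value is a safer starting point.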
15. Disable Guest access
Core-based licenses of Tableau Server include a Guest user option, which allows any user in your organization to see and interact with Tableau views embedded in web pages.
Guest user access is enabled by default on Tableau Servers deployed with core-based licensing.
Guest access allows users to see embedded views. The Guest user cannot browse the Tableau Server interface or see server interface elements in the view, such as user name, account settings, comments, and so on.
If your organization has deployed Tableau Server with core licensing and Guest access is not required, then disable Guest access.
You can disable Guest access at the server or site level.
You must be a server administrator to disable the Guest account at either the server or the site level.
To disable Guest access at the server level:
In the site menu, click Manage All Sites and then click Settings > General.
For Guest Access, clear the Enable Guest account check box.
To disable Guest access for a site:
In the site menu, select a site.
Click Settings, and on the Settings page, clear the Enable Guest account check box.
For more information, see Guest User.
| Date | Change |
| --- | --- |
| December 2016 | Added "Disable Triple-DES cipher suite" |
| May 2017 | Added "Enable HTTP Strict Transport Security for web browser clients" and "Disable Guest access" |
| May 2018 | Added clarification: do not disable the REST API in organizations that are running Tableau Prep. |