Security Hardening Checklist

The following list provides recommendations for improving the security (‘hardening’) of your Tableau Server installation.

Installing security updates

Security updates are included in the latest versions and maintenance releases (MR) of Tableau Server. You cannot install security updates as patches. Rather, you must upgrade to a current version or MR to update Tableau Server with the latest security fixes.

Always reference the most current version of this topic after upgrading. The current version includes /current/ in the topic URL.

For example, the US version URL is: https://help.tableau.com/current/server/en-gb/security_harden.htm.

1. Update to the current version

We recommend that you always run the latest version of Tableau Server. Additionally, Tableau periodically publishes maintenance releases of Tableau Server that include fixes for known security vulnerabilities. (Information regarding known security vulnerabilities can be found on the Tableau Security Bulletins page and the Salesforce Security Advisories(Link opens in a new window) page.) We recommend that you review maintenance release notifications to determine whether you should install them.

To get the latest version or maintenance release of Tableau Server, visit the Customer Portal(Link opens in a new window) page.

2. Configure SSL/TLS with a valid, trusted certificate

Secure Sockets Layer (SSL/TLS) is essential for helping to protect the security of communications with Tableau Server. Configure Tableau Server with a valid, trusted certificate (not a self-signed certificate) so that Tableau Desktop, mobile devices and web clients can connect to the server over a secured connection. For more information, see SSL.

3. Disable older versions of TLS

Tableau Server uses TLS to authenticate and encrypt many connections between components and with external clients. External clients, such as browsers, Tableau Desktop and Tableau Mobile connect to Tableau using TLS over HTTPS. Transport layer security (TLS) is an improved version of SSL. In fact, older versions of SSL (SSL v2 and SSL v3) are no longer considered to be adequately secure communication standards. As a result, Tableau Server does not allow external clients to use SSL v2 or SSL v3 protocols to connect.

We recommend that you allow external clients to connect to Tableau Server with TLS v1.3 and TLS v1.2.

TLS v1.2 is still regarded as a secure protocol and many clients (including Tableau Desktop) do not yet support TLS v1.3.

TLS v1.3 capable clients will negotiate TLS v1.3 even if TLS v1.2 is supported by the server.

The following tsm command enables TLS v1.2 and v1.3 (using the "all" parameter) and disables SSL v2, SSL v3, TLS v1 and TLS v1.1 (by prepending the minus [-] character to a given protocol). TLS v1.3 is not yet supported by all components of Tableau Server.

tsm configuration set -k ssl.protocols -v "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"

tsm pending-changes apply

To modify the protocols that govern SSL for the Tableau Server PostgreSQL repository, see pgsql.ssl.ciphersuite.

You can also modify the default list of cipher suites that Tableau Server uses for SSL/TLS sessions. For more information see the ssl.ciphersuite section at tsm configuration set Options.

4. Configure SSL encryption for internal traffic

Configure Tableau Server to use SSL to encrypt all traffic between the Postgres repository and other server components. By default, SSL is disabled for communications between server components and the repository. We recommend enabling internal SSL for all instances of Tableau Server, even single-server installations. Enabling internal SSL is especially important for multi-node deployments. See Configure SSL for Internal Postgres Communication.

5. Enable firewall protection

Tableau Server was designed to operate inside a protected internal network.

Important: Do not run Tableau Server, or any components of Tableau Server on the internet or in a DMZ. Tableau Server must be run within the corporate network protected by an internet firewall. We recommend configuring a reverse proxy solution for internet clients that need to connect to Tableau Server. See Configuring Proxies and Load Balancers for Tableau Server.

A local firewall should be enabled on the operating system to protect Tableau Server in single and multi-node deployments. In a distributed (multi-node) installation of Tableau Server, communication between nodes does not use secure communication. Therefore, you should enable firewalls on the computers that host Tableau Server.

To prevent a passive attacker from observing communications between nodes, configure a segregated virtual LAN or other network layer security solution.

See Tableau Services Manager Ports to understand which ports and services Tableau Server requires.

6. Restrict access to the server computer and to important directories

Tableau Server configuration files and log files can contain information that is valuable to an attacker. Therefore, restrict physical access to the machine that is running Tableau Server. In addition, make sure that only authorised and trusted users have access to the Tableau Server files in the C:\ProgramData\Tableaudirectory.

7. Update the Tableau Server Run As User account

By default, Tableau Server runs under the predefined Network Services (NT Authority\Network Service) Windows account. Using the default account is acceptable in scenarios where Tableau Server does not need to connect to external data sources that require Windows authentication. However, if your users require access to data sources that are authenticated by Active Directory, update the Run As User to a domain account. It's important to minimise the rights of the account that you use for the Run As User. For more information, see Run As Service Account.

8. Generate fresh secrets and tokens

Any Tableau Server service that communicates with repository or the cache server must first authenticate with a secret token. The secret token is generated during Tableau Server setup. The encryption key that internal SSL uses to encrypt traffic to Postgres repository is also generated at during setup.

We recommend that after you install Tableau Server, you generate new encryption keys for your deployment.

These security assets can be regenerated with the tsm security regenerate-internal-tokens command.

Run the following commands:

tsm security regenerate-internal-tokens

tsm pending-changes apply

9. Disable services that you're not using

To minimise the attack surface of the Tableau Server, disable any connection points that are not needed.

JMX Service

JMX is disabled by default. If it's enabled but you're not using it, you should disable it by using the following:

tsm configuration set -k service.jmx_enabled -v false

tsm pending-changes apply

10. Verify session lifetime configuration

By default, Tableau Server does not have an absolute session timeout. This means that browser-based client (Web authoring) sessions can remain open indefinitely if the Tableau Server inactivity timeout is not exceeded. The default inactivity timeout is 240 minutes.

If your security policy requires it, you can set an absolute session timeout. Be sure to set your absolute session timeout in a range that allows the longest-running extract uploads or workbook publishing operations in your organisation. Setting the session timeout too low may result in extract and publishing failures for long-running operations.

To set the session timeout run the following commands:

tsm configuration set -k wgserver.session.apply_lifetime_limit -v true

tsm configuration set -k wgserver.session.lifetime_limit -v value, where value is the number of minutes. The default is 1440, which is 24 hours.

tsm configuration set -k wgserver.session.idle_limit -v value, where value is the number of minutes. The default is 240.

tsm pending-changes apply

Sessions for connected clients (Tableau Desktop, Tableau Mobile, Tableau Prep Builder, Bridge and personal access tokens) use OAuth tokens to keep users logged in by re-establishing a session. You can disable this behaviour if you want all Tableau client sessions to be solely governed by the browser-based session limits controlled by the commands above. See Disable Automatic Client Authentication.

11. Configure a server allowlist for file-based data sources

As of October 2023 Tableau Server releases, default file-based access behaviour has changed. Previously, Tableau Server allowed authorised Tableau Server users to build workbooks that use files on the server as file-based data sources (such as spreadsheets). With the October 2023 releases, access to files stored on Tableau or on remote shares must be specifically configured on Tableau Server using the setting described here.

This setting allows you to limit access by the Run As Service Account only to those directories that you specify.

To configure access to shared files, you must configure allowlist functionality. This lets you limit the Run As service account to just the local directory paths, or shared directories where you host data files.

  1. On the computer running Tableau Server, identify the directories where you will host data source files.

    Important Make sure the file paths you specify in this setting exist and are accessible by the service account.

  2. Run the following commands:

    tsm configuration set -k native_api.allowed_paths -v "path" , where path is the directory to add to the allowlist. All subdirectories of the specified path will be added to the allowlist. You must add a trailing backslash to the specified path. If you want to specify multiple paths, separate them with a semicolon, as in this example:

    tsm configuration set -k native_api.allowed_paths -v "c:\datasources;\\HR\data\"

    tsm pending-changes apply

12. Enable HTTP Strict Transport Security for web browser clients

HTTP Strict Transport Security (HSTS) is a policy configured on web application services, such as Tableau Server. When a conforming browser encounters a web application running HSTS, then all communications with the service must be over a secured (HTTPS) connection. HSTS is supported by major browsers.

For more information about how HSTS works and the browsers that support it, see The Open Web Application Security Project web page, HTTP Strict Transport Security Cheat Sheet(Link opens in a new window).

To enable HSTS, run the following commands on Tableau Server:

tsm configuration set -k gateway.http.hsts -v true

By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS. You should consider setting a short max-age during initial roll-out of HSTS. To change this time period, run tsm configuration set -k gateway.http.hsts_options -v max-age=<seconds>. For example, to set HSTS policy time period to 30 days, enter tsm configuration set -k gateway.http.hsts_options -v max-age=2592000.

tsm pending-changes apply

13. Disable Guest access

Core-based licences of Tableau Server include a Guest user option, which allows any user in your organisation to see and interact with Tableau views embedded in web pages.

Guest user access is enabled by default on Tableau Servers deployed with core-based licensing.

Guest access allows users to see embedded views. The Guest user cannot browse the Tableau Server interface or see server interface elements in the view, such as user name, account settings, comments and so on.

If your organisation has deployed Tableau Server with core licensing and Guest access is not required, then disable Guest access.

You can disable Guest access at the server or site level.

You must be a server administrator to disable the Guest account at either the server or the site level.

To disable Guest access at the server level:

  1. In the site menu, click Manage All Sites and then click Settings > General.

  2. For Guest Access, clear the Enable Guest account check box.

  3. Click Save.

To disable Guest access for a site:

  1. In the site menu, select a site.

  2. Click Settings, and on the Settings page, untick the Enable Guest account box.

For more information, see Guest User.

14. Set referrer-policy HTTP header to 'same-origin'

Beginning in 2019.2, Tableau Server includes the ability to configure Referrer-Policy HTTP header behaviour. This policy is enabled with a default behaviour that will include the origin URL for all "secure as" connections (no-referrer-when-downgrade), which sends origin referrer information only to like connections (HTTP to HTTP) or those that are more secure (HTTP to HTTPS).

However, we recommend setting this value to same-origin, which only sends referrer information to same-site origins. Requests from outside the site will not receive referrer information.

To update the referrer-policy to same-origin, run the following commands:

tsm configuration set -k gateway.http.referrer_policy -v same-origin

tsm pending-changes apply

For more information about configuring additional headers to improve security, see HTTP Response Headers.

15. Configure TLS for SMTP connection

Beginning in 2019.4, Tableau Server includes the ability to configure TLS for the SMTP connection. Tableau Server only supports STARTTLS (Opportunistic or Explicit TLS).

Tableau Server can be optionally configured to connect to a mail server. After configuring SMTP, Tableau Server can be configured to email server administrators about system failures, and email server users about subscribed views and data-driven alerts.

To configure TLS for SMTP:

  1. Upload a compatible certificate to Tableau Server. See tsm security custom-cert add.
  2. Configure TLS connection using TSM CLI.

    Run the following TSM commands to enable and force TLS connections to the SMTP server and to enable certificate verification.

    tsm configuration set -k svcmonitor.notification.smtp.ssl_enabled -v true

    tsm configuration set -k svcmonitor.notification.smtp.ssl_required -v true

    tsm configuration set -k svcmonitor.notification.smtp.ssl_check_server_identity -v true

    By default, Tableau Server will support TLS versions 1, 1.1 and 1.2, but we recommend that you specify the highest TLS version that the SMTP server supports.

    Run the following command to set the version. Valid values are SSLv2Hello, SSLv3, TLSv1, TLSv1.1, and TLSv1.2. The following example sets the TLS version to version 1.2.:

    tsm configuration set -k svcmonitor.notification.smtp.ssl_versions -v "TLSv1.2"

    For more information about other TLS configuration options, see Configure SMTP Setup.

  3. Restart Tableau Server to apply changes. Run the following command:

    tsm pending-changes apply

16. Configure SSL for LDAP

If your Tableau Server deployment is configured to use a generic LDAP external identity store, we recommend configuring SSL to protect authentication between Tableau Server and your LDAP server. See Configure Encrypted Channel to LDAP External Identity Store.

If your Tableau Server deployment is configured to use Active Directory, we recommend enabling Kerberos to protect authentication traffic. See Kerberos.

17. Scope permissions for non-default installation locations

If you install Tableau Server on Windows to a non-default location then we recommend manually scoping the permissions on the custom installation directory to reduce access.

By default, Tableau Server will install on the system drive. The drive where Windows is installed is the system drive. In most cases, the system drive is the C:\ drive. In this default case, Tableau Server will install into the following directories:

  • C:\Program Files\Tableau\Tableau Server\packages

  • C:\ProgramData\Tableau\Tableau Server

However, many customers install onto a non-system drive or into a different directory. If you selected a different installation drive or directory location during Setup, then the data directory for Tableau Server will install into the same path.

To scope permissions on the custom installation directory, only the following accounts should have the corresponding permissions on the installation folder and all subfolders:

Set permissions for this account:Permissions required
The user account that is used to install and upgrade Tableau ServerFull control
The user account that is used to run TSM commandsFull control
System accountFull control
Run As service account, Network Service and Local ServiceRead & execute

A procedure for setting these permissions can be found at Installing in a non-default location.

Change List

DateChange
May 2018Added clarification: Do not disable REST API in organizations that are running Tableau Prep.
May 2019Added recommendation for referrer-policy HTTP header.
June 2019Removed recommendation to disable Triple-DES. As of version 2019.3, Triple-DES is no longer a default supported cipher for SSL. See What's Changed - Things to Know Before You Upgrade.
January 2020Added recommendation to configure TLS for SMTP.
February 2020Added recommendation to configure SSL for LDAP server.
May 2020Added TLS v1.3 to the disabled list of TLS ciphers. Added clarification to introduction about topic versioning.
August 2020Added scoped permissions for non-default installations on Windows
October 2020Added TLS v1.3 as a default supported cipher.
January 2021Added clarification: All products enabled by the Data Management license require REST API.
February 2021Removed recommendation to disable REST API. The API is now used internally by Tableau Server and disabling it may limit functionality.
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!