Security Hardening Checklist
The following list provides recommendations for improving the security ("hardening") of your Tableau Server installation.
Looking for Tableau Server on Linux? See the Linux version of the Security Hardening Checklist.
Installing security updates
Security updates are included in the latest versions and maintenance releases (MR) of Tableau Server. You cannot install security updates as patches. Rather, you must upgrade to a current version or MR to update Tableau Server with the latest security fixes.
Always reference the most current version of this topic after upgrading. The current version includes /current/ in the topic URL.
For example, the US version URL is: https://help.tableau.com/current/server/en-us/security_harden.htm.
1. Update to the current version
We recommend that you always run the latest version of Tableau Server. Additionally, Tableau periodically publishes maintenance releases of Tableau Server that include fixes for known security vulnerabilities. (Information regarding known security vulnerabilities can be found on the Tableau Security Bulletins page and the Salesforce Security Advisories page.) We recommend that you review maintenance release notifications to determine whether you should install them.
To get the latest version or maintenance release of Tableau Server, visit the Customer Portal page.
2. Configure SSL/TLS with a valid, trusted certificate
Secure Sockets Layer (SSL/TLS) is essential for helping to protect the security of communications with Tableau Server. Configure Tableau Server with a valid, trusted certificate (not a self-signed certificate) so that Tableau Desktop, mobile devices, and web clients can connect to the server over a secured connection. For more information, see SSL.
3. Disable older versions of TLS
Tableau Server uses TLS to authenticate and encrypt many connections between components and with external clients. External clients, such as browsers, Tableau Desktop, and Tableau Mobile, connect to Tableau using TLS over HTTPS. Transport Layer Security (TLS) is an improved version of SSL. Older versions of SSL (SSL v2 and SSL v3) are no longer considered to be adequately secure communication standards. As a result, Tableau Server does not allow external clients to use the SSL v2 or SSL v3 protocols to connect.
We recommend that you allow external clients to connect to Tableau Server with TLS v1.3 and TLS v1.2.
TLS v1.2 is still regarded as a secure protocol and many clients (including Tableau Desktop) do not yet support TLS v1.3.
TLS v1.3 capable clients will negotiate TLS v1.3 even if TLS v1.2 is supported by the server.
The following tsm command enables TLS v1.2 and v1.3 (using the "all" parameter) and disables SSL v2, SSL v3, TLS v1, and TLS v1.1 (by prepending the minus [-] character to a given protocol). TLS v1.3 is not yet supported by all components of Tableau Server.
tsm configuration set -k ssl.protocols -v "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
tsm pending-changes apply
To modify the protocols that govern SSL for the Tableau Server PostgreSQL repository, see pgsql.ssl.ciphersuite.
You can also modify the default list of cipher suites that Tableau Server uses for SSL/TLS sessions. For more information, see the ssl.ciphersuite section at tsm configuration set Options.
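As an added example that is not Tableau's code or documentation, the following Python function models the ssl.protocols value syntax described above ("all" enables every protocol, a leading minus disables one) and reports which deprecated protocols a given value still leaves enabled. The assumption that a bare or plus-prefixed name re-enables a protocol follows the Apache httpd SSLProtocol syntax the value mirrors and is not stated on this page.

```python
from typing import List, Set

# Protocol names this checklist uses with the ssl.protocols setting.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions the checklist says external clients should not be offered.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def enabled_protocols(value: str) -> Set[str]:
    """Return the protocol set that an ssl.protocols value leaves enabled.

    Tokens apply left to right: "all" enables every protocol and "-NAME"
    disables one, as the checklist describes. Treating "+NAME" or a bare
    "NAME" as enabling a protocol is an assumption modeled on Apache's
    SSLProtocol syntax; the page itself does not state it.
    """
    enabled: Set[str] = set()
    for token in value.split():
        if token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
            continue
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name not in ALL_PROTOCOLS:
            raise ValueError(f"unknown protocol token: {token!r}")
        if sign == "-":
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def weak_protocols_left(value: str) -> List[str]:
    """Deprecated protocols a value still allows, oldest first (empty is good)."""
    enabled = enabled_protocols(value)
    return [p for p in ALL_PROTOCOLS if p in enabled and p in DEPRECATED]


if __name__ == "__main__":
    hardened = "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"   # value from the checklist
    print(sorted(enabled_protocols(hardened)))       # ['TLSv1.2', 'TLSv1.3']
    print(weak_protocols_left("all -SSLv2 -SSLv3"))  # ['TLSv1', 'TLSv1.1']
```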
4. Configure SSL encryption for internal traffic
Configure Tableau Server to use SSL to encrypt all traffic between the Postgres repository and other server components. By default, SSL is disabled for communications between server components and the repository. We recommend enabling internal SSL for all instances of Tableau Server, even single-server installations. Enabling internal SSL is especially important for multi-node deployments. See Configure SSL for Internal Postgres Communication.
5. Enable firewall protection
Tableau Server was designed to operate inside a protected internal network.
Important: Do not run Tableau Server, or any components of Tableau Server, on the internet or in a DMZ. Tableau Server must be run within the corporate network, protected by an internet firewall. We recommend configuring a reverse proxy solution for internet clients that need to connect to Tableau Server. See Configuring Proxies and Load Balancers for Tableau Server.
A local firewall should be enabled on the operating system to protect Tableau Server in single and multi-node deployments. In a distributed (multi-node) installation of Tableau Server, communication between nodes does not use secure communication. Therefore, you should enable firewalls on the computers that host Tableau Server.
To prevent a passive attacker from observing communications between nodes, configure a segregated virtual LAN or other network layer security solution.
See Tableau Services Manager Ports to understand which ports and services Tableau Server requires.
6. Restrict access to the server computer and to important directories
Tableau Server configuration files and log files can contain information that is valuable to an attacker. Therefore, restrict physical access to the machine that is running Tableau Server. In addition, make sure that only authorized and trusted users have access to the Tableau Server files in the C:\ProgramData\Tableau directory.
7. Update the Tableau Server Run As User account
By default, Tableau Server runs under the predefined Network Services (NT Authority\Network Service) Windows account. Using the default account is acceptable in scenarios where Tableau Server does not need to connect to external data sources that require Windows authentication. However, if your users require access to data sources that are authenticated by Active Directory, update the Run As User to a domain account. It's important to minimize the rights of the account that you use for the Run As User. For more information, see Run As Service Account.
8. Generate fresh secrets and tokens
Any Tableau Server service that communicates with the repository or the cache server must first authenticate with a secret token. The secret token is generated during Tableau Server setup. The encryption key that internal SSL uses to encrypt traffic to the Postgres repository is also generated during setup.
We recommend that after you install Tableau Server, you generate new encryption keys for your deployment.
These security assets can be regenerated with the tsm security regenerate-internal-tokens command.
Run the following commands:
tsm security regenerate-internal-tokens
tsm pending-changes apply
9. Disable services that you're not using
To minimize the attack surface of Tableau Server, disable any connection points that are not needed.
JMX Service
JMX is disabled by default. If it's enabled but you're not using it, you should disable it by using the following:
tsm configuration set -k service.jmx_enabled -v false
tsm pending-changes apply
10. Verify session lifetime configuration
By default, Tableau Server does not have an absolute session timeout. This means that browser-based client (Web authoring) sessions can remain open indefinitely if the Tableau Server inactivity timeout is not exceeded. The default inactivity timeout is 240 minutes.
If your security policy requires it, you can set an absolute session timeout. Be sure to set your absolute session timeout in a range that allows the longest-running extract uploads or workbook publishing operations in your organization. Setting the session timeout too low may result in extract and publishing failures for long-running operations.
To set the session timeout run the following commands:
tsm configuration set -k wgserver.session.apply_lifetime_limit -v true
tsm configuration set -k wgserver.session.lifetime_limit -v value
where value is the number of minutes. The default is 1440, which is 24 hours.
tsm configuration set -k wgserver.session.idle_limit -v value
where value is the number of minutes. The default is 240.
tsm pending-changes apply
Sessions for connected clients (Tableau Desktop, Tableau Mobile, Tableau Prep Builder, Bridge, and personal access tokens) use OAuth tokens to keep users logged in by re-establishing a session. You can disable this behavior if you want all Tableau client sessions to be solely governed by the browser-based session limits controlled by the commands above. See Disable Automatic Client Authentication.
11. Configure a server allowlist for file-based data sources
As of the October 2023 Tableau Server releases, the default file-based access behavior has changed. Previously, Tableau Server allowed authorized Tableau Server users to build workbooks that use files on the server as file-based data sources (such as spreadsheets). With the October 2023 releases, access to files stored on Tableau Server or on remote shares must be specifically configured on Tableau Server using the setting described here.
This setting allows you to limit access by the Run As Service Account only to those directories that you specify.
To configure access to shared files, you must configure allowlist functionality. This lets you limit the Run As service account to just the local directory paths, or shared directories where you host data files.
- On the computer running Tableau Server, identify the directories where you will host data source files.
  Important: Make sure the file paths you specify in this setting exist and are accessible by the service account.
- Run the following commands:
tsm configuration set -k native_api.allowed_paths -v "path"
where path is the directory to add to the allowlist. All subdirectories of the specified path will be added to the allowlist. You must add a trailing backslash to the specified path. If you want to specify multiple paths, separate them with a semicolon, as in this example:
tsm configuration set -k native_api.allowed_paths -v "c:\datasources;\\HR\data\"
tsm pending-changes apply
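As an added example that is not Tableau's code, this Python model applies the allowlist semantics described above (semicolon-separated entries, subdirectories included, Windows path rules) to a requested file path, so an administrator can reason about what a given native_api.allowed_paths value permits and spot entries missing the required trailing backslash. The sample value and paths are constructed; how Tableau Server itself evaluates the setting is not shown on this page.

```python
import ntpath
from typing import List


def parse_allowed_paths(value: str) -> List[str]:
    """Split a native_api.allowed_paths value on ';' and normalize each entry
    with Windows rules ('/' and '\\' equivalent, case-insensitive, '..' resolved,
    trailing separator dropped so that roots compare uniformly)."""
    roots: List[str] = []
    for entry in value.split(";"):
        entry = entry.strip()
        if entry:
            roots.append(ntpath.normcase(ntpath.normpath(entry)).rstrip("\\"))
    return roots


def entries_missing_trailing_backslash(value: str) -> List[str]:
    """Entries lacking the trailing backslash the setting's documentation requires."""
    entries = [e.strip() for e in value.split(";") if e.strip()]
    return [e for e in entries if not e.endswith("\\")]


def is_path_allowed(value: str, requested: str) -> bool:
    """True if 'requested' is an allowlisted directory or lies under one.

    The path is normalized before comparison so '..' segments cannot walk out
    of a root, and a separator is appended to the root so that a sibling such
    as 'c:\\datasources_old' does not match 'c:\\datasources'. Relative and
    drive-less paths are rejected because they cannot be anchored to a root.
    """
    drive, _ = ntpath.splitdrive(requested)
    if not drive or not ntpath.isabs(requested):
        return False
    candidate = ntpath.normcase(ntpath.normpath(requested))
    return any(candidate == root or candidate.startswith(root + "\\")
               for root in parse_allowed_paths(value))


if __name__ == "__main__":
    # Constructed sample mirroring the two-entry value shown in the checklist.
    allowlist = "c:\\datasources;\\\\HR\\data\\"
    print(is_path_allowed(allowlist, "C:\\DataSources\\sales\\q1.csv"))         # True
    print(is_path_allowed(allowlist, "c:\\datasources_old\\q1.csv"))            # False
    print(is_path_allowed(allowlist, "c:\\datasources\\..\\Windows\\win.ini"))  # False
    print(is_path_allowed(allowlist, "\\\\HR\\data\\people.xlsx"))              # True
    print(entries_missing_trailing_backslash(allowlist))                        # ['c:\\datasources']
```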
12. Enable HTTP Strict Transport Security for web browser clients
HTTP Strict Transport Security (HSTS) is a policy configured on web application services, such as Tableau Server. When a conforming browser encounters a web application running HSTS, then all communications with the service must be over a secured (HTTPS) connection. HSTS is supported by major browsers.
For more information about how HSTS works and the browsers that support it, see the Open Web Application Security Project web page, HTTP Strict Transport Security Cheat Sheet.
To enable HSTS, run the following commands on Tableau Server:
tsm configuration set -k gateway.http.hsts -v true
By default, the HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS. You should consider setting a short max-age during initial roll-out of HSTS. To change this time period, run:
tsm configuration set -k gateway.http.hsts_options -v max-age=<seconds>
For example, to set the HSTS policy time period to 30 days, enter:
tsm configuration set -k gateway.http.hsts_options -v max-age=2592000
Then apply the changes:
tsm pending-changes apply
13. Disable Guest access
Core-based licenses of Tableau Server include a Guest user option, which allows any user in your organization to see and interact with Tableau views embedded in web pages.
Guest user access is enabled by default on Tableau Servers deployed with core-based licensing.
Guest access allows users to see embedded views. The Guest user cannot browse the Tableau Server interface or see server interface elements in the view, such as user name, account settings, comments, and so on.
If your organization has deployed Tableau Server with core licensing and Guest access is not required, then disable Guest access.
You can disable Guest access at the server or site level.
You must be a server administrator to disable the Guest account at either the server or the site level.
To disable Guest access at the server level:
- In the site menu, click Manage All Sites and then click Settings > General.
- For Guest Access, clear the Enable Guest account check box.
- Click Save.
To disable Guest access for a site:
- In the site menu, select a site.
- Click Settings, and on the Settings page, clear the Enable Guest account check box.
For more information, see Guest User.
14. Set referrer-policy HTTP header to 'same-origin'
Beginning in 2019.2, Tableau Server includes the ability to configure Referrer-Policy HTTP header behavior. This policy is enabled with a default behavior that will include the origin URL for all "secure as" connections (no-referrer-when-downgrade), which sends origin referrer information only to like connections (HTTP to HTTP) or those that are more secure (HTTP to HTTPS).
However, we recommend setting this value to same-origin, which only sends referrer information to same-site origins. Requests from outside the site will not receive referrer information.
To update the referrer-policy to same-origin, run the following commands:
tsm configuration set -k gateway.http.referrer_policy -v same-origin
tsm pending-changes apply
For more information about configuring additional headers to improve security, see HTTP Response Headers.
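The following Python audit, added here and not part of Tableau's documentation or product, checks a captured HTTP response against items 12 and 14 above: it parses the max-age directive of the Strict-Transport-Security header (the page's one-year default and 30-day roll-out value) and confirms that Referrer-Policy is same-origin. The sample responses are constructed, not captured from a real server.

```python
from typing import Dict, List, Optional

# Checklist values: HSTS default max-age is one year; recommended Referrer-Policy is same-origin.
HSTS_DEFAULT_MAX_AGE = 31536000
RECOMMENDED_REFERRER_POLICY = "same-origin"


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response (status line, headers, blank line) into a dict
    keyed by lower-cased header name; anything after the blank line is ignored."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(headers: Dict[str, str]) -> Optional[int]:
    """Seconds from the max-age directive of Strict-Transport-Security, or None
    when the header is absent or carries no numeric max-age."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None


def audit_headers(raw: str) -> List[str]:
    """Findings for one captured response against items 12 and 14 (empty means clean)."""
    headers = parse_headers(raw)
    findings: List[str] = []
    age = hsts_max_age(headers)
    if age is None:
        findings.append("HSTS missing or without max-age (gateway.http.hsts)")
    elif age < HSTS_DEFAULT_MAX_AGE:
        findings.append(f"HSTS max-age is {age // 86400} days; default is one year")
    policy = headers.get("referrer-policy")
    if policy != RECOMMENDED_REFERRER_POLICY:
        findings.append(f"Referrer-Policy is {policy!r}; recommended {RECOMMENDED_REFERRER_POLICY!r}")
    return findings


# Constructed sample responses, not captured from a real server.
ROLLOUT_RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=2592000\r\n"
                    "Referrer-Policy: same-origin\r\n\r\n")
DEFAULT_RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
                    "Referrer-Policy: no-referrer-when-downgrade\r\n\r\n")
```

A shorter max-age is reported as informational only, since the page itself suggests a short value during initial roll-out.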
15. Configure TLS for SMTP connection
Beginning in 2019.4, Tableau Server includes the ability to configure TLS for the SMTP connection. Tableau Server only supports STARTTLS (Opportunistic or Explicit TLS).
Tableau Server can be optionally configured to connect to a mail server. After configuring SMTP, Tableau Server can be configured to email server administrators about system failures, and email server users about subscribed views and data-driven alerts.
To configure TLS for SMTP:
- Upload a compatible certificate to Tableau Server. See tsm security custom-cert add.
- Configure TLS connection using TSM CLI.
Run the following TSM commands to enable and force TLS connections to the SMTP server and to enable certificate verification.
tsm configuration set -k svcmonitor.notification.smtp.ssl_enabled -v true
tsm configuration set -k svcmonitor.notification.smtp.ssl_required -v true
tsm configuration set -k svcmonitor.notification.smtp.ssl_check_server_identity -v true
By default, Tableau Server will support TLS versions 1, 1.1, and 1.2, but we recommend that you specify the highest TLS version that the SMTP server supports.
Run the following command to set the version. Valid values are SSLv2Hello, SSLv3, TLSv1, TLSv1.1, and TLSv1.2. The following example sets the TLS version to 1.2:
tsm configuration set -k svcmonitor.notification.smtp.ssl_versions -v "TLSv1.2"
For more information about other TLS configuration options, see Configure SMTP Setup.
- Restart Tableau Server to apply changes. Run the following command:
tsm pending-changes apply
16. Configure SSL for LDAP
If your Tableau Server deployment is configured to use a generic LDAP external identity store, we recommend configuring SSL to protect authentication between Tableau Server and your LDAP server. See Configure Encrypted Channel to LDAP External Identity Store.
If your Tableau Server deployment is configured to use Active Directory, we recommend enabling Kerberos to protect authentication traffic. See Kerberos.
17. Scope permissions for non-default installation locations
If you install Tableau Server on Windows to a non-default location, then we recommend manually scoping the permissions on the custom installation directory to reduce access.
By default, Tableau Server will install on the system drive. The drive where Windows is installed is the system drive. In most cases, the system drive is the C:\ drive. In this default case, Tableau Server will install into the following directories:
- C:\Program Files\Tableau\Tableau Server\packages
- C:\ProgramData\Tableau\Tableau Server
However, many customers install onto a non-system drive or into a different directory. If you selected a different installation drive or directory location during Setup, then the data directory for Tableau Server will install into the same path.
To scope permissions on the custom installation directory, only the following accounts should have the corresponding permissions on the installation folder and all subfolders:
| Set permissions for this account | Permissions required |
|---|---|
| The user account that is used to install and upgrade Tableau Server | Full control |
| The user account that is used to run TSM commands | Full control |
| System account | Full control |
| Run As service account, Network Service, and Local Service | Read & execute |
A procedure for setting these permissions can be found at Installing in a non-default location.
Change List
| Date | Change |
|---|---|
| May 2018 | Added clarification: Do not disable REST API in organizations that are running Tableau Prep. |
| May 2019 | Added recommendation for referrer-policy HTTP header. |
| June 2019 | Removed recommendation to disable Triple-DES. As of version 2019.3, Triple-DES is no longer a default supported cipher for SSL. See What's Changed - Things to Know Before You Upgrade. |
| January 2020 | Added recommendation to configure TLS for SMTP. |
| February 2020 | Added recommendation to configure SSL for LDAP server. |
| May 2020 | Added TLS v1.3 to the disabled list of TLS ciphers. Added clarification to introduction about topic versioning. |
| August 2020 | Added scoped permissions for non-default installations on Windows. |
| October 2020 | Added TLS v1.3 as a default supported cipher. |
| January 2021 | Added clarification: All products enabled by the Data Management license require REST API. |
| February 2021 | Removed recommendation to disable REST API. The API is now used internally by Tableau Server and disabling it may limit functionality. |