Security Hardening Checklist

The following list provides recommendations for improving the security ("hardening") of your Tableau Server installation.

Installing security updates

Security updates are included in the latest versions and maintenance releases (MR) of Tableau Server. You cannot install security updates as patches. Rather, you must upgrade to a current version or MR to update Tableau Server with the latest security fixes.

Always reference the most current version of this topic after upgrading. The current version includes /current/ in the topic URL.

For example, the US version URL is: https://help.tableau.com/current/server/en-us/security_harden.htm.

1. Update to the current version

We recommend that you always run the latest version of Tableau Server. Additionally, Tableau periodically publishes maintenance releases of Tableau Server that include fixes for known security vulnerabilities. (Information regarding known security vulnerabilities can be found on the Security Bulletins page.) We recommend that you review maintenance release notifications to determine whether you should install them.

To get the latest version or maintenance release of Tableau Server, visit the Customer Portal(Link opens in a new window) page.

2. Configure SSL/TLS with a valid, trusted certificate

Secure Sockets Layer (SSL/TLS) is essential for helping to protect the security of communications with Tableau Server. Configure Tableau Server with a valid, trusted certificate (not a self-signed certificate) so that Tableau Desktop, mobile devices, and web clients can connect top the server over a secured connection. For more information, see SSL.

3. Disable older versions of TLS

Tableau Server uses TLS to authenticate and encrypt many connections between components and with external clients. External clients, such as browsers, Tableau Desktop, Tableau Mobile connect to Tableau using TLS over HTTPS. Transport layer security (TLS) is an improved version of SSL. In fact, older versions of SSL (SSL v2 and SSL v3) are no longer considered to be adequately secure communication standards. As a result, Tableau Server does not allow external clients to use SSL v2 or SSL v3 protocols to connect. We recommend that you only allow external clients to connect to Tableau Server with TLS v1.3.

Specifically, we recommend that you disable TLS v1, TLS v1.1, and TLS v1.2 on Tableau Server. However, before you disable a specific version of TLS, verify that the browsers(Link opens in a new window) that your users connect to Tableau Server with support TLS v1.3. In some cases, you may need to preserve support for TLSv1.1.

The following tsm command enables TLS v1.3 (using the "all" parameter) and disables SSL v2, SSL v3, TLS v1, TLS v1.1, and TLS v1.2 (by prepending the minus [-] character to a given protocol). TLS v1.3 is not yet supported by all components of Tableau Server.

tsm configuration set -k ssl.protocols -v "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2"

tsm pending-changes apply

If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

4. Configure SSL encryption for internal traffic

Configure Tableau Server to use SSL to encrypt all traffic between the Postgres repository and other server components. By default, SSL is disabled for communications between server components and the repository. We recommend enabling internal SSL for all instances of Tableau Server, even single-server installations. Enabling internal SSL is especially important for multi-node deployments. See Configure SSL for Internal Postgres Communication.

5. Enable firewall protection

Tableau Server was designed to operate inside a protected internal network.

Important: Do not run Tableau Server, or any components of Tableau Server on the internet or in a DMZ. Tableau Server must be run within the corporate network protected by an internet firewall. We recommend configuring a reverse proxy solution for internet clients that need to connect to Tableau Server. See Configuring Proxies for Tableau Server.

A local firewall should be enabled on the operating system to protect Tableau Server in single and multi-node deployments. In a distributed (multi-node) installation of Tableau Server, communication between nodes does not use secure communication. Therefore, you should enable firewalls on the computers that host Tableau Server.

To prevent a passive attacker from observing communications between nodes, configure a segregated virtual LAN or other network layer security solution.

See Tableau Services Manager Ports to understand which ports and services Tableau Server requires.

6. Restrict access to the server computer and to important directories

Tableau Server configuration files and log files can contain information that is valuable to an attacker. Therefore, restrict physical access to the machine that is running Tableau Server. In addition, make sure that only authorized and trusted users have access to the Tableau Server files in the C:\ProgramData\Tableaudirectory.

7. Update the Tableau Server Run As User account

By default, Tableau Server runs under the predefined Network Services (NT Authority\Network Service) Windows account. Using the default account is acceptable in scenarios where Tableau Server does not need to connect to external data sources that require Windows authentication. However, if your users require access to data sources that are authenticated by Active Directory, update the Run As User to a domain account. It's important to minimize the rights of the account that you use for the Run As User. For more information, see Run As Service Account.

8. Generate fresh secrets and tokens

Any Tableau Server service that communicates with repository or the cache server must first authenticate with a secret token. The secret token is generated during Tableau Server setup. The encryption key that internal SSL uses to encrypt traffic to Postgres repository is also generated at during setup.

We recommend that after you install Tableau Server, you generate new encryption keys for your deployment.

These security assets can be regenerated with the tsm security regenerate-internal-tokens command.

Run the following commands:

tsm security regenerate-internal-tokens

tsm pending-changes apply

9. Disable services that you're not using

To minimize the attack surface of the Tableau Server, disable any connection points that are not needed.

REST API

The REST API interface is enabled by default. If no applications will make REST API calls to your installation of Tableau Server 9.3 (or later), disable it by using the following commands:

tsm configuration set -k api.server.enabled -v false

tsm pending-changes apply

Important: Tableau Prep uses REST API to access Tableau Server. If your organization uses Tableau Prep, do not disable REST API.

JMX Service

JMX is disabled by default. If it's enabled but you're not using it, you should disable it by using the following:

tsm configuration set -k service.jmx_enabled -v false

tsm pending-changes apply

10. Verify session lifetime configuration

By default, Tableau Server does not have an absolute session timeout. This means that browser-based client (Web authoring) sessions can remain open indefinitely if the Tableau Server inactivity timeout is not exceeded. The default inactivity timeout is 240 minutes.

If your security policy requires it, you can set an absolute session timeout. Be sure to set your absolute session timeout in a range that allows the longest-running extract or publishing operations in your organization. Setting the session timeout too low may result in extract and publishing failures for long-running operations.

To set the session timeout run the following commands:

tsm configuration set -k wgserver.session.apply_lifetime_limit -v true

tsm configuration set -k wgserver.session.lifetime_limit -v value, where value is the number of minutes. The default is 1440, which is 24 hours.

tsm configuration set -k wgserver.session.idle_limit -v value, where value is the number of minutes. The default is 240.

tsm pending-changes apply

Sessions for connected clients (Tableau Desktop, Tableau Mobile, Tableau Prep Builder, Bridge, and personal access tokens) use OAuth tokens to keep users logged in by re-establishing a session. You can disable this behavior if you want all Tableau client sessions to be solely governed by the browser-based session limits controlled by the commands above. See Disable Automatic Client Authentication.

11. Configure a server allowlist for file-based data sources

By default, Tableau Server allows authorized Tableau Server users to build workbooks that use files on the server as file-based data sources (such as spreadsheets). In this scenario, files are accessed by the Run As Service Account.

To prevent unwanted access to files, we recommend that you configure allowlist functionality. This lets you limit the Run As service account to just the directory paths where you host data files.

  1. On the computer running Tableau Server, identify the directories where you will host data source files.

    Important Make sure the file paths you specify in this procedure exist on the server. If the paths do not exist when the computer starts, Tableau Server will not start.

  2. Run the following commands:

    tsm configuration set -k native_api.allowed_paths -v "path" , where path is the directory to add to the allowlist. All subdirectories of the specified path will be added to the allowlist. If you want to specify multiple paths, separate them with a semicolon, as in this example:

    tsm configuration set -k native_api.allowed_paths -v "c:\datasources;c:\HR\data"

    tsm pending-changes apply

12. Enable HTTP Strict Transport Security for web browser clients

HTTP Strict Transport Security (HSTS) is a policy configured on web application services, such as Tableau Server. When a conforming browser encounters a web application running HSTS, then all communications with the service must be over a secured (HTTPS) connection. HSTS is supported by major browsers.

For more information about how HSTS works and the browsers that support it, see The Open Web Application Security Project web page, HTTP Strict Transport Security Cheat Sheet(Link opens in a new window).

To enable HSTS, run the following commands on Tableau Server:

tsm configuration set -k gateway.http.hsts -v true

By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS. You should consider setting a short max-age during initial roll-out of HSTS. To change this time period, run tsm configuration set -k gateway.http.hsts_options -v max-age=<seconds>. For example, to set HSTS policy time period to 30 days, enter tsm configuration set -k gateway.http.hsts_options -v max-age=2592000.

tsm pending-changes apply

13. Disable Guest access

Core-based licenses of Tableau Server include a Guest user option, which allows any user in your organization to see and interact with Tableau views embedded in web pages.

Guest user access is enabled by default on Tableau Servers deployed with core-based licensing.

Guest access allows users to see embedded views. The Guest user cannot browse the Tableau Server interface or see server interface elements in the view, such as user name, account settings, comments, and so on.

If your organization has deployed Tableau Server with core licensing and Guest access is not required, then disable Guest access.

You can disable Guest access at the server or site level.

You must be a server administrator to disable the Guest account at either the server or the site level.

To disable Guest access at the server level:

  1. In the site menu, click Manage All Sites and then click Settings > General.

  2. For Guest Access, clear the Enable Guest account check box.

  3. Click Save.

To disable Guest access for a site:

  1. In the site menu, select a site.

  2. Click Settings, and on the Settings page, clear the Enable Guest account check box.

For more information, see Guest User.

14. Set referrer-policy HTTP header to 'same-origin'

Beginning in 2019.2, Tableau Server includes the ability to configure Referrer-Policy HTTP header behavior. This policy is enabled with a default behavior that will include the origin URL for all "secure as" connections (no-referrer-when-downgrade), which sends origin referrer information only to like connections (HTTP to HTTP) or those that are more secure (HTTP to HTTPS).

However, we recommend setting this value to same-origin, which only sends referrer information to same-site origins. Requests from outside the site will not receive referrer information.

To update the referrer-policy to same-origin, run the following commands:

tsm configuration set -k gateway.http.referrer_policy -v same-origin

tsm pending-changes apply

For more information about configuring additional headers to improve security, see HTTP Response Headers.

15. Configure TLS for SMTP connection

Beginning in 2019.4, Tableau Server includes the ability to configure TLS for the SMTP connection.

Tableau Server can be optionally configured to connect to a mail server. After configuring SMTP, Tableau Server can be configured to email server administrators about system failures, and email server users about subscribed views and data-driven alerts.

To configure TLS for SMTP:

  1. Upload a compatible certificate to Tableau Server. See tsm security custom-cert add.
  2. Configure TLS connection using TSM CLI.

    Run the following TSM commands to enable and force TLS connections to the SMTP server and to enable certificate verification.

    tsm configuration set -k svcmonitor.notification.smtp.ssl_enabled -v true

    tsm configuration set -k svcmonitor.notification.smtp.ssl_required -v true

    tsm configuration set -k svcmonitor.notification.smtp.ssl_check_server_identity -v true

    By default, Tableau Server will support TLS versions 1, 1.1, and 1.2, but we recommend that you specify the highest TLS version that the SMTP server supports.

    Run the following command to set the version. Valid values are SSLv2Hello, SSLv3, TLSv1, TLSv1.1, and TLSv1.2. The following example sets the TLS version to version 1.2.:

    tsm configuration set -k svcmonitor.notification.smtp.ssl_versions -v "TLSv1.2"

    For more information about other TLS configuration options, see Configure SMTP Setup.

  3. Restart Tableau Server to apply changes. Run the following command:

    tsm pending-changes apply

16. Configure SSL for LDAP

If your Tableau Server deployment is configured to use a generic LDAP external identity store, we recommend configuring SSL to protect authentication between Tableau Server and your LDAP server. See LDAP over SSL.

If your Tableau Server deployment is configured to use Active Directory, we recommend enabling Kerberos to protect authentication traffic. See Kerberos.

17. Scope permissions for non-default installation locations

If you install Tableau Server on Windows to a non-default location then we recommend manually scoping the permissions on the custom installation directory to reduce access.

By default, Tableau Server will install on the system drive. The drive where Windows is installed is the system drive. In most cases, the system drive is the C:\ drive. In this default case, Tableau Server will install into the following directories:

  • C:\Program Files\Tableau\Tableau Server\packages

  • C:\ProgramData\Tableau\Tableau Server

However, many customers install onto a non-system drive or into a different directory. If you selected a different installation drive or directory location during Setup, then the data directory for Tableau Server will install into the same path.

To scope permissions on the custom installation directory, only the following accounts should have the corresponding permissions on the installation folder and all subfolders:

Set permissions for this account: Permissions required
The user account that is used to install and upgrade Tableau Server Full control
The user account that is used to run TSM commands Full control
System account Full control
Run As service account, Network Service, and Local Service Read & execute

A procedure for setting these permissions can be found at Installing in a non-default location.

Change List

Date Change
September 2017 Ported and updated for Tableau Services Manager and Linux platform.
May 2018 Added clarification: Do not disable REST API in organizations that are running Tableau Prep.
May 2019 Added recommendation for referrer-policy HTTP header.
June 2019 Removed recommendation to disable Triple-DES. As of version 2019.3, Triple-DES is no longer a default supported cipher for SSL. See What's Changed - Things to Know Before You Upgrade.
January 2020 Added recommendation to configure TLS for SMTP.
February 2020 Added recommendation to configure SSL for LDAP server.
May 2020 Added TLS v1.3 to the disabled list of TLS ciphers. Added clarification to introduction about topic versioning.
August 2020 Added scoped permissions for non-default installations on Windows
October 2020 Added TLS v1.3 as a default supported cipher.
Thanks for your feedback! There was an error submitting your feedback. Please try again.