Hello, everyone!
This week, Jonathan MacDonald – or Jmac, as we like to call him at the Information Lab – came to teach us about Tableau Server. As the company’s defacto expert on the topic, the tips he had to share with us were simple and effective, and relevant to anyone who is either going to have to setup and administer a Tableau Server or simply interact with it as a user.
As someone who is going to spend most of his time interacting with sensitive company data as a Tableau and Alteryx consultant, I know the value of hardening a server and protecting it from any would be hackers or data thieves. However, as a business analyst with a pretty weak IT background, I genuinely have no idea how to protect myself or my data infrastructure from the outside world. Or should I say, had no idea. Thanks to JMac’s tips, and some very high-quality documentation provided by Tableau, I know the basic simple steps one can take to dramatically increase his Tableau Server’s overall security. The entirety of the information I will be sharing with you can be found right here – I really recommend you check that link if you are the server administrator for your organization – but if you’re just interested in the subject, or were just asked by your boss to give your server a look and upgrade it, here are simple things you can do using the tabadmin commands.
Before you get started, please read this:
- The entirety of this guide will require you to use tabadmin commands. These commands are used to perform certain administrative tasks and change Tableau Server configuration settings. The tabadmin command line tool comes pre-installed with Tableau Server, so no need for any installation, it’s already on your machine. To access these commands, you are first going to have to open command prompt as an administrator and navigate to the Tableau Server bin configuration using this command:
- cd “C:\Program Files\Tableau\Tableau Server\10.3\bin” : If you are using another version of Tableau server, change the value “10.3” to the corresponding one in your machine
- The reason you need to navigate to this directory is that this is where your tabadmin command line tool is located, and using the tabadmin commands would not work if you were using command prompt from another directory.
- As soon as you’ve done this step, you’re ready to use tabadmin commands!
- cd “C:\Program Files\Tableau\Tableau Server\10.3\bin” : If you are using another version of Tableau server, change the value “10.3” to the corresponding one in your machine
- Many of the changes we will be making below will involve following the exact same structure of commands. Here’s what it looks like, and why we do it that way:
- tabadmin stop: Stop the server before issuing the command
- tabadmin set <some command>: Enter the command you want based on the changes you want to make
- tabadmin configure: Push all the changes through to all of the server’s configuration file
- tabadmin start: Restart your server
- The only thing that will systematically change in each of the hardening steps below is the <some command> part. This is where we will input specific commands to improve different aspects of the server’s security.
- Finally, using tabadmin and the command prompt tool is some pretty advanced stuff, meaning there is a change you can “break” your server if you don’t do the right thing. I would only recommend doing this if you are pretty knowledgeable about servers and IT, or to practice on a fake dummy server if you’ve never done this before. You have been warned!
With that out of the way, let’s start hardening our server!
1. Disable Older Versions of TLS
What does this do?
Tableau Server uses TLS to authenticate and encrypt connections between many of its components and external clients. Don’t worry too much about what this means, just consider it the methodology that the server uses to communicate with other pieces of software, such as a browser. The problem is that older versions of TLS – TLS v1 and v1.1 – are not considered all that secured anymore, and so we’re going to want to disable them so that only applications using TLS v1.2 can communicate with our server. You should make sure that your users are using a browser that does use TLS v1.2 before you did or else they won’t be able to access it anymore! You can check this here.
What you’ll need to type in:
tabadmin stop
tabadmin set ssl.protocols "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
tabadmin configure
tabadmin start
2. Disable Triple-DES Cipher Suite
What does this do?
A cipher suite is a complete set of methods needed to secure a network connection. Once again, don’t worry too much about what this means, just know that the Triple-DES Cipher suite isn’t considered all that secure anymore, and it’s better to disable it so that you don’t expose your server to a denial of service attack or data theft.
What you need to type in:
tabadmin stop
tabadmin set ssl.ciphersuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES
tabadmin configure
tabadmin start
3. Generate Fresh asset keys
What does this do?
To protect your data sources, Tableau Server will encrypt all the credentials embedded within them that allow you to access them. The credentials are encrypted using something called an asset key. Generating fresh asset keys allows you to make sure that if anybody has somehow managed to obtain them that they will not be able to decipher the embedded data source credentials anymore. I really recommend you check the documentation on this one, as you will want to make sure you know where your new asset keys will be stored and may want to chose your own asset key passphrase – the password that gives you access to them on your machine.
What you need to type in:
tabadmin assetkeys --auto_create
By choosing the auto_create argument, this command will automatically generate a key passphrase for you. The file with the passphrase can be found in ProgramData\Tableau\Tableau Server\data\tabsvc\config and will be called asset_keys.yml
4. Regenerate Internal Security Tokens
What does this do?
Tableau Server uses security tokens to communicate internally with its different components. These include the passwords used by the server to access the repository, and the certificates used to validate internal connections between components. It’s important to regenerate from time to time in case someone has managed to infiltrate the server.
What you need to type in:
tabadmin regenerate_internal_tokens --passwords
tabadmin regenerate_internal_tokens --certs
5. Disable Services You’re Not Using
What does this do?
A few services that can be used to access your Server or communicate with it externally are by default turned on. If you’re not using them, it’s best to just turn them off so you remove the “surface” – to paraphrase JMac – of the server that could potentially be attacked. In particular, the REST API and JMX service should be disabled if they aren’t actively being used.
What you need to type in
tabadmin stop
tabadmin set api.server.enabled false
tabadmin configure
tabadmin set service.jmx_enabled false
tabadmin configure
tabadmin start
6. Enable HTTP Strict Transport Security for web browser Clients
What does this do?
In simple terms, HTTPS is the secured version of HTTP, the protocol used by your browser to exchange data with a website it is connected to. Pretty much. By enabling HTTPS, you are ensuring that any communication between your server and a conforming web browser will be properly encrypted using the HTTPS specifications.
What you need to type in
tabadmin stop
tabadmin set gateway.http.hsts: true
tabadmin configure
tabadmin start
That’s all I’ve got for now! As I said, all of these tips are available in Tableau’s security hardening documentation. I selected these ones out of the list of 15 because these are the ones JMac made us go through yesterday, and because they require very little effort and only a few simple tabadmin commands. For a full guide, head over to the link posted above. However, for the time being, you’ve managed to increase your server’s security and refresh many of its key encryption keys and security tokens, so if your server had been compromised, you can guarantee that the hackers have been pushed out now! Another win for the good guys, oooh yeaaah.