
Security Hardening Checklist

  • Version: 2022.1 and later

The following list provides recommendations for improving the security ("hardening") of your Tableau Server installation.

Install security updates

Security updates are included in the latest versions and maintenance releases (MR) of Tableau Server. You cannot install security updates as a patch. Instead, you must upgrade to a current version or MR to update Tableau Server with the latest security fixes.

After you upgrade, always refer to the latest version of this topic. The current version is indicated by /current/ in the topic URL.

For example, the US English version URL is: https://help.tableau.com/current/server/en-us/security_harden.htm

1. Update to the current version

We recommend that you always run the latest version of Tableau Server. In addition, Tableau periodically publishes maintenance releases of Tableau Server that include fixes for known security vulnerabilities. (For information about known security vulnerabilities, see the Tableau Security Bulletins page and the Salesforce Security Advisories page.) We recommend that you review maintenance release notifications to determine whether you should install them.

To get the latest version or maintenance release of Tableau Server, visit the Customer Portal page.

2. Configure SSL/TLS with a valid, trusted certificate

Secure Sockets Layer (SSL/TLS) is essential for helping to secure communications with Tableau Server. Configure Tableau Server with a valid, trusted certificate (not a self-signed certificate) so that Tableau Desktop, mobile devices, and web clients can connect to the server over a secure connection. For more information, see SSL.

3. Disable older versions of TLS

Tableau Server uses TLS to authenticate and encrypt many connections between components and with external clients. External clients, such as browsers, Tableau Desktop, and Tableau Mobile, use TLS to connect to Tableau over HTTPS. Transport Layer Security (TLS) is an improved version of SSL. In fact, older versions of SSL (SSL v2 and SSL v3) are no longer considered adequately secure communication standards. As a result, Tableau Server does not allow external clients to connect using the SSL v2 or SSL v3 protocols.

We recommend that you allow external clients to connect to Tableau Server with TLS v1.3 and TLS v1.2.

TLS v1.2 is still considered a secure protocol, and many clients (including Tableau Desktop) do not yet support TLS v1.3.

Clients that support TLS v1.3 will negotiate TLS v1.3 even if the server also supports TLS v1.2.

The following tsm commands enable TLS v1.2 and v1.3 (using the "all" parameter) and disable SSL v2, SSL v3, TLS v1, and TLS v1.1 (by prepending the minus [-] character to each protocol name). TLS v1.3 is not yet supported by all components of Tableau Server.

tsm configuration set -k ssl.protocols -v "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"

tsm pending-changes apply

You can also modify the default list of cipher suites that Tableau Server uses for SSL/TLS sessions. For more information, see the ssl.ciphersuite section in tsm configuration set Options.
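The ssl.protocols value is applied token by token, so it is easy to misread what a given setting actually leaves enabled. The following Python helper is an added example, not Tableau's code: it expands a value using the syntax described above (whitespace-separated tokens applied left to right, "all" enabling every protocol, a leading minus disabling one) and reports any of the protocols this section says should be off. The list of names that "all" expands to is an assumption for this example, limited to the protocols the checklist names; the real expansion is whatever the Tableau Server gateway implements.

```python
# Added example: interpret a tsm ssl.protocols value and flag weak protocols.
# Not Tableau's code. The expansion of "all" below is an assumption limited
# to the protocol names this checklist mentions.

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Protocols the checklist says external clients should not be offered.
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})

RECOMMENDED_VALUE = "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"


def effective_protocols(value: str) -> set:
    """Expand a tsm ssl.protocols value into the set of enabled protocols.

    Tokens are separated by whitespace and applied left to right:
      "all"    enables every protocol in ALL_PROTOCOLS
      "NAME"   enables NAME (a "+" prefix means the same thing)
      "-NAME"  disables NAME
    Order matters: "all -TLSv1" disables TLS v1, but "-TLSv1 all" does not,
    because "all" re-enables it afterwards.
    """
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def weak_protocols_enabled(value: str) -> set:
    """Return the weak protocols that a given value would still allow."""
    return effective_protocols(value) & WEAK_PROTOCOLS


def audit_ssl_protocols(value: str) -> list:
    """Human-readable findings for a configured value; empty means hardened."""
    findings = []
    weak = weak_protocols_enabled(value)
    if weak:
        findings.append("weak protocols still enabled: " + ", ".join(sorted(weak))
                        + f' (set ssl.protocols to "{RECOMMENDED_VALUE}")')
    if "TLSv1.2" not in effective_protocols(value):
        # The checklist notes that many clients, Tableau Desktop included,
        # do not yet support TLS v1.3, so dropping v1.2 locks them out.
        findings.append("TLSv1.2 disabled; clients that do not yet support "
                        "TLS v1.3 will be unable to connect")
    return findings


if __name__ == "__main__":
    for value in ("all", RECOMMENDED_VALUE, "TLSv1.3", "-TLSv1 all"):
        print(f"{value!r}: enabled={sorted(effective_protocols(value))} "
              f"findings={audit_ssl_protocols(value)}")
```

Read the currently configured value back with tsm configuration get -k ssl.protocols and pass it to audit_ssl_protocols before running tsm pending-changes apply. The helper only tells you what the configuration means; the authoritative check is still a TLS handshake against the server from a client restricted to each protocol version.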

4. Configure SSL encryption for internal traffic

Configure Tableau Server to use SSL to encrypt all traffic between the Postgres repository and other server components. By default, SSL is disabled for communications between server components and the repository. We recommend enabling internal SSL for all instances of Tableau Server, even single-server installations. Enabling internal SSL is especially important for multi-node deployments. See Configure SSL for Internal Postgres Communication.

5. Enable firewall protection

Tableau Server was designed to operate inside a protected internal network.

Important: Do not run Tableau Server, or any components of Tableau Server on the internet or in a DMZ. Tableau Server must be run within the corporate network protected by an internet firewall. We recommend configuring a reverse proxy solution for internet clients that need to connect to Tableau Server. See Configuring Proxies for Tableau Server.

A local firewall should be enabled on the operating system to protect Tableau Server in single and multi-node deployments. In a distributed (multi-node) installation of Tableau Server, communication between nodes does not use secure communication. Therefore, you should enable firewalls on the computers that host Tableau Server.

To prevent a passive attacker from observing communications between nodes, configure a segregated virtual LAN or other network layer security solution.

See Tableau Services Manager Ports to understand which ports and services Tableau Server requires.

6. Restrict access to the server computer and to important directories

Tableau Server configuration files and log files may contain information that is valuable to an attacker. Therefore, restrict physical access to the computer that is running Tableau Server. In addition, make sure that only authorized and trusted users have access to the Tableau Server files in the C:\ProgramData\Tableau directory.

7. Update the Tableau Server Run As User account

By default, Tableau Server runs under the predefined Network Service (NT AUTHORITY\NetworkService) Windows account. Using the default account is acceptable in scenarios where Tableau Server does not need to connect to external data sources that require Windows authentication. However, if your users require access to data sources that are authenticated by Active Directory, update the Run As User to a domain account. Be sure to minimize the privileges of the account that you use for the Run As User. For more information, see Run As Service Account.

8. Generate fresh secrets and tokens

Any Tableau Server service that communicates with the repository or cache server must first authenticate with a secret token. The secret token is generated during Tableau Server setup. The encryption key that internal SSL uses to encrypt traffic to the Postgres repository is also generated during setup.

We recommend that after you install Tableau Server, you generate new encryption keys for your deployment.

These security assets can be regenerated with the tsm security regenerate-internal-tokens command.

Run the following commands:

tsm security regenerate-internal-tokens

tsm pending-changes apply

9. Disable unused services

To minimize the attack surface of Tableau Server, disable any connection points that are not needed.

JMX Service

JMX is disabled by default. If it is enabled but you are not using it, disable it with the following commands:

tsm configuration set -k service.jmx_enabled -v false

tsm pending-changes apply

10. Verify session lifetime configuration

By default, Tableau Server does not have an absolute session timeout. This means that browser-based client (web authoring) sessions can remain open indefinitely as long as the Tableau Server inactivity timeout is not exceeded. The default inactivity timeout is 240 minutes.

If your security policy requires it, you can set an absolute session timeout. Be sure to set the absolute session timeout to a value that accommodates the longest-running extract upload or workbook publishing operation in your organization. Setting the session timeout too low may cause extracts and publishing to fail for long-running operations.

To set the session timeout, run the following commands:

tsm configuration set -k wgserver.session.apply_lifetime_limit -v true

tsm configuration set -k wgserver.session.lifetime_limit -v value, where value is the number of minutes. The default is 1440, or 24 hours.

tsm configuration set -k wgserver.session.idle_limit -v value, where value is the number of minutes. The default is 240.

tsm pending-changes apply

Sessions for connected clients (Tableau Desktop, Tableau Mobile, Tableau Prep Builder, Bridge, and personal access tokens) use OAuth tokens to keep users logged in by re-establishing a session. You can disable this behavior if you want all Tableau client sessions to be governed solely by the browser-based session limits controlled by the commands above. See Disable Automatic Client Authentication.

11. Configure a server whitelist for file-based data sources

By default, Tableau Server allows authorized Tableau Server users to build workbooks that use files on the server as file-based data sources (such as spreadsheets). In this scenario, files are accessed by the Run As service account.

To prevent unwanted access to files, we recommend that you configure the whitelist feature. This lets you limit the Run As service account to only the directory paths where your data files are hosted.

  1. On the computer running Tableau Server, identify the directories where you will host data source files.

    Important: Make sure that the file paths you specify in this procedure exist on the server. If a path does not exist when the computer starts up, Tableau Server will not start.

  2. Run the following commands:

    tsm configuration set -k native_api.allowed_paths -v "path", where path is the directory to add to the whitelist. All subdirectories of the specified path will be added to the whitelist. To specify multiple paths, separate them with a semicolon, as in the following example:

    tsm configuration set -k native_api.allowed_paths -v "c:\datasources;c:\HR\data"

    tsm pending-changes apply
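The whitelist rule stated in this section (a listed directory covers all of its subdirectories; entries are separated by semicolons) is easy to get wrong with plain string-prefix matching. The following Python function is an added example, not Tableau's code and not a description of how Tableau Server itself evaluates native_api.allowed_paths: it models that rule with proper path normalization, so a ".." segment or a sibling directory whose name merely starts with the allowed one is not accepted. It uses ntpath so the Windows paths from the example above evaluate the same way on any platform; the sample paths are constructed.

```python
# Added example: evaluate a file path against a native_api.allowed_paths value.
# Not Tableau's code and not a description of Tableau Server's own check; it
# models the rule on the page (listed directories and all their subdirectories
# are allowed, entries are separated by semicolons) with path normalization.
# ntpath handles Windows paths on any platform.
import ntpath


def parse_allowed_paths(value: str) -> list:
    """Split the whitelist value into normalized, case-folded directories."""
    allowed = []
    for raw in value.split(";"):
        raw = raw.strip()
        if raw:
            allowed.append(ntpath.normcase(ntpath.normpath(raw)))
    return allowed


def is_path_allowed(file_path: str, allowed_value: str) -> bool:
    """True if file_path lies inside a whitelisted directory or a subdirectory.

    normpath collapses '..' segments, so 'c:\\datasources\\..\\x' is compared
    as 'c:\\x'. ntpath.commonpath is used instead of a string-prefix test so
    that 'c:\\datasources2' is rejected when only 'c:\\datasources' is listed.
    """
    target = ntpath.normcase(ntpath.normpath(file_path))
    if not ntpath.isabs(target):
        return False  # a relative path cannot be located against the whitelist
    for allowed in parse_allowed_paths(allowed_value):
        try:
            if ntpath.commonpath([allowed, target]) == allowed:
                return True
        except ValueError:
            # Raised when the two paths are on different drives (c: vs d:)
            # or mix absolute and relative forms: not inside this entry.
            continue
    return False


# Constructed sample: the whitelist value from the tsm example above.
SAMPLE_WHITELIST = r"c:\datasources;c:\HR\data"

if __name__ == "__main__":
    for candidate in (r"c:\datasources\sales\q1.xlsx",
                      r"C:\HR\data\salaries.csv",
                      r"c:\datasources\..\Windows\win.ini",
                      r"c:\datasources2\leak.csv",
                      r"d:\datasources\other.csv"):
        print(f"{candidate:40} -> {is_path_allowed(candidate, SAMPLE_WHITELIST)}")
```

A useful pre-deployment check is to run every data file path your workbooks reference through is_path_allowed with the value you intend to set; anything that returns False will stop working once the whitelist is applied, and any path that unexpectedly returns True points at a directory that is broader than intended.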

12. Enable HTTP Strict Transport Security for web browser clients

HTTP Strict Transport Security (HSTS) is a policy configured on web application services, such as Tableau Server. When a conforming browser encounters a web application running HSTS, then all communications with the service must be over a secured (HTTPS) connection. HSTS is supported by major browsers.

For more information about how HSTS works and the browsers that support it, see The Open Web Application Security Project web page, HTTP Strict Transport Security Cheat Sheet.

To enable HSTS, run the following commands on Tableau Server:

tsm configuration set -k gateway.http.hsts -v true

By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS. You should consider setting a short max-age during initial roll-out of HSTS. To change this time period, run tsm configuration set -k gateway.http.hsts_options -v max-age=<seconds>, where <seconds> is the new period. For example, to set the HSTS policy time period to 30 days, enter tsm configuration set -k gateway.http.hsts_options -v max-age=2592000.

tsm pending-changes apply

13. Disable Guest access

Core-based licenses of Tableau Server include a Guest user option, which allows any user in your organization to see and interact with Tableau views embedded in web pages.

Guest user access is enabled by default on Tableau Servers deployed with core-based licensing.

Guest access allows users to see embedded views. The Guest user cannot browse the Tableau Server interface or see server interface elements in the view, such as user name, account settings, comments, and so on.

If your organization has deployed Tableau Server with core licensing and Guest access is not required, then disable Guest access.

You can disable Guest access at the server or site level.

You must be a server administrator to disable the Guest account at either the server or the site level.

To disable Guest access at the server level:

  1. In the site menu, click Manage All Sites and then click Settings > General.

  2. For Guest Access, clear the Enable Guest account check box.

  3. Click Save.

To disable Guest access for a site:

  1. In the site menu, select a site.

  2. Click Settings, and on the Settings page, clear the Enable Guest account check box.

For more information, see Guest User.

14. Set referrer-policy HTTP header to 'same-origin'

Beginning in 2019.2, Tableau Server includes the ability to configure Referrer-Policy HTTP header behavior. This policy is enabled with a default behavior (no-referrer-when-downgrade) that includes the origin URL for all "secure as" connections, which sends origin referrer information only to like connections (HTTP to HTTP) or those that are more secure (HTTP to HTTPS).

However, we recommend setting this value to same-origin, which only sends referrer information to same-site origins. Requests from outside the site will not receive referrer information.

To update the referrer-policy to same-origin, run the following commands:

tsm configuration set -k gateway.http.referrer_policy -v same-origin

tsm pending-changes apply

For more information about configuring additional headers to improve security, see HTTP Response Headers.
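Sections 12 and 14 each recommend a response header setting: Strict-Transport-Security via gateway.http.hsts, and Referrer-Policy: same-origin via gateway.http.referrer_policy. The following Python check is an added example, not Tableau code: given the response headers a browser would receive, it reports whether both recommendations are in effect, parsing the HSTS max-age so that a deliberately short roll-out value can be accepted through the min_max_age parameter. The header sets at the bottom are constructed samples, not captured from a Tableau Server.

```python
# Added example: audit HSTS and Referrer-Policy on a set of response headers.
# Not Tableau code; the header dictionaries below are constructed samples.

ONE_YEAR_SECONDS = 31536000  # Tableau's default HSTS max-age per the checklist


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.

    Directives are ';'-separated and case-insensitive; "max-age" carries a
    numeric value, flag directives (such as includeSubDomains) map to True.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if has_value else True
    return directives


def audit_security_headers(headers: dict, min_max_age: int = ONE_YEAR_SECONDS) -> list:
    """Return findings for the HSTS and Referrer-Policy recommendations.

    An empty list means both headers match the checklist. Header names are
    matched case-insensitively, as HTTP requires. Lower min_max_age during an
    HSTS roll-out if you have chosen a shorter max-age on purpose.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing "
                        "(gateway.http.hsts is not enabled)")
    else:
        max_age = parse_hsts(hsts).get("max-age")
        if not isinstance(max_age, str) or not max_age.isdigit():
            findings.append("Strict-Transport-Security has no numeric max-age")
        elif int(max_age) < min_max_age:
            findings.append(f"HSTS max-age {max_age} is below {min_max_age}")

    policy = lowered.get("referrer-policy")
    if policy is None:
        findings.append("Referrer-Policy header missing")
    elif policy.strip().lower() != "same-origin":
        findings.append(f"Referrer-Policy is '{policy.strip()}', expected 'same-origin'")
    return findings


# Constructed samples: a hardened server, an unconfigured one, and a 30-day roll-out.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Referrer-Policy": "same-origin",
}
DEFAULT_HEADERS = {
    "Referrer-Policy": "no-referrer-when-downgrade",
}
ROLLOUT_HEADERS = {
    "strict-transport-security": "max-age=2592000",
    "referrer-policy": "same-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("default", DEFAULT_HEADERS),
                        ("rollout", ROLLOUT_HEADERS)):
        print(label, audit_security_headers(hdrs) or "OK")
```

To audit a real deployment, collect the headers with a HEAD request over HTTPS (for example curl -I against the server URL), load them into a dictionary, and call audit_security_headers; because HSTS is only honoured on HTTPS responses, checking a plain HTTP response tells you nothing about the policy.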

15. Configure TLS for SMTP connection

Beginning in 2019.4, Tableau Server includes the ability to configure TLS for the SMTP connection. Tableau Server only supports STARTTLS (Opportunistic or Explicit TLS).

Tableau Server can be optionally configured to connect to a mail server. After configuring SMTP, Tableau Server can be configured to email server administrators about system failures, and email server users about subscribed views and data-driven alerts.

To configure TLS for SMTP:

  1. Upload a compatible certificate to Tableau Server. See tsm security custom-cert add.

  2. Configure TLS connection using TSM CLI.

    Run the following TSM commands to enable and force TLS connections to the SMTP server and to enable certificate verification.

    tsm configuration set -k svcmonitor.notification.smtp.ssl_enabled -v true

    tsm configuration set -k svcmonitor.notification.smtp.ssl_required -v true

    tsm configuration set -k svcmonitor.notification.smtp.ssl_check_server_identity -v true

    By default, Tableau Server will support TLS versions 1, 1.1, and 1.2, but we recommend that you specify the highest TLS version that the SMTP server supports.

    Run the following command to set the version. Valid values are SSLv2Hello, SSLv3, TLSv1, TLSv1.1, and TLSv1.2. The following example sets the TLS version to 1.2:

    tsm configuration set -k svcmonitor.notification.smtp.ssl_versions -v "TLSv1.2"

    For more information about other TLS configuration options, see Configure SMTP Setup.

  3. Restart Tableau Server to apply changes. Run the following command:

    tsm pending-changes apply

16. Configure SSL for LDAP

If your Tableau Server deployment is configured to use a generic LDAP external identity store, we recommend configuring SSL to protect authentication between Tableau Server and your LDAP server. See Configure Encrypted Channel to LDAP External Identity Store.

If your Tableau Server deployment is configured to use Active Directory, we recommend enabling Kerberos to protect authentication traffic. See Kerberos.

17. Scope permissions for non-default installation locations

If you install Tableau Server on Windows to a non-default location then we recommend manually scoping the permissions on the custom installation directory to reduce access.

By default, Tableau Server will install on the system drive. The drive where Windows is installed is the system drive. In most cases, the system drive is the C:\ drive. In this default case, Tableau Server will install into the following directories:

  • C:\Program Files\Tableau\Tableau Server\packages

  • C:\ProgramData\Tableau\Tableau Server

However, many customers install onto a non-system drive or into a different directory. If you selected a different installation drive or directory location during Setup, then the data directory for Tableau Server will install into the same path.

To scope permissions on the custom installation directory, only the following accounts should have the corresponding permissions on the installation folder and all subfolders:

Set permissions for this account                                        Permissions required
The user account that is used to install and upgrade Tableau Server     Full control
The user account that is used to run TSM commands                       Full control
System account                                                          Full control
Run As service account, Network Service, and Local Service              Read & execute

A procedure for setting these permissions can be found at Installing in a non-default location.

Change List

Date             Change
May 2018         Added note: Do not disable the REST API in organizations that run Tableau Prep.
May 2019         Added recommendation about the Referrer-Policy HTTP header.
June 2019        Removed recommendation to disable Triple-DES. Beginning with version 2019.3, Triple-DES is no longer a cipher that SSL supports by default. See What's Changed - Things to Know Before You Upgrade.
January 2020     Added recommendation for configuring TLS for SMTP.
February 2020    Added recommendation for configuring SSL for the LDAP server.
May 2020         Added TLS v1.3 to the list of disabled TLS ciphers. Added a note about topic versioning to the introduction.
August 2020      Added scoped permissions for non-default installations on Windows.
October 2020     Added TLS v1.3 as a cipher that is supported by default.
January 2021     Added note: All products enabled by the Data Management license require the REST API.
February 2021    Removed recommendation to disable the REST API. The API is now used internally by Tableau Server, and disabling it may limit functionality.