Security Best Practices For A Yellowfin Instance


The biggest point I can make here is: update, update, update! We release monthly patches to our major versions, containing defect fixes, enhancements, and library updates. If you let yourself fall behind on updates, you may be leaving older library versions in play. We have an article on the best practices regarding a Yellowfin update, I highly suggest you review the article and develop an update plan.

Other Considerations

Configure HTTPS to encrypt your authentication to Yellowfin. This will help protect user credentials from being intercept by sniffing or man in the middle attacks.

Encrypt traffic between Yellowfin and your RDBMS. This can be done for both data sources and the configuration database. As this process may vary between RDBMS types, some independent research will have to be done. If you have issues with a particular step don't hesitate to submit a support ticket.

Password Policies and credentials. Change the default credentials! Yellowfin has a configurable password policy. This can be accessed via 'Administration' > 'Configuration' > Padlock Icon > 'Password Settings':

Alternatively, if you have Active Directory, Yellowfin supports LDAP Authentication. This allows a more centralized, granular control over password policies and users.

Run the service as a non-privileged user. It's best practice to create a service user for any running service, which helps mitigate an attacker from spreading through the system with root or admin privileges. If you're running Yellowfin on Linux, you can follow this article to properly set up your service. In Windows, this can be altered through the Services applet. I like to ensure the user doesn't have login or shell permissions.

Database credentials. Set up specific users that Yellowfin will use to access any RDBMS. Using a root account or an over-privileged account only leaves doors open in the event of a breach. In example, if I'm reporting against a MySQL Database, I'll create a user account with SELECT Privileges on the database I'd like to report on. Principle of least privilege here.

Firewalls. Ensure your host-based firewall only allows what's needed to access the services running on the server. This process seems tedious, but once it's done it rarely needs adjustment.

Disable access to information pages of Yellowfin from unauthenticated users. These pages provide system and library information about the Yellowfin instance, among other things. This is possible via this article.

Monitor Tomcat's version and update it. Our upgrade process doesn't update the bundled Tomcat that ships with Yellowfin. We have information on this process available here.

All of these considerations will help to increase your security stance. As always, don't hesitate to reach out and open a support ticket for any particular concerns. We are here to help!

Is this article helpful?
2 0 0