Home

Version 8

Securing a Decisions Installation

28 Dec 2022
4 Minutes to read

Print
Share
Dark

Light

Securing a Decisions Installation

Updated on 28 Dec 2022
4 Minutes to read

Print
Share
Dark

Light

Overview

When installing, it is important to consider possible security risks and potential attacks on an instance or environment.

Fortunately, there are a number of ways to secure an installation including:

Installing with Windows Integrated Security credentials
Configuring cookies
Enabling HTTP Strict Transport Security (HSTS)
Securing TLS
Displaying exception details
Excluding specific file extensions
Protecting against cross-frame scripting and/or clickjacking

Installing with Windows Integrated Security

If a user previously set up MSSQL Server with their Windows authentication credentials, they may use these same credentials to enable Windows Integrated Security on their database connection.

This may be beneficial for system administrators reliant on Windows Integrated Security and for users conducting a local installation.

Proceed with installation until the Database Setup and Hosting Options section of the Installation Guide.
From the Settings section, define the desired Directory. Enable the Show Service Settings checkbox. Click Next.
In the Service Settings window, under Service Account select Specify Account.

Input the Windows Username and Password matching the Windows account logged into the installing computer/FileSystem. Click Next.
From the Database Setup page, select MS SQL for the Database Type. Under Connection Type, select Basic and then enter the corresponding database server and name via DB Server and DB Database respectively.

Under Connection Settings, select Windows Integrated Security. Click Next.
Proceed with the rest of the installation.

Configuring Cookies

Secure Cookies for HTTPS

Secure cookies no longer require configuration in v8.

If an installation uses HTTPS for web traffic communication, secure cookies are enabled by default.

Same Site Cookies

From the Decisions Server Folder within the default Decisions installation location aka C:\Program Files\Decisions, add the following value to the Settings.xml file.
```
<DefaultSameSiteCookieMode></DefaultSameSiteCookieMode>
```

Enter one of the following text values between the DefaultSameSiteCookieMode tags according to the desired cookie settings.

Text Value	Cookie Properties
None	Indicates the client should disable same site restrictions
Lax	Indicates the client should send the cookie with "same-site requests, and with "cross-site" top-level navigations.
Strict	Indicates the client should only send the cookie with "same-site" requests.

Securing Session ID in Logs

If using v8.5+, users can encrypt the Session ID when viewing logs.

Run the Decisions Installer and click EDIT SETTINGS.
Scroll down to ObfuscateSessionIdInLogs and change the value to True.
Click Save.

Enabling HTTP Strict Transport Security (HSTS)

Available in v8.1+

If interested in upgrading, review the Upgrading section and consult support@decisions.com.

By using HSTS via response header, a web app can prevent any HTTP communications by forcing only HTTPS communications. This may prevent access to any untrusted or invalid certificates. It also disables prompts asking a user to temporarily trust a certificate.

Method 1

The following instructions configure this for a self-hosted installation.

Complete a Decisions installation.
Run the installer as an Administrator. Click EDIT SETTINGS.
Locate the EnableHttp setting and set it to False.
Locate the EnableHttps setting and set it to True. Set the HttpsPort to 443.
Locate the EnableHsts setting and set it to True. Click Save to confirm.
Restart Decisions via RESTART SERVICE.

Method 2

Navigate to C:\Program Files\Decisions\Decisions Server and open the Settings.xml file.
Set the <EnableHsts> value to false.

Add the following to the <CustomHeaders> node:

<CustomHeader>
<Name>Strict-Transport-Security</Name>
<Value>max-age=31536000;includeSubDomains</Value>
</CustomHeader>

Save the Settings.xml file.
Restart Decisions.

Setting Custom Header for Containerised Instance

For containerised instances, the custom header can be set by adding DECISIONS_CUSTOMHEADERS=[{"Name": "Strict-Transport-Security","Value": "max-age=31536000;includeSubDomains"}] to the environment variable file.

Securing TLS (Transport Layer Security)

From Decisions Studio, navigate to System > Settings. Open Integration Settings.
Under SETTINGS > Security Option, select Secure. Click SAVE.

Show Exception Details

The Show Exception Details setting displays exception details within the Portal and is enabled by default. To locate this setting:

From the Decisions Studio, navigate to System > Settings. Open Portal Settings.
Under the PORTAL SETTINGS category, enable the Show Exception Details setting, then click SAVE.

Extensions Not Allowed

In this feature, admin users can block certain file type extensions from being imported or used by the users into the Decisions portal.

From Decisions Studio, navigate to Portal Settings. Search for extensions in the search bar.
To block certain file extensions in Portal, enter them under Extensions Not Allowed.
Note:
If the Extensions Not Allowed field is left empty. No files will be blocked, and all the files will be allowed in the instance.
The following list details all extensions/executables/scripts that can be restricted by the Extensions Not Allowed setting.

File Extension	File Type
.asa	ASP Declarations file
.ashx	ASP.NET Web handler file. Web handlers are software modules that handle Raw HTTP requests received by ASP.NET.
.asmx	ASP.NET Web Services source file
.asp/,aspx	Active Server Page files
.bat	Batch file
.chm	Compiled HTML Help file
.cmd	Microsoft Windows NT command script
.com	Microsoft MS-DOS program
.dll	Windows dynamic-link library
.exe	Executable file
.gadget	Windows Gadget
.hlp	Help file
.hta	HTML program
.htr	Script file
.htw	HTML document
.msc	Microsoft Common Console document
.msh	Microsoft Agent Script helper
.msh1	Microsoft Agent Script helper
.msh1xml	Microsoft Agent Script helper
.msh2	Microsoft Agent Script helper
.msh2xml	Microsoft Agent Script helper
.mshxml	Microsoft Agent Script helper
.msi	Microsoft Windows Installer package file
.msp	Windows Installer Update package file
.pif	Shortcut to MS-DOS program
.pl	Perl script
.prf	System file
.prg	Program Source file
.ps1	Windows PowerShell cmdlet file
.ps1xml	Windows PowerShell Display configuration file
.ps2	Windows PowerShell cmdlet file
.ps2xml	Windows PowerShell Display configuration file
.psc1	Windows PowerShell Console file
.psc2	Windows PowerShell Console file
.rar	Compressed file
.reg	Registration entries
.rem	ACT! Database maintenance file
.scf	Windows Explorer command file
.scr	Screensaver
.sfx	Compressed file
.shb	Windows shortcut
.shtm	HTML file that contains Server-Side directives
.shtml	HTML file that contains Server-Side directives
.stm	HTML file that contains Server-Side directives
.svc	Windows Communication Foundation (WCF) Service file
.url	Uniform Resource Locator (Internet shortcut)
.vbe	VBScript Encoded Script file
.vbs	VBScript file
.zip	Compressed file

Use Extensions Allowed

In this feature, admin users can allow only certain file type extensions from being imported or used by the users into the Decisions portal.

From Decisions Studio, navigate to Portal Settings. Search for extensions in the search bar.
Enable Use Extensions Allowed.
Enter the List of Extensions under the Extensions Allowed field.
Note:
If .zip and .decobj are not mentioned, the Import and Export actions will not work.
If the Extensions Allowed field is left empty, no files will be allowed in the portal.

Protecting Against Cross-Frame Scripting (XFS) Attacks and Clickjacking

Navigate to C:\Program Files\Decisions\Decisions Server and open the Settings.xml as an Administrator.

Add the following code before the closing </Settings> tags in the xml.

This tag makes the necessary changes to the Content-Security-Policy by adding custom headers that will embed Decisions with the domain in [BasePortalURL].

<CustomHeaders>
	<CustomHeader>
		<Name>Content-Security-Policy</Name>
		<Value>frame-ancestors 'self'; default-src 'self'; script-src https://[BasePortalURL] 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; worker-src 'self' 'unsafe-inline' blob:</Value>
		<Name>X-Content-Type-Options</Name>
		<Value>nosniff</Value>
	</CustomHeader>
	<CustomHeader>
		<Name>X-Content-Type-Options</Name>
		<Value>nosniff</Value>
	</CustomHeader>
</CustomHeaders>

Restart the server. If applied correctly, the tags as shown for requests in the Chrome Dev Tools.

For further information on Installation, visit the Decisions Forum.

Was this article helpful?

What's Next

Configuring the Server for SSL (HTTPS)

Table of contents

Overview
Installing with Windows Integrated Security
Configuring Cookies
Securing Session ID in Logs
Enabling HTTP Strict Transport Security (HSTS)
Securing TLS (Transport Layer Security)
Show Exception Details
Extensions Not Allowed
Use Extensions Allowed
Protecting Against Cross-Frame Scripting (XFS) Attacks and Clickjacking