Securing an Installation

It is important to consider security risks and potential attacks on a user's the environment/system. Such threats that may afflict a system may include things such as Cross Frame Scripting or Clickjacking. 

Fortunately, users can secure their installation via the following methods:

• Windows Integrated Security
• Securing Cookies: HTTPS Installations Only
• Configuring Same Site Cookies
• Displaying Exception Details
• Excluding specific File Extensions This tag makes the necessary changes to the Content-Security-Policy by adding custom headers that will embed Decisions with the domain in [BasePortalURL] 
• Securing TLS

Installing Using Windows Integrated Security

If a user previously set up MSSQL Server with their Windows Authentication credentials, they may use these credentials to use Windows Integrated Security for their Database Connection.

1. Run the installer and continue until reaching the Settings window. Define the desired Directory. Then, check the Show Service Settings box and click Next.
2. From the Service Settings window, under Service Account, select Specify Account, then input the corresponding Windows Username and Password. Then click Next.
   
   Note that these Account credentials should match the login for the computer installing Decisions.
   
3. Establish a database connection. Then under Connection Settings, select Windows Integrated Security. Then click Next. 
   
4. Proceed with the rest of the installation as demonstrated in the previous example. 

Secure Cookies: HTTPS Installations Only

• Secure Cookies is a feature that no longer requires configuration in v7.
• If an installation is using HTTPS for web traffic communication, Decisions will by use Secure Cookies by default. 

Same Site Cookies

1. From the Decisions Server Folder within the default Decisions installation location (typically C:\Program Files\Decisions), add the following XML value to the Settings.xml file.

   <DefaultSameSiteCookieMode></DefaultSameSiteCookieMode>

   
   

2. Enter one of the following text values between the DefaultSameSiteCookieMode tags according to the desired cookie settings.

   Text Value	Cookie Properties
   None	Indicates the client should disable same site restrictions
   Lax	Indicates the client should send the cookie with "same-site requests, and with "cross-site" top-level navigations.
   Strict	Indicates the client should only send the cookie with "same-site" requests.

   
   

   The following screenshot provides an example of the DefaultSameSiteCookieMode configuration in the Settings.xml file of a Decisions App Server.

Enabling Show Exception Details 

1. From the Decisions Studio, navigate to System > Settings. Open Portal Settings. 
2. Under PORTAL SETTINGS, enable the Show Exception Details setting, then click SAVE.
   
   This setting enables Exception Details to display within the Portal. This is enabled by default.
   
   

Protecting Against Cross-Frame Scripting (XFS) Attacks and Clickjacking

1. Navigate to C:\Program Files\Decisions\Decisions Server and open the Settings.xml as an Administrator.
2. Add the following code before the closing </Settings> tags in the xml.
   
   This tag makes the necessary changes to the Content-Security-Policy by adding custom headers that will embed Decisions with the domain in [BasePortalURL].

   <CustomHeaders>
   	<CustomHeader>
   		<Name>Content-Security-Policy</Name>
   		<Value>frame-ancestors 'self'; default-src 'self'; script-src https://[BasePortalURL] 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; worker-src 'self' 'unsafe-inline' blob:</Value>
   	</CustomHeader>
   	<CustomHeader>
   		<Name>X-Content-Type-Options</Name>
   		<Value>nosniff</Value>
   	</CustomHeader>
   </CustomHeaders>

   
   

3. Restart the server. If applied correctly, the tags as shown for requests in the Chrome Dev Tools.
   

Enabling Transport Layer Security (TLS) 

The following section demonstrates how to enable Decisions to run with the most secure TLS Setting. Refer to Microsoft's documentation for more information on TLS settings. Decisions supports versions 1.0, 1.1, 1.2, and 1.3.

1. From Decisions Studio, navigate to System > Settings. Open Integration Settings. 
2. Under SETTINGS > Security Option, select Secure. Save and exit.

   
   

v7.12+ - Enabling HTTP Strict Transport Security (HSTS) 

By using HSTS, via response header, a web app can set up in in a way that prevents any communications from being conducted via HTTP. This can be used to prevent access to any untrusted or invalid certificates.

1. From from DecisionsServerInstaller.exe, click EDIT SETTINGS.
2. Locate and set EnableHttp to False. 
3. Set EnableHttps to True, then Set EnableHsts to True.
   
   
4. Click Save to save the Settings and exit the window.
5. Restart Decisions via RESTART SERVICE.
   
   

Excluding File Extensions

Excluding File Extensions, helps to limit the type of files that can be added to a Decisions environment, thus protecting users from the threat of potentially harmful files. To do so:

1. From Decisions Studio, navigate to System > Settings > Portal Settings. Navigate to the GLOBALIZATION SETTINGS category. 
2. Under Extensions Not Allowed, define the desired extensions within the text box, to exclude them. 

Excluded Extensions List

The following list represents the type of extensions (executable/scripts) that can be restricted via the Extensions Not Allowed box.

Expand the above to tag to view the list of extensions available for exclusion.