Securing a Decisions Installation

  • 27 Mar 2023

  This documentation version is deprecated; refer to the latest version of this article.

When installing Decisions, consider the security risks to the instance and its environment and the attacks it may face.

Fortunately, there are a number of ways to secure an installation, covered in the sections below:


Securing Cookies for HTTPS Installs

There are two web.config files that must be modified to secure cookies:

  • C:\Program Files\Decisions\Decisions Web Host - web.config
  • C:\Program Files\Decisions\Decisions Web Host\HUI - web.config

  1. In both web.config files, add the following line inside the <system.web> section.
    <httpCookies requireSSL="true" />
  2. Then update the existing <forms> tag so that it includes requireSSL="true":
    <forms loginUrl="Login.aspx" timeout="20160" slidingExpiration="true" path="/" name="WFAuthCookie" requireSSL="true" />

  3. Open the instance as an Administrator, then navigate to System > Settings and open Portal Settings.


Show Exception Details

Within the Edit Portal Settings dialog, scroll to the Portal category and enable the Secure Cookies and Show Exception Details settings. With Show Exception Details enabled, the portal displays the details of any exception it raises.


From here, view the details of the error or contact support for additional assistance.


Protecting against Cross-frame Scripting (XFS) attacks and clickjacking

Open the C:\Program Files\Decisions\Decisions Web Host\web.config file and add the following inside the <system.webServer> section. All three headers go in a single <customHeaders> collection: X-Frame-Options stops other origins from framing the portal, the Content-Security-Policy restricts where scripts, images, styles, fonts and workers may be loaded from, and X-Content-Type-Options stops browsers from MIME-sniffing responses.

    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
            <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; worker-src 'self' 'unsafe-inline' blob:" />
            <add name="X-Content-Type-Options" value="nosniff" />
        </customHeaders>
    </httpProtocol>
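After editing the files by hand it is easy to miss one of them, so the following added Python script (example code, not part of Decisions or this article) parses a web.config and reports which of the cookie settings from "Securing Cookies for HTTPS Installs" and which of the response headers from this section are missing or carry an unexpected value. It assumes the standard ASP.NET/IIS layout, with <forms> under <system.web><authentication> and <httpProtocol> under <system.webServer>; the two sample configs embedded in it are constructed for the demonstration.

```python
"""Audit a web.config for the cookie and header hardening described above.

Added example (not Decisions' code): it parses the XML and lists which of the
recommended settings are missing or wrong. Assumptions: <forms> sits under
<system.web><authentication> and <httpProtocol> under <system.webServer>, as in
a standard ASP.NET/IIS web.config. Both sample configs below are constructed.
"""
import xml.etree.ElementTree as ET

# Response headers the article adds under <httpProtocol><customHeaders>
REQUIRED_HEADERS = ("X-Frame-Options", "Content-Security-Policy", "X-Content-Type-Options")


def _attr_is_true(element, attr):
    """True only when the element exists and the attribute reads 'true'."""
    return element is not None and element.get(attr, "").strip().lower() == "true"


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # <httpCookies requireSSL="true"/>: ASP.NET marks every cookie Secure
    if not _attr_is_true(root.find("./system.web/httpCookies"), "requireSSL"):
        findings.append("system.web/httpCookies: requireSSL is not 'true'")

    # <forms requireSSL="true"/>: the forms-authentication cookie is HTTPS-only
    if not _attr_is_true(root.find("./system.web/authentication/forms"), "requireSSL"):
        findings.append("system.web/authentication/forms: requireSSL is not 'true'")

    # Collect every <add name=... value=...> under customHeaders
    headers = {}
    for add in root.findall("./system.webServer/httpProtocol/customHeaders/add"):
        headers[add.get("name", "")] = add.get("value", "")
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"customHeaders: {name} is missing")

    # Value checks for the headers that are present
    if "X-Frame-Options" in headers:
        xfo = headers["X-Frame-Options"].strip().upper()
        if xfo not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options: unexpected value {xfo!r}")
    if "X-Content-Type-Options" in headers:
        xcto = headers["X-Content-Type-Options"].strip().lower()
        if xcto != "nosniff":
            findings.append(f"X-Content-Type-Options: expected 'nosniff', got {xcto!r}")
    return findings


# Constructed sample: a web.config before hardening
UNHARDENED_SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="20160" slidingExpiration="true" path="/" name="WFAuthCookie" />
    </authentication>
  </system.web>
  <system.webServer />
</configuration>"""

# Constructed sample: the same file with the settings from this article applied
HARDENED_SAMPLE = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="20160" slidingExpiration="true" path="/" name="WFAuthCookie" requireSSL="true" />
    </authentication>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for label, sample in (("unhardened", UNHARDENED_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        findings = audit_web_config(sample)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it against both web.config paths listed above (read each file and pass its text to audit_web_config) after applying the changes; the unhardened sample produces five findings and the hardened sample none.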



Protecting against header injection attacks

Ensure that a host name is set on the IIS binding for the site, so that IIS only serves requests whose Host header matches a configured name. Note that you can set multiple host headers here.



How to secure TLS

Refer to Microsoft's Transport Layer Security (TLS) registry settings article to learn how TLS protocol versions are configured on Windows.

Navigate to System > Settings > Integration Settings. In the Security Options drop-down, choose Secure so that Decisions runs with the most secure TLS setting.



Excluding File Extensions

Excluding file extensions limits the file types allowed within an instance, protecting users from potentially harmful, unknown files.

  • Navigate to System > Settings > Portal Settings
  • Under the Globalization Settings category, locate the Extensions Not Allowed text box and enter each extension to exclude from the instance.

Excluded Extensions List

The following table lists the extension types (executables and scripts) that can be restricted via the Extensions Not Allowed box.

  File Extension   File Type
  .asa             ASP Declarations file
  .ashx            ASP.NET Web handler file. Web handlers are software modules that handle raw HTTP requests received by ASP.NET.
  .asmx            ASP.NET Web Services source file
  .asp / .aspx     Active Server Page files
  .bat             Batch file
  .chm             Compiled HTML Help file
  .cmd             Microsoft Windows NT command script
  .com             Microsoft MS-DOS program
  .dll             Windows dynamic-link library
  .exe             Executable file
  .gadget          Windows Gadget
  .hlp             Help file
  .hta             HTML program
  .htr             Script file
  .htw             HTML document
  .msc             Microsoft Common Console document
  .msh             Microsoft Agent Script helper
  .msh1            Microsoft Agent Script helper
  .msh1xml         Microsoft Agent Script helper
  .msh2            Microsoft Agent Script helper
  .msh2xml         Microsoft Agent Script helper
  .mshxml          Microsoft Agent Script helper
  .msi             Microsoft Windows Installer package file
  .msp             Windows Installer Update package file
  .pif             Shortcut to MS-DOS program
  .pl              Perl script
  .prf             System file
  .prg             Program Source file
  .ps1             Windows PowerShell cmdlet file
  .ps1xml          Windows PowerShell Display configuration file
  .ps2             Windows PowerShell cmdlet file
  .ps2xml          Windows PowerShell Display configuration file
  .psc1            Windows PowerShell Console file
  .psc2            Windows PowerShell Console file
  .rar             Compressed file
  .reg             Registration entries
  .rem             ACT! Database maintenance file
  .scf             Windows Explorer command file
  .scr             Screensaver
  .sfx             Compressed file
  .shb             Windows shortcut
  .shtm            HTML file that contains Server-Side directives
  .shtml           HTML file that contains Server-Side directives
  .stm             HTML file that contains Server-Side directives
  .svc             Windows Communication Foundation (WCF) Service file
  .url             Uniform Resource Locator (Internet shortcut)
  .vbe             VBScript Encoded Script file
  .vbs             VBScript file
  .zip             Compressed file
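To illustrate what an extension denylist check of this kind has to take care of, here is an added Python example (it is not the Decisions implementation and makes no claim about how the product evaluates the Extensions Not Allowed box). It uses the list from the table above and normalises the file name before checking it: only the final path component is considered, the comparison is case-insensitive, and trailing dots and spaces are stripped because Windows drops them when it creates the file. It also treats every dotted segment as a candidate extension, which is stricter than looking at the last one only.

```python
"""Illustrative upload-name check against the Extensions Not Allowed list.

Added example, not Decisions' code. The denylist is the table above; the
normalisation rules and the all-segments policy are this example's own choices.
"""

EXTENSIONS_NOT_ALLOWED = {
    ".asa", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".chm", ".cmd", ".com",
    ".dll", ".exe", ".gadget", ".hlp", ".hta", ".htr", ".htw", ".msc", ".msh",
    ".msh1", ".msh1xml", ".msh2", ".msh2xml", ".mshxml", ".msi", ".msp", ".pif",
    ".pl", ".prf", ".prg", ".ps1", ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2",
    ".rar", ".reg", ".rem", ".scf", ".scr", ".sfx", ".shb", ".shtm", ".shtml",
    ".stm", ".svc", ".url", ".vbe", ".vbs", ".zip",
}


def normalise_filename(name):
    """Reduce a client-supplied name to a lower-case base name."""
    # Keep only the final path component, whichever separator the client used
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces when creating a file, so a name
    # such as "setup.exe." is stored as "setup.exe": strip them before checking
    return base.rstrip(". ").lower()


def blocked_extensions(name):
    """Return the denylisted extensions found anywhere in the name, in order."""
    parts = normalise_filename(name).split(".")
    # Every segment after the first dot is a candidate: a.b.c -> .b, .c
    return [f".{p}" for p in parts[1:] if f".{p}" in EXTENSIONS_NOT_ALLOWED]


def is_allowed(name):
    """True when no segment of the name matches the denylist."""
    return not blocked_extensions(name)


if __name__ == "__main__":
    # Constructed sample names covering the edge cases handled above
    for sample in ("quarterly-report.pdf", "Setup.EXE", "C:\\temp\\payload.exe. ",
                   "invoice.ps1.txt", "archive.tar.gz"):
        verdict = "allowed" if is_allowed(sample) else f"blocked {blocked_extensions(sample)}"
        print(f"{sample!r}: {verdict}")
```

Because a denylist only catches what it names, pair it with the rest of the controls on this page rather than relying on it alone; the example is meant to show the normalisation a robust check needs, not to define the list.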
