Securing an Installation
  • 27 Jul 2022
  • 3 Minutes to read
  • Dark
    Light

Securing an Installation

  • Dark
    Light

It is important to consider security risks and potential attacks on a user's the environment/system. Such threats that may afflict a system may include things such as Cross Frame Scripting or Clickjacking

Fortunately, users can secure their installation via the following methods:

  • Windows Integrated Security
  • Securing Cookies: HTTPS Installations Only
  • Configuring Same Site Cookies
  • Displaying Exception Details
  • Excluding specific File Extensions 
  • Securing TLS
Considerations and Assistance 
Please review Upgrading Decisions (v6 to v7) for important considerations before proceeding with an upgrade.

If assistance is required to secure a Decisions installation, contact support@decisions.com.

Installing Using Windows Integrated Security

If a user previously set up MSSQL Server with their Windows Authentication credentials, they may use these credentials to use Windows Integrated Security for their Database Connection.

Installing with Windows Integrated Security may especially be beneficial for System Administrators that are reliant on Windows Integrated Security or users conducting a Local installation.
  1. Run the installer and continue until reaching the Settings window. Define the desired Directory. Then, check the Show Service Settings box and click Next.
  2. From the Service Settings window, under Service Account, select Specify Account, then input the corresponding Windows Username and Password. Then click Next.

    Note that these Account credentials should match the login for the computer installing Decisions.
  3. Establish a database connection. Then under Connection Settings, select Windows Integrated Security. Then click Next. 
  4. Proceed with the rest of the installation as demonstrated in the previous example. 
Password Reset
The default password provided by Decisions should be changed immediately to secure the environment. 

Secure Cookies: HTTPS Installations Only

  • Secure Cookies is a feature that no longer requires configuration in v7.
  • If an installation is using HTTPS for web traffic communication, Decisions will by use Secure Cookies by default. 

Same Site Cookies

  1. From the Decisions Server Folder within the default Decisions installation location (typically C:\Program Files\Decisions), add the following XML value to the Settings.xml file.
    <DefaultSameSiteCookieMode></DefaultSameSiteCookieMode>


  2. Enter one of the following text values between the DefaultSameSiteCookieMode tags according to the desired cookie settings.

    Text ValueCookie Properties
    NoneIndicates the client should disable same site restrictions
    LaxIndicates the client should send the cookie with "same-site requests, and with "cross-site" top-level navigations.
    StrictIndicates the client should only send the cookie with "same-site" requests.

    The following screenshot provides an example of the DefaultSameSiteCookieMode configuration in the Settings.xml file of a Decisions App Server.


Enabling Show Exception Details 

  1. From the Decisions Studio, navigate to System > Settings. Open Portal Settings
  2. Under PORTAL SETTINGS, enable the Show Exception Details setting, then click SAVE.

    This setting enables Exception Details to display within the Portal. This is enabled by default.


Protecting Against Cross-Frame Scripting (XFS) Attacks and Clickjacking

  1. Navigate to C:\Program Files\Decisions\Decisions Server and open the Settings.xml as an Administrator.
  2. Add the following code before the closing </Settings> tags in the xml.

    This tag makes the necessary changes to the Content-Security-Policy by adding custom headers that will embed Decisions with the domain in [BasePortalURL].
    <CustomHeaders>
    	<CustomHeader>
    		<Name>Content-Security-Policy</Name>
    		<Value>frame-ancestors 'self'; default-src 'self'; script-src https://[BasePortalURL] 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; worker-src 'self' 'unsafe-inline' blob:</Value>
    		<Name>X-Content-Type-Options</Name>
    		<Value>nosniff</Value>
    	</CustomHeader>
    	<CustomHeader>
    		<Name>X-Content-Type-Options</Name>
    		<Value>nosniff</Value>
    	</CustomHeader>
    </CustomHeaders>


  3. Restart the server. If applied correctly, the tags as shown for requests in the Chrome Dev Tools.



Enabling Transport Layer Security (TLS) 

The following section demonstrates how to enable Decisions to run with the most secure TLS Setting. Refer to Microsoft's documentation for more information on TLS settings.

  1. From Decisions Studio, navigate to System > Settings. Open Integration Settings
  2. Under SETTINGS > Security Option, select Secure. Save and exit.



v7.12+ - Enabling HTTP Strict Transport Security (HSTS) 

By using HSTS, via response header, a web app can set up in in a way that prevents any communications from being conducted via HTTP. This can be used to prevent access to any untrusted or invalid certificates.

  1. From from DecisionsServerInstaller.exe, click EDIT SETTINGS.
  2. Locate and set EnableHttp to False
  3. Set EnableHttps to True, then Set EnableHsts to True.

  4. Click Save to save the Settings and exit the window.
  5. Restart Decisions via RESTART SERVICE.


Excluding File Extensions

Excluding File Extensions, helps to limit the type of files that can be added to a Decisions environment, thus protecting users from the threat of potentially harmful files. To do so:

  1. From Decisions Studio, navigate to System > Settings > Portal Settings. Navigate to the GLOBALIZATION SETTINGS category. 
  2. Under Extensions Not Allowed, define the desired extensions within the text box, to exclude them. 

Excluded Extensions List

The following list represents the type of extensions (executable/scripts) that can be restricted via the Extensions Not Allowed box.

Excluded Extensions

File ExtensionFile Type 
.asaASP Declarations file
.ashxASP.NET Web handler file. Web handlers are software modules that handle Raw HTTP requests received by ASP.NET.
.asmxASP.NET Web Services source file
.asp/,aspxActive Server Page files 
.bat Batch file
.chmCompiled HTML Help file 
.cmdMicrosoft Windows NT command script
.comMicrosoft MS-DOS program
.dllWindows dynamic-link library
.exeExecutable file 
.gadgetWindows Gadget
.hlpHelp file
.htaHTML program 
.htr Script file
.htwHTML document
.msc Microsoft Common Console document 
.mshMicrosoft Agent Script helper
.msh1 Microsoft Agent Script helper
.msh1xmlMicrosoft Agent Script helper
.msh2Microsoft Agent Script helper 
.msh2xmlMicrosoft Agent Script helper
.mshxmlMicrosoft Agent Script helper
.msiMicrosoft Windows Installer package file 
.mspWindows Installer Update package file 
.pifShortcut to MS-DOS program
.plPerl script
.prfSystem file
.prgProgram Source file
.ps1 Windows PowerShell cmdlet file
.ps1xmlWindows PowerShell Display configuration file
.ps2 Windows PowerShell cmdlet file 
.ps2xmlWindows PowerShell Display configuration file
.psc1Windows PowerShell Console file
.psc2 Windows PowerShell Console file
.rarCompressed file
.regRegistration entries 
.remACT! Database maintenance file
.scfWindows Explorer command file
.scrScreensaver 
.sfxCompressed file 
.shbWindows shortcut 
.shtmHTML file that contains Server-Side directives
.shtmlHTML file that contains Server-Side directives 
.stmHTML file that contains Server-Side directives 
.svc Windows Communication Foundation (WCF) Service file
.urlUniform Resource Locator (Internet shortcut) 
.vbeVBScript Encoded Script file
.vbs VBScript file
.zipCompressed file



Expand the above to tag to view the list of extensions available for exclusion.


For further information on Installation, visit the Decisions Forum.

Was this article helpful?