- 19 May 2022
- 3 Minutes to read
-
Print
-
DarkLight
Securing a Decisions Installation
- Updated on 19 May 2022
- 3 Minutes to read
-
Print
-
DarkLight
Overview
When installing, it is important to consider possible security risks and potential attacks on an instance or environment.
Fortunately, there are a number of ways to secure an installation including:
- Installing with Windows Integrated Security credentials
- Configuring cookies
- Enabling HTTP Strict Transport Security (HSTS)
- Securing TLS
- Displaying exception details
- Excluding specific file extensions
- Protecting against cross-frame scripting and/or clickjacking
Installing with Windows Integrated Security
If a user previously set up MSSQL Server with their Windows authentication credentials, they may use these same credentials to enable Windows Integrated Security on their database connection.
This may be beneficial for system administrators reliant on Windows Integrated Security and for users conducting a local installation.
- Proceed with installation until the Database Setup and Hosting Options section of the Installation Guide.
- From the Settings section, define the desired Directory. Enable the Show Service Settings checkbox. Click Next.
- In the Service Settings window, under Service Account select Specify Account.
Input the Windows Username and Password matching the Windows account logged into the installing computer/FileSystem. Click Next. - From the Database Setup page, select MS SQL for the Database Type. Under Connection Type, select Basic and then enter the corresponding database server and name via DB Server and DB Database respectively.
Under Connection Settings, select Windows Integrated Security. Click Next. - Proceed with the rest of the installation.
Configuring Cookies
Secure Cookies for HTTPS
Secure cookies no longer require configuration in v8.
If an installation uses HTTPS for web traffic communication, secure cookies are enabled by default.
Same Site Cookies
- From the Decisions Server Folder within the default Decisions installation location aka C:\Program Files\Decisions, add the following value to the Settings.xml file.
<DefaultSameSiteCookieMode></DefaultSameSiteCookieMode>
- Enter one of the following text values between the DefaultSameSiteCookieMode tags according to the desired cookie settings.
Text Value Cookie Properties None Indicates the client should disable same site restrictions Lax Indicates the client should send the cookie with "same-site requests, and with "cross-site" top-level navigations. Strict Indicates the client should only send the cookie with "same-site" requests.
Enabling HTTP Strict Transport Security (HSTS)
By using HSTS via response header, a web app can prevent any HTTP communications by forcing only HTTPS communications. This may prevent access to any untrusted or invalid certificates. It also disables prompts asking a user to temporarily trust a certificate.
The following instructions configure this for a self-hosted installation.
- Complete a Decisions installation.
- Run the installer as an Administrator. Click EDIT SETTINGS.
- Locate the EnableHttp setting and set it to False.
- Locate the EnableHttps setting and set it to True. Set the HttpsPort to 443.
- Locate the EnableHsts setting and set it to True. Click Save to confirm.
- Restart Decisions via RESTART SERVICE.
Securing TLS (Transport Layer Security)
- From Decisions Studio, navigate to System > Settings. Open Integration Settings.
- Under SETTINGS > Security Option, select Secure. Click SAVE.
Show Exception Details
- From the Decisions Studio, navigate to System > Settings. Open Portal Settings.
- Under the PORTAL SETTINGS category, enable the Show Exception Details setting, then click SAVE.
Excluding File Extensions
Excluding file extensions limit the allowed file types within an instance, thus protecting users from the threat of potentially harmful, unknown files.
- From Decisions Studio, navigate to System > Settings > Portal Settings.
- Navigate to the GLOBALIZATION SETTINGS category.
- Under Extensions Not Allowed, enter the file extensions to exclude within the text box. Click SAVE to confirm.
Excluded Extensions List
The following list details all extensions/executable/scripts that can be restricted by the Extensions Not Allowed setting.
File Extension | File Type |
---|---|
.asa | ASP Declarations file |
.ashx | ASP.NET Web handler file. Web handlers are software modules that handle Raw HTTP requests received by ASP.NET. |
.asmx | ASP.NET Web Services source file |
.asp/,aspx | Active Server Page files |
.bat | Batch file |
.chm | Compiled HTML Help file |
.cmd | Microsoft Windows NT command script |
.com | Microsoft MS-DOS program |
.dll | Windows dynamic-link library |
.exe | Executable file |
.gadget | Windows Gadget |
.hlp | Help file |
.hta | HTML program |
.htr | Script file |
.htw | HTML document |
.msc | Microsoft Common Console document |
.msh | Microsoft Agent Script helper |
.msh1 | Microsoft Agent Script helper |
.msh1xml | Microsoft Agent Script helper |
.msh2 | Microsoft Agent Script helper |
.msh2xml | Microsoft Agent Script helper |
.mshxml | Microsoft Agent Script helper |
.msi | Microsoft Windows Installer package file |
.msp | Windows Installer Update package file |
.pif | Shortcut to MS-DOS program |
.pl | Perl script |
.prf | System file |
.prg | Program Source file |
.ps1 | Windows PowerShell cmdlet file |
.ps1xml | Windows PowerShell Display configuration file |
.ps2 | Windows PowerShell cmdlet file |
.ps2xml | Windows PowerShell Display configuration file |
.psc1 | Windows PowerShell Console file |
.psc2 | Windows PowerShell Console file |
.rar | Compressed file |
.reg | Registration entries |
.rem | ACT! Database maintenance file |
.scf | Windows Explorer command file |
.scr | Screensaver |
.sfx | Compressed file |
.shb | Windows shortcut |
.shtm | HTML file that contains Server-Side directives |
.shtml | HTML file that contains Server-Side directives |
.stm | HTML file that contains Server-Side directives |
.svc | Windows Communication Foundation (WCF) Service file |
.url | Uniform Resource Locator (Internet shortcut) |
.vbe | VBScript Encoded Script file |
.vbs | VBScript file |
.zip | Compressed file |
Protecting Against Cross-Frame Scripting (XFS) Attacks and Clickjacking
- Navigate to C:\Program Files\Decisions\Decisions Server and open the Settings.xml as an Administrator.
- Add the following code before the closing </Settings> tags in the xml.
This tag makes the necessary changes to the Content-Security-Policy by adding custom headers that will embed Decisions with the domain in [BasePortalURL].<CustomHeaders> <CustomHeader> <Name>Content-Security-Policy</Name> <Value>frame-ancestors 'self'; default-src 'self'; script-src https://[BasePortalURL] 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; worker-src 'self' 'unsafe-inline' blob:</Value> <Name>X-Content-Type-Options</Name> <Value>nosniff</Value> </CustomHeader> <CustomHeader> <Name>X-Content-Type-Options</Name> <Value>nosniff</Value> </CustomHeader> </CustomHeaders>
- Restart the server. If applied correctly, the tags as shown for requests in the Chrome Dev Tools.