After doing some research on the issue, I found an article from IBM saying how this fixed the issue for 11.1:
https://www.ibm.com/support/pages/node/966943
I tried it on our system and it worked. I sent the steps to Investar bank and it also solved their issue.
Here is how to correct the issue:
- Create this folder on the H360 Application Server WEB-INF
x:\Program Files\IBM\CognosAnalytics\Bankxx\webcontent\WEB-INF
- Put the attached file in the folder.
- Stop and Restart the IBM Cognos Service
------------------------------
brenda grossnickle
BI Programmer Analyst
FIS
------------------------------
Original Message:
Sent: Thu July 23, 2020 04:08 PM
From: brenda grossnickle
Subject: web.config flagged by customer security scan
We have a client who ran a security scan and web.config was flagged. If you use the URL http:\\CognosSite:PortNumber\web.config anyone that uses Cognos can see the contents of that file. Not sure why that is a security threat but my client wants it "fixed". Is this the normal setup for a web service or is there something that I can do to lock down web.config?
------------------------------
brenda grossnickle
BI Programmer Analyst
FIS
------------------------------