Anybody heard of Micro Focus DSD?

We installed COBOL Server 2.3 Update 1 on a Windows Server 2008 server with File Share as the only server role installed/setup/enabled. Our IT security people periodically run a commercially available network scanning tool they refer to as ACAS in order to assure compliance with all of Navy's rules. The following is an excerpt from an e-mail my supervisor just received from them -

The software/website is part of the Micro Focus DSD package. It's likely an embedded webserver installed as part of that package. There may be an update to the software, or there may be no way to fix this other than through the vendor. This is the output from the ACAS plugin:

When processing the following request :

    GET / HTTP/1.0

this web server leaks the following private IP address :

    172.17.5.118

as found in the following collection of HTTP headers :

    HTTP/1.0 200 OK
    Server: Micro Focus DSD 1.20.15
    Cache-control: private,no-cache
    ?Pragma: no-cache
    Expires: -1
    Content-Type: text/html
    Set-Cookie: MF_CLIENT=mfuser ; path=/; HttpOnly
    MF-Cookie-1: MF_CLIENT=mfuser ;
    Set-Cookie: MF_SESSION=d47636b0 ; path=/; HttpOnly
    MF-Cookie-2: MF_SESSION=d47636b0 ;
    Set-Cookie: MF_DS=172.17.5.118:86 ; path=/; HttpOnly
    MF-Cookie-3: MF_DS=172.17.5.118:86 ;
    Set-Cookie: MF_CONTACT=1462794401 ; path=/; HttpOnly
    MF-Cookie-3: MF_CONTACT=1462794401 ;
    Content-Length: 35432

Since this server doesn't have IIS installed or active, how can it be responding to web requests? And what is Micro Focus DSD?
  • Verified Answer

    "Micro Focus DSD" is the name that MFDS, the Micro Focus Directory Server, uses to identify itself in HTTP responses. It's not a separate product; it's part of several Micro Focus products, including Visual COBOL, Enterprise Developer, and Enterprise Server.

    IIS is only one HTTP server among many. The absence of IIS just means IIS won't be responding to HTTP requests. In this case, it's MFDS that's responding to the requests from ACAS.

    I would call the "issue" being reported by ACAS a false positive - in fact, I think it's a meaningless check. Unfortunately most of these web scanning tools are rather poor quality; they flag many things that have little or no security impact, or are outright incorrect.

    If you need to have this changed to comply with a requirement, please open an incident and ask your Micro Focus Customer Care representative to raise a problem report so Development can schedule a change. (It's not really accurate to call it a "fix", since the existing behavior isn't broken, except in the mind of whoever added that check to ACAS.)

  • Thank you for the response.  I've followed your advice and opened an incident.  If I can't "close this hole", so to speak, then I will perpetually have to describe/explain/defend its existence to the never-ending column of admin-type managers sticking their noses into technical matters.
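
The check described in the scanner output can be reproduced offline against a saved response, which is useful for confirming which headers carry the address before and after any change. The Python below is an added example, not part of the original thread and not ACAS or Micro Focus code; the function name `private_ips_in_headers` is made up here, and the sample input is the header block quoted in the question.

```python
import ipaddress
import re

# Header block exactly as quoted in the ACAS output in the question.
SAMPLE = """\
HTTP/1.0 200 OK
Server: Micro Focus DSD 1.20.15
Cache-control: private,no-cache
?Pragma: no-cache
Expires: -1
Content-Type: text/html
Set-Cookie: MF_CLIENT=mfuser ; path=/; HttpOnly
MF-Cookie-1: MF_CLIENT=mfuser ;
Set-Cookie: MF_SESSION=d47636b0 ; path=/; HttpOnly
MF-Cookie-2: MF_SESSION=d47636b0 ;
Set-Cookie: MF_DS=172.17.5.118:86 ; path=/; HttpOnly
MF-Cookie-3: MF_DS=172.17.5.118:86 ;
Set-Cookie: MF_CONTACT=1462794401 ; path=/; HttpOnly
MF-Cookie-3: MF_CONTACT=1462794401 ;
Content-Length: 35432
"""

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Exactly four dotted groups, so the three-part version "1.20.15" in the
# Server header is never treated as an address.
DOTTED_QUAD = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def private_ips_in_headers(raw):
    """Return (header name, address) for each RFC 1918 address in a header value."""
    findings = []
    for line in raw.splitlines()[1:]:        # first line is the status line
        name, sep, value = line.partition(":")
        if not sep:                          # not a "Name: value" line
            continue
        for candidate in DOTTED_QUAD.findall(value):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ValueError:               # e.g. an octet above 255
                continue
            if any(addr in net for net in RFC1918):
                findings.append((name.strip(), str(addr)))
    return findings


if __name__ == "__main__":
    for header, addr in private_ips_in_headers(SAMPLE):
        print(f"{header}: {addr}")
```

On the quoted response this reports the address twice, once in the `Set-Cookie` header that sets `MF_DS` and once in the matching `MF-Cookie-3` header.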