Prevent none entrusted people to access the TM1 data on the Windows Server

Product:
Cognos TM1 version 9.5.1

Problem:
Prevent none entrusted people to access the TM1 data on the Windows Server.

Cause:
If you rename the file }ClientProperties.cub in the TM1 folder, then all passwords in the TM1 cube is replaced with “blank” and you can easy access the TM1 cube from a program like Architect.

Solution:
Recommendation is to also secure the windows folders where you have TM1 instances created to only allow the Windows service account access.

Note down what Windows service account are running the TM1 services in Windows.
Stop the TM1 service.
In Windows Explorer go to the folder for you TM1 instance e.g. \tm1servers\tm1planning
Right click on TM1Planning and select Properties
In the tab Security click on Advance button.
In “Advance Security Settings for …” uncheck the mark for “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.”
On the Security dialog that pops up select the “remove” button
Now all access rights for that folder are removed.
Click on the “add” button
Enter the name of the service account and click on check names
(You may need to change locations to be the entire windows domain)
Mark allow for Full Control.

I recommend to also adding the local administrator group and system to the folder as a backup access point, but this increase the risk of access.

Click OK several times to get out of the Security dialog.

Now you can start the TM1 service and check if you can login from Architect.
The password for the TM1 Planning Sample application is apple for the admin user.