The reason that this becomes an issue is due to most likely an outdated .htaccess file. Please note that Acquia Cloud does not use Windows services so these warnings made known by security scans/teams are application level that developers can resolve.
web.config accessible to the public (Windows Vulnerability Detected) | Acquia Product Documentation
Cloud Platform
web.config accessible to the public (Windows Vulnerability Detected)