Security Center monitors the security status of your assets in real time, and provides a security score for your assets and the number of detected risks. This topic describes the ranges of scores and deduction items.
Security scores
| Security score | Description | Font color |
|---|---|---|
| 95 to 100 | Your assets are secure. | Green |
| 85 to 94 | Your assets are exposed to a few of security risks. We recommend that you reinforce the security of your system at the earliest opportunity. | Yellow |
| 70 to 84 | Your assets are exposed to a large number of security risks. We recommend that you reinforce the security of your system at the earliest opportunity. | Yellow |
| 69 or lower | Your assets are at high risk. We recommend that you reinforce the security of your system at the earliest opportunity. | Red |
Deduction items
Note
- The maximum security score is 100, and the minimum security score is 10.
- If the security score is greater than 60 after penalty points are endorsed but unhandled alerts are detected, the final score is still 60.
- If the security score is greater than 80 after penalty points are endorsed but unhandled alerts or vulnerabilities are detected, the final score is still 80.
- If the security score is greater than 90 after penalty points are endorsed but unhandled baseline risks are detected, the final score is still 90.
- All paid editions in the following table indicate the Anti-virus, Advanced, Enterprise, and Ultimate editions of Security Center.
| Category | Edition | Reduction item | Penalty point | Suggestion |
|---|---|---|---|---|
| Configurations of core features | All paid editions | Web tamper proofing is disabled. | 5 | Enable web tamper proofing |
| Basic | No rules are configured to prevent brute-force attacks. | 2 | Configure blocking policies based on IP addresses | |
| Basic | Quick installation of the Security Center agent is not authorized. | 2 | If this is the first time that you use this feature, obtain the required permissions. | |
| Advanced, Enterprise, and Ultimate | Configuration assessment is not authorized. | 2 | If this is the first time that you use this feature, obtain the required permissions. | |
| All paid editions | Log analysis is disabled. | 2 | Enable log analysis | |
| All paid editions | Antivirus is disabled. | 2 | Use proactive defense | |
| All paid editions | No anti-ransomware policies are created. | 15 | Create a protection policy | |
| All paid editions | Periodic virus detection is disabled. | 5 | Periodic virus scanning | |
| Advanced, Enterprise, and Ultimate | Container images that can be scanned are not specified. | 5 | Configure a cycle to scan image vulnerabilities | |
| Ultimate | Kubernetes threat detection is disabled. | 5 | Use threat detection on Kubernetes containers | |
| Unhandled alerts | All paid editions | Unhandled high-risk alerts are detected. | 20 | Handle alert events |
| All paid editions | Unhandled medium-risk alerts are detected. | 20 | Handle alert events | |
| All paid editions | Unhandled low-risk alerts are detected. | 20 | Handle alert events | |
| Unfixed vulnerabilities | Advanced, Enterprise, and Ultimate | Unfixed Web-CMS vulnerabilities are detected. | 2 | View and handle Web-CMS vulnerabilities |
| Advanced, Enterprise, and Ultimate | Unfixed Windows system vulnerabilities are detected. | 2 | View and handle Windows system vulnerabilities | |
| Advanced, Enterprise, and Ultimate | Unfixed Linux software vulnerabilities are detected. | 2 | View and handle Linux software vulnerabilities | |
| Advanced, Enterprise, and Ultimate | Unfixed urgent vulnerabilities are detected. | 5 | View and handle urgent vulnerabilities | |
| Advanced, Enterprise, and Ultimate | Urgent vulnerabilities exist but are not detected. If no Elastic Compute Service (ECS) instances are used, no penalty points are endorsed. | 3 | View and handle urgent vulnerabilities | |
| Baseline risks | Enterprise and Ultimate | Baseline risks are detected. | 1 | Manage baseline risks |
| Configuration risks | Advanced, Enterprise, and Ultimate | Anti-DDoS Pro and Anti-DDoS Premium fail the back-to-origin configuration check. |
|
Manage configuration risks |
| Advanced, Enterprise, and Ultimate | Two-factor authentication is disabled for your Alibaba Cloud account. |
|
||
| Advanced, Enterprise, and Ultimate | ApsaraDB RDS fails the security policy check. |
|
||
| Advanced, Enterprise, and Ultimate | High risks are detected in cloud service configurations. | 2 | ||
| Advanced, Enterprise, and Ultimate | Low and medium risks are detected in cloud service configurations. | 1 | ||
| AccessKey pair leaks | All editions | AccessKey pair leaks are detected. | 30 | View and handle AccessKey pair leaks |
| Others | Enterprise and Ultimate | Attack events are detected. | 5 | Improve the security score of your assets |
References
How does the vulnerability scan level affect the security score?
How does the baseline check level affect the security score?