Security Center provides features that detect and fix common vulnerabilities and check baseline configurations. It can fix vulnerabilities in advance and harden system security based on the results of baseline checks. This protects your system against intrusions. This topic describes the best practices for vulnerability fixing and baseline checks in hybrid cloud scenarios.

Vulnerability fixing

Security Center allows you to detect and fix common vulnerabilities with a few clicks. For more information, see Overview. The following sections describe how to build servers that have Windows system, Linux software, and application vulnerabilities and how to fix the vulnerabilities.

Fix Windows system vulnerabilities

Prerequisites

A server is built. The server has Windows system vulnerabilities. The following procedure describes how to build the server:

  1. Create a server that runs the 64-bit Windows Server 2008 R2 Enterprise Edition.
  2. Install the Security Center agent on the server.
    For more information about how to install the Security Center agent, see Install the Security Center agent.
  3. Log on to the Security Center console. In the left-side navigation pane, click Assets. On the page that appears, click the Server(s) tab. Verify that the status of the installed Security Center agent is Enable.

Procedure

  1. Log on to the server as the admin user.
  2. Uninstall an update of the server. Example: KB4014565.
    In the Windows operating system, click the Start button and choose Control Panel > All Control Panel Items > Programs and Features > View installed updates. Then, uninstall the update KB4014565.
  3. Trigger vulnerability detection.
    1. Log on to the Security Center console.
    2. In the left-side navigation pane, click Assets.
    3. Click the Server(s) tab.
    4. Select the server and click Security check in the lower part of the page.
    5. In the Security Check dialog box, select Vulnerability check and click OK.
    The security check requires 1 to 5 minutes.
  4. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  5. Click the Windows System tab to view the vulnerabilities detected on the server.
  6. Click the name of a vulnerability to go to the details panel.
  7. Click Verify in the Actions column. In the Verify message, click OK.
    The status of the vulnerability changes to Verifying. After verification, you can check whether the vulnerability is fixed.
  8. Click the More icon in the Actions column and click Ignore. In the Ignore dialog box, enter remarks for the operation and click OK.
    If you want to view the ignored vulnerability, select Handled as the search condition. Security Center does not report this vulnerability the next time it detects vulnerabilities.
  9. Click Unignore in the Actions column of the ignored vulnerability. In the Unignore message, click OK.
    After you cancel ignoring the vulnerability, you can view the vulnerability again in the vulnerability list.
  10. Click Fix in the Actions column. In the Repair dialog box, select Create snapshots automatically and fix and click Fix Now.
    After the vulnerability is fixed, you must restart the server. The status of the vulnerability changes to Handled (To Be Restarted).

    If the fix fails, the status of the vulnerability changes to Fix Failed. You can click the Tip icon to view the cause of the failure.

  11. If the Security Center agent is offline, click Details in the Actions column to view the assets affected by the vulnerability, the fixing command, and impact descriptions. If the Security Center agent is offline, the Fix and Verify buttons are dimmed.
  12. If you want to view the vulnerability information of all assets in an asset group, select the asset group as the search condition. In the list that appears, select all vulnerabilities and click the Download icon.

Fix Linux software vulnerabilities

Prerequisites

A server is built. The server runs a CentOS operating system and has the Security Center agent installed. The following procedure describes how to build the server:

  1. Create a server that runs a CentOS operating system.
  2. Install the Security Center agent on the server.
    For more information about how to install the Security Center agent, see Install the Security Center agent.
  3. Log on to the Security Center console. In the left-side navigation pane, click Assets. On the page that appears, click the Server(s) tab. Verify that the status of the installed Security Center agent is Enable.

Procedure

  1. Optional: Download an RPM package that is affected by a specific Linux software vulnerability and install the package on the server.
    If the server already has Linux software vulnerabilities, skip this step.
  2. Trigger vulnerability detection.
    1. Log on to the Security Center console.
    2. In the left-side navigation pane, click Assets.
    3. Click the Server(s) tab.
    4. Select the server and click Security check in the lower part of the page.
    5. In the Security Check dialog box, select Vulnerability check and click OK.
    The security check requires 1 to 5 minutes.
  3. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  4. On the Linux Software tab, view the vulnerabilities detected on the server.
  5. Click the name of a vulnerability to go to the details panel.
  6. Click Verify in the Actions column. In the Verify message, click OK.
    The status of the vulnerability changes to Verifying. After verification, you can check whether the vulnerability is fixed.
  7. Click the More icon in the Actions column and click Ignore. In the Ignore dialog box, enter remarks for the operation and click OK.
    If you want to view the ignored vulnerability, select Handled as the search condition. Security Center does not report this vulnerability the next time it detects vulnerabilities.
  8. Click Unignore in the Actions column of the ignored vulnerability. In the Unignore message, click OK.
    After you cancel ignoring the vulnerability, you can view the vulnerability again in the vulnerability list.
  9. Click Fix in the Actions column. In the Repair dialog box, select Create snapshots automatically and fix and click Fix Now.
    After the vulnerability is fixed, you must restart the server. The status of the vulnerability changes to Handled (To Be Restarted).

    If the fix fails, the status of the vulnerability changes to Fix Failed. You can click the Tip icon to view the cause of the failure.

  10. If the Security Center agent is offline, click Details in the Actions column to view the assets affected by the vulnerability, the fixing command, and impact descriptions. If the Security Center agent is offline, the Fix and Verify buttons are dimmed.
  11. If you want to view the vulnerability information of all assets in an asset group, select the asset group as the search condition. In the list that appears, select all vulnerabilities and click the Download icon.

Fix application vulnerabilities

Prerequisites

A server is built. The server has application vulnerabilities. The following procedure describes how to build the server:

  1. Create a server that runs a CentOS operating system and set a weak logon password for the server. Example: 123456.
  2. Install the Security Center agent on the server.
    For more information about how to install the Security Center agent, see Install the Security Center agent.
  3. Log on to the Security Center console. In the left-side navigation pane, click Assets. On the page that appears, click the Server(s) tab. Verify that the status of the installed Security Center agent is Enable.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Application tab.
  4. On the Application tab, click Scan now.
    The security check requires 1 to 5 minutes.
  5. In the list of detected vulnerabilities, select a vulnerability and click Add to Whitelist.
  6. Click the name of a vulnerability to go to the details panel.
  7. On the Detail tab, view the suggestions on how to fix the vulnerability.
    Note: Security Center can detect application vulnerabilities but cannot fix them. You must manually fix the application vulnerabilities on your server based on the Suggestions provided on the Detail tab.
  8. Click Verify in the Actions column. In the Verify message, click OK.
    The status of the vulnerability changes to Verifying. After verification, you can check whether the vulnerability is fixed.
  9. Click the More icon in the Actions column and click Ignore. In the Ignore dialog box, enter remarks for the operation and click OK.
    If you want to view the ignored vulnerability, select Handled as the search condition. Security Center does not report this vulnerability the next time it detects vulnerabilities.
  10. Click Unignore in the Actions column of the ignored vulnerability. In the Unignore message, click OK.
    After you cancel ignoring the vulnerability, you can view the vulnerability again in the vulnerability list.

Baseline checks

The baseline check feature checks the configurations of server operating systems, databases, software, and containers. It also provides descriptions of check results and suggestions on security hardening. The following sections describe how to build servers that use weak logon passwords and how to detect Windows and MySQL weak logon passwords on these servers.

Detect Windows weak logon passwords

Prerequisites

A server is built. The server runs a Windows operating system and uses a weak logon password.

  1. Create a server that runs the 64-bit Windows Server 2016.
  2. Install the Security Center agent on the server.
    For more information about how to install the Security Center agent, see Install the Security Center agent.
  3. Log on to the Security Center console. In the left-side navigation pane, click Assets. On the page that appears, click the Server(s) tab. Verify that the status of the installed Security Center agent is Enable.

Procedure

  1. Log on to the server as the admin user.
  2. Create a test user on the server and set the password of the user to 123.
    Open Windows Command Prompt and run the net user test 123 /add command to create the test user and set its password to 123.
  3. Perform a baseline check on the server.
    1. Log on to the Security Center console.
    2. In the left-side navigation pane, click Assets.
    3. Click the Server(s) tab.
    4. Select the server and click Security check in the lower part of the page.
    5. In the Security Check dialog box, select Baseline check and click OK.
    The security check requires 1 to 5 minutes.
  4. In the left-side navigation pane, choose Precaution > Baseline Check.
  5. On the Baseline Check page, view the results of the baseline check.

Detect MySQL weak logon passwords

Prerequisites

A server is built. The server runs a Windows operating system and uses a weak logon password. In addition, a MySQL service is deployed on the server.

  1. Create a server that runs a Windows operating system and deploy a MySQL service on the server.
  2. Install the Security Center agent on the server.
    For more information about how to install the Security Center agent, see Install the Security Center agent.
  3. Log on to the Security Center console. In the left-side navigation pane, click Assets. On the page that appears, click the Server(s) tab. Verify that the status of the installed Security Center agent is Enable.

Procedure

  1. Log on to the server as the admin user.
  2. Set the password of the root user for the MySQL service to 123.
  3. Perform a baseline check on the server.
    1. Log on to the Security Center console.
    2. In the left-side navigation pane, click Assets.
    3. Click the Server(s) tab.
    4. Select the server and click Security check in the lower part of the page.
    5. In the Security Check dialog box, select Baseline check and click OK.
    The security check requires 1 to 5 minutes.
  4. In the left-side navigation pane, choose Precaution > Baseline Check.
  5. On the Baseline Check page, view the results of the baseline check.
  6. Click the baseline Weak password - Mysql DB login weak password baseline to go to the details panel.
  7. Find the server and click View in the Actions column to view the baseline risks that are detected on the server.
  8. Select a check item for which baseline risks are detected and click Details in the Actions column to view the item descriptions, remarks, and suggestions on how to fix the baseline risks.