
Security Center: FAQ about system baseline risks

Last Updated: Mar 31, 2026

Which edition do I need to use baseline check?

The Advanced, Enterprise, and Ultimate editions include baseline check at no extra cost. Users of the Anti-virus edition and users with a value-added plan can enable baseline check by purchasing the Cloud Security Posture Management (CSPM) add-on. After purchasing CSPM, you have access to all baseline check items.

Each edition supports a different set of check items:

| Edition | Supported check items | Not supported |
| --- | --- | --- |
| Advanced | Default policy and weak password baselines | All other check items |
| Enterprise | All check policies | Container security check items |
| Ultimate | All check policies and all check items | None |

Enterprise and Ultimate editions support one-click fix for baseline risks detected on a Linux server based on Alibaba Cloud standards or Multi-Level Protection Scheme (MLPS) standards.

For more information, see Activate baseline check.

Why does Security Center fail to verify a fixed baseline risk?

The most common cause is that the Security Center agent is offline. Troubleshoot why the Security Center agent is offline and then trigger verification again.

What are the differences between baselines and vulnerabilities?

Baselines define the minimum security requirements for system configurations and management — covering service and application settings, operating system settings, permission assignments, and system management rules. The baseline check feature evaluates weak passwords, account permissions, identity authentication, password policies, access control, security audits, and intrusion prevention, then surfaces recommendations to address any gaps.

Vulnerabilities are flaws in operating systems or security policies, including software design defects and coding errors. Attackers can exploit these flaws to access, steal, or damage your data. Fix detected vulnerabilities as soon as possible to protect your assets.

Why does the check item "Make sure that each user has a unique user ID, does not use simple passwords, and changes the password periodically" still fail after one-click fix?

Two sub-items were not selected during the one-click fix, so they remain unresolved.

If the affected assets use non-password login methods, one-click fix is not supported for those assets. After fixing all other configuration items, configure an allowlist policy for this check item on those assets.

Why does the check item "Assign an account and permissions for each user" fail?

The Status of the check item shows Not Passed even though the host configuration — including home directory permissions, number of users, and umask value — appears to match the fixing suggestions.

Run the following commands to confirm the umask value and the actual number of non-administrator accounts that the baseline check detects:

grep umask /etc/bashrc |grep -v '#'|awk -F ' ' '{print $2}'|sort -r|head -1
grep umask /etc/profile |grep -v '#'|awk -F ' ' '{print $2}'|sort -r|head -1

cat /etc/passwd | egrep -v '(root|halt|sync|shutdown)' | awk -F: '($7!="/bin/false"&&$7!="/sbin/nologin"&&$7!="/usr/sbin/nologin"&&$6!="/var/lib/libuuid"&&$6!="") { print $6 }' |wc -l

The baseline check counts only non-administrator accounts. If the output shows more accounts than the fixing suggestions allow, that is the cause of the failure.

Add a non-administrator user on the host as per the fixing suggestions, then re-verify the check item in Security Center.

Why do I get the "illegal auth" error when creating a baseline check policy?

| Cause | Solution |
| --- | --- |
| The new order has not taken effect yet after enabling baseline check. | Try again later. |
| The Security Center instance has expired. | Renew the subscription to Security Center. |

[MLPS compliance] Why does the Windows baseline check for Multi-Level Protection Scheme (MLPS) Level 2 still flag "Unwanted system services, default sharing, and high-risk ports should be turned off" even after I block the ports?

Blocking ports with a firewall or security group does not stop the underlying services. The baseline check detects the services themselves, not just whether the ports are reachable externally. Log in to your instance and disable the services for each flagged port.

The steps below use Windows 10 (64-bit).

Port 135

  1. Press Windows+R, enter dcomcnfg, and click OK to open the Component Services dialog box.

  2. In the left navigation bar, go to Component Services > Computers > My Computer, right-click My Computer, and click Properties.

  3. On the Default Properties tab, clear Enable Distributed COM on this computer (E).

  4. On the Default Protocols tab, select Connection-based TCP/IP and click Remove.

  5. Click OK.

Ports 136, 137, and 138

  1. Press Windows+S, enter Control Panel in the search box, and open Control Panel.

  2. Click Network and Internet.

  3. Click Network and Sharing Center, then click the connected network.

  4. Click Properties.

  5. Clear File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks.

  6. Click OK and close all open dialog boxes.

Port 139

  1. Press Windows+S, enter Control Panel in the search box, and open Control Panel.

  2. Click Network and Internet.

  3. Click Network and Sharing Center, then click Change adapter settings on the left.

  4. Right-click the active network adapter (for example, Ethernet) and click Properties.

  5. Double-click Internet Protocol Version 4 (TCP/IPv4).

  6. Click Advanced and go to the WINS tab.

  7. Select Disable NetBIOS over TCP/IP and click OK.

  8. Click OK again and close all open dialog boxes.

Port 445

  1. Press Windows+R, enter regedit, and click OK to open Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > NetBT > Parameters.

  3. Right-click Parameters, then go to Create > String Value and name it SMBDeviceEnabled.

  4. Double-click SMBDeviceEnabled, set Value data to 0, and click OK. Close Registry Editor.

  5. Press Windows+R and enter services.msc to open the Services management console.

  6. Double-click the Server service, set Startup type to Disabled and Service status to Stopped, then click Apply and close the dialog box.
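
One way to confirm on the instance that the steps above took effect before you trigger verification again. This read-only PowerShell audit is an added example: it is not code from the original page and does not reproduce Security Center's detection logic. The function name Get-FlaggedPortState is hypothetical, and the EnableDCOM registry value, the ms_server and ms_msclient binding IDs, and the LanmanServer service name are standard Windows identifiers that the page does not name itself.

```powershell
# Added example (not vendor code): read-only audit of the settings changed above.
# Run in an elevated PowerShell 5.1+ session on the instance.
function Get-FlaggedPortState {                 # hypothetical helper name
    $ports = 135, 136, 137, 138, 139, 445       # ports named on this page
    $netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $ole   = 'HKLM:\SOFTWARE\Microsoft\Ole'

    # Local listeners that remain, regardless of firewall or security group rules.
    $listeners = @(
        Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object LocalPort -In $ports |
            Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
        Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
            Where-Object LocalPort -In $ports |
            Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    )
    foreach ($l in $listeners) {
        # Resolve the owning process so the service behind the port can be identified.
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $l | Add-Member -NotePropertyName Process -NotePropertyValue "$($p.ProcessName)"
    }

    [pscustomobject]@{
        Listeners = $listeners
        # 'N' means "Enable Distributed COM on this computer" is cleared (port 135 steps).
        EnableDCOM = (Get-ItemProperty $ole -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
        # File and Printer Sharing (ms_server) and Client for Microsoft Networks (ms_msclient).
        Bindings = Get-NetAdapterBinding -ComponentID ms_server, ms_msclient |
            Select-Object Name, ComponentID, Enabled
        # TcpipNetbiosOptions: 0 = taken from DHCP, 1 = enabled, 2 = disabled (port 139 steps).
        NetBIOS = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            Select-Object Description, TcpipNetbiosOptions
        # Port 445 steps: the registry value, then the Server service (LanmanServer).
        SMBDeviceEnabled = (Get-ItemProperty $netbt -Name SMBDeviceEnabled -ErrorAction SilentlyContinue).SMBDeviceEnabled
        ServerService = Get-Service -Name LanmanServer | Select-Object Name, Status, StartType
    }
}

$state = Get-FlaggedPortState
$state.Listeners, $state.Bindings, $state.NetBIOS, $state.ServerService |
    ForEach-Object { $_ | Format-Table -AutoSize }
$state | Format-List EnableDCOM, SMBDeviceEnabled
```

A port that still appears under Listeners has a service bound to it locally, whatever the firewall or security group allows from outside.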