Intel,Altiris Group

Passwords, Permissions and Access Control 

Jul 16, 2007 01:46 PM

For a solution platform to be secure, some degree of permissions and access control will apply. This article addresses console users, difference of MEBx and Intel® AMT passwords, and Intel® AMT profile access control lists.

Console Users

If already an Altiris console administrator, does a user automatically have Provisioning rights and access? Not necessarily. This portion of the console includes an embedded component called the Intel® Setup and Configuration Service (SCS). The permissions and access are controlled by the "Users" attribute under Configuration Service Settings. At installation, a default entry of the Altiris administrator is added. Yet for further customization or to limit to least privileges for users, some changes may be desired.

The provisioning console users can be selected from the local system or Windows Domain user lists. Each user can be assigned one of four roles, which are explained below.


  • Enterprise Administrator -- Full control of configuration and settings, including adding to or changing the Users list and its settings.
  • Administrator -- Full control of configuration and settings, yet unable to change the Users list and its settings.
  • Operator -- Able to create or modify Profiles, review logs, and perform related operations. Not able to change properties of Intel® AMT settings or general settings (worker threads, polling interval, etc.).
  • Log Viewer -- Able to review log messages only.

Adjusting the list of Users and associated Roles will vary based on a production environment's policy and mode of operation. From a console and provisioning security perspective, it may be best that only a select few users (perhaps only one) have Enterprise Administrator access. The majority of users requiring access may be Operators and Log Viewers.

Password -- Intel® ME and Intel® AMT.

Before we address Intel® AMT profiles, some understanding of the difference between the MEBx (i.e. Intel® ME) and Intel® AMT passwords is needed. The MEBx has a default user name of "admin", and when the associated password is changed this affects both the MEBx and Intel® AMT passwords.

The MEBx password, also referred to as the Intel® ME password, is changed during USB one-touch provisioning. When the security keys are created, a prompt occurs for the existing and new Intel® ME password per the diagram below. The Intel® ME is accessible ONLY local to the client system.

The Intel® AMT password is used by Intel® SCS to configure the settings as defined by the Intel® AMT profile. It could be viewed as a service account. The password can be changed and randomized by the setting shown below. Note that the user name defaults to "admin". Selecting Random Creation affects ONLY the Intel® AMT password. The MEBx password remains the same as it was before provisioning (i.e. setup mode, whether the provisioning data was entered manually or via USB one-touch).

The Intel® AMT password can be used to access a provisioned system's WebUI. For production policy purposes, this console interface can be disabled within the Intel® AMT profile or within the MEBx.

With passwords a little better understood, we move on to permissions and access control lists.

Access Control Lists

The image below may be overwhelming at first - if it helps any, this interface will be changing with the next release from Altiris. Let's break down the components to provide some understanding.

First - a digest user refers to an account used for HTTP Digest authentication, whether or not TLS is used. (Remember - the user authenticates via HTTP Digest while the session is secured via TLS. See this article.) Digest users present a potential challenge - managing a separate list of users from the Windows Active Directory. This is one of the reasons the next release will include Windows Active Directory integration, utilizing Kerberos to more easily manage authorized groups, users, access, and so forth.

Next - the Intel® AMT security realms present a lot of options which require some additional explanation. The realms provide different functionality based on local or network access. Confused yet?

Intel® AMT uses SOAP calls and web services to communicate actions, configuration, and so forth. This is why the AMTSCS virtual directory is required - to send and receive web service calls. Some procedures and actions are local to the Intel® AMT system. Instead of sending local communications out on the network, the LMS (Local Management Service) driver intercepts them and redirects them to the management engine. Not all of the security realms utilize or require local access.

Network access is just that - communications sent and received via the network. These communications are intercepted at the network card based on the port: 16992 traffic is non-TLS, 16993 traffic is TLS, 16994 is non-TLS redirection, and 16995 is TLS redirection.

A quick clarification on the image below - it is recommended that a digest user NOT be called "admin". Thus the snapshot is erroneous - yet included to make a point. This configuration will conflict with the Intel® AMT password explained above. In essence, the ACL tab focuses on the users of the services applicable to the Intel® AMT systems.

The following table provides an overview of the Intel® AMT realms, their interfaces, a brief description, whether they use local or network access, and to which versions of Intel® AMT they apply. A few quick comments and opinions (yes - opinions, see the disclaimer). Some of these realms are really meant for the Intel® AMT admin account only, or for the setup and configuration service. The items in BOLD below are the focus of a Digest or Kerberos user. Also, the name "Circuit Breaker" is now System Defense, and refers to the Network Filtering capabilities within Altiris Real-Time Systems Management.

Each entry below gives Realm / Interface -- Description (access: local, network, or both; Intel® AMT release).

  • Admin / EIT Interface -- Implements the Embedded IT service; not intended for ISV use. (local; 2.1 and above)
  • Admin / Wireless Configuration Interface -- Manages wireless interface settings. (network; 2.5 only)
  • Agent Presence Local / Local Agent Presence -- Used by an application designed to run on the local platform to report that it is running and to send heartbeats periodically. (local; 2.0 and above)
  • Agent Presence Remote / Remote Agent Presence -- Used to register local agent applications and to specify the behavior of Intel® AMT when an application is running or stops running unexpectedly. (network; 2.0 and above)
  • Circuit Breaker / Circuit Breaker Interface -- Aka System Defense. Used to define filters, counters, and policies to monitor incoming and outgoing network traffic, with the ability to block traffic at the NIC when a suspicious condition is detected, based on defined policies. (network; 2.0 and above)
  • Endpoint Access Control / Endpoint Access Control -- Returns settings associated with Network Access Control (NAC). (local; 2.5 and above)
  • Endpoint Access Control / Endpoint Access Control Admin -- Configures and enables the NAC posture. (network; 2.5 and above)
  • Event Management / Event Manager Interface -- Allows configuring hardware and software events to generate alerts and to send them to a remote console and/or log them locally. (network; 1.0 and above)
  • Event Management / Event Log Reader -- Allows definition of a user with privileges only to read the Intel® AMT system log. (local and network; 2.6 and above)
  • Firmware Update / FirmwareUpdate Interface -- Used only by OEMs via Intel-supplied tools to update the Intel® AMT firmware. These functions are not for general ISV use. (local and network; 2.0 and above)
  • General Info / GeneralInfo Interface -- Returns general setting and status information. With this interface, it is possible to give a user permission to read parameters related to other interfaces without giving permission to change the parameters. (local and network; 2.0 and above)
  • HW Asset / Hardware Asset Interface -- Used to retrieve information about the hardware inventory of the platform. (network; 1.0 and above)
  • Local User Notification / Local User Notification Interface -- Configures alerts to a user on the local host system via the UNS driver. (local; 2.5 and above)
  • Network Time / Network Time Interface -- Used to set the clock in the Intel® AMT device and synchronize it to network time. (network; 2.0 and above)
  • PT Administration / Security Administration Interface -- Manages security control data, such as Access Control Lists, Kerberos parameters, TLS, configuration parameters, power saving options and power packages. (network; 1.0 and above)
  • PT Administration / Network Administration Interface -- Configures local network options usually set by a DHCP service. (network; 1.0 and above)
  • Redirection / Redirection Interface -- Enables and disables the redirection capability and retrieves the redirection log. The redirection interface itself is a separate proprietary interface that does not depend on HTTP/SOAP. (network; 1.0 and above)
  • Remote Control / Remote Control Interface -- Enables powering a platform up or down remotely and checking the current power state. Used in conjunction with Redirection. (network; 1.0 and above)
  • Storage / Storage Interface -- Used to configure, write to and read from 3PDS. The actual commands are in the Storage Library. (local and network; 1.0 and above)
  • Storage Admin / Storage Administration Interface -- Used to configure global parameters that govern the allocation and use of 3PDS. (network; 1.0 and above)

Suggestions for Intel® AMT ACL settings

Based on the previous sections, what are the recommended settings of the Intel® AMT profile for a production environment? This will depend on multiple variables per support technician and IT administrator. In addition, different profiles may be assigned to different systems based on their environment, user, and so forth. Lastly, a single profile may have multiple ACLs associated with it - which will be even more interesting and capable once Kerberos integration is added.

Below is an example of settings based on generic roles.

  • Level 1 HelpDesk Technician - General Info, HW Asset, and Event Management
    • The technician is able to review settings, configuration, and events of the Intel® AMT systems. They are unable to reboot, redirect, or isolate.
  • Level 2 HelpDesk Technician - In addition to Level 1, Remote Control and Redirection
    • The technician is able to remotely power the system and can redirect the console or IDE for troubleshooting purposes.
    • Using Altiris Task Server, the Level 2 Technician could set up a job to check the system power state, boot if needed, apply a patch using Altiris Deployment Server, and then return to the previous power state.
  • IT administrator - In addition to Level 1 and Level 2 HelpDesk Technicians, Circuit Breaker
    • The administrator in coordination with the Security architects can isolate a system and perform all other actions mentioned.
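As an added example (not code from the original article or from Altiris), a small Python lint for one proposed digest-user ACL entry: it checks the entry's realms against the release and access columns of the realm table above, flags a digest user named "admin" (the conflict described earlier), and reports any realm beyond what the suggested role needs. The realm subset, the role keys and the function name are my own assumptions.

```python
# Added example, not from the original article: lint one proposed Intel AMT
# digest-user ACL entry against the article's realm table and role suggestions.

# Subset of the article's realm table: realm -> (minimum AMT release, reachable
# over the network). Local-only realms are served through the LMS driver.
REALMS = {
    "General Info": (2.0, True),
    "HW Asset": (1.0, True),
    "Event Management": (1.0, True),
    "Remote Control": (1.0, True),
    "Redirection": (1.0, True),
    "Circuit Breaker": (2.0, True),
    "Storage Admin": (1.0, True),
    "PT Administration": (1.0, True),
    "Agent Presence Local": (2.0, False),
    "Local User Notification": (2.5, False),
}

# Suggested roles from the article; each level builds on the previous one.
ROLES = {"level1": {"General Info", "HW Asset", "Event Management"}}
ROLES["level2"] = ROLES["level1"] | {"Remote Control", "Redirection"}
ROLES["itadmin"] = ROLES["level2"] | {"Circuit Breaker"}


def lint_acl(user, role, target_release, realms=None):
    """Return findings for one digest-user ACL entry; an empty list means clean.

    user: digest user name; role: key of ROLES; target_release: AMT firmware
    release the profile targets; realms: explicit realm set (defaults to the role's).
    """
    findings = []
    # A digest user named "admin" collides with the Intel AMT admin account.
    if user.lower() == "admin":
        findings.append("digest user must not be named 'admin'")
    granted = ROLES[role] if realms is None else set(realms)
    for realm in sorted(granted):
        if realm not in REALMS:
            findings.append(f"unknown realm {realm!r}")
            continue
        min_release, network = REALMS[realm]
        if target_release < min_release:
            findings.append(f"{realm} needs AMT {min_release}+, target is {target_release}")
        if not network:
            findings.append(f"{realm} is local-only; useless in a console user's ACL")
    # Least privilege: anything beyond what the role suggests is a finding.
    extra = granted - ROLES[role]
    if extra:
        findings.append("beyond role " + role + ": " + ", ".join(sorted(extra)))
    return findings
```

Run it over each ACL entry of a profile before pushing the profile out; a non-empty result is the list of things to fix in the ACL tab.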

Conclusion

The passwords, permissions, and access control of Intel® AMT are only a portion of the security features built into the platform. By understanding how these are used, customers provisioning Intel® AMT, deploying systems, and looking to utilize the functionality will be better prepared.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.