Intel,Altiris Group

Using Intel vPro Technology in a Full Disk Encryption Environment 

Mar 23, 2009 03:01 PM

Did you know that Symantec Endpoint Encryption has an “autologon” capability? Wouldn’t it be great if full disk encryption solutions didn’t inhibit client management, especially when using Intel® vPro™ Technology for out-of-band management?

Security is often the nemesis of manageability, just as manageability can be the nemesis of security. Full drive encryption can cause a lot of trouble when attempting out-of-band management, power-on-and-patch cycles, or balancing power usage against Green IT requirements. It is truly unfortunate that today's environments require the extra precautions. Yet as much as I might complain about all the added security, especially power-on and pre-boot authentication for a device, I also respect the underlying effort to protect data. Like many others, I have been a victim of identity theft (personal data, credit\financial data, etc.) because a provider of services (retail, healthcare, financial, etc.) had a unit or system compromised, exposing very valuable customer data. I appreciate the reason for the additional protection, yet the overall success of a client management implementation may be frustrated by such demanding security requirements. If only we could trust one another and not have to lock our houses, our cars, our desk drawers, our labs, our files, and so forth. Since that state of utopia isn't likely, what options do we have?

With all the added security requirements to protect data, a few core problems arise for the remote out-of-band management examples shown previously (see http://www.symantec.com/connect/articles/combining-band-and-out-band-management and http://www.symantec.com/connect/articles/scripting-intel-amt-remote-power ). Basically, if pre-boot authentication (PBA) is required, how do you auto-login a collection of clients that are remotely powered on via Intel® vPro™ technology and need to receive a software update from Altiris Client Management Suite? Out-of-band power-on gets the machine to the PBA prompt, but nothing in-band can happen until the PBA is satisfied and the operating system loads.

All glimmers of hope should not fade just yet. While talking with some Symantec Endpoint Encryption experts during ManageFusion 2009 in Las Vegas, I came across an interesting insight: there is a way to temporarily bypass the PBA. "Disable" may be the wrong term, but it prompted further investigation into how to retain the benefits of a remote repair or software update session initiated through Intel® vPro™ Technology when full disk encryption (FDE) is in use. The focus is not necessarily how Intel® vPro™ technology addresses this, but an awareness of the tools, processes, and options available from a holistic point of view. The following may be of interest in your own discussions on finding a happy medium between security and manageability.

Brief Background

The intent of this section is to focus the conversation and provide context. Volumes have been written on disk encryption; only a summary follows. If you have a constructive viewpoint or insight on the summary below, please share it in the comments.

The main question I keep asking is "How do you handle software distribution or other client computing maintenance events in your environment today?" The question receives a variety of responses:

  • Systems are powered on 24 hours a day
    • That competes with Green IT initiatives, and it can defeat the original intent of FDE: a system that is always powered on and already past the PBA has its disk unlocked, so a thief gets the data regardless of the encryption. Plus, how do you ensure the systems really are powered on 24 hours a day? What happens to your patch saturation or PC support routines if a system with FDE is not powered on 24 hours a day?
  • Software distributions or maintenance activities occur during business hours
    • Effectively this means that the user must be present to provide credentials to the PBA. It also means that existing client management processes are impacted, along with user productivity.
  • A defined maintenance window is scheduled
    • Either the users are asked to leave their systems on (and past the PBA) during that maintenance window, or a mechanism is used to bypass or autologon to the PBA. More will be addressed in the next section.
  • For a single system diagnostic and remediation, the user enters the required authentication credentials for the disk encryption solution
    • The "user" could be a local PC technician with administrative-level credentials. If this is the process today, the same process applies to Intel® vPro™ technology based out-of-band management activities. If the user's operating system will not load, you still have out-of-band management functionality via Intel® vPro™ technology. Although some might prefer absolutely no end-user involvement during the diagnostic and troubleshooting session, their involvement might prevent a sneaker-net or truck-roll response. In my own case, IT HelpDesk personnel are often in a different building, state, or country from where I am at the time I need support. If a remote desktop session (e.g. PC Anywhere or similar) cannot be established, the technician and user might both be inconvenienced. More will be addressed in the next section.

Generally speaking, drive encryption is applied primarily to devices which leave the corporate environment. Laptops are the most commonly targeted platform, although desktops may also be targeted depending on your security policies and requirements. From a manageability perspective, laptops often carry higher cost and more challenges (i.e. they are less manageable) than desktops. This should not be a surprise: desktop systems are usually in a controlled environment, whereas a laptop introduces variables of location, connectivity, physical access, and so forth. If you are interested in what analysts and Intel® vPro™ technology evangelists have said about cost savings and estimates, see the following video (http://www.podtech.net/home/4679/roi-intel-vpro-technology-in-the-enterprise ). In case you didn't watch it, there is a few hundred dollars' difference in cost savings between desktops and laptops when using Intel® vPro™ technology. This is not due to the technology, but to the circumstances of device location, connectivity, and so forth. There are still benefits to be gained.

Instead of listing all the drive encryption vendors, it may be helpful to categorize the approaches taken to secure the filesystem.

First – are you using a full disk encryption, partition encryption, or folder\file encryption solution? Since definitions and viewpoints differ, here is my brief description of each – and I'm open to friendly debate on correct terminology:

  • Folder\file encryption – Targets a specific folder\file within the filesystem using an application loaded on the local operating system. Similar in principle to password-protecting a file. Because the operating system boots normally, this will not affect Intel® vPro™ Technology functionality.
  • Partition or MBR encryption – This secures sectors or regions of the physical drive; a software application or driver is needed to access them. That driver may be inserted into the operating system boot sequence, prompting the user for authentication before or during the operating system boot. Authentication can be by password, smartcard, or other mechanisms. Although this will not affect the core Intel® vPro™ technology out-of-band management capabilities, such as remote power management, it will affect in-band management functionality (i.e. software distribution), since the operating system and its management agent cannot load until someone authenticates.
  • Full Disk Encryption (FDE) – This approach commonly uses a pre-boot authentication (PBA) environment, such as a hardened Linux or a Windows Preinstallation Environment (WinPE), that loads before the operating system. The PBA may be text-based or have a graphical user interface. Although this will not affect the out-of-band management capabilities of Intel® vPro™ Technology, it will affect in-band management functionality (i.e. software distribution) for the same reason.

Once you understand what type of solution you have, the next question is how that drive encryption solution handles key management. In essence, there are different roles and security levels determining who is able to provide appropriate credentials to the PBA. The drive encryption solution may have an administrative credential, or your security policies may dictate that only a defined user is able to provide correct credentials to the PBA. Although I have heard about a certificate-based approach – where the PBA is able to communicate over the network with a central directory or certificate authority – I am not directly familiar with which solutions actually take it.

To summarize the above statements – understand how your drive encryption solution works, especially how it applies to current PC support and maintenance operations. Collaboration between IT operations and security teams may be required.

Autologon for Pre-Boot Authentication

Now to the golden nugget discovered during ManageFusion: there is a way to schedule an autologon time period via Symantec Endpoint Encryption. Perhaps common knowledge for some, yet an exciting discovery that prompted further investigation.

In the image below (attached as 767911-01.jpg), a Symantec Endpoint Encryption group policy can be defined to bypass user authentication (i.e. bypass the pre-boot authentication) for a specified time period and a specified number of instances.

Some coordination is required to make this happen, yet hopefully the benefits outweigh the effort. Keep the bypass as narrow as the maintenance task needs, in both duration and number of instances: while it is active, a lost or stolen system boots straight past the PBA, so an overly generous window hands back exactly the exposure FDE was deployed to remove. As noted earlier, understanding how support processes are handled today under restrictive security policies will help align tools, processes, and approaches.
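The bypass described above is bounded in two ways, a time window and an instance count, and a remotely powered-on client only patches successfully if every boot the job triggers lands inside both bounds. The following pre-flight check is an added example for this article; it is not Symantec Endpoint Encryption code and does not read SEE's policy format. It models a bounded autologon policy with hypothetical field names (`window_start`, `window_length`, `max_bypasses`), spreads a job's reboots evenly across its duration as a simplifying assumption, and flags the two ways a job can stall at the PBA prompt plus one policy-hygiene warning (the 8-hour ceiling is an illustrative choice, not a vendor default). The sample policy and jobs at the bottom are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative ceiling: beyond this the check warns that FDE is switched off for
# longer than a maintenance window should need. Not a Symantec default.
MAX_SANE_WINDOW = timedelta(hours=8)


@dataclass
class AutologonPolicy:
    """Model of a bounded PBA bypass: valid only inside a time window and only
    for a limited number of boots. Field names are hypothetical."""
    window_start: datetime
    window_length: timedelta
    max_bypasses: int

    @property
    def window_end(self) -> datetime:
        return self.window_start + self.window_length

    def covers(self, when: datetime) -> bool:
        return self.window_start <= when < self.window_end


@dataclass
class PlannedJob:
    """A remote update for which vPro wakes `host` at `wake_at`."""
    host: str
    wake_at: datetime
    reboots: int            # reboots the update itself triggers after the wake
    duration: timedelta     # wall-clock time from wake until the last reboot

    def boots(self) -> list:
        """Times the host passes through PBA: the wake plus each reboot, spread
        evenly over the job's duration (a modelling assumption)."""
        if self.reboots == 0:
            return [self.wake_at]
        step = self.duration / self.reboots
        return [self.wake_at + step * i for i in range(self.reboots + 1)]


def simulate(policy: AutologonPolicy, job: PlannedJob) -> list:
    """Replay each boot against the policy. A boot is bypassed only if it is
    inside the window and the instance budget is not yet exhausted; boots
    outside the window stop at PBA and do not consume an instance."""
    used, outcome = 0, []
    for when in job.boots():
        bypassed = policy.covers(when) and used < policy.max_bypasses
        used += int(bypassed)
        outcome.append((when, bypassed))
    return outcome


def preflight(policy: AutologonPolicy, jobs: list) -> dict:
    """Per host, the reasons a job would stall at PBA; an empty list means the
    job fits. A 'policy' entry carries hygiene warnings about the bypass itself."""
    findings = {}
    if policy.window_length > MAX_SANE_WINDOW:
        findings["policy"] = [
            f"bypass window of {policy.window_length} exceeds {MAX_SANE_WINDOW}; "
            "a powered-on device boots past PBA for that whole period"]
    for job in jobs:
        issues, boots = [], job.boots()
        outside = [b for b in boots if not policy.covers(b)]
        if outside:
            issues.append(f"{len(outside)} boot(s) fall outside the window "
                          f"(first at {outside[0]:%Y-%m-%d %H:%M}) and will stop at PBA")
        if len(boots) > policy.max_bypasses:
            issues.append(f"needs {len(boots)} PBA passes but policy allows "
                          f"{policy.max_bypasses}")
        findings[job.host] = issues
    return findings


# Constructed sample data: a four-hour window opening at 22:00, three bypasses.
T0 = datetime(2009, 3, 23, 22, 0)
POLICY = AutologonPolicy(T0, timedelta(hours=4), max_bypasses=3)
JOBS = [
    PlannedJob("ws01", T0 + timedelta(minutes=5), reboots=1, duration=timedelta(minutes=30)),
    PlannedJob("ws02", T0 - timedelta(minutes=5), reboots=0, duration=timedelta(minutes=15)),
    PlannedJob("ws03", T0 + timedelta(minutes=30), reboots=3, duration=timedelta(minutes=90)),
    PlannedJob("ws04", T0 + timedelta(hours=3, minutes=30), reboots=1, duration=timedelta(minutes=60)),
]

if __name__ == "__main__":
    for host, issues in preflight(POLICY, JOBS).items():
        print(host, "OK" if not issues else "; ".join(issues))
    for when, ok in simulate(POLICY, JOBS[2]):
        print(f"  ws03 boot {when:%H:%M}: {'bypassed' if ok else 'stopped at PBA'}")
```

Run before the window opens: any host listed with an issue will sit at the PBA prompt after the vPro power-on and never reach the Altiris agent, so either the job or the policy needs adjusting. The instance budget matters as much as the clock; a multi-reboot update that exceeds it stalls on a later reboot even though the window is still open.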

Do other disk encryption solutions offer similar capabilities? This is where I need your help. The following is a summary of the information I have received so far on how similar workarounds can be accomplished:

  • McAfee SafeBoot 5.1 – a $AutoBoot$ user account in the SafeBoot database, plus a tool or script to remotely unlock the drive.
  • Utimaco SafeGuard Enterprise Management Center 5.3 – a Secure Wake-on-LAN option, which sounds similar in concept to the example shown above (i.e. a policy-based setting).
  • Check Point Pointsec FDE R70 – for a remote repair of a single system, Check Point provides an update that replaces the GUI-based PBA with a text-based interface. The text-based interface can then be viewed and driven remotely over a Serial-over-LAN redirection session (one of many capabilities within the Intel® vPro™ technology platform).
  • Wave (Seagate HDD with FDE) – using the Embassy Remote Admin Manager, an option to remotely unlock drives.
  • PGP – for drive recovery purposes, using Symantec Ghost 10 and IDE-Redirection, a bootable ISO can be used to retrieve data from an encrypted drive. See the following knowledge base article: https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/popup_adp.php?p_sid=yrNPqpsi&p_lva=603&p_li=&p_faqid=693&p_created=1166468952&p_sp=cF9zcmNo

Will Intel® vPro™ Technology provide more security integration?

My intent and focus is to address what is commonly available today, and to provide awareness of how you might overcome immediate hurdles around full disk encryption (FDE) and client system management. Intel® vPro™ technology is a tool to extend the reach of the PC or HelpDesk technician. There are efforts underway to further integrate and enhance the abilities of Intel® vPro™ technology. As those technologies or software integrations become available, more information will be shared.

As a teaser for other security integrations, have you seen the Anti-Theft offering of Intel® vPro™ technology? Take a look at http://www.intel.com/technology/anti-theft/index.htm and http://www.youtube.com/watch?v=bnTggBxhOVk

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

Attachment: 767911-01.jpg (70 KB)

Comments

Mar 30, 2009 01:55 PM

Interested to hear from the community on how you are handling Intel vPro in environments that enforce drive encryption.  As stated in the above article - there will be some impact to usage\functionality, but there are also workarounds...
