Intel, Altiris Group

Using Runtime AMT Credentials with Randomized Admin Passwords 

Apr 30, 2010 11:51 AM

In previous postings on configuring Intel vPro technology, I often used a single, known Intel AMT administrator password in the configuration profile. That same password was then provided in the connection profile. Although this approach is convenient for testing and troubleshooting, it may raise security concerns: should someone determine the single Intel AMT administrator password used across the environment, they could play some terrible tricks using the out-of-band capabilities.

While talking with an application engineer for the Altiris\vPro solution, a point was brought to my attention: use the randomize password option in the configuration profile. To ensure the Altiris console can continue using the technology, use "Runtime AMT credentials" in the Connection Profile. A setup like this requires the OOB Site Service (Intel SCS with customizations from Altiris) to be installed in the environment, since the OOB Site Service manages the configuration of Intel vPro Technology. When "Runtime AMT credentials" are used, the Altiris environment queries the OOB Site Service for the Intel AMT administrator password matching the target system.

It may be interesting to know that other management consoles take a similar approach. Microsoft SCCM does not use Intel SCS, yet it does have the ability to manage the configuration of Intel vPro Technology. Within SCCM, if a 1:many operation is performed, the system looks up the randomized password assigned to each configured vPro client. Similarly, the BigFix solution, which does utilize Intel SCS for configuration management of Intel vPro Technology, needs to know the associated SCS server in order to look up the Intel AMT administrator password.

The rest of this article provides screenshots and brief instructions on how to configure this in an Altiris 7 environment (aka Symantec Management Platform).

The first step is to set the configuration profile to randomize the Intel AMT Administrator password. The screenshot below shows an example of the configuration profile with "Random Creation" selected.

Once a change to the configuration profile is made, the affected systems must receive the modified profile. A "reconfiguration" event can be started on demand, or a "Maintenance" event can be scheduled on a monthly interval.

Keep in mind that maintenance events are scheduled relative to the last recorded event of each individual system plus the stated monthly timeframe. Therefore, if one client is configured at 2pm on a given day, the maintenance event for that client will run at 2pm one month after the original time stamp, and so on for each client in sequence. A configuration event applies the full configuration profile in addition to randomizing the Intel AMT administrator password (if that setting is specified in the profile). If only the "Change Intel AMT administrator password" option is selected, only that change occurs. Thus you could schedule a full reconfiguration every 12 months, with the Intel AMT administrator password being changed monthly for all affected clients.

To further emphasize the randomization of the Intel AMT administrator password, the screenshot below is a snapshot of the actual database records at the start of my test.

The next screenshot is after a reconfiguration was done on the same set of clients. Notice the admin_password and provisioning_time have changed.
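As an added example (not code from the article or from Altiris), the following Python audit runs over constructed before/after snapshots of the records shown in the two screenshots, checking that each client's admin_password actually changed and is not shared with any other client, and computing each client's next monthly password change and 12-month full reconfiguration relative to its own provisioning_time, as the maintenance scheduling above describes. The uuid column, sample passwords and timestamps are assumptions.

```python
# Added example: audit of constructed OOB Site Service snapshots (uuid column assumed)
import calendar
from collections import Counter
from datetime import datetime

# Constructed snapshots: (uuid, admin_password, provisioning_time)
BEFORE = [
    ("uuid-0001", "P@ssw0rd", "2010-04-01 14:00:00"),
    ("uuid-0002", "P@ssw0rd", "2010-04-01 14:00:00"),
    ("uuid-0003", "P@ssw0rd", "2010-04-02 14:00:00"),
    ("uuid-0004", "P@ssw0rd", "2010-04-02 14:00:00"),
]
AFTER = [  # clients 0003/0004 missed the reconfiguration event
    ("uuid-0001", "Qz7!mK2pVx", "2010-04-30 11:51:00"),
    ("uuid-0002", "r4Hv#9Lt1B", "2010-04-30 11:52:00"),
    ("uuid-0003", "P@ssw0rd", "2010-04-02 14:00:00"),
    ("uuid-0004", "P@ssw0rd", "2010-04-02 14:00:00"),
]

def parse(rows):
    """Map uuid -> (admin_password, provisioning_time as datetime)."""
    return {u: (pw, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")) for u, pw, ts in rows}

def audit(before, after):
    """Per-client problems; [] means randomized, time advanced, and password unshared."""
    old, new = parse(before), parse(after)
    counts = Counter(pw for pw, _ in new.values())  # detect a shared (non-random) password
    findings = {}
    for uuid, (pw, ts) in new.items():
        old_pw, old_ts = old[uuid]
        problems = []
        if pw == old_pw:
            problems.append("password unchanged")
        if ts <= old_ts:
            problems.append("provisioning_time not advanced")
        if counts[pw] > 1:
            problems.append("password shared with another client")
        findings[uuid] = problems
    return findings

def add_months(ts, months):
    """Advance ts by whole months, clamping the day to the target month's length."""
    m = ts.month - 1 + months
    year, month = ts.year + m // 12, m % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def next_events(after):
    """Maintenance is relative to each client's own last event: +1 month password change, +12 months full reconfiguration."""
    return {u: (add_months(ts, 1), add_months(ts, 12)) for u, (_, ts) in parse(after).items()}
```

Clients whose findings list is not empty are the ones still carrying the old shared password and should be targeted with an on-demand reconfiguration.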

In a production environment, access to the actual database records is not likely; database security will prevent unauthorized access. The OOB Site Service has its own service account for the database (by default both the username and the password are randomized at installation time). The trick is ensuring "Runtime AMT credentials" are specified, which directs the Altiris Pluggable Protocol Architecture (i.e. the Connection Profile) to query the OOB Site Service for the correct password for the target system. Did that sound complicated? Fortunately the actual console setting is really simple.

The Connection Manager, with the Default Connection Profile, can be adjusted as shown below.

Once this is done, use Real-Time System Manager, TaskServer, Deployment Service 7.1, or other components that are able to utilize the OOB Site Service and related Out-of-Band Management functionality. The connections will be made using the runtime credentials.

One last thought: what if you want to retain an alternative account to access the system? Well, it can be done, but keep in mind the security constraints.

One approach is to define a Digest User in the ACL (Access Control List) of the configuration profile. This Digest user account and password will be applied to the configuration of every client that receives the profile. The screenshot below shows an example of a single user account.

If we refer back to the opening statements of this article, you might be asking yourself: "Why would I give myself a backdoor? What if someone figured out that single Digest user account?" My suggestion is to limit the AMT Realms for that account to only General Information or a related subset. Selecting "PT Administration" gives that account full control of the configuration and usage of the technology. Utilize this account as a backup to validate that Intel vPro Technology is responding, accessing it via the Intel AMT WebUI.

Perhaps a better approach, and something seen in other management consoles, is to use Active Directory integration with a Kerberos group\user account. The Kerberos account is then applied for role-based security determined by authorized groups\users, which will likely change more often than Intel vPro configurations. For more information on how to set up Kerberos integration, see the article series starting at Part 1: Configuring AD Integration and Kerberos Authentication for Intel vPro Technology.

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.
