
Utilizing Intel® vPro AMT Technology with Task Server - Part 7: Using System Defense with Software Delivery

Joel Smith

In the previous two segments of this article series, the subjects of System Defense and System Defense with Task Server functionality were covered. In this piece we take the System Defense configuration one step further with the ability to use the Software Delivery Solution Task Server Plug-in. This robust piece allows packages to be delivered to the target system and can be used as an application, script, or other execution engine. See parts 3 through 6 for full details.

Introduction

The port usage for standard package delivery needs to be configured in the System Defense configuration filter file for the Deliver Software function within Task Server. Once properly configured, a system can be locked down on the network but still have the ability to deliver files and initiate execution through the Software Delivery for Task Server Plug-in. This article provides an updated filter file and the details surrounding how to create it.

There are a number of articles to be aware of (or subjects to have knowledge of) before this article can be properly employed. The first one covers the basics of Software Delivery for Package and Program configuration. The second two cover Intel's System Defense and how to configure the Network Filter.

Filter Setup

The filter configuration is different when configuring for Task Server and Software Delivery. Note that the configuration of the Task Server ports differs in this instance (this different configuration can also be substituted for the one published in article 6 of this series).

Details

The four filters are detailed here:

  1. Filter 1: Direction of traffic: Incoming; Type of Traffic: TCP; Apply to Address: Notification Server Address; Treat this address as: Source; Range of ports: 50120-50124; Ports are on: Source
  2. Filter 2: Direction of traffic: Outgoing; Type of Traffic: TCP; Apply to Address: Notification Server Address; Treat this address as: Destination; Range of ports: 50120-50124; Ports are on: Destination
  3. Filter 3: Direction of traffic: Incoming; Type of Traffic: TCP; Apply to Address: Notification Server Address; Treat this address as: Source; Range of ports: 50120-50124; Ports are on: Destination
  4. Filter 4: Direction of traffic: Outgoing; Type of Traffic: TCP; Apply to Address: Notification Server Address; Treat this address as: Destination; Range of ports: 50120-50124; Ports are on: Source

See the following explanations on what each filter is doing:

  1. Filter 1 – This is communication using ports 50120-50124 as the sending ports from the Notification Server to the client system.
  2. Filter 2 – This is communication using ports 50120-50124 as the sending ports from the client system to the Notification Server.
  3. Filter 3 – This is communication using ports 50120-50124 as the receiving ports from the client system to the Notification Server.
  4. Filter 4 – This is communication using ports 50120-50124 as the receiving ports from the Notification Server to the client system.
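
An added example, not part of the original article or of the Altiris/Intel tooling: a small Python model of the four filters that checks constructed packets against them, useful for confirming that the policy only passes TCP between the client and the Notification Server on ports 50120-50124. The server address, the sample packets, and the rule that traffic matching no filter is dropped are assumptions of this model.

```python
from dataclasses import dataclass

NS_IP = "192.0.2.10"          # placeholder Notification Server address (assumption)
PORTS = range(50120, 50125)   # 50120-50124 inclusive, as in the article

@dataclass(frozen=True)
class Filter:
    name: str
    direction: str   # "in" or "out", relative to the managed client
    ns_role: str     # which side of the packet must be the Notification Server
    port_side: str   # which side's TCP port must fall inside PORTS

# The four filters as listed in the Details section.
FILTERS = [
    Filter("Filter 1", "in",  "src", "src"),
    Filter("Filter 2", "out", "dst", "dst"),
    Filter("Filter 3", "in",  "src", "dst"),
    Filter("Filter 4", "out", "dst", "src"),
]

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def matching_filter(pkt):
    """Return the name of the first filter that passes pkt, or None (dropped)."""
    for f in FILTERS:
        ip = pkt.src_ip if f.ns_role == "src" else pkt.dst_ip
        port = pkt.src_port if f.port_side == "src" else pkt.dst_port
        if (pkt.proto == "tcp" and pkt.direction == f.direction
                and ip == NS_IP and port in PORTS):
            return f.name
    return None

# Constructed sample traffic: 192.0.2.50 is the client, 198.51.100.7 an unrelated host.
SAMPLES = [
    Packet("in",  "tcp", NS_IP, 50121, "192.0.2.50", 49200),
    Packet("out", "tcp", "192.0.2.50", 49200, NS_IP, 50121),
    Packet("in",  "tcp", NS_IP, 49300, "192.0.2.50", 50124),
    Packet("out", "tcp", "192.0.2.50", 50124, NS_IP, 49300),
    Packet("out", "tcp", "192.0.2.50", 49201, "198.51.100.7", 50121),
    Packet("out", "tcp", "192.0.2.50", 49202, NS_IP, 445),
    Packet("in",  "udp", NS_IP, 50120, "192.0.2.50", 50120),
]
```

Calling `matching_filter` on each entry of `SAMPLES` shows one packet passed by each of the four filters, followed by three that no filter passes: a different destination host, both ports outside the range, and UDP.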

Walkthrough

The following steps walk through applying these filters.

Filter 1

  1. Click the blue plus icon to add a filter. This will launch the wizard. Click 'Next' on the introduction screen.
  2. Choose the options TCP and Incoming, and click 'Next'.
  3. Select the option Address of the Altiris Notification Server, and make the address Source. Click Next.
  4. Choose Range of ports and click 'Next'.
  5. Choose the option Manually type in the lower/upper boundary of the port range and enter in 50120 for lower, and 50124 for upper. Treat the range as Source, and click 'Next' to continue.
  6. Provide a filter name and click 'Finish'.

Filter 2

  1. Click the blue plus icon to add a filter. This will launch the wizard. Click 'Next' on the introduction screen.
  2. Choose the options TCP and Outgoing, and click 'Next'.
  3. Select the option Address of the Altiris Notification Server, and make the address Destination. Click Next.
  4. Choose Range of ports and click 'Next'.
  5. Choose the option Manually type in the lower/upper boundary of the port range and enter in 50120 for lower, and 50124 for upper. Treat the range as Destination, and click 'Next' to continue.
  6. Provide a filter name and click 'Finish'.

Filter 3

  1. Click the blue plus icon to add a filter. This will launch the wizard. Click 'Next' on the introduction screen.
  2. Choose the options TCP and Incoming, and click 'Next'.
  3. Select the option Address of the Altiris Notification Server, and make the address Source. Click Next.
  4. Choose Range of ports and click 'Next'.
  5. Choose the option Manually type in the lower/upper boundary of the port range and enter in 50120 for lower, and 50124 for upper. Treat the range as Destination, and click 'Next' to continue.
  6. Provide a filter name and click 'Finish'.

Filter 4

  1. Click the blue plus icon to add a filter. This will launch the wizard. Click 'Next' on the introduction screen.
  2. Choose the options TCP and Outgoing, and click 'Next'.
  3. Select the option Address of the Altiris Notification Server, and make the address Destination. Click Next.
  4. Choose Range of ports and click 'Next'.
  5. Choose the option Manually type in the lower/upper boundary of the port range and enter in 50120 for lower, and 50124 for upper. Treat the range as Source, and click 'Next' to continue.
  6. Provide a filter name and click 'Finish'.

Note! The user interface for this editor has a serious oversight. If you edit the file in any way, whether editing existing, adding, or removing filters, if you do not click the 'SAVE' icon your changes will not be saved, and no prompt will be made. See the screenshot for how to save it. Save often!

Attached to this article is a completed filter file for convenience, though it is recommended to walk through the creation to better understand what the changes mean.

Deliver Software Task

So what does this add to the Task Server when the System Defense Network Filter is applied? If you are familiar with Altiris Software Delivery Solution, it simply allows you to choose a Package and Program to send and execute on the local client system, just like a standard Software Delivery Task. Adding this ability when a network filter is enforced opens up a myriad of remediation possibilities. Note the following screenshot that shows the Deliver Software Task type.

Note that the Deliver Software Task is under the 'Client Tasks' tree node. This means that the following items must be installed for this function to work on destination machines:

  • Altiris Agent
  • Altiris Client Task Agent
  • Altiris Software Delivery Agent for Task Server

The following types of Software Delivery Tasks can be executed on a system that has this System Defense Network filter applied:

  1. Application Install, Repair, or Modify
  2. Anti-Virus Install, Repair, or Modify
  3. Script execution, VBS, BAT, etc
  4. Uses include data gathering (for example to discover what definition version or files are located on the system)
  5. Anything a script can do, Software Delivery can do, too!
  6. Registry editing for removal (of malicious programs) or addition of registry keys and values

The beauty comes from the ability to conduct all these operations, including downloads of any scripts, files, or applications while the System Defense filter is in place. Only the Notification Server or the Altiris Agent on the affected machine are connected, effectively quarantining the system from all other network resources. In the case of a threat situation, this will allow remediation to take place while rendering the threat impotent.

Software Delivery could be considered a catch-all addition to Task Server. Because of its execution and file delivery capability, scripts, service controls, WMI executions, registry edits, application installs, File fixes, .config, .xml, .ini, file modifications, and almost anything else you can think of can be accomplished. Even without scripting knowledge the interface allows a robust configuration for standard application execution.

Since scripting is powerful, consider learning how to use the Wise Script Utility. While I haven't worked with it exclusively, those who have say it allows those of us without scripting ability to build scripts through an intuitive UI to do most actions common to scripts.

Conclusion

Truly this opens up a new realm of possibilities for the power of using Altiris with Intel's System Defense technology. Part of the purpose of this and part 6 of this article series was to also demonstrate how the configuration works. Hopefully by reading the explanation notes and walking through the process you'll gain an understanding of how the filters are configured and thus be able to generate your own based on needs in the environment.

If anyone has created other successful filters that would be useful in common environments (and perhaps not so common) please help by either posting here or creating your own article to add to the library of System Defense Network Filters.
