NOTE: If you have not read parts 1 through 4, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases

Learning from previous mistakes, CSO Dan Williams discusses what they can do to better secure the powerful AMT functionality. Since the human factor is the biggest weakness, what can they do to strengthen this? Obviously they can't remove it altogether; might as well shut the company down. In Intel vPro the human factor can be minimized due to available strong security technologies. AMT can be made more secure, but the continuing threats are emphasized when a computer is hijacked. What can be done to regain control?

Mighty Modern Marketing HQ - Boston, Massachusetts

Bright sunlight filtered through the distant windows , overshadowing the bland fluorescent lights lit above. Jessica Langley watched the distant pedestrians seen in a narrow view near the street moving past with varying degrees of enthusiasm. The hot summer held to the south temporarily by a low pressure that brought in the cool Atlantic breezes. She imagined being able to hear the conversations of those passing, wondering what they spoke of, and if any of them had as crazy a life as her.

"Ah, this is the life," Tevita said as he leaned back. He placed his hands behind his head and stretched out his legs, pushing his office chair as far back as possible. With what looked like a deliberately casual gesture he tossed his headset onto his desk.

"You should be worried," Jessica commented dryly.

"Worried? Why?"

Jessica gestured sharply at her phone. "No one can call us with the phones down, so our work is just piling up while we sit here."

"Hey, we have our mobile phones. If it's not important enough for them to look up our numbers, then why worry about it?"

"You know that's not how it'll happen. As soon as the phones get up... WHAM! We're here until the sun drops below the trees in the west."

Tevita's smile lessened, but only a little. "They've been down for two hours. Perhaps they'll be down all day, and we can leave early."

"Right."

The Tongan shrugged, and Jessica briefly envied his ability to shove aside problems when they weren't directly in front of him. He could have two amazingly nasty issues to work on, and he'd easily concentrate on one at a time as if the other issue didn't exist. She wished she could compartmentalize in that manner, but when she had two critical issues to work on they hung over her like a dark shroud. Usually the one she wasn't currently working pressed down as if to accuse her of negligence, but she couldn't do two things at once. It wasn't like knitting while watching TV.

Like now, when she knew issues piled up while their phones remained down. She reached down and pulled up her mobile phone in case she'd missed an incoming call, but nothing showed. She sighed, standing up and stretching. Tevita frowned at her.

"You aren't going to bug the phone people again, are you?" he asked, as if accusing her of turning him in for some crime.

"No," she said. "Daniel Williams wanted to talk to me today so I'm heading up to his office."

"Good. Don't mention the phone issue to the CSO..."

She rolled his eyes at him, but he only smiled, large hands moving deftly across the keyboard. Without phone call interruptions Tevita would clear out the email queue in no time.

She took the stairs, hoping to work off the donut she'd eaten earlier that morning. It seemed no matter how resolute she thought she was to eat healthier, as soon as someone brought in free goodies her willpower vanished and she indulged. She doubted the climb from the first floor to the third made any real difference, but at least her husband wouldn't get on her case about taking the elevator when she had two perfectly working legs.

The door to Daniels office sat closed, and she peeked into the glass valance to the side. Daniel stared at his computer screen, his brows drawn low. He didn't touch the keyboard and mouse, eyes moving across his monitor as if trying to puzzle something out. He just reached for the mouse when she knocked quietly on the window.

He turned, a smile easing his expression. He waved her in, and she quickly hurried through the door."

"You wanted to see me?" she inquired.

"Yes, please sit down," he said, gesturing to one of the empty chairs across his desk. She sat while he turned back to his computer.

"Please watch," he said as he launched Internet Explorer. "I'm going to talk you through what I'm doing, and I don't want you to interrupt until I'm done. Okay?"

Jessica felt a twinge of uneasiness stiffen her spine. "Of course," she responded, trying to instill confidence in her voice. "What are you doing?"

He only smiled. "First, I've discovered what password I can use to access AMT on all our vPro enabled computers..."

She stood up. "What...?"

He held up his hand, not unkindly. "Please humor me."

She sat back down, her unease blooming. She clasped her hands in her lap so she wouldn't fidget, usually in the form of smoothing down her already crisp and wrinkle-free dress jacket. She couldn't sit completely still, and found herself tapping her toe. Fortunately the carpet, however uninviting bland, muffled the sound.

"Okay," Daniel continued. "I don't have access to Altiris though I have tried to gain it, unofficially of course."

"Of course," she said, and quickly clamped her teeth together before she asked another question.

Daniel continued, "In light of that I've done some Googling and found that AMT has a web-interface that anyone can access using a browser. I haven't figured out how yet, but I don't think it'll take me long. Let's see... how to access AMT via a browser... This first hit talks about someone who is unable to access it."

Url: (http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/30249624.aspx).

"Ah, in his post he says, "When I try to access the Web Interface (localhost:16992 or name:16992)... that means I can access my test in the same manner. Let's watch."

Jessica bit her lip to keep from saying anything, determined to keep quiet until he'd finished his demonstration. She really wanted to ask him how he acquired the password, but she supposed she should wait until he validated that claim first. Plus, he'd asked her to keep quiet, and she didn't want the CSO annoyed with her.

Daniel clicked on the address bar, deleting the current address. He then typed in MMMAMT0043:16992 in the address bar. When he hit Enter the page refreshed, showing him the initial AMT login screen. He clicked the ‘Log On' button, which provided a standard Windows security prompt. He entered in Admin as the username, and then typed in a password. Jessica's stomach dropped. She didn't see exactly what he put it, but it did look like he put in the right password.

The Intel Active Management Technology web interface appeared, giving Daniel full access to the system. Jessica reached up and rubbed at her eyes.

"Please tell me you simply asked Tevita for it," she said when he turned to her.

"No, but no need for you or Tevita to worry about that," he said with what Jessica assumed was a reassuring smile. It didn't help. "I believe I used the same methods our traitorous employee working in cahoots with Nifty Networks used to gain these powerful credentials. I'll be conducting security training for our employees soon to try and plug that method."

"So how did you do it?"

Daniel nodded. "Good question, but the better question I'm posing to you is this: how can we better secure the AMT technology? See here under Remote Control? I can remotely reboot this person's system and boot it up into an application I can use to wreak havoc. Nifty, no?"

She swallowed hard. "No, not nifty."

"Good. You see the issue. I'm tempted to not tell you how I did it. Mystery lends me an air of the supernatural, or at least my uber-geekness. Why reveal how? That's like a magician revealing his secrets. Once the how is known, it isn't so magical anymore. Okay, so I'm taking far too much pleasure out of this. I simply watched you and Tevita closely and caught you entering the password. It took several tries before I finally got it right."

The beginning of a migraine colored Jessica's vision. "Great. I thought we had that password locked down..."

"As I said before, don't worry about it. Everyone is too trusting when entering passwords. I'll address that in our upcoming security meeting. What I want to discuss is how we can rectify this situation? Specifically I want to remedy the fact that anyone who does a smidgen of research will know that the administrative username for AMT is admin. We've handed any potential hacker one half of the credential equation."

Jessica nodded. "Yes, I see your point. Luckily I already know how to fix that. It's as simple as making the admin password random on each system and using Kerberos to use our Domain credentials for access."

"Good. The second point is I noticed that I can use a non-secure web address to access this. Can you get SSL enabled for all AMT communication?"

Jessica nodded again. "Yes, specifically AMT uses TLC, the successor to SSL. I believe I saw an article on how to enable that on Symantec Juice."

"Even better. Get those measures in place, and let me know when it's completed."

She nodded, shaking his hand when he offered it. She left his office and headed back down, taking the stairs despite the throbbing in her head. When she reached her cube she noted that Tevita had his headset on, his previous smile absent from his face. She gave him a grin when he glanced over, and this time he rolled his eyes. She should get onto the phones, but she wanted to get those changes implemented as soon as possible so that even Daniel couldn't crack the system... as long as Tevita and she carefully entered their passwords so others couldn't eyeball them.

She sat down and pulled up the Altiris Console. Both of her actions required a new vPro Profile to be pushed down to all the AMT systems, but that was the easy part. She started by enabling TLS on the server. Until she pushed down the new profile the AMT functions would not work. She leaned over to Tevita, and he glanced at her as she rolled closer in her chair.

"AMT will be available for a time," she said.

Tevita reached up and muted his headset. "Why?"

"I'm enabling TLS. You know, encryption. When I enable it on the server side the clients will not be able to communicate back with the server until I update the profile and they have the right certificates."

He shivered. "Is that such a good idea? Certificates are tricky... we could easily mess up the whole thing and have no AMT access..."

"Tevita, it isn't that complicated. I have all the Altiris documentation on how to do it. Besides, there's a specific article on how to do it after the installation, here: http://juice.altiris.com/article/2737/how-enable-tls-within-out-band-management-after-install. Piece of cake."

"If you say so..."

"Trust me. If we had a hierarchal structure of certificate authorities, it might get a bit dodgy, but I'm just setting up the one root."

"Yeah, and the flux capacitor needs just such and such gigawatts of power..."

"Just read up on it! It's not that hard."

Tevita spoke for a moment into his headset, and took it off. "I don't know anyone who understands it all that well."

She planted her hands on her hips. "It's really simple. We give the root CA, aka the King, the credentials that are acceptable. Secondly, the Altiris server gets the credentials so it can work with the CA and the clients. We then load the matching credentials on the clients via the Provisioning Profile. Now everyone has the credentials."

He smiled. "What about client-side and server-side certificates?"

"Again, simple. Communication is unidirectional for a given parent/child certificate set. With basic TLS in vPro, all the clients have server certificates. The Altiris Server uses a client certificate to authenticate with the client so that the client machine will accept the AMT commands sent it."

"Alright. That sounds simple enough, but what about the CA? What's that for?"

Jessica looked at him, her eyes narrowing. "What's with the third degree? 'Tell me Master Qui-Gon. What are midichlorians'?"

Tevita burst out laughing. "Am I that transparent? I didn't know you liked Starwars..."

"I don't. Like that movie quote, your questions are contrived..."

"Hehe, yeah. I'm just trying to prove a point. It's not that simple..."

"But it isn't that complex, either. The CA tells the server-side component (the AMT Client) if the client connection (from the Altiris Server) is to be trusted. I know having the AMT clients act as the server seems a bit backwards, but since we want AMT functionality to be secure, it makes sense. The Altiris Server that tells AMT what to do needs to prove itself. This ensures a rogue server can't just initiate any AMT functionality without having the proper certificate. So the server provides a client certificate, which the AMT system authenticates with the CA before allowing the Altiris Server ‘in'."

"Okay, okay. That sounds simple enough. I'll be sure to avoid AMT until next week when you get TLS finally working... kidding! Take it easy, I'm just joking."

She wanted to keep the stern look on her face, but a smile cracked through. "You just watch it, Mister."

Jessica turned her attention back to the Altiris Console. She opened up a browser on her second monitor and pulled up the Juice article she'd shown Tevita. She walked through the steps, sometimes checking back on the Altiris Administrator's Guide for Out of Band Management, found at http://www.altiris.com/Support/Documentation.aspx. She finished the processes except for updating the profile since she needed to also update the Admin password settings.

She browsed in the Altiris Console under View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and clicked on Provision Profiles. She highlighted her active profile and clicked the pencil icon in the icon bar to edit it. Under the General tab, to the right of the window, she changed the Intel® AMT 2.0 password: setting from Manual to Random creation. She then clicked on the TLS tab and, using the previous directions, enabled TLS within the profile.

She sat back as she clicked OK. Now that the Altiris Server was setup properly, she needed to push the new profile out. From her place in the console she backed up into the Provisioning folder, and then expanded the Intel AMT Systems folder and highlighted the Intel AMT Systems node. All Intel AMT Systems showed within the right pane. She clicked on the top one, scrolled down, and, while holding shift, clicked on the bottom one. She right-clicked and selected the ‘reprovision' option.

With a sly smile she glanced over at Tevita. He wore his headset again, though he looked less stressed than before. She rolled over and wrote on his whiteboard "AMT back up in a few hours". For the time being they could rely on the Runtime Profile for authentication. Since Altiris knew all the random passwords for the Admin account, via Altiris they should have no problems with security. However she needed to quickly implement AD integration with Kerberos authentication just in case.

She got up to take a quick break. She stretched, looking out over the cubes. She froze in mid stretch for a moment, before quickly pulling down her arms, her eyes widening. Two men in blue jumpsuits walked nonchalantly through the building, one holding a sheaf of what looked like generic forms and the other with a nondescript box. Despite their "non"-threatening postures, something about them bothered her. At first she simply watched them, trying to figure it out.

The man in front emanated confidence like a shiny sword and shield, his smile infectious and full of perfectly white and straight teeth. His strong features seemed chiseled from brilliant marble, as if he'd been carved amid the statues of Rome. Not one of the rich brown hairs on his head stood out of place, his hazel eyes roving over the office as if memorizing all the details. He didn't act suspicious, but his very manner belied the blue-collar worker outfit he wore.

Right behind him strode the other man. He wore a beard, a hat pulled low over his eyes. She squinted, hunching down a little so she didn't rise so high above the cube walls. He carried the box, his muscles tensed. He walked jerkily, each step seeming just a little unsteady. Sweat beaded on what little she could see of his forehead.

"Tevita," she whispered. "Does that guy look familiar to you?"

He appeared beside her. "Who? Those two delivery guys?"

"Yes. The one carrying the box."

Tevita turned to stare at her. "It's the ninja!"

She shook her head, though the sudden clenching in her stomach belied the action. "No way, he's in jail, right?"

"Probably not. He didn't threaten anyone or do any actual damage, and the price of the hard drives he tried to steal doesn't equal enough to be a felony, especially since he claims he was only after the hardware..."

"But why come back here? We know who he is..."

He just shrugged. "Maybe he's turning a new leaf..."

She gestured at the other man just as they disappeared into the stairwell. "Maybe, but that other guy gives me the creeps. I wouldn't be surprised if his name happens to be Lex Luther."

Tevita nodded. "Let's follow them."

She shook her head. "No way! Let's just call security and let them deal with it."

The Tongan only shook his head slowly. "The security company might be too slow to respond. Heck, they took forever to show up when our ninja friend showed up the first time. You go tell Bobby and I'll shadow these two shifty guys."

Before she could respond he hurried away, surprisingly quiet for his bulky, muscled size. She clenched her teeth together, torn by indecision for a few precious seconds. She then turned and hurried towards the server rooms, hopping Tevita wouldn't get himself into too much trouble.

END Part 5

This concludes Part 5. This cliff-hanger will be continued in an even more unbelievable conclusion, Part 6. Now that the competitor has breached the office once again, can Might Modern Marketing's IT staff protect their infrastructure, data, and themselves from this all out attack?

I often get questions about the Intel AMT serial port. Ever since the DTK started to make heavy use of it, serial-over-LAN has gotten a lot of attention. First, how do you change the COM port number of the Intel AMT serial port? The COM number (COM3: for example) is assigned by the operating system, so you don’t see that is any AMT/BIOS/MEBx option. You have to go into Microsoft Windows Device Manager, go to the properties of the “Intel(R) Active Management Technology – SOL” port. Then go into the “Port Settings” tab and press the advanced button. There, you can change the COM port.

Also, it’s often useful for application to be able to automatically detect the AMT serial port. In Intel AMT Outpost, I scan the device drivers looking for the “Intel(R) Active Management Technology – SOL” device and read the COM port number that follows in that string. Sofar, it seems to work great, even in non-English countries, something I am always worried about.

The Intel AMT serial port is much like any other serial port, but it has a PCI device identifier that is not normally known to Microsoft Windows and so, Windows does not know what to do with this device. On Intel’s web site, there is an SOL driver available. The serial driver itself is just a small .INF that tells Microsoft Windows to load and use the standard serial driver. In fact, one can manually force the standard Windows serial driver to be used for this device. You need to go in the device manager and pick a driver from the list, select Microsoft as the manufacturer and you will see it. Even if it’s possible, I don’t recommend it because the DTK code will no longer recognize that COM port as being the AMT port, it’s going to work but will have the wrong name for auto-detection.

Lastly, if someone needed to know if a computer is AMT enabled without having to load any drivers, one way to do it would be to detect the presence of the Intel AMT serial port. It is always present even when AMT is un-provisioned, and it can’t be turned off, unless AMT is disabled entirely in MEBx. This can be a good way to figure out if you need to start considering a computer for AMT setup.

Ylian

(Intel AMT Blog)

Sophia the intern doing my first blog, where I was asked to learn and communicate to you guys in a multi-part series about a product that is made by Intel called vPro.

• what it is?

• what it is used for?

• why I should personally use vPro?

• what is it meant to do?

• what benefits do I get out of having vPro?

• why the v in vPro?

To boil it down, I just want to know all about it?!?

To start my journey, I researched vPro, gathered feedback about vPro in both questions and comments, which gave me the first few topics to study and write about in my blog series. My goal in the series is simple - become an expert about vPro, and share my journey with you along the way. I want to know so much about it, that my head is going to explode. I plan to try to accomplish this in about 9 weeks.

On this particular blog, I am going to figure out what vPro is... What did I do to figure this out? I did what every college student does, I Googled it - how easy! Well, it stated me in a good direction, but at the same time it hurt me by having so much information I didn't even know where to start. Yet, I started to figure out the definition of vPro.

Intel described it in their website as:

Remotely manage both wired and wireless PCs from the same IT console for increased security and simplified system management.

A new generation of notebook and desktop PCs enables proactive security, enhanced maintenance, and improved remote management:

• Intel® Centrino® with vPro^TM technology-based notebooks

• Intel® Core^TM2 processor with vPro^TM technology-based desktop PCs

These PCs deliver down-the-wire security and manageability capabilities- even if hardware (such as a hard drive) has failed, the operating system (OS) is unresponsive, software agents are disabled, the desktop PC is powered off, or the notebook's management agents have been disabled. Desktop PCs also include support for virtual appliances that allow IT managers to isolate and protect critical security and management applications in a more secure, trusted environment. In addition, the new generation of notebook and desktop systems delivers significantly improved 64-bit performance for compute-intensive tasks -including fully integrated 64-bit graphics support - all in a power-efficient package that is Microsoft Windows Vista* ready.

This looks all pretty easy to understand, so far, but in future entries I plan to dissect this verbiage, and maybe be able to put it into thoughts that even I can understand. I want to also dive into vPro's future. The following verbiage look like great candidates for more clarity and understanding:

• Simplified system management (is it really simple?)

• Proactive security (what makes it proactive?)

• Enhanced maintenance (how do you enhance it?)

• Improved remote management (does this mean my boss can manage me from home? Yikes!!!)

• Down-the-wire security & manageability (down what wire?)

• Virtual appliances (virtual refrigerators and toasters?!?)

• Really - this stuff works when the computer is powered off?!?

• Trusted environment (I have found the environment at Intel to be very trusting J).

For this entry I just wanted a platform on where to start. As I said previously, and I really do mean it, I encourage feedback on what direction I should go with this project or even points of view on what I am writing. I am a big girl, I can take it - give me your ideas on topics and I will do my best to figure them out!!!

Stay with me - chapter 2 coming soon with more clarity (I hope)!

-Sophia "The Intern" Stalliviere

If you have not read Part 1 in this article series, please refer to it as this is a continuation of the story begun there:

http://juice.altiris.com/article/4367/altiris-and-intel-vpro-use-cases-part-1-the-setup

Antivirus is a must for any IT infrastructure. Without it productivity is quickly reduced as viruses run rampant in the environment. Keeping Antivirus installed and up to date is vital to ensure continuity of business services. In Part 2 the IT team for Mighty Modern Marketing is put up to the challenge of protecting their network from viral attacks. Using Symantec End Point Protection, Altiris and the Intel vPro technology, they work to ensure that the viral attack and subsequent virus attempts fall ineffective.

Mighty Modern Marketing HQ - Boston, Massachusetts

The commuter rail stretched out across the Charles River, but Jessica Langley didn't notice. Her eyes remained fixed upon the screen of her smartphone, scrolling through the emails that continued to pour in. The subject lines all contained the same word. Her shoulders hunched, feeling like a tremendous weight settled on them. She closed her eyes briefly, rubbing at them with her left hand, the PDA held forlornly in the right.

When she opened her eyes the word jumped up at her.

Virus.

This wasn't the first time this had happened at Mighty Modern Marketing. Viruses routinely showed up as email links or attachments, and it didn't matter how often she or Tevita sent out stern emails reminding people to leave email attachments and links alone unless they were expecting them. People continued to click that link to see the latest movie trailer, or to run the fun and exciting application their aunt or long-lost friend mysteriously sent them from out of the blue.

This time was worse. She'd painted a large red X on her by pushing the Intel vPro technology, and now it seemed everyone stared at her when anything ill befell the network.

She jumped to her feet the moment the train stopped, snatching up her purse and bolting for the nearest door. As she ran down the platform towards the exit of North Station, others gave her curious looks. She smiled briefly. Normally people ran towards the train to avoid missing it. She often saw them frantically running in high-heels or other dress shoes towards a departing train when the work day was over. Who wanted to run into work?

As she staggered into the main lobby at work, glad for the cool air that greeted her, she vowed to start exercising. She hurried through the building.

"I'm glad you're here early," Tevita said in his deep voice as she fell into her chair. "We're in trouble."

"I noticed," she said in-between deep breaths. "What's the situation?"

"I'm not sure, but somehow a virus was planted on a new system as it came online. It appears deliberate."

"But... we have Symantec End Point Protection (SEP). It should keep everything out..."

Tevita smiled, though his eyes shifted to his own monitor, his shoulders shrugging uncomfortably. "Yes... about that. You see, the base image hasn't been updated yet to include that..."

Jessica stared at him.

He waved a hand at her. "I know, no need to look at me like that. That's what I've been doing; recreating the image so it's there from the get-go."

She tried not to groan. "So how widespread is it?"

He laughed, though no humor made it into his tones. "All over the place. They used a vulnerability in one of Bobby's applets to spread it. Of course the first thing it did was disable the antivirus. If SEP had been installed it has protection against... Anyway, those systems without SEP are all hit."

Tevita's eyes glanced up, and widened. Jessica whirled to see Bobby walking up, his hands shoved in his jean pockets. He stared at the floor, his mouth moving as if he counted his steps.

"Bobby?" she inquired.

He looked up, looking like a boy lost out in the desert.

"It got through my firewall!" he exclaimed, extracting his hands so he could ball his fingers into fists. "It shouldn't have been able to do that. I can't even use IM."

Tevita gestured to an empty chair. "Have a seat."

Bobby slumped into the chair. "Whoever sent us this thing knew what they were doing," he said with a scowl. "The cursed thing used UNC to move about the network. Only someone with intimate knowledge of our network could do that. It has to be New Nifty Networks!"

"Do you really think...?" Tevita began.

"Bobby," Jessica said quickly. "Have you fixed the vulnerability?"

"How can I?" he lamented. "It jumped from computer to computer, and with mine infected I quickly turned it off. I need your to help me get that virus off so I can patch the applet."

Tevita smiled. "You actually walked over here."

Bobby looked up, his frown deepening. "Yeah? So?"

"It's unprecedented... You usually stay in your cave, even during power outages. Does it make you nervous to enter the world of real people?"

A flush bloomed on Bobby's sunken cheeks. "Not everyone's as social as you."

"You should stop by more often so..."

"So you can ridicule me?" he retorted.

"Guys," Jessica said, rolling her eyes. "Focus here. Bobby, do you have one of the new vPro systems?"

"Yes, of course," he responded, "I always get the latest hardware from procurement."

"Hey, why don't I see any of it?" Tevita blurted.

Jessica ignored him. "Good," she responded to Bobby as she turned back to her computer. She launched the Altiris Console. "If you have one, it should already be provisioned. Let's check the All Provisioned Computers collection... is this yours?"

"No, my computer is named Superman."

Tevita laughed, and Bobby managed to turn an even more alarming shade of red. Jessica kept her expression passive despite the twitch in her lips from a potential laugh. The computer name Superman showed in the list, and she double-clicked on it. She clicked on the Real-Time tab, entered her credentials, and loaded the Hardware Management page under the Real-Time System Manager, Administrative Tasks folders.

"I have a boot ISO of Symantec's Antivirus scan," Jessica explained as the hardware management page loaded. "I'll just turn on your machine but use IDE Redirect (IDER) to load the antivirus disk. We'll wipe the virus, and turn the system off."

"That's great," Bobby said as he shrugged his bony shoulders," except the minute you bring it back up the virus will propagate again."

Jessica smiled. "Not if I invoke a Network Filter."

"What's that?" Tevita asked, as if on cue.

"Tevita, we've covered this. It's the Intel System Defense. You know, block all traffic except to certain ports and IP Addresses. If you want to read up on it I'll email you the URL. (http://69.93.2.147/article/2645/hold-mf-utilizing-intel-vpro-amt-technology-task-server-part-5-system-defense-tasks)."

"System Defense!" Bobby exclaimed. "I read up on that technology. I created a script that provides a text interface where you can specify which ports you want to allow. I call the API's provided by Intel's SDK. It's great stuff."

"RTSM and Task Server already have it configured to only use communication to them," Jessica said, trying not to smile.

"Oh." Bobby cleared his throat as he pushed himself up onto his feet. "That sounds good. Do you need me to stick around...?"

She gave him a grin. "Just for a minute while I do this."

Bobby sat back down, but leaned forward, staring at her monitor. Tevita slid over, looking on with interest. She said a quick silent prayer that it would all work like she theorized it would.

She choose the ‘Power on' radial option, and under the Redirection options checked the ‘Perform boot from' checkbox. She also checked the ‘Display task progress and remotely control computer' option. Under the device drop down she left it at CD image, and then click ‘browse' and located the Symantec ISO. She lastly clicked ‘Run Task Now'.

A new window popped up, showing the computer boot. It loaded the CD and a textual menu showed up giving her scan options. She initiated the scan.

"Looks like it's working," Tevita said.

Bobby nodded. "I had my doubts since I've been unable to ever get Wake-On-LAN to work across my router..."

"Wake-On-LAN packets don't get by any of our switches are routers," the Tongan responded. "I believe you're the one who recommended the network security scheme we use."

"I know, but Altiris did have an Altiris Agent mechanism to try and deal with it, but I couldn't get it to work in my environment. This vPro stuff sure made that easy. I didn't have to touch the router."

"That's the point," Jessica said with just a hint of exasperation in her voice. "Were both of you sleeping when I gave my presentation on vPro last month?"

Tevita smiled, tugging at his collar. "Have I ever mentioned I don't like PowerPoint?"

"Only twice daily. But I showed demos... oh who am I kidding? That's the last time I supply lunch before a presentation."

The two men exchanged glances with sheepish grins, and then focused back on the screen. She looked back to the scan. It finished quickly, showing the virus as detected and quarantined. She closed the remote window and clicked on the Network Filtering node under Administrative Tasks in the Real-Time Console. She checked the ‘Override default solution settings' checkbox and changed the radial selection to ‘Filter network traffic other than to and from the Notification Server'. She clicked Apply. When the page finished refreshing it contained the message, "Machine was successfully moved into quarantine".

"Alright Bobby. I'll use the Power Control to boot your machine up so you can Patch your applet and install SEP. You head back and get it done ASAP. Once it's patched I'm going to mass-remediate all the vPro systems doing the same actions we just did except on a mass scale with Task Server."

Bobby jumped to his feet. "Sounds good. IM me if you need anything..."

"Except IM won't make it through the Network Filter," she responded dryly.

"Ah... yes. Well... you know where I am."

"Quick question, how long will it take you?"

"Less than an hour."

As Bobby walked away Tevita smiled hugely, some of his natural humor finally flowing back into his features. "He's a real gem."

"You should cut him some slack," she scolded.

"Bobby? I'm holding back, really I am. It's just too much of a temptation. He's classic nerd. But he is a master at what he does, so I'll be sure to keep it friendly."

"I'm reassured," she said, rolling her eyes for the third time that day. She then gave him a sly smile.

"What?" he said, his smile drooping. "You have that look."

"Regardless of blame, even though you should have updated the image weeks ago to include Symantec Endpoint Protection so I blame you for this mess, I need you to create a CD out of the Antivirus boot ISO and load SEP on a flash drive so you can manually remediate those systems without vPro."

Tevita swallowed. "Hey, we've had a pretty busy workload..."

She softened her look. "I know, sorry. Anyway... when you get to each system, yank the network cable, use the ISO to clean the virus, then load SEP, and then put the cable back in. I'd even suggest making several copies so you can do a handful at a time. And here's a printout of all non-vPro systems."

Tevita took the printout and nodded. "I'm on it."

Jessica focused back on the Altiris Console after Tevita left clutching ten copies of the ISO and SEP installer. She browsed under Manage, Jobs, Tasks and Jobs, right-clicked on Jobs, and choose ‘New Folder'. She right-clicked on the new folder and choose ‘New > Task/Job'. In the resulting window she choose ‘Server Job' under the ‘Jobs' folder. The first element popped up a message from a VB script stating that an emergency procedure would fire in 60 seconds, and instructing the user to save all data. Her second task was a ‘Boot Redirection Task' that booted up a modified ISO that automatically ran the scan and took any appropriate actions against detected threats. The third task invoked the Network Filter, allowing only NS and Task Server communication capability with the system. For the fourth Task she located the SEP install Tevita had made with Altiris Software Delivery Solution and put it into a Task Server Deliver Software Task. Finally she created the fifth and sixth tasks that removed the filter and invoked a reboot to finish the process.

She saved the job and selected her own system to test it.

"Mrs. Langley," a familiar voice prompted. Normally she caught movement in the mirror mounted on her flat panel monitor when someone walked up to her, but she'd been so focused that this time she started almost violently in surprise, whirling around in her chair.

Edgar Watts stood behind her, his hands conspicuously empty of printouts. Her first impulse was to point to her screen and tell him she had a plan with vPro to take care of the virus in a timely manner.

She rose to her feet, trying to place a polite and not strained smile on her face. "Hello Mr. Watts."

"Since my computer is down, I've been using my laptop to research the impact of viruses to corporations, specifically impacts to finances."

He frowned, briefly rubbing a forefinger along his jaw. He didn't immediately continue, his vexed expression seeming to say he was seeing those numbers again and loathing what he saw.

"We're working on it," she said, trying not to sound defensive.

"I know," he responded. "I'm astounded at the amount of this company's hard-heard cash flow flowing down the drain."

"We'll have your and all vPro enabled systems up within the hour," she said, forcing that smile to remain on her face."

"One hour?" he responded, looking down at his watch as his brow drew low over his eyes, almost like a thundercloud.

She braced for some kind of outburst, feeling sour in the pit of her stomach. It seemed like her stomach wanted to remain clenched, and she couldn't relax the muscles in her shoulders. What more could she do? She often woke in the middle of the night, her sleep-clouded mind immediately whirling through all the issues she needed to address immediately. She needed to prove vPro, identify and eliminate any threat from their nefarious competitor, keep Edgar's expense-cutting knives away from her department, and still find enough time to enjoy time with her husband. Lying awake at night, trying to will herself to sleep, got old fast. Two days ago her husband had recommended quitting.

That seemed wrong. She'd never given up on anything in the past, and she didn't want to give up on this now, especially when all of Mighty Modern Marketing needed her at this critical time.

When Edgar looked back up from his watch he smiled, a rare sight that stilled her thoughts, her breath catching in her throat.

"All vPro capable systems, you say?" he asked.

"Yes sir," she responded after a moment of stunned silence.

"I came down to wish you luck, but perhaps you don't need that luck after all. Good day, Jessica."

He turned around and walked away, and she stood and stared at him. She almost chuckled, but she still felt too emotionally invested and she just might break down and tear up. She slowly sat back down, staring at the Altiris Console. With renewed vigor she tested her job, made a few tweaks to the command-line of the rollout job, and then brought up a Run Now window, selecting All Provisioned Systems. Her mouse hovered over the Run Now button.

"Come on Bobby," she whispered. The few minutes before the IM popped up declaring "Applet is patched" seemed like an eternity.

She clicked the Run Now button.

She got up and took a quick water break, grabbing a drink and throwing it down as if a shot in a drinking contest. She didn't want to return to her desk. What if it failed on most systems, especially the executive team's? What if she hadn't accounted for different hardware platforms in her job? What if?

She squared her shoulders, throwing off the ‘what if' game. She walked resolutely back to her desk and sat down, refreshing the job.

Ninety percent success rate brought a smile to her lips.

For the next few hours she used RTSM to connect to and patch those systems where the Task Server job failed for whatever reason. Most she could figure out the issue by using RTSM, aided by the article, http://69.93.2.147/article/4075/troubleshooting-altiris-manageability-toolkit-vpro-technology-part-5-real-time-console-, since RTCI was the component that executed most Task Server and RTSM commands against AMT.

Toward the end of the business day she leaned back. All vPro capable systems, a good 75% of the environment, was patched. Just as she shut down her computer Tevita showed up. His natural good humor managed to put a smile on his face. His long-sleeved dress shirt had the sleeves rolled up, his tie loose and top button of his collar undone. Sweat glistened on his forehead, remnants of computer dust bunnies streaked on his hands and forearms.

"Hi!" she said, unable to keep from smiling in amusement at him.

"Let me guess," he said, his smile twisting a little, "you've managed to patch all vPro systems."

"Yes," she responded, putting her purse back down on her desk. "How's the other systems coming?"

"I'm... uh... half done."

She nodded, picking up her phone. "Tevita, give me just a moment. Hi, Rob? I'm fine, though it looks like I'll be here a while. It's mostly under control, but we have a few more systems to fix. I know, I'm sorry. I'll see you later tonight, honey. Love you too, bye."

"What are you doing?" Tevita asked, frowning.

"We need to finish up, right?"

"Well... yes. But you don't really have to..."

"I'm thinking your wife wants to see you at least some time tonight. I'll take the third floor, you finish up the second, and the last one done has to bring donuts tomorrow."

Tevita looked relieved. "Deal. Thanks, Jessica."

Bobby walked up, a laptop case in his hands. "I'm heading out. Thanks for getting me back up so fast."

Jessica turned to him, her smile growing. "Bobby, we need your help," she said without preamble. "We have a few more systems to remediate..."

Bobby shook his head, his expression tightening. "No way, I have a Halo 3 party..."

"Bobby, you can't abandon us..."

Bobby looked down at the case in his hands. "Ah nuts! You don't know what this does to me. I'll lose my leader spot..."

"You'll make it up," Tevita said confidently. "If we get this done quickly imagine how impressed they'll be when you join late and still take the top spot."

Bobby's stricken look abated. "Yes. Yes, that would be impressive. Ok, I'll help."

Hours later Jessica left the building, running towards North Station to catch one of the late trains home, her shoulders feeling much lighter than when she'd rode in.

End Part II

Having minimized the damage of the first attack, the IT staff will continue to prepare in anticipation of more cyber attacks.

At Intel, we're always looking for feedback on the way IT should be. Therefore, at the recent MMS 2008 Conference, we had Intel customers, partners, and technical experts from Microsoft and Intel tell us their meaning of IT Utopia.

]]>

To see more videos from MMS 08, go to http://www.intel.com/go/mms/

As many of you may know, there are two ways of contacting Intel AMT: The remote network interface and the local LMS/HECI interface. These interfaces are very different; the remote interface that is available thru the wired and sometimes wireless Ethernet and is rich with features while the local Intel AMT interface is very limited. Intel AMT was designed this way from the start for security. Intel AMT acting as an IT agent on desktops and laptops could not be allowed to be meddled with by the local user or local applications that could try to use or deactivate Intel AMT. That at least was the original design intent.

Times have changed it seems and many users of Intel AMT don’t see local users and applications as being always hostile. There are many reasons why it would be very interesting to access all of the features of Intel AMT locally. For example

• If the user changes the name of the computer is the OS, it would be nice to have a local agent sync up the Intel AMT network with the OS name automatically. This way, when the computer goes to sleep next, Intel AMT will report the correct new name.

• Circuit breaker policies could be used as a local firewall implemented in hardware. Set it once and the gigabit network chip does all the filtering and counters at gigabit speeds.

• On a mobile platform, wireless profiles could also be synched up automatically. The user adds a new wireless profile with a WPA key and this profile is automatically added to Intel AMT.

• Enterprise provisioning of Intel AMT could be done entirely locally using local software removing the need for complicated centralized servers.

Instead of seeing the local user as hostile, the local application now cooperate to setup Intel AMT so that if something goes wrong, it’s ready to be used to recover the computer. All this and more would be possible if Intel AMT allows the local applications full access to all the remote interface features.

A local application can’t simply connect to TCP port 16992 or 16993 and access all of the Intel AMT features since the traffic has to flow thru the gigabit network interface. Connecting to 127.0.0.1 will not work, that will access the more limited local interface.

A solution is to use a reflection application like Intel DTK Network Reflector found in the Intel AMT DTK. This tool runs on a central always on server and simply reflects back all TCP connections back to the source on ports 16992 to 16995. Using this tool an Intel AMT console or even a web browser can connect to "http://reflector:16992" and log into its own Intel AMT remote services. However, there are issues with this solution: You need this reflector tool running and know where on the network it is running. Also, a rogue application could log into the remote interface and put an annoying circuit breaker policy to drop all packets, etc.

In the future, Intel AMT itself could be modified to allow all services on the local interface removing the need for the reflector. There are security considerations of course, but feedback from users of Intel AMT on this idea would be appreciated.

Ylian (Intel AMT Blog)

Last week Intel sent me to Israel for an Intel only gathering of engineers, architects and specialists that work on Intel AMT. I was honored to attend and also to be a speaker taking about the progress made with the DTK. First of all, I want to thank all of the people in Intel Israel for making this trip a great success. I also got to hear about many DTK success stories and it all of the hard work worth it. I was especially surprised with the DTK’s success in Asia, but also all over the world. I am still not sure if it’s the tutorial videos, the translations or what.

In addition to the meetings, we had a great time visiting the old city of Jerusalem, the Dead Sea and later on my own the city of Elat and Petra in Jordan. I got some of the most wonderful pictures and uploaded some on Google servers here:

http://picasaweb.google.com/ysainthilaire/Israel200802

These pictures cover the 10 days of my trip, starting with the old city then me playing in the mud and floating in the Dead Sea and finishing with my visit to Jordan. Jordan was probably this highlight of this trip, there is something just odd about traveling in this vast desert and realizing that I was in the country that had a common border with Iraq. For most of us in the US, it seems so distant. The city of Petra in Jordon has unique sand stone carvings in the walls. Some people will also notice that the Indiana Jones movie was filmed at this location. Petra was named one of the new 7 wonders of the world and as a result got a surge in tourism. It’s a wonderful place, hot and laid back.

Most people travel by air from Jerusalem to Elat and Jordan, but I opted to take the bus. It’s a 4 and a half hour trip thru amazing scenery. It’s also inexpensive, about 12 to 15$ and much more convenient than by airplane. I will say that except for the bus, everything was very expensive in US dollars. It’s a shame the dollar is so weak, I don’t except to make many of these trips.

Last week was the holocaust memorial day in Israel and I happened to visit the Wailing Wall with some of my Intel co-workers just as 1000’s of people where attending a ceremony that was being broadcast live on TV. One of my pictures shows all the people at the wall.

The Dead Sea was really amazing, it’s so saturated with salt that you simply float. This sea is the lowest point on Earth I am told, it’s 1,378 feet below sea level. Your ears pop on the way there as the air pressure increases. As pressure increases so does the temperature which will often be 10 degrees hotter than Jerusalem. The Dead Sea is well known for the Dead Sea salts used as skin treatment. It also gave me a great excuse to play in the mud! You let it dry and wash it off to wonderful skin… but it’s also just loads of fun.

To sum it up, this 10 day trip was simply amazing. In addition to meeting many people who use the DTK, I also got to see and experience some unique places I will never forget.

Ylian (Intel AMT Blog)