
Intel vPro Expert Center Blog

6 Posts tagged with the intel_vpro tag

Murphy's Law states that just when you think you have shared all you have to give in a document, you find a juicy tidbit that should have been included. Therefore, I have updated the Intel® AMT™ Add-On for SMS from V3.3 to V5.0 Upgrade Overview (PDF).

 

I discovered a batch file that is included in the default installation directory, C:\SMSAMTInstallation\iAMT addon for SMS\IAMTSMSSettingsExport.bat. It contains the command line to export the registry settings for your currently installed version of the Add-on.


Before you upgrade the Intel® AMT™ Add-On for SMS to the Intel® Client Manageability Add-On for Microsoft* SMS 2003 version 5.0, check out my document about the process and some things to keep in mind before you begin. Thanks! Intel® AMT™ Add-On for SMS from V3.3 to V5.0 Upgrade Overview


The new generation of notebook PCs with Intel vPro technology includes Intel Anti-Theft Technology PC Protection (Intel AT-p). Intel AT-p offers you the option of activating hardware-based client-side intelligence to secure the PC and data if a notebook is lost or stolen. Because the technology is built into PC hardware, it provides local, tamper-resistant defense that works even if the OS is re-imaged, a new hard-drive is installed, or the notebook is not connected to the network.

For a good introduction of the Intel® AT-p Technology please visit - http://communities.intel.com/community/openportit/vproexpert/blog/2008/12/04/anti-theft-technology-has-arrived

In the following we describe an example of how this technology is deployed and used in the working life of a typical employee at a security-conscious company. Consider Jane, a new employee of a company called SecureBank. SecureBank wants all of its employees' laptops protected against theft and is therefore using Intel® vPro Anti-Theft Technology for Asset Protection (AT-p) with Absolute as the ISV.

In particular Jane has two (rather adventurous) days –

-         Day 1: The IT admin receives a new laptop and sets it up for Jane. Jane uses the new laptop for the day and manages to lose it to a thief!

-         Day 2: the thief is unable to use the laptop due to the poison pill sent as a feature of the AT-p technology. The thief therefore gives up on it and leaves it in a coffee shop. The laptop is subsequently recovered by SecureBank, made functional again and is ready to be handed over to Jane.

Below are the details –

(Check out the video uploaded at youtube –

http://www.youtube.com/watch?v=bnTggBxhOVk&feature=email)

Day 1:

(1) Initial Setup by IT Admin:

The IT admin receives a new laptop and lays down the SecureBank IT image on it. This image includes the Absolute agent, which will be used for AT-p; the Absolute Client Windows Installer is part of the IT image. Two key steps are undertaken -

-         Enrollment: The IT admin runs the Absolute Client Windows Installer which installs the Absolute agent on the client. As part of the installation this client is enrolled with the Absolute server. Enrollment consists of the following steps –

1.      The Absolute Agent checks the local platform to ensure that the platform is eligible for Intel® AT-p.

2.      The Agent requests permission to activate AT-p from the ISV Server, i.e. the Absolute Server.

3.      The ISV Server takes this unique client request and sends it (along with a license key) to the Intel permit signing server.

4.      Once the Intel signing server has validated this request, an AT-p permit is generated for that unique client. The client system is now ready to validate signed messages from the ISV server.

Once the machine is enrolled it shows up on the administrator console. The machine is identified using a unique identifier generated by the Absolute server, Detected Full Computer Name and Detected Serial Number. At this point a default policy for the client machine is also applied.

-         Policy Setup: The IT admin can also fine tune the policy for Jane. Examples of Attributes he can set include:

 

Policy Attribute  | Example Value    | Meaning
AT-p Timer Value  | 48 hours         | The machine's disablement timer: if the machine does not connect with the server within 48 hours, it is disabled.
AT-p Timer Action | Immediate Lock   | The action the machine performs once the AT-p Timer has expired. In this case the machine shuts down immediately (even if the OS was up and running) and does not allow the boot process to proceed.
AT-p Theft Action | Immediate Lock   | The action the machine performs when it connects with the server and finds itself marked stolen. In this case the machine shuts down immediately, same as above.
AT-p Password     | "StRongP@ssw0rd" | Admin password used to recover the machine when it is disabled or locked.
AT-p State        | Active           | Whether AT-p is currently active on the machine. A machine with a legitimate working user is marked Active.
Theft Status      | Secure           | Whether the machine is marked stolen or secure. In this case the machine is not stolen.



Once the IT admin has set the above policy he is ready to hand over the laptop to Jane.

(2) Normal Usage:

On receiving her new laptop, Jane logs in with her domain credentials and uses it seamlessly, as if there were no AT-p. The rendezvous requires no active participation from Jane; it happens in the background and is transparent to her.

- Rendezvous (Machine Not Stolen)
The Absolute solution has a rendezvous timer of 24.5 hours. After this time the following steps occur –

1.      As the Rendezvous Timer (24.5 hours) expires, the ISV Client Agent initiates a rendezvous.

2.      The ISV Server’s response is relayed to the Intel Management Engine (in the firmware) through the ISV Client Agent. Any new settings are relayed.

3.      Acknowledgments are generated for any message received.

4.      Once finished, the Disablement Timer (or AT-p Timer) reset message is sent to the Intel Management Engine.

(3) Theft:

After a good first day of work, Jane’s colleagues take her out for a dinner. She leaves her laptop in the car and heads to the restaurant. To Jane’s bad luck her car is broken into and the notorious thief steals her laptop.

- Malicious Usage: The thief has a hacking tool that bypasses the Windows login/password challenge and can use the laptop. He feels he can make a good fortune by selling it on the black market.

- Theft Reporting: When Jane returns to the car, she is shocked to see her car broken into and her laptop stolen. She immediately calls the IT admin helpdesk and reports the theft. The IT admin sets the Theft Status to Stolen. Next time the laptop checks in with the Absolute server, the Theft Action, which is Immediate Lock, will take place.

Day 2:

(4) Poison Pill:

The attacker logs in again using his hacking tool. Since it is past 24.5 hours (i.e. the rendezvous timer has expired) the agent initiates a rendezvous. At this time the following steps happen -

- Rendezvous (Machine Stolen)

  1. As the rendezvous timer expires the ISV Client Agent initiates a rendezvous.
  2. The server has marked the system as stolen, and sends an AssertStolen message (“Poison Pill”) to the system.
  3. The local system takes action based on the current policy.

As the action is Immediate Lock, the thief is surprised to see the machine simply shut down. When he powers it on again he is met by a pre-boot authentication screen asking for admin credentials. His hacking tools cannot bypass this screen: they work against the OS (which is potentially more vulnerable), whereas the pre-boot environment is an extension of the boot firmware and acts as a tamper-resistant authentication layer outside the operating system. Brute-force attacks are also much harder here, because the firmware reboots the machine once a time threshold or a number of failed login attempts has been exceeded.

To the thief's dismay, he cannot really use the laptop and leaves it in the coffee shop from which he last logged in.

(5) Asset Recovery:

The IT admin of SecureBank obtained the IP address from which the thief last connected and contacts the coffee shop. SecureBank officials pick up the laptop and bring it back to the IT admin desk for recovery. To recover the platform the IT admin carries out the following steps –

  1. The IT admin (re)sets the Theft Status to be Secure (from Stolen).
  2. Upon boot, the admin is presented with a “system locked” message in the pre-boot environment.
  3. The admin recovery passphrase must be entered before a given time (say 2 minutes). The admin immediately inputs his admin passphrase for the given machine.
  4. When the admin credentials and theft status have been verified, the AT-p timer is reset and the client platform is unlocked. The platform then boots to the OS. 

Once this is done, the IT admin is ready to return the machine to Jane without losing any time. Thus the AT-p solution not only secures machines against theft and continued malicious use, but also ensures efficient recovery and continued use of the recovered machine.
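To make the two days concrete, here is a small Python model of the enrollment, rendezvous, poison-pill and recovery steps described above. It is an added example written for this page, not Intel's or Absolute's code: the Intel-signed permit and the signed ISV-server messages are stood in for by a per-client HMAC-SHA256 key handed out at enrollment, the Management Engine timers are simulated with plain hour counts, the pre-boot unlock is handed the server's Theft Status directly, and the three-attempt lockout threshold and the client name JANE-LAPTOP-01 are assumed values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

RENDEZVOUS_HOURS = 24.5   # Absolute's rendezvous timer, from the post
LOCK = "Immediate Lock"   # the only AT-p action modelled here

@dataclass
class Policy:             # mirrors the policy table above
    timer_hours: float = 48.0                  # AT-p Timer Value
    timer_action: str = LOCK                   # AT-p Timer Action
    theft_action: str = LOCK                   # AT-p Theft Action
    recovery_password: str = "StRongP@ssw0rd"  # AT-p Password
    max_unlock_attempts: int = 3               # assumed pre-boot threshold before a forced reboot

class ISVServer:
    """Absolute-style ISV server: tracks Theft Status and signs rendezvous replies."""
    def __init__(self):
        self._keys = {}         # client_id -> MAC key (stands in for the Intel-signed permit)
        self.theft_status = {}  # client_id -> "Secure" | "Stolen"

    def enroll(self, client_id):
        self._keys[client_id] = key = secrets.token_bytes(32)
        self.theft_status[client_id] = "Secure"   # default policy applied at enrollment
        return key

    def rendezvous(self, client_id, nonce):
        # The client's nonce is bound into the MAC so a captured "Secure" reply cannot be replayed.
        body = "|".join([client_id, nonce, self.theft_status[client_id]]).encode()
        return body, hmac.new(self._keys[client_id], body, hashlib.sha256).hexdigest()

class Client:
    """ISV agent plus simulated Management Engine state for one laptop."""
    def __init__(self, client_id, server, policy, now):
        self.client_id, self.policy, self.key = client_id, policy, server.enroll(client_id)
        self.state, self.failed_unlocks = "Active", 0          # AT-p State
        self._arm_timers(now)

    def _arm_timers(self, now):
        self.timer_deadline = now + self.policy.timer_hours    # disablement (AT-p) timer
        self.next_rendezvous = now + RENDEZVOUS_HOURS

    def tick(self, now, server, online=True):
        """Advance the clock to `now`: fire the timer action, then rendezvous if due."""
        if self.state == "Active" and now >= self.timer_deadline and self.policy.timer_action == LOCK:
            self.state = "Locked"
        if self.state == "Active" and online and now >= self.next_rendezvous:
            self._rendezvous(now, server)
        return self.state

    def _rendezvous(self, now, server):
        nonce = secrets.token_hex(8)
        body, tag = server.rendezvous(self.client_id, nonce)
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).hexdigest()):
            return                       # forged reply: ignored, the timer keeps running
        cid, echoed, status = body.decode().split("|")
        if cid != self.client_id or echoed != nonce:
            return                       # replayed reply: ignored as well
        if status == "Stolen":
            if self.policy.theft_action == LOCK:
                self.state = "Locked"    # AssertStolen, the poison pill
            return
        self._arm_timers(now)            # timer reset message to the ME

    def preboot_unlock(self, password, server, now):
        """Pre-boot recovery: the admin password AND a Secure theft status are both required."""
        if self.state != "Locked":
            return True
        if (hmac.compare_digest(password.encode(), self.policy.recovery_password.encode())
                and server.theft_status[self.client_id] == "Secure"):
            self.state, self.failed_unlocks = "Active", 0
            self._arm_timers(now)
            return True
        self.failed_unlocks += 1
        if self.failed_unlocks >= self.policy.max_unlock_attempts:
            self.failed_unlocks = 0      # firmware reboots; the machine stays Locked
        return False

def run_story():
    """Replay Jane's two days and return the outcome of each step."""
    server, policy = ISVServer(), Policy()
    jane = Client("JANE-LAPTOP-01", server, policy, now=0.0)   # Day 1: enrolled, timers armed
    log = {"day1 rendezvous": jane.tick(25.0, server)}         # Secure: timer reset to hour 73
    server.theft_status[jane.client_id] = "Stolen"             # helpdesk sets Theft Status
    log["thief before pill"] = jane.tick(40.0, server)         # next rendezvous not due until 49.5
    log["poison pill"] = jane.tick(50.0, server)               # rendezvous -> AssertStolen -> Locked
    log["thief guesses"] = jane.preboot_unlock("password", server, 51.0)
    log["admin while Stolen"] = jane.preboot_unlock("StRongP@ssw0rd", server, 60.0)
    server.theft_status[jane.client_id] = "Secure"             # recovery step 1
    log["admin recovers"] = jane.preboot_unlock("StRongP@ssw0rd", server, 60.1)
    return log

def run_offline():
    """A laptop kept off the network for the whole AT-p Timer Value locks itself."""
    server = ISVServer()
    laptop = Client("JANE-LAPTOP-01", server, Policy(), now=0.0)
    return laptop.tick(48.0, server, online=False)
```

run_story() walks the timeline: the Day 1 rendezvous at hour 25 resets the 48-hour timer, the helpdesk marks the machine Stolen, the rendezvous at hour 50 delivers the poison pill, and the pre-boot unlock succeeds only once the admin supplies the password and the Theft Status is back to Secure. run_offline() shows the timer action firing with no network at all. The nonce echoed in each reply is the detail worth keeping in mind for any real design of this kind: without it, someone holding a captured "Secure" reply could replay it to keep resetting the disablement timer.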



Installing Multiple Intel SCS components for a large Notification Server environment

Some Notification Servers carry huge loads of managed systems. I've seen Notification Servers managing 10,000, 15,000, and even 20,000 plus systems. For Out of Band Management with the Intel SCS Component, a multiple-service install may be required to handle large loads of provisioning or maintenance requests into the Intel SCS Component. This article covers how to set up such an environment.

 

Introduction

Normally, in a simple Notification Server environment, when the install for Out of Band Management is initiated, all the necessary pieces, including the Intel SCS Component, install automatically and silently. In more complex environments the automatic install of the SCS Component often throws an exception and displays a message indicating that the install should be conducted manually. That manual process is what will be used to install the component on the subordinate servers that will share the load for the Intel SCS Component.

 

Installing Out of Band Management

The first step is to install Out of Band Management and the primary Intel SCS Component on the Notification Server. This will set up the IntelAMT database that will be used by every install of the Intel SCS Component. The following process details the install methods for Out of Band and the Intel SCS Component.

 

Simple NS environment

For a simple NS environment where the Application Identity for Notification Server has full rights to both the Notification Server system and SQL Server, the initial install is simple. Note that this process should be used for Simple and Complex environments to lay down the essential components on the NS.

 

  1. In the Altiris Console, browse View > Configuration > Install/Upgrade additional solutions.

  2. Under available solutions, click the 'Segments' button.

  3. Expand the Partner Solutions section and locate the Altiris Manageability Toolkit for Intel vPro Technology.
    (Screenshot in the original post: SolCtrvPro.jpg)

  4. Click the link to launch the install.

  5. NOTE: This will install the following primary components, all of which tie into aspects of Out of Band Management and Real-Time System Manager:

    1. Task Server and supporting installs

    2. Real-Time System Manager

    3. Real-Time Console Infrastructure

    4. Out of Band Management Solution

    5. Out of Band Setup and Configuration (AKA the Intel SCS Component)

    6. Network Discovery

  6. The install will commence. Note that if the Intel SCS Component cannot be installed successfully you will receive a message indicating it needs to be installed manually. If this is the case, see the next section entitled 'Complex NS Environment'.

  7. If no errors are shown, the Intel SCS Component with the IntelAMT database should have been installed and created successfully.

Complex NS Environment

Despite the name of this section, the steps here are sometimes needed simply because of a minor permissions issue hit when the automatic install was attempted. The following steps detail the process of installing the Intel SCS Component manually.

 

  1. Run through the install as detailed under the 'Simple NS Environment' section above. This will put all the typical components in place; the automatic install of Intel SCS will likely fail, requiring the next series of steps to be completed.

  2. It's recommended to log into the Notification Server as the Application Identity user.

  3. Browse to the following path on the NS: install_path\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\OOB\IntelSCS\

  4. Launch the EXE AMTConfServer.exe.

  5. Click 'Next' on the Welcome screen, accept the license agreement and click 'Next'.

  6. Choose 'Complete' as the type of setup and click 'Next'.

  7. In the User name and Password fields put in the Application Identity for the NS.

  8. Check the Web details.

  9. Leave 'Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. With it unchecked the SCS service accepts unencrypted HTTP connections, so only do that on a trusted management network. Click 'Next'.

  10. Under 'Database Server' select the database server name and instance (if applicable) to use. Windows Authentication is recommended, but if the SQL setup requires a SQL account, choose that option. Click 'Next'.

  11. The next details should be left as they are. Click 'Next'.

  12. Click the 'Install' button to proceed with the install using the parameters set.

  13. At the Complete screen, leave 'Start Intel® AMT Config Service' checked and click 'Finish'.

Subsequent SCS Installs

Now that NS has all the required components, and the IntelAMT database has been created, the following details cover how to install a subordinate install of the Intel SCS Component. Note the following prerequisites for this type of install:

 

  • Windows 2000 Server, Windows 2003 Server

  • Internet Information Services (IIS)

  • Microsoft .NET 2.0

 

Run through the following steps to install Intel SCS.

 

  1. Log onto the system as the Application Identity user for Notification Server.

  2. Browse to the following path on the NS (the NSCap share of the Notification Server):
    <NS_Name>\NSCap\Bin\Win32\X86\OOB\IntelSCS\

  3. Launch the EXE AMTConfServer.exe.

  4. Click 'Next' on the Welcome screen, accept the license agreement and click 'Next'.

  5. Choose 'Complete' as the type of setup and click 'Next'.

  6. In the User name and Password fields put in the Application Identity for the NS. If this is not possible, the user must have full access to the SQL Server. This will also be the account the AMTConfig service runs as.

  7. Check the Web details.

  8. Leave 'Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click 'Next'.

  9. Under 'Database Server' select the database server name and instance (if applicable) to use. This must be the SQL Server on which the IntelAMT database was created in the previous steps.

  10. Leave the database details as they are. Click 'Next'.

  11. Click the 'Install' button to proceed with the install using the parameters set.

  12. You'll receive a notice saying that the database IntelAMT already exists. Make sure to click 'Yes' so it uses the existing one.

  13. At the Complete screen, leave 'Start Intel® AMT Config Service' checked and click 'Finish'.

  14. From the Intel SCS install folder on the Notification Server (by default C:\Program Files\Altiris\OOBSC\), copy the file oobprov.exe to the same path on the subordinate install.

  15. NOTE! You must use the same path that was used on the Notification Server; this is a limitation of this implementation.

  16. Copy the attached file Interop.AeXClient.dll to the same folder.
    (Screenshot in the original post: RemoteSCS.JPG)

  17. Normally the script (oobprov.exe) is already registered with the correct path, but if it is not, the path must be changed manually.

  18. Open SQL Query Analyzer or SQL Enterprise Manager and run the following query:

    USE IntelAMT
    SELECT props_script_path, use_props_script
    FROM csti_Configuration

  19. Check that the path matches both the remote and the local Intel SCS install, and verify that use_props_script is set to 1, meaning 'True' (0 means 'False'). If either needs updating, run the following query, changing the path to match your environment (both columns are set in a single SET clause):

    UPDATE csti_Configuration
    SET props_script_path = 'C:\Program Files\Altiris\OOBSC\oobprov.exe',
        use_props_script = 1
    WHERE configuration_id = 1

  20. Everything should now be in place for both the primary and secondary Intel SCS installs to share the load of systems being provisioned, including subsequent maintenance or reconfiguration functions.

Confirm Registration

The next step is to confirm that the install has successfully registered in the IntelAMT database and is running. Use the following steps to make the checks:

 

  1. First, check that the secondary SCS Server has properly registered in the IntelAMT database. On the SQL Server where the IntelAMT database is housed, open SQL Query Analyzer or SQL Enterprise Manager and run the following query:

    USE IntelAMT
    SELECT * FROM csto_servers

  2. You should have one entry for every Intel SCS install you've completed.

  3. On the secondary Intel SCS Server, go to Start > Administrative Tools > and click on 'Services'.

  4. Locate the service 'AMTConfig'. Ensure the following settings:

    • Status = Started

    • Startup Type = Automatic

    • Log On As = NS Application ID

Adjust Queue Settings

The last part is to adjust the general settings to account for the added resources.

 

  1. In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > and click on 'General'.

  2. Look under the 'Service Maintenance' section (screenshot in the original post: OOBGenSettings.jpg). The recommended settings are:

    • Max queue size: 2000 for one instance, add 1000 per secondary server

    • Worker threads: 10 for one instance, add 5 per secondary server. The same applies to the Slow worker threads

  3. The above values are recommendations. Since thorough testing has not been performed, change them in small increments if performance is a problem.

  4. Make sure to 'Apply' the changes once they've been made. This should allow the SCS infrastructure to handle larger loads of incoming requests.

Conclusion

The subordinate Intel SCS install process should be repeated for each Intel SCS install desired in the environment. This will help distribute the load of incoming requests from Intel AMT vPro systems. Moving forward Symantec and Intel will be testing this scenario further. In the interim this article can be used to increase the resource power of the SCS infrastructure.


Are you the Pro-est of Pro's? Are you an IT Evangelist? We are looking for your biggest IT challenge or what Intel® vPro™ technology Use Case will change your world. You could win a free Intel® Centrino® Pro™ processor technology machine from either Lenovo* or Hewlett Packard*.

 

Full Contest Details

 

Contest Rules (Legal said I had to)

 

 

I'm looking forward to seeing what you have. Please reply with your submissions to the full contest details link above.


Short Version with Audio

FULL VERSION

 

If you would like to have more information on how we created the ISO image that copied the hal.dll file please let me know and I will post that information.

 

Or if you would like to see how to use a certain feature of the Intel System Defense Utility, please let me know.
