Intel vPro Expert Center Blog

Altiris and Intel vPro Use Cases - Part 5 - Tightening AMT Security

joelsmith — Mon, 11 Aug 2008 16:01:21 GMT

NOTE: If you have not read parts 1 through 4, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases

Learning from previous mistakes, CSO Dan Williams discusses what they can do to better secure the powerful AMT functionality. Since the human factor is the biggest weakness, what can they do to strengthen this? Obviously they can't remove it altogether; might as well shut the company down. In Intel vPro the human factor can be minimized due to available strong security technologies. AMT can be made more secure, but the continuing threats are emphasized when a computer is hijacked. What can be done to regain control?

Mighty Modern Marketing HQ - Boston, Massachusetts

Bright sunlight filtered through the distant windows , overshadowing the bland fluorescent lights lit above. Jessica Langley watched the distant pedestrians seen in a narrow view near the street moving past with varying degrees of enthusiasm. The hot summer held to the south temporarily by a low pressure that brought in the cool Atlantic breezes. She imagined being able to hear the conversations of those passing, wondering what they spoke of, and if any of them had as crazy a life as her.

"Ah, this is the life," Tevita said as he leaned back. He placed his hands behind his head and stretched out his legs, pushing his office chair as far back as possible. With what looked like a deliberately casual gesture he tossed his headset onto his desk.

"You should be worried," Jessica commented dryly.

"Worried? Why?"

Jessica gestured sharply at her phone. "No one can call us with the phones down, so our work is just piling up while we sit here."

"Hey, we have our mobile phones. If it's not important enough for them to look up our numbers, then why worry about it?"

"You know that's not how it'll happen. As soon as the phones get up... WHAM! We're here until the sun drops below the trees in the west."

Tevita's smile lessened, but only a little. "They've been down for two hours. Perhaps they'll be down all day, and we can leave early."

"Right."

The Tongan shrugged, and Jessica briefly envied his ability to shove aside problems when they weren't directly in front of him. He could have two amazingly nasty issues to work on, and he'd easily concentrate on one at a time as if the other issue didn't exist. She wished she could compartmentalize in that manner, but when she had two critical issues to work on they hung over her like a dark shroud. Usually the one she wasn't currently working pressed down as if to accuse her of negligence, but she couldn't do two things at once. It wasn't like knitting while watching TV.

Like now, when she knew issues piled up while their phones remained down. She reached down and pulled up her mobile phone in case she'd missed an incoming call, but nothing showed. She sighed, standing up and stretching. Tevita frowned at her.

"You aren't going to bug the phone people again, are you?" he asked, as if accusing her of turning him in for some crime.

"No," she said. "Daniel Williams wanted to talk to me today so I'm heading up to his office."

"Good. Don't mention the phone issue to the CSO..."

She rolled his eyes at him, but he only smiled, large hands moving deftly across the keyboard. Without phone call interruptions Tevita would clear out the email queue in no time.

She took the stairs, hoping to work off the donut she'd eaten earlier that morning. It seemed no matter how resolute she thought she was to eat healthier, as soon as someone brought in free goodies her willpower vanished and she indulged. She doubted the climb from the first floor to the third made any real difference, but at least her husband wouldn't get on her case about taking the elevator when she had two perfectly working legs.

The door to Daniels office sat closed, and she peeked into the glass valance to the side. Daniel stared at his computer screen, his brows drawn low. He didn't touch the keyboard and mouse, eyes moving across his monitor as if trying to puzzle something out. He just reached for the mouse when she knocked quietly on the window.

He turned, a smile easing his expression. He waved her in, and she quickly hurried through the door."

"You wanted to see me?" she inquired.

"Yes, please sit down," he said, gesturing to one of the empty chairs across his desk. She sat while he turned back to his computer.

"Please watch," he said as he launched Internet Explorer. "I'm going to talk you through what I'm doing, and I don't want you to interrupt until I'm done. Okay?"
Jessica felt a twinge of uneasiness stiffen her spine. "Of course," she responded, trying to instill confidence in her voice. "What are you doing?"

He only smiled. "First, I've discovered what password I can use to access AMT on all our vPro enabled computers..."

She stood up. "What...?"

He held up his hand, not unkindly. "Please humor me."

She sat back down, her unease blooming. She clasped her hands in her lap so she wouldn't fidget, usually in the form of smoothing down her already crisp and wrinkle-free dress jacket. She couldn't sit completely still, and found herself tapping her toe. Fortunately the carpet, however uninviting bland, muffled the sound.

"Okay," Daniel continued. "I don't have access to Altiris though I have tried to gain it, unofficially of course."

"Of course," she said, and quickly clamped her teeth together before she asked another question.

Daniel continued, "In light of that I've done some Googling and found that AMT has a web-interface that anyone can access using a browser. I haven't figured out how yet, but I don't think it'll take me long. Let's see... how to access AMT via a browser... This first hit talks about someone who is unable to access it."

Url: (http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/30249624.aspx).

"Ah, in his post he says, "When I try to access the Web Interface (localhost:16992 or name:16992)... that means I can access my test in the same manner. Let's watch."

Jessica bit her lip to keep from saying anything, determined to keep quiet until he'd finished his demonstration. She really wanted to ask him how he acquired the password, but she supposed she should wait until he validated that claim first. Plus, he'd asked her to keep quiet, and she didn't want the CSO annoyed with her.

Daniel clicked on the address bar, deleting the current address. He then typed in MMMAMT0043:16992 in the address bar. When he hit Enter the page refreshed, showing him the initial AMT login screen. He clicked the ‘Log On' button, which provided a standard Windows security prompt. He entered in Admin as the username, and then typed in a password. Jessica's stomach dropped. She didn't see exactly what he put it, but it did look like he put in the right password.

The Intel Active Management Technology web interface appeared, giving Daniel full access to the system. Jessica reached up and rubbed at her eyes.

"Please tell me you simply asked Tevita for it," she said when he turned to her.

"No, but no need for you or Tevita to worry about that," he said with what Jessica assumed was a reassuring smile. It didn't help. "I believe I used the same methods our traitorous employee working in cahoots with Nifty Networks used to gain these powerful credentials. I'll be conducting security training for our employees soon to try and plug that method."

"So how did you do it?"

Daniel nodded. "Good question, but the better question I'm posing to you is this: how can we better secure the AMT technology? See here under Remote Control? I can remotely reboot this person's system and boot it up into an application I can use to wreak havoc. Nifty, no?"

She swallowed hard. "No, not nifty."

"Good. You see the issue. I'm tempted to not tell you how I did it. Mystery lends me an air of the supernatural, or at least my uber-geekness. Why reveal how? That's like a magician revealing his secrets. Once the how is known, it isn't so magical anymore. Okay, so I'm taking far too much pleasure out of this. I simply watched you and Tevita closely and caught you entering the password. It took several tries before I finally got it right."

The beginning of a migraine colored Jessica's vision. "Great. I thought we had that password locked down..."

"As I said before, don't worry about it. Everyone is too trusting when entering passwords. I'll address that in our upcoming security meeting. What I want to discuss is how we can rectify this situation? Specifically I want to remedy the fact that anyone who does a smidgen of research will know that the administrative username for AMT is admin. We've handed any potential hacker one half of the credential equation."

Jessica nodded. "Yes, I see your point. Luckily I already know how to fix that. It's as simple as making the admin password random on each system and using Kerberos to use our Domain credentials for access."

"Good. The second point is I noticed that I can use a non-secure web address to access this. Can you get SSL enabled for all AMT communication?"

Jessica nodded again. "Yes, specifically AMT uses TLC, the successor to SSL. I believe I saw an article on how to enable that on Symantec Juice."

"Even better. Get those measures in place, and let me know when it's completed."

She nodded, shaking his hand when he offered it. She left his office and headed back down, taking the stairs despite the throbbing in her head. When she reached her cube she noted that Tevita had his headset on, his previous smile absent from his face. She gave him a grin when he glanced over, and this time he rolled his eyes. She should get onto the phones, but she wanted to get those changes implemented as soon as possible so that even Daniel couldn't crack the system... as long as Tevita and she carefully entered their passwords so others couldn't eyeball them.

She sat down and pulled up the Altiris Console. Both of her actions required a new vPro Profile to be pushed down to all the AMT systems, but that was the easy part. She started by enabling TLS on the server. Until she pushed down the new profile the AMT functions would not work. She leaned over to Tevita, and he glanced at her as she rolled closer in her chair.

"AMT will be available for a time," she said.

Tevita reached up and muted his headset. "Why?"

"I'm enabling TLS. You know, encryption. When I enable it on the server side the clients will not be able to communicate back with the server until I update the profile and they have the right certificates."

He shivered. "Is that such a good idea? Certificates are tricky... we could easily mess up the whole thing and have no AMT access..."

"Tevita, it isn't that complicated. I have all the Altiris documentation on how to do it. Besides, there's a specific article on how to do it after the installation, here: http://juice.altiris.com/article/2737/how-enable-tls-within-out-band-management-after-install. Piece of cake."

"If you say so..."

"Trust me. If we had a hierarchal structure of certificate authorities, it might get a bit dodgy, but I'm just setting up the one root."

"Yeah, and the flux capacitor needs just such and such gigawatts of power..."

"Just read up on it! It's not that hard."

Tevita spoke for a moment into his headset, and took it off. "I don't know anyone who understands it all that well."

She planted her hands on her hips. "It's really simple. We give the root CA, aka the King, the credentials that are acceptable. Secondly, the Altiris server gets the credentials so it can work with the CA and the clients. We then load the matching credentials on the clients via the Provisioning Profile. Now everyone has the credentials."
He smiled. "What about client-side and server-side certificates?"

"Again, simple. Communication is unidirectional for a given parent/child certificate set. With basic TLS in vPro, all the clients have server certificates. The Altiris Server uses a client certificate to authenticate with the client so that the client machine will accept the AMT commands sent it."

"Alright. That sounds simple enough, but what about the CA? What's that for?"

Jessica looked at him, her eyes narrowing. "What's with the third degree? 'Tell me Master Qui-Gon. What are midichlorians'?"

Tevita burst out laughing. "Am I that transparent? I didn't know you liked Starwars..."

"I don't. Like that movie quote, your questions are contrived..."

"Hehe, yeah. I'm just trying to prove a point. It's not that simple..."

"But it isn't that complex, either. The CA tells the server-side component (the AMT Client) if the client connection (from the Altiris Server) is to be trusted. I know having the AMT clients act as the server seems a bit backwards, but since we want AMT functionality to be secure, it makes sense. The Altiris Server that tells AMT what to do needs to prove itself. This ensures a rogue server can't just initiate any AMT functionality without having the proper certificate. So the server provides a client certificate, which the AMT system authenticates with the CA before allowing the Altiris Server ‘in'."

"Okay, okay. That sounds simple enough. I'll be sure to avoid AMT until next week when you get TLS finally working... kidding! Take it easy, I'm just joking."

She wanted to keep the stern look on her face, but a smile cracked through. "You just watch it, Mister."

Jessica turned her attention back to the Altiris Console. She opened up a browser on her second monitor and pulled up the Juice article she'd shown Tevita. She walked through the steps, sometimes checking back on the Altiris Administrator's Guide for Out of Band Management, found at http://www.altiris.com/Support/Documentation.aspx. She finished the processes except for updating the profile since she needed to also update the Admin password settings.

She browsed in the Altiris Console under View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and clicked on Provision Profiles. She highlighted her active profile and clicked the pencil icon in the icon bar to edit it. Under the General tab, to the right of the window, she changed the Intel® AMT 2.0 password: setting from Manual to Random creation. She then clicked on the TLS tab and, using the previous directions, enabled TLS within the profile.

She sat back as she clicked OK. Now that the Altiris Server was setup properly, she needed to push the new profile out. From her place in the console she backed up into the Provisioning folder, and then expanded the Intel AMT Systems folder and highlighted the Intel AMT Systems node. All Intel AMT Systems showed within the right pane. She clicked on the top one, scrolled down, and, while holding shift, clicked on the bottom one. She right-clicked and selected the ‘reprovision' option.

With a sly smile she glanced over at Tevita. He wore his headset again, though he looked less stressed than before. She rolled over and wrote on his whiteboard "AMT back up in a few hours". For the time being they could rely on the Runtime Profile for authentication. Since Altiris knew all the random passwords for the Admin account, via Altiris they should have no problems with security. However she needed to quickly implement AD integration with Kerberos authentication just in case.

She got up to take a quick break. She stretched, looking out over the cubes. She froze in mid stretch for a moment, before quickly pulling down her arms, her eyes widening. Two men in blue jumpsuits walked nonchalantly through the building, one holding a sheaf of what looked like generic forms and the other with a nondescript box. Despite their "non"-threatening postures, something about them bothered her. At first she simply watched them, trying to figure it out.

The man in front emanated confidence like a shiny sword and shield, his smile infectious and full of perfectly white and straight teeth. His strong features seemed chiseled from brilliant marble, as if he'd been carved amid the statues of Rome. Not one of the rich brown hairs on his head stood out of place, his hazel eyes roving over the office as if memorizing all the details. He didn't act suspicious, but his very manner belied the blue-collar worker outfit he wore.

Right behind him strode the other man. He wore a beard, a hat pulled low over his eyes. She squinted, hunching down a little so she didn't rise so high above the cube walls. He carried the box, his muscles tensed. He walked jerkily, each step seeming just a little unsteady. Sweat beaded on what little she could see of his forehead.

"Tevita," she whispered. "Does that guy look familiar to you?"

He appeared beside her. "Who? Those two delivery guys?"

"Yes. The one carrying the box."

Tevita turned to stare at her. "It's the ninja!"

She shook her head, though the sudden clenching in her stomach belied the action. "No way, he's in jail, right?"

"Probably not. He didn't threaten anyone or do any actual damage, and the price of the hard drives he tried to steal doesn't equal enough to be a felony, especially since he claims he was only after the hardware..."

"But why come back here? We know who he is..."

He just shrugged. "Maybe he's turning a new leaf..."

She gestured at the other man just as they disappeared into the stairwell. "Maybe, but that other guy gives me the creeps. I wouldn't be surprised if his name happens to be Lex Luther."

Tevita nodded. "Let's follow them."

She shook her head. "No way! Let's just call security and let them deal with it."

The Tongan only shook his head slowly. "The security company might be too slow to respond. Heck, they took forever to show up when our ninja friend showed up the first time. You go tell Bobby and I'll shadow these two shifty guys."

Before she could respond he hurried away, surprisingly quiet for his bulky, muscled size. She clenched her teeth together, torn by indecision for a few precious seconds. She then turned and hurried towards the server rooms, hopping Tevita wouldn't get himself into too much trouble.

END Part 5

This concludes Part 5. This cliff-hanger will be continued in an even more unbelievable conclusion, Part 6. Now that the competitor has breached the office once again, can Might Modern Marketing's IT staff protect their infrastructure, data, and themselves from this all out attack?

Altiris and Intel vPro Use Cases - Part 4 - Auditing and Software Remediation

joelsmith — Tue, 08 Jul 2008 15:05:24 GMT

NOTE: If you have not read parts 1 through 3, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases

Security is only as tight as the weakest link in your environment. More often than not it's internally where the security holes are created, either inadvertently from carelessness or intentionally from a disgruntled or disillusioned employee. The hardware and software security can be top of the line, but if the human factor doesn't adhere to policy, it may not make any difference. This part follows the IT team for Mighty Modern Marketing as they try to track down a security hole where productivity is taken down through the very tools used to defend and manage the network.

Mighty Modern Marketing HQ - Boston, Massachusetts

Somehow the air inside the building congealed hotter than the heavy, humid swelter wallowing outside. Tevita, sweat running down the sides of his face, fanned himself with an empty binder. He stared at his screen, the image thereon frozen.

"I think one of the servers seized up," he said. Jessica Langley glanced at her Remote Desktop window. The previously blinking text icon in the script she edited no longer blinked, and as she watched the disconnected icon appeared, the remote screen graying-out. She closed it with a quick click of the white on red X.

She took a long drink of water. "If they don't fix the AC soon, I'm going home," she announced.

"They'll have it up soon. Besides, it's never been so quiet here. I only have one system running, and I think I'm approaching something like Zen. Either that or I'm about to pass out."

"Any more missing application tickets?"

Tevita groaned. "Oh yeah. Five so far today. It's like the uninstall faerie ran around randomly touching computers with her magic star-wand. I've taken care of it."

Jessica stood, feeling sodden. "Thanks. I'll check on Bobby to make sure he hasn't suffered from heat stroke."

The server room actually felt cooler despite the cacophony of running servers that reminded her of the sound and feel of a jet engine escalating towards takeoff. Somehow Bobby had created a wind tunnel with large fans, and she felt her hair whip away from her as she stepped directly in the wind's path. She shielded her eyes and walked to the developer's cube area. The pull of the moving air seemed to try and yank her off her feet by her dress-suit jacket. She folded her arms as she stepped into the relative stillness of the cube.

Bobby looked like a wilted plant. He looked up, and sighed. "What, IM down again?"

"Of course not," she responded with a smile. "You holding up in here?"

He shrugged. "I'll survive, though it reminds me of Phoenix, Arizona, except here it's like standing in front of a vat of boiling water. Phoenix is like standing in front of the open door to a blast furnace."

"The SQL Server locked again."

Bobby nodded. "I did a hard reset just a minute ago. I had to open the case and point a fan right at the CPUs. I think it'll stay up this time."

"Good."

Bobby shrugged again. He looked back at his screen, then back up at her. "You need something else?"

"Not really. You want to go to lunch with Tevita and I? The local Italian place has great AC."

"No, I'm good. My lunch cooked itself in this heat, so I ate already."

"Alright. See you later."

When she returned Tevita still sat in front of his computer, sweating profusely. He looked up as she passed by, a frown on his face.

"The facilities guy just passed by," he said as she sat down. "He says someone deliberately messed with the AC. He's fixed and says it'll be up and running any time now."

"Someone sabotaged the AC?" she inquired.

"Yep."

She sighed. "Just when I thought we were done with the underhanded antics."

Tevita nodded. "The AC guy put thick padlocks on all the control panel cases. Too bad we don't have any way to track who goes in and out of that room. A magnetic badge reader would work."

The next hour passed in receding misery as the AC kicked on and began liberating the employees in Might Modern Marketing's Headquarters from oppressive heat. Jessica checked the Altiris Notification Server Logs, ignoring the SQL errors for the times the SQL server seized up. Except for an occasional error where an event arrived for a package already deleted from the Notification Server, the logs looked clean.

"Mrs. Langley," Edgar's dry tones greeted.

Right on cue, she thought. Despite the heat things had been going too smoothly. She turned around and stood.

"Hello Edgar."

"I wanted to let you know that the budget we set aside for the mess with New Nifty Networks is on target, thanks to everyone's diligence," he said, eyes briefly moving down to the papers clasped in his hands. "We've even been able to devote some resources to Legal. It won't be long before we can put this whole ordeal behind us."

Tevita rolled over in his chair. "What, and I've done nothing?" The expression on his face and tone of his voice took away any sting of the words.

"Both of you have performed exceptionally," Edgar said, shuffling the papers in his hands. "Though it's not official, I believe you will both receive a merit increases for your performances."

"You're kidding!"

"I do not kid, Mr. Tatafu."

"So be honest, was it hard to allow that through?"

The barest hint of a smile touched the corners of Edgar's thin lips. "Yes, adding my approval felt much like pulling out stitches. Now don't you both have work to do?"

He shuffled away, his posture a little bent.

Tevita gave Jessica a thumbs up. "Ha! So some good is coming from this whole competition nightmare."

"Perhaps," she said noncommittally, having trouble suppressing a smile. "It's not over yet, not until this school-friend of Mr. Johnson's finally gives up. I'm hoping it happens soon so we can go back to normal."

"Normal?" countered Tevita. "When is IT work normal? It changes faster than the seasons."

She opened her mouth to respond when her telephone rang. The caller ID noted Johnson. She quickly picked up the handset.

"Mighty Modern Marketing, this is Jessica," she greeted as cheerily as she could.

"Jessica, this is Mr. Johnson," greeted the CEO. "Can you please come up to my office immediately? We have a sensitive matter to discuss."

"Of course. I'll be up right away."

"Please have Tevita join us as well. See you in a minute."

"Will do. Thanks. Bye."

When she looked up Tevita had his day planner in one hand, the other locking his computers.

"Ready for lunch?" he inquired.

"Change of plans," she said, rising. "Mr. Johnson wants to see us in his office immediately."

Tevita stared at her for a moment, then tossed in planner onto his chair, a wry smile twisting his mouth. "Wonderful. Somehow even though everything he says sounds enthusiastic and wonderful, we end up with a pile of work."

"Job security," she responded.

The CEO's office, remarkably, looked very much like the other offices in the entire building. She glanced through the window on the door, then knocked politely. Mr. Johnson, looking as refreshed and lively as ever, waved her in. The building continued to cool, but still hovered near eighty degrees. Though she felt sweaty and rumpled, Mr. Johnson appeared completely unaffected by the heat, his hair perfectly combed and his clothing pressed and clean. He smiled warmly as they sat down in the two chairs set before his desk.

A man sat next to him, and though she knew she should know who he was, she couldn't place his face in her memory.

"Thank you for coming up so quickly," he said, rising to shake their hands. "This is Dan Williams, Chief Security Officer."

She said hello, shaking Dan's hand. Funny how she knew the name so well from countless emails and conference calls. She felt she knew him despite only seeing him on rare occasions, all from electronic or audio correspondence. Somehow she'd never put that voice with this face.

"Jessica, Tevita," he said in way of greeting in that familiar voice. "We need to meet more often, especially with how much I depend on both of you."

"Definitely," Tevita responded as he sat down.

Jessica had trouble controlling a laugh that threatened to escape. "Mr. Williams, you don't look like I imagined."

Dan smiled, amusement dancing in his eyes. "What did you think I looked like?"

She blushed. "Well... you sound like Chuck Norris. But you're more like..."

Mr. Johnson started. "Chuck...?" He burst into laughter. Tevita's booming laughter joined in as Dan's smile grew wry. Jessica wondered if someone could faint from embarrassment, and imagined she looked as red as a tomato.

"Sorry, I like yoga, but not much of a martial arts guy," Dan said, trying not to laugh.

"Alright," Johnson said with a deep calming breath. "Without further preamble, I'll let Dan discuss the situation."

Dan nodded. "As you are well aware of our situation with our friends over at New Nifty Networks, what I'm about to show you shouldn't come as much of a surprise. We have a plant."

"A plant?" Tevita inquired. "Like a house plant?"

Jessica covertly elbowed him in the ribs as he chuckled.

Dan continued, undaunted. "Someone here is feeding information to our competitor. We're tracking this using email, etc, but the trail is long and convoluted. We think this spy, for lack of a better term, is also sabotaging our business here. While we're pretty sure he or she disabled the air conditioning, we don't have enough data to even begin to narrow down who it could be. There are other things happening that I believe you'll be able to help us with.

"You see, we believe he's somehow obtain access to your management tools. We've had increased cases where vital software has been mysteriously uninstalled from systems."

Jessica exchanged a look with Tevita. "We have had a large amount of emergency software deployment tickets," she said.

"The tickets always say the shortcut is missing," Tevita added.

"Exactly," Dan continued. "Depending on the user, this can severely hamper our productivity. Since some of the computers are locked behind office doors I'm assuming they're using management software to accomplish this. Is Altiris capable of this?"

"Yes," Jessica answered. "However you need rights to do anything."

"And that will be to our advantage. Please look through any auditing or logging done by Altiris and see if you can figure out how this individual is uninstalling applications, what credentials he or she is using. Any evidence or data you capture please forward to me."

"We will," Tevita responded.

Back at her desk, Jessica pulled up the Altiris Console. Events would allow her to see if any Software Delivery or similar jobs had been schedule to run on the affected systems. They had uninstall-programs setup for most of their managed applications. She browsed in the Altiris Console under View, Solutions, Software Delivery, Tasks, Windows, Software Delivery Tasks. The first task she choose uninstalled their accounting software, one application the spy or whatever he or she was liked to target. She did a quick scan to ensure no new tasks showed up.

She clicked on the Status tab. Once the tab loaded she used the dropdown labeled, "Display computers on which this task ran:" to set it to "All". Once the grid loaded she clicked on the top of the "Attempt Time" column to sort by date, and looked at the last week's runs. Only three showed up, and all of them had been scheduled by either her or Tevita.

"Any luck?" Tevita asked, his head rising above his cube's wall.

"Nothing yet. I guess it's possible they created a task and then deleted it after each execution."

"Yeah, but there's an ItemDeleted table that we can look at to see if that's occurred."

He walked into her cube and sat down on the spare chair. He used her secondary system to open SQL Enterprise Manager and launch a query window. He used the query:

SELECT ItemName FROM ItemDeleted

WHERE ItemName LIKE ‘%Accounting%'

AND ItemClassGuid = ‘D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'

"This class-guid here represents Software Delivery Tasks," Tevita explained as he ran the query. "Nope, nothing. Let me try one more query, this one more generic..."

SELECT * FROM ItemDeleted

WHERE ItemClassGuid = ‘D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'

ORDER BY DeletedDate

"Okay," he continued. "I don't think he used Software Delivery. I don't see any Tasks deleted recently enough to account for all the uninstalls reported."

Jessica nodded. "Hmm. If he didn't use this, then the only other two options I can think of are Deployment Server and Task Server."

Tevita smiled. "No chance with Deployment Server. I've changed the management credentials recently and blocked everyone else out. Since only you and I use it, I figured with all the security stuff going on I'd better be safe, not sorry."

She blinked. "I didn't know you'd locked... I guess DS is your baby."

"You know it. So, do you think Task Server could really be it? Wouldn't he need to know scripting?"

"Not necessarily. There's a ‘Deliver Software' task available that can run any Package-Program we have available in Software Delivery. Let me look through here... I don't see any Jobs or Task Server tasks that reference the uninstall program. The ItemDeleted would have deletions if he'd done that. But you used the standard Software Delivery Tasks, right? Can you do one for Task Server Tasks?"

Tevita scratched his chin. "I think so. In fact we don't delete things that often. Let's try this..."

SELECT * FROM ItemDeleted

ORDER BY DeletedDate

"Okay. A few deletions, but they all look straight-forward. Computers purged, a couple of Software Portal Requests... but nothing that looks like a Task Server task. Wait... what's this? Bobby deleted a task named WOfW? This was last week. If I didn't know better, I'd say he's been playing with Software Delivery and Worlds Of Warcraft."

Jessica grinned. "You think he wants to roll it out company-wide? I can see it now. ‘Productivity hits an all-time low, though the average level of Mighty Modern Marketing exceeds fifty'!"

Tevita laughed, pointing at her. "I didn't know you knew enough about gaming to make a joke like that!"

"Right. Like you don't bring it up every week. It was bound to rub off on me at least a little."

"This looks clean. That doesn't make sense. Perhaps Dan's wrong, and whoever's responsible for this isn't using Altiris."

Jessica shook her head. "He's right, I don't think this could be done at this rate any other way. Either they're using a different method, or they have intimate knowledge of Altiris."

Tevita leaned back, looking up at the ceiling. Jessica placed a fingertip on her lips, thinking furiously. If Software Delivery and Task Server wasn't used, and the evidence suggested such, what other method could you use to remove software? They planned on using PC Anywhere for remote control, but it wasn't up and running yet in the Altiris environment. Tevita used the simple Remote Control feature in Deployment Server, and she still used Carbon Copy. She'd disabled access to it in Altiris and used the stand-alone product that only existed on her system for security reasons. Could they have a rogue copy of Carbon Copy installed...?

"What about vPro?" Tevita inquired abruptly, interrupting her thoughts.

"Serial-Over-LAN doesn't work in Windows currently," she responded. "No other remote application abilities... it's really considered an out of band management interface."

"Yeah, but if you built a remote tool into an ISO, using IDER, couldn't you use that?"

"In theory, yes... In fact if you ran an IDE redirect with something like that you could do whatever you wanted to the system."

"Exactly."

Jessica smiled. "And we have an actual activity log."

In the Altiris Console she browed in View, Solutions, Real-Time Console Infrastructure, Tools, and clicked on "Activity Log". She scanned down the entries.

"Well, well," Tevita said, leaning forward. "Our friend has been busy."

The icon showing a redirection session appears like two plugs plugged together. The other pertinent columns appeared as "client": showing what computer by IP Address is being accessed, "user": what credentials were used to execute the action, Host: as in the hostname of the destination computer, Description: showing the path to the ISO, and lastly Technology showing what method was used. Multiple RTSM sessions showed a redirection to an ISO labeled: RemoteControl.iso. The path led to a UNC share.

Jessica pulled up the contents. "Jackpot."

Tevita shook his head. "Too easy. If they know how to create ISOs of that nature and use RTSM to deploy them, did they actually think there wouldn't be some sort of logging?"

"I don't know. RTSM is unique in that it isn't dependent on an agent at all, so there is no logging client-side. Still... perhaps whoever's doing this didn't create the ISOs and is just in charge of running it. And we aren't done yet. Note that the User is all listed as admin. This means he or she is using the AMT credentials available on all systems."

"Oh. Can't exactly blame the invisible AMT admin..."

"No, but we can change the password easily. Before I do that, I'll send Dan the information on the share. That share should have some sort of user footprint his team can get to."

She quickly sent the email with all the information. She explained that she would change the admin password so that this rogue user could no longer use this method. After sending it she browsed in the Altiris Console to View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and selected Provision Profiles. She double-clicked on the profile they used for all systems. Under the Administrator Credentials section to the right, she changed the password under the Manual radial option. She clicked OK to save the changes.

Next she browsed back up to Provisioning, and into Intel AMT Systems, selecting the node Intel AMT Systems. When the frame loaded, she clicked on the icon on the icon bar that looked like a system with refresh green arrows surrounding it, labeled: Re-provision. She hadn't selected any systems so she selected the only live option, "All systems". She clicked OK to execute.

"That should do it," she said aloud.

"A re-provision?" Tevita asked.

"It's a simple way to send down the changes in a profile to the systems. It'll take some time to cycle through all the systems, but soon all systems will have the new AMT admin password set."

Tevita leaned back. "So we're done?"

"For now, unless you have any ideas for further tracking this guy...?"

The rest of the day proceeded smoothly, with only one more reinstall helpdesk ticket coming in. By the next day no new tickets had developed, and things had settled down to normal. Dan said he had enough to identify the perpetrator, but said no more on the subject.

He did say one thing very firmly. "All the security we can muster is worthless if those with the right privileges are not careful with their credentials."

Further, he requested they review their procedures concerning the AMT admin password. Was it written down anywhere? Did they ever say it out-loud? Though neither knew how the password got originally stolen, the increased care with which they handled passwords became a driving program within the company. Security was everyone's job.

At the end of the week, as Jessica headed away from Boston on the Redline Commuter Train, she hoped they'd seen the end of the targeted attacks, but in her mind she already looked through her current policies and processes to see where she could increase security.

End Part IV

Altiris provided not only an audit trail to track potential rogue usage of RTSM, but it also provided a very quick and efficient way to change security within AMT when somehow the credentials are compromised. Is this the end of the threats against Mighty Modern Marketing? Only time will tell.

Troubleshooting the Altiris Manageability Toolkit for vPro Technology - Part 6 - Real-Time System Manager

joelsmith — Wed, 07 May 2008 18:18:23 GMT

Formerly known as Web Admin for Windows, Real-Time System Manager provides a powerful set of functions for IT specialists. In part 5 of this article series we covered the main points for Real-Time Console Infrastructure troubleshooting. As a natural extension of RTCI, Real-Time System Manager troubleshooting is covered in this article as part 6. With an emphasis on credentials and connection methods, this article provides information to overcome the most common issues seen when using the Real-Time tab for direct, one-to-one computer interaction.

Introduction

Real-Time System Manager provides a powerful tool for directly connecting to a system agentlessly with functionality available through WMI and Intel AMT. This article covers the issues associated with general functions seen with both technologies but with emphasis on the AMT functions. The following sections cover areas of troubleshooting:

Connection Issues
Authentication Issues
IDE Redirect (IDER)
Network Filtering

Connection Issues

Under the current architecture the FQDN is the primary method for connecting and authenticating to AMT on remote systems. If the FQDN the Real-Time tab is using does not resolve in DNS, then AMT connectivity and thus functionality will not be available. FQDN connectivity issues are the number one issues we see with RTSM connections to AMT.

Invalid FQDN

To view what FQDN the Real-Time is using, use the ‘Hardware Management' node in the RTSM tree. The following screenshot shows what AMT is using:

In this example my system is in a workgroup and reported only the hostname as the FQDN, which DNS had no trouble resolving. If this fqdn is not reachable via DNS, we won't be able to connect to the AMT functionality.

NOTE: We use several methods, including IP address, for WMI. WMI functionality may show correctly when AMT is absent in this situation

Use these steps to see the FQDN is the issue:

Open the Real-Time tab for the AMT system you are managing.
Once the tree loads, open the Real-Time System manager folder, open Administrative Tasks, and click on ‘Hardware Management'.
Once the page loads, if AMT is missing as an available technology, take note of the name displayed as in the screenshot above.
Go to Start, Run, type in cmd, and click OK.
Type in nslookup <name displayed>. In the above example it would read:
1. Nslookup dellvpro
Can DNS resolve this address? If no, we'll need to fix the issue in one of the following ways.
FIX DNS and/or the Altiris record: If DNS can be fixed, this is the preferred method. The difficulty is finding out why the Altiris Agent reported the incorrect record. Once DNS is fixed, have the Altiris Agent run Basic Inventory. The table location we pull this out of for management in RTSM is Inv_AeX_AC_Location, column: Fully Qualified Domain Name.
Use the ‘Manage' node available in RTSM (see the below screenshot): By putting in the IP address of the system, we'll use the IP to lookup the FQDN and not make any assumptions.
Update the Servers HOSTS or LMHOSTS files to contain the mapping to the invalid name. For example find the LMHOSTS file, edit it and add a line <IP ADDRESS> <FQDN>, as in this example:
1. 10.10.10.1 Dellvpro

Real-Time unable to connect

If WMI and AMT functions are unavailable, you'll get a message when you click on the Real-Time tab indicating that the functionality isn't available. See the following screenshot:

Note: If you use another product such as Dell or HP's plug-ins to this tab, you'll simply not have the ‘Real-Time System Manager' node underneath Real-Time Consoles.

The number one reason this occurs is due to a firewall being engaged. Firewalls need to allow AMT traffic through. If a firewall is enabled, use the following details to resolve the AMT issue:

Create an inclusion in the firewall properties.
Allow the following ports, based off your environment:
1. 16992 - For non-TLS encrypted traffic - if you are not using TLS this is the port that will be used for communication
2. 16993 - For TLS-enabled, encrypted AMT traffic - If https is required for communication with AMT, this port will be used
3. 16994 - For a note, AMT provisioning uses this port for sending out the ‘hello' packet during the configuration process - this will be used if you initiate a reprovision from RTSM
Another options is to disable the firewall when you need to manage the system via RTSM.
Unfortunately WMI has a known issue with the Windows firewall where the dynamic ports WMI uses after initiation will be blocked. It's a bug in WMI that has been addressed in Vista. Previous Operating Systems do not have a resolution at this time.

The other issue we've seen is where the system is simply unavailable for one reason or another. AMT is available if the system is off but still connected to the network, but WMI or if the system is unplugged from power or off the network RTSM obviously cannot function. Verify that the system is available if nothing resolves this issue.

Authentication Issues

Another common issue concerns authentication to the system via the Real-Time tab. First, let me discuss the methods RTSM uses to authenticate to a target system.

Authentication Methods

Runtime Profile - The Runtime profile contains he following information:

All known good credentials used to connect via RTSM to a system
The Intel SCS AMT password sent to systems when provisioning occurs
Previously successfully used credentials from past RTSM sessions

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

WMI digest or Domain account
AMT digest or Kerberos-authenticated user
ASF digest or Domain account
SNMP community strings

Manually entered credentials - When RTSM tries to connect, if the default profile set in the RTCI configuration fails to authenticate, the left-hand tree will still load but each node will prompt the user for credentials. A user can put in an AMT account, Domain user, or digest user that has rights on the target system. When authentication succeeds, these credentials are then stored in the Runtime Profile for the target system.

Troubleshooting Authentication

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with RTSM.

In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles.
Where does the green checkmark fall? This is the default profile that will be used when connecting via the Real-Time tab.
Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
Supply the admin user credentials set when the managed vPro systems were provisioned.
Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
Give the profile a name and then save it.
Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile.
Test to see if this new profile is successful. Note that you'll need to launch IE fresh to use the new settings.
If it is not, try entering credentials in manually when you hit the system under the Real-Time tab. See the screenshot below for the connection icon to switch between WMI and AMT authentication. If two show in this area, both technologies are available but not authenticated.
In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed.
Check the collection you are launching Resource Explorer from. Sometimes the identity of the system is incorrect. For AMT you can launch RTSM from the Provisioned collections populated with the Resource Synchronization.

IDE Redirect (IDER)

IDE Redirect allows a system to be remotely booted to a file, drive, or virtual disc. There are a number of potential issues to be aware of when working with IDER in a vPro environment. The below items include well-known issues and their resolutions.

Redirection Invalid Parameter

When initiating an IDER (IDE Redirect) session to an external source such as an .iso file, the following error appears in the console:

Power management operation failed.
Redirection session start has failed. See logs for more details.

The Notification Server log shows the following error:

Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log
Priority: 2
Date: 3/9/2007 2:51:05 PM
Tick Count: 10617218
Host Name: <>
Process: w3wp.exe (2436)
Thread ID: 5412
Module: AltirisNativeHelper.dll
Source: RTCI.Trace
Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER

This is caused by Intel's redirection library requiring a correct floppy device to initiate an IDER session (either floppy image or real removable device). Real-Time System Manager 6.2 can work around this. If you put floppy.img file into Program Files\Altiris\RTSM\UIData folder, then the issue will not occur.

IDER or SOL Disabled

In some instances Intel vPro systems are arriving from the OEM with IDER and SOL disabled in the BIOS. When disabled, neither of these functions work from any management engine, including RTSM. Correcting this oversight is not easy, especially if the OEMs do not offer a solution by a firmware or BIOS update. Use the following method to resolve the issue:

Go to the Support site for the OEM for the systems.
Browse to the drivers and downloads section for the exact model (note that sometimes the model will differ based on possessing or not possessing vPro technology).
Check the firmware updates for a new BIOS.
Check the documentation for any new BIOS versions that include vPro to see if they've corrected this.
Contact your OEM if they have not and request a status!
The only other recourse is to develop an update yourself or manually update the settings by visiting the system.

Conclusion

This should account for the most common issues we've seen, and allow you to successfully use RTSM with AMT technology, avoiding those issues.

Altiris and Intel vPro Use Cases - Introduction

joelsmith — Fri, 11 Jan 2008 22:44:26 GMT

The big question after successfully provisioning a vPro/Symantec-Altiris environment comes in the simple form of "Now what"? The article series: Utilizing Intel® vPro AMT Technology with Task Server covers a lot of the functionality directly (LINK: http://juice.altiris.com/book-page/2201/utilizing-intel-vpro-amt-technology-with-task-server). This article series takes it a few steps further, with real-world examples and use cases for taking advantage of Intel® vPro technology through Symantec/Altiris Notification Server.

Introduction

There are two components for directly interfacing the AMT vPro technology. The first is Real-Time System Manager, the second Task Server. Both components utilize much of the same functionality, however RTSM provides a one to one interface, while Task Server allows a one to many task or job to execute against a group of vPro systems.

To understand how all the components work together, this Introduction walks through the basics of the components that will be used throughout the use cases. The list of solutions, or applications, that utilize Intel vPro technology is listed here along with a description:

Real-Time Console Infrastructure - This component is generally invisible when working directly with vPro AMT Systems. The Configuration of how to connect to systems and what credentials will be used can be found in the configuration pages for this product. It supports both the Real-Time tab and the Task Server vPro AMT tasks available.
Real-Time System Manager - The Real-Time tab functionality that directly interfaces with vPro AMT on a system per system basis provides a live tool for directly invoking vPro AMT functions as part of troubleshooting or maintaining a system directly. This is useful for troubleshooting problems with a specific system.
Out of Band Management - Out of Band Management will only lightly be covered in this article series. For the most part this solution is part of the setup and configuration of Intel vPro AMT systems so that vPro AMT functionality can be used. There are some maintenance and profile items that can be used as part of ongoing use of vPro AMT.
Task Server - Task Server is the engine used for a one to many task or job where specific vPro AMT functions, along with functions from a myriad of other Solutions, can be executed or scheduled to execute against a collection or list of systems. This is the integration framework that allows AMT to become part of a much larger Altiris functionality portfolio.

See the following diagram for a representation of how the two main functional engines work:

This series will focus on these two pieces (RTSM and Task Server) since they are the delivery mechanism for the vPro AMT functionality. Other Symantec Solutions can and will be used through the use cases.

Real-Time Console Infrastructure

Consider this the core underlining infrastructure for the Symantec use of Intel vPro AMT. All solutions that make use of this component will install it if it is not already installed. The primary products are Out of Band Management and Real-Time System Manager. Other Notification Server Partner solutions, such as HPCM and Dell Openview, will need RTCI installed in order to make use of the vPro AMT functions. The console pages available for this solution center around the configuration of the vPro AMT functions.

The configuration page for RTCI is found in the Altiris Console. In the Altiris Console 6.5, browse under View > Solutions > Real Time Console Infrastructure. Under the Configuration folder, the following nodes are available:

Configuration - Includes settings for vPro AMT Connections, such as Transport Level Security, Redirection Security, and other settings such as the connection timeout value. It also includes a page to configure where SNMP vPro AMT alerts are sent, and allows a default configuration for the System Defense filter (default is to ‘Allow all network traffic').
Edit Network Filters - This page is only available if the ENF utility has been installed (see article http://juice.altiris.com/article/2645/hold-mf-utilizing-intel-vpro-amt-technology-task-server-part-5-system-defense-tasks for more information). If you do not have this node, install it so that you can configure what is allowed through the System Defense filter.
Manage Credentials Profiles - This node is vital for setting up connection profiles when using RTSM. It includes credentials for WMI and vPro AMT. Users who do not have rights to vPro AMT will need to use a profile that has a user configured with rights. This also includes the Run-Time profiles which is used by both Task Server and RTSM to use known good credentials when functioning against specific vPro AMT systems.
Manage Views - Views are
Purge Policy - This page is used to configure how often and how much residual data RTCI purges. For large environments this will help keep the database size down to improve performance.

The Reports, Resources, and Tasks section contain the typical items for Altiris Solutions. Tasks include all the vPro tasks available through Task Server. See the subsequent Task Server section for more details.

The Tools folder is also found under the Real-Time System Manager section (it ties into the same data so the duplication is only visual). For vPro AMT, the two applicable nodes are:

Activity Log - This logs all functions executed while in a Real-Time session. This is useful to look at what operations have been run, one which computers, by whom, and utilizing what technology (WMI versus vPro AMT).
Manage - This node allows an IP address to be entered in directly for a launch of the Real-Time tab. This is especially useful for systems that are not in the Altiris database. This also allows a host-name to be entered, but keep in mind that if there is a DNS issue this may fail.

Real-Time System Manager

To simplify things, we'll simply define this product as ‘The Real-Time tab within Resource Manager'. There are Partner Solutions for HP, Dell, and others that will add items to the left-hand tree, but the Real-Time System Manager node provides all functionality including all vPro AMT functionality available. See the following screenshot for details:

NOTE: Only the vPro AMT functions are shown above as my Symantec Client Firewall is enabled! Since vPro AMT is a trusted technology my Symantec firewall does not block vPro AMT traffic.

The console is a direct connection to the machine listed under ‘Managing Resource'. As such this is a one to one implementation and is useful when troubleshooting a specific vPro AMT system. In the Use Cases where the use defines the target as one machine, often RTSM will be utilized.

Out of Band Management

Since Out of Band is primarily a Provisioning Solution, only a few of its functions will be used in the use-cases provided in this article series. The functions that apply are:

Maintenance - For security purposes, OOBM can be setup to run maintenance tasks against managed vPro AMT systems. The vPro AMT administrator password for a particular machine can be randomly changed. A re-provision, which reassigns the profile assign to it, will help keep vPro AMT systems up to date with profile settings and password information.
Profiles - In the profile setup while configuring an vPro AMT system users can be defined for having certain vPro AMT rights. This allows administrators to limit what type of worker can execute what vPro AMT functions.

Task Server

Task Server is a sequencing engine, and RTCI provides vPro AMT targeted tasks that can be employed singly or jobs that can run a large variety of tasks or actions against a target collection of machines. In the preface to this article a link provided access to a series focusing on how vPro tasks can be utilized into Task Server, with articles covering additional Altiris/Symantec Solutions for further integration. Before walking through the Use Cases, it will help a great deal to understand how we're integrating the functionality and how Task Server functions in general.

The vPro AMT tasks themselves are provided by RTCI, including the engine that connects and executes functions against a vPro capable system. Task Server handles all the rest, including integrating other Solution functionality within Jobs.

Most automated processes to be executed against one or more vPro AMT systems will fall under Task Server. Task Server Jobs can be scheduled, or executed on demand. Notification Server Collections or individually picked vPro AMT systems can be targeted per Task or Job, allowing a large number of systems to execute at a time (Note: for large environments multiple Task Servers are recommended).

Conclusion

Before any of the Use Cases can be tested, all target AMT systems must be provisioned in one of the provisioning modes: Small Business (Low security), Enterprise Mode, Enterprise Mode with TLS. Once provisioned, Symantec, via RTSM and Task Server, can then work directly with the machines via vPro AMT.

I hope to cover common scenarios in this article series that can be of use to many environments. Most of the testing will be against a limited lab environment so results may vary and additional configuration may be required, all depending on the complexity and configuration of the environment. Since the hardware and software worlds introduce many levels of complexity and configuration, additional steps may be required to create workable jobs and functions. Having said that, hopefully these provide enough information to move forward.