Intel vPro Expert Center Blog

Altiris and Intel vPro Use Cases - Part 4 - Auditing and Software Remediation

joelsmith — Tue, 08 Jul 2008 15:05:24 GMT

NOTE: If you have not read parts 1 through 3, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases

Security is only as tight as the weakest link in your environment. More often than not it's internally where the security holes are created, either inadvertently from carelessness or intentionally from a disgruntled or disillusioned employee. The hardware and software security can be top of the line, but if the human factor doesn't adhere to policy, it may not make any difference. This part follows the IT team for Mighty Modern Marketing as they try to track down a security hole where productivity is taken down through the very tools used to defend and manage the network.

Mighty Modern Marketing HQ - Boston, Massachusetts

Somehow the air inside the building congealed hotter than the heavy, humid swelter wallowing outside. Tevita, sweat running down the sides of his face, fanned himself with an empty binder. He stared at his screen, the image thereon frozen.

"I think one of the servers seized up," he said. Jessica Langley glanced at her Remote Desktop window. The previously blinking text icon in the script she edited no longer blinked, and as she watched the disconnected icon appeared, the remote screen graying-out. She closed it with a quick click of the white on red X.

She took a long drink of water. "If they don't fix the AC soon, I'm going home," she announced.

"They'll have it up soon. Besides, it's never been so quiet here. I only have one system running, and I think I'm approaching something like Zen. Either that or I'm about to pass out."

"Any more missing application tickets?"

Tevita groaned. "Oh yeah. Five so far today. It's like the uninstall faerie ran around randomly touching computers with her magic star-wand. I've taken care of it."

Jessica stood, feeling sodden. "Thanks. I'll check on Bobby to make sure he hasn't suffered from heat stroke."

The server room actually felt cooler despite the cacophony of running servers that reminded her of the sound and feel of a jet engine escalating towards takeoff. Somehow Bobby had created a wind tunnel with large fans, and she felt her hair whip away from her as she stepped directly in the wind's path. She shielded her eyes and walked to the developer's cube area. The pull of the moving air seemed to try and yank her off her feet by her dress-suit jacket. She folded her arms as she stepped into the relative stillness of the cube.

Bobby looked like a wilted plant. He looked up, and sighed. "What, IM down again?"

"Of course not," she responded with a smile. "You holding up in here?"

He shrugged. "I'll survive, though it reminds me of Phoenix, Arizona, except here it's like standing in front of a vat of boiling water. Phoenix is like standing in front of the open door to a blast furnace."

"The SQL Server locked again."

Bobby nodded. "I did a hard reset just a minute ago. I had to open the case and point a fan right at the CPUs. I think it'll stay up this time."

"Good."

Bobby shrugged again. He looked back at his screen, then back up at her. "You need something else?"

"Not really. You want to go to lunch with Tevita and I? The local Italian place has great AC."

"No, I'm good. My lunch cooked itself in this heat, so I ate already."

"Alright. See you later."

When she returned Tevita still sat in front of his computer, sweating profusely. He looked up as she passed by, a frown on his face.

"The facilities guy just passed by," he said as she sat down. "He says someone deliberately messed with the AC. He's fixed and says it'll be up and running any time now."

"Someone sabotaged the AC?" she inquired.

"Yep."

She sighed. "Just when I thought we were done with the underhanded antics."

Tevita nodded. "The AC guy put thick padlocks on all the control panel cases. Too bad we don't have any way to track who goes in and out of that room. A magnetic badge reader would work."

The next hour passed in receding misery as the AC kicked on and began liberating the employees in Might Modern Marketing's Headquarters from oppressive heat. Jessica checked the Altiris Notification Server Logs, ignoring the SQL errors for the times the SQL server seized up. Except for an occasional error where an event arrived for a package already deleted from the Notification Server, the logs looked clean.

"Mrs. Langley," Edgar's dry tones greeted.

Right on cue, she thought. Despite the heat things had been going too smoothly. She turned around and stood.

"Hello Edgar."

"I wanted to let you know that the budget we set aside for the mess with New Nifty Networks is on target, thanks to everyone's diligence," he said, eyes briefly moving down to the papers clasped in his hands. "We've even been able to devote some resources to Legal. It won't be long before we can put this whole ordeal behind us."

Tevita rolled over in his chair. "What, and I've done nothing?" The expression on his face and tone of his voice took away any sting of the words.

"Both of you have performed exceptionally," Edgar said, shuffling the papers in his hands. "Though it's not official, I believe you will both receive a merit increases for your performances."

"You're kidding!"

"I do not kid, Mr. Tatafu."

"So be honest, was it hard to allow that through?"

The barest hint of a smile touched the corners of Edgar's thin lips. "Yes, adding my approval felt much like pulling out stitches. Now don't you both have work to do?"

He shuffled away, his posture a little bent.

Tevita gave Jessica a thumbs up. "Ha! So some good is coming from this whole competition nightmare."

"Perhaps," she said noncommittally, having trouble suppressing a smile. "It's not over yet, not until this school-friend of Mr. Johnson's finally gives up. I'm hoping it happens soon so we can go back to normal."

"Normal?" countered Tevita. "When is IT work normal? It changes faster than the seasons."

She opened her mouth to respond when her telephone rang. The caller ID noted Johnson. She quickly picked up the handset.

"Mighty Modern Marketing, this is Jessica," she greeted as cheerily as she could.

"Jessica, this is Mr. Johnson," greeted the CEO. "Can you please come up to my office immediately? We have a sensitive matter to discuss."

"Of course. I'll be up right away."

"Please have Tevita join us as well. See you in a minute."

"Will do. Thanks. Bye."

When she looked up Tevita had his day planner in one hand, the other locking his computers.

"Ready for lunch?" he inquired.

"Change of plans," she said, rising. "Mr. Johnson wants to see us in his office immediately."

Tevita stared at her for a moment, then tossed in planner onto his chair, a wry smile twisting his mouth. "Wonderful. Somehow even though everything he says sounds enthusiastic and wonderful, we end up with a pile of work."

"Job security," she responded.

The CEO's office, remarkably, looked very much like the other offices in the entire building. She glanced through the window on the door, then knocked politely. Mr. Johnson, looking as refreshed and lively as ever, waved her in. The building continued to cool, but still hovered near eighty degrees. Though she felt sweaty and rumpled, Mr. Johnson appeared completely unaffected by the heat, his hair perfectly combed and his clothing pressed and clean. He smiled warmly as they sat down in the two chairs set before his desk.

A man sat next to him, and though she knew she should know who he was, she couldn't place his face in her memory.

"Thank you for coming up so quickly," he said, rising to shake their hands. "This is Dan Williams, Chief Security Officer."

She said hello, shaking Dan's hand. Funny how she knew the name so well from countless emails and conference calls. She felt she knew him despite only seeing him on rare occasions, all from electronic or audio correspondence. Somehow she'd never put that voice with this face.

"Jessica, Tevita," he said in way of greeting in that familiar voice. "We need to meet more often, especially with how much I depend on both of you."

"Definitely," Tevita responded as he sat down.

Jessica had trouble controlling a laugh that threatened to escape. "Mr. Williams, you don't look like I imagined."

Dan smiled, amusement dancing in his eyes. "What did you think I looked like?"

She blushed. "Well... you sound like Chuck Norris. But you're more like..."

Mr. Johnson started. "Chuck...?" He burst into laughter. Tevita's booming laughter joined in as Dan's smile grew wry. Jessica wondered if someone could faint from embarrassment, and imagined she looked as red as a tomato.

"Sorry, I like yoga, but not much of a martial arts guy," Dan said, trying not to laugh.

"Alright," Johnson said with a deep calming breath. "Without further preamble, I'll let Dan discuss the situation."

Dan nodded. "As you are well aware of our situation with our friends over at New Nifty Networks, what I'm about to show you shouldn't come as much of a surprise. We have a plant."

"A plant?" Tevita inquired. "Like a house plant?"

Jessica covertly elbowed him in the ribs as he chuckled.

Dan continued, undaunted. "Someone here is feeding information to our competitor. We're tracking this using email, etc, but the trail is long and convoluted. We think this spy, for lack of a better term, is also sabotaging our business here. While we're pretty sure he or she disabled the air conditioning, we don't have enough data to even begin to narrow down who it could be. There are other things happening that I believe you'll be able to help us with.

"You see, we believe he's somehow obtain access to your management tools. We've had increased cases where vital software has been mysteriously uninstalled from systems."

Jessica exchanged a look with Tevita. "We have had a large amount of emergency software deployment tickets," she said.

"The tickets always say the shortcut is missing," Tevita added.

"Exactly," Dan continued. "Depending on the user, this can severely hamper our productivity. Since some of the computers are locked behind office doors I'm assuming they're using management software to accomplish this. Is Altiris capable of this?"

"Yes," Jessica answered. "However you need rights to do anything."

"And that will be to our advantage. Please look through any auditing or logging done by Altiris and see if you can figure out how this individual is uninstalling applications, what credentials he or she is using. Any evidence or data you capture please forward to me."

"We will," Tevita responded.

Back at her desk, Jessica pulled up the Altiris Console. Events would allow her to see if any Software Delivery or similar jobs had been schedule to run on the affected systems. They had uninstall-programs setup for most of their managed applications. She browsed in the Altiris Console under View, Solutions, Software Delivery, Tasks, Windows, Software Delivery Tasks. The first task she choose uninstalled their accounting software, one application the spy or whatever he or she was liked to target. She did a quick scan to ensure no new tasks showed up.

She clicked on the Status tab. Once the tab loaded she used the dropdown labeled, "Display computers on which this task ran:" to set it to "All". Once the grid loaded she clicked on the top of the "Attempt Time" column to sort by date, and looked at the last week's runs. Only three showed up, and all of them had been scheduled by either her or Tevita.

"Any luck?" Tevita asked, his head rising above his cube's wall.

"Nothing yet. I guess it's possible they created a task and then deleted it after each execution."

"Yeah, but there's an ItemDeleted table that we can look at to see if that's occurred."

He walked into her cube and sat down on the spare chair. He used her secondary system to open SQL Enterprise Manager and launch a query window. He used the query:

SELECT ItemName FROM ItemDeleted

WHERE ItemName LIKE ‘%Accounting%'

AND ItemClassGuid = ‘D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'

"This class-guid here represents Software Delivery Tasks," Tevita explained as he ran the query. "Nope, nothing. Let me try one more query, this one more generic..."

SELECT * FROM ItemDeleted

WHERE ItemClassGuid = ‘D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'

ORDER BY DeletedDate

"Okay," he continued. "I don't think he used Software Delivery. I don't see any Tasks deleted recently enough to account for all the uninstalls reported."

Jessica nodded. "Hmm. If he didn't use this, then the only other two options I can think of are Deployment Server and Task Server."

Tevita smiled. "No chance with Deployment Server. I've changed the management credentials recently and blocked everyone else out. Since only you and I use it, I figured with all the security stuff going on I'd better be safe, not sorry."

She blinked. "I didn't know you'd locked... I guess DS is your baby."

"You know it. So, do you think Task Server could really be it? Wouldn't he need to know scripting?"

"Not necessarily. There's a ‘Deliver Software' task available that can run any Package-Program we have available in Software Delivery. Let me look through here... I don't see any Jobs or Task Server tasks that reference the uninstall program. The ItemDeleted would have deletions if he'd done that. But you used the standard Software Delivery Tasks, right? Can you do one for Task Server Tasks?"

Tevita scratched his chin. "I think so. In fact we don't delete things that often. Let's try this..."

SELECT * FROM ItemDeleted

ORDER BY DeletedDate

"Okay. A few deletions, but they all look straight-forward. Computers purged, a couple of Software Portal Requests... but nothing that looks like a Task Server task. Wait... what's this? Bobby deleted a task named WOfW? This was last week. If I didn't know better, I'd say he's been playing with Software Delivery and Worlds Of Warcraft."

Jessica grinned. "You think he wants to roll it out company-wide? I can see it now. ‘Productivity hits an all-time low, though the average level of Mighty Modern Marketing exceeds fifty'!"

Tevita laughed, pointing at her. "I didn't know you knew enough about gaming to make a joke like that!"

"Right. Like you don't bring it up every week. It was bound to rub off on me at least a little."

"This looks clean. That doesn't make sense. Perhaps Dan's wrong, and whoever's responsible for this isn't using Altiris."

Jessica shook her head. "He's right, I don't think this could be done at this rate any other way. Either they're using a different method, or they have intimate knowledge of Altiris."

Tevita leaned back, looking up at the ceiling. Jessica placed a fingertip on her lips, thinking furiously. If Software Delivery and Task Server wasn't used, and the evidence suggested such, what other method could you use to remove software? They planned on using PC Anywhere for remote control, but it wasn't up and running yet in the Altiris environment. Tevita used the simple Remote Control feature in Deployment Server, and she still used Carbon Copy. She'd disabled access to it in Altiris and used the stand-alone product that only existed on her system for security reasons. Could they have a rogue copy of Carbon Copy installed...?

"What about vPro?" Tevita inquired abruptly, interrupting her thoughts.

"Serial-Over-LAN doesn't work in Windows currently," she responded. "No other remote application abilities... it's really considered an out of band management interface."

"Yeah, but if you built a remote tool into an ISO, using IDER, couldn't you use that?"

"In theory, yes... In fact if you ran an IDE redirect with something like that you could do whatever you wanted to the system."

"Exactly."

Jessica smiled. "And we have an actual activity log."

In the Altiris Console she browed in View, Solutions, Real-Time Console Infrastructure, Tools, and clicked on "Activity Log". She scanned down the entries.

"Well, well," Tevita said, leaning forward. "Our friend has been busy."

The icon showing a redirection session appears like two plugs plugged together. The other pertinent columns appeared as "client": showing what computer by IP Address is being accessed, "user": what credentials were used to execute the action, Host: as in the hostname of the destination computer, Description: showing the path to the ISO, and lastly Technology showing what method was used. Multiple RTSM sessions showed a redirection to an ISO labeled: RemoteControl.iso. The path led to a UNC share.

Jessica pulled up the contents. "Jackpot."

Tevita shook his head. "Too easy. If they know how to create ISOs of that nature and use RTSM to deploy them, did they actually think there wouldn't be some sort of logging?"

"I don't know. RTSM is unique in that it isn't dependent on an agent at all, so there is no logging client-side. Still... perhaps whoever's doing this didn't create the ISOs and is just in charge of running it. And we aren't done yet. Note that the User is all listed as admin. This means he or she is using the AMT credentials available on all systems."

"Oh. Can't exactly blame the invisible AMT admin..."

"No, but we can change the password easily. Before I do that, I'll send Dan the information on the share. That share should have some sort of user footprint his team can get to."

She quickly sent the email with all the information. She explained that she would change the admin password so that this rogue user could no longer use this method. After sending it she browsed in the Altiris Console to View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and selected Provision Profiles. She double-clicked on the profile they used for all systems. Under the Administrator Credentials section to the right, she changed the password under the Manual radial option. She clicked OK to save the changes.

Next she browsed back up to Provisioning, and into Intel AMT Systems, selecting the node Intel AMT Systems. When the frame loaded, she clicked on the icon on the icon bar that looked like a system with refresh green arrows surrounding it, labeled: Re-provision. She hadn't selected any systems so she selected the only live option, "All systems". She clicked OK to execute.

"That should do it," she said aloud.

"A re-provision?" Tevita asked.

"It's a simple way to send down the changes in a profile to the systems. It'll take some time to cycle through all the systems, but soon all systems will have the new AMT admin password set."

Tevita leaned back. "So we're done?"

"For now, unless you have any ideas for further tracking this guy...?"

The rest of the day proceeded smoothly, with only one more reinstall helpdesk ticket coming in. By the next day no new tickets had developed, and things had settled down to normal. Dan said he had enough to identify the perpetrator, but said no more on the subject.

He did say one thing very firmly. "All the security we can muster is worthless if those with the right privileges are not careful with their credentials."

Further, he requested they review their procedures concerning the AMT admin password. Was it written down anywhere? Did they ever say it out-loud? Though neither knew how the password got originally stolen, the increased care with which they handled passwords became a driving program within the company. Security was everyone's job.

At the end of the week, as Jessica headed away from Boston on the Redline Commuter Train, she hoped they'd seen the end of the targeted attacks, but in her mind she already looked through her current policies and processes to see where she could increase security.

End Part IV

Altiris provided not only an audit trail to track potential rogue usage of RTSM, but it also provided a very quick and efficient way to change security within AMT when somehow the credentials are compromised. Is this the end of the threats against Mighty Modern Marketing? Only time will tell.

Altiris and Intel vPro Use Cases - Part 3 - Hardware

joelsmith — Wed, 02 Jul 2008 22:26:36 GMT

If you have not read parts 1 and 2, please read these before reading this part as this is a continuation of the story begun previously.

http://juice.altiris.com/book/4687/altiris-and-intel-vpro-use-cases

From the OS level vPro has tools to help quarantine and remediate compromised systems as demonstrated in part 2. This section explores the capabilities at the hardware layer, completely below the OS and any related dependencies. Can the IT staff continue to respond well to threats and avoid outages and threats to the businesses wellbeing? When the gloves come off sometimes even the most secure networks are vulnerable to threats.

Mighty Modern Marketing HQ - Boston, Massachusetts

"This is Jessica, how can I help you?"

The voice that spoke through the headset caused her to flinch, and she moved the earpiece two inches away from her ear.

"This can't be happening now!" the voice exclaimed loudly.

"What's the problem?" she responded calmly, hoping the user would match her volume.

He didn't. "The timing is the worst possible, since the end of quarter is only two days away! I need my computer up and running two hours ago!"

"Let me see... I'm speaking to Mitch Cavanaugh, correct?"

"Yes," he responded, his voice dropping a trifle. "My computer isn't booting, and I have sales to approve and record. If I don't get this up quick, we may not be able to add this revenue this quarter!"

"I understand," she said as she used the Altiris Console under the All Computers Collection to find his computer. She double-clicked on it, bring up Resource Manager.

"I see you're using an HP 7800..." she began.

"I need this problem fixed pronto," he interrupted.

"Of course," she said, clicking on the ‘Real-Time' tab. "Give me just a moment."

She smiled, feeling a warmth from the fact that she'd made sure those with the most business critical functions got the vPro systems first. The Real-time tab loaded, revealing the function tree in the left-hand pane. She noted immediately that only the AMT functions loaded, and that the system's powerstate was on.

"I can see," she said when she heard a sound of irritation on the other line, "that while there is power to your computer, the operating system is not loading."

A pause followed her comment. "Really?" Mitch responded, the edge on his voice disappearing. "You can tell me that already? Usually I have to tell you IT people everything... that's great. So do you know what's going on?"

"Give me another moment," she said in her most pleasant voice. She clicked on the Hardware Management node in the left tree. After the page loaded, she choose the reboot radial under the Remote power management section. Under Redirection options she check the box, "Display task progress and remotely control computer". Next she clicked "Run Task Now". When the page began to refresh a new window popped up, showing her the boot of the computer.

"Wait, my computer just rebooted..." Mitch said, sounding suspicious.

"Yes, I just initiated a reboot," she responded. "I'm going to watch the boot from here."

"You can do that? I thought I had to be in Windows for that to work."

When the boot verified devices on the system she noticed that no hard drive was detected. The message "No boot device" appeared.

"Okay Mitch, the computer isn't recognizing the hard drive for some reason. Give me a moment to check a few more things."

"Is that fixable?" Mitch inquired.

"I don't know yet. Give me a moment."

She rebooted again, but also added the "Enter BIOS on startup" option by checking the box. The remote window reappeared, this time entering the BIOS. She looked under the IDE channels, but no hard drive was listed.

"Okay Mitch, I've determined that your hard drive isn't being detected at all by the computer. Since you have critical work to perform, we'll immediately image and restore your data to a backup system using Deployment Server and Symantec's Backup Exec. It should take about 30 minutes. Tevita Tatafu will bring it by then. It's about lunchtime. Can you take a short break?"

"Well... it is a little early for lunch, but that should work."

"Alright Mitch. Anything else?"

"No... I just hope the backup had all my files on it."

"It should."

"Thanks."

She leaned back as she hung her headset by the phone. "Tevita?"

He swung out of his cube, a huge smile on his face. "Mr. Cavanaugh having problems?"

"Yeah," she responded.

"He's such a joy. Did you know he was the one who got impatient waiting in line at the vending machine so he ran to the nearest Dunkin Donuts, opening the door fast enough to knock Edgar flat on his back?"

"You be nice," scolded Jessica with a stern look. "He may have anxiety issues, but he's a spot on accountant."

Tevita laughed richly. "Spot on, eh? And what do you know about Accounting?"

"I got a Masters from University of Chicago's Graduate School of Business, in Accounting."

"You did?"

"Yes. Now don't make me a liar and get that machine to Mitch ‘pronto'."

Tevita laughed, but got up and headed to the equipment room. Jessica sorted through her email. She wanted to clear out her inbox but only halfway through the process Tevita returned, no longer smiling. His mouth bent down in a frown she rarely saw, and usually only when he was about to explode with anger. His eyes didn't seethe, but looked down at a computer in his hands. He sat down and rolled his chair over towards her cube.

"It really is missing the hard drive," he said, expertly using the buttons on the side to open the case. He pointed to an empty bay. "It should be in here, but... well... the IDE cable was cut, right here. Seems stupid, since they had to unscrew the drive, but..."

She stared at the empty bay. "Someone stole his hard drive?"

Tevita nodded. "It looks that way. Mitch said he only left to take a restroom break, and when he came back the system was off and wouldn't boot."

"This isn't good..." Jessica started to say.

"Guys!" Bobby said loudly, his voice piercing through the area like a gunshot. They both stood up, staring at the gangly developer loping towards them from the door to the server room.

"The sky must be falling," Tevita said, but despite the amusement in his voice his mouth only twitched once in an upward smile.

"What's wrong?" Jessica asked.

Bobby took a deep breath. "It's a ninja. I swear by my grandma's heirloom earrings that a ninja just showed up in the server room!"

"A ninja!!?" Jessica exclaimed.

Tevita looked down a the computer he held. "Bobby, that's not funny..."

Bobby threw his hands up. "You know I don't have an imagination, or much of a sense of humor. Didn't you used to call me Cardboard Boy?"

"Yeah, but I stopped after you randomly locked out my user account at the worst possible moments..."

"I'm not kidding."

Jessica, feeling like she'd just stepped off a rollercoaster, reached out and put a hand on the wall. "Bobby, you mean to tell me there's a ninja loose in the building?"

"Well.. no. He's lying unconscious in the server room."

Tevita gave her a quick look, then bee-lined towards the door to the server room. Jessica wanted to run the other way, but Bobby gave her a helpful shove on the back towards the room. She glanced behind at him, and he blushed.

"Sorry, but the more witnesses the better."

The figure sprawled out on the floor clutched a hard drive in his back-gloved hands. He didn't look like a real ninja, but a black ski mask that looked similar to a ninja wrap covered his face. A goose-egg on his forehead the size of a golf ball, halfway hidden by the mask, seemed to say loudly why he wasn't conscious. Jessica found herself staring, her mouth hanging open and her hand moving up to cover it.

"Oh my gosh," she said, her voice embarrassingly high-pitched. Her heart hammered in her chest as if she'd just jumped off a cliff

Tevita gave Bobby a searching look. "Do you know martial arts or something?" he asked.

"No. I thought I heard something while I was bringing back the two new demo laptops, so I went to check it out. When I saw him, I just reacted."

"What did you do?"

"Well... I had a MacBook Air in my left hand, and a Panasonic Toughbook in the right. The MacBook might be thin enough to decapitate a ninja, but more likely it would have bounced off his skull without slowing him down, so I threw the Toughbook."

Tevita reached out with his toe and nudged the intruder.

"We should leave and call the police," Jessica said, edging towards the door.

"He's out cold," Tevita said, reaching down to pick up the Toughbook. The screen gleamed beautifully, no sign of damage despite being used as a blunt weapon. "Too bad these aren't vPro yet," he said.

"I called the police," Bobby said. "They should be here soon."

The next half-hour moved as if in a dream. Jessica felt like she'd stepped out of the real world and into some crazy movie. Slowly the facts of the intruder came to light, and like wiping away the mist on a foggy window things didn't seem as ridiculous as they first seemed.

The man had been hired to steal a specific hard drive. He was fully cooperative with police, apologetic for getting caught and worrying everyone. He indicated he wore the mask not as an intimidation method, but to remain incognito to security cameras. The policy cuffed him and off he went, leaving everyone standing there in disbelief.

"Is that Mitch's hard drive?" she finally asked Tevita, who had retrieved the hard drive the "ninja" held.

Tevita pointed to connector of a cut IDE cable sticking out the back. "It looks like it..."

Bobby took the drive, hefting it, his small eyes squinting. "No, this is a RAID drive. He ‘raided' a server..."

Jessica stared at him as he chuckled. Tevita stared for a moment, and broke into a wide grin.

"And you say you have no sense of humor," he said with a laugh.

"My Dad told me puns don't count," Bobby responded.

"What about the data on Mitch's hard drive?" Jessica inquired. "I know he had confidential, sensitive information on it."

Bobby shrugged. "Nothing we can do about it unless we can find it. It wouldn't be the first time."

She shook her head. "Too bad vPro doesn't have disk encryption yet. I know they're working on it."

Bobby's head perked up. "vPro with disk encryption? Nice."

The receptionist motioned to Jessica, and she walked over.

"Mr. Johnson has called a meeting in the executive briefing room," she explained, a phone held between her ear and her raised shoulder. "He says it's urgent, but not to worry."

"Not to worry," she echoed, feeling a surreal sense of amusement at the statement. "Right."

She rounded up Tevita and Bobby and they headed upstairs. The executive briefing room flooded with light, with the impeccable CEO standing by the floor to ceiling window showing the bottom half of the skyline to downtown Boston. He smiled casually, his hands clasped behind his back. When they'd all entered and sat down, he turned around, his smiling increasing.

"The mighty defenders arrive," he said. "I had a call from Mitch Cavanaugh concerning your ability to quickly resolve the theft of his hard drive. I commend you on a lightning-fast response. I can tell by your expressions that you're a bit shaken."

He paused, the smile abating. "Let me assure you that we are permanently stepping up our security. I blame myself for not taking steps against blatant thievery. I guess I'd hoped my former colleague had gotten past that type of criminality."

Bobby raised his hand, and Mr. Johnson gestured at him. He cleared his throat, folding his skinny arms.

"So don't we have enough evident now to get the police involved?"

Mr. Johnson shook his head. "No, and even with the thief in hand I doubt they'll be able to link this to New Nifty Networks. For all we know this isn't related to them, though our situation and the probability point in that direction. No, we won't be making any effort to link the thief with Nifty. Your job is to continue tightening our security.

"First, let me commend you, Tevita, for your mastery of providing mirror systems to people when theft occurs. Second, I commend you, Bobby, for always delivering when issues arrive. Lastly, I commend you, Jessica, for your insistence on vPro. I know Edgar and others have given you are hard time about it, but it seems you prove it's worth daily."

"Thank you," she said.

"Our next step is to find out if any other systems have had their hard drives stolen. I'll leave this task in your capable hands. If you have any questions or concerns, please come see me in my office."

As quickly as the meeting started, it ended.

When they reached their cube area, Tevita didn't sit down at his, but followed her into hers. He stared at the Altiris Console idling on her screen, his arms folded and his expression pinched in thought. She sat down, eyeing him, as she reached for her keyboard.
"Let me guess," Tevita said, "you already have a plan?"

She let her hands fall into her lap. "Well... yeah. It shouldn't difficult to find out which systems no longer have HDDs even if the systems have been off for a while. I just..."

Her voice faded away. She stared at Tevita, trying to sort through her emotions.

"You're freaked," Tevita offered.

"No... well... yeah. I kind of am. Cyber attacks are one thing, but Bobby's ninja..."

Tevita retrieved his chair from his cube, sitting down and leaning back at the entrance of her cube. "With computers thieves usually only break into places for the hardware. Some of the servers Bobby runs cost more than a new BMW. Stealing the hard drives means they're after data. It's really no different, except we're using software to block software attacks, and we use guards, locks, and other such things for the hardware attacks. You heard Johnson. I don't think you have to worry."

She sighed. "We should get occupational hazard pay. I'll get over it, though I may bring pepper spray tomorrow."

"That'll work."

She cracked her knuckles by clasping her fingers and pushing her arms out. "Let's get into this. First off, we can't rely on Inventory Solution to know if the hard drive is there or not, since the OS obviously has to be up and running to get an updated Inventory. We might be able to use the Altiris Agent's last check-in time to note those systems that are no longer reporting, but that won't tell us if those machines are simply off or something similar."

Tevita nodded. "Fun. Without the hard drive we have no manageability capability."

"Except for the one thing that runs outside of the hard drive."

"Intel vPro."

"Exactly. All capabilities are still available even when the hard drive's been yanked."

"So we can use RTSM to remote into those systems not responding in Altiris using Serial-Over-LAN to see if the hard drive is there, like you did for Mitch."

Jessica nodded, smiling. "That would work, but I have a faster, much easier way."

Tevita rolled closer as she put her hand on the mouse and started using the Altiris Console, his eyes focused on the screen. "I like easy," he said.

She browsed under Manage and clicked on Jobs. When the left-pane tree loaded, she browsed under Tasks and Jobs, Server Tasks, Real-Time Console Infrastructure, and clicked on ‘Get Intel® AMT Inventory'. She clicked the Run Now button.

On the resulting window that popped up she gave the Run name: Ninja stolen hard drive, and clicked on the ‘Select computers' link. Within the ‘Select Computers' dialog in the left-most pane, she browsed in the tree from Collections, Out of Band Management, Provisioning, and double-clicked on ‘Provisioned Intel® AMT Computers. The middle pane showed a list of all vPro capable systems in the environment, and the right-most pane showed the Provisioned collection she'd selected. She clicked OK. She then clicked the Run Now button.

"That's it," she said, leaning back. "In the next minute or two we should have inventory from all vPro capable systems."

The Tongan shook his head. "You're going to outsmart us all out of a job," he said.

She raised an eyebrow at him. "Are you kidding? We might, just might, get to all the stuff on our plates we normally leave forever on the backburner."

She browsed in the Altiris Console under View, Reports, Incident Management, Real-Time Console Infrastructure, and selected Intel® AMT Hardware Inventory. When the report home page loaded, she clicked the Run this report link. For the parameters she left ‘System' to ~~Any~~, and changed ‘Hardware Type' to ‘Media'. She clicked the ‘Refresh' button to load the report.

"Okay, this shows us all systems that have a hard drive reported with AMT Inventory. We could manually compare the list, but why not create a new report that shows us systems that do not have anything in the Media table?"

She right-clicked on the ‘Real-Time Console Infrastructure' folder and choose New, Report. She gave it the name: Intel vPro Computers Without a Hard Drive. She choose ‘Enter SQL Directly' and then rolled back from her desk.

"Alright SQL guru, I'll give you what I need and you can figure out the query."

He scooted around her, reaching for the keyboard. "Alright. Shoot."

"Okay, we need to have a list of all computers that either do not have an entry within the table Inv_AMT_Media_Device. That's it."

"That's it? That's easy enough..."

Tevita entered in the SQL, and saved the report. When they ran it, only two systems showed up.

Jessica looked at the names of the computers. "These are both from accounting, but Joe is in New York doing his accounting work on his laptop, and this other... he's here, but hasn't reported anything yet.

Tevita stood, dragging his chair back to his cube. "I'll take care of these two. Why don't you go home?"

"And leave you here..."

He laughed. "I'll be fine. It's almost five, and you probably want to take a nice relaxing evening trying not to think about thieves and ninjas."

"Thanks for that," she commented dryly, but with no conviction. "Only if you're sure..."

"I'm sure. I'll see you tomorrow."

"Thanks. Have a good evening."

End Part III

Recognizing the need for better physical security, and using vPro to minimize the effects of theft, the IT team continue to rise to meet the challenges facing them.

Altiris and Intel vPro Use Cases - Part 2 - Antivirus

joelsmith — Thu, 19 Jun 2008 20:59:44 GMT

If you have not read Part 1 in this article series, please refer to it as this is a continuation of the story begun there:

http://juice.altiris.com/article/4367/altiris-and-intel-vpro-use-cases-part-1-the-setup

Antivirus is a must for any IT infrastructure. Without it productivity is quickly reduced as viruses run rampant in the environment. Keeping Antivirus installed and up to date is vital to ensure continuity of business services. In Part 2 the IT team for Mighty Modern Marketing is put up to the challenge of protecting their network from viral attacks. Using Symantec End Point Protection, Altiris and the Intel vPro technology, they work to ensure that the viral attack and subsequent virus attempts fall ineffective.

Mighty Modern Marketing HQ - Boston, Massachusetts

The commuter rail stretched out across the Charles River, but Jessica Langley didn't notice. Her eyes remained fixed upon the screen of her smartphone, scrolling through the emails that continued to pour in. The subject lines all contained the same word. Her shoulders hunched, feeling like a tremendous weight settled on them. She closed her eyes briefly, rubbing at them with her left hand, the PDA held forlornly in the right.

When she opened her eyes the word jumped up at her.

Virus.

This wasn't the first time this had happened at Mighty Modern Marketing. Viruses routinely showed up as email links or attachments, and it didn't matter how often she or Tevita sent out stern emails reminding people to leave email attachments and links alone unless they were expecting them. People continued to click that link to see the latest movie trailer, or to run the fun and exciting application their aunt or long-lost friend mysteriously sent them from out of the blue.

This time was worse. She'd painted a large red X on her by pushing the Intel vPro technology, and now it seemed everyone stared at her when anything ill befell the network.

She jumped to her feet the moment the train stopped, snatching up her purse and bolting for the nearest door. As she ran down the platform towards the exit of North Station, others gave her curious looks. She smiled briefly. Normally people ran towards the train to avoid missing it. She often saw them frantically running in high-heels or other dress shoes towards a departing train when the work day was over. Who wanted to run into work?

As she staggered into the main lobby at work, glad for the cool air that greeted her, she vowed to start exercising. She hurried through the building.

"I'm glad you're here early," Tevita said in his deep voice as she fell into her chair. "We're in trouble."

"I noticed," she said in-between deep breaths. "What's the situation?"

"I'm not sure, but somehow a virus was planted on a new system as it came online. It appears deliberate."

"But... we have Symantec End Point Protection (SEP). It should keep everything out..."

Tevita smiled, though his eyes shifted to his own monitor, his shoulders shrugging uncomfortably. "Yes... about that. You see, the base image hasn't been updated yet to include that..."

Jessica stared at him.

He waved a hand at her. "I know, no need to look at me like that. That's what I've been doing; recreating the image so it's there from the get-go."

She tried not to groan. "So how widespread is it?"

He laughed, though no humor made it into his tones. "All over the place. They used a vulnerability in one of Bobby's applets to spread it. Of course the first thing it did was disable the antivirus. If SEP had been installed it has protection against... Anyway, those systems without SEP are all hit."

Tevita's eyes glanced up, and widened. Jessica whirled to see Bobby walking up, his hands shoved in his jean pockets. He stared at the floor, his mouth moving as if he counted his steps.

"Bobby?" she inquired.

He looked up, looking like a boy lost out in the desert.

"It got through my firewall!" he exclaimed, extracting his hands so he could ball his fingers into fists. "It shouldn't have been able to do that. I can't even use IM."

Tevita gestured to an empty chair. "Have a seat."

Bobby slumped into the chair. "Whoever sent us this thing knew what they were doing," he said with a scowl. "The cursed thing used UNC to move about the network. Only someone with intimate knowledge of our network could do that. It has to be New Nifty Networks!"

"Do you really think...?" Tevita began.

"Bobby," Jessica said quickly. "Have you fixed the vulnerability?"

"How can I?" he lamented. "It jumped from computer to computer, and with mine infected I quickly turned it off. I need your to help me get that virus off so I can patch the applet."

Tevita smiled. "You actually walked over here."

Bobby looked up, his frown deepening. "Yeah? So?"

"It's unprecedented... You usually stay in your cave, even during power outages. Does it make you nervous to enter the world of real people?"

A flush bloomed on Bobby's sunken cheeks. "Not everyone's as social as you."

"You should stop by more often so..."

"So you can ridicule me?" he retorted.

"Guys," Jessica said, rolling her eyes. "Focus here. Bobby, do you have one of the new vPro systems?"

"Yes, of course," he responded, "I always get the latest hardware from procurement."

"Hey, why don't I see any of it?" Tevita blurted.

Jessica ignored him. "Good," she responded to Bobby as she turned back to her computer. She launched the Altiris Console. "If you have one, it should already be provisioned. Let's check the All Provisioned Computers collection... is this yours?"

"No, my computer is named Superman."

Tevita laughed, and Bobby managed to turn an even more alarming shade of red. Jessica kept her expression passive despite the twitch in her lips from a potential laugh. The computer name Superman showed in the list, and she double-clicked on it. She clicked on the Real-Time tab, entered her credentials, and loaded the Hardware Management page under the Real-Time System Manager, Administrative Tasks folders.

"I have a boot ISO of Symantec's Antivirus scan," Jessica explained as the hardware management page loaded. "I'll just turn on your machine but use IDE Redirect (IDER) to load the antivirus disk. We'll wipe the virus, and turn the system off."

"That's great," Bobby said as he shrugged his bony shoulders," except the minute you bring it back up the virus will propagate again."

Jessica smiled. "Not if I invoke a Network Filter."

"What's that?" Tevita asked, as if on cue.

"Tevita, we've covered this. It's the Intel System Defense. You know, block all traffic except to certain ports and IP Addresses. If you want to read up on it I'll email you the URL. (http://69.93.2.147/article/2645/hold-mf-utilizing-intel-vpro-amt-technology-task-server-part-5-system-defense-tasks)."

"System Defense!" Bobby exclaimed. "I read up on that technology. I created a script that provides a text interface where you can specify which ports you want to allow. I call the API's provided by Intel's SDK. It's great stuff."

"RTSM and Task Server already have it configured to only use communication to them," Jessica said, trying not to smile.

"Oh." Bobby cleared his throat as he pushed himself up onto his feet. "That sounds good. Do you need me to stick around...?"

She gave him a grin. "Just for a minute while I do this."

Bobby sat back down, but leaned forward, staring at her monitor. Tevita slid over, looking on with interest. She said a quick silent prayer that it would all work like she theorized it would.

She choose the ‘Power on' radial option, and under the Redirection options checked the ‘Perform boot from' checkbox. She also checked the ‘Display task progress and remotely control computer' option. Under the device drop down she left it at CD image, and then click ‘browse' and located the Symantec ISO. She lastly clicked ‘Run Task Now'.

A new window popped up, showing the computer boot. It loaded the CD and a textual menu showed up giving her scan options. She initiated the scan.

"Looks like it's working," Tevita said.

Bobby nodded. "I had my doubts since I've been unable to ever get Wake-On-LAN to work across my router..."

"Wake-On-LAN packets don't get by any of our switches are routers," the Tongan responded. "I believe you're the one who recommended the network security scheme we use."

"I know, but Altiris did have an Altiris Agent mechanism to try and deal with it, but I couldn't get it to work in my environment. This vPro stuff sure made that easy. I didn't have to touch the router."

"That's the point," Jessica said with just a hint of exasperation in her voice. "Were both of you sleeping when I gave my presentation on vPro last month?"

Tevita smiled, tugging at his collar. "Have I ever mentioned I don't like PowerPoint?"

"Only twice daily. But I showed demos... oh who am I kidding? That's the last time I supply lunch before a presentation."

The two men exchanged glances with sheepish grins, and then focused back on the screen. She looked back to the scan. It finished quickly, showing the virus as detected and quarantined. She closed the remote window and clicked on the Network Filtering node under Administrative Tasks in the Real-Time Console. She checked the ‘Override default solution settings' checkbox and changed the radial selection to ‘Filter network traffic other than to and from the Notification Server'. She clicked Apply. When the page finished refreshing it contained the message, "Machine was successfully moved into quarantine".

"Alright Bobby. I'll use the Power Control to boot your machine up so you can Patch your applet and install SEP. You head back and get it done ASAP. Once it's patched I'm going to mass-remediate all the vPro systems doing the same actions we just did except on a mass scale with Task Server."

Bobby jumped to his feet. "Sounds good. IM me if you need anything..."

"Except IM won't make it through the Network Filter," she responded dryly.

"Ah... yes. Well... you know where I am."

"Quick question, how long will it take you?"

"Less than an hour."

As Bobby walked away Tevita smiled hugely, some of his natural humor finally flowing back into his features. "He's a real gem."

"You should cut him some slack," she scolded.

"Bobby? I'm holding back, really I am. It's just too much of a temptation. He's classic nerd. But he is a master at what he does, so I'll be sure to keep it friendly."

"I'm reassured," she said, rolling her eyes for the third time that day. She then gave him a sly smile.

"What?" he said, his smile drooping. "You have that look."

"Regardless of blame, even though you should have updated the image weeks ago to include Symantec Endpoint Protection so I blame you for this mess, I need you to create a CD out of the Antivirus boot ISO and load SEP on a flash drive so you can manually remediate those systems without vPro."

Tevita swallowed. "Hey, we've had a pretty busy workload..."

She softened her look. "I know, sorry. Anyway... when you get to each system, yank the network cable, use the ISO to clean the virus, then load SEP, and then put the cable back in. I'd even suggest making several copies so you can do a handful at a time. And here's a printout of all non-vPro systems."

Tevita took the printout and nodded. "I'm on it."

Jessica focused back on the Altiris Console after Tevita left clutching ten copies of the ISO and SEP installer. She browsed under Manage, Jobs, Tasks and Jobs, right-clicked on Jobs, and choose ‘New Folder'. She right-clicked on the new folder and choose ‘New > Task/Job'. In the resulting window she choose ‘Server Job' under the ‘Jobs' folder. The first element popped up a message from a VB script stating that an emergency procedure would fire in 60 seconds, and instructing the user to save all data. Her second task was a ‘Boot Redirection Task' that booted up a modified ISO that automatically ran the scan and took any appropriate actions against detected threats. The third task invoked the Network Filter, allowing only NS and Task Server communication capability with the system. For the fourth Task she located the SEP install Tevita had made with Altiris Software Delivery Solution and put it into a Task Server Deliver Software Task. Finally she created the fifth and sixth tasks that removed the filter and invoked a reboot to finish the process.

She saved the job and selected her own system to test it.

"Mrs. Langley," a familiar voice prompted. Normally she caught movement in the mirror mounted on her flat panel monitor when someone walked up to her, but she'd been so focused that this time she started almost violently in surprise, whirling around in her chair.

Edgar Watts stood behind her, his hands conspicuously empty of printouts. Her first impulse was to point to her screen and tell him she had a plan with vPro to take care of the virus in a timely manner.

She rose to her feet, trying to place a polite and not strained smile on her face. "Hello Mr. Watts."

"Since my computer is down, I've been using my laptop to research the impact of viruses to corporations, specifically impacts to finances."

He frowned, briefly rubbing a forefinger along his jaw. He didn't immediately continue, his vexed expression seeming to say he was seeing those numbers again and loathing what he saw.

"We're working on it," she said, trying not to sound defensive.

"I know," he responded. "I'm astounded at the amount of this company's hard-heard cash flow flowing down the drain."

"We'll have your and all vPro enabled systems up within the hour," she said, forcing that smile to remain on her face."

"One hour?" he responded, looking down at his watch as his brow drew low over his eyes, almost like a thundercloud.

She braced for some kind of outburst, feeling sour in the pit of her stomach. It seemed like her stomach wanted to remain clenched, and she couldn't relax the muscles in her shoulders. What more could she do? She often woke in the middle of the night, her sleep-clouded mind immediately whirling through all the issues she needed to address immediately. She needed to prove vPro, identify and eliminate any threat from their nefarious competitor, keep Edgar's expense-cutting knives away from her department, and still find enough time to enjoy time with her husband. Lying awake at night, trying to will herself to sleep, got old fast. Two days ago her husband had recommended quitting.

That seemed wrong. She'd never given up on anything in the past, and she didn't want to give up on this now, especially when all of Mighty Modern Marketing needed her at this critical time.

When Edgar looked back up from his watch he smiled, a rare sight that stilled her thoughts, her breath catching in her throat.

"All vPro capable systems, you say?" he asked.

"Yes sir," she responded after a moment of stunned silence.

"I came down to wish you luck, but perhaps you don't need that luck after all. Good day, Jessica."

He turned around and walked away, and she stood and stared at him. She almost chuckled, but she still felt too emotionally invested and she just might break down and tear up. She slowly sat back down, staring at the Altiris Console. With renewed vigor she tested her job, made a few tweaks to the command-line of the rollout job, and then brought up a Run Now window, selecting All Provisioned Systems. Her mouse hovered over the Run Now button.

"Come on Bobby," she whispered. The few minutes before the IM popped up declaring "Applet is patched" seemed like an eternity.

She clicked the Run Now button.

She got up and took a quick water break, grabbing a drink and throwing it down as if a shot in a drinking contest. She didn't want to return to her desk. What if it failed on most systems, especially the executive team's? What if she hadn't accounted for different hardware platforms in her job? What if?

She squared her shoulders, throwing off the ‘what if' game. She walked resolutely back to her desk and sat down, refreshing the job.

Ninety percent success rate brought a smile to her lips.

For the next few hours she used RTSM to connect to and patch those systems where the Task Server job failed for whatever reason. Most she could figure out the issue by using RTSM, aided by the article, http://69.93.2.147/article/4075/troubleshooting-altiris-manageability-toolkit-vpro-technology-part-5-real-time-console-, since RTCI was the component that executed most Task Server and RTSM commands against AMT.

Toward the end of the business day she leaned back. All vPro capable systems, a good 75% of the environment, was patched. Just as she shut down her computer Tevita showed up. His natural good humor managed to put a smile on his face. His long-sleeved dress shirt had the sleeves rolled up, his tie loose and top button of his collar undone. Sweat glistened on his forehead, remnants of computer dust bunnies streaked on his hands and forearms.

"Hi!" she said, unable to keep from smiling in amusement at him.

"Let me guess," he said, his smile twisting a little, "you've managed to patch all vPro systems."

"Yes," she responded, putting her purse back down on her desk. "How's the other systems coming?"

"I'm... uh... half done."

She nodded, picking up her phone. "Tevita, give me just a moment. Hi, Rob? I'm fine, though it looks like I'll be here a while. It's mostly under control, but we have a few more systems to fix. I know, I'm sorry. I'll see you later tonight, honey. Love you too, bye."

"What are you doing?" Tevita asked, frowning.

"We need to finish up, right?"

"Well... yes. But you don't really have to..."

"I'm thinking your wife wants to see you at least some time tonight. I'll take the third floor, you finish up the second, and the last one done has to bring donuts tomorrow."

Tevita looked relieved. "Deal. Thanks, Jessica."

Bobby walked up, a laptop case in his hands. "I'm heading out. Thanks for getting me back up so fast."

Jessica turned to him, her smile growing. "Bobby, we need your help," she said without preamble. "We have a few more systems to remediate..."

Bobby shook his head, his expression tightening. "No way, I have a Halo 3 party..."

"Bobby, you can't abandon us..."

Bobby looked down at the case in his hands. "Ah nuts! You don't know what this does to me. I'll lose my leader spot..."

"You'll make it up," Tevita said confidently. "If we get this done quickly imagine how impressed they'll be when you join late and still take the top spot."

Bobby's stricken look abated. "Yes. Yes, that would be impressive. Ok, I'll help."

Hours later Jessica left the building, running towards North Station to catch one of the late trains home, her shoulders feeling much lighter than when she'd rode in.

End Part II

Having minimized the damage of the first attack, the IT staff will continue to prepare in anticipation of more cyber attacks.

Troubleshooting the Altiris Manageability Toolkit for vPro Technology - Part 6 - Real-Time System Manager

joelsmith — Wed, 07 May 2008 18:18:23 GMT

Formerly known as Web Admin for Windows, Real-Time System Manager provides a powerful set of functions for IT specialists. In part 5 of this article series we covered the main points for Real-Time Console Infrastructure troubleshooting. As a natural extension of RTCI, Real-Time System Manager troubleshooting is covered in this article as part 6. With an emphasis on credentials and connection methods, this article provides information to overcome the most common issues seen when using the Real-Time tab for direct, one-to-one computer interaction.

Introduction

Real-Time System Manager provides a powerful tool for directly connecting to a system agentlessly with functionality available through WMI and Intel AMT. This article covers the issues associated with general functions seen with both technologies but with emphasis on the AMT functions. The following sections cover areas of troubleshooting:

Connection Issues
Authentication Issues
IDE Redirect (IDER)
Network Filtering

Connection Issues

Under the current architecture the FQDN is the primary method for connecting and authenticating to AMT on remote systems. If the FQDN the Real-Time tab is using does not resolve in DNS, then AMT connectivity and thus functionality will not be available. FQDN connectivity issues are the number one issues we see with RTSM connections to AMT.

Invalid FQDN

To view what FQDN the Real-Time is using, use the ‘Hardware Management' node in the RTSM tree. The following screenshot shows what AMT is using:

In this example my system is in a workgroup and reported only the hostname as the FQDN, which DNS had no trouble resolving. If this fqdn is not reachable via DNS, we won't be able to connect to the AMT functionality.

NOTE: We use several methods, including IP address, for WMI. WMI functionality may show correctly when AMT is absent in this situation

Use these steps to see the FQDN is the issue:

Open the Real-Time tab for the AMT system you are managing.
Once the tree loads, open the Real-Time System manager folder, open Administrative Tasks, and click on ‘Hardware Management'.
Once the page loads, if AMT is missing as an available technology, take note of the name displayed as in the screenshot above.
Go to Start, Run, type in cmd, and click OK.
Type in nslookup <name displayed>. In the above example it would read:
1. Nslookup dellvpro
Can DNS resolve this address? If no, we'll need to fix the issue in one of the following ways.
FIX DNS and/or the Altiris record: If DNS can be fixed, this is the preferred method. The difficulty is finding out why the Altiris Agent reported the incorrect record. Once DNS is fixed, have the Altiris Agent run Basic Inventory. The table location we pull this out of for management in RTSM is Inv_AeX_AC_Location, column: Fully Qualified Domain Name.
Use the ‘Manage' node available in RTSM (see the below screenshot): By putting in the IP address of the system, we'll use the IP to lookup the FQDN and not make any assumptions.
Update the Servers HOSTS or LMHOSTS files to contain the mapping to the invalid name. For example find the LMHOSTS file, edit it and add a line <IP ADDRESS> <FQDN>, as in this example:
1. 10.10.10.1 Dellvpro

Real-Time unable to connect

If WMI and AMT functions are unavailable, you'll get a message when you click on the Real-Time tab indicating that the functionality isn't available. See the following screenshot:

Note: If you use another product such as Dell or HP's plug-ins to this tab, you'll simply not have the ‘Real-Time System Manager' node underneath Real-Time Consoles.

The number one reason this occurs is due to a firewall being engaged. Firewalls need to allow AMT traffic through. If a firewall is enabled, use the following details to resolve the AMT issue:

Create an inclusion in the firewall properties.
Allow the following ports, based off your environment:
1. 16992 - For non-TLS encrypted traffic - if you are not using TLS this is the port that will be used for communication
2. 16993 - For TLS-enabled, encrypted AMT traffic - If https is required for communication with AMT, this port will be used
3. 16994 - For a note, AMT provisioning uses this port for sending out the ‘hello' packet during the configuration process - this will be used if you initiate a reprovision from RTSM
Another options is to disable the firewall when you need to manage the system via RTSM.
Unfortunately WMI has a known issue with the Windows firewall where the dynamic ports WMI uses after initiation will be blocked. It's a bug in WMI that has been addressed in Vista. Previous Operating Systems do not have a resolution at this time.

The other issue we've seen is where the system is simply unavailable for one reason or another. AMT is available if the system is off but still connected to the network, but WMI or if the system is unplugged from power or off the network RTSM obviously cannot function. Verify that the system is available if nothing resolves this issue.

Authentication Issues

Another common issue concerns authentication to the system via the Real-Time tab. First, let me discuss the methods RTSM uses to authenticate to a target system.

Authentication Methods

Runtime Profile - The Runtime profile contains he following information:

All known good credentials used to connect via RTSM to a system
The Intel SCS AMT password sent to systems when provisioning occurs
Previously successfully used credentials from past RTSM sessions

User-defined Profiles - Profiles can be created that specifically provide credentials for the four types of technologies:

WMI digest or Domain account
AMT digest or Kerberos-authenticated user
ASF digest or Domain account
SNMP community strings

Manually entered credentials - When RTSM tries to connect, if the default profile set in the RTCI configuration fails to authenticate, the left-hand tree will still load but each node will prompt the user for credentials. A user can put in an AMT account, Domain user, or digest user that has rights on the target system. When authentication succeeds, these credentials are then stored in the Runtime Profile for the target system.

Troubleshooting Authentication

The following method will help identify issues and offer ways to work-around and solutions. These have been compiled through experience when troubleshooting issues with failed authentication with RTSM.

In the Altiris Console browse to View > Solutions > Real-Time Console Infrastructure > Configuration > select Manage Credentials Profiles.
Where does the green checkmark fall? This is the default profile that will be used when connecting via the Real-Time tab.
Create a new profile by clicking the blue + on the icon bar in the right-hand pane.
Under the Intel® AMT tab check the box ‘Enable this technology in the profile'.
Supply the admin user credentials set when the managed vPro systems were provisioned.
Under the WMI tab also check the box as above and provide a user that has admin privileges to the target system.
Give the profile a name and then save it.
Back at the main screen check the box under the ‘Default' column until the green check-mark uses your new Profile.
Test to see if this new profile is successful. Note that you'll need to launch IE fresh to use the new settings.
If it is not, try entering credentials in manually when you hit the system under the Real-Time tab. See the screenshot below for the connection icon to switch between WMI and AMT authentication. If two show in this area, both technologies are available but not authenticated.
In one case we supplied only AMT credentials in the Profile which allowed it to authenticate to AMT while a multiple protocol authentication profile failed.
Check the collection you are launching Resource Explorer from. Sometimes the identity of the system is incorrect. For AMT you can launch RTSM from the Provisioned collections populated with the Resource Synchronization.

IDE Redirect (IDER)

IDE Redirect allows a system to be remotely booted to a file, drive, or virtual disc. There are a number of potential issues to be aware of when working with IDER in a vPro environment. The below items include well-known issues and their resolutions.

Redirection Invalid Parameter

When initiating an IDER (IDE Redirect) session to an external source such as an .iso file, the following error appears in the console:

Power management operation failed.
Redirection session start has failed. See logs for more details.

The Notification Server log shows the following error:

Log File Name: C:\Program Files\Altiris\Notification Server\Logs\a.log
Priority: 2
Date: 3/9/2007 2:51:05 PM
Tick Count: 10617218
Host Name: <>
Process: w3wp.exe (2436)
Thread ID: 5412
Module: AltirisNativeHelper.dll
Source: RTCI.Trace
Description: RedirectionProvider::StartIDER - RedirectionProvider::StartIDER - IMR_IDEROpenTCPSession: IMR_RES_INVALID_PARAMETER

This is caused by Intel's redirection library requiring a correct floppy device to initiate an IDER session (either floppy image or real removable device). Real-Time System Manager 6.2 can work around this. If you put floppy.img file into Program Files\Altiris\RTSM\UIData folder, then the issue will not occur.

IDER or SOL Disabled

In some instances Intel vPro systems are arriving from the OEM with IDER and SOL disabled in the BIOS. When disabled, neither of these functions work from any management engine, including RTSM. Correcting this oversight is not easy, especially if the OEMs do not offer a solution by a firmware or BIOS update. Use the following method to resolve the issue:

Go to the Support site for the OEM for the systems.
Browse to the drivers and downloads section for the exact model (note that sometimes the model will differ based on possessing or not possessing vPro technology).
Check the firmware updates for a new BIOS.
Check the documentation for any new BIOS versions that include vPro to see if they've corrected this.
Contact your OEM if they have not and request a status!
The only other recourse is to develop an update yourself or manually update the settings by visiting the system.

Conclusion

This should account for the most common issues we've seen, and allow you to successfully use RTSM with AMT technology, avoiding those issues.

How to Configure Security to add or limit access to the Real-Time tab in RTSM for Intel AMT technology and WMI access

joelsmith — Thu, 24 Apr 2008 16:39:44 GMT

The ability to provide access to the Real-Time tab of Resource Manager will enable administrators to provide this valuable tool to IT specialists or Helpdesk workers. Furthermore the ability to configure access to certain functions within the console will allow administrators to grant or restrict what users can do with Real-Time System Manager. This includes WMI functionality as well as powerful AMT functionality.

Introduction

Your environment will likely have a unique set of requirements on who can access what in Real-Time System Manager. It can be as simple as two levels of workers, from an administrator to an IT Specialist, to a complex system of access rights in a multi-tiered environment tightly controlled. No matter the environment, this article provides the details to customize access to the Real-Time tab, including WMI and AMT access rights.

RTSM contains limited functionality to configure access via WMI. AMT, on the other hand, can be configured at a function-granular level. Whether you're simply trying to give users full access to RTSM, or to provide access to only certain functions, this document assists to achieve this.

NS Role Security

The first item that must be enabled is creating a role or modifying an existing role to have rights to Real-Time System Manager at the general level. Without assignment to such a role, a user cannot gain access to RTSM.

Overview

Briefly I'll explain how NS Role and Scope security work together in Notification Server. Roles give feature access rights. For example in Software Delivery Solution there's a role object labeled ‘Item Tasks - Software Delivery Wizard'. The two options allow use of the Simple or Advanced Software Delivery Wizard. Without this right, the user cannot launch the Software Delivery Wizard, regardless if they have scope rights to the Wizard and Status node in the console.

Scope security is much like the Windows File-System security model. In the Altiris Console the left-hand tree can be accessed like the file system, applying security to folders or to nodes, as opposed to folders and files. Inherence allows security to be inherited from the containing folder, on up the chain until the root node is reached.

Role Configuration

The following steps show how to create a user with RTSM permissions.

In the Altiris Console, browse to View > Configuration > Server Settings > Notification Server Settings > Security Roles.
Select an existing Role or Right-click on the Security Roles folder and choose to create a new Role.
Under Privileges, find the following categories and check the indicated option. After the screenshot the items are details with description of the option:
1. Altiris System Privileges - Use Real-Time System Management - This is the ability to use the product at the most basic and general level.
2. Altiris Console Privileges - View Resources Tab - For this example I'm providing the user the ability to see collections so he or she can launch Resource Manager and use the Real-Time tab.
3. Altiris Console Privileges - View Tasks Tab - Access to the ‘Manage' node allowing launch of Resource Manager requires this privilege.
4. Item Tasks - Real-Time System Manager - Manage - This is access to the main tree for RTSM. Most functions are covered by this option.
5. Item Tasks - Real-Time System Manager - Password Reset - Because of the nature of this function, it has been separated out as a single security role object in Notification Server but belongs to the Real-Time tree.
6. Item Tasks - Real-Time System Manager - Port Check - The Port Check feature is normally accessed as a separate contextual item in the right-click menu, or launch from an icon under the Real-Time tab.
7. Item Tasks - Real-Time System Manager - Trace Route - This is treated in the same way as Port Check.
8. Item Tasks - Real-Time System Manager - Hardware Management - This is one of the objects in the tree that provides basic hardware function, which is greatly extended if the system is Intel vPro capable and Provisioned.
Click the Membership tab.
Use the blue + icon to add users and/or groups to the Role. These can be digest users or local computer groups, or Domain users or groups.
Click Apply to save the Role.

Note: The users will not have access yet to the Altiris Console as the scope-level security has not been set for the new Role. Complete the below NS Scope Security section to give access to the Altiris Console

NS Scope Security

Altiris Console

For Altiris Console access, scope security must be configured before a Role can access or login to the console. The security window is the same for any node, be it a folder or otherwise. The two screenshots below show the security window and the permission selection screens:

Note: Depending on the object type, the available permissions may differ

To allow access to the ‘Manage' Real-Time Console Infrastructure Task, follow these steps:

In the Altiris Console, browse under View > Tasks > Incident Resolution > Tools.
Right-click on the node ‘Manage' and choose Properties.
Click on the Security tab.
Click the ‘Add' button.
Select from the list Role ~~name of your role~~ (+ie:+ Role RTSM Workers) and click the ‘Select' button.
Check the option for ‘Full Control' and click ‘Select'.
Note: Full Control does not give the user the ability to delete or otherwise manipulate the Manage node. This node can only be accessed for the function alone.
Click ‘Apply' to save the security changes made.

To access Collections so the users of the role can view collections so they can use the RTSM right-click contextual menu options for a listed resource, follow these steps:

In the Altiris Console, browse to View > Resources > Collections.
Depending on what collections you want to give the user access to, browse to a containing folder or an individual collection.
Right-click on the folder or collection and choose Properties.
Click on the Security tab.
Click the ‘Add' button.
Select from the list Role ~~name of your role~~ (+ie:+ Role RTSM Workers) and click the ‘Select' button.
Check the following options:
1. Altiris System Permissions - Read
2. Altiris Resource Management Permissions - Read Resource Data
3. Altiris Resource Management Permissions - Read Resource Association
Click Select, and then click Apply on the permissions window.

Now we have allowed the user access to certain parts of the Altiris Console so they can execute Real-Time System Manager on managed systems. To restrict access to certain parts of the RTSM console, see the previous Role section for what options are available to you.

AMT Permissions

RTSM takes advantage of powerful functionality available in Intel vPro, AMT technology. Once a user has access to RTSM, their user account, if permitted, is used to connect to the remote system by WMI. An AMT connection can either use Kerberos integration or an inputted digest user when prompted. The credentials must be specified in the destination system's AMT Profile, otherwise authentication will fail.

To configure who has rights to AMT, follow these steps:

In the Altiris Console, browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > Provision Profiles.
Double-click on an existing profile, or create a new one.
Click on the ACL tab.
Click Add to add either a digest user or to use Domain users and groups with Kerberos integration.
Once a user is inputted, the ‘Realms' section allows or disallows access to different AMT functions. The boxes that are of importance to RTSM are:
1. Circuit Breaker - Now known as System Defense, or Network Filtering
2. Hardware Asset - For power management capabilities
3. Redirection - To allow IDE Redirection
4. Remote Control - Allows Serial Over LAN (SOL) remote connection
5. Event Manager - Allows viewing of AMT logs
6. General Info - Allows viewing of AMT data on the system
The ‘Access Permission' dropdown should be used to select either Network Access or Any. The Local Access option gives that user rights to log into the Intel ME locally when the system boots and isn't needed for RTSM function, however if you wish to allow the user to have access to both, choose ‘Any'.
Click OK to save the changes.

To apply the updated or new profile to an AMT system Provisioning must occurred. If the system was already provisioned with this same profile previously, a reprovision will update the profile.

This will not limit access to see the functions available in the Real-Time tab for AMT, but will throw a not authorized message if an applicable function is attempted with a user who does not have the rights to execute it.

Conclusion

The Real-Time tab, a one-to-one solution for system access, data gathering, or troubleshooting, provides a powerful tool to IT administrators and IT professionals alike. Providing this ability to users you do not want to have full access to Altiris is essential for any secure environment. With the additional ability to configure granular AMT rights for vPro capable and configured systems, an administrator has the ability to get very specific on what users or groups of what rights.

Altiris and Intel vPro Use Cases - Introduction

joelsmith — Fri, 11 Jan 2008 22:44:26 GMT

The big question after successfully provisioning a vPro/Symantec-Altiris environment comes in the simple form of "Now what"? The article series: Utilizing Intel® vPro AMT Technology with Task Server covers a lot of the functionality directly (LINK: http://juice.altiris.com/book-page/2201/utilizing-intel-vpro-amt-technology-with-task-server). This article series takes it a few steps further, with real-world examples and use cases for taking advantage of Intel® vPro technology through Symantec/Altiris Notification Server.

Introduction

There are two components for directly interfacing the AMT vPro technology. The first is Real-Time System Manager, the second Task Server. Both components utilize much of the same functionality, however RTSM provides a one to one interface, while Task Server allows a one to many task or job to execute against a group of vPro systems.

To understand how all the components work together, this Introduction walks through the basics of the components that will be used throughout the use cases. The list of solutions, or applications, that utilize Intel vPro technology is listed here along with a description:

Real-Time Console Infrastructure - This component is generally invisible when working directly with vPro AMT Systems. The Configuration of how to connect to systems and what credentials will be used can be found in the configuration pages for this product. It supports both the Real-Time tab and the Task Server vPro AMT tasks available.
Real-Time System Manager - The Real-Time tab functionality that directly interfaces with vPro AMT on a system per system basis provides a live tool for directly invoking vPro AMT functions as part of troubleshooting or maintaining a system directly. This is useful for troubleshooting problems with a specific system.
Out of Band Management - Out of Band Management will only lightly be covered in this article series. For the most part this solution is part of the setup and configuration of Intel vPro AMT systems so that vPro AMT functionality can be used. There are some maintenance and profile items that can be used as part of ongoing use of vPro AMT.
Task Server - Task Server is the engine used for a one to many task or job where specific vPro AMT functions, along with functions from a myriad of other Solutions, can be executed or scheduled to execute against a collection or list of systems. This is the integration framework that allows AMT to become part of a much larger Altiris functionality portfolio.

See the following diagram for a representation of how the two main functional engines work:

This series will focus on these two pieces (RTSM and Task Server) since they are the delivery mechanism for the vPro AMT functionality. Other Symantec Solutions can and will be used through the use cases.

Real-Time Console Infrastructure

Consider this the core underlining infrastructure for the Symantec use of Intel vPro AMT. All solutions that make use of this component will install it if it is not already installed. The primary products are Out of Band Management and Real-Time System Manager. Other Notification Server Partner solutions, such as HPCM and Dell Openview, will need RTCI installed in order to make use of the vPro AMT functions. The console pages available for this solution center around the configuration of the vPro AMT functions.

The configuration page for RTCI is found in the Altiris Console. In the Altiris Console 6.5, browse under View > Solutions > Real Time Console Infrastructure. Under the Configuration folder, the following nodes are available:

Configuration - Includes settings for vPro AMT Connections, such as Transport Level Security, Redirection Security, and other settings such as the connection timeout value. It also includes a page to configure where SNMP vPro AMT alerts are sent, and allows a default configuration for the System Defense filter (default is to ‘Allow all network traffic').
Edit Network Filters - This page is only available if the ENF utility has been installed (see article http://juice.altiris.com/article/2645/hold-mf-utilizing-intel-vpro-amt-technology-task-server-part-5-system-defense-tasks for more information). If you do not have this node, install it so that you can configure what is allowed through the System Defense filter.
Manage Credentials Profiles - This node is vital for setting up connection profiles when using RTSM. It includes credentials for WMI and vPro AMT. Users who do not have rights to vPro AMT will need to use a profile that has a user configured with rights. This also includes the Run-Time profiles which is used by both Task Server and RTSM to use known good credentials when functioning against specific vPro AMT systems.
Manage Views - Views are
Purge Policy - This page is used to configure how often and how much residual data RTCI purges. For large environments this will help keep the database size down to improve performance.

The Reports, Resources, and Tasks section contain the typical items for Altiris Solutions. Tasks include all the vPro tasks available through Task Server. See the subsequent Task Server section for more details.

The Tools folder is also found under the Real-Time System Manager section (it ties into the same data so the duplication is only visual). For vPro AMT, the two applicable nodes are:

Activity Log - This logs all functions executed while in a Real-Time session. This is useful to look at what operations have been run, one which computers, by whom, and utilizing what technology (WMI versus vPro AMT).
Manage - This node allows an IP address to be entered in directly for a launch of the Real-Time tab. This is especially useful for systems that are not in the Altiris database. This also allows a host-name to be entered, but keep in mind that if there is a DNS issue this may fail.

Real-Time System Manager

To simplify things, we'll simply define this product as ‘The Real-Time tab within Resource Manager'. There are Partner Solutions for HP, Dell, and others that will add items to the left-hand tree, but the Real-Time System Manager node provides all functionality including all vPro AMT functionality available. See the following screenshot for details:

NOTE: Only the vPro AMT functions are shown above as my Symantec Client Firewall is enabled! Since vPro AMT is a trusted technology my Symantec firewall does not block vPro AMT traffic.

The console is a direct connection to the machine listed under ‘Managing Resource'. As such this is a one to one implementation and is useful when troubleshooting a specific vPro AMT system. In the Use Cases where the use defines the target as one machine, often RTSM will be utilized.

Out of Band Management

Since Out of Band is primarily a Provisioning Solution, only a few of its functions will be used in the use-cases provided in this article series. The functions that apply are:

Maintenance - For security purposes, OOBM can be setup to run maintenance tasks against managed vPro AMT systems. The vPro AMT administrator password for a particular machine can be randomly changed. A re-provision, which reassigns the profile assign to it, will help keep vPro AMT systems up to date with profile settings and password information.
Profiles - In the profile setup while configuring an vPro AMT system users can be defined for having certain vPro AMT rights. This allows administrators to limit what type of worker can execute what vPro AMT functions.

Task Server

Task Server is a sequencing engine, and RTCI provides vPro AMT targeted tasks that can be employed singly or jobs that can run a large variety of tasks or actions against a target collection of machines. In the preface to this article a link provided access to a series focusing on how vPro tasks can be utilized into Task Server, with articles covering additional Altiris/Symantec Solutions for further integration. Before walking through the Use Cases, it will help a great deal to understand how we're integrating the functionality and how Task Server functions in general.

The vPro AMT tasks themselves are provided by RTCI, including the engine that connects and executes functions against a vPro capable system. Task Server handles all the rest, including integrating other Solution functionality within Jobs.

Most automated processes to be executed against one or more vPro AMT systems will fall under Task Server. Task Server Jobs can be scheduled, or executed on demand. Notification Server Collections or individually picked vPro AMT systems can be targeted per Task or Job, allowing a large number of systems to execute at a time (Note: for large environments multiple Task Servers are recommended).

Conclusion

Before any of the Use Cases can be tested, all target AMT systems must be provisioned in one of the provisioning modes: Small Business (Low security), Enterprise Mode, Enterprise Mode with TLS. Once provisioned, Symantec, via RTSM and Task Server, can then work directly with the machines via vPro AMT.

I hope to cover common scenarios in this article series that can be of use to many environments. Most of the testing will be against a limited lab environment so results may vary and additional configuration may be required, all depending on the complexity and configuration of the environment. Since the hardware and software worlds introduce many levels of complexity and configuration, additional steps may be required to create workable jobs and functions. Having said that, hopefully these provide enough information to move forward.