
Intel vPro Expert Center Blog

28 Posts authored by: joelsmith

New Troubleshooting guide for vPro integration in Symantec Management Platform 7.0 available:

http://communities.intel.com/docs/DOC-5754

This guide covers setup, configuration, and usage of the following Symantec technologies with vPro (AMT):

  • Notification Server
  • Task Server
  • Out of Band Management
  • Credential Manager
  • Pluggable Protocol Architecture
  • Real-Time Console Infrastructure
  • Real-Time System Manager

Whether you are planning to implement a vendor TLS certificate in the future, or you are having trouble applying a certificate you’ve already obtained, this article walks through the best practices.  It includes all the steps needed to install the right items properly and to resolve the issues we’ve encountered up to this point.  This article applies to Out of Band Management Solution 7.0, included with Client Management Suite 7.0.  Because the certificate enforces strict authentication, if the right items are not in place or the steps are not followed, AMT systems will be unable to provision with Remote Configuration.

Introduction

Why is Configuring a vPro capable system important?  Without setup and configuration, the functionality provided by vPro is not accessible within your Symantec Client Management Suite environment.  Out of Band Management Solution allows setup and configuration to occur automatically using Remote Configuration.

Using Remote Configuration to set up and configure your Intel AMT vPro capable computers takes the work out of the process after some initial setup.  AMT systems that ship with versions 2.2, 2.6, 3.0+, 4.0+, and 5.0+ will automatically use Remote Configuration to set up and configure themselves with a valid Provisioning Server, and Out of Band Management provides such a server.  The vendor certificate hashes (AMT 3.0 includes Verisign, GoDaddy, and Comodo) are already stored in the firmware, so once a system is connected to power and the network it begins sending out requests for configuration.  In this way the managed vPro systems are already prepared to be configured without any intervention by the IT staff.

Usually the issues we see with the Remote Configuration process originate on the server side, in the step of adding a certificate from the aforementioned vendors.  Obtaining and installing a vendor TLS Remote Configuration certificate must be done the correct way so that authentication can succeed.  Once it is in place, provisioning rolls forward without any further intervention as long as the certificate remains valid.  This article focuses on applying the server-side certificate so that setup and configuration can move forward automatically.

Obtaining a Remote Configuration Certificate

This subject has been covered previously.  I wanted to lightly touch upon this as there is a vital step that should be taken so that if anything goes wrong we can correct it.  First, the following article covers how to properly obtain a certificate:

Note that part of obtaining a Remote Configuration certificate is submitting the request from the server you plan to install the certificate on.  This process creates the private key for the server-side certificate, and that key is not accessible until partway through applying the crt (or cer) file obtained from the vendor.  The specific step that yields the full key pair, both private and public, is exporting the certificate to PFX format after the initial import; checking the option to export the private key gives you a complete backup of the full certificate in case it is needed in the future.  If something goes wrong, or the application doesn’t go right, we’ll need both halves, so it’s essential to export this as soon as possible.

During the installation steps below, emphasis is given to the step where the export should take place.

Certificate Authority (CA)

In order to use Remote Configuration with Out of Band Management, the Microsoft Certificate Authority services must be installed on the Notification Server or the OOB Site Server.  If they are not already installed, use the following steps:

  1. Go to Start > Administrative Tools > and click on Add or Remove Programs.
  2. In the left-side button bar click the button Add/Remove Windows Components.
  3. Check the option labeled Certificate Services.  See this screenshot for details:
    CAInstall.jpg
  4. You’ll receive the pop-up:
    After installing Certificate Services, the machine name and domain membership may not be changed due to the binding of the machine name to CA information stored in the Active Directory.  Changing the machine name or domain membership would invalidate the certificates issued from the CA.  Please ensure the proper machine name and domain membership are configured before installing Certificate Services. Do you want to continue?
  5. Click Yes to continue once your system has the intended identity.  Click Next.
  6. Choose what type of CA to create.  If you are not installing a hierarchy of CAs you can leave the stand-alone root CA option selected.  Click Next.
  7. Enter the name the CA will be known by.  This must match the name used in your CA hierarchy, or the name by which the Remote Configuration certificate will be known.
  8. In an AD environment the Distinguished Name suffix is generated automatically and reflects the system’s domain.
  9. Click through the rest of the options, noting where the services data files are stored.
  10. You will be prompted to restart IIS.  This is required during the installation.
  11. Click Finish to complete the installation.
  12. Done!  The NS or Site Server is now prepared to handle certificates in the Remote Configuration process.

Installing the Certificate

The recommended way to apply a Remote Configuration certificate is to let the certificate dictate where it is installed.  However, this process has sometimes resulted in the certificate being installed in the wrong store, and when that occurred we had headaches cleaning up the system before the certificate could be installed properly.  Why this occurs is unclear.  For reference, here is the process for adding a certificate automatically:

  1. Save the acquired cer or crt file from the vendor onto the Notification Server or the Site Server for Out of Band Management.
  2. Right-click on the file and choose Install Certificate.
  3. Click next on the Welcome screen.
  4. Leave the radio button on ‘Automatically select the certificate store based on the type of certificate’ and click Next.
  5. Click Finish to complete the installation.  You’ll receive a confirmation pop-up that the certificate installed successfully.

While I won’t advise against using that method, the steps below use the manual installation method to ensure the certificate is installed in the correct store.

I’ve condensed the required steps into the following list.  This process works for all vendors once you’ve obtained a certificate.  Note that these steps consolidate both the recommended steps and the documentation into one whole.

  1. Go to Start > Run > type mmc > and click OK.
  2. In the resulting console click under File and choose Add/Remove Snap-ins…
  3. Near the bottom of the resulting window click the Add button.
  4. From the list that appears select Certificates and then click the Add button.
  5. Leave the radio button on ‘My user account’ and click Finish.
  6. From the same list select Certificates again and click the Add button.
  7. In the resulting window change the radio button to ‘Computer account’ and click Next.
  8. Leave the selection at ‘Local computer: (the computer this console is running on)’ and click Finish.
  9. Click the Close button in the window offering you the list of available snap-ins.
  10. At the original add/remove snap-in screen verify that you have two entries:
    1. Certificates – Current User
    2. Certificates (Local Computer)
  11. Click OK.
  12. Expand both trees in the left-hand pane within the console.  You should see the full certificate stores as shown in this screenshot:
    CertificateStores.jpg
  13. Right-click on the Personal folder under the Current User certificate store and highlight ‘All Tasks’ and click on ‘Import’ in the pop-out menu.
  14. Click Next on the Welcome page of the Certificate Import Wizard and click the Browse button.
  15. Browse to the cer or crt file provided by the vendor, highlight it, and click Open.
  16. Click Next, and leave the radio button on ‘Place all certificates in the following store’, which should be set to ‘Personal’.  Click Next.
  17. Under the Completing section of the wizard, Click Finish.  You should receive a pop-up indicating the certificate was successfully installed.
  18. NOTE!  This is the vital step mentioned previously in the article.  We will now export the certificate with both public and private keys, which will give us the full set and allow us to remove and reapply if necessary.  In the MMC select the newly imported certificate > right-click > and choose All Tasks > Export…
  19. Click Next on the Welcome screen.  In the resulting list you should have an active option for ‘Personal Information Exchange – PKCS #12 (.PFX)’.  If this option is not available (grayed out as shown in this screenshot), there is a problem with the certificate and the private key is not accessible:
    ExportDial.jpg
    If this occurs please note the following items:
    1. The application of the public key, or cer/crt file, must be done on the server where the key was requested. 
    2. If this is not your Provisioning Server you’ll need to contact the Vendor of the certificate to resolve the discrepancy.
    3. If you did request this certificate from the server you are operating on, you’ll also need to contact the vendor to explain that the private key is not found when exporting the certificate after initial application.
  20. Follow the wizard, and ensure you select the option ‘Yes, export the private key’.  When saving the file, it will prompt you to set a password to protect the private key (this is recommended for security reasons).  The export should leave you a PFX file.  Keep this in a safe place, preferably in line with your company’s encryption certificate backup policy.
  21. Next we need to import the full key into the Computer store.  Start back in the MMC > under the Local Computer certificate store > right-click on the Personal folder > select All Tasks > Import…
  22. Click Next on the Welcome screen and click the Browse button on the subsequent screen.
  23. Browse to the newly exported PFX file.  Note that you will need to change the ‘Files of type’ to include the PFX format.  Click Next.
  24. The Password screen prompts for the password you set when you exported the key in step #20, as shown in the following screenshot.  Enter the password and click Next.
    CertPassword.jpg
  25. Leave the selection at ‘Place all certificates in the following store’.  The value should be Personal.  Click Next.
  26. Click Finish on the end details page to complete the import.
  27. Done!

NOTE: In Out of Band Management 6.x, with Intel SCS 3.x or earlier, a separate utility was required to load certificates into Intel SCS so the Provision Server was aware of them.  This is no longer required as Intel SCS 5.x possesses intelligence to automatically acquire all installed Intel vPro Remote Configuration encryption certificates.
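As an added check for the procedure above (example code written for this article, not part of the original post or of the Symantec/Intel tooling), the following PowerShell script looks at the two Personal stores the MMC steps populate and reports whether the vendor certificate in the Local Computer store carries its private key, which is the condition the PFX export in step 19 depends on and the reason the export option shows up grayed out. It assumes only the built-in Cert: drive; the vendor name it takes is a placeholder you replace with a distinctive part of your certificate’s issuer name.

```powershell
# Added example, not part of the original post or of the Symantec/Intel tools.
# Run on the Notification Server or OOB Site Server after the import steps.
# Needs only the built-in Cert: provider (PowerShell 1.0 or later).
param(
    # Placeholder: replace with a distinctive part of your vendor's issuer name.
    [string]$VendorName = 'VENDOR-NAME-PLACEHOLDER'
)

function Get-RemoteConfigCertificates {
    # One record per matching certificate in the two Personal stores the MMC
    # procedure touches: Current User (steps 13-17) and Local Computer (steps 21-26).
    param([string]$IssuerMatch)

    $stores = @(
        @{ Label = 'Current User (Personal)';   Path = 'Cert:\CurrentUser\My' },
        @{ Label = 'Local Computer (Personal)'; Path = 'Cert:\LocalMachine\My' }
    )
    $records = @()
    foreach ($store in $stores) {
        $certs = Get-ChildItem -Path $store.Path | Where-Object { $_.Issuer -like "*$IssuerMatch*" }
        foreach ($cert in $certs) {
            $records += New-Object PSObject -Property @{
                Store         = $store.Label
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # $false is what grays out the PFX export
            }
        }
    }
    return $records
}

function Test-ProvisioningCertificate {
    # Turns the records into findings; an empty result means the stores look right.
    param([object[]]$Records)

    $findings = @()
    $machine  = @($Records | Where-Object { $_.Store -eq 'Local Computer (Personal)' })
    if ($machine.Count -eq 0) {
        $findings += 'No vendor certificate in the Local Computer Personal store; the PFX import (steps 21-26) has not been done.'
    }
    foreach ($r in $machine) {
        if (-not $r.HasPrivateKey) {
            $findings += "Certificate $($r.Thumbprint) has no private key; re-import the PFX exported with 'Yes, export the private key' selected."
        }
        if ($r.NotAfter -lt (Get-Date)) {
            $findings += "Certificate $($r.Thumbprint) expired on $($r.NotAfter); provisioning stops once the certificate is no longer valid."
        }
    }
    $userNoKey = @($Records | Where-Object { $_.Store -eq 'Current User (Personal)' -and -not $_.HasPrivateKey })
    foreach ($r in $userNoKey) {
        $findings += "Certificate $($r.Thumbprint) in the Current User store has no private key; the crt was probably applied on a different server than the one that generated the request (step 19)."
    }
    return $findings
}

$records  = @(Get-RemoteConfigCertificates -IssuerMatch $VendorName)
$records | Format-Table Store, Subject, HasPrivateKey, NotAfter -AutoSize
$findings = @(Test-ProvisioningCertificate -Records $records)
if ($findings.Count -eq 0) {
    Write-Host 'OK: vendor certificate present in the Local Computer store with its private key.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as the same user who performed the Current User import, since that store is per-user. A certificate that shows HasPrivateKey as false in the Current User store is the exact situation described under step 19, and no amount of re-importing the crt file will fix it; the PFX (or the vendor) is the only way back.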

Reinstalling the Certificate

If you need to reinstall the certificate and you have a PFX file, you can do so by opening both certificate stores (User and Local Computer) as outlined in the previous steps.  Browse through the certificate stores and delete every instance of the vendor certificate.  This removes any stale associations and allows a clean application of the certificate.  Look for the following:

  • The name matching the name of the cer or crt file obtained from the vendor
  • The vendor’s certificate (the entry will contain the vendor name).

NOTE: Be careful when removing vendor certificates as they may not be part of the Remote Configuration.  The best example is Verisign, which may have many entries.  If unsure, leave the certificate in place, or export it before deleting it so you can restore it if necessary.

Enabling Remote Configuration

To ensure that Out of Band Management is set up to use Remote Configuration as a valid setup and configuration method, follow these steps:

  1. In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
  2. In the left-hand tree browse under Configuration > Configuration Service Settings > and select General.
  3. In the resulting page ensure that the option labeled Allow Remote Configuration is checked.  If it is not, check it.  See this screenshot for an example:
    EnableRemoteConfig.jpg
  4. If you needed to check the option, be sure to click Save Changes to register the change.

That should do it for the certificates.  You’ve now completed the steps required to install and enable Remote Configuration in the Out of Band Management Environment.  However you are not done yet!  Certain infrastructure components are required to make this process seamless.  Proceed to the next section for details.

Other Setup Requirements

The following items will be used to automate the setup and configuration process.  Remote Configuration will use these to locate and communicate with the Provisioning Server (Out of Band Management).

ProvisionServer

Each zone within DNS should have a ProvisionServer entry to ensure that Remote Configuration requests are properly routed to the Server.  This will also help properly resolve names during the authentication process.  Use the following steps to add ProvisionServer to DNS:

  1. Go to Start > Run > type mmc > and click OK.
  2. In the resulting console click under File and choose Add/Remove Snap-ins…
  3. Near the bottom of the resulting window click the Add button.
  4. From the list that appears select DNS and click Add and click Close.
  5. Click OK in the next Window.
  6. Browse in the tree to the Forward Lookup Zones.
  7. Right-click the entry for the Notification Server computer and choose New Alias.
  8. Type ProvisionServer as the Alias name, in this manner:
    ProvisionServer
  9. Done! 

Though simple, this is the key to directing the automatic Remote Configuration hello packets from enabled vPro systems to the Notification Server or Site Server.  Without this step no setup and configuration of vPro systems will occur.

To test, log onto a system on the subnet you’re trying to conduct Remote Configuration from.  Open a command prompt and run the following command:

  • ping ProvisionServer

The responding IP address should match the IP address of the Notification Server or, if you’ve set it up this way, the Intel SCS server conducting provisioning.  Another test you can try is to run the following command:

  • nslookup ProvisionServer

We should get the data on the Notification Server’s Fully Qualified Domain Name (FQDN).

DNS Zones

In a multiple domain structure this is especially important, but every environment needs the right data in DNS to properly pass and authenticate in a TLS environment.  The DNS Primary Zone should be set to the domain path contained within the certificate.  For example, if the certificate name is MyNSServer_My1Domain_local, the DNS Primary Zone should be My1Domain.local.  The FQDN is used during authentication, so if the name transmitted across the wire doesn’t match what’s in the certificate, authentication will fail.  Here is another example:

  • Certificate: MyNSServer_My1Domain_local.crt
  • DNS Primary lookup Zone: My1Domain.local

DHCP Option

Another Network related requirement may be DHCP Option 15.  While I’m not sure why this has proven to be required in some environments and not others, creating this option has resolved failed authentication issues within Remote Configuration.

In DHCP, create an entry for Option 15 with the value of the domain path.  This will often be the same as the DNS Primary Zone.  The following details are an example:

  • Certificate: MyNSServer_My1Domain_local.crt
  • DNS Primary lookup Zone: My1Domain.local
  • DHCP Option 15: My1Domain.local
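To check the three name-related items from this section together (the ProvisionServer alias, the DNS primary zone implied by the certificate name, and the DHCP option 15 value), here is an added PowerShell example that is not part of the original post. It derives the expected host and zone from the vendor file-naming convention shown above (MyNSServer_My1Domain_local.crt), resolves ProvisionServer through the .NET resolver (the same lookup nslookup performs), and reads the DNS suffix a DHCP client received via WMI. The function names and the example file name are illustrative; the values printed for a real environment come from your own DNS and DHCP.

```powershell
# Added example, not part of the original post. Run on a client in the subnet
# you are provisioning from (the DHCP suffix check only means something on a
# DHCP client); the alias and zone checks work from any domain member.

function Get-ExpectedNamesFromCertificateFile {
    # The vendor naming convention shown above: MyNSServer_My1Domain_local.crt
    # -> host 'MyNSServer', zone 'My1Domain.local', FQDN 'MyNSServer.My1Domain.local'.
    param([string]$CertificateFileName)

    $base  = [System.IO.Path]::GetFileNameWithoutExtension($CertificateFileName)
    $parts = $base -split '_'
    if ($parts.Count -lt 2) {
        throw "Certificate file name '$CertificateFileName' does not follow the host_domain_suffix pattern."
    }
    $zone = $parts[1..($parts.Count - 1)] -join '.'
    return New-Object PSObject -Property @{
        HostName = $parts[0]
        Zone     = $zone
        Fqdn     = "$($parts[0]).$zone"
    }
}

function Test-ProvisionServerAlias {
    # Equivalent of 'nslookup ProvisionServer': the alias must resolve to the
    # Notification Server's (or SCS server's) name and address.
    param([string]$ExpectedFqdn)

    $result = New-Object PSObject -Property @{
        Resolves = $false; Canonical = $null; Addresses = @(); MatchesExpected = $false
    }
    try {
        $entry = [System.Net.Dns]::GetHostEntry('ProvisionServer')
    } catch {
        return $result   # name does not resolve: the alias is missing from this zone
    }
    $result.Resolves  = $true
    $result.Canonical = $entry.HostName
    $result.Addresses = @($entry.AddressList | ForEach-Object { $_.IPAddressToString })
    try {
        $expected = @([System.Net.Dns]::GetHostAddresses($ExpectedFqdn) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $expected = @()
    }
    $shared = @($result.Addresses | Where-Object { $expected -contains $_ })
    $result.MatchesExpected = ($entry.HostName -ieq $ExpectedFqdn) -or ($shared.Count -gt 0)
    return $result
}

function Get-DhcpDnsSuffix {
    # DHCP option 15 ('DNS Domain Name') arrives on a DHCP client as the
    # connection-specific DNS suffix, which WMI exposes as DNSDomain.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE'
    return @($adapters | ForEach-Object { $_.DNSDomain } | Where-Object { $_ })
}

# Usage with the article's example names (constructed values, not a real environment)
$names = Get-ExpectedNamesFromCertificateFile 'MyNSServer_My1Domain_local.crt'
Write-Host "Expected DNS primary zone and DHCP option 15 value: $($names.Zone)"
$alias = Test-ProvisionServerAlias -ExpectedFqdn $names.Fqdn
if (-not $alias.Resolves) {
    Write-Warning 'ProvisionServer does not resolve; add the alias in this DNS zone.'
} elseif (-not $alias.MatchesExpected) {
    Write-Warning "ProvisionServer resolves to $($alias.Canonical) [$($alias.Addresses -join ', ')], not to $($names.Fqdn)."
}
foreach ($suffix in Get-DhcpDnsSuffix) {
    if ($suffix -ine $names.Zone) {
        Write-Warning "DHCP-supplied DNS suffix '$suffix' differs from the certificate zone '$($names.Zone)'."
    }
}
```

Substitute the name of your own vendor crt file in the usage line. A warning from the alias check corresponds to the ping/nslookup tests above failing or answering with the wrong host; a warning from the suffix check is the mismatch between the name on the wire and the name in the certificate that this section says breaks authentication.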

Conclusion

Following the above procedure should allow remote configuration to occur without problems.  Once in place, the configuration will move forward with automatic setup and configuration for all vPro enabled systems that support Remote Configuration.

Updating the firmware of systems with Intel vPro technology often yields significant results when configuring and using vPro functions.  For example, certain Dell laptops shipped with both Serial over LAN (SOL) and IDE Redirect (IDER) disabled in the BIOS; a newer BIOS firmware update enables them.  Another example: a desktop running AMT 2.1 firmware can be upgraded to AMT 2.2, which enables Remote Configuration.  Whatever the reason, a firmware upgrade is often beneficial to vPro systems and the Symantec Management Platform 7, and this article covers how to deploy firmware updates using Altiris Software Management Solution 7.

Introduction

Software Management Solution can deliver and execute any module or installer made for Windows, including Windows-capable firmware updates.  Both BIOS updates and Intel ME firmware updates that run under Windows, available from HP, Dell, Lenovo, and any other computer manufacturer that supports vPro, can be sent down and executed through Software Management Solution to upgrade firmware.  This document covers how to set up and configure these updates and points out caveats and other potential trouble spots.

Why Update Firmware?

The first thing you need to determine is what type of firmware update you require.  The two typical updates are the Intel Management Engine (ME) firmware and the standard BIOS firmware.  How these two interact depends on the manufacturer; some manufacturers combine the BIOS and ME firmware updates into a single executable.  Whatever the packaging, the updates can be delivered via Symantec’s Software Management Solution.

Examples and Reasons

For example, HP has a BIOS option to enable or disable Intel AMT, and if it is disabled in the BIOS the Intel ME will not be available.  Another example is the Dell Latitude 620 Centrino vPro capable laptop.  Its BIOS contains a setting to enable or disable the Serial Over LAN (SOL) and IDE Redirection (IDER) capabilities, and by default these came from the manufacturer disabled.  This and other reasons for firmware updates are detailed in this list:

  • Dell Latitude 620 SOL/IDER disabled in the BIOS – A BIOS firmware upgrade sets these features to enabled, among other fixes and updates, so that each BIOS does not have to be updated by hand.
  • Upgrading AMT 2.1 to 2.2 – Desktop models with AMT version 2.1 can be upgraded to support Remote Configuration (certificate-based zero-touch provisioning) by upgrading the Intel ME firmware to version 2.2.
  • Upgrading AMT 2.5 to 2.6 – Notebook models with AMT version 2.5 can be upgraded to support Remote Configuration by upgrading the Intel ME firmware to version 2.6.
  • Upgrading AMT 2.0 to 2.1 – Some major fixes were incorporated between versions 2.0 and 2.1 of AMT.
  • UUID reset fix for HP Compaq 6910p – This fixes a flaw in the firmware where the Intel ME sometimes returned a UUID of all zeroes, or a default UUID set in the firmware, causing duplicates.  This update patches the Intel ME firmware on these laptop models.
  • Upgrading Intel AMT 4.0 to 4.1 – On the newer version of AMT for laptops, fixes have been provided in version 4.1, which is available from most manufacturers.
  • Miscellaneous fixes to Intel ME – Other fixes have been incorporated in ME firmware updates.

Obtaining the Right Firmware Update

For all BIOS updates, the manufacturer’s website should be consulted.  For each vPro model you wish to update BIOS firmware with, use the following basic steps:

  1. Go to the Manufacturer’s main site.  For this example, we’ll use Dell.  www.dell.com.
  2. Choose the Support icon and click ‘Download and Drivers’.
    Dellcom.JPG
  3. An applet will appear where you can choose the system through several options:
    1. Model
    2. Service tag
    3. Log in to choose from a list of systems
  4. Once you have the right system listed, there will be a list where you can click the plus + next to ‘BIOS’.
  5. From the provided list choose the applicable update by clicking the ‘Download Now’ link to the right.  The download will usually be in the form of an EXE.

While Intel manages the basic firmware for the Intel ME, the manufacturer packages it for deployment, including changes that may be required for specific models of vPro capable systems.  It is advised that you only use the manufacturer’s Intel ME firmware updates on your vPro systems.  The following walkthrough will hopefully help you identify what updates are available.  For this example we’re using HP’s website.

  1. Go to www.hp.com.
  2. Click on the ‘Support and Drivers’ tab.
  3. Choose the option Download drivers and software (and firmware) for Step 1 and put in the Model number of the vPro system type you wish the update for, in Step 2.
  4. Press Enter to go to the main page for the system.
  5. Though it prompts for what Windows you’re running, the updates are OS independent so choose any.
  6. For the Intel ME firmware updates, the categories differ.  For HP it’s under simply ‘Firmware’.  Other potential categories include:
    1. Firmware
    2. System Firmware
    3. Chipsets
  7. Click Download to the right of the applicable ME update.
    HPfirmware.jpg
  8. Once the EXE is downloaded, move on to the next section.

Rolling out the Firmware Update

Once you’ve obtained the EXE, it’s time to configure a Software Management Solution Software Resource, a Package, the associated command lines, and a task to roll it out with.  It’s important to understand that, depending on how the manufacturer packaged the EXE, the rollout can be accomplished silently without user interaction.  Typically administrators do not want users to interfere with the rollout, or even to be aware of it.  The following walkthrough treats this as the desired result; however, the configuration can be changed as noted where applicable below.

Creating a Software Package/Program

  1. On the Notification Server place the EXE you downloaded for the firmware update into a self-contained folder.  The folder and everything in it will become a “package” for the Software Resource, thus it is recommended to have only the needed file therein.
    Note: You can use another storage location if you prefer, such as a UNC path or URL.  Simply adapt these steps to fit your preferred source method.
  2. In the Symantec Management Console browse under Manage > and choose Software.
  3. In the left-hand tree browse under Software Catalog > Deliverable Software > and select Updates and Service Packs.
  4. In the resulting right-hand pane, click the Add button and choose Software Update.
  5. Above the configuration tabs provide a name for the Update.  In this example we’ll use an HP 6930p laptop firmware update of the Intel ME to version 4.1.1.1028.
  6. Click on the Package tab.
  7. Click the Add package button.
  8. Provide a name for the package and browse to the location referred to in step 1.  The name we’ll use in this example is AMT 4.1 Firmware EXE(Windows) for HP 6930p.  See this screenshot for an example:
    AMT4.1Firmware.jpg
  9. Click OK to save the Package details.
  10. Click on the Add command button.
  11. Provide a Name for the command-line.  For this example we’ll use: Apply AMT 4.1 Firmware Update silently.
  12. Check the option labeled Command line requires a package and ensure that the Package you created previously is selected.
  13. Under Installation file type choose the option labeled EXE Software Installation File.
  14. Change the Command type to Install.
  15. Provide a silent command line in the Command line field (this is the potentially difficult part: the update I tested with had no documentation on silent installs, and I had to tinker to find the -s switch that ran it silently, i.e. “sp42026.exe” -s).
    NOTE: Due to the nature of firmware updates, it is possible the EXE will want to reboot the system.  It is recommended to test the execution and adjust the command-line to suppress the reboot so no user is interrupted in their work.
    See the below screenshot for an example:
    AMT4.1cmdline.jpg
  16. Click Save changes to complete the Software Resource creation.

Creating a rollout Task

The next step is to create a Quick Delivery Task that pushes out the update.  While a Managed Delivery job could be used, reapplying a firmware update may have unintended consequences given the nature of firmware updates, so for this example we’ll use a Quick Delivery Task.  Follow these steps to create the Task:

  1. In the Symantec Management Console browse under Manage > and click Jobs and Tasks.
  2. In the left-hand tree browse down through System Jobs and Tasks > Software > and select Quick Delivery.
  3. Right-click on the Quick Delivery folder > choose New > and click on Job or Task.
  4. Within the resulting window choose Quick Delivery from the left-hand tree.
  5. Provide a name for the task.  In this example we’ll use AMT 4.1 Firmware Update for 6930p Rollout.
  6. Under the Software resource dropdown choose the name of the Software Resource you created.  In this example it is AMT 4.1 Firmware Update for HP 6930p.
    NOTE: The dropdown is also a type field so you can start typing AMT 4.1 to have the selected software found and displayed in the dropdown.
  7. Ensure that the Command line and Package in the two subsequent dropdowns correctly show the Command-line and Package you created.  For our example they are Apply AMT 4.1 Firmware Update silently and AMT 4.1 Firmware EXE(Windows) for HP 6930p respectively.
  8. Click the Advanced button.
  9. Under the Download Options typically what is configured at the Altiris Agent level should be sufficient for your needs.  Click the Run Options tab.
  10. This is your execution environment.  Due to the nature of firmware updates, it is advisable to use the option labeled Altiris Agent credential.
    NOTE: Specific user can be used if you wish to provide an account that has Administrator rights on the target systems directly.
  11. Under User run conditions check the option labeled Allow user interaction.  We have found that this option improves success rate due to loading a fuller user stack.
  12. Change the Display window to Hidden.  See this screenshot for an example:
    AMT4.1Task.jpg
  13. Click OK to save the Advanced options and Click OK on the main Task configuration page to save the details of the Quick Delivery Task.
  14. You can use the Quick Run under the Task Status section to test the rollout.  Please see the section following labeled ‘Test the Rollout’.  It is vital to properly test the rollout so any corrections can be made before rolling it out generally.
  15. Set a schedule.  You can choose Now or set a specific scheduled time if needed.
  16. For the next step under Input you’ll need to manually add devices for this firmware update to be run on or select a target.  Step 17 covers how to create a target for the example we’re using in this sequence.  If you are only adding machines manually step 17 is not required.  Move to step 19.
  17. To create a target based off of Inventory Solution data that automatically targets the HP Compaq 6930p laptops, follow these steps:
    1. In the Symantec Management Console browse under Manage > and click on Filters.
    2. Browse under Computer Filters and select or create a folder to create the filter in.
    3. Right-click on the folder and choose New > Filter.
    4. Name the Filter.  In our example we’ll use All HP 6930p Laptop Computers.
    5. Under the Filter Definition dropdown choose the option Query Mode: Query Builder.  You’ll receive a notice: You are about to switch to the other query editing mode.  This cannot be undone after save.  Click OK to continue.
    6. Expand the Filter Definition section by clicking on the down-arrow to the far right.
    7. Under the query section, select the tree item ‘Resource’ and click the red X delete icon.
    8. When the page refreshes on the right you’ll see a Base Resource Type.  Choose Computer.  When prompted, choose to continue.
    9. Under the actions section to the right, click the link labeled Use Fields & Data Class Attributes.
    10. In the resulting picker type in or choose from the dropdown the data class and column you wish to reference.  For our example choose [Logical Device].[Model] and click OK.
    11. Click the Filter Expressions tab.
    12. Click the Add Condition button and choose one of the options (for a first filter it doesn’t matter).
    13. Type the same data class and column selected previously.  In our example type [Logical into the If: field and then select [Logical Device].[Model] from the dropdown.
    14. Choose Like in the next dropdown to the right (or if you know the exact value you’re looking for, use Equals).
    15. In the last field type the model number.  In our example type %6930p%.  See this screenshot for an example:
      AMT4.1Filter.jpg
    16. Click the Save Changes to complete the Filter.
  18. To add the Filter to the schedule, go through the following steps:
    1. Under the Task Status click the button New Schedule
    2. Set the schedule as desired.
    3. Under Input click Add and choose Target.
    4. Click the Add rule button in the resulting window.
    5. In the first dropdown choose the option labeled exclude the resources not in.
    6. Leave Filter as the option in the second dropdown.
    7. In the third dropdown type in the first words of the filter you created in the previous step.  In our example type All HP and click the dropdown arrow.  Select the appropriate collection from the list.
    8. Click OK to save the Target.
  19. Click Schedule to apply the Task to the selected systems.
  20. Done!  This Task type will use Task Server to push out the task.  For systems already online they should receive the task within minutes based off of being active on the network.  For systems not on, the next time they come online and check for Tasks, Task Server will push out the Task at that time.

Test the Rollout

The most important part of this process is to test the rollout.  This will allow you to make corrections to the command line or execution environment should the first attempt fail.  By testing the rollout you can ensure it is ready for the greater environment.  In testing, you should:

  1. Target a system that matches your Production Environment as closely as possible
  2. Test the command-line to ensure it successfully and silently rolls out the firmware update.  You can accomplish this by copying the files over and running the command line manually from a command prompt or from Start > Run.
  3. Check the BIOS or Intel AMT for versioning change.
    Note: the ME version may not be synched with the AMT version.  A good test is to try executing the update again manually to see if you receive a message indicating the version is already up to the latest version.
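The manual test in steps 2 and 3 is easier to repeat, and easier to carry into the Quick Delivery Task, if the run is scripted. The following PowerShell is an added example (not from the original post, the vendor package, or Symantec): it records the BIOS version WMI reports, runs the update executable with the silent switch found in the command-line step, and logs the exit code and duration. The path is a placeholder and the -s switch is the HP example used earlier; whether a given EXE returns a meaningful exit code or forces a reboot is vendor-specific, so treat the logged values as data to confirm against the vendor’s notes, not as a pass/fail verdict.

```powershell
# Added example, not part of the original post or of the vendor package.
# Run on the test system as an administrator, with the package copied locally
# first (step 2 above). Path and switch are placeholders taken from the HP example.

function Get-BiosVersion {
    # SMBIOS version string reported by the running firmware. It only changes
    # after the post-update reboot, so record it before and after.
    $bios = Get-WmiObject -Class Win32_BIOS
    return $bios.SMBIOSBIOSVersion
}

function Invoke-FirmwareUpdateTest {
    param(
        [string]$UpdatePath = 'C:\FirmwareTest\sp42026.exe',       # placeholder path
        [string]$Arguments  = '-s',                                # silent switch found for that package
        [string]$LogPath    = 'C:\FirmwareTest\firmware-test.log'  # placeholder path
    )
    if (-not (Test-Path $UpdatePath)) { throw "Update package not found: $UpdatePath" }

    $before  = Get-BiosVersion
    $started = Get-Date
    # -Wait blocks until the installer exits; -PassThru returns the process object
    # so the exit code can be logged. If the EXE reboots on its own, control never
    # returns here, which is the signal to look for the vendor's no-reboot switch.
    $proc    = Start-Process -FilePath $UpdatePath -ArgumentList $Arguments -Wait -PassThru
    $seconds = [int]((Get-Date) - $started).TotalSeconds

    $record = New-Object PSObject -Property @{
        CommandLine  = "`"$UpdatePath`" $Arguments"   # the exact string to carry into the Task
        ExitCode     = $proc.ExitCode
        BiosBefore   = $before
        BiosAfterRun = Get-BiosVersion                # identical to BiosBefore until reboot
        Seconds      = $seconds
    }
    $line = "$(Get-Date -Format s) exit=$($record.ExitCode) bios=$($record.BiosBefore) seconds=$($record.Seconds) cmd=$($record.CommandLine)"
    Add-Content -Path $LogPath -Value $line
    return $record
}

# Usage: run once, reboot, then call Get-BiosVersion again and compare it with BiosBefore.
$result = Invoke-FirmwareUpdateTest
$result | Format-List CommandLine, ExitCode, BiosBefore, BiosAfterRun, Seconds
```

Win32_BIOS only exposes the BIOS version; the Intel ME version is not visible there and still has to be checked the way the note above describes, including the second manual run to see whether the package reports the firmware as already current.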

Conclusion

Using this process, you should be able to remotely update any firmware required for successful use of Intel vPro Systems both with Setup and Configuration using Out of Band Management, and vPro functionality use within any Job and Task in the Symantec Management Platform.

What are the Best Practices for configuring or provisioning Intel vPro capable systems within the Symantec Management Platform 7.0 ?  More specifically how can I use Out of Band Management 7.0 to reliably enable my vPro systems for use within the infrastructure?

Those who understand vPro technology and the Altiris/Symantec implementation will recognize that there are multiple ways to configure AMT systems.  Not all methods are created equal, and experience has revealed which ways are best.  Using this article you can avoid many of the pitfalls and difficulties surrounding such a secure and robust architecture.

Introduction

With different options available for configuring an Intel vPro system, this document is a must.  Since so many components tie into the vPro supported architecture sometimes results will vary.  Some methods have revealed inherent problems in how the Altiris Infrastructure handles a computer resource’s identity.  To avoid any potential issues, this method has proven to be the most reliable.  Keep in mind that as newer versions of AMT, vPro, Intel SCS, and Out of Band Management are released, these details may change.  Symantec is working to resolve configuration issues to allow more reliable choices for configuring the vPro enabled systems.

Infrastructure Items

The best methods for setting up the infrastructure are provided here.  The manual configuration method is not covered as it’s a manual pain and alphanumeric nightmare.  The first segment covers the universal ProvisionServer DNS record required for the hands-off approach in AMT versions 2 through 5.  Two other infrastructure components are covered next, so that all necessary infrastructure items are in place for the steps covered later.

DNS Configuration

Everyone loves automatic procedures that don’t require the eyes and hands of an overworked IT Professional to complete.  The DNS configuration is essential to achieving the no-touch, hands-off automated approach available with AMT provisioning.  The following steps show how to set this up:

  1. Launch DNS Management.
  2. Expand the Forward Look-up Zones tree.
  3. Right-click on the Domain that will be used for Provisioning and choose to create a CNAME record.
  4. In the Alias field type in: ProvisionServer
  5. In the Fully Qualified Domain Name field put the full name of the Notification Server (e.g., MyServer.mydomain.com).

Now that this Alias is created, when the AMT systems send out the ‘hello’ message targeting the name ‘ProvisionServer’, DNS will properly route that message to the Notification Server/Intel SCS Provisioning Server.  To test that this is working properly, follow this procedure:

  1. In the Symantec Management Console, browse under Home > Remote Management > and click Out of Band Management.
  2. In the left-hand pane, browse under Configuration > Configure Service Settings > and select DNS Configuration.
  3. In the right-hand pane click the ‘Test’ button found about halfway down the text of the page.
  4. Under the Resolved “ProvisionServer” IP:, you should see the IP address of your Notification Server.  If it fails, the NS cannot resolve the name “ProvisionServer” on the network.  See this screenshot for an example:
    DNSConfig.jpg
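As an added example that is not part of the original article, the following PowerShell script performs the same two steps from the command line of the DNS server: it creates the ProvisionServer alias with dnscmd and then resolves the alias and compares the result with the Notification Server’s address.  The zone name mydomain.com, the DNS server name dns01.mydomain.com and the Notification Server name MyServer.mydomain.com are assumed placeholders; substitute your own.

```powershell
# Added example, not from the original article. Assumed placeholders:
$Zone      = "mydomain.com"             # forward lookup zone the vPro clients live in
$DnsServer = "dns01.mydomain.com"       # DNS server holding that zone
$NsFqdn    = "MyServer.mydomain.com"    # Notification Server / Intel SCS Provisioning Server

# 1. Create the alias (same record as the CNAME created in DNS Management).
dnscmd $DnsServer /RecordAdd $Zone ProvisionServer CNAME $NsFqdn
if ($LASTEXITCODE -ne 0) { throw "dnscmd failed to add the CNAME (exit code $LASTEXITCODE)" }

# Resolve a name to its IPv4/IPv6 addresses, returning an empty list on failure.
function Resolve-Addresses([string]$Name) {
    try {
        [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    } catch {
        @()
    }
}

# 2. Resolve the alias the way the console's Test button does and compare with the NS address.
$expected = @(Resolve-Addresses $NsFqdn)
$resolved = @(Resolve-Addresses "ProvisionServer.$Zone")
$matching = $resolved | Where-Object { $expected -contains $_ }

if ($matching) {
    Write-Host "OK: ProvisionServer.$Zone resolves to the Notification Server ($($resolved -join ', '))"
} else {
    Write-Host "FAIL: ProvisionServer.$Zone resolved to '$($resolved -join ', ')', expected '$($expected -join ', ')'"
}
```

Run it in an elevated session on a machine that has the DNS server tools installed, and run the resolution check from the Notification Server itself to mirror the console’s Test button.  The firmware builds the name it looks up from the DNS suffix the client receives through DHCP (option 15), so the alias has to exist in every zone that vPro clients are placed in; if a client subnet never sends a ‘hello’ even though the test passes on the server, compare that subnet’s DHCP domain name option with the zone where the record was created.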

General Items – Remote Configuration

Note that the Remote Configuration option is not available on all versions of AMT.  As of the creation of the document, versions 2.2, 2.6, 3.0, 3.1, 4.0, 5.0 support Remote Configuration.  All AMT Systems with these versions have pre-configured certificates loaded into the firmware.  Examples are GoDaddy, VeriSign, and Comodo (others may be provided; please check Intel or the computer manufacturer’s documentation for a full list).  The systems come from the manufacturer already prepared to find the Provisioning Server and initiate the Configuration process.

The following infrastructure items need to be in place for Remote Configuration:

  1. Obtain a valid certificate from the appropriate vendor (GoDaddy, VeriSign, Comodo, etc.).
  2. Install the certificate on the Notification Server and register it with the Provision Server.  Details on how to do this are best covered in the following article.  This details not only the best practices but also how to troubleshoot issues with the remote configuration certificate application:

https://www-secure.symantec.com/connect/articles/remote-configuration-certificate-application-best-practices-intel-vpro-systems

  3. Enable the CNAME option for ProvisionServer as detailed previously if this has not been completed yet.  This is essential to make the Remote Configuration process seamless and hands free.
  4. Enable Resource Synchronization.  Use these steps to complete it:
    1. In the Symantec Management Console browse under Home > Remote Management > Out of Band Management.
    2. In the left-hand tree browse under Configuration > Intel AMT Systems > and select Resource Synchronization.
    3. On the title bar to the right click the button next to ‘Off’ and select ‘On’.
    4. Make sure the option ‘Use DNS IP resolution to find FQDN when assigning profiles’ is NOT checked.
      NOTE: This option should only be used in environments where DNS is reliable for obtaining a system’s identity.  Since DNS usually isn’t, this option is strongly discouraged.
    5. Set an appropriate schedule (do not run this too often as it does take time to process).
    6. Click Save changes if any options needed to be changed, especially to turn the policy on.
  5. For the steps on how to proceed with Configuration for these systems please see the subsequent section in this article labeled Discovering and Configuring new vPro systems: Remote Configuration.

General Items – One-Touch to No-Touch PSK Provisioning

This option is available for all AMT versions 2.0 and beyond.  The one-touch option requires security keys to be generated within the Symantec Management Console and configured on the target systems using One-Touch provisioning.  The manufacturers offer a service to have pre-configured keys already setup on purchased vPro target systems.  This allows a no-touch provisioning method using the PSK (pre-shared keys) model.

The following infrastructure items need to be in place for PSK Configuration.  The first half of the steps is for no-touch PSK provisioning:

  1. Please see steps 3 and 4 in the Remote Configuration section above as they, too, apply to PSK Configuring.
  2. Have the Manufacturer pre-configure all purchased systems to already have the PID and PPS (TLS-PSK) configured (this is optional but is required for a no-touch configuration model).
  3. The manufacturer will provide the keys in a file to be imported into the Notification Server.  NOTE: it is recommended to have the file broken down into smaller parts if exceeding 1000 key pairs, or systems to be configured.  This allows an easier time importing those keys.  For version 7 there are no known limitations on the number of key-pairs unlike the 6.x versions.
  4. Import the file using these steps:
    1. In the Symantec Management Console browse under Home > Remote Management > Out Of Band Management.
    2. In the left-hand tree browse under Configuration > Configuration Service Settings > and select Security Keys.
    3. Click the ‘Import security keys’ icon (blue arrow pointing down-right on blank paper).
    4. Click the browse button and browse to the location you’ve stored the key-file provided by the manufacturer.
    5. Click Import.
    6. Ensure that the appropriate keys appear in the key list after the screen refreshes.
  5. If you are using the one-touch method, use the icon labeled ‘Generate’ to create a series of keys (it is recommended to keep the number of keys to 1000 per USB flash drive to improve performance when out configuring systems).  Click OK when done configuring the keys to generate.  See this screenshot for an example:
    GenerateKeys.jpg
  6. Highlight a group of keys (1000 max recommended) and use the export button.  This will allow the keys to be put into a Setup.bin file.  The USB key will be used later as part of the configuration process. Place this file on a USB flash drive with the following configuration:
    • FAT 16 File System
    • Setup.bin needs to be the first file on the drive
  7. Enable the CNAME option for ProvisionServer as detailed previously if this has not been completed yet.
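As an added example that is not part of the original article, this PowerShell script prepares the flash drive described in step 6 above: it quick-formats the drive as FAT (FAT16) through the Win32_Volume WMI class, copies Setup.bin onto the empty drive so that it becomes the first directory entry, and then checks both conditions.  The drive letter E: and the path C:\Keys\Setup.bin are assumed placeholders.

```powershell
# Added example, not from the original article. Assumed placeholders:
$Drive    = "E:"                  # the USB flash drive
$SetupBin = "C:\Keys\Setup.bin"   # file exported from Security Keys in the console

# 1. Quick-format the drive as FAT (FAT16) with the Win32_Volume Format method.
#    Formatting empties the directory, so the first file copied afterwards is the
#    first directory entry, which is what the firmware expects for Setup.bin.
$volume = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$Drive'"
if (-not $volume) { throw "No volume mounted at $Drive" }
# Arguments: FileSystem, QuickFormat, ClusterSize (0 = default), Label, EnableCompression
$result = $volume.Format("FAT", $true, 0, "AMTKEYS", $false)
if ($result.ReturnValue -ne 0) { throw "Format of $Drive failed with return code $($result.ReturnValue)" }

# 2. Copy Setup.bin before anything else is written to the drive.
Copy-Item -Path $SetupBin -Destination "$Drive\Setup.bin"

# 3. Verify: the file system is FAT and Setup.bin is the only entry on the drive.
$volume  = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$Drive'"
$entries = @(Get-ChildItem -Path "$Drive\" -Force)
if ($volume.FileSystem -eq "FAT" -and $entries.Count -eq 1 -and $entries[0].Name -eq "Setup.bin") {
    Write-Host "OK: $Drive is $($volume.FileSystem) and Setup.bin is the first and only file"
} else {
    $names = ($entries | ForEach-Object { $_.Name }) -join ", "
    Write-Host "FAIL: file system '$($volume.FileSystem)', entries: $names"
}
```

Win32_Volume is present on Windows Server 2003 and later (not on Windows XP), so run this with elevation from the server or an administrator’s workstation.  Setup.bin carries the PID/PPS pairs the Notification Server will accept, so keep a record of which key range is on which drive and delete the file from the drive once its systems have been configured, as you would with any other credential material.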

Discovering and Configuring new vPro systems

Now that the Infrastructure items are in place, the process for configuring Intel AMT vPro capable systems needs to be defined.

The Altiris Agent

The key sequence in the configuration process actually doesn’t directly involve the AMT provisioning piece.  The Altiris Agent should be installed on the client system before the system is discovered to the core NS through other discovery processes, due to issues with resource integration between discovery methods.  If you plan to manage the system with the Altiris Agent, it needs to be installed first.  The steps for this are covered in each methodology.

NOTE: Due to the requirement of having the right computer identity at the time of Configuration, this step is considered crucial to a successful Configuration process for vPro systems.  The Altiris Agent will provide all the proper identification items (Fully Qualified Domain Name, or FQDN, and the UUID).

Remote Configuration

The following steps show how to configure the system in Remote Configuration mode.  Note that the steps are written to show the proper sequence, though some of the items may already have been completed before their position in the list:

  1. Install the Altiris Agent on the target computer.  This can be done with a push or a pull.

PUSH

  1. For the push method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent. 
  2. You can individually enter in the computer names or IP addresses of the target systems, or you can use the blue lettered link ‘Discover Computers’ to discover the systems automatically on the network. 
  3. Once systems are selected, click the ‘Install Altiris Agent’ button below the list.
  4. Provide the required details to install the Altiris Agent to the target systems (including the correct Admin account, install path, etc…).
  5. An alternate method is to use the ‘Schedule Push to Computers’ option after you have discovered the machines using the discover computers option to schedule the push for another time.
  6. To set the proper settings for the scheduled push click the button ‘Installation Settings’ and set the options as required.

PULL

  1. For the pull method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
  2. Under ‘URL of download page’ a link is provided.
  3. On the target system, pull up a webpage and paste in the URL obtained from step #2.  This link can also be sent out via Email, or posted on a Web Page for users to access.

  2. Verify that the Altiris Agent has successfully sent Basic Inventory and obtained a Configuration from the Notification Server.  Right-click on the Altiris Agent icon and choose ‘Altiris Agent Settings’.  As long as valid dates are under the following headings, the system is prepared for synchronization:
    1. Configuration
      i. Requested
      ii. Changed
    2. Basic Inventory
      i. Sent
  3. Make sure that, after the initial Basic Inventory is sent, the Configuration is requested again, as the Notification Server will have populated the computer into collections based on the Basic Inventory it received.
  4. Run an Out of Band Discovery on the target system.  This will be an automatic step after the Altiris Agent is installed, yet it needs to be set up initially.  Use the following steps to set it up:
    1. In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
    2. In the left-hand tree browse under Out of Band Agent Install > and select Out of Band Discovery.  See this screenshot for an example of the Task:
      OOBDiscovery.jpg
    3. To the right of the title bar there’s an On Off switch.  Click the red-colored light and change it to On.
    4. By default this is set to only ever run once.  This is sufficient when systems will only ever be provisioned once.  One fail-safe is to set this to a recurring schedule so we have up-to-date information on a system if needed.
    5. The current collection is usually sufficient, but if systems are not getting the Out of Band Discovery job, try adding a more general collection such as All Windows Computers.
  5. Setup and Configuration will occur automatically.  The above items may occur after the initial “hello” packet is sent from a system, since systems already come configured to use Remote Configuration, but without the Altiris Agent, Intel SCS will be unable to provision until the Altiris Agent has been installed and Out of Band Discovery has run.
  6. The Configuration will occur from this point, yet if you want your system to show up in the vPro or AMT specific collections, next manually launch the Resource Synchronization.  As we’ve already touched this policy it should be set up to run automatically, but to run it now follow these steps:
    1. In the Symantec Management Console browse under Home > Remote Management > and select Out of Band Management.
    2. In the left-hand tree browse under Configuration > Intel AMT Systems > and select Resource Synchronization.
    3. Under the ‘Last synchronization statistics’ section, click the ‘Run now’ button to force the synchronization.
  7. When synchronization completes, the system will show up in the Out of Band and AMT specific collections (Note, this is not required to use vPro functions but only affects what collections the systems show up in).

The following diagram represents the basic steps used for this method of configuration:

RemoteConfigDiagBP.JPG

PSK Provisioning

Depending on the method, the following steps will show the best way to configure the system with One-Touch or PSK mode:

  1. Install the Altiris Agent on the target computer.  This can be done with a push or a pull.

PUSH

  a. For the push method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
  b. You can individually enter in the computer names or IP addresses of the target systems, or you can use the blue lettered link ‘Discover Computers’ to discover the systems automatically on the network.
  c. Once systems are selected, click the ‘Install Altiris Agent’ button below the list.
  d. Provide the required details to install the Altiris Agent to the target systems (including the correct Admin account, install path, etc…).
  e. An alternate method is to use the ‘Schedule Push to Computers’ option after you have discovered the machines using the discover computers option to schedule the push for another time.
  f. To set the proper settings for the scheduled push click the button ‘Installation Settings’ and set the options as required.

PULL

  a. For the pull method, browse in the Symantec Management Console under Actions > Agents/Plug-ins > and select Push Altiris Agent.
  b. Under ‘URL of download page’ a link is provided.
  c. On the target system, pull up a webpage and paste in the URL obtained from step b.  This link can also be sent out via Email, or posted on a Web Page for users to access.

  2. Verify that the Altiris Agent has successfully sent Basic Inventory and obtained a Configuration from the Notification Server.  Right-click on the Altiris Agent icon and choose ‘Altiris Agent Settings’.  As long as valid dates are under the following headings, the system is prepared for synchronization:
    1. Configuration
      i. Requested
      ii. Changed
    2. Basic Inventory
      i. Sent
  3. Make sure that, after the initial Basic Inventory is sent, the Configuration is requested again, as the Notification Server will have populated the computer into collections based on the Basic Inventory it received.
  4. Run an Out of Band Discovery on the target system.  This will be an automatic step after the Altiris Agent is installed, yet it needs to be set up initially.  Use the following steps to set it up:
    1. In the Symantec Management Console browse under Home > Remote Management > and click on Out of Band Management.
    2. In the left-hand tree browse under Out of Band Agent Install > and select Out of Band Discovery.  See this screenshot for an example of the Task:
      OOBDiscovery.jpg
    3. To the right of the title bar there’s an On Off switch.  Click the red-colored light and change it to On.
    4. By default this is set to only ever run once.  This is sufficient when systems will only ever be provisioned once.  One fail-safe is to set this to a recurring schedule so we have up-to-date information on a system if needed.
    5. The current collection is usually sufficient, but if systems are not getting the Out of Band Discovery job, try adding a more general collection such as All Windows Computers.
  5. If using USB One-touch, insert the prepared USB flash drive into a USB slot on the vPro system.  Reboot or turn on the system.  A prompt will appear asking if the machine should be configured.  Follow the prompts until it requests that the USB drive be removed and the system rebooted.  The system is now ready and will be sending out ‘hello’ messages.
  6. If the systems are preconfigured, Configuration will occur automatically.  The above items may occur after the initial “hello” packet is sent from a system, since systems already come configured to use Remote Configuration, but without the Altiris Agent, Intel SCS will be unable to provision until the Altiris Agent has been installed and Out of Band Discovery has run.
  7. Next manually launch the Synchronization (note that this step will occur per the default schedule at 2AM the following day).  In the Altiris Console browse to View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > and select Resource Synchronization.  Under the ‘Last synchronization statistics’ section, click the ‘Run now’ button to force the synchronization.
  8. When synchronization completes, the system will now show up in the OOB and AMT collections.

The following diagram represents the basic steps used for this method of configuration:

OneTouchDiagBP.JPG

Conclusion

Implementing a process that adheres to the above guidelines, with the right infrastructure pieces in place and properly configured, will take the complexity out of setting up and configuring vPro enabled systems.  This document was based on the 6.x Best Practices document, with changes for the new 7.0 version and additional clarification or steps to improve success.

The release of the Notification Server 7.0 platform will provide a new design and infrastructure.  Out of Band Management will also provide a new release with this platform.  First I’ll provide a brief description of what Out of Band Management is used for.  This article will also cover the differences between the 6.2 version of Out of Band and version 7.0.  The changes include UI improvements, relabeling to be in line with current Intel terms, and the addition of limited Dash support.

INTRODUCTION

Out of Band Management 7.0 allows an administrator or IT Professional to setup and configure several protocol technologies for use in the greater Notification Server infrastructure, or even any other solution that supports the protocols handled by Out of Band Management.  The supported technologies are:

  • Intel AMT (Active Management Technology) or vPro
  • ASF (Alerts Standard Format) primarily from Broadcom
  • DASH technology support (open architecture)

The greater focus is on Intel’s AMT technology.  Using the provided configuration pieces with Out of Band, systems with the above technologies can be configured to respond to functions called from either the RTSM interface or via Task Server.  Once configured, the Notification Server is a trusted entity to the local systems and all available functions are available.

More information can be found by browsing through the articles generated on Out of Band Management 6.x at http://www.symantec.com/community/intel.

Terms/Term changes

It’s important to understand the changes in terminology and labeling so the transition from 6.2 to 7.0 Out of Band Management goes smoothly.  This section will also help explain the naming scheme for Out of Band Management.  The following list provides the term, and the previous label (if different), and a brief description:

  1. Configuration, AKA Setup and Configuration – Previous term: Provisioning – Intel has standardized on using Configuration as the term for activating a vPro system.  This more aligns with what is occurring and avoids confusion with basic industry understanding of what provisioning means (putting an OS on the system). 
    NOTE: Since this word is used throughout documentation for 6.x it is important to understand the change!
  2. TLS – Transport Layer Security can be considered the next generation of SSL (Secure Sockets Layer).  It’s used in 2 sections of Configuration: Remote Configuration authentication, and TLS within the Configuration Profile.
  3. Remote Configuration – This specifically means the process for automatic Configuration via the handshake with a TLS certificate, usually purchased from Verisign, GoDaddy, Comodo.

Out of Band Portal

Out of Band Management now has a Portal page that provides access to most functions from a user-friendly UI.  It’s accessed in the Symantec Management Console by going to Home > Remote Management > and clicking on Out of Band Management.  The following screenshot shows a view of the portal:

OOBPortal.jpg

The upper left-hand pane shows a list of setting groups that will enable a user to go through those steps necessary to enable or complete Out of Band setup and configurations.  Please note the following items and what they can be used for:

  • Configuration Service Settings – This provides all the nodes that are used in the Setup and Configuration process for AMT.
  • Basic Configuration (without TLS) – This takes you through the process of setting up Configuration where TLS will not be used in the Configuration Profile (not to be confused with Remote Configuration TLS).  See this screenshot for the way the steps are setup:
    AMTConfigSteps.jpg
  • Enable Remote Configuration – This walks you through setting up the Notification Server to accept Configuration requests using TLS certificates.  Note that 2.6, 3.0+ AMT systems are automatically configured to send out requests using this method.
  • Enable Security (TLS) – This walks you through setting up the Notification Server to use TLS when managing AMT systems.
  • Intel AMT Tasks – This is a quick area that reveals the Task Server tasks that directly utilize AMT.
  • Configure Site Server – This is a link that opens the Site Server Configuration page as part of the Notification Server Platform.  This is available here because OOB has a Site Service that can be deployed to Site Servers.

As a note, Site Servers allow distribution of Out of Band functions across the environment, and help alleviate problems with large rollouts involving a large amount of Configuration.  This brings us closer to having true hierarchy support with Out of Band Management.

UI Changes

Those who are familiar with Out of Band Management 6.2 can use this section to find corresponding functions, configuration pages, and utilities when upgrading to Out of Band 7.0.  If you are unfamiliar with this version skip to the next section.

Out of Band Management looks much the same as it did in 6.2, with some notable exceptions.  The following items cover the differences between the two.  The method used to reach the console area for Out of Band Management is as follows: Browse down through Settings > All Settings > in the left-hand tree browse down through Remote Management > Out of Band Management.  The three subfolders are by the same name as they were in 6.2, lacking the fourth folder: Delayed Provisioning.

  1. *Provisioning > Configuration – I called this out previously in this article but with my experience the double-exposure is necessary.  In reference to managing vPro AMT systems, consider the previously used term Provisioning to now be Configuring, or Provision to now be Configuration.  If you’re like me and have the word provisioning ingrained in your mind, it will take some getting used to.
  2. Auxiliary Profiles – Three new nodes have been added to this folder.  They are described below:
    1. Management Presence Server – (MPS) This is the secure gateway CIRA technology will use to connect securely with the network where the NS resides for remote management from anywhere on the Internet.
    2. Remote Access Policies – In relation to the above MPS, this policy dictates how CIRA connections are handled by the Notification Server.
    3. Trusted Root Certificates – Also in relation to MPS, these are required so that trust can be established between the calling AMT system, the MPS, and the Notification Server.
  3. Configuration Profiles – Formerly known as Provision Profiles.  The following items have been added as tabs within the profile configuration.  Descriptions of the items are supplied as well:
    1. Domains – Allows the ability to configure AMT to operate in more than one Domain.
    2. Remote Access – This ties directly to the Remote Access Policies found under the Auxiliary Profiles node.  Edits here will take effect in both places.
  4. The remaining nodes under the Configuration Service Settings folder are the same between versions 6.2 and 7.0.
  5. Delayed Setup and Configuration – Formerly known as Delayed Provisioning, this has been renamed to fit the proper naming convention.  It also no longer has its own folder, but can be found under the Intel® AMT Systems folder above the Intel AMT Systems node.
  6. The following screenshot shows the layout of the console:
    ConfigConsole.jpg

Intel SCS

The component that Out of Band Management plugs into has not changed between versions.  Intel SCS (Setup and Configuration Services) is still the backbone of Out of Band, and handles all the transactions between the server and the remote Intel AMT clients during the Configuration process.  Please note that management functions of AMT are NOT handled by Intel SCS.  SCS stands for only the Configuration process, including maintenance and reconfiguration tasks (for example for profile updates) as part of maintaining the configured state.

Out of Band Management 6.2 used Intel SCS version 3.0 (or 3.2.1 per the Knowledgebase article found at this location: https://kb.altiris.com/article.asp?article=40076&p=1).  Intel SCS version 5.0 ships with Out of Band Management.  While the UI does not reveal all the additional capabilities, SCS 5.0 comes with a tool called Activator.  This utility can handle a number of scenarios that were sticky points in the previous versions of Out of Band and Intel SCS.  The abilities include the following:

  1. FQDN Name Change – The Activator, when run on the local AMT system, can tell AMT to send updated information to Intel SCS on its FQDN.  This is especially important if the FQDN has changed in Windows, thus changing the identity of the machine.
    • The problems associated with this are the failure of AMT systems to authenticate using TLS due to FQDN sensitivity if enabled, and also the inability of Intel SCS to contact back a system whose FQDN has changed.
  2. Resending of Hello Packets – While the 3.0 version of Out of Band had the ability to send Hello packets using the Delayed Provisioning (AKA Delayed Configuration) task, it did not have the ability to send PSK (pre-shared keys) packets if the 24-hour cycle of the hello packet sequence expires.  This functionality was also added to version 3.2.1 of Intel SCS.
    • The problem associated with this is that systems not configured within that 24-hour cycle need to be acted upon to get the needed information to the server for configuration.

The above two functions can be utilized by sending Activator down using a Delivery Software job in the Software Management Solution.

Conclusion

Hopefully this introduction will help those familiar with Intel vPro, and especially familiar with Out of Band Management in the Notification Server 6.0 infrastructure, to understand the changes and functions in version 7.0 of Out of Band Management.  In depth articles will be generated in the future to cover some of the new features such as the MPS and CIRA functionality.

Whether you are planning to implement a Vendor TLS Certificate in the future, or you are having trouble applying a certificate you've already obtained, this article walks through the best practices. The details include all the steps to properly install the right items and resolve issues we've encountered up until this point. This article applies to Out of Band Management Solution 6.2. Since certificates introduce tight encryption security, if the right items and steps are not in place or followed, it can break the ability of AMT systems to provision with Remote Configuration.

Introduction

Using Remote Configuration to Provision your Intel AMT vPro capable computers takes the work out of the process. All 2.6, 3.0+ AMT systems come preconfigured to automatically use Remote Configuration to provision with a valid Provisioning Server. The hashes from vendors (AMT 3.0 includes Verisign, GoDaddy, Comodo) are already configured in the firmware, and upon connection to power and the network, the systems will begin to send out requests for provisioning. Thus the managed vPro systems are already prepared to be provisioned without any intervention by the IT staff.

The issues we see then arise from the server-side application of a certificate that matches the hashes already loaded. Obtaining and installing a vendor TLS Remote Configuration certificate needs to be done the right way so that authentication can succeed. Once in place, provisioning will roll forward without any further intervention. This article focuses on applying the server-side certificate so that provisioning can move forward automatically.

Obtaining a Remote Configuration Certificate

This subject has been covered previously. I wanted to lightly touch upon this as there is a vital step that should be taken so that if anything goes wrong we can correct it. First, the following article covers how to properly obtain a certificate:

Note that part of obtaining a Remote Configuration certificate is submitting the request from the server you plan to install the certificate on. This process creates the private key for the server-side certificate, and this piece will not be available until partway through the application of the crt (or cer) file obtained from the vendor. The specific step that provides the full key, both private and public, is the export to PFX format after the initial import; checking the option to export the private key gives you a complete backup of the full certificate. If something happens, or if the application didn't go right, we'll need both, so it's essential to export this as soon as possible.

During the steps to install the certificate emphasis will be given on the step where the export should take place.
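As an added example that is not part of the original article, the following PowerShell script does with certutil what steps 13 through 18 of the list below do in the MMC: it imports the vendor’s crt file into the Current User Personal store, confirms that the private key created with the request is attached to the certificate, and exports the pair to a password-protected PFX file, which is the backup described above. The file paths C:\Certs\vendor.crt and C:\Certs\RemoteConfigBackup.pfx are assumed placeholders, and the certutil -repairstore fallback is a general Windows step rather than something the article describes.

```powershell
# Added example, not from the original article. Assumed placeholders:
$CertFile = "C:\Certs\vendor.crt"               # certificate file from the vendor
$PfxFile  = "C:\Certs\RemoteConfigBackup.pfx"   # backup of certificate plus private key
$PfxPass  = Read-Host "Password to protect the PFX backup"

# 1. Import the vendor certificate into the Current User Personal ("My") store.
#    Because the request was generated on this server, Windows links the certificate
#    to the private key that was created with that request.
certutil -user -addstore My $CertFile
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed (exit code $LASTEXITCODE)" }

# 2. Locate the imported certificate by thumbprint and confirm the private key is attached.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$store.Open("ReadOnly")
$installed = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$store.Close()
if (-not $installed) { throw "Certificate $($cert.Thumbprint) not found in the Current User Personal store" }
if (-not $installed.HasPrivateKey) {
    # Generic Windows fallback (assumption): re-link the certificate to the key of the
    # pending request that was generated on this server.
    certutil -user -repairstore My $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "No private key for this certificate on this server; the request must be made here" }
}

# 3. Export certificate and private key to PFX (the vital backup step).
certutil -user -p $PfxPass -exportPFX My $cert.Thumbprint $PfxFile
if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed (exit code $LASTEXITCODE)" }

# 4. Verify that the backup actually carries the private key before relying on it.
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$backup = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxFile, $PfxPass, $flags)
if ($backup.HasPrivateKey) {
    Write-Host "OK: $PfxFile holds certificate $($backup.Thumbprint) and its private key"
} else {
    throw "$PfxFile has no private key; redo the export with the private key option"
}
```

Run it as the user who submitted the certificate request, since that is the profile whose key store holds the private key. The PFX now contains the private key that AMT systems will trust for Remote Configuration, so store the file and its password with the same care as the server’s other key material, separately from the server itself.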

 

 

 

 

Installing the Certificate

I've condensed the steps required into the following list. This process works for all vendors once you've obtained a certificate. Note that these steps are provided to consolidate both recommended steps and documentation into one whole.

  1. Go to Start > Run > type mmc > and click OK.

  2. In the resulting console click under File and choose Add/Remove Snap-in...

  3. Near the bottom of the resulting window click the Add button.

  4. From the list that appears select Certificates and then click the Add button.

  5. Leave the radio button selected on ‘My user account' and click Finish.

  6. From the same list select Certificates again and click the Add button.

  7. From the resulting window change the radio selection to ‘Computer account' and click Next.

  8. Leave the selection at ‘Local computer: (the computer this console is running on)' and click Finish.

  9. Click the Close button in the window offering you the list of available snap-ins.

  10. At the original add/remove snap-in screen verify that you have two entries:

    1. Certificates - Current User

    2. Certificates (Local Computer)

  11. Click OK.

  12. Expand both trees in the left-hand pane within the console. You should see the full certificate stores.

  13. Right-click on the Personal folder under the Current User certificate store and highlight ‘All Tasks' and click on ‘Import' in the pop-out menu.

  14. Click Next on the Welcome page of the Certificate Import Wizard and click the Browse button.

  15. Browse to the cer or crt file provided by the vendor, highlight it, and click Open.

  16. Click Next, and leave the radio option on ‘Place all certificates in the following store', which should be set to ‘Personal'. Click Next.

  17. Under the Completing section of the wizard, click Finish. You should receive a pop-up.

  18. NOTE! This is the vital step mentioned previously in the article. We will now export the certificate with both public and private keys, which will give us the full set and allow us to remove and reapply if necessary. In the MMC select the newly imported certificate > right-click > and choose All Tasks > Export...

  19. Click Next on the Welcome screen. In the resulting list you should have an active option for ‘Personal Information Exchange - PKCS #12 (.PFX)'. If this option is not available there is a problem with the certificate and the private key is not accessible.

  20. Follow the wizard, and ensure you select the option ‘Yes, export the private key'. When saving the file, it will prompt you to set a password to protect the private key (this is recommended for security reasons). The export should leave you a PFX file. Keep this in a safe place, and back it up just in case.

  21. Next we need to import the full key into the Computer store. Start back in the MMC, under the Local Computer certificate store, right-click on the Personal folder, select All Tasks > Import...

  22. Click Next on the Welcome screen and click the Browse button on the subsequent screen.

  23. Browse to the newly exported PFX file. Note that you will need to change the ‘Files of type' to include the PFX format. Click Next.

  24. The Password screen prompts for the password you set when you exported the key in step #20. Enter the password and click Next.

  25. Choose or leave the selection at ‘Place all certificates in the following store'. The value should be Personal. Click Next.

  26. Click Finish on the end details page to complete the import.

  27. Next, we need to load the certificate into Intel SCS so it can properly authenticate with the AMT systems requesting Remote Configuration. Browse to the following location: \Program Files\Intel\AMTConfServer\Tools.

  28. Execute the file loadcert.exe.

  29. Press Y and Enter.

  30. A ‘Select Certificate' popup will appear. Select the name of the cer or crt file you received from the vendor and click OK. The window will disappear.

  31. Now both Personal certificate stores and Intel SCS should have all the needed certificates to successfully work with Remote Configuration. However, we are not done as other steps may be needed.
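The checks behind steps 19 and 31 can be scripted. The following PowerShell is an added example, not code from the original article or from the Intel SCS and Altiris tooling. Run it on the server after the MMC steps above: it confirms that the vendor certificate sits in Local Computer\Personal with a usable private key (the condition that makes the PKCS #12 export option appear in step 19), that its chain builds to the vendor root, that it carries the marker Intel SCS requires on a setup certificate, and then it takes the PFX backup from step 20. The subject fragment and backup path are assumptions; change them to match your environment.

```powershell
# Added example, not from the original article or the Intel/Altiris tooling.
# Verifies the imported Remote Configuration certificate and backs it up as PFX.
$SubjectName = "MyNSServer"                             # assumed: part of the certificate CN
$BackupPath  = "C:\CertBackup\RemoteConfigCert.pfx"     # assumed backup location
$X509 = "System.Security.Cryptography.X509Certificates"

function Get-LocalMachinePersonalCerts {
    param([string]$FindType, [string]$Value)
    $store = New-Object "$X509.X509Store"("My", "LocalMachine")
    $store.Open("ReadOnly")
    try { return $store.Certificates.Find($FindType, $Value, $false) }
    finally { $store.Close() }
}

function Test-RemoteConfigCertificate {
    param([string]$Subject)
    $found = @(Get-LocalMachinePersonalCerts "FindBySubjectName" $Subject)
    if ($found.Count -eq 0) {
        Write-Warning "No certificate with '$Subject' in its subject in Local Computer\Personal; repeat steps 21-26."
        return
    }
    foreach ($cert in $found) {
        # Intel SCS accepts a setup certificate only if the Enhanced Key Usage
        # holds the Intel AMT setup OID or the subject carries the OU marker.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        $setupOid = $false
        if ($eku) {
            $setupOid = [bool]($eku.EnhancedKeyUsages |
                Where-Object { $_.Value -eq "2.16.840.1.113741.1.2.3" })
        }
        $setupOu = $cert.Subject -like "*OU=Intel(R) Client Setup Certificate*"

        # The chain must end at the vendor root whose hash the AMT firmware
        # already holds (Verisign, GoDaddy, Comodo on AMT 3.0).
        $chain = New-Object "$X509.X509Chain"
        $chain.ChainPolicy.RevocationMode = "NoCheck"
        $builds = $chain.Build($cert)
        $last = $chain.ChainElements.Count - 1

        New-Object PSObject -Property @{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey     # false here = no PKCS #12 option in the wizard
            IntelSetupMark = ($setupOid -or $setupOu)
            ChainBuilds    = $builds
            ChainRoot      = $chain.ChainElements[$last].Certificate.Subject
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
        }
    }
}

function Backup-RemoteConfigCertificate {
    param([string]$Thumbprint, [string]$Path)
    $found = @(Get-LocalMachinePersonalCerts "FindByThumbprint" $Thumbprint)
    if ($found.Count -ne 1) { Write-Error "Thumbprint $Thumbprint not found"; return $false }
    $password = Read-Host "Password for the PFX backup" -AsSecureString
    try {
        # Throws CryptographicException when the key was imported without the
        # exportable flag, the same state that greys out PKCS #12 in the wizard.
        $bytes = $found[0].Export("Pfx", $password)
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Error "Private key is not exportable: $($_.Exception.Message)"
        return $false
    }
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $true
}

$results = Test-RemoteConfigCertificate -Subject $SubjectName
$results | Format-List
$results | Where-Object { $_.HasPrivateKey -and $_.ChainBuilds } |
    ForEach-Object { Backup-RemoteConfigCertificate -Thumbprint $_.Thumbprint -Path $BackupPath }
```

Reading the Local Computer store's private keys requires an elevated session. A result with HasPrivateKey false means the PFX import of steps 21-26 did not carry the key; ChainBuilds false with ChainStatus UntrustedRoot means the vendor's intermediate or root is missing from the server's stores, which also breaks authentication with the AMT firmware.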

 

Reinstalling the Certificate

If you need to reinstall the certificate and have a PFX file, you can do so by opening both certificate stores (User and Local Computer) as outlined in the previous steps. Browse through the certificate stores and delete any instance of the vendor certificate. This will remove any associations and allow a clean application of the certificate to occur. Look for the following:

  • The name matching the name of the cer or crt file obtained from the vendor

  • The vendor's certificate (the entry will contain the vendor name).

NOTE: Be careful when removing vendor certificates as they may not be part of the Remote Configuration. The best example is Verisign, which may have many entries. If unsure, leave the certificate in place, or export it before deleting it so you can restore it if necessary.

Other Setup Requirements

The following items may be required, depending on the environment.

ProvisionServer

Each zone within DNS should have a ProvisionServer entry to ensure that Remote Configuration requests are properly routed. This will also help properly resolve names during the authentication process. To test, log onto a system on the subnet you're trying to conduct Remote Configuration from. Open a command prompt and run the following command:

  • ping ProvisionServer

The responding IP address should be that of the Notification Server, or, if you've set it up this way, of the Intel SCS server conducting provisioning. Another test you can try is to run the following command:

  • nslookup ProvisionServer

We should get the data on the Notification Server's name.

DNS Zones

In a multiple domain structure this is especially important, but all environments need to have the right data in DNS to properly pass and authenticate in a TLS environment. The DNS Primary Zone should be set to the domain path contained within the certificate. For example, if the certificate name is MyNSServer_My1Domain_local, the DNS Primary Zone should be My1Domain.local. Without this, authentication can fail: the FQDN is used during authentication, and if the name transmitted across the wire doesn't match what's in the certificate, authentication will fail. Here is another example:

  • Certificate: MyNSServer_My1Domain_local.crt

  • DNS Primary lookup Zone: My1Domain.local

DHCP Option

Another network related requirement may be DHCP Option 15. While I'm not sure why this has proven to be required in some environments and not others, creating this option has resolved failed authentication issues within Remote Configuration.

On the DHCP server, create an entry for Option 15 (DNS Domain Name), with the value of the domain path. This will often be the same as what is located in the DNS Primary Zone. The following details are an example:

  • Certificate: MyNSServer_My1Domain_local.crt

  • DNS Primary lookup Zone: My1Domain.local

  • DHCP Option 15: My1Domain.local
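The ping and nslookup checks from the ProvisionServer section and the zone/suffix matching described here can be run together from a client. The following PowerShell is an added example, not code from the original article. Run it on a client in the subnet you want Remote Configuration to work from: it derives the expected zone and FQDN from the certificate file name, reads the DNS suffix the client actually received (DHCP Option 15), resolves and pings ProvisionServer, and reports which of the three values disagree. The certificate file name is the article's example and is an assumption.

```powershell
# Added example, not from the original article. Client-side check that the
# DHCP Option 15 suffix, the DNS zone and the certificate name agree.
$CertificateFile = "MyNSServer_My1Domain_local.crt"   # assumed: the article's example

function Get-ZoneFromCertificateName {
    # Vendors write the server FQDN with underscores in place of dots:
    # MyNSServer_My1Domain_local -> host MyNSServer, zone My1Domain.local
    param([string]$FileName)
    $base   = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    $labels = $base -split "_"
    if ($labels.Count -lt 2) { throw "Certificate name '$FileName' has no domain part" }
    New-Object PSObject -Property @{
        Host = $labels[0]
        Zone = ($labels[1..($labels.Count - 1)] -join ".")
        Fqdn = ($labels -join ".")
    }
}

function Test-ProvisionServerDns {
    param([string]$ExpectedZone, [string]$ExpectedFqdn)
    $r = @{ ExpectedZone = $ExpectedZone }

    # DHCP Option 15 as the client actually received it: the DNS suffix on
    # the first adapter holding a DHCP lease.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled } | Select-Object -First 1
    $r.ClientDnsSuffix   = $cfg.DNSDomain
    $r.SuffixMatchesZone = ($cfg.DNSDomain -ieq $ExpectedZone)

    # nslookup ProvisionServer: the short name must resolve through that
    # suffix to the NS (or stand-alone SCS) host named in the certificate.
    try {
        $entry = [System.Net.Dns]::GetHostEntry("ProvisionServer")
        $r.ProvisionServerIPs  = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ","
        $r.ProvisionServerName = $entry.HostName
        $r.NameMatchesCert     = ($entry.HostName -ieq $ExpectedFqdn)
    } catch [System.Net.Sockets.SocketException] {
        $r.ProvisionServerIPs  = "unresolved: $($_.Exception.Message)"
        $r.NameMatchesCert     = $false
    }

    # ping ProvisionServer
    $r.Reachable = Test-Connection -ComputerName ProvisionServer -Count 2 -Quiet -ErrorAction SilentlyContinue
    New-Object PSObject -Property $r
}

$expected = Get-ZoneFromCertificateName $CertificateFile
"Certificate $CertificateFile expects zone $($expected.Zone) and FQDN $($expected.Fqdn)"
Test-ProvisionServerDns -ExpectedZone $expected.Zone -ExpectedFqdn $expected.Fqdn | Format-List
```

SuffixMatchesZone false points at the DHCP Option 15 or DNS Primary Zone values above; NameMatchesCert false means the name DNS returns for ProvisionServer is not the one in the certificate, which is the mismatch that makes TLS authentication fail. GetHostEntry reports the canonical name, so a ProvisionServer CNAME to the NS host resolves to the NS name as intended.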

 

Conclusion

Following the above procedure should allow remote configuration to occur without problems. Once in place, the configuration will move forward with automatically provisioning systems that support Remote Configuration.

Through trial and error I've come across a working method for installing Intel's Setup and Configuration Service (SCS) on a server that does not have Notification Server, and thus Out of Band Management, installed. When NS is installed, all rights, etc., are already assumed by logging in as the Application Identity. Intel SCS installs fine this way, but on a separate server certain prerequisites and configurations need to be met before the installed SCS will function properly.

Introduction

For the best results, the prerequisites should be met beforehand. If SCS has already been installed, the necessary components can be added or the configuration changed to support it properly. In the first section of this article I'll assume we'll do the install from scratch, while in the second I'll cover how to reconfigure SCS if it has already been installed so it works successfully. This is with version 6.2 of Out of Band Management Solution.

New SCS Installation

NOTE: This is for an Intel SCS installation that is not on an existing Notification Server with Out of Band Management installed.

First, we need to prep the system for the actual install of Intel SCS. The following components are required for Intel SCS to function normally:

  • Windows 2000 Server, Windows 2003 Server

  • Internet Information Services (IIS)

  • Microsoft .NET 2.0

Run through the following steps to install Intel SCS. I've assumed the above prerequisites have already been met.

  1. Log onto the system as the Application Identity user for Notification Server.

  2. Using the ‘Pull' method, install the Altiris Agent from the Server that houses Out of Band Management:

    1. Typically the URL is formatted as: http://<NSName>/Altiris/NS/Agent/AltirisAgentDownload.aspx.

    2. Use the resulting page to download and install the Altiris Agent. Typically it takes a few minutes to complete the process of installing and registering with the Notification Server.

  3. If needed, give the App ID account local administrator rights on this server. In one case the account lacked these rights, and the service was unable to connect to the NS.

  4. Browse to the following path on the NS:
    \\<NS_Name>\NSCap\Bin\Win32\X86\OOB\IntelSCS\

  5. Launch the EXE AMTConfServer.exe.

  6. Click ‘Next' on the Welcome screen and accept the license agreement and click ‘Next'.

  7. Choose ‘Complete' as the type of setup and click ‘Next'.

  8. In the User name and Password fields put in the Application Identity for the NS.

  9. Check the Web details.

  10. Leave ‘Force Secure Connections (HTTPS)' checked if you will use TLS to encrypt AMT traffic, or uncheck it if you will not be using TLS. Click ‘Next'.

  11. Under ‘Database Server' select the database name and instance to use. This should be the SQL Server used to install the IntelAMT database when OOB was originally installed on the Notification Server, or, if the database was never created, the same server and SQL instance where the Altiris database that hosts Out of Band Management is installed.

  12. Check the database details. Click ‘Next'.

  13. Click the ‘Install' button to proceed with the install using the parameters set.

  14. If the IntelAMT database was previously created, you'll receive a notice saying that the database IntelAMT already exists. Make sure to click ‘Yes' so it uses the existing one. This is especially important if you have provisioned systems already in the database. If no database exists by name IntelAMT, a new one will automatically be created and no prompt will appear.

  15. At the Complete screen, leave the ‘Start Intel® AMT Config Service' checked and click ‘Finish'

  16. From the Notification Server, at this location:
    <NS_Name>\c$\Program Files\Altiris\OOBSC\, copy the file oobprov.exe to the same path on the SCS Server (default will be C:\Program Files\Altiris\OOBSC\).

  17. NOTE! You must use the same path that it used on the Notification Server, this is a limitation with our implementation at this time.

  18. Copy the attached file Interop.AeXClient.dll to the same folder.

  19. Normally the script (oobprov.exe) is properly registered to the correct path, but if it is not, we must manually change it.
         NOTE: Using this option to install SCS on a different server than the NS often leaves the csti_configuration table poorly configured. If this is the case, the following two steps must be done to fix the problem.

  20. Open SQL Query Analyzer or SQL Enterprise Manager. Run the following query:
         USE IntelAMT
         SELECT Props_script_path, use_props_script
         FROM csti_Configuration

  21. Check the path and make sure it matches the remote and local Intel SCS install. Also verify that use_props_script is set to 1, which means ‘True' (0 means ‘False'). Now run the following query if they need to be updated, but take note to change the path to match your environment:
         UPDATE csti_configuration
         -- one SET clause; the assignments are separated by commas
         SET props_script_path = 'C:\Program Files\Altiris\OOBSC\oobprov.exe',
             use_props_script = 1
         WHERE configuration_id = 1

  22. Everything should now be in place for the new Intel SCS install to work with systems being provisioned, including all maintenance and post-provisioning actions.

  23. As one last check, let's ensure the Intel SCS installation registered itself in the IntelAMT database. If this part has failed the service AMTConfig will not be able to start, throwing an exception about database connection in the Application Event Log.

  24. On the Database Server, run the following query:
         USE IntelAMT
         SELECT * FROM csto_servers

  25. You should have one entry for every Intel SCS install you've completed, even the original OOB install if you also installed Intel SCS originally on the NS. The server_name column should contain the name of the server you installed Intel SCS onto. If it is not here the problem generally stems from SQL database access rights on the SQL Server. Please ensure the account you are using has rights to create a new database, or update an existing one.

Fixing a Previous SCS Install

If you've already installed SCS, and provisioning is not occurring (see the following article group for troubleshooting steps: http://juice.altiris.com/book/3699/troubleshooting-altiris-manageability-toolkit-vpro-technology), we need to go through the steps to give the remote Intel SCS install the configuration it needs to work properly with the remote IntelAMT database and Notification Server.

The following steps provide the right changes to ensure everything is set up correctly:

  1. Log onto the Server with the NS Application ID.

  2. Uninstall the Altiris Agent from the system. If it is not installed simply continue through the steps.

  3. Check to ensure the account that is running the Intel SCS service, AMTConfig, has admin rights to the NS. If it does not, add the user to the Admin group on the Notification Server.

  4. Check to ensure the Application ID has local administrative rights to the server Intel SCS is installed on.

  5. Install or reinstall the Altiris Agent, ensuring it is pointing to the NS where Out of Band Management is hosted.

  6. Once the five preceding steps are completed successfully, move to the database server and launch SQL Enterprise Manager against the IntelAMT database.

  7. Run the following query (props_script_timeout is included because the next step reads it):
         USE IntelAMT
         SELECT Props_script_path, use_props_script, props_script_timeout
         FROM csti_Configuration
     (Image: csti_configuration.jpg, showing the resulting row)

  8. Please note the following details from the resulting line:

    • use_props_script - This column needs to be set to TRUE (1). If this is set to 0 no provisioning attempts will even be executed. I've seen this set to 0 at times.

    • props_script_path - This value is passed to the Intel SCS service that's available to run oobprov.exe. This must be the same location on both the NS and the remote server.

    • props_script_timeout - This timeout should be set at 180.

  9. If the values are not set right, use the following query to update the table to have the correct values (note that the props_script_path may be different in your environment. If so, change the query to match your installation setup):
         UPDATE csti_configuration
         -- one SET clause; the assignments are separated by commas
         SET props_script_path = 'C:\Program Files\Altiris\OOBSC\oobprov.exe',
             use_props_script = 1,
             props_script_timeout = 180
         WHERE configuration_id = 1

  10. Once the above changes have been made, restart the AMTConfig service on the local Intel SCS Server to have all cached items dropped so the changes are filtered down properly.

Functional Intel SCS

The immediate question after installing Intel SCS, or fixing an existing install, is whether things are working correctly. Time will definitely tell, but if you want to know immediately you can use the following process to check the install:

  1. On the Intel SCS server, go into the Services Manager within Administrative Tools. Is the AMTConfig service running? If not, try to start it. Also check the Event Log for failures. If it stays running, it can successfully start and then connect to the IntelAMT database. Note that if it starts but then stops a minute or two later, the database is likely unreachable by the service.

  2. On the Notification Server, browse in the Altiris Console from View > Solutions > Out of Band Management > Configuration > Provisioning > Logs > Actions Status. Do you see any successful Provisioning requests since the time you finished configuring the Intel SCS install?

  3. If possible, manually configure a system to provision and see if it goes through. The reason the existing ones trying to provision may not work is IP address changes that make it impossible for SCS to connect back to the system. New Hello packets will remedy this situation in the long term.
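The csti_configuration and csto_servers checks from the two preceding sections, together with the AMTConfig service check above, can be run as one script from the Intel SCS server. The following PowerShell is an added example, not code from the original article or from Intel SCS. The SQL Server name is an assumption; the table and column names are the ones the article queries, with the timeout column written as props_script_timeout.

```powershell
# Added example, not from the original article or Intel SCS. Health check of a
# stand-alone Intel SCS install against the IntelAMT database.
$SqlServer       = "SQLSERVER\INSTANCE"   # assumed: the SQL instance hosting IntelAMT
$ExpectedTimeout = 180

function Invoke-IntelAmtQuery {
    param([string]$Server, [string]$Query)
    # Integrated security: run as the account that installed SCS (the NS
    # Application Identity), which already has rights on IntelAMT.
    $conn  = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=IntelAMT;Integrated Security=SSPI")
    $cmd   = New-Object System.Data.SqlClient.SqlCommand($Query, $conn)
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try { $table.Load($cmd.ExecuteReader()) } finally { $conn.Close() }
    return ,$table
}

function Test-IntelScsConfiguration {
    param([string]$Server)
    $findings = @()

    $cfg = Invoke-IntelAmtQuery $Server "SELECT props_script_path, use_props_script, props_script_timeout FROM csti_configuration WHERE configuration_id = 1"
    if ($cfg.Rows.Count -ne 1) {
        $findings += "csti_configuration returned $($cfg.Rows.Count) rows for configuration_id 1"
    } else {
        $row = $cfg.Rows[0]
        if ([int]$row.use_props_script -ne 1) {
            $findings += "use_props_script is $($row.use_props_script); provisioning attempts will not run until it is 1"
        }
        # The path is passed to the service on this server, so it must exist here
        # and be identical to the path on the NS.
        if (-not (Test-Path $row.props_script_path)) {
            $findings += "props_script_path '$($row.props_script_path)' does not exist on this server"
        }
        if ([int]$row.props_script_timeout -ne $ExpectedTimeout) {
            $findings += "props_script_timeout is $($row.props_script_timeout); expected $ExpectedTimeout"
        }
    }

    # csto_servers must list every Intel SCS install; a missing row usually
    # means the install account lacked SQL rights.
    $servers = Invoke-IntelAmtQuery $Server "SELECT server_name FROM csto_servers"
    $names = @($servers.Rows | ForEach-Object { $_.server_name })
    if (-not ($names | Where-Object { $_ -like "$env:COMPUTERNAME*" })) {
        $findings += "$env:COMPUTERNAME is not registered in csto_servers (found: $($names -join ', '))"
    }

    $svc = Get-Service -Name AMTConfig -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "AMTConfig service is not installed on this server"
    } elseif ($svc.Status -ne "Running") {
        $findings += "AMTConfig service is $($svc.Status); check the Application event log for database connection errors"
    }

    New-Object PSObject -Property @{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

Test-IntelScsConfiguration -Server $SqlServer | Format-List
```

Run it as the Application Identity on the SCS server. An empty Findings list corresponds to the state the article's steps aim for; each finding names the step to revisit (the UPDATE in step 9, the csto_servers rights check, or the service start in step 1 of this section).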

 

Conclusion

These processes should allow you to properly install and configure Intel SCS on a server that is not where the Notification Server and Out of Band Management are installed and running.

NOTE: If you have not read parts 1 through 5, please read these before reading this part as this is a continuation of the story begun in the previous sections. http://juice.altiris.com/book/4687/altiris-and-intel-vpro-use-cases

The Mighty Modern Marketing IT team has just seen two suspected competitors encroach on their home turf. What can they do in light of this brazen intrusion? Can Altiris and Intel's vPro help them gain the upper hand when the opposition brings the fight to the very top? In this part of the story we'll learn the final outcome of their major competitor's struggle to gain the majority share of the market through fierce competition and unscrupulous IT sabotage.

Mighty Modern Marketing HQ - Boston, Massachusetts

"Bobby!" Jessica Langley whispered loudly. Or, more accurately, she said loudly to just pierce the cacophony of fans filling the server room. She turned the corner and saw Bobby perched at his desk. His hands rested on his keyboard, as if poised to begin coding at an instant's notice. He seemed to be looking intently at his monitor.

"Bobby?" she urged, stepping closer. He didn't respond, and as she watched his head tipped forward. He jerked, a loud snort escaping his nose. He glanced around, blinking bleary eyes, before his eyelids seemed to close of their own volition. He settled back into his chair, hands still poised.

Jessica tapped him on the shoulder. He didn't respond. She tapped harder, and he shrugged, but his eyes remained closed. She shook the back of his chair, and he jumped, hand flailing out to grab the sides of his desk. He whirled around, staring at her with wide, reddened eyes.

"Jessica!" he said, blinking rapidly. "Something wrong?"

She folded her arms. "Yes, something's wrong," she responded tersely. "We're under attack."

He wiped at his face with his long-fingered hands. "A virus?"

"No, something a bit more direct. I saw that ninja guy again, and some smooth-slick character with him. He might be Jake, the New Nifty Network CEO."

"The ninja? The guy I thumped with the laptop?"

"Yes."

Bobby looked at her wide-eyed. His eyes darted about, and he finally picked up a power strip, gripping the plug and cord. He twirled a few times, and Jessica backed away.

"What are you doing?" she demanded.

"I need something in case he comes after me for revenge!"

"Is that supposed to be a ball and chain?"

He glanced down at the strip, the empty black slots seeming to stare back up at him forlornly.

"Yes. No. Maybe... I don't know!"

She reached out and took it from him. "Tevita's following them, but we need to lock things down."

Bobby rubbed his hands together, his expression tightening a little. "I always have things locked down," he said. "You're insulting my..."

"No time for that. Lock up all the servers, and back up all databases right now. If possible bring nonessential applications down until we get these guys out of here. And call security."

Bobby nodded. "There's a ton of locks. Can you help while I call?"

As Jessica set locks on the server's chassis and covers, she watched the door leading into the server room. She couldn't seem to keep her eyes away from it, half expecting one of the suspects to barge in waving a bat around and demanding their most sensitive data. Halfway through the process Bobby gave her a large key ring full of small metal keys with short, stubby teeth.

"Go check the server racks and lock any covers that are open with those," he instructed.

She stared at him. "There are a hundred keys here, and none of them are labeled!"

"I know. I keep meaning to get around to labeling them, but... well... how fun would that be?"

"Yeah, how fun?" she mumbled as she headed around the corner. She started down the row, checking the front of the cases. She made it almost halfway around before she found one that opened. She looked down at the mass of keys and sighed.

She had inserted only about thirty keys, all without budging the lock, when her mobile phone rang. She quickly fished it out of her jacket pocket, glancing at the number before putting it to her ear as she pushed the answer button.

"Tevita?" she prompted.

"Jessica! They're up here on the executive level!" he said in a loud whisper, and she had to press her phone hard against her ear to hear.

"Bobby called security..."

"These guys are really delivering packages as if they're legit, but that taller guy, the slick one, keeps looking around as if expecting to see something."

"Why don't you go tell Mr. Johnson? I think that's Jake Wells."

"That's a good idea. I'll call back if I need anything..."

"Just be careful..." she started to say when the line dropped. She locked the keypad and slipped the phone back in her pocket. She stared down at the keys in her other hand, and finally decided she had better things she could do. She walked quickly to Bobby's office. He stared intently at his screen, his fingers flying over the keyboard so fast they seemed to blur in her vision. She placed the key ring on his desk and he looked up.

"The first half of them are secure," she said, not mentioning she hadn't needed the keys for any of those.

"That was fast..."

"I got a call from Tevita. I think I need to secure some of the more vital PCs in the office, here. Did you ever finish those network filters I asked for?"

Bobby nodded. "I did. I still need to test the last one..."

"But the accounting and executive filters are ready?"

He nodded again. "Yes. I'll email them to you now. It wasn't easy, what with the limitation on how many filters I can apply, but I weeded out the nonessentials. Instant Messenger won't work, nor will standard Internet Explorer stuff, but all the applications the two groups will use respectively are available."

"Email?"

"I think so... it's not reliable..."

She shrugged. "Better than nothing. Thanks!"

She hurried out the door. Her eyes looked around the office as she walked tensely back towards her desk. She expected to see signs of stress or something, but everyone acted normally. Several even said hi, and she managed to smile back, though the smile felt stiff on her face. Why couldn't she have a normal IT job where emergencies consisted of no coffee in the break room, or typical, non-intentional application crashes? Couldn't someone simply forget their domain password for the highlight of the day? That kind of stress she could handle without her stomach tying itself into knots.

She sat down as a new email came in from Bobby. She opened the email, and downloaded the attachments to a share on the Notification Server. She quickly initiated a Remote Desktop to the Notification Server. When she clicked connect, she received a message indicating the maximum number of sessions had been reached. She stared at the screen.

"No way," she muttered as she jumped to her feet. She hurried over to Tevita's desk, but he'd locked all his systems. Definitely wise, but if he had sessions open she'd be unable to close them. She hurried back and launched the Altiris Console on her own desktop. She'd wanted to add the filters in the right places on the drive of the server, but it wasn't necessary. The console came up, and she browsed through Manage, clicked on Jobs, browsed through Tasks and Jobs, Server Tasks, Real-Time System Manager, and clicked on Network Filtering Task.

Jessica right-clicked on the Task and chose "Clone". She named it "Accounting Network Filtering Task" and clicked OK. The new filtering task appeared, the task configuration loading in the right pane. She clicked the Edit button on the icon bar with the small pencil symbol. Under the section ‘Filter network traffic other than to and from the Notification Server' she changed the radio selection to ‘Import network filtering settings from the custom XML file'. Under the section ‘Location of the file to import from:' she clicked the Browse button. In the subsequent window she browsed to the share where she'd copied the custom files Bobby had created and selected the Accounting one. She clicked Open, which returned her to the Settings page.

At the bottom of the right pane she clicked the Apply button. Next, she clicked on the ‘Run Now' button on the icon bar. Within the pop-up window that appeared she set the ‘Run name' field as ‘Accounting Lockdown SOS'. Under the ‘Connection credentials settings' section she clicked on the hyperlink labeled: Runtime Profile. From the list she selected the set of credentials containing her Domain credentials that had full rights to all AMT systems. When she'd committed the changes she then clicked the hyperlink under the Resources heading labeled ‘Select computers'. The Task Server resource selection window appeared.

In the leftmost pane she expanded the Computer Collections folder and the My Collections folder. Under this section she highlighted the collection labeled: All Accounting Computers. By double-clicking on this collection the picker added it to the rightmost pane, labeled Selected Items. She clicked OK to add the collection to the Task. On the main Run Task screen she hovered the mouse pointer over the ‘Run Now' button. She wondered if both words were capitalized to emphasize the finality of the button! She believed the filter would work since she had faith in Bobby's skills, but if something went wrong...

For just a moment she paused, taking her hand off the mouse. Overreacting might save the day if these two interlopers really came with Mighty Modern Marketing's detriment in mind, but if she'd jumped to the wrong conclusions she might just create a huge mess for no reason at all.

Another thought, one she'd had previously, surfaced in her mind. If Bobby hadn't verified the filter worked, and it somehow invoked a filter that did NOT give access to the systems via Notification Server, she might just decapitate every single one of the Accounting department's computers with a single click. She shuddered as she imagined Tevita and her running from computer to computer in a desperate effort to manually disengage the network filter using their credentials. There was a reason Bobby tested all the filters he created, and that same reason applied as to why she and Tevita each independently tested them again.

So far Bobby always got it right, at least from the Notification Server aspect. Sometimes the other filter items didn't work properly, but she'd still be able to quickly remove the filter from all the systems. She sat up straighter in her chair, her lips pressed into a firm line, and took hold of the mouse again. With only the briefest of hesitations she clicked the ‘Run Now' button.

She waited a minute, then refreshed the status display. So far so good. She quickly ran through the same procedure, but this time setting the Task to quarantine the Executive systems, for their own protection. She paused before running it, then quickly picked up the phone and dialed Mr. Johnson's number.

"Mr. Johnson's office," a young voice greeted.

She paused. She didn't recognize the voice, but didn't attribute it to the two she'd seen. "Uh, yes, this is Jessica Langley down in the IT department. Is Mr. Johnson available?"

"No, ma'am. He's currently in a meeting. Can I take a message?"

"When did he get a secretary?"

She heard a chuckle. "I'm not a secretary, I'm his son, Roger. It's ‘Go to Work With Mom or Dad' day at school. I'd rather be here than school, so... here I am."

"Okay... Can you tell him this is urgent?"

"I would, except he left for the meeting and I don't know where."

She sighed. "Thanks Roger." As she hung up the phone she clicked the ‘Run Now' button.

Leaning back in her seat, she folded her arms, eyes on the Altiris Console. Having applied the filters she did feel a little better, but she still couldn't sit still. She stood and walked to the drinking fountain, trying to think what next she needed to do to ensure whatever their competitors planned didn't cripple the business. Her eyes roved over the immediate area. It seemed everyone moved calmly, with occasional conversations heard above the hum of computers. She fished in her pocket and removed her cell phone, staring at the display as it lighted up. If Tevita was hiding somewhere, calling him might give him away. But surely he'd have placed in phone on vibrate...? She hated not knowing where and what Tevita did, and what the interlopers meant to do.

 

 

She found herself facing the stairs. Part of her wanted to run up there and blow the whole thing wide open so that the sheer number of Might Modern Marketing's employees would stop whatever they planned. Of course if it ended up being an innocent visit... she threw that thought aside. They'd shown up looking like delivery guys, and the furtive glances from the "ninja" seemed to proclaim their guilt. She reached up and rubbed at her eyes, trying to decide what to do next.

 

 

They'd locked down the servers, taking down nonessential applications, and employed filters against critical systems. She squared her shoulders and entered the stairwell, hurrying up the two flights to the third floor. When she reached the door at the top she stopped, taking out her cell phone again. She dialed Tevita's number and pressed the send button. The phone rang several times before his voicemail started playing. She hung up the phone, fidgeting with it for a few moments before slipping it back into her pocket.

 

 

She tried to square her shoulders again, but somehow the thought of heading through the door started her stomach doing flips. She pressed a hand against her middle, trying to physically calm her nerves. It wasn't like these guys were armed... were they? So far the incidents had all been non-violent, but had desperation driven them to take extreme measures? The security and protection of Mighty Modern Marketing's intellectual property fell under her job description. These rubes from New Nifty Networks certainly qualified as a threat, but where should she draw the line?

She smiled wryly, deciding she didn't like the spineless turn of her thoughts. True, there could be real danger on the floor, but most of the people up here she knew well and trusted. She opened the door and stepped through.

To the left sat the accounting team, most in closed-door offices to help with keeping sensitive data from wandering eyes. She saw one of them exit his office, a frown on his face. She walked towards him, intending to head through towards the executive staff area, when he looked up.

 

 

"Hi Jessica," he said, the tight expression on his face easing. "Can you help? I'm having internet problems right now."

 

 

"I know," she responded with what she hoped was a firm but friendly smile. "We have a security issue I'm dealing with and we've locked most systems. You should still be able to run the Accounting software... Balance Act. Have you had any problems with it?"

 

 

"No... I just... well... do you know when we'll get it back?"

 

 

"Hopefully soon. I'll send out a notice when it's back up."

 

 

"Okay. Thanks..."

 

 

She nodded and continued on her way. She heard him behind her start talking to another of the accountants, and he sounded a little annoyed, but she thought that better than the wrath she'd have faced had the critical application Balance Act gone down. She smiled, hoping someone would try to strip the data from the application and send it out, only to find that they couldn't make a connection to anything. She hoped they stewed over it, trying to figure out why the computer wouldn't connect to anywhere despite showing a network connection.

She tried to look casual as she raced towards the executive area. What would she find? By the look of people on the floor, no one had any inkling that two unwanted people prowled the hallways. As she turned the corner, her eyes followed the line of doors, most of them open. The sound of conversations floated out of a few, all sounding normal and unhurried. She noticed that Mr. Johnson's door remained closed. She walked on her tiptoes for a few steps, trying to look down into the cubes opposite the CEO's office. The first two stood empty, while the next two held their normal occupants, none looking more harried than normal.

 

 

She reached his door and glanced through the side window set to the left of the door. She noticed a young man sitting at the computer. He slouched back in the office chair, right hand moving the mouse around, his hair spiky and bleached blond. She assumed this was Roger, and moved on. She fished her phone out of her pocket and dialed Tevita again. For the second time he didn't answer and she reached his voicemail. This time she left a short, terse message asking him to call her, and hung up.

She looked either way down the hall, her stomach slowly turning over. So far everything looked fine, except that Mr. Johnson wasn't at his office and Tevita wouldn't answer his phone. Many possibilities as to why held nothing malicious, and probably nothing amiss had happened. Somehow she couldn't convince her body of that, and found herself walking stiffly down the hall towards the set of conference rooms at the end. She couldn't unlock her knees, as if her joints had seized up. She wrung her hands in a gesture she'd long ago overcome, and forced her arms to swing normally at her side. Even that gesture felt forced, and she shook herself, trying to loosen up her tense muscles.

 

 

One of the conference room doors was shut; the other room's doors stood open with the lights out. Light streamed under the door and through the indoor window of the occupied conference room. She sidled up to it, trying to peer in without showing her face. She caught a glimpse of Tevita, standing against the wall. His normally smiling features were pulled down in a frown, his arms folded tightly across his chest. She knew he only folded his arms like that when angry. Not just a little angry, but very angry. She quickly backtracked to approach the door from the other side.

The first person she saw held a sly smile on his face, his slick features seeming to hold confidence to overflowing. He spoke, his mouth quirking at the corner as if he had trouble keeping a secret. He pointed at a laptop plugged into one of the network cables snaking out of the middle of the large oval conference table. It looked like one of their field laptops meant for Sales Engineers or Consultants. She even saw the telltale barcode they stuck on all laptops before shipping them out, but also noted it was vPro capable. She glanced around, but in the dead-end hallway no one paid her any mind. She ducked down and put her ear against the door, trying to hear inside.

 

 

"...really think you're as spineless as that, old man." The voice reminded Jessica of a new car salesman who knew he could really sell cars.

 

 

Mr. Johnson's voice sounded as measured and confident as always. "You know that's not true, Jake."

 

 

"I do have to give you credit, Mr. Unflappable. You act like you aren't phased, but I've seen your employees run around like chickens with their heads cut off from time to time. I was hoping to reach an agreement today, to avoid future... incidents."

 

 

"We're not afraid of you," Tevita said hotly, the words loud enough to cause her to flinch.

 

 

She could just imagine Mr. Johnson holding up a placating hand to Tevita. "Why do we need an agreement? You've seen the projected numbers, I assume. You've done no real harm."

 

 

"Oh? You seem to forget I have access to your network, as this laptop proves. I know everything, including pending projects, budget allotment, fiscal year targets, and actual revenue both real and pending."

 

 

"You love the threat," Mr. Johnson said, a hint of mocking in his tone. "Did you think I'd be impressed that you'd have the gall to walk in here and make ludicrous demands?"

 

 

"You'll notice that security hasn't stopped me yet. If you need proof, let me show you..."

 

 

Jessica glanced through the window, her eyes trying to focus on the number printed below the barcode. If she knew which machine this was, she might be able to control it. She pulled out her cell phone and keyed in the number, then retreated, heading back towards the stairs. She scampered down them, only to almost fall as the heel on her left shoe broke off. She skidded down the last few steps, barely catching the rail to stop a certain face plant. She slipped both shoes off and hurried down to the first floor.

She reached her cube, glad she'd left the Altiris Console up. She used the barcode in Asset Management to find the name of the system. She browsed in the console under View, Solutions, Real-Time Console Infrastructure, Tools, and clicked on the Manage node. She quickly typed in the name and clicked OK. A window appeared, giving her the RTSM interface. A grim smile slipped onto her lips as the tree loaded, giving her all of the Real-Time System Manager functionality. In the left-hand pane she browsed down into Real-Time Consoles, Real-Time System Manager, Administrative Tasks, and selected Hardware Management.

With her hand hovering over the mouse, her mind whirled through the possibilities. With vPro, she had a lot more power. Taking control of the system wouldn't do much, since she could only access a non-graphical interface with Serial Over LAN. Anything else she might do would only alert them to what was occurring. She needed to do something fast. She selected to reboot the system, checking the options under Redirection options labeled ‘Perform boot from:' and ‘Display task progress and remotely control computer'. She selected to provide a CD image, browsing to a utility for disk formatting. The utility had the ability to quickly write zeroes to the drive, which essentially cleared the hard drive of all data.

It was a good first step, and she initiated the reboot with redirection. She wished she could see the snide smile vanish as the computer abruptly turned off without any warning. She knew the laptops had reasonable boot times, but it seemed to take an eternity to load the utility. She half expected the laptop to be removed from the network, the SOL session dropping, but eventually the utility's interface appeared. She glanced at her watch. It had taken forty seconds, though she swore it had to have been at least five fretful minutes.

She selected the option to wipe the drive, pressing through the double warning that all data would be lost as quickly as she could. With luck the two dimwits wouldn't realize what was happening until it was too late.

Now what had he said about security? Bobby said he'd called them, so why hadn't anyone responded? She pushed to her feet as she locked her computer, hurrying towards the front desk area. When she reached the front desk she found it unoccupied. A visitor stood at the front of the desk, looking around with a frown and lines creasing his forehead.

 

 

"It's about time," the man said, visibly trying to smooth his expression. "I have an interview and need a temp badge."

 

 

Jessica shook her head. "Sorry, I'm not with security," she said hurriedly as she picked up the phone.

 

 

"If you're an employee, you can escort me," he said with the words forceful. She paused, looking him over quickly. He carried a thin folder under his left arm, with his arms held closely to his sides, his legs shoulder-length apart. His dark eyes watched her far too intently, hardly a blink to disrupt his scrutiny. Despite his oversized short, she could see the honed muscles tensed underneath.

 

 

She swallowed the lump that formed in her throat. Had she not failed Drama in high school, she wouldn't have worried so much as she tried to smooth her expression.

"It's against policy," she said, grateful the words came out firmly. "Without a badge... I'm sure security will return shortly."

 

 

The man's lips thinned. "You don't understand..."

 

 

She dialed the phone as if she wasn't two millimeters away from bolting back into the secured section of the building. The wide desk might give her enough lead time to get through before this suspicious man grabbed her. If he chased her, would she try to force the door closed behind her, or simply start screaming? Her face felt cold, but she still found the whole situation absurdly funny.

 

 

Bobby answered his phone. "What, IM broken again?"

 

 

"Hi, this is Jess. I came up to talk to the front desk folk, but nobody's here. Can you page them?"

 

 

The man standing in front of the desk scowled. "Look, I can't wait any longer..."

 

 

"Really? I called and told them the situation."

 

 

"I know. I need to take care of the power problem to the servers we discussed earlier, and need someone from facilities here, now. Can you try again?"

 

 

"Power...? Oh. I see. I'll get right on it."

 

 

"Thanks."

 

 

She hung up the phone. She contemplated calling the police, but she wondered if the two stooges upstairs had actually broken any laws. If they hadn't, what would the police think? She knew something had to be illegal, but did police get involved in this kind of thing? She continued to watch the man carefully. He stood stiff, visibly trying to keep his face smooth.

 

 

"Sorry," she said. "I can't help you, but someone should be here soon."

 

 

"That might be too late," the man said, throwing his free hand up into the air, almost dropping the folder with the other. "I'm supposed to do sneaky about this, but it's been too long. I'm Detective Cassidy from the Boston Police Department and believe some criminal activity is being conducted in this facility."

 

 

He reached back into his pocket and produced a wallet. He flipped it open, revealing a gleaming badge.

 

 

She stared at him, mouth open for a moment. "You're with the police?" she managed to say.

 

 

"Yes, now get me into that building unless you want to be held culpable as well!"

 

 

"Culpable? No, by all means! Please, come in."

 

 

She walked over to the main door, pulling her badge up to the magnetic reader. Her heart hammered in her chest, relief flowing through her limbs until she felt almost weak. She held the door open for the detective. He walked in, eyeing her suspiciously.

 

 

"I'm Jessica Langley," she offered. "I'm on the IT staff."

 

 

"Jessica... I'm surprised you'd offer your name so freely," he said, eyes moving over the collection of cubes.

 

 

"Why? Whatever you've heard, you'll see the truth soon enough."

 

 

"The truth, eh?" he said with a hint of a dry smile. "Okay. Lead on."

 

 

They quickly headed up the stairs, through the marketing section, past the executive offices, to finally reach the one closed door in the conference area.

 

 

"That guy there, Jake Wells I believe is his name, is the CEO of New Nifty Networks."

 

 

Cassidy peered in.

 

 

"Fix it!" Jake demanded with his face an unhealthy shade of red. The "ninja", still sporting his delivery guy outfit, fussed with the computer.

 

 

"It's dead..." he said. "Somehow I can't boot to the hard drive."

 

 

Mr. Johnson sighed. "Are we done here? I have a business to run."

 

 

"No!" Jake exclaimed. "I don't know how you did it, but this isn't the only laptop of yours I have, of course. I can access everything, even your accounting software..."

 

 

Cassidy stepped back, fingering his chin. "Well. This is certainly odd. But a few unanswered facts are now coming into focus."

 

 

Jessica gestured towards the door. "So you came here thinking we're doing something illegal?"

 

 

"No, according to the evidence presented to us, you were doing illegal stuff. This all but confirms the counter-theory that Jake Wells, a well-known business criminal, was in fact setting you guys up. Alright, don't tell him I came here as I need to get the right evidence in place before arresting him..."

 

 

"What if he gets violent?" Jessica asked as Detective Cassidy began hurrying away.

 

 

"Violent? Not likely, but if so, I'll have an officer waiting outside the building. Now if you'll excuse me..."

 

 

The man practically ran away, hurrying down the stairs. Jessica watched him disappear, and then heard the door behind her open. She turned around to face Jake Wells.

 

 

"Hello," Jake said with his broad smile just a little strained.

 

 

"Uh, hi," she responded, stepping to the side. She half-expected him to see right through her wary expression, but he simply walked on past, his cohort the ninja following behind, carrying the now defective laptop behind him.

 

 

Later Tevita, Jessica, Bobby, Edgar, and Daniel the CSO sat in Mr. Johnson's office. The CEO smiled, a look of relief cracking his normally stoic demeanor.

 

 

"Perfect," he said, standing up to offer his hand to Jessica. She blushed furiously as she rose and accepted the hand shake.

 

 

"Was nothing," she mumbled.

 

 

"Nonsense. You not only stole his thunder, that which he enjoys the most, but you unmasked his entire operation to the police. His sly and underhanded method to use the police to clear out our own security in his plans was ingenious, I must admit, but it certainly backfired. Bobby. Thank you for digging through the servers to find which stolen laptops made the illicit connections to our network to fudge our accounting procedures. Tevita. Well done identifying and cutting off access for those computers and those accounts on them. By removing that potential threat we've finished securing ourselves against any current threat, and with Jake Wells back under the watchful eye of the police, we will likely have a good respite."

 

 

"You're welcome," several said at the same time.

 

 

He smiled again. "Take the rest of the day off. Expect a bonus soon for all your troubles, but most of all, I'm letting half of you take next week off, and the other half the following week, and you won't have to use your accrued vacation days."

 

 

Jessica smiled. Vacation. She hadn't been able to think about it for months now with the ongoing threat, and the idea almost put her to sleep on the spot. She yawned, then offered a nod of thanks.

 

 

She didn't really believe things would suddenly become as easy as sliding across a newly iced hockey rink, but surely things couldn't be as bad as they'd been?

As she traveled home on the early metro commuter train, a thought struck her hard. She'd said to Tevita that things should be easier. Knowing fate, and her own unlucky streak, she'd just opened herself up to an even harder, scarier situation; one that would probably arise on the first day of her vacation. She considered throwing her mobile phone out the window, but as she raised her arm she stopped. That would be drastic; besides, fate wasn't really against her, was it? And if it was, wouldn't the arsenal provided by Intel's vPro, Altiris Manageability Platform, and tighter security policies stop it?

 

 

She didn't throw the phone out the window, but she did turn it off, vowing to turn it back on only when Sunday arrived before she was to return.

 

 

 

 

The End of Part 6

 

 

 

 

This concludes this story arc. I hope you enjoyed reading as much as I enjoyed writing this. I hope also that some of the value of vPro has been properly communicated through this story, highlighting some of the features that could be used in a security situation.

 

 

For those who have provisioned Intel AMT systems, you may wonder what takes place in the background. This article is for you! The process has often been covered at a high level, but here the technical details are provided. Hopefully this helps you understand the inner workings and gives you information for troubleshooting Provisioning issues. And for those of you who are technically minded, it's also neat to know! This information was compiled while working on issues and running through provisioning processes from Symantec Support.

Introduction

Often the Provisioning process for Intel vPro systems has been described as complex. This comes from the fact that the Provisioning process was designed with high security in mind. Since the initial release we have improved success rates by working with Intel to make the process more user friendly without compromising the high level of security. To this end, this document explains the process of Provisioning at a technical level, providing an unfiltered view of the process, again without compromising its security.

Provisioning Flow

The following process assumes that Altiris Out of Band Management and Intel SCS are installed, configured, and ready to go. It follows the flow of Provisioning and the data points, technologies, and methods used. The level of detail is meant to serve as a resource when working with Provisioning or troubleshooting Provisioning issues, so not every detail of the process is covered. Note the following points before moving through the process:

  • The console items in the Altiris Console under View > Solutions > Out of Band Management > Provisioning are not tied to the Altiris database like most of the rest of the Altiris Console. They connect through a virtual Website (AMTSCS under the Default Website of the SCS Server) to the IntelAMT database.

  • Data from two databases (IntelAMT and Altiris) is used during the Provisioning process.

The following articles can assist if you need information on these:

  1. The server is loaded with a security key or certificate. See the following two items for how these keys are loaded:

    1. For PID/PPS, keys are either randomly generated or imported into the IntelAMT database. Specifically they reside in the table csti_pid_map. Once created or imported, they are available for verifying the authentication of an incoming provisioning request from AMT.

    2. For TLS-PKI (certificate-based Remote Configuration) a certificate is loaded onto the server. See this article for details: http://juice.altiris.com/article/4496/obtaining-and-applying-a-verisign-remote-configuration-certificate.

  2. The clients need the matching keys loaded onto them. This is done differently depending on the type:

    1. For PID/PPS the keys are set by one of the following methods: the OEM sets them, they are entered manually into the Intel ME, or they are input via a one-touch USB flash drive. The PID and PPS are written into the firmware to be used as the authentication credentials when the system looks for a provisioning server.

    2. For Remote Configuration (TLS-PKI), predefined hashes are burned into the firmware at the factory for the following certificate vendors (more to come in subsequent versions of AMT). This means AMT already has authentication keys to begin the provisioning process direct from the factory.

      • VeriSign
      • Comodo
      • GoDaddy

  3. The client machine, once it has its keys and has been connected to the network and power, uses one of two methods to find the Provisioning Server:

    1. The IP address of the server can be entered manually into the Intel ME, including the port the SCS listener is configured for (default 9971). When this is done, the AMT client transmits its Hello message directly to that IP address and port.

    2. Otherwise the client transmits its Hello message on port 9971 to the host name ‘ProvisionServer'. If Out of Band Management, Intel SCS, and DNS have been properly set up, that name resolves to the Notification Server and the packet reaches it.

  4. The Notification Server listens for AMT Provisioning traffic on port 9971, but can be configured to use a different port if desired in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Configuration Service Settings > General. The top option is labeled ‘Listen port:'.
    (Screenshot: ListenPort.jpg)

  5. When SCS, via the service AMTConfig (process AMTConfigWinService.exe), receives the incoming Hello packet, it initiates an authentication exchange with the client to complete the authentication process, the beginning of which was carried in the packet. Once authentication completes successfully, the process moves on.

  6. The AMTConfig service catches the incoming packet and logs its data in the IntelAMT database, in the table csti_amts. This table contains all the relevant data for this system's identity.
    (Screenshot: csti_amts.jpg)

  7. Once the system has been logged in the IntelAMT database, Intel SCS uses the database entries under csti_configuration to launch what's known as the props script, which assists in the provisioning process. In Altiris' case it is oobprov.exe, located by default at C:\Program Files\Altiris\OOBSC\oobprov.exe. For an example of how Intel SCS knows about this, see this data snippet from the csti_configuration table:
    (Screenshot: csti_configuration.jpg)

  8. On a busy SCS server you can look at Task Manager and see multiple instances of oobprov.exe running. The default settings allow 10 threads to work on provisioning requests at any given time. These threads interface with the Altiris database via the Altiris Agent on the local server system. In a standard setup the local system is also the Notification Server.

  9. oobprov.exe runs a SQL query to fetch the Fully Qualified Domain Name (FQDN) of the system it is to provision. The query is based on the following data points:

    1. The UUID passed to it by Intel SCS. Source: database IntelAMT, table csti_amts; data source: the Hello packet from the AMT system; value used: uuid.

    2. Database Altiris, data class OOB Capability, table Inv_OOB_Capability; data source: Out of Band Discovery Task; values used: _ResourceGuid, UUID.

    3. Database Altiris, data class AeX AC Location, table Inv_AeX_AC_Location; data source: Basic Inventory Agent, whether from the Basic Inventory function or Hardware Inventory from Inventory Solution; values used: _ResourceGuid, Fully Qualified Domain Name.

  10. The query takes the uuid from csti_amts and looks for a match in the UUID column of Inv_OOB_Capability. If a match is made, it takes the _ResourceGuid from that row and matches it against the same column in Inv_AeX_AC_Location. From the matching row it then reads the value stored under Fully Qualified Domain Name (I'm not sure why they didn't just label this column FQDN...).

  11. Next, oobprov.exe hands the FQDN it read from Inv_AeX_AC_Location, Fully Qualified Domain Name back to SCS. SCS takes this value and inserts it into the IntelAMT database in csti_amts, column fqdn, for the matching resource.

  12. Next, oobprov.exe fetches the automatic profile set within Out of Band Management Solution. This is configured in the Altiris Console under View > Solutions > Out of Band Management > Configuration > Provisioning > Intel AMT Systems > Resource Synchronization. This policy needs to be enabled for this step to work, and a default profile configured and selected under the dropdown labeled ‘Intel AMT 2.0+ to profile:'.

  13. The profile provides the operational data for management of the AMT system. After AMT accepts the profile, the Provisioning process is complete. Before this step, AMT functionality is not available on this system; after it, only properly authenticated functions can use Intel vPro on the provisioned system.

 

Troubleshooting

The following items can be considered break points in this process. If you've done provisioning you may have run into the symptoms they produce. These are compiled as common areas of trouble in this process.

  • The Hello packets only transmit for 24 hours, on a back-off schedule, before stopping altogether. If the server is unable to provision in that time, with IP refreshes becoming more frequent, the system can be left in a limbo state. See this article for steps to rectify: http://juice.altiris.com/article/3612/using-intels-rct-tool-restart-amt-hello-packets-enterprise-provisioning

  • IP address changes or DHCP refreshes during a system's build process can leave SCS with an out-of-date IP address for a system that needs provisioning. Coupled with the preceding issue, this can leave the system in an unprovisioned state with no way for SCS to contact the system to finish the process.

  • The Remote Configuration certificate is not properly installed on the server, producing authentication failure messages in the AMT logs.

  • oobprov.exe is unable to fetch the FQDN. For oobprov.exe to fetch the FQDN, the AMT system needs the Altiris Agent installed, must have sent Basic Inventory while it had a valid FQDN (for example, a system in the process of being built might not have a valid FQDN yet), must have downloaded and executed the OOB Discovery Task, and must have data populated into the OOB Capability data class by that task. Alternatively you can use the option in Resource Synchronization labeled ‘Use DNS IP resolution to find FQDN when assigning profiles'.
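The FQDN lookup described in the Provisioning Flow (the oobprov.exe query from csti_amts through Inv_OOB_Capability to Inv_AeX_AC_Location) and the last troubleshooting bullet describe the same step from two sides: one explains the join, the other lists the ways it comes back empty. The script below is an added example, not oobprov.exe nor any Symantec/Altiris or Intel SCS code. It rebuilds the join in an in-memory SQLite database over constructed sample rows, using only the table and column names the article gives (csti_amts.uuid and fqdn, Inv_OOB_Capability._ResourceGuid and UUID, Inv_AeX_AC_Location._ResourceGuid and Fully Qualified Domain Name); the real tables have more columns, the two real databases are separate, and the sample UUIDs, resource GUIDs, host names, the case-insensitive UUID comparison and the "must contain a dot" validity rule are all assumptions of this example. The second and third sample systems reproduce the two failure cases from the troubleshooting bullet: Basic Inventory sent mid-build with an empty FQDN, and a system whose OOB Discovery Task never populated OOB Capability.

```python
import sqlite3

# --- Constructed sample data (not from any real environment) ----------------
# Each AMT system's Hello packet supplies its UUID; the IntelAMT table
# csti_amts records it with an empty fqdn until oobprov.exe hands one back.
CSTI_AMTS = [
    ("4C4C4544-0001-0000-0000-000000000001", "10.0.0.11"),
    ("4C4C4544-0002-0000-0000-000000000002", "10.0.0.12"),
    ("4C4C4544-0003-0000-0000-000000000003", "10.0.0.13"),
]
# Altiris Inv_OOB_Capability: populated by the Out of Band Discovery Task.
INV_OOB_CAPABILITY = [
    ("{AAAA-0001}", "4c4c4544-0001-0000-0000-000000000001"),  # lower case on purpose
    ("{AAAA-0002}", "4C4C4544-0002-0000-0000-000000000002"),
    # system 0003 never ran the discovery task, so it has no row here
]
# Altiris Inv_AeX_AC_Location: populated by Basic Inventory.
INV_AEX_AC_LOCATION = [
    ("{AAAA-0001}", "ws0001.corp.example"),
    ("{AAAA-0002}", ""),  # inventory sent mid-build, before the FQDN was valid
]

# The join the article describes: csti_amts.uuid -> Inv_OOB_Capability.UUID,
# then _ResourceGuid -> Inv_AeX_AC_Location, read Fully Qualified Domain Name.
# UPPER() on both sides is an assumption: UUID case differs between sources.
FQDN_QUERY = """
SELECT loc.[Fully Qualified Domain Name]
FROM Inv_OOB_Capability AS cap
JOIN Inv_AeX_AC_Location AS loc ON loc._ResourceGuid = cap._ResourceGuid
WHERE UPPER(cap.UUID) = UPPER(?)
"""


def build_db():
    """Create both 'databases' as tables in one in-memory SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE csti_amts (uuid TEXT PRIMARY KEY, ip TEXT, fqdn TEXT);
        CREATE TABLE Inv_OOB_Capability (_ResourceGuid TEXT, UUID TEXT);
        CREATE TABLE Inv_AeX_AC_Location (_ResourceGuid TEXT,
                                          [Fully Qualified Domain Name] TEXT);
    """)
    conn.executemany("INSERT INTO csti_amts VALUES (?, ?, NULL)", CSTI_AMTS)
    conn.executemany("INSERT INTO Inv_OOB_Capability VALUES (?, ?)", INV_OOB_CAPABILITY)
    conn.executemany("INSERT INTO Inv_AeX_AC_Location VALUES (?, ?)", INV_AEX_AC_LOCATION)
    return conn


def lookup_fqdn(conn, uuid):
    """Resolve one AMT UUID to its FQDN. Returns (status, fqdn); the status
    names the break point a troubleshooter would need to fix."""
    row = conn.execute(FQDN_QUERY, (uuid,)).fetchone()
    if row is None:
        return ("no-oob-capability-row", None)   # discovery task never ran
    fqdn = (row[0] or "").strip()
    if "." not in fqdn:                          # empty or bare host name
        return ("fqdn-not-valid", None)          # inventoried before FQDN was valid
    return ("ok", fqdn)


def assign_fqdns(conn):
    """For every csti_amts row still lacking an fqdn, run the lookup and write
    the result back into csti_amts.fqdn. Returns {uuid: status}."""
    results = {}
    pending = conn.execute("SELECT uuid FROM csti_amts WHERE fqdn IS NULL").fetchall()
    for (uuid,) in pending:
        status, fqdn = lookup_fqdn(conn, uuid)
        if fqdn is not None:
            conn.execute("UPDATE csti_amts SET fqdn = ? WHERE uuid = ?", (fqdn, uuid))
        results[uuid] = status
    conn.commit()
    return results


def stored_fqdn(conn, uuid):
    """Read back what csti_amts now holds for a UUID (None if not assigned)."""
    row = conn.execute("SELECT fqdn FROM csti_amts WHERE uuid = ?", (uuid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    for system_uuid, status in assign_fqdns(db).items():
        print(system_uuid, status, stored_fqdn(db, system_uuid))
```

Running the script assigns an FQDN only to the first sample system; the other two stay unassigned with a status that points at which prerequisite from the troubleshooting bullet is missing, which is the distinction you want when deciding whether to re-run the OOB Discovery Task or to resend Basic Inventory from a finished build.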

 

 

 

 

A good resource for troubleshooting issues can be found here:

Conclusion

Knowing the underlying mechanisms can help when troubleshooting or even when planning your environment. While not all details are provided here, the most essential ones are.

Altiris and Intel vPro Use Cases

NOTE: If you have not read parts 1 through 4, please read them before reading this part, as this is a continuation of the story begun in the previous sections.


Learning from previous mistakes, CSO Dan Williams discusses what they can do to better secure the powerful AMT functionality. Since the human factor is the biggest weakness, what can they do to strengthen it? Obviously they can't remove it altogether; they might as well shut the company down. In Intel vPro the human factor can be minimized thanks to the strong security technologies available. AMT can be made more secure, but the continuing threats are emphasized when a computer is hijacked. What can be done to regain control?

Mighty Modern Marketing HQ - Boston, Massachusetts

Bright sunlight filtered through the distant windows, overshadowing the bland fluorescent lights lit above. Jessica Langley watched the distant pedestrians, visible in a narrow view near the street, moving past with varying degrees of enthusiasm. The hot summer was held to the south temporarily by a low pressure system that brought in the cool Atlantic breezes. She imagined being able to hear the conversations of those passing, wondering what they spoke of, and if any of them had as crazy a life as she did.

"Ah, this is the life," Tevita said as he leaned back. He placed his hands behind his head and stretched out his legs, pushing his office chair as far back as possible. With what looked like a deliberately casual gesture he tossed his headset onto his desk.

 

 

"You should be worried," Jessica commented dryly.

 

 

"Worried? Why?"

 

 

Jessica gestured sharply at her phone. "No one can call us with the phones down, so our work is just piling up while we sit here."

 

 

"Hey, we have our mobile phones. If it's not important enough for them to look up our numbers, then why worry about it?"

 

 

"You know that's not how it'll happen. As soon as the phones get up... WHAM! We're here until the sun drops below the trees in the west."

 

 

Tevita's smile lessened, but only a little. "They've been down for two hours. Perhaps they'll be down all day, and we can leave early."

 

 

"Right."

 

 

The Tongan shrugged, and Jessica briefly envied his ability to shove aside problems when they weren't directly in front of him. He could have two amazingly nasty issues to work on, and he'd easily concentrate on one at a time as if the other issue didn't exist. She wished she could compartmentalize in that manner, but when she had two critical issues to work on they hung over her like a dark shroud. Usually the one she wasn't currently working pressed down as if to accuse her of negligence, but she couldn't do two things at once. It wasn't like knitting while watching TV.

 

 

Like now, when she knew issues piled up while their phones remained down. She reached down and pulled up her mobile phone in case she'd missed an incoming call, but nothing showed. She sighed, standing up and stretching. Tevita frowned at her.

 

 

"You aren't going to bug the phone people again, are you?" he asked, as if accusing her of turning him in for some crime.

 

 

"No," she said. "Daniel Williams wanted to talk to me today so I'm heading up to his office."

 

 

"Good. Don't mention the phone issue to the CSO..."

 

 

She rolled her eyes at him, but he only smiled, large hands moving deftly across the keyboard. Without phone call interruptions Tevita would clear out the email queue in no time.

She took the stairs, hoping to work off the donut she'd eaten earlier that morning. It seemed no matter how resolute she thought she was to eat healthier, as soon as someone brought in free goodies her willpower vanished and she indulged. She doubted the climb from the first floor to the third made any real difference, but at least her husband wouldn't get on her case about taking the elevator when she had two perfectly working legs.

 

 

The door to Daniel's office sat closed, and she peeked through the glass pane to the side. Daniel stared at his computer screen, his brows drawn low. He didn't touch the keyboard or mouse, eyes moving across his monitor as if trying to puzzle something out. He had just reached for the mouse when she knocked quietly on the window.

He turned, a smile easing his expression. He waved her in, and she quickly hurried through the door.

"You wanted to see me?" she inquired.

 

 

"Yes, please sit down," he said, gesturing to one of the empty chairs across his desk. She sat while he turned back to his computer.

 

 

"Please watch," he said as he launched Internet Explorer. "I'm going to talk you through what I'm doing, and I don't want you to interrupt until I'm done. Okay?"

Jessica felt a twinge of uneasiness stiffen her spine. "Of course," she responded, trying to instill confidence in her voice. "What are you doing?"

 

 

He only smiled. "First, I've discovered what password I can use to access AMT on all our vPro enabled computers..."

 

 

She stood up. "What...?"

 

 

He held up his hand, not unkindly. "Please humor me."

 

 

She sat back down, her unease blooming. She clasped her hands in her lap so she wouldn't fidget, which usually took the form of smoothing down her already crisp, wrinkle-free dress jacket. She couldn't sit completely still, and found herself tapping her toe. Fortunately the carpet, however uninvitingly bland, muffled the sound.

 

 

"Okay," Daniel continued. "I don't have access to Altiris though I have tried to gain it, unofficially of course."

 

 

"Of course," she said, and quickly clamped her teeth together before she asked another question.

 

 

Daniel continued, "In light of that I've done some Googling and found that AMT has a web interface that anyone can access using a browser. I haven't figured out how yet, but I don't think it'll take me long. Let's see... how to access AMT via a browser... This first hit talks about someone who is unable to access it."

 

 

URL: http://softwarecommunity.intel.com/isn/Community/en-US/forums/thread/30249624.aspx

 

 

"Ah, in his post he says, 'When I try to access the Web Interface (localhost:16992 or name:16992)...' That means I can access my test in the same manner. Let's watch."

 

 

Jessica bit her lip to keep from saying anything, determined to keep quiet until he'd finished his demonstration. She really wanted to ask him how he acquired the password, but she supposed she should wait until he validated that claim first. Plus, he'd asked her to keep quiet, and she didn't want the CSO annoyed with her.

 

 

Daniel clicked on the address bar, deleting the current address. He then typed MMMAMT0043:16992 into the address bar. When he hit Enter the page refreshed, showing him the initial AMT login screen. He clicked the 'Log On' button, which produced a standard Windows security prompt. He entered admin as the username, and then typed in a password. Jessica's stomach dropped. She didn't see exactly what he put in, but it did look like he put in the right password.

 

 

The Intel Active Management Technology web interface appeared, giving Daniel full access to the system. Jessica reached up and rubbed at her eyes.

 

 

"Please tell me you simply asked Tevita for it," she said when he turned to her.

 

 

"No, but no need for you or Tevita to worry about that," he said with what Jessica assumed was a reassuring smile. It didn't help. "I believe I used the same methods our traitorous employee working in cahoots with Nifty Networks used to gain these powerful credentials. I'll be conducting security training for our employees soon to try and plug that method."

 

 

"So how did you do it?"

 

 

Daniel nodded. "Good question, but the better question I'm posing to you is this: how can we better secure the AMT technology? See here under Remote Control? I can remotely reboot this person's system and boot it up into an application I can use to wreak havoc. Nifty, no?"

 

 

She swallowed hard. "No, not nifty."

 

 

"Good. You see the issue. I'm tempted to not tell you how I did it. Mystery lends me an air of the supernatural, or at least my uber-geekness. Why reveal how? That's like a magician revealing his secrets. Once the how is known, it isn't so magical anymore. Okay, so I'm taking far too much pleasure out of this. I simply watched you and Tevita closely and caught you entering the password. It took several tries before I finally got it right."

 

 

The beginning of a migraine colored Jessica's vision. "Great. I thought we had that password locked down..."

 

 

"As I said before, don't worry about it. Everyone is too trusting when entering passwords. I'll address that in our upcoming security meeting. What I want to discuss is how we can rectify this situation. Specifically I want to remedy the fact that anyone who does a smidgen of research will know that the administrative username for AMT is admin. We've handed any potential hacker one half of the credential equation."

 

 

Jessica nodded. "Yes, I see your point. Luckily I already know how to fix that. It's as simple as making the admin password random on each system and using Kerberos to use our Domain credentials for access."

 

 

"Good. The second point is I noticed that I can use a non-secure web address to access this. Can you get SSL enabled for all AMT communication?"

 

 

Jessica nodded again. "Yes, specifically AMT uses TLS, the successor to SSL. I believe I saw an article on how to enable that on Symantec Juice."

 

 

"Even better. Get those measures in place, and let me know when it's completed."

 

 

She nodded, shaking his hand when he offered it. She left his office and headed back down, taking the stairs despite the throbbing in her head. When she reached her cube she noted that Tevita had his headset on, his previous smile absent from his face. She gave him a grin when he glanced over, and this time he rolled his eyes. She should get onto the phones, but she wanted to get those changes implemented as soon as possible so that even Daniel couldn't crack the system... as long as Tevita and she carefully entered their passwords so others couldn't eyeball them.
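Daniel's demonstration reached AMT at hostname:16992 over plain HTTP, which is exactly the second weakness he raises. The following Python is an added example, not code from the original story or from Intel or Symantec tooling: it checks which hosts still answer on the plaintext AMT port and which only answer over TLS. It assumes the AMT web interface's conventional ports (16992 HTTP, 16993 HTTPS), that an unauthenticated GET of /logon.htm draws a Digest challenge, and that the firmware identifies itself with a "Server: Intel(R) Active Management Technology" header. The sample responses, the host MMMAMT0044 and the "fileserver" host are constructed for the example; only MMMAMT0043 comes from the story.

```python
"""Added example: find hosts whose AMT web interface still answers in the clear.
Assumed: AMT on TCP 16992 (HTTP) / 16993 (HTTPS), a Digest challenge on
/logon.htm, and an "Intel(R) Active Management Technology" Server banner.
The responses below are constructed, not captured traffic."""
import re
import socket
import ssl
from typing import Callable, Dict, Optional

AMT_HTTP_PORT = 16992   # plaintext: should go dark once TLS is enforced
AMT_HTTPS_PORT = 16993  # TLS

SERVER_RE = re.compile(rb"^Server:\s*(Intel\(R\) Active Management Technology[^\r\n]*)",
                       re.I | re.M)
DIGEST_RE = re.compile(rb'^WWW-Authenticate:\s*Digest\s+realm="([^"]*)"', re.I | re.M)


def classify_amt_response(raw: bytes) -> Dict[str, object]:
    """Pull the AMT fingerprint (Server banner, Digest realm) out of an HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    server = SERVER_RE.search(head)
    realm = DIGEST_RE.search(head)
    return {
        "status": status,
        "server": server.group(1).decode("latin-1", "replace") if server else None,
        "realm": realm.group(1).decode("latin-1", "replace") if realm else None,
        "is_amt": server is not None,
    }


def fetch_logon(host: str, port: int, use_tls: bool, timeout: float = 3.0) -> Optional[bytes]:
    """GET /logon.htm from host:port; None when the port is closed or the handshake fails."""
    request = (f"GET /logon.htm HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Connection: close\r\n\r\n").encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # fingerprinting only: we are not
            ctx.verify_mode = ssl.CERT_NONE  # trusting the firmware certificate here
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)
    except OSError:
        return None
    finally:
        sock.close()


def audit_host(host: str,
               fetch: Callable[[str, int, bool], Optional[bytes]] = fetch_logon) -> Dict[str, object]:
    """Report whether AMT on `host` is reachable without TLS.
    `fetch` is injectable so the decision logic can be exercised offline."""
    plain = fetch(host, AMT_HTTP_PORT, False)
    tls = fetch(host, AMT_HTTPS_PORT, True)
    plain_info = classify_amt_response(plain) if plain else None
    tls_info = classify_amt_response(tls) if tls else None
    plaintext_amt = bool(plain_info and plain_info["is_amt"])
    tls_amt = bool(tls_info and tls_info["is_amt"])
    if plaintext_amt:
        verdict = "FAIL: AMT answers on plaintext 16992, TLS is not enforced"
    elif tls_amt:
        verdict = "OK: AMT only reachable over TLS on 16993"
    else:
        verdict = "n/a: no AMT web interface detected"
    realm = (plain_info or tls_info or {}).get("realm")
    return {"host": host, "plaintext_amt": plaintext_amt, "tls_amt": tls_amt,
            "realm": realm, "verdict": verdict}


# Constructed responses standing in for live firmware.
SAMPLE_AMT = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"Server: Intel(R) Active Management Technology 5.2.10\r\n"
              b'WWW-Authenticate: Digest realm="Digest:4A1B2C3D", nonce="c0ffee", qop="auth"\r\n'
              b"Content-Length: 0\r\n\r\n")
SAMPLE_OTHER = b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"


def demo_fetch(host: str, port: int, use_tls: bool) -> Optional[bytes]:
    """Offline stand-in for fetch_logon: MMMAMT0043 still answers in the clear,
    MMMAMT0044 (made up) only over TLS, and the file server has no AMT at all."""
    table = {
        ("MMMAMT0043", AMT_HTTP_PORT): SAMPLE_AMT,
        ("MMMAMT0043", AMT_HTTPS_PORT): SAMPLE_AMT,
        ("MMMAMT0044", AMT_HTTPS_PORT): SAMPLE_AMT,
        ("fileserver", AMT_HTTP_PORT): SAMPLE_OTHER,
    }
    return table.get((host, port))


if __name__ == "__main__":
    for name in ("MMMAMT0043", "MMMAMT0044", "fileserver"):
        print(audit_host(name, demo_fetch)["verdict"])
```

Run it against the real fleet by passing the default `fetch_logon`. Two caveats when reading the verdicts: once AMT is in TLS mode the firmware stops listening on 16992, so "FAIL" means the profile has not reached that system yet; and with mutual TLS (the Altiris server presenting a client certificate) the 16993 probe fails during the handshake, so a correctly locked-down box reports "n/a". The Digest realm in the output is a reminder that the local account name is still admin until Kerberos is configured.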

 

 

She sat down and pulled up the Altiris Console. Both changes required a new vPro profile to be pushed down to all the AMT systems, but that was the easy part. She started by enabling TLS on the server. Until she pushed down the new profile, the AMT functions would not work. She leaned over to Tevita, and he glanced at her as she rolled closer in her chair.

 

 

"AMT will be unavailable for a time," she said.

 

 

Tevita reached up and muted his headset. "Why?"

 

 

"I'm enabling TLS. You know, encryption. When I enable it on the server side the clients will not be able to communicate back with the server until I update the profile and they have the right certificates."

 

 

He shivered. "Is that such a good idea? Certificates are tricky... we could easily mess up the whole thing and have no AMT access..."

 

 

"Tevita, it isn't that complicated. I have all the Altiris documentation on how to do it. Besides, there's a specific article on how to do it after the installation, here: http://juice.altiris.com/article/2737/how-enable-tls-within-out-band-management-after-install. Piece of cake."

 

 

"If you say so..."

 

 

"Trust me. If we had a hierarchical structure of certificate authorities, it might get a bit dodgy, but I'm just setting up the one root."

 

 

"Yeah, and the flux capacitor needs just such and such gigawatts of power..."

 

 

"Just read up on it! It's not that hard."

 

 

Tevita spoke for a moment into his headset, and took it off. "I don't know anyone who understands it all that well."

 

 

She planted her hands on her hips. "It's really simple. We give the root CA, aka the King, the credentials that are acceptable. Secondly, the Altiris server gets the credentials so it can work with the CA and the clients. We then load the matching credentials on the clients via the Provisioning Profile. Now everyone has the credentials."

He smiled. "What about client-side and server-side certificates?"

 

 

"Again, simple. Communication is unidirectional for a given parent/child certificate set. With basic TLS in vPro, all the clients have server certificates. The Altiris Server uses a client certificate to authenticate with the client so that the client machine will accept the AMT commands sent it."

 

 

"Alright. That sounds simple enough, but what about the CA? What's that for?"

 

 

Jessica looked at him, her eyes narrowing. "What's with the third degree? 'Tell me Master Qui-Gon. What are midichlorians'?"

 

 

Tevita burst out laughing. "Am I that transparent? I didn't know you liked Star Wars..."

 

 

"I don't. Like that movie quote, your questions are contrived..."

 

 

"Hehe, yeah. I'm just trying to prove a point. It's not that simple..."

 

 

"But it isn't that complex, either. The CA tells the server-side component (the AMT Client) if the client connection (from the Altiris Server) is to be trusted. I know having the AMT clients act as the server seems a bit backwards, but since we want AMT functionality to be secure, it makes sense. The Altiris Server that tells AMT what to do needs to prove itself. This ensures a rogue server can't just initiate any AMT functionality without having the proper certificate. So the server provides a client certificate, which the AMT system authenticates with the CA before allowing the Altiris Server ‘in'."

 

 

"Okay, okay. That sounds simple enough. I'll be sure to avoid AMT until next week when you get TLS finally working... kidding! Take it easy, I'm just joking."

 

 

She wanted to keep the stern look on her face, but a smile cracked through. "You just watch it, Mister."

 

 

Jessica turned her attention back to the Altiris Console. She opened up a browser on her second monitor and pulled up the Juice article she'd shown Tevita. She walked through the steps, sometimes checking back on the Altiris Administrator's Guide for Out of Band Management, found at http://www.altiris.com/Support/Documentation.aspx. She finished the processes except for updating the profile since she needed to also update the Admin password settings.

 

 

She browsed in the Altiris Console under View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and clicked on Provision Profiles. She highlighted her active profile and clicked the pencil icon in the icon bar to edit it. Under the General tab, to the right of the window, she changed the "Intel® AMT 2.0 password" setting from Manual to Random creation. She then clicked on the TLS tab and, using the previous directions, enabled TLS within the profile.

 

 

She sat back as she clicked OK. Now that the Altiris Server was setup properly, she needed to push the new profile out. From her place in the console she backed up into the Provisioning folder, and then expanded the Intel AMT Systems folder and highlighted the Intel AMT Systems node. All Intel AMT Systems showed within the right pane. She clicked on the top one, scrolled down, and, while holding shift, clicked on the bottom one. She right-clicked and selected the ‘reprovision' option.

 

 

With a sly smile she glanced over at Tevita. He wore his headset again, though he looked less stressed than before. She rolled over and wrote on his whiteboard "AMT back up in a few hours". For the time being they could rely on the Runtime Profile for authentication. Since Altiris tracked the random Admin password for every system, access through Altiris would keep working, and nobody who had shoulder-surfed the old password could use it. However she needed to quickly implement AD integration with Kerberos authentication just in case.

 

 

She got up to take a quick break. She stretched, looking out over the cubes. She froze in mid stretch for a moment, before quickly pulling down her arms, her eyes widening. Two men in blue jumpsuits walked nonchalantly through the building, one holding a sheaf of what looked like generic forms and the other with a nondescript box. Despite their "non"-threatening postures, something about them bothered her. At first she simply watched them, trying to figure it out.

 

 

The man in front emanated confidence like a shiny sword and shield, his smile infectious and full of perfectly white and straight teeth. His strong features seemed chiseled from brilliant marble, as if he'd been carved amid the statues of Rome. Not one of the rich brown hairs on his head stood out of place, his hazel eyes roving over the office as if memorizing all the details. He didn't act suspicious, but his very manner belied the blue-collar worker outfit he wore.

 

 

Right behind him strode the other man. He wore a beard, a hat pulled low over his eyes. She squinted, hunching down a little so she didn't rise so high above the cube walls. He carried the box, his muscles tensed. He walked jerkily, each step seeming just a little unsteady. Sweat beaded on what little she could see of his forehead.

 

 

"Tevita," she whispered. "Does that guy look familiar to you?"

 

 

He appeared beside her. "Who? Those two delivery guys?"

 

 

"Yes. The one carrying the box."

 

 

Tevita turned to stare at her. "It's the ninja!"

 

 

She shook her head, though the sudden clenching in her stomach belied the action. "No way, he's in jail, right?"

 

 

"Probably not. He didn't threaten anyone or do any actual damage, and the price of the hard drives he tried to steal doesn't equal enough to be a felony, especially since he claims he was only after the hardware..."

 

 

"But why come back here? We know who he is..."

 

 

He just shrugged. "Maybe he's turning a new leaf..."

 

 

She gestured at the other man just as they disappeared into the stairwell. "Maybe, but that other guy gives me the creeps. I wouldn't be surprised if his name happens to be Lex Luthor."

 

 

Tevita nodded. "Let's follow them."

 

 

She shook her head. "No way! Let's just call security and let them deal with it."

 

 

The Tongan only shook his head slowly. "The security company might be too slow to respond. Heck, they took forever to show up when our ninja friend showed up the first time. You go tell Bobby and I'll shadow these two shifty guys."

 

 

Before she could respond he hurried away, surprisingly quiet for his bulky, muscled size. She clenched her teeth together, torn by indecision for a few precious seconds. She then turned and hurried towards the server rooms, hoping Tevita wouldn't get himself into too much trouble.
END Part 5

This concludes Part 5. This cliff-hanger will be continued in an even more unbelievable conclusion, Part 6. Now that the competitor has breached the office once again, can Mighty Modern Marketing's IT staff protect their infrastructure, data, and themselves from this all-out attack?

 

NOTE: If you have not read parts 1 through 3, please read these before reading this part as this is a continuation of the story begun in the previous sections. Altiris and Intel vPro Use Cases
Security is only as tight as the weakest link in your environment. More often than not the security holes are created internally, either inadvertently through carelessness or intentionally by a disgruntled or disillusioned employee. The hardware and software security can be top of the line, but if the human factor doesn't adhere to policy, it may not make any difference. This part follows the IT team for Mighty Modern Marketing as they try to track down a security hole through which productivity is being attacked with the very tools used to defend and manage the network.
Mighty Modern Marketing HQ - Boston, Massachusetts

Somehow the air inside the building congealed hotter than the heavy, humid swelter wallowing outside. Tevita, sweat running down the sides of his face, fanned himself with an empty binder. He stared at his screen, the image on it frozen.

 

"I think one of the servers seized up," he said. Jessica Langley glanced at her Remote Desktop window. The previously blinking text cursor in the script she was editing no longer blinked, and as she watched the disconnected icon appeared, the remote screen graying out. She closed it with a quick click of the white-on-red X.

 

 

She took a long drink of water. "If they don't fix the AC soon, I'm going home," she announced.

 

 

"They'll have it up soon. Besides, it's never been so quiet here. I only have one system running, and I think I'm approaching something like Zen. Either that or I'm about to pass out."

 

 

"Any more missing application tickets?"

 

 

Tevita groaned. "Oh yeah. Five so far today. It's like the uninstall faerie ran around randomly touching computers with her magic star-wand. I've taken care of it."

 

 

Jessica stood, feeling sodden. "Thanks. I'll check on Bobby to make sure he hasn't suffered from heat stroke."

 

 

The server room actually felt cooler despite the cacophony of running servers that reminded her of the sound and feel of a jet engine escalating towards takeoff. Somehow Bobby had created a wind tunnel with large fans, and she felt her hair whip away from her as she stepped directly in the wind's path. She shielded her eyes and walked to the developer's cube area. The pull of the moving air seemed to try and yank her off her feet by her dress-suit jacket. She folded her arms as she stepped into the relative stillness of the cube.

 

 

Bobby looked like a wilted plant. He looked up, and sighed. "What, IM down again?"

 

 

"Of course not," she responded with a smile. "You holding up in here?"

 

 

He shrugged. "I'll survive, though it reminds me of Phoenix, Arizona, except here it's like standing in front of a vat of boiling water. Phoenix is like standing in front of the open door to a blast furnace."

 

 

"The SQL Server locked again."

 

 

Bobby nodded. "I did a hard reset just a minute ago. I had to open the case and point a fan right at the CPUs. I think it'll stay up this time."

 

 

"Good."

 

 

Bobby shrugged again. He looked back at his screen, then back up at her. "You need something else?"

 

 

"Not really. You want to go to lunch with Tevita and me? The local Italian place has great AC."

 

 

"No, I'm good. My lunch cooked itself in this heat, so I ate already."

 

 

"Alright. See you later."

 

 

When she returned Tevita still sat in front of his computer, sweating profusely. He looked up as she passed by, a frown on his face.

 

 

"The facilities guy just passed by," he said as she sat down. "He says someone deliberately messed with the AC. He's fixed it and says it'll be up and running any time now."

 

 

"Someone sabotaged the AC?" she inquired.

 

 

"Yep."

 

 

She sighed. "Just when I thought we were done with the underhanded antics."

 

 

Tevita nodded. "The AC guy put thick padlocks on all the control panel cases. Too bad we don't have any way to track who goes in and out of that room. A magnetic badge reader would work."

 

 

The next hour passed in receding misery as the AC kicked on and began liberating the employees in Mighty Modern Marketing's headquarters from the oppressive heat. Jessica checked the Altiris Notification Server logs, ignoring the SQL errors from the times the SQL server seized up. Except for an occasional error where an event arrived for a package already deleted from the Notification Server, the logs looked clean.

 

 

"Mrs. Langley," Edgar's dry tones greeted.

 

 

Right on cue, she thought. Despite the heat things had been going too smoothly. She turned around and stood.

 

 

"Hello Edgar."

 

 

"I wanted to let you know that the budget we set aside for the mess with New Nifty Networks is on target, thanks to everyone's diligence," he said, eyes briefly moving down to the papers clasped in his hands. "We've even been able to devote some resources to Legal. It won't be long before we can put this whole ordeal behind us."

 

 

Tevita rolled over in his chair. "What, and I've done nothing?" The expression on his face and tone of his voice took away any sting of the words.

 

 

"Both of you have performed exceptionally," Edgar said, shuffling the papers in his hands. "Though it's not official, I believe you will both receive merit increases for your performances."

 

 

"You're kidding!"

 

 

"I do not kid, Mr. Tatafu."

 

 

"So be honest, was it hard to allow that through?"

 

 

The barest hint of a smile touched the corners of Edgar's thin lips. "Yes, adding my approval felt much like pulling out stitches. Now don't you both have work to do?"

 

 

He shuffled away, his posture a little bent.

 

 

Tevita gave Jessica a thumbs up. "Ha! So some good is coming from this whole competition nightmare."

 

 

"Perhaps," she said noncommittally, having trouble suppressing a smile. "It's not over yet, not until this school-friend of Mr. Johnson's finally gives up. I'm hoping it happens soon so we can go back to normal."

 

 

"Normal?" countered Tevita. "When is IT work normal? It changes faster than the seasons."

 

 

She opened her mouth to respond when her telephone rang. The caller ID noted Johnson. She quickly picked up the handset.

 

 

"Mighty Modern Marketing, this is Jessica," she greeted as cheerily as she could.

 

 

"Jessica, this is Mr. Johnson," greeted the CEO. "Can you please come up to my office immediately? We have a sensitive matter to discuss."

 

 

"Of course. I'll be up right away."

 

 

"Please have Tevita join us as well. See you in a minute."

 

 

"Will do. Thanks. Bye."

 

 

When she looked up Tevita had his day planner in one hand, the other locking his computers.

 

 

"Ready for lunch?" he inquired.

 

 

"Change of plans," she said, rising. "Mr. Johnson wants to see us in his office immediately."

 

 

Tevita stared at her for a moment, then tossed his planner onto his chair, a wry smile twisting his mouth. "Wonderful. Somehow even though everything he says sounds enthusiastic and wonderful, we end up with a pile of work."

 

 

"Job security," she responded.

 

 

The CEO's office, remarkably, looked very much like the other offices in the entire building. She glanced through the window on the door, then knocked politely. Mr. Johnson, looking as refreshed and lively as ever, waved her in. The building continued to cool, but still hovered near eighty degrees. Though she felt sweaty and rumpled, Mr. Johnson appeared completely unaffected by the heat, his hair perfectly combed and his clothing pressed and clean. He smiled warmly as they sat down in the two chairs set before his desk.

 

 

A man sat next to him, and though she knew she should know who he was, she couldn't place his face in her memory.

 

 

"Thank you for coming up so quickly," he said, rising to shake their hands. "This is Dan Williams, Chief Security Officer."

 

 

She said hello, shaking Dan's hand. Funny how she knew the name so well from countless emails and conference calls. She felt she knew him despite only seeing him on rare occasions, all from electronic or audio correspondence. Somehow she'd never put that voice with this face.

 

 

"Jessica, Tevita," he said by way of greeting in that familiar voice. "We need to meet more often, especially with how much I depend on both of you."

 

 

"Definitely," Tevita responded as he sat down.

 

 

Jessica had trouble controlling a laugh that threatened to escape. "Mr. Williams, you don't look like I imagined."

 

 

Dan smiled, amusement dancing in his eyes. "What did you think I looked like?"

 

 

She blushed. "Well... you sound like Chuck Norris. But you're more like..."

 

 

Mr. Johnson started. "Chuck...?" He burst into laughter. Tevita's booming laughter joined in as Dan's smile grew wry. Jessica wondered if someone could faint from embarrassment, and imagined she looked as red as a tomato.

 

 

"Sorry, I like yoga, but not much of a martial arts guy," Dan said, trying not to laugh.

 

 

"Alright," Johnson said with a deep calming breath. "Without further preamble, I'll let Dan discuss the situation."

 

 

Dan nodded. "As you are well aware of our situation with our friends over at New Nifty Networks, what I'm about to show you shouldn't come as much of a surprise. We have a plant."

 

 

"A plant?" Tevita inquired. "Like a house plant?"

 

 

Jessica covertly elbowed him in the ribs as he chuckled.

 

 

Dan continued, undaunted. "Someone here is feeding information to our competitor. We're tracking this using email, etc, but the trail is long and convoluted. We think this spy, for lack of a better term, is also sabotaging our business here. While we're pretty sure he or she disabled the air conditioning, we don't have enough data to even begin to narrow down who it could be. There are other things happening that I believe you'll be able to help us with.

 

 

"You see, we believe he's somehow obtained access to your management tools. We've had increased cases where vital software has been mysteriously uninstalled from systems."

 

 

Jessica exchanged a look with Tevita. "We have had a large amount of emergency software deployment tickets," she said.

 

 

"The tickets always say the shortcut is missing," Tevita added.

 

 

"Exactly," Dan continued. "Depending on the user, this can severely hamper our productivity. Since some of the computers are locked behind office doors I'm assuming they're using management software to accomplish this. Is Altiris capable of this?"

 

 

"Yes," Jessica answered. "However you need rights to do anything."

 

 

"And that will be to our advantage. Please look through any auditing or logging done by Altiris and see if you can figure out how this individual is uninstalling applications, what credentials he or she is using. Any evidence or data you capture please forward to me."

 

 

"We will," Tevita responded.

 

 

Back at her desk, Jessica pulled up the Altiris Console. Events would allow her to see if any Software Delivery or similar jobs had been scheduled to run on the affected systems. They had uninstall programs set up for most of their managed applications. She browsed in the Altiris Console under View, Solutions, Software Delivery, Tasks, Windows, Software Delivery Tasks. The first task she chose uninstalled their accounting software, one of the applications the spy, or whatever he or she was, liked to target. She did a quick scan to ensure no new tasks had shown up.

 

 

She clicked on the Status tab. Once the tab loaded she used the dropdown labeled, "Display computers on which this task ran:" to set it to "All". Once the grid loaded she clicked on the top of the "Attempt Time" column to sort by date, and looked at the last week's runs. Only three showed up, and all of them had been scheduled by either her or Tevita.

 

 

"Any luck?" Tevita asked, his head rising above his cube's wall.

 

 

"Nothing yet. I guess it's possible they created a task and then deleted it after each execution."

 

 

"Yeah, but there's an ItemDeleted table that we can look at to see if that's occurred."

 

 

He walked into her cube and sat down on the spare chair. He used her secondary system to open SQL Enterprise Manager, launched a query window, and ran the query:

 

 

SELECT ItemName FROM ItemDeleted
WHERE ItemName LIKE '%Accounting%'
AND ItemClassGuid = 'D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'

 

 

"This class-guid here represents Software Delivery Tasks," Tevita explained as he ran the query. "Nope, nothing. Let me try one more query, this one more generic..."

 

 

SELECT * FROM ItemDeleted
WHERE ItemClassGuid = 'D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'
ORDER BY DeletedDate

 

 

"Okay," he continued. "I don't think he used Software Delivery. I don't see any Tasks deleted recently enough to account for all the uninstalls reported."

 

 

Jessica nodded. "Hmm. If he didn't use this, then the only other two options I can think of are Deployment Server and Task Server."

 

 

Tevita smiled. "No chance with Deployment Server. I've changed the management credentials recently and blocked everyone else out. Since only you and I use it, I figured with all the security stuff going on I'd better be safe, not sorry."

 

 

She blinked. "I didn't know you'd locked... I guess DS is your baby."

 

 

"You know it. So, do you think Task Server could really be it? Wouldn't he need to know scripting?"

 

 

"Not necessarily. There's a ‘Deliver Software' task available that can run any Package-Program we have available in Software Delivery. Let me look through here... I don't see any Jobs or Task Server tasks that reference the uninstall program. The ItemDeleted would have deletions if he'd done that. But you used the standard Software Delivery Tasks, right? Can you do one for Task Server Tasks?"

 

 

Tevita scratched his chin. "I think so. In fact we don't delete things that often. Let's try this..."

 

 

SELECT * FROM ItemDeleted
ORDER BY DeletedDate

 

 

"Okay. A few deletions, but they all look straightforward. Computers purged, a couple of Software Portal requests... but nothing that looks like a Task Server task. Wait... what's this? Bobby deleted a task named WOfW? This was last week. If I didn't know better, I'd say he's been playing with Software Delivery and World of Warcraft."

 

 

Jessica grinned. "You think he wants to roll it out company-wide? I can see it now. ‘Productivity hits an all-time low, though the average level of Mighty Modern Marketing exceeds fifty'!"

 

 

Tevita laughed, pointing at her. "I didn't know you knew enough about gaming to make a joke like that!"

 

 

"Right. Like you don't bring it up every week. It was bound to rub off on me at least a little."

 

 

"This looks clean. That doesn't make sense. Perhaps Dan's wrong, and whoever's responsible for this isn't using Altiris."

 

 

Jessica shook her head. "He's right, I don't think this could be done at this rate any other way. Either they're using a different method, or they have intimate knowledge of Altiris."

 

 

Tevita leaned back, looking up at the ceiling. Jessica placed a fingertip on her lips, thinking furiously. If Software Delivery and Task Server weren't used, and the evidence suggested as much, what other method could you use to remove software? They planned on using pcAnywhere for remote control, but it wasn't up and running yet in the Altiris environment. Tevita used the simple Remote Control feature in Deployment Server, and she still used Carbon Copy. She'd disabled access to it in Altiris and used the stand-alone product that only existed on her system, for security reasons. Could they have a rogue copy of Carbon Copy installed...?

 

 

"What about vPro?" Tevita inquired abruptly, interrupting her thoughts.

 

 

"Serial-Over-LAN doesn't work in Windows currently," she responded. "No other remote application abilities... it's really considered an out of band management interface."

 

 

"Yeah, but if you built a remote tool into an ISO, using IDER, couldn't you use that?"

 

 

"In theory, yes... In fact if you ran an IDE redirect with something like that you could do whatever you wanted to the system."

 

 

"Exactly."

 

 

Jessica smiled. "And we have an actual activity log."

 

 

In the Altiris Console she browsed to View, Solutions, Real-Time Console Infrastructure, Tools, and clicked on "Activity Log". She scanned down the entries.

 

 

"Well, well," Tevita said, leaning forward. "Our friend has been busy."

 

 

The icon for a redirection session looked like two plugs joined together. The other pertinent columns were Client, the IP address of the computer the session came from; User, the credentials used to execute the action; Host, the hostname of the destination computer; Description, the path to the ISO; and Technology, the method used. Multiple RTSM sessions showed a redirection to an ISO named RemoteControl.iso. The path led to a UNC share.
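The triage Jessica does by eye on the Activity Log (IDE-R sessions, the shared admin account, an ISO on a UNC share) is the kind of check worth scripting against an export of the log. The following Python is an added example, not code from the original story or from the Altiris product: it parses a CSV export with the columns described above and flags redirection sessions that used the local admin account, came from a client outside IT, or booted an image from a share other than an approved one. The CSV layout, the IT staff client addresses, the approved share, the named accounts MMM\jlangley and MMM\ttatafu and every log row are constructed for the example; a real RTSM export may be shaped differently.

```python
"""Added example: triage an exported RTSM activity log for IDE redirection
sessions that deserve a closer look. CSV layout, column names, staff client
addresses, approved share and every log row are constructed (assumed), not
taken from a real Altiris export."""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed export. Time/Client/User/Host/Description/Technology mirror the
# columns described above; MMM\jlangley and MMM\ttatafu are made-up accounts.
SAMPLE_LOG = r"""Time,Client,User,Host,Description,Technology
2009-07-14 09:02:11,10.1.4.77,admin,MMMWS0312,\\mmmfs01\public\RemoteControl.iso,IDER
2009-07-14 09:40:53,10.1.4.77,admin,MMMWS0118,\\mmmfs01\public\RemoteControl.iso,IDER
2009-07-14 11:15:02,10.1.2.20,MMM\jlangley,MMMWS0044,Power on,AMT
2009-07-14 13:22:47,10.1.4.77,admin,MMMWS0205,\\mmmfs01\public\RemoteControl.iso,IDER
2009-07-15 08:05:30,10.1.2.21,MMM\ttatafu,MMMWS0077,\\mmmsms01\boot\winpe.iso,IDER
2009-07-15 16:48:09,10.1.4.77,admin,MMMWS0330,\\mmmfs01\public\RemoteControl.iso,IDER
"""

IT_STAFF_CLIENTS: Set[str] = {"10.1.2.20", "10.1.2.21"}  # assumed: Jessica's and Tevita's desks
APPROVED_ISO_SHARES: Set[str] = {r"\\mmmsms01\boot"}     # assumed: the sanctioned boot-image share


@dataclass
class Finding:
    time: str
    client: str
    user: str
    host: str
    iso: str
    reasons: List[str]


def parse_activity_log(text: str) -> List[Dict[str, str]]:
    """One dict per exported row, keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def share_of(path: str) -> str:
    r"""\\server\share\dir\file.iso -> \\server\share, case-folded for comparison."""
    parts = path.strip("\\").split("\\")
    return ("\\\\" + "\\".join(parts[:2])).lower()


def triage(rows: Iterable[Dict[str, str]], staff_clients: Set[str],
           approved_shares: Set[str]) -> List[Finding]:
    """Flag redirection sessions that used the shared local admin account, came
    from a machine outside IT, or booted an image from an unapproved share."""
    approved = {s.lower() for s in approved_shares}
    findings: List[Finding] = []
    for r in rows:
        if r["Technology"].upper() != "IDER":
            continue  # only redirection can boot the target into a foreign image
        reasons = []
        if r["User"].lower() == "admin":
            reasons.append("shared local AMT admin account rather than a named user")
        if r["Client"] not in staff_clients:
            reasons.append("session started from a client outside IT")
        iso = r["Description"]
        if iso.startswith("\\\\") and share_of(iso) not in approved:
            reasons.append("boot image served from an unapproved share")
        if reasons:
            findings.append(Finding(r["Time"], r["Client"], r["User"], r["Host"], iso, reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Counter]:
    """Where to look next: which client and which image account for the flagged sessions."""
    return {"by_client": Counter(f.client for f in findings),
            "by_iso": Counter(f.iso.lower() for f in findings)}


if __name__ == "__main__":
    flagged = triage(parse_activity_log(SAMPLE_LOG), IT_STAFF_CLIENTS, APPROVED_ISO_SHARES)
    for f in flagged:
        print(f.time, f.client, f.user, f.host, f.iso, "; ".join(f.reasons))
    print(summarize(flagged))
```

On the constructed data the four RemoteControl.iso sessions from 10.1.4.77 trip all three rules while Tevita's WinPE boot from the approved share is left alone. The per-client count is the lead Jessica hands to Dan: RTSM leaves no trace on the target, so the source address and the share the image was served from are the only footprints, and "admin" in the User column only says that whoever it was knew the shared AMT password.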

 

 

Jessica pulled up the contents. "Jackpot."

 

 

Tevita shook his head. "Too easy. If they know how to create ISOs of that nature and use RTSM to deploy them, did they actually think there wouldn't be some sort of logging?"

 

 

"I don't know. RTSM is unique in that it isn't dependent on an agent at all, so there is no logging client-side. Still... perhaps whoever's doing this didn't create the ISOs and is just in charge of running it. And we aren't done yet. Note that the User is all listed as admin. This means he or she is using the AMT credentials available on all systems."

"Oh. Can't exactly blame the invisible AMT admin..."

"No, but we can change the password easily. Before I do that, I'll send Dan the information on the share. That share should have some sort of user footprint his team can get to."

She quickly sent the email with all the information. She explained that she would change the admin password so that this rogue user could no longer use this method. After sending it she browsed in the Altiris Console to View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and selected Provision Profiles. She double-clicked on the profile they used for all systems. Under the Administrator Credentials section to the right, she changed the password under the Manual radio option. She clicked OK to save the changes.

Next she browsed back up to Provisioning, and into Intel AMT Systems, selecting the node Intel AMT Systems. When the frame loaded, she clicked on the icon on the icon bar that looked like a system with refresh green arrows surrounding it, labeled: Re-provision. She hadn't selected any systems so she selected the only live option, "All systems". She clicked OK to execute.

"That should do it," she said aloud.

"A re-provision?" Tevita asked.

"It's a simple way to send down the changes in a profile to the systems. It'll take some time to cycle through all the systems, but soon all systems will have the new AMT admin password set."

Tevita leaned back. "So we're done?"

"For now, unless you have any ideas for further tracking this guy...?"

The rest of the day proceeded smoothly, with only one more reinstall helpdesk ticket coming in. By the next day no new tickets had developed, and things had settled down to normal. Dan said he had enough to identify the perpetrator, but said no more on the subject.

He did say one thing very firmly. "All the security we can muster is worthless if those with the right privileges are not careful with their credentials."

Further, he requested they review their procedures concerning the AMT admin password. Was it written down anywhere? Did they ever say it out loud? Though neither knew how the password was originally stolen, the increased care with which they handled passwords became a driving program within the company. Security was everyone's job.

At the end of the week, as Jessica headed away from Boston on the Redline Commuter Train, she hoped they'd seen the end of the targeted attacks, but in her mind she already looked through her current policies and processes to see where she could increase security.

End Part IV

Altiris provided not only an audit trail to track potential rogue usage of RTSM, but it also provided a very quick and efficient way to change security within AMT when somehow the credentials are compromised. Is this the end of the threats against Mighty Modern Marketing? Only time will tell.

If you have not read parts 1 and 2, please read these before reading this part as this is a continuation of the story begun previously.

http://juice.altiris.com/book/4687/altiris-and-intel-vpro-use-cases

From the OS level, vPro has tools to help quarantine and remediate compromised systems, as demonstrated in Part 2. This section explores the capabilities at the hardware layer, completely below the OS and any related dependencies. Can the IT staff continue to respond well to threats and avoid outages that endanger the business's wellbeing? When the gloves come off, sometimes even the most secure networks are vulnerable.

Mighty Modern Marketing HQ - Boston, Massachusetts

"This is Jessica, how can I help you?"

The voice that spoke through the headset caused her to flinch, and she moved the earpiece two inches away from her ear.

"This can't be happening now!" the voice exclaimed loudly.

"What's the problem?" she responded calmly, hoping the user would match her volume.

He didn't. "The timing is the worst possible, since the end of quarter is only two days away! I need my computer up and running two hours ago!"

"Let me see... I'm speaking to Mitch Cavanaugh, correct?"

"Yes," he responded, his voice dropping a trifle. "My computer isn't booting, and I have sales to approve and record. If I don't get this up quick, we may not be able to add this revenue this quarter!"

"I understand," she said as she used the Altiris Console under the All Computers Collection to find his computer. She double-clicked on it, bring up Resource Manager.

"I see you're using an HP 7800..." she began.

"I need this problem fixed pronto," he interrupted.

"Of course," she said, clicking on the ‘Real-Time' tab. "Give me just a moment."

She smiled, feeling a warmth from the fact that she'd made sure those with the most business-critical functions got the vPro systems first. The Real-Time tab loaded, revealing the function tree in the left-hand pane. She noted immediately that only the AMT functions loaded, and that the system's power state was on.

"I can see," she said when she heard a sound of irritation on the other line, "that while there is power to your computer, the operating system is not loading."

A pause followed her comment. "Really?" Mitch responded, the edge on his voice disappearing. "You can tell me that already? Usually I have to tell you IT people everything... that's great. So do you know what's going on?"

"Give me another moment," she said in her most pleasant voice. She clicked on the Hardware Management node in the left tree. After the page loaded, she choose the reboot radial under the Remote power management section. Under Redirection options she check the box, "Display task progress and remotely control computer". Next she clicked "Run Task Now". When the page began to refresh a new window popped up, showing her the boot of the computer.

"Wait, my computer just rebooted..." Mitch said, sounding suspicious.

"Yes, I just initiated a reboot," she responded. "I'm going to watch the boot from here."

"You can do that? I thought I had to be in Windows for that to work."

When the boot verified devices on the system she noticed that no hard drive was detected. The message "No boot device" appeared.

"Okay Mitch, the computer isn't recognizing the hard drive for some reason. Give me a moment to check a few more things."

"Is that fixable?" Mitch inquired.

"I don't know yet. Give me a moment."

She rebooted again, but also added the "Enter BIOS on startup" option by checking the box. The remote window reappeared, this time entering the BIOS. She looked under the IDE channels, but no hard drive was listed.

"Okay Mitch, I've determined that your hard drive isn't being detected at all by the computer. Since you have critical work to perform, we'll immediately image and restore your data to a backup system using Deployment Server and Symantec's Backup Exec. It should take about 30 minutes. Tevita Tatafu will bring it by then. It's about lunchtime. Can you take a short break?"

"Well... it is a little early for lunch, but that should work."

"Alright Mitch. Anything else?"

"No... I just hope the backup had all my files on it."

"It should."

"Thanks."

She leaned back as she hung her headset by the phone. "Tevita?"

He swung out of his cube, a huge smile on his face. "Mr. Cavanaugh having problems?"

"Yeah," she responded.

"He's such a joy. Did you know he was the one who got impatient waiting in line at the vending machine so he ran to the nearest Dunkin Donuts, opening the door fast enough to knock Edgar flat on his back?"

"You be nice," scolded Jessica with a stern look. "He may have anxiety issues, but he's a spot on accountant."

Tevita laughed richly. "Spot on, eh? And what do you know about Accounting?"

"I got a Masters from University of Chicago's Graduate School of Business, in Accounting."

"You did?"

"Yes. Now don't make me a liar and get that machine to Mitch ‘pronto'."

Tevita laughed, but got up and headed to the equipment room. Jessica sorted through her email. She wanted to clear out her inbox but only halfway through the process Tevita returned, no longer smiling. His mouth bent down in a frown she rarely saw, and usually only when he was about to explode with anger. His eyes didn't seethe, but looked down at a computer in his hands. He sat down and rolled his chair over towards her cube.

"It really is missing the hard drive," he said, expertly using the buttons on the side to open the case. He pointed to an empty bay. "It should be in here, but... well... the IDE cable was cut, right here. Seems stupid, since they had to unscrew the drive, but..."

She stared at the empty bay. "Someone stole his hard drive?"

Tevita nodded. "It looks that way. Mitch said he only left to take a restroom break, and when he came back the system was off and wouldn't boot."

"This isn't good..." Jessica started to say.

"Guys!" Bobby said loudly, his voice piercing through the area like a gunshot. They both stood up, staring at the gangly developer loping towards them from the door to the server room.

"The sky must be falling," Tevita said, but despite the amusement in his voice his mouth only twitched once in an upward smile.

"What's wrong?" Jessica asked.

Bobby took a deep breath. "It's a ninja. I swear by my grandma's heirloom earrings that a ninja just showed up in the server room!"

"A ninja!!?" Jessica exclaimed.

Tevita looked down at the computer he held. "Bobby, that's not funny..."

Bobby threw his hands up. "You know I don't have an imagination, or much of a sense of humor. Didn't you used to call me Cardboard Boy?"

"Yeah, but I stopped after you randomly locked out my user account at the worst possible moments..."

"I'm not kidding."

Jessica, feeling like she'd just stepped off a rollercoaster, reached out and put a hand on the wall. "Bobby, you mean to tell me there's a ninja loose in the building?"

"Well.. no. He's lying unconscious in the server room."

Tevita gave her a quick look, then bee-lined towards the door to the server room. Jessica wanted to run the other way, but Bobby gave her a helpful shove on the back towards the room. She glanced behind at him, and he blushed.

"Sorry, but the more witnesses the better."

The figure sprawled out on the floor clutched a hard drive in his black-gloved hands. He didn't look like a real ninja, but a black ski mask that looked similar to a ninja wrap covered his face. A goose-egg on his forehead the size of a golf ball, halfway hidden by the mask, seemed to say loudly why he wasn't conscious. Jessica found herself staring, her mouth hanging open and her hand moving up to cover it.

"Oh my gosh," she said, her voice embarrassingly high-pitched. Her heart hammered in her chest as if she'd just jumped off a cliff

Tevita gave Bobby a searching look. "Do you know martial arts or something?" he asked.

"No. I thought I heard something while I was bringing back the two new demo laptops, so I went to check it out. When I saw him, I just reacted."

"What did you do?"

"Well... I had a MacBook Air in my left hand, and a Panasonic Toughbook in the right. The MacBook might be thin enough to decapitate a ninja, but more likely it would have bounced off his skull without slowing him down, so I threw the Toughbook."

Tevita reached out with his toe and nudged the intruder.

"We should leave and call the police," Jessica said, edging towards the door.

"He's out cold," Tevita said, reaching down to pick up the Toughbook. The screen gleamed beautifully, no sign of damage despite being used as a blunt weapon. "Too bad these aren't vPro yet," he said.

"I called the police," Bobby said. "They should be here soon."

The next half-hour moved as if in a dream. Jessica felt like she'd stepped out of the real world and into some crazy movie. Slowly the facts of the intruder came to light, and like wiping away the mist on a foggy window things didn't seem as ridiculous as they first seemed.

The man had been hired to steal a specific hard drive. He was fully cooperative with police, apologetic for getting caught and worrying everyone. He indicated he wore the mask not as an intimidation method, but to remain incognito to security cameras. The police cuffed him and off he went, leaving everyone standing there in disbelief.

"Is that Mitch's hard drive?" she finally asked Tevita, who had retrieved the hard drive the "ninja" held.

Tevita pointed to the connector of a cut IDE cable sticking out the back. "It looks like it..."

Bobby took the drive, hefting it, his small eyes squinting. "No, this is a RAID drive. He 'raided' a server..."

Jessica stared at him as he chuckled. Tevita stared for a moment, and broke into a wide grin.

"And you say you have no sense of humor," he said with a laugh.

"My Dad told me puns don't count," Bobby responded.

"What about the data on Mitch's hard drive?" Jessica inquired. "I know he had confidential, sensitive information on it."

Bobby shrugged. "Nothing we can do about it unless we can find it. It wouldn't be the first time."

She shook her head. "Too bad vPro doesn't have disk encryption yet. I know they're working on it."

Bobby's head perked up. "vPro with disk encryption? Nice."

The receptionist motioned to Jessica, and she walked over.

"Mr. Johnson has called a meeting in the executive briefing room," she explained, a phone held between her ear and her raised shoulder. "He says it's urgent, but not to worry."

"Not to worry," she echoed, feeling a surreal sense of amusement at the statement. "Right."

She rounded up Tevita and Bobby and they headed upstairs. The executive briefing room flooded with light, with the impeccable CEO standing by the floor to ceiling window showing the bottom half of the skyline to downtown Boston. He smiled casually, his hands clasped behind his back. When they'd all entered and sat down, he turned around, his smiling increasing.

"The mighty defenders arrive," he said. "I had a call from Mitch Cavanaugh concerning your ability to quickly resolve the theft of his hard drive. I commend you on a lightning-fast response. I can tell by your expressions that you're a bit shaken."

He paused, the smile abating. "Let me assure you that we are permanently stepping up our security. I blame myself for not taking steps against blatant thievery. I guess I'd hoped my former colleague had gotten past that type of criminality."

Bobby raised his hand, and Mr. Johnson gestured at him. He cleared his throat, folding his skinny arms.

"So don't we have enough evident now to get the police involved?"

Mr. Johnson shook his head. "No, and even with the thief in hand I doubt they'll be able to link this to New Nifty Networks. For all we know this isn't related to them, though our situation and the probability point in that direction. No, we won't be making any effort to link the thief with Nifty. Your job is to continue tightening our security.

"First, let me commend you, Tevita, for your mastery of providing mirror systems to people when theft occurs. Second, I commend you, Bobby, for always delivering when issues arrive. Lastly, I commend you, Jessica, for your insistence on vPro. I know Edgar and others have given you are hard time about it, but it seems you prove it's worth daily."

"Thank you," she said.

"Our next step is to find out if any other systems have had their hard drives stolen. I'll leave this task in your capable hands. If you have any questions or concerns, please come see me in my office."

As quickly as the meeting started, it ended.

When they reached their cube area, Tevita didn't sit down at his, but followed her into hers. He stared at the Altiris Console idling on her screen, his arms folded and his expression pinched in thought. She sat down, eyeing him, as she reached for her keyboard.

"Let me guess," Tevita said, "you already have a plan?"

She let her hands fall into her lap. "Well... yeah. It shouldn't be difficult to find out which systems no longer have HDDs even if the systems have been off for a while. I just..."

Her voice faded away. She stared at Tevita, trying to sort through her emotions.

"You're freaked," Tevita offered.

"No... well... yeah. I kind of am. Cyber attacks are one thing, but Bobby's ninja..."

Tevita retrieved his chair from his cube, sitting down and leaning back at the entrance of her cube. "With computers thieves usually only break into places for the hardware. Some of the servers Bobby runs cost more than a new BMW. Stealing the hard drives means they're after data. It's really no different, except we're using software to block software attacks, and we use guards, locks, and other such things for the hardware attacks. You heard Johnson. I don't think you have to worry."

She sighed. "We should get occupational hazard pay. I'll get over it, though I may bring pepper spray tomorrow."

"That'll work."

She cracked her knuckles by clasping her fingers and pushing her arms out. "Let's get into this. First off, we can't rely on Inventory Solution to know if the hard drive is there or not, since the OS obviously has to be up and running to get an updated Inventory. We might be able to use the Altiris Agent's last check-in time to note those systems that are no longer reporting, but that won't tell us if those machines are simply off or something similar."

Tevita nodded. "Fun. Without the hard drive we have no manageability capability."

"Except for the one thing that runs outside of the hard drive."

"Intel vPro."

"Exactly. All capabilities are still available even when the hard drive's been yanked."

"So we can use RTSM to remote into those systems not responding in Altiris using Serial-Over-LAN to see if the hard drive is there, like you did for Mitch."

Jessica nodded, smiling. "That would work, but I have a faster, much easier way."

Tevita rolled closer as she put her hand on the mouse and started using the Altiris Console, his eyes focused on the screen. "I like easy," he said.

She browsed under Manage and clicked on Jobs. When the left-pane tree loaded, she browsed under Tasks and Jobs, Server Tasks, Real-Time Console Infrastructure, and clicked on 'Get Intel® AMT Inventory'. She clicked the Run Now button.

On the resulting window that popped up she gave the Run name: Ninja stolen hard drive, and clicked on the 'Select computers' link. Within the 'Select Computers' dialog, in the left-most pane, she browsed in the tree from Collections, Out of Band Management, Provisioning, and double-clicked on 'Provisioned Intel® AMT Computers'. The middle pane showed a list of all vPro capable systems in the environment, and the right-most pane showed the Provisioned collection she'd selected. She clicked OK. She then clicked the Run Now button.

"That's it," she said, leaning back. "In the next minute or two we should have inventory from all vPro capable systems."

The Tongan shook his head. "You're going to outsmart us all out of a job," he said.

She raised an eyebrow at him. "Are you kidding? We might, just might, get to all the stuff on our plates we normally leave forever on the backburner."

She browsed in the Altiris Console under View, Reports, Incident Management, Real-Time Console Infrastructure, and selected Intel® AMT Hardware Inventory. When the report home page loaded, she clicked the Run this report link. For the parameters she left 'System' at Any, and changed 'Hardware Type' to 'Media'. She clicked the 'Refresh' button to load the report.

"Okay, this shows us all systems that have a hard drive reported with AMT Inventory. We could manually compare the list, but why not create a new report that shows us systems that do not have anything in the Media table?"

She right-clicked on the 'Real-Time Console Infrastructure' folder and chose New, Report. She gave it the name: Intel vPro Computers Without a Hard Drive. She chose 'Enter SQL Directly' and then rolled back from her desk.

"Alright SQL guru, I'll give you what I need and you can figure out the query."

He scooted around her, reaching for the keyboard. "Alright. Shoot."

"Okay, we need to have a list of all computers that either do not have an entry within the table Inv_AMT_Media_Device. That's it."

"That's it? That's easy enough..."

Tevita entered in the SQL, and saved the report. When they ran it, only two systems showed up.
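The story does not show the query Tevita types in, so the following is an added example of how that report could be written, not the article's own SQL. It assumes the Altiris Notification Server schema conventions of the period: a vComputer view with Guid, Name and [IP Address] columns, inventory tables such as Inv_AMT_Media_Device keyed by a _ResourceGuid column, and a CollectionMembership table mapping resources to collections; the collection GUID is a placeholder to be replaced with the GUID of the 'Provisioned Intel AMT Computers' collection.

```sql
-- Report: Intel vPro Computers Without a Hard Drive
-- Added example, not the story's own query. Schema names below are assumptions
-- about the Altiris NS 6.x database (vComputer, Inv_AMT_Media_Device, CollectionMembership).

-- Placeholder: replace with the GUID of the 'Provisioned Intel AMT Computers' collection.
-- Scoping to that collection matters: machines that are not vPro never report AMT
-- inventory, so without this filter every one of them would show up as a false positive.
DECLARE @ProvisionedCollection uniqueidentifier
SET @ProvisionedCollection = '00000000-0000-0000-0000-000000000000'

SELECT  c.[Guid]                                    AS [Resource Guid],
        c.[Name]                                    AS [Computer],
        c.[IP Address]                              AS [IP Address],
        'No media device in AMT hardware inventory' AS [Finding]
FROM    vComputer c
JOIN    CollectionMembership cm
        ON  cm.ResourceGuid   = c.[Guid]
        AND cm.CollectionGuid = @ProvisionedCollection
WHERE   NOT EXISTS (            -- the check Jessica asked for: no row at all in the media table
            SELECT 1
            FROM   Inv_AMT_Media_Device m
            WHERE  m._ResourceGuid = c.[Guid])
ORDER BY c.[Name]
```

The result is only as fresh as the last 'Get Intel® AMT Inventory' run, which is why the story runs that task against the provisioned collection first; a system that has never had AMT inventory collected (Joe's laptop in New York, in the story) will also land in this list, so each hit still needs a second look before it is treated as a theft.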

Jessica looked at the names of the computers. "These are both from accounting, but Joe is in New York doing his accounting work on his laptop, and this other... he's here, but hasn't reported anything yet."

Tevita stood, dragging his chair back to his cube. "I'll take care of these two. Why don't you go home?"

"And leave you here..."

He laughed. "I'll be fine. It's almost five, and you probably want to take a nice relaxing evening trying not to think about thieves and ninjas."

"Thanks for that," she commented dryly, but with no conviction. "Only if you're sure..."

"I'm sure. I'll see you tomorrow."

"Thanks. Have a good evening."

End Part III

Recognizing the need for better physical security, and using vPro to minimize the effects of theft, the IT team continues to rise to meet the challenges facing them.

If you have not read Part 1 in this article series, please refer to it as this is a continuation of the story begun there:

http://juice.altiris.com/article/4367/altiris-and-intel-vpro-use-cases-part-1-the-setup

Antivirus is a must for any IT infrastructure. Without it, productivity is quickly reduced as viruses run rampant in the environment. Keeping antivirus installed and up to date is vital to ensure continuity of business services. In Part 2 the IT team for Mighty Modern Marketing is put up to the challenge of protecting their network from viral attacks. Using Symantec Endpoint Protection, Altiris and the Intel vPro technology, they work to ensure that the viral attack and subsequent virus attempts are rendered ineffective.

Mighty Modern Marketing HQ - Boston, Massachusetts

The commuter rail stretched out across the Charles River, but Jessica Langley didn't notice. Her eyes remained fixed upon the screen of her smartphone, scrolling through the emails that continued to pour in. The subject lines all contained the same word. Her shoulders hunched, feeling like a tremendous weight settled on them. She closed her eyes briefly, rubbing at them with her left hand, the PDA held forlornly in the right.

When she opened her eyes the word jumped up at her.

Virus.

This wasn't the first time this had happened at Mighty Modern Marketing. Viruses routinely showed up as email links or attachments, and it didn't matter how often she or Tevita sent out stern emails reminding people to leave email attachments and links alone unless they were expecting them. People continued to click that link to see the latest movie trailer, or to run the fun and exciting application their aunt or long-lost friend mysteriously sent them from out of the blue.

This time was worse. She'd painted a large red X on herself by pushing the Intel vPro technology, and now it seemed everyone stared at her when anything ill befell the network.

She jumped to her feet the moment the train stopped, snatching up her purse and bolting for the nearest door. As she ran down the platform towards the exit of North Station, others gave her curious looks. She smiled briefly. Normally people ran towards the train to avoid missing it. She often saw them frantically running in high-heels or other dress shoes towards a departing train when the work day was over. Who wanted to run into work?

As she staggered into the main lobby at work, glad for the cool air that greeted her, she vowed to start exercising. She hurried through the building.

"I'm glad you're here early," Tevita said in his deep voice as she fell into her chair. "We're in trouble."

"I noticed," she said in-between deep breaths. "What's the situation?"

"I'm not sure, but somehow a virus was planted on a new system as it came online. It appears deliberate."

"But... we have Symantec End Point Protection (SEP). It should keep everything out..."

Tevita smiled, though his eyes shifted to his own monitor, his shoulders shrugging uncomfortably. "Yes... about that. You see, the base image hasn't been updated yet to include that..."

Jessica stared at him.

He waved a hand at her. "I know, no need to look at me like that. That's what I've been doing; recreating the image so it's there from the get-go."

She tried not to groan. "So how widespread is it?"

He laughed, though no humor made it into his tones. "All over the place. They used a vulnerability in one of Bobby's applets to spread it. Of course the first thing it did was disable the antivirus. If SEP had been installed it has protection against... Anyway, those systems without SEP are all hit."

Tevita's eyes glanced up, and widened. Jessica whirled to see Bobby walking up, his hands shoved in his jean pockets. He stared at the floor, his mouth moving as if he counted his steps.

"Bobby?" she inquired.

He looked up, looking like a boy lost out in the desert.

"It got through my firewall!" he exclaimed, extracting his hands so he could ball his fingers into fists. "It shouldn't have been able to do that. I can't even use IM."

Tevita gestured to an empty chair. "Have a seat."

Bobby slumped into the chair. "Whoever sent us this thing knew what they were doing," he said with a scowl. "The cursed thing used UNC to move about the network. Only someone with intimate knowledge of our network could do that. It has to be New Nifty Networks!"

"Do you really think...?" Tevita began.

"Bobby," Jessica said quickly. "Have you fixed the vulnerability?"

"How can I?" he lamented. "It jumped from computer to computer, and with mine infected I quickly turned it off. I need your to help me get that virus off so I can patch the applet."

Tevita smiled. "You actually walked over here."

Bobby looked up, his frown deepening. "Yeah? So?"

"It's unprecedented... You usually stay in your cave, even during power outages. Does it make you nervous to enter the world of real people?"

A flush bloomed on Bobby's sunken cheeks. "Not everyone's as social as you."

"You should stop by more often so..."

"So you can ridicule me?" he retorted.

"Guys," Jessica said, rolling her eyes. "Focus here. Bobby, do you have one of the new vPro systems?"

"Yes, of course," he responded, "I always get the latest hardware from procurement."

"Hey, why don't I see any of it?" Tevita blurted.

Jessica ignored him. "Good," she responded to Bobby as she turned back to her computer. She launched the Altiris Console. "If you have one, it should already be provisioned. Let's check the All Provisioned Computers collection... is this yours?"

"No, my computer is named Superman."

Tevita laughed, and Bobby managed to turn an even more alarming shade of red. Jessica kept her expression passive despite the twitch in her lips from a potential laugh. The computer name Superman showed in the list, and she double-clicked on it. She clicked on the Real-Time tab, entered her credentials, and loaded the Hardware Management page under the Real-Time System Manager, Administrative Tasks folders.

"I have a boot ISO of Symantec's Antivirus scan," Jessica explained as the hardware management page loaded. "I'll just turn on your machine but use IDE Redirect (IDER) to load the antivirus disk. We'll wipe the virus, and turn the system off."

"That's great," Bobby said as he shrugged his bony shoulders," except the minute you bring it back up the virus will propagate again."

Jessica smiled. "Not if I invoke a Network Filter."

"What's that?" Tevita asked, as if on cue.

"Tevita, we've covered this. It's the Intel System Defense. You know, block all traffic except to certain ports and IP Addresses. If you want to read up on it I'll email you the URL. (http://69.93.2.147/article/2645/hold-mf-utilizing-intel-vpro-amt-technology-task-server-part-5-system-defense-tasks)."

"System Defense!" Bobby exclaimed. "I read up on that technology. I created a script that provides a text interface where you can specify which ports you want to allow. I call the API's provided by Intel's SDK. It's great stuff."

"RTSM and Task Server already have it configured to only use communication to them," Jessica said, trying not to smile.

"Oh." Bobby cleared his throat as he pushed himself up onto his feet. "That sounds good. Do you need me to stick around...?"

She gave him a grin. "Just for a minute while I do this."

Bobby sat back down, but leaned forward, staring at her monitor. Tevita slid over, looking on with interest. She said a quick silent prayer that it would all work like she theorized it would.

She chose the 'Power on' radio option, and under the Redirection options checked the 'Perform boot from' checkbox. She also checked the 'Display task progress and remotely control computer' option. Under the device drop-down she left it at CD image, then clicked 'browse' and located the Symantec ISO. She lastly clicked 'Run Task Now'.

A new window popped up, showing the computer boot. It loaded the CD and a textual menu showed up giving her scan options. She initiated the scan.

"Looks like it's working," Tevita said.

Bobby nodded. "I had my doubts since I've been unable to ever get Wake-On-LAN to work across my router..."

"Wake-On-LAN packets don't get by any of our switches are routers," the Tongan responded. "I believe you're the one who recommended the network security scheme we use."

"I know, but Altiris did have an Altiris Agent mechanism to try and deal with it, but I couldn't get it to work in my environment. This vPro stuff sure made that easy. I didn't have to touch the router."

"That's the point," Jessica said with just a hint of exasperation in her voice. "Were both of you sleeping when I gave my presentation on vPro last month?"

Tevita smiled, tugging at his collar. "Have I ever mentioned I don't like PowerPoint?"

"Only twice daily. But I showed demos... oh who am I kidding? That's the last time I supply lunch before a presentation."

The two men exchanged glances with sheepish grins, and then focused back on the screen. She looked back to the scan. It finished quickly, showing the virus as detected and quarantined. She closed the remote window and clicked on the Network Filtering node under Administrative Tasks in the Real-Time Console. She checked the 'Override default solution settings' checkbox and changed the radio selection to 'Filter network traffic other than to and from the Notification Server'. She clicked Apply. When the page finished refreshing it contained the message, "Machine was successfully moved into quarantine".

"Alright Bobby. I'll use the Power Control to boot your machine up so you can Patch your applet and install SEP. You head back and get it done ASAP. Once it's patched I'm going to mass-remediate all the vPro systems doing the same actions we just did except on a mass scale with Task Server."

 

 

Bobby jumped to his feet. "Sounds good. IM me if you need anything..."

 

 

"Except IM won't make it through the Network Filter," she responded dryly.

 

 

"Ah... yes. Well... you know where I am."

 

 

"Quick question, how long will it take you?"

 

 

"Less than an hour."

 

 

As Bobby walked away Tevita smiled hugely, some of his natural humor finally flowing back into his features. "He's a real gem."

 

 

"You should cut him some slack," she scolded.

 

 

"Bobby? I'm holding back, really I am. It's just too much of a temptation. He's classic nerd. But he is a master at what he does, so I'll be sure to keep it friendly."

 

 

"I'm reassured," she said, rolling her eyes for the third time that day. She then gave him a sly smile.

 

 

"What?" he said, his smile drooping. "You have that look."

 

 

"Regardless of blame, even though you should have updated the image weeks ago to include Symantec Endpoint Protection so I blame you for this mess, I need you to create a CD out of the Antivirus boot ISO and load SEP on a flash drive so you can manually remediate those systems without vPro."

 

 

Tevita swallowed. "Hey, we've had a pretty busy workload..."

 

 

She softened her look. "I know, sorry. Anyway... when you get to each system, yank the network cable, use the ISO to clean the virus, then load SEP, and then put the cable back in. I'd even suggest making several copies so you can do a handful at a time. And here's a printout of all non-vPro systems."

 

 

Tevita took the printout and nodded. "I'm on it."

 

 

Jessica focused back on the Altiris Console after Tevita left clutching ten copies of the ISO and SEP installer. She browsed under Manage, Jobs, Tasks and Jobs, right-clicked on Jobs, and chose 'New Folder'. She right-clicked on the new folder and chose 'New > Task/Job'. In the resulting window she chose 'Server Job' under the 'Jobs' folder. The first element popped up a message from a VB script stating that an emergency procedure would fire in 60 seconds, and instructing the user to save all data. Her second task was a 'Boot Redirection Task' that booted up a modified ISO that automatically ran the scan and took any appropriate actions against detected threats. The third task invoked the Network Filter, allowing only NS and Task Server communication capability with the system. For the fourth Task she located the SEP install Tevita had made with Altiris Software Delivery Solution and put it into a Task Server Deliver Software Task. Finally she created the fifth and sixth tasks that removed the filter and invoked a reboot to finish the process.

She saved the job and selected her own system to test it.

 

 

"Mrs. Langley," a familiar voice prompted. Normally she caught movement in the mirror mounted on her flat panel monitor when someone walked up to her, but she'd been so focused that this time she started almost violently in surprise, whirling around in her chair.

 

 

Edgar Watts stood behind her, his hands conspicuously empty of printouts. Her first impulse was to point to her screen and tell him she had a plan with vPro to take care of the virus in a timely manner.

 

 

She rose to her feet, trying to place a polite and not strained smile on her face. "Hello Mr. Watts."

 

 

"Since my computer is down, I've been using my laptop to research the impact of viruses to corporations, specifically impacts to finances."

 

 

He frowned, briefly rubbing a forefinger along his jaw. He didn't immediately continue, his vexed expression seeming to say he was seeing those numbers again and loathing what he saw.

 

 

"We're working on it," she said, trying not to sound defensive.

 

 

"I know," he responded. "I'm astounded at the amount of this company's hard-earned cash flow flowing down the drain."

"We'll have your and all vPro enabled systems up within the hour," she said, forcing that smile to remain on her face.

"One hour?" he responded, looking down at his watch as his brow drew low over his eyes, almost like a thundercloud.

 

 

She braced for some kind of outburst, feeling sour in the pit of her stomach. It seemed like her stomach wanted to remain clenched, and she couldn't relax the muscles in her shoulders. What more could she do? She often woke in the middle of the night, her sleep-clouded mind whirling through all the issues she needed to address immediately. She needed to prove vPro, identify and eliminate any threat from their nefarious competitor, keep Edgar's expense-cutting knives away from her department, and still find enough time to enjoy time with her husband. Lying awake at night, trying to will herself to sleep, got old fast. Two days ago her husband had recommended quitting.

That seemed wrong. She'd never given up on anything in the past, and she didn't want to give up on this now, especially when all of Mighty Modern Marketing needed her at this critical time.

 

 

When Edgar looked back up from his watch he smiled, a rare sight that stilled her thoughts, her breath catching in her throat.

 

 

"All vPro capable systems, you say?" he asked.

 

 

"Yes sir," she responded after a moment of stunned silence.

 

 

"I came down to wish you luck, but perhaps you don't need that luck after all. Good day, Jessica."

 

 

He turned around and walked away, and she stood and stared at him. She almost chuckled, but she still felt too emotionally invested and she just might break down and tear up. She slowly sat back down, staring at the Altiris Console. With renewed vigor she tested her job, made a few tweaks to the command-line of the rollout job, and then brought up a Run Now window, selecting All Provisioned Systems. Her mouse hovered over the Run Now button.

 

 

"Come on Bobby," she whispered. The few minutes before the IM popped up declaring "Applet is patched" seemed like an eternity.

 

 

She clicked the Run Now button.

 

 

She got up and took a quick water break, grabbing a drink and throwing it down as if a shot in a drinking contest. She didn't want to return to her desk. What if it failed on most systems, especially the executive team's? What if she hadn't accounted for different hardware platforms in her job? What if?

 

 

She squared her shoulders, throwing off the ‘what if' game. She walked resolutely back to her desk and sat down, refreshing the job.

 

 

Ninety percent success rate brought a smile to her lips.

 

 

For the next few hours she used RTSM to connect to and patch those systems where the Task Server job had failed for whatever reason. For most of them she could figure out the issue using RTSM, aided by the article http://69.93.2.147/article/4075/troubleshooting-altiris-manageability-toolkit-vpro-technology-part-5-real-time-console-, since RTCI was the component that executed most Task Server and RTSM commands against AMT.

Toward the end of the business day she leaned back. All vPro capable systems, a good 75% of the environment, were patched. Just as she shut down her computer Tevita showed up. His natural good humor managed to put a smile on his face. His long-sleeved dress shirt had the sleeves rolled up, his tie loose and the top button of his collar undone. Sweat glistened on his forehead, remnants of computer dust bunnies streaked on his hands and forearms.

"Hi!" she said, unable to keep from smiling in amusement at him.

 

 

"Let me guess," he said, his smile twisting a little, "you've managed to patch all vPro systems."

 

 

"Yes," she responded, putting her purse back down on her desk. "How's the other systems coming?"

 

 

"I'm... uh... half done."

 

 

She nodded, picking up her phone. "Tevita, give me just a moment. Hi, Rob? I'm fine, though it looks like I'll be here a while. It's mostly under control, but we have a few more systems to fix. I know, I'm sorry. I'll see you later tonight, honey. Love you too, bye."

 

 

"What are you doing?" Tevita asked, frowning.

 

 

"We need to finish up, right?"

 

 

"Well... yes. But you don't really have to..."

 

 

"I'm thinking your wife wants to see you at least some time tonight. I'll take the third floor, you finish up the second, and the last one done has to bring donuts tomorrow."

 

 

Tevita looked relieved. "Deal. Thanks, Jessica."

 

 

Bobby walked up, a laptop case in his hands. "I'm heading out. Thanks for getting me back up so fast."

 

 

Jessica turned to him, her smile growing. "Bobby, we need your help," she said without preamble. "We have a few more systems to remediate..."

 

 

Bobby shook his head, his expression tightening. "No way, I have a Halo 3 party..."

 

 

"Bobby, you can't abandon us..."

 

 

Bobby looked down at the case in his hands. "Ah nuts! You don't know what this does to me. I'll lose my leader spot..."

 

 

"You'll make it up," Tevita said confidently. "If we get this done quickly imagine how impressed they'll be when you join late and still take the top spot."

 

 

Bobby's stricken look abated. "Yes. Yes, that would be impressive. Ok, I'll help."

 

 

Hours later Jessica left the building, running towards North Station to catch one of the late trains home, her shoulders feeling much lighter than when she'd ridden in.

End Part II

Having minimized the damage of the first attack, the IT staff will continue to prepare in anticipation of more cyber attacks.

Introduction

I wanted to try something different with this article series. Since I'm an amateur author, I thought I'd put that skill to use. Here's the attempt!

What would you do if highly skilled hackers hired by a competitor infiltrated your environment, planting information-siphoning viruses? What would you do if those same hackers began systematically bringing down vital computers used by executives and other high-profile workers? What can you do? These questions are posed to the Players, a fictional group of IT professionals working for Mighty Modern Marketing. This article series will follow their trials and exploits as they face a myriad of threats and issues attempting to derail their position as leader in their particular market.

Part 1 introduces the key players in the story. All characters, events, and organizations in this story are fictitious, and any resemblance of characters, events, or organizations to real-life entities is purely coincidental.

NOTE: Part 1 primarily sets the stage for the use cases. Each subsequent part will cover functionality available through Altiris and Intel vPro technology.

Mighty Modern Marketing HQ - Boston, Massachusetts

Jessica Langley used her badge to activate the door, and walked through. The warm air from the sunny streets of Boston gave way to the cool air inside the Mighty Modern Marketing main offices. She offered a greeting smile to the receptionist, who waved back, and quickly made her way past the rows of cubicles housing the Sales Support team. Most doors contained generous windows, allowing natural light and a wide view of the occupants, but the door she approached held no window, with a heavier doorknob and another badge reader set to the side. She swiped her badge and entered the IT center.

 

Right away she noticed a stooped man sitting in her chair. His thinning hair matched the sallow pallor of his skin, his gray eyes deeply lined with a perpetual frown, and he looked down at a stack of loose papers, his crooked finger tracing over the numbers thereon. He wore a brown suit from another decade, his tie plastered with paisleys.

 

 

"Hello Edgar," she greeted, trying to put a genuine smile on her face and failing. He looked up, squinting at her.

"Jessica," he said in a high, reedy voice. "I trust you have some time for me this morning?"

"Of course. You are the CFO."

 

 

"Well, yes." He shuffled through the papers. "I wanted to discuss the recent increase in your budget for asset acquirement."

 

 

"Okay," she said warily as he stood. Even standing he peered up at her. She quickly sat down in her chair to avoid the impression of her standing over him.

 

 

"I see an increase in price for each system we purchase, yet the base price for each system is the same. Care to explain?"

 

 

She nodded, swallowing. She thought he'd understood it all when she'd proposed the increase. For such a small man he exuded consternation like a hurricane, and she felt the full force of it as he stared at her, his right foot tapping as if counting up the dollars flitting away even as he stood talking with her.

 

 

"Of course. We're replacing our old equipment with new Intel vPro capable systems."

 

 

"vPro? Is that another of your cursed acronyms?"

 

 

"Yes. Well, no. I'm not sure. It does have a nice ring..."

 

 

"What is it?"

 

 

She swallowed again. She wondered if Edgar even had one small sliver of humor in his body or if he'd missed the humor allotment when born.

 

 

She cleared her throat. "vPro enables me to quickly, reliably, and remotely resolve a variety of issues. The feature set is impressive..."

 

 

"Jessica, I'm not interested in that. What I'm interested in is what value does it have for us?"

 

 

"The ROI? Sorry, I mean return on investment?"

 

 

He frowned. "I know what ROI means..."

 

 

"Of course," she responded hastily. "Potentially we can save hundreds per system by avoiding costly desk-side visits for remediation of issues, to mention one common cost-saving feature."

 

 

He nodded, but by the expression on his face she thought he meant to shake his head.

 

 

"It's all theory. I just don't see it yet on the books. The books don't lie, Jessica."

 

 

"I know, but we're just ramping up. The plan..."

 

 

"Let me be clear about this. I almost told the ordering rep to nix the vPro technology, but your explanation of the benefits stopped me, for now. You show me the value of this in the next few weeks or we're abandoning it. Understood?"

 

 

She wanted to stand up and tell him what she thought of that idea, that she knew the value was there. She also wanted to kick him in the shins, admittedly a childish impulse, but instead she simply pasted a smile on her face, nodding. When she knew she wouldn't growl at him, she added, "I understand."

 

 

Edgar nodded. "Good." He stood and turned, but stopped and added, "Have a good day," like an afterthought. He walked away, clutching his papers tightly.

 

 

She slumped when he passed out of sight, reaching up to rub at her temples where the start of a headache already tightened.

 

 

"Boy did Edgar look riled!" a deep booming voice said, a laugh hovering in his tones.

 

 

She looked up to see Tevita standing next to her. The Tongan stood like a solid oak, his broad shoulders and strong features exuding humor. She thought, not for the first time, that Edgar's allotment of humor must have been sent to Tevita instead.

 

 

"He's just crunching the numbers again," Jessica responded.

 

 

"I know. He asked me all about the vPro stuff."

 

 

She sat up straighter, her stomach clenching. "What did you tell him?"

 

 

"Don't look so worried. I actually just said it was your baby, and that he should ask you about it."

 

 

"Oh. Okay. I think... that's okay."

 

 

"You're welcome."

 

 

"He indicated he wanted to pull the technology."

 

 

"Uh-oh."

 

 

"I have a few weeks to prove myself."

 

 

Tevita smiled, though with not quite as much bluster. "Jessica, you're putting yourself out on a limb. The demos all look slick, but demos always do, right? You're sort of rocking the boat."

 

 

She frowned. "Tevita, I know you're trying to help, but I know this is what we need to do."

 

 

"No worries. Just let me know if you need any help. Oh, that reminds me. The Banner applet Bobby put together is acting wonky again. Can you let him know? It appears to be a server issue."

 

 

She nodded, and he smiled, walking over to sit down in his seat. She turned and looked at her computer. She hadn't even logged in yet and already she'd had two confrontations. She sighed as she signed in, opening her email. She read a few, but finally echoed her previous sigh and climbed to her feet. She walked over to another door that led to the server room.

 

 

The loud rumble of cooling fans filled the air until it felt like she had water in her ears. The rows of servers gleamed black, the soft glow of green indicator lights softening the severe edges. She walked past these, around a corner to another door leading to a small office tucked in the corner. She walked in, looking down at the top of Bobby Baxter's mop of unruly sandy-brown hair. His thick glasses perched on his skinny nose, his eyes squinting at the row of four LCD monitors in front of him. He sat in a plush chair like a throne, his skinny arms hovering over the mouse and keyboard.

 

 

"Bobby," she prompted.

 

 

He turned, a frown bending down his lips. "Jessica? What... Why can't you just use the Instant Messenger? Use the IM!"

 

 

"I like to stretch my legs," she retorted. "Did you know the banner app is acting up again?"

 

 

He hunched his shoulders, looking very much like a sulking child. "Yes, yes. I know. So you needn't have made the trip. I was just looking through the code."

 

 

"Well... this isn't the only reason I came over."

 

 

He minimized an application filled with source code, pushing his keyboard under his desk, the tray making a rather harsh grinding noise, and swiveled around to face her fully. He folded his arms, looking like she'd caught him pirating music.

 

 

"What?" he said warily.

 

 

"I need your recommendation for a service provider for the Intel vPro stuff. You hinted earlier that you thought you found the right one."

 

 

His petulant expression morphed quickly into a thoughtful one. "vPro, yes. I installed a few applications, like SMS, but then I noticed Altiris already has a solution for it. Since we own Altiris, I figured why not use what we already have in place? I already installed the modules into the Notification Server, so you can get at it. I'm impressed, I have to say."

 

 

Somehow having Bobby say those words caused the tension to drain out of her. "I'm glad to hear it."

 

 

"The Solution name is Out of Band Management. It has all the pieces for Provisioning vPro so you can get at the functionality."

 

 

"I appreciate it."

 

 

His frown returned. "A few simple sentences in IM would have sufficed. Did you dye your hair red?"

 

 

"What? No, I've told you before. It's natural."

 

 

"It looks nice."

 

 

He turned around, shrugging uncomfortably, and pulled out his keyboard. She opened her mouth to say goodbye when Bobby's phone rang. He squinted at the LCD, and his eyes widened.

 

 

"It's Mr. Johnson, the CEO!" he declared. He picked up the handset. "Hello? Hello, Mr. Johnson, how are you? Yes, this is he. Yes, she's here too. A meeting? Yes, of course. We'll be right there. Bye."

 

 

He turned to her as he hung up the phone, his expression slack. "An important meeting in the Executive Conference room! We better hurry."

 

 

Dim light glowed from white panels in the conference room, shadows gathered in the corners and under the large oval table. Tevita already sat at the table, his hands behind his head as he stretched out, his eyes focused on a projection screen lit against the far wall. Edgar sat next to him, an unusual deep frown that far surpassed his previous demeanor marring his features. For once the usual stack of papers he clutched lay untouched on the conference table. Bobby moved past her, sitting next to Edgar, and she finally moved in to sit next to Tevita.

 

 

"I'm glad you could all make it on such short notice," a rich, resonant voice declared. Jessica jumped, unaware that someone stood in the shadows next to the glowing projection screen. She managed to clamp down on the squeak that tried to escape her mouth.

Mr. Johnson stood like a pillar of strength and courage. Though wrapped in shadows, she couldn't miss the sleek suit, a gold watch gleaming in the light from the screen. He wore sunglasses, and she realized she'd never seen him without them. His perfectly sculpted hair framed his head as if he stood in a business fashion magazine. He wore a light smile that asked for her trust and confidence even in the dim light of the room.

He stepped in front of the projection screen, like a hero emerging from a long battle in the night. "I have always been grateful for the work that all of you do to keep our IT infrastructure up and running. I think you can agree that most of us take you for granted, especially Edgar. Since you are strictly a cost center, he is very keen on monitoring the expenses generated by your team."

 

 

With a warm chuckle he stepped to the side back into the shadows, lifting a remote. The projection screen flickered, and a graph appeared.

 

 

"This," Mr. Johnson said in his rich voice, "represents the cost of your department. And this," he said, his voice rising dramatically, "is the additional budget afforded you at the start of the latest budget cycle."

 

 

The screen showed an increase. It wasn't dramatic, but the numbers fit. Jessica swallowed.

 

 

"This increase appeared for two reasons," he continued. "Security and continuity. It is vital that we step up our ability to protect our infrastructure and intellectual property. To be more specific, you're probably aware that New Nifty Networks is trying to cross over into the internet marketing business, and will become our primary competition here in the Boston area. That by itself isn't significant, but the owner of Nifty is Jake Willis."

Edgar, who'd been looking at the surface of the table with an expression between anxiety and anger, perked up. "Jake Willis? You can't be serious!" he blurted.

Jessica glanced at Tevita and Bobby, but both shrugged back at her.

 

 

"I am serious," Mr. Johnson answered. "I attended Yale with him a decade ago. He got kicked out for cheating in a competition. I won't go into details, but wanted to stress that his manner of cheating was not only against school rules, but crossed the line into illegal activities. Now that he's eyeing our business, I'm afraid we may see much of the same."

 

 

She tried to swallow but found that her throat had grown dry.

 

 

Tevita raised his hand. "Mr. Johnson? What kind of illegal stuff?"

 

 

"Electronic hacking, forgery, and, believe it or not, assault in the form of intimidation."

 

 

"You're pulling our legs."

 

 

Edgar shook his head, reaching up to rub at his eyes. "No, he's not."

 

 

Jessica managed to find her tongue. "He wouldn't do those things here, would he?"

 

 

Mr. Johnson smiled, a trifle sadly. "That's too much to hope for. He's a lot more careful now, but he will resort to the same tactics. Cyber attacks, hacks, data theft, you name it, and he'll try it. Bobby, Jessica, and Tevita, you are our first line of defense. Be ready."

 

 

She wanted to say something, but the room filled with silence until the buzz of the projector pressed against her ears. Tevita wore a smile as if he expected the CEO to laugh and say "Just kidding!" Bobby looked thoughtful, his arms folded tightly against his stomach, and Jessica wouldn't be surprised to find a picture of Edgar's expression next to the dictionary entry for "Disgruntled". She rubbed her arms, trying to warm them from the unusual chill in the conference room.

 

 

"Any questions at this time?" Mr. Johnson inquired.

 

 

After the meeting Jessica hardly remembered walking back to her cube. She sat there for several minutes staring at her email inbox. She finally turned when a noise caught her attention.

Tevita stood, his muscled arms folded and an unusually thoughtful expression on his face. "I wish today was April Fools," he commented with a quick laugh.

 

 

"It's absurd."

 

 

"Not really. Most major corporations face those types of threats all the time."

 

 

"Tevita, no offense, but most hackers don't add assault to their tactics!"

 

 

"I'm not worried."

 

 

She eyed him. "Of course not. You're six-foot-nine and weigh a solid two-hundred eighty pounds."

He smiled. "You're what, six foot? You're not a shrimp yourself, plus your husband knows karate, right? No? Well, I'm not worried about you. It's Bobby I'm worried about."

 

 

She shook her head viciously. "I'm not exactly muscled... What are we saying? This is ridiculous. It's the computer attacks we need to worry about. Let's get moving. I just have no idea where to start."

 

 

"What about the vPro stuff? I seem to remember a lot of security-related stuff there."

 

 

She straightened in her chair. "You're absolutely right. Bobby indicated he'd installed vPro management components into Altiris."

 

 

Tevita brought a chair over. "Altiris. Why didn't you tell me they had solutions? I might have been more supportive of vPro."

Jessica pulled up the Altiris Console, her mind racing through the possibilities.

 

 

 

 

END Part 1

This ends Part 1. In Part 2 the first method of attack against Mighty Modern Marketing's IT infrastructure commences while the players scramble to defend their network and business.

The primary identity key for an AMT computer is its Fully Qualified Domain Name (FQDN). One of the essential parts of the setup and configuration process (Provisioning) is the point at which Altiris attempts to map a valid FQDN into the IntelAMT database. This article covers how to handle FQDN issues, including ways to correct invalid entries, the best method to avoid the issues, and how it all works. If you're using Altiris Out of Band Management for provisioning, this is a must read!

Introduction

The two key identity items for vPro are the UUID (Universally Unique Identifier) and the FQDN. The UUID is contained within the hello packet sent by AMT, but the FQDN is not held within AMT until Provisioning, so it is up to Altiris to acquire the system's FQDN. While this may sound simple, problems arise when the system is still in its setup process: being prepped or imaged, having software and scripts rolled out to configure it and join it to the Domain, and receiving a new IP Address once its final identity on the Domain and network is established.

Preferred Provisioning method

For specifics I'll refer you to the Best Practices document, but the general steps to follow specifically for the FQDN are provided below.

LINK: http://juice.altiris.com/article/2810/best-practices-configuring-intel-vpro-capable-system-within-symantecaltiris-vpro-toolki

  1. Image the system with the Operating System, including any post-imaging work to get the system configured. This includes rolling out software or scripts.

  2. Join the system to the Domain after it has its rightful identity. The computer name should be set. Joining the computer to the domain provides the valid, operable FQDN.

  3. Install the Altiris Agent on the system. This provides the information for the FQDN in the Inv_AeX_AC_Location table.
    NOTE: If the Altiris Agent was part of the image, make sure the system sends Basic Inventory again after the system has been joined to the network, to ensure the valid FQDN is in the Altiris database.

  4. Ensure the Out of Band Discovery package is enabled and configured via the collection to go to all machines.
    NOTE: This step is essential because OOB Discovery picks up the FQDN from Basic Inventory and maps it into the IntelAMT database. The screenshot shows where the data is located:
    (Screenshot: OOBCapACLocation.JPG)

  5. If the hello message was sent before the above steps were completed, provisioning will normally still recover as long as the process completes within 24 hours. 24 hours is the period during which the client sends hello packets; AMT continues to send them throughout that period UNTIL it is fully provisioned. This helps reestablish the connection if the IP Address changes in the middle of the Provisioning process and the Server can't connect back to the remote AMT system.

Preferred Provisioning Settings

Not all settings within Out of Band Management are FQDN friendly. The following items affect how Out of Band Management approaches provisioning.

  1. Resource Synchronization - Make certain this is enabled! A disabled Resource Synchronization policy halts Provisioning, greatly increasing the chance of FQDN problems when it is finally enabled.

  2. Use DNS IP resolution to find FQDN when assigning profiles - This option, under the Resource Synchronization policy, is typically unreliable. While it allows for bare-metal or Agentless provisioning, it is also at the mercy of the DNS and DHCP environment. It is highly recommended NOT to use this option unless you fully trust your DHCP and DNS environment. Factors to consider are:

    1. IP Lease times - The lease times afforded to systems may be short, increasing the possibility that by the time OOB fetches the FQDN via IP the lease will have expired and the wrong FQDN will be mapped.

    2. PXE or other auxiliary boots - Often these boots obtain a different IP address from DHCP, as the system's identity during such a boot is not the same as when it is booted to the OS.
      (Screenshot: ResourceSynchronizationOOB2.JPG)

  3. Intel AMT 2.0+ to Profile - This option allows a default Profile to be set up for Provisioning. Make sure you've created a default profile and set it in the Resource Synchronization policy. Without a profile, Provisioning will not occur.

  4. Intel AMT requires authorization before provisioning - Under the General node within Provisioning, this option stops provisioning from occurring automatically. The profile will not go down to the system until the system is selected and 'Authorize' is chosen from the right-click menu. This can aggravate FQDN problems by delaying full provisioning.

FQDN Fixes

Invalid FQDN in IntelAMT

The first issue stems from a variety of causes. The issue is that the FQDN is invalid in the IntelAMT database, shown under the Intel AMT Systems node under Provisioning for Out of Band Management. The causes vary, but here are a few we've seen:

  1. Reverse DNS IP Lookup is enabled - Unless your DHCP and DNS environment is rock solid, IP Address leases often expire and other systems pick up the IPs from which the AMT systems originally sent the Hello message. When this occurs, the wrong FQDN is mapped.

  2. IP Leases are short - A short IP Lease length can create problems acquiring the correct FQDN. This is especially troublesome with TLS, since the FQDN is part of certificate-based authentication.

  3. FQDN is incomplete - When a system is in setup mode, sometimes the mapped FQDN is not part of a domain, resulting in only the Host Name being set as the FQDN.

IMPORTANT! When the FQDN is invalid in the IntelAMT database, Resource Synchronization can have trouble matching resources with their correct counterparts in the Altiris database, and duplicates can emerge as a result. If the checkbox in Resource Synchronization labeled 'Remove duplicate Intel AMT resources from Notification Server database' is checked, managed resources can get deleted from the Altiris database!

FQDN has Changed

Another not-uncommon occurrence is a system changing identity. This can occur in a variety of ways, including:

  • The system has been reimaged

  • The computer name has been changed

  • The computer has been migrated to a new Domain

  • The system has switched subnets, resulting in a new FQDN

Regardless of the method, changing the FQDN on the system does not change it in the Intel ME or AMT firmware, nor in the Intel SCS component database (IntelAMT). When these are out of sync, it can cause problems when you need to manage the system via AMT while the computer is booted to the operating system. This is especially problematic when TLS is enabled and the provisioned certificate no longer matches the FQDN in Windows.

Issue Resolution

Since the Altiris Agent sends Basic Inventory daily by default, the Altiris database usually has a valid FQDN on record in the Inv_AeX_AC_Location table. We can run a query that captures the correct FQDN from the Altiris database and writes it into the IntelAMT database, correcting any duplicate or invalid FQDN entries. This is the first step. The second step is to update the FQDN within AMT on the local systems. The following processes walk you through the resolution:

Update IntelAMT from Altiris

  1. Open up SQL Query Analyzer or Microsoft SQL Server Management Studio.

  2. Open a Query window within the database instance that contains both the Altiris database and the IntelAMT database.

  3. Run the following query. For testing purposes you can omit the line 'COMMIT TRANSACTION' until you can verify the operation completed as expected. Once validated, run COMMIT TRANSACTION to complete the process. If the result is not what you expect, run ROLLBACK TRANSACTION instead; this discards the change and releases the locks held by the still-open transaction:
         BEGIN TRANSACTION
         -- Copy the FQDN reported by Basic Inventory (Altiris) onto the matching
         -- IntelAMT record. The join key is the system UUID: Inv_OOB_Capability
         -- stores it with dashes, csti_amts without, so the dashes are stripped.
         UPDATE intelamt.dbo.csti_amts
         SET fqdn = b.fqdn
         FROM (SELECT il.[Fully Qualified domain name] AS fqdn,
                      REPLACE(oob.uuid, '-', '') AS uuid
               FROM altiris.dbo.Inv_AeX_AC_Location il
               JOIN altiris.dbo.Inv_OOB_Capability oob
                 ON oob._ResourceGuid = il._ResourceGuid) b
         WHERE intelamt.dbo.csti_amts.uuid = b.uuid
         COMMIT TRANSACTION

  4. Done! The FQDNs now match between Altiris and IntelAMT.
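Before committing the update, it helps to see exactly which rows it will change and whether any UUID maps to more than one Altiris resource, since a duplicate mapping makes the update pick an arbitrary FQDN. The following diagnostic query is an added example and is not part of the original article or of the Symantec/Intel products; it uses only the tables and columns referenced in the update statement above and assumes, as the article does, that both databases live in the same SQL Server instance.

```sql
-- Added example (not from the original article): preview what the FQDN update
-- will change and flag the conditions the article describes before COMMIT.
-- Assumes the Altiris and IntelAMT databases share one SQL Server instance and
-- the table/column names used in the article's UPDATE statement.

-- 1. IntelAMT records whose FQDN differs from the FQDN reported by Basic
--    Inventory, with a reason column. A value with no '.' is the host-name-only
--    case (cause 3 above).
SELECT amt.uuid,
       amt.fqdn                          AS intelamt_fqdn,
       il.[Fully Qualified domain name]  AS altiris_fqdn,
       CASE WHEN CHARINDEX('.', ISNULL(amt.fqdn, '')) = 0
            THEN 'host name only'
            ELSE 'mismatch'
       END                               AS reason
FROM intelamt.dbo.csti_amts amt
JOIN altiris.dbo.Inv_OOB_Capability oob
  ON REPLACE(oob.uuid, '-', '') = amt.uuid
JOIN altiris.dbo.Inv_AeX_AC_Location il
  ON il._ResourceGuid = oob._ResourceGuid
WHERE ISNULL(amt.fqdn, '') <> il.[Fully Qualified domain name]
   OR CHARINDEX('.', ISNULL(amt.fqdn, '')) = 0;

-- 2. UUIDs that map to more than one Altiris resource. For these the UPDATE's
--    result is nondeterministic (one of the matching FQDNs wins), so resolve the
--    duplicates first; see the Resource Synchronization warning above.
SELECT REPLACE(oob.uuid, '-', '')          AS uuid,
       COUNT(DISTINCT oob._ResourceGuid)  AS resource_count
FROM altiris.dbo.Inv_OOB_Capability oob
GROUP BY REPLACE(oob.uuid, '-', '')
HAVING COUNT(DISTINCT oob._ResourceGuid) > 1;
```

The first result set is the list of rows the update will touch, so it doubles as the verification step before running COMMIT TRANSACTION; the second should be empty before you run the update at all.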

Update FQDN on local AMT

  1. It is recommended to follow these steps in batches so as not to overwhelm the Intel SCS component. Run it against perhaps 100 systems at a time, or against only those systems you know have been updated. While it doesn't hurt to run this against systems whose FQDN was not changed by the above process, it is unnecessary if you can target the systems with invalid FQDNs.
    Note: This process assumes that the system can be reached by the SCS using the new FQDN supplied by Altiris. For TLS there may be complications we have not foreseen.

  2. In the Altiris Console browse under View > Solutions > Out of Band Management > Configuration > Intel AMT Systems > and select the Intel AMT Systems node.

  3. Select one or more systems you need to update the local AMT FQDN on.

  4. Right-click and choose the ‘Re-provision...' option.
    (Screenshot: Re-provision.JPG)

  5. Check the Action status node under Provisioning > Logs > Action Status for messages concerning the Re-provision attempts. You can also check the Log node for errors.

  6. Done! The systems, when reprovisioned, should have the correct FQDN planted by the IntelAMT database entry that was updated from the Altiris database.

 

Conclusion

Use this article to resolve your FQDN issues and ensure AMT functionality is available when it is needed. The above process has been verified, though not every potential environmental issue has been explored. Test the process in your environment before implementing it on a wide scale.
