The new generation of notebook PCs with Intel vPro technology includes Intel Anti-Theft Technology PC Protection (Intel AT-p). Intel AT-p offers you the option of activating hardware-based client-side intelligence to secure the PC and its data if a notebook is lost or stolen. Because the technology is built into the PC hardware, it provides local, tamper-resistant defense that works even if the OS is re-imaged, a new hard drive is installed, or the notebook is not connected to the network.
For a good introduction to Intel® AT-p technology, please visit http://communities.intel.com/community/openportit/vproexpert/blog/2008/12/04/anti-theft-technology-has-arrived
In the following we describe an example of how this technology is deployed and used in the life of a typical employee working for a security-conscious company. Consider a user, Jane, who is a new employee of a company called SecureBank. SecureBank wants all its employees' laptops to be protected against theft and is therefore utilizing Intel® vPro Anti-Theft Technology for Asset Protection (AT-p) with Absolute as the ISV.
In particular Jane has two (rather adventurous) days –
- Day 1: The IT admin receives a new laptop and sets it up for Jane. Jane uses the new laptop for the day and manages to lose it to a thief!
- Day 2: The thief is unable to use the laptop because of the poison pill sent as a feature of the AT-p technology. The thief therefore gives up on it and leaves it in a coffee shop. The laptop is subsequently recovered by SecureBank, made functional again and is ready to be handed back to Jane.
Below are the details –
(Check out the video uploaded at youtube –
(1) Initial Setup by IT Admin:
The IT admin receives a new laptop and creates the SecureBank IT image on the laptop. This includes the Absolute agent, which is used for AT-p. The Absolute Client Windows Installer is part of the IT image. Two key steps are undertaken –
- Enrollment: The IT admin runs the Absolute Client Windows Installer, which installs the Absolute agent on the client. As part of the installation this client is enrolled with the Absolute server. Enrollment consists of the following steps –
1. The Absolute Agent checks the local platform to ensure that the platform is eligible for Intel® AT-p.
2. The Agent requests permission to activate AT-p from the ISV Server, i.e., the Absolute Server.
3. The ISV Server takes this unique client request and sends it (along with a license key) to the Intel permit signing server.
4. Once the Intel signing server has validated this request, an AT-p permit is generated for that unique client. The client system is now ready to validate signed messages from the ISV server.
Once the machine is enrolled it shows up on the administrator console. The machine is identified by a unique identifier generated by the Absolute server, its Detected Full Computer Name and its Detected Serial Number. At this point a default policy is also applied to the client machine.
- Policy Setup: The IT admin can also fine-tune the policy for Jane. Examples of attributes he can set include:
- AT-p Timer Value: the machine's disablement timer, i.e., the time after which the machine is disabled if it does not connect with the server. In this case it is 48 hours.
- AT-p Timer Action: the action the machine performs once the AT-p Timer has expired. In this case, the machine shuts down immediately (even if the OS is up and running) and does not allow the boot process to proceed.
- AT-p Theft Action: the action the machine performs once it learns, on connecting with the server, that it has been marked stolen. In this case, the machine shuts down immediately, the same as above.
- Admin Password: the password used to recover the machine when it is disabled or locked.
- An attribute marking whether AT-p is currently active on the machine. When the machine has a legitimate working user it is marked active.
- Theft Status: marks whether the machine is stolen or secure. In this case, the machine is not stolen.
Once the IT admin has set the above policy he is ready to hand over the laptop to Jane.
(2) Normal Usage:
On receiving her new laptop, Jane logs in with her domain credentials and uses it seamlessly (as if there were no AT-p). The rendezvous with the Absolute server requires no active participation from Jane: it happens in the background and is transparent to her.
- Rendezvous (Machine Not Stolen)
The Absolute solution has a rendezvous timer of 24.5 hours. When this timer expires, the following steps occur –
1. As the Rendezvous Timer (24.5 hours) expires, the ISV Client Agent initiates a rendezvous.
2. The ISV Server’s response is relayed to the Intel Management Engine (in the firmware) through the ISV Client Agent. Any new settings are relayed.
3. Acknowledgments are generated for any message received.
4. Once finished, the Disablement Timer (or AT-p Timer) reset message is sent to the Intel Management Engine.
After a good first day of work, Jane’s colleagues take her out for a dinner. She leaves her laptop in the car and heads to the restaurant. To Jane’s bad luck her car is broken into and the notorious thief steals her laptop.
- Malicious Usage: The thief has a hacking tool that allows him to bypass the Windows login/password challenge and use the laptop. He feels he can make a good fortune by selling this laptop on the black market.
- Theft Reporting: When Jane returns to the car, she is shocked to see her car broken into and her laptop stolen. She immediately calls the IT admin helpdesk and reports the theft. The IT admin sets the Theft Status to Stolen. Next time the laptop checks in with the Absolute server, the Theft Action, which is Immediate Lock, will take place.
(4) Poison Pill:
The thief logs in again using his hacking tool. Since more than 24.5 hours have passed (i.e., the rendezvous timer has expired), the agent initiates a rendezvous. At this time the following steps happen –
- Rendezvous (Machine Stolen)
- As the rendezvous timer expires, the ISV Client Agent initiates a rendezvous.
- The server has marked the system as stolen, and sends an AssertStolen message (“Poison Pill”) to the system.
- The local system takes action based on the current policy.
As the action is Immediate Lock, the thief, to his surprise, observes that the machine simply shuts down. When he tries to power the machine on, he sees a pre-boot authentication screen that asks him for admin credentials. The thief's hacking tools target the OS (which is potentially more vulnerable) and cannot bypass this screen, because the pre-boot environment is an extension of the boot firmware and guarantees a secure, tamper-proof environment outside the operating system that serves as a trusted authentication layer. Brute-force attacks in this environment are also much harder, because the tamper-proof firmware reboots the machine once a time threshold or a number of failed login attempts has been exceeded.
To the thief’s dismay, he cannot really use the laptop and leaves it in the coffee shop where he logged in from.
(5) Asset Recovery:
The IT admin of SecureBank is able to get the IP address of the location from which the thief last logged in and contacts the coffee shop. SecureBank officials pick up the laptop and bring it back to the IT admin's desk for recovery. To recover the platform the IT admin carries out the following steps –
- The IT admin (re)sets the Theft Status to be Secure (from Stolen).
- Upon boot, the admin is presented with a “system locked” message in the pre-boot environment.
- The admin recovery passphrase must be entered before a given time (say 2 minutes). The admin immediately inputs his admin passphrase for the given machine.
- When the admin credentials and theft status have been verified, the AT-p timer is reset and the client platform is unlocked. The platform then boots to the OS.
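The whole lifecycle described above (enrollment, policy, rendezvous with the disablement-timer reset, the AssertStolen poison pill, the pre-boot lock and the admin recovery) as a constructed Python simulation. This is an added example, not Intel's or Absolute's code: the class names, the `JANE-LAPTOP-01` identifier, the passphrase, the three-attempt reboot threshold and the way the client re-checks the theft status during recovery are all assumptions made for illustration, and the signed-permit and message-signing steps are assumed to have already succeeded.

```python
# Constructed simulation of the client-side AT-p behaviour described in this walkthrough.
# Not Intel's or Absolute's code: every class, value and timing is hypothetical, and
# permit/message signing is assumed to have succeeded before any of this runs.
import hmac
from dataclasses import dataclass

HOUR = 3600.0

@dataclass
class Policy:
    timer_hours: float = 48.0                # AT-p Timer Value (disablement timer)
    rendezvous_hours: float = 24.5           # rendezvous timer of the ISV agent
    timer_action: str = "lock"               # AT-p Timer Action
    theft_action: str = "lock"               # AT-p Theft Action
    admin_passphrase: str = "correct horse"  # constructed admin recovery password
    recovery_window_s: int = 120             # seconds allowed at the pre-boot screen
    max_attempts: int = 3                    # failed logins before the firmware reboots

class IsvServer:
    """Stands in for the Absolute server: enrollment, theft status, rendezvous replies."""
    def __init__(self):
        self.clients = {}  # client_id -> {"stolen": bool, "policy": Policy}
    def enroll(self, client_id, eligible, policy):
        if not eligible:  # enrollment step 1: the platform must be AT-p capable
            raise ValueError("platform not eligible for AT-p")
        self.clients[client_id] = {"stolen": False, "policy": policy}
        return f"permit-for-{client_id}"  # placeholder for the signed AT-p permit
    def set_theft_status(self, client_id, stolen):
        self.clients[client_id]["stolen"] = stolen
    def rendezvous(self, client_id):
        rec = self.clients[client_id]  # assert_stolen=True is the "poison pill"
        return {"policy": rec["policy"], "assert_stolen": rec["stolen"]}

class AtpClient:
    """Model of the Management Engine side: timers, lock state, pre-boot recovery."""
    def __init__(self, client_id, server):
        self.client_id, self.server = client_id, server
        self.permit = self.policy = None
        self.locked, self.attempts, self.last_rendezvous = False, 0, 0.0
        self.events = []
    def enroll(self, policy, eligible=True):
        self.policy = policy
        self.permit = self.server.enroll(self.client_id, eligible, policy)
        self.events.append("enrolled")
    def _apply(self, action, reason):
        if action == "lock":  # shut down now and demand pre-boot authentication
            self.locked = True
            self.events.append(f"locked:{reason}")
    def tick(self, now, online=True):
        """Advance the clock to `now` seconds; returns True when the machine is locked."""
        if self.permit is None or self.locked:
            return self.locked
        since = now - self.last_rendezvous
        if online and since >= self.policy.rendezvous_hours * HOUR:
            reply = self.server.rendezvous(self.client_id)
            self.policy = reply["policy"]  # any new settings are relayed to the ME
            self.events.append("rendezvous")
            if reply["assert_stolen"]:
                self._apply(self.policy.theft_action, "assert_stolen")
            else:
                self.last_rendezvous = now  # disablement timer reset
        elif since >= self.policy.timer_hours * HOUR:  # no server contact for too long
            self._apply(self.policy.timer_action, "timer_expired")
        return self.locked
    def preboot_unlock(self, passphrase, elapsed_s, now):
        """Pre-boot authentication screen; returns True once the platform is unlocked."""
        if not self.locked:
            return True
        if elapsed_s > self.policy.recovery_window_s:  # passphrase not entered in time
            self.attempts = 0
            self.events.append("reboot:timeout")
            return False
        if not hmac.compare_digest(passphrase.encode(), self.policy.admin_passphrase.encode()):
            self.attempts += 1
            if self.attempts >= self.policy.max_attempts:  # brute force earns a reboot
                self.attempts = 0
                self.events.append("reboot:attempts")
            return False
        if self.server.rendezvous(self.client_id)["assert_stolen"]:
            return False  # valid credentials do not unlock a machine still marked stolen
        self.locked, self.attempts, self.last_rendezvous = False, 0, now  # AT-p timer reset
        self.events.append("unlocked")
        return True

def jane_scenario():
    """Jane's two days: rendezvous, theft report, poison pill, recovery."""
    server = IsvServer()
    laptop = AtpClient("JANE-LAPTOP-01", server)  # constructed identifier
    laptop.enroll(Policy())
    laptop.tick(8 * HOUR)                            # day 1: nothing due yet
    laptop.tick(25 * HOUR)                           # first rendezvous, not stolen
    server.set_theft_status("JANE-LAPTOP-01", True)  # Jane reports the theft
    thief_used = not laptop.tick(30 * HOUR)          # rendezvous not due: still usable
    locked = laptop.tick(50 * HOUR)                  # next rendezvous: poison pill
    still_stolen = laptop.preboot_unlock("correct horse", 10, 60 * HOUR)
    server.set_theft_status("JANE-LAPTOP-01", False)  # admin resets status to Secure
    bad_try = laptop.preboot_unlock("wrong", 20, 60 * HOUR)
    recovered = laptop.preboot_unlock("correct horse", 30, 60 * HOUR)
    return dict(thief_used=thief_used, locked=locked, still_stolen=still_stolen,
                bad_try=bad_try, recovered=recovered, events=laptop.events)
```

Calling `tick(..., online=False)` models a laptop kept off the network: no rendezvous can reset the disablement timer, so the machine locks itself at 48 hours anyway, which is the hardware-side property the introduction claims. The passphrase check uses `hmac.compare_digest` so that a wrong guess cannot be distinguished from a right one by timing, and the three-strike reboot and two-minute window model the brute-force resistance of the pre-boot screen.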
Once this is done, the IT admin is ready to return the machine to Jane without losing any time. Thus we can see that the AT-p solution not only provides a way to secure machines against theft and continued malicious use, but also ensures efficient recovery and continued use of the recovered machine!