Microsoft has released a really great blog post on the “Security Best Practices for Out of Band Management in Configuration Manager 2007 SP1”. The following topics are covered in great detail, and it is a definite read: http://blogs.technet.com/configmgrteam/archive/2009/08/05/updated-security-best-practices-for-out-of-band-management-in-service-pack-1.aspx


  • Request customized firmware before purchasing AMT-based computers
  • Use in-band provisioning instead of out of band provisioning
  • Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site 
  • Control the request and installation of the provisioning certificate
  • Ensure that you request a new provisioning certificate before the existing certificate expires
  • If the provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server, and remove it from the out of band management component configuration properties
  • If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console
  • Use a dedicated certificate template for provisioning AMT-based computers
  • Use out of band management instead of Wake On LAN
  • Use a dedicated OU to publish AMT-based computers
  • Use Group Policy to Restrict User Rights for the AMT Accounts
  • Use a dedicated collection for in-band provisioning
  • Restrict who has the Media Redirection right and the PT Administration right
  • Retrieve and store image files securely when booting from alternative media to use the IDE redirection function
  • Minimize the number of AMT Provisioning and Discovery Accounts


--Matt Royer