
This past week I was experimenting with the Active Directory object that gets created by the SCS when a system is configured with Kerberos integration. I found some things you should be careful with and wanted to share.

 

First let’s take a look at how we set up the Active Directory to get it ready for provisioning with the SCS:

In order to use Kerberos to authenticate to your AMT device out of band, you first need a dedicated Organizational Unit (OU) in Active Directory to hold the AMT device objects that the SCS will create:

 

1.png

 

Because the SCS service is what creates (and later removes) the AMT device objects, we need to grant the SCS service account Create and Delete permission for child objects on that OU. It needs nothing broader than that on the domain:

 

2.png

 

In my case I'm just using my AMT\Administrator account to keep things simple. Once I have the Create / Delete options selected, I am finished with the new OU.

 

The next thing I need to do is add the Active Directory OU Information to my SCS Profile:

 

3.png

4.png

 

After we set up the Profile in the SCS, we can go ahead and configure the AMT Client using the ACUConfig tool.

 

Once configured, we should be able to see the Active Directory object of the AMT Device in the OU we created:

 

5.png

 

Sure enough, there is our object.

 

Now let’s take a closer look at that object:

 

6.PNG

 

Notice that it is a “User” object. Because it is a user object, the object picker returns it by default when you add members to a group or grant users/objects access to a folder or access list, whereas computer objects are only returned when you explicitly include the Computers object type in the search.

 

For example if I had a security group in Active Directory named “SecurityGroup” and I wanted to add this client (e6420) to it, I would search for the name of the system (e6420):

 

7.png

 

I hit “Check Names” and it looks as though the search returned the computer account:

 

8.png

 

But look closer and you will see that the object returned was really the AMT Device Object.

 

Now if you are not careful when trying to add computers to a security group, and assume that this object was the computer object, you could run into issues.

 

What you want to do is make sure you include “Computers” when searching for objects:

 

9.png

 

Now when you search:

 

10.png

 

You will see multiple objects returned. The top one is the “AMT Device Object” (machine name + $iME, a user object).

The bottom one is the actual OS machine object (machine name + $, a computer object).

 

To avoid confusion, in a future release of the SCS, the AD object that gets created by the SCS will be created as a “Computer Object”.
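As an added example (not part of the original post and not SCS tooling), here are the same steps in PowerShell with the RSAT ActiveDirectory module: create the OU, delegate only Create/Delete of user objects to the SCS service account, and, once ACUConfig has run, list every account whose name starts with the hostname together with its object class so the `$iME` user object is not mistaken for the `$` computer object. The domain, the OU name `AMT Devices`, the service account `scs_service` and the hostname `e6420` are assumptions; the schemaIDGUID of the User class is read from the schema rather than hard-coded.

```powershell
# Added example: prepare the OU for SCS-created AMT device objects and verify what was created.
# Assumptions (not from the original post): OU "AMT Devices" directly under the domain,
# service account amt\scs_service, provisioned host e6420. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName            # e.g. DC=amt,DC=local
$ouName   = 'AMT Devices'
$ouDN     = "OU=$ouName,$domainDN"
$svcAcct  = Get-ADUser -Identity 'scs_service'

# 1. The OU that will hold the AMT device objects.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 2. Delegate Create Child / Delete Child for *user* objects only (the class the current SCS
#    creates), scoped to this OU. Look the class GUID up in the schema instead of trusting a
#    hard-coded value.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid  = New-Object Guid (,[byte[]]$userClass.schemaIDGUID)

$acl  = Get-Acl -Path "AD:\$ouDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$svcAcct.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. After ACUConfig has provisioned the client, show every account whose name starts with
#    the hostname. The AMT device object is a user named <host>$iME; the OS account is the
#    computer object <host>$. Filtering on objectClass is the reliable way to tell them apart.
$hostname = 'e6420'
Get-ADObject -LDAPFilter "(sAMAccountName=$hostname*)" -Properties sAMAccountName, objectClass |
    Select-Object sAMAccountName, ObjectClass, DistinguishedName |
    Format-Table -AutoSize

# To add only the real computer to a group, bind by the computer class, never by display name:
# Add-ADGroupMember -Identity 'SecurityGroup' -Members (Get-ADComputer -Identity $hostname)
```

The delegation uses inheritance type None, so the service account can only create and delete user objects directly inside this OU; if you later move to the computer-object behaviour mentioned above, repeat step 2 with the `computer` class GUID instead.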

Today the most common way people prove their digital identity is with a password. The usual exception is online banking, where most services add a second factor (an OTP token, or a confirmation code sent to a mobile phone). That is costly and inconvenient for the user, but because passwords are weak relative to the value at risk, the approach is accepted and the cost is justified. It is not the reality for the vast majority of digital services, though. Passwords are used to sign in to your PC, webmail, social networks, and many other places. A Microsoft Research study of half a million PC users found that the average person has about 25 online accounts. Are you an average user? The same data shows that only about 6 distinct passwords are used across those 25 accounts, so on average each password is shared by roughly 4 accounts. Add to that the tendency of websites to demand ever more complex passwords (mixed upper and lower case, digits, special characters), and password reuse will only increase, making cases like the one described by Mat Honan (the Wired writer) even more frequent.


Dealing with usernames and passwords leads to a set of interesting challenges. We all want the web to be easy and safe. Having to remember a dozen complex passwords is not easy, and it is even harder for websites you visit less often. Using the same easy-to-remember password on multiple sites, on the other hand, is not safe. The ideal solution makes it both easy and safe to use all of your different digital identities.


As I already explained in a post at InformationWeek on managing identity in the cloud, where I introduced Intel Identity Protection Technology, described the strategies online banks adopt to increase security, and explained how a One Time Password (OTP) as a second authentication factor helps. All of these approaches, even the more sophisticated ones, rely on a symmetric secret shared with the server, so they do not resist an active man-in-the-middle attack: a phishing site can collect the password and OTP from the user and relay them to the real site in real time.


The alternative is a public/private key pair, that is, Public Key Infrastructure (PKI), which is already the most common way network traffic on the Internet is protected. PKI uses asymmetric keys: the private and public keys differ, the public key is published in a way that proves it belongs to this user and not someone else (a certificate), and the private key is stored where only the user can use it. To sign in, the website sends a challenge, the user's private key signs it, and the website checks the signature with the user's public key, which proves the user holds the private key. Because every challenge is fresh, a captured response cannot be replayed, and because the private key is never typed, there is nothing for a keylogger to capture; as long as the private key is not compromised, this resists phishing and keylogging attacks. The method is not widely used on the consumer Internet today because of the cost of the dedicated hardware needed to protect the private key (smart cards and readers) and the logistics around it.
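As an added example (not from the original post, and not the IPT-PKI or CryptoAPI interface), the sign-in exchange described above in PowerShell, with a software RSA key from .NET's `RSACryptoServiceProvider` standing in for a key that IPT-PKI would keep inside the ME. The message layout, the function names and the `Origin` field are illustrations. The example also shows the one caveat a practitioner should know: the challenge must carry the site's identity, otherwise a phishing site can relay the real site's nonce to the victim in real time and forward the signature. The page does not describe origin binding; it is added here as the standard way to get the phishing resistance the paragraph claims.

```powershell
# Added example: RSA challenge/response sign-in, plus the replay and relay cases.
# A software CSP key stands in for an IPT-PKI key; names and message layout are assumptions.
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# Enrollment: the client generates the key pair and hands the website only the public half.
$clientKey     = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$sitePublicKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$sitePublicKey.ImportParameters($clientKey.ExportParameters($false))   # public parameters only

function New-Challenge {
    # The website picks a fresh random nonce per sign-in attempt (so a captured response cannot
    # be replayed) and names itself (so the response is bound to this site, not a look-alike).
    param([string]$Origin)
    $nonce = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($nonce)
    return @{ Origin = $Origin; Nonce = $nonce }
}

function Get-ChallengeBytes {
    # Bytes that actually get signed: origin || nonce.
    param($Challenge)
    $originBytes = [System.Text.Encoding]::UTF8.GetBytes($Challenge.Origin)
    return [byte[]]($originBytes + [byte[]]$Challenge.Nonce)
}

function Invoke-ClientSign {
    # Client side: the private key never leaves $Key; only the signature goes back.
    param($Key, $Challenge)
    return $Key.SignData((Get-ChallengeBytes $Challenge), $sha256, $pkcs1)
}

function Test-ClientResponse {
    # Server side: rebuild the bytes it expects to have been signed and verify them
    # with the public key it holds for this user.
    param($PublicKey, $Challenge, [byte[]]$Signature)
    return $PublicKey.VerifyData((Get-ChallengeBytes $Challenge), $Signature, $sha256, $pkcs1)
}

# Normal sign-in: the bank issues a challenge, the client signs it, the bank verifies it.
$challenge = New-Challenge -Origin 'https://bank.example'
$response  = Invoke-ClientSign -Key $clientKey -Challenge $challenge
"Genuine login verifies:            $(Test-ClientResponse $sitePublicKey $challenge $response)"   # True

# Replay: the old signature sent against a new challenge fails because the nonce changed.
$later = New-Challenge -Origin 'https://bank.example'
"Replayed response verifies:        $(Test-ClientResponse $sitePublicKey $later $response)"       # False

# Relay through a phishing site: a man-in-the-middle that forwards the real bank's nonce to the
# victim only obtains a signature over *its own* origin, which the bank rejects.
$relayed = @{ Origin = 'https://bank-login.example'; Nonce = $challenge.Nonce }
$phished = Invoke-ClientSign -Key $clientKey -Challenge $relayed
"Relayed phishing response verifies: $(Test-ClientResponse $sitePublicKey $challenge $phished)"  # False
```

Without the origin in the signed bytes the third check would succeed, which is why a bare "sign this nonce" protocol is only phishing-resistant when the client can tell which site it is really talking to.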


Intel IPT-PKI architecture


Intel Identity Protection Technology (Intel IPT) with PKI uses the Intel Management Engine (Intel ME) in systems based on 3rd generation Intel Core vPro processors to provide hardware-backed key protection comparable to other hardware security modules such as smart cards. Unlike most hardware security modules, Intel IPT-PKI is designed to be managed like software while the hardware remains resistant to tampering.

The hardware-based security comes from performing all private-key operations inside the Intel ME, so the keys are never exposed to software running on the computer's central processing unit (CPU). Furthermore, every certificate is tied to the platform on which it was created.


IPT-PKI diagram.png


 

As the diagram shows, because the ME is part of the chipset and bound to the PC, the user's PC itself becomes part of the authentication process. Intel IPT-PKI exposes its capabilities as a Cryptographic Service Provider (CSP) through the Microsoft CryptoAPI layer, so applications use it like any other CSP. IPT-PKI can be used to:


  • generate a persistent RSA key pair in hardware;
  • enroll certificates for that key, so that using it proves both possession of the platform and knowledge of the PIN;
  • perform operations with the RSA private key;
  • protect use of the key with a PIN.

 

Intel IPT-PKI can be used to strengthen user authentication in several applications, such as client-certificate authentication to SSL/TLS web sites, S/MIME with Microsoft Exchange Server and the Outlook client, or VPN authentication.


To prevent malware in the operating system from keylogging the user's PIN and replaying it automatically in a man-in-the-browser (MitB) attack, a second IPT building block, Intel IPT with Protected Transaction Display (IPT-PTD), can be used to create a secure path for the user's interfaces (keyboard, mouse and video) that the operating system cannot hook, as I explained in the Brazilian bank case in a previous post.


If you want to start using IPT-PKI and IPT-PTD, there is an excellent Use Case Reference Design that explains most scenarios and how to configure them. The only client-side requirement is an Intel vPro machine with a 3rd generation Intel Core processor and a Windows operating system certified for that particular machine.


Best Regards!


I get asked quite a few questions regarding the provisioning certificate install location for Intel® Setup and Configuration Software 8.0. I wanted to take a moment to walk you through the process and hopefully help you avoid any confusion.

 

Once you have your Provisioning Certificate, you need to install that cert in the appropriate Certificate Store. SCS 8 is expecting this location to be the “Personal Store” of the user that is running the scs service.

 

For example, the user I am running the SCS Service with is: amt\scs_service

 

I need to install the certificate in that user’s Personal Store. But what if I cannot log in locally on this account and install the cert? Let’s take a look at how we can accomplish this:

 

Once you have your provisioning certificate w/private key exported, save it to a location on your SCS server.

Normally we would just launch MMC and add the Certificates snap-in for the current user. Because we cannot log in to the server as the service account (amt\SCS_Service), that is a challenge. Luckily it is just a matter of launching MMC as a “different user”.

 

An easy way to do this is to “Shift+right click” on MMC.exe.

 

I simply search for MMC, and when it pops up in the start menu, shift+right click and select “Run as different user”.

A normal right click brings up the standard context menu, shown on the left. A shift+right click brings up the extended version, shown on the right:

1.png

2.png

Now I can use the SCS service account:

 

3.png

Now you can add the cert snap-in and because we ran MMC as our service account, we can install the provisioning certificate in the Personal Store of the amt\SCS_Service account.

 

4.png

 

Now right click on the Personal Store and choose “All Tasks-->Import”

And just follow the prompts.

5.png

6.png

7.png

8.png

And when you are finished with the import wizard, you should see the certificate show up in the Personal store:

9.png

Now you are ready to provision!

 

This is only one of a few different methods you can use to install your provisioning certificate, for more information see the SCS User Guide.
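As an added example (not from the original post, and not one of the methods in the SCS User Guide), the same import done from PowerShell: a child PowerShell is started as the service account, which is the same mechanism as “Run as different user”, and `Import-PfxCertificate` writes the certificate into that account's own `CurrentUser\My` (Personal) store. The PFX path `C:\SCS\provisioning.pfx` and the account `amt\scs_service` are assumptions.

```powershell
# Added example: import the provisioning certificate into the Personal store of the SCS service
# account without an interactive desktop logon as that account.
# Assumptions (not from the original post): PFX at C:\SCS\provisioning.pfx, account amt\scs_service.
$pfxPath = 'C:\SCS\provisioning.pfx'
$svcCred = Get-Credential -UserName 'amt\scs_service' -Message 'SCS service account password'

# Script that runs *as the service account*. The PFX password is asked for inside that session
# so it never appears on a command line. -LoadUserProfile below matters: CurrentUser\My and the
# user key store live in the account's profile, and the service will later open that same store.
$childScript = @"
`$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Import-PfxCertificate -FilePath '$pfxPath' -CertStoreLocation Cert:\CurrentUser\My -Password `$pw |
    Format-List Subject, Thumbprint, HasPrivateKey, NotAfter

# Confirm what the service account now sees in its Personal store.
Get-ChildItem Cert:\CurrentUser\My | Where-Object { `$_.HasPrivateKey } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
Read-Host 'Press Enter to close'
"@

# -EncodedCommand avoids any quoting problems with the multi-line script.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($childScript))
Start-Process -FilePath powershell.exe -Credential $svcCred -LoadUserProfile -Wait `
    -ArgumentList '-NoProfile', '-EncodedCommand', $encoded
```

`Start-Process -Credential` needs the same logon right on the server as the “Run as different user” step in MMC; if that fails, the MMC route above will fail in the same way.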


 

The Spanish Olympic Committee (COE) is responsible for Spain’s participation in the Olympic Games. It needed to move from a dedicated to a virtual IT infrastructure that would let employees work from their desktops and communicate with the Madrid office anytime and from anywhere. COE implemented a virtual infrastructure based on computers powered by Intel® Core™ vPro™ processors.

 

“Our people travel far and wide and our operations can be complex,” explained Manuel Pastrana, IT manager for COE. “Thanks to Ermestel and Intel® and Citrix technology, a template was implemented that provided users with the same business profile, which can be centrally updated and used from any location. This allows them to retain their personal profiles on their devices while using a virtualized system for COE. It has cut costs, made management far easier and introduced far greater flexibility.”

 

Read all about it in our new COE business success story. You can find more like this one on Intel.com and iTunes. And to keep up to date on the latest business success stories, be sure to follow ReferenceRoom on Twitter.

I was investigating some strange certificate issues a while back when I ran across one that I had not seen before. I was attempting to configure a Lenovo T410 using the latest version of the SCS (8.1). I purchased a certificate from GoDaddy for my domain and everything appeared to be set up correctly. Here are a few screenshots of my setup:

I had DHCP set up correctly with option 15 matching my certificate CNAME DNS Suffix:

1.png

I had the SCS Service running under my amt\administrator account:

2.png

I was logged on my SCS server as amt\administrator:

3.png

I had my provisioning certificate installed in my “Current User” certificate store and I had the Private Key:

4.png

The certificate chained up to the correct GoDaddy CA with the correct thumbprint:

5.png

6.png

Everything looked great, until I tried to configure a client:

7.png

Hrmm, failed to get private key? But my certificate clearly shows that I have the key! Digging a bit more into what may be causing this issue I found reference to CNG which is Cryptography API: Next Generation, which you can read about it here.

 

Now when I originally created the CSR for the provisioning certificate, I used the Cert Snap-In in MMC. The first step in that process was to select a template to use:

8.png

Sure enough, it defaults to CNG Key. Doing a bit more research, I found out that provisioning certificates with CNG keys are not supported by our Setup and Configuration Software (SCS).

 

So to fix this, I just ended up creating a new CSR and selecting Legacy Key as my template. Then I went to my GoDaddy account and chose to “Re-Key” my certificate. After that I could once again provision my systems with SCS!

 

If you are seeing a similar issue, there is an easy way to find out whether the template you selected was a CNG template:

On the server where the certificate is installed, open the certificate, then use the Details tab to export it (with its private key) to a file. Once you have the file, run this command against it:

    certutil filename.pfx

9.png

If you see “Microsoft Software Key Storage Provider”, the key is held by a CNG key storage provider: it is a CNG certificate, and SCS will not be able to use its private key.

 

What you want to see is a cert that uses the Legacy Key template:

10.png

Now we are set up and ready to configure!
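As an added example (not from the original post), the same diagnosis scripted, plus the fix: the first part reads the provider of the certificate's private key straight from the user's Personal store, using both the `certutil -store` output the post relies on and the .NET key object type as a second signal; the second part writes a `certreq` request file that pins the new key to a legacy CSP, which is what the “Legacy key” choice in the MMC wizard does. The subject `CN=provisioning.amt.local`, the subject substring used to find the certificate and the file paths under `C:\SCS` are assumptions.

```powershell
# Added example: detect a CNG-backed provisioning certificate and build a legacy-CSP request.
# Assumptions (not from the original post): subject contains "provisioning", files under C:\SCS.

function Get-ProvisioningKeyProvider {
    param([string]$SubjectMatch = 'provisioning')     # assumed substring of the certificate subject
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SubjectMatch*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key matches '$SubjectMatch'" }

    # certutil reports the provider the same way the screenshots in the post do.
    $line = certutil -user -store My $cert.Thumbprint | Select-String 'Provider =' | Select-Object -First 1
    $provider = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { 'unknown' }

    # Second, independent signal: the type of the .NET key object.
    #   RSACng                   -> CNG key storage provider (not supported by SCS)
    #   RSACryptoServiceProvider -> legacy CAPI CSP (what SCS expects)
    $keyType = ([System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)).GetType().Name

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Provider   = $provider
        KeyType    = $keyType
        IsCng      = ($provider -like '*Key Storage Provider*') -or ($keyType -eq 'RSACng')
    }
}

Get-ProvisioningKeyProvider

# The fix: a new CSR whose key is created by a legacy CSP. ProviderType 24 is PROV_RSA_AES,
# MachineKeySet = FALSE keeps the key in the user's store, where SCS looks for it.
$inf = @"
[NewRequest]
Subject = "CN=provisioning.amt.local"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
HashAlgorithm = SHA256
RequestType = PKCS10
"@
$inf | Set-Content -Path C:\SCS\legacy-request.inf -Encoding ASCII
certreq -new C:\SCS\legacy-request.inf C:\SCS\legacy-request.csr
# Submit legacy-request.csr to the CA (here, GoDaddy's re-key), then install the issued
# certificate with certreq -accept so it pairs with the legacy key just generated.
```

Run `Get-ProvisioningKeyProvider` again after installing the re-keyed certificate: `IsCng` should be `$false` and `KeyType` should read `RSACryptoServiceProvider`.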

For the launch of the new generation of vPro™ processors, Intel has prepared an environment for IT professionals to test their abilities and compete for a trip to Brazil and an HP EliteBook Folio 9470m Ultrabook™. That is how the “Invisible Agent - Ultimate IT Challenge” was born: a cultural contest in the best secret-agent style.

 

For that reason, an exclusive site that mixes fantasy and reality was created for the project. When participants enter the site they get the impression that it is an ordinary site, but it soon suffers a hacker invasion and a mysterious voice explains what is going on and launches the challenge: find out how Intel® vPro™ can help you improve your work, put an end to hacker invasions and become an Invisible Agent.

 

That way, each participant gets the chance to live a few days as a special agent and neutralize the hackers' actions, restoring order and productivity inside a major corporation. All of this work is, naturally, enabled by the features of Intel® vPro™ technology.

 

The contest has two phases, the first of which starts on 10/15. To participate, just go to the contest site ultimateitchallenge.intel.com, take part in the activities, watch the videos and answer the question: “How can computers equipped with smart processors change the routine in your company?”. The author of the most creative answer wins a week-long trip to Brazil for two, as well as a brand new Ultrabook™.

For intelligent performance with embedded security, three companies have recently turned to Intel® Core™ vPro™ processors:

 

You can read all about it in our three new business success stories. Find more like these on Intel.com and iTunes. And to keep up to date on the latest business success stories, be sure to follow ReferenceRoom on Twitter.

 

*Other names and brands may be claimed as the property of others.
