I'm looking to set up AMT in my environment. We decided to use the SCCM add-on with RCS integration. I have two major security concerns with this: First, the instructions in the Intel(R)_SCS_Addon_SCCM_2012.pdf call for giving the Operations Administrator role to the Domain Computers group. That was a huge security concern to me, since the Operations Administrator role is an extremely powerful one. I was able to find advice on this from another discussion that I found on this site.
This brings me to the second issue, on which I have yet to make any progress. In section 2.7 of the guide, it gives the option to run the packages used by the add-on either as the system account on the host computer (default) or designate an account for running the package. If I go with the system accounts, then it requires me to give every computer Remote Enable rights to the site_<sccm site code> namespace in WMI. This is opening up my SCCM infrastructure to any person who can run something as the system account on any host computer, which is not very difficult to do, so this is not a good option.
The second option (using a dedicated account) also has problems, as I need to grant this account admin rights to all of my hosts and open up the same WMI namespace to it. This is fine so long as I can keep this one account safe. But for this to work, the add-on has to use the “Run this step as the following account” option in the task sequence and store its credentials there. This is a problem, because that password can easily be extracted from any host computer which is able to run the task sequence. In order to verify this, I ran a test of it and was able to get the password for this account from a host, using one very simple step followed by a one-liner. I'm not going to post that here for obvious reasons. This is why Microsoft has multiple warnings about accounts used to “run as” from a task sequence. This issue presents a huge concern because the instructions are calling for this account to have admin rights to all of my hosts, plus the ability to remotely connect to SCCM's WMI namespace. I don't want to leave such a powerful account so exposed.
So, given all of the above, does anybody know of a reasonably secure way to handle this? This can't be the only way to make this work. Of all the companies using AMT, somebody else must have already discovered this problem and developed a more secure method.
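A check related to the Remote Enable concern raised in the post, added here as an example and not part of the original post or of Intel's guide: it lists every principal whose allow ACE on the site namespace includes Remote Enable, so the grant can be reviewed before and after the add-on is configured. The full namespace path `root\sms\site_<code>`, the `XXX` site code placeholder, and running it elevated in Windows PowerShell on the server hosting the SMS Provider are assumptions.

```powershell
# Added example: audit who holds Remote Enable on the SCCM site WMI namespace.
$SiteCode  = 'XXX'                      # placeholder: replace with your site code
$Namespace = "root\sms\site_$SiteCode"  # assumed full path of the site_<code> namespace

# WMI namespace access rights (bit flags carried in each ACE's AccessMask)
$Rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

# Read the namespace security descriptor through the __SystemSecurity singleton
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
}

# Keep allow ACEs (AceType 0) that include the Remote Enable bit
$result.Descriptor.DACL |
    Where-Object { $_.AceType -eq 0 -and ($_.AccessMask -band 0x20) } |
    ForEach-Object {
        $ace = $_
        [pscustomobject]@{
            Trustee   = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
            Rights    = ($Rights.Keys | Where-Object { $ace.AccessMask -band $Rights[$_] }) -join ', '
            Inherited = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE flag
        }
    } |
    Format-Table -AutoSize
```

An entry for a broad group such as Domain Computers in this output is the exposure the post describes for the system-account option.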