Out of band management in Microsoft System Center Configuration Manager 2007 SP1 provides a convenient way to control computers that have the Intel vPro chip set and a version of Intel Active Management Technology (Intel AMT) firmware that is supported by Configuration Manager. However, it is important to restrict access so that unauthorized users cannot use this feature to attack computers on your network.
Security Best Practices
Use in-band provisioning instead of out of band provisioning
Using in-band provisioning, especially in native mode, lets the client use the trust relationship already established between the client and the Configuration Manager infrastructure. With out of band provisioning, an untrusted computer can be provisioned if it supplies the SMBIOS GUID (also known as the UUID) that was specified in the Import Out of Band Computers wizard. A successfully provisioned computer has an account automatically created for it in Active Directory Domain Services and receives a certificate with server authentication capability from your enterprise certification authority. If a rogue computer is provisioned, it gains an authenticated identity on the network (an elevation of privilege), and that account could be used to read information that is secured for authenticated access (information disclosure). The server authentication certificate could be misused to impersonate a legitimate server and establish trust. It is also possible for attackers to set up servers that impersonate valid DNS servers and provisioning servers so that AMT-based computers are misdirected to rogue provisioning servers. If you do not need to use out of band provisioning, do the following to help reduce these risks:
- To help prevent rogue computers from being provisioned out of band: Do not use the Import Out of Band Computers wizard to add new computers to the Configuration Manager database; configure Windows Firewall on the server running the out of band service point role to block the provisioning port (by default, TCP 9971); and do not register an alias for the out of band service point in DNS. For more information about the DNS alias, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS. Additionally, restrict physical access to the network, and monitor clients to detect unauthorized computers.
- To help prevent rogue servers from provisioning your AMT-based computers, use a custom password for the MEBx Account in the AMT BIOS extensions so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. For more information, see About the MEBx Account and How to Add an AMT Provisioning and Discovery Account.
If you cannot use in-band provisioning because the computer is new and has no operating system installed, consider using operating system deployment to install the operating system and install the Configuration Manager 2007 SP1 client so that the computer can be provisioned in-band. Unlike out of band provisioning, operating system deployment does not create an authenticated account in Active Directory Domain Services and does not request a server authentication certificate from your enterprise certification authority. For more information about operating system deployment, see Operating System Deployment in Configuration Manager. If you cannot use in-band provisioning because the computer does not have the Configuration Manager 2007 SP1 client installed or because the computer does not have a version of AMT that is natively supported by Configuration Manager, install the Configuration Manager 2007 SP1 client and upgrade the firmware to a supported version as appropriate. For more information about the AMT versions supported by Configuration Manager, see Overview of Out of Band Management.
Control the request and installation of the provisioning certificate
Request the provisioning certificate directly on the out of band service point (the provisioning server), using the computer's security context, so that the certificate is installed directly into the local computer store. If you must request the certificate on another computer, you will have to export the private key and then apply additional security controls while transferring it and importing it into a certificate store with restricted access.
Ensure that you request a new provisioning certificate before the existing certificate expires
An expired AMT provisioning certificate will result in provisioning failure. If you are using an external certification authority (CA) for your provisioning certificate, allow additional time to complete the renewal process and to reconfigure the out of band management component properties with the new certificate.
Note: To help you identify when the AMT provisioning certificate is about to expire, Configuration Manager generates a warning status message with ID 7210 when the provisioning certificate in use is 40 days or less from expiration. This status message is repeated once a day until the certificate is replaced with one whose remaining validity period is greater than 40 days, or until the remaining validity period drops below 15 days. When the remaining validity period is less than 15 days, an error status message with ID 7211 is generated until the certificate is replaced with one whose remaining validity period is greater than 15 days.
If the provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server, and remove it from the out of band management component configuration properties
If you know that the AMT provisioning certificate is revoked, you must manually prevent Configuration Manager from using it to provision AMT-based computers, because AMT-based computers do not check the CRL for the provisioning certificate. Delete the certificate from the certificate store on the out of band service point site system server. Then deploy a new provisioning certificate, and configure it in the out of band management component properties. If you cannot immediately deploy a valid AMT provisioning certificate, remove the out of band service point role until you have a replacement certificate.
If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console
There is no functionality to revoke the provisioning certificate in Configuration Manager 2007 SP1.
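The two certificate practices above (watch the expiry thresholds that drive status messages 7210 and 7211, and pull a revoked certificate out of the store yourself because AMT will never reject it) can be checked from the out of band service point itself. The following script is an added example, not code from the original page or from Configuration Manager. It assumes the provisioning certificate is in the LocalMachine\My store and carries the Intel AMT provisioning EKU OID 2.16.840.1.113741.1.2.3; if your CA marked the certificate differently, adjust the filter in Get-AmtProvisioningCertificate. Removing the certificate from the store is only half the task: you still have to remove it from the out of band management component properties and deploy a replacement, or remove the site role until you can.

```powershell
# Added example; not code from the original page or from Configuration Manager.
# Run on the out of band service point under an account that can read (and, for
# removal, write) the LocalMachine\My certificate store.
# Assumption: the AMT provisioning certificate carries the Intel AMT provisioning
# EKU OID below. Change the filter if your CA issued it with a different marker.
$AmtProvisioningEku = '2.16.840.1.113741.1.2.3'

function Get-AmtProvisioningCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $AmtProvisioningEku)
    }
}

function Test-AmtProvisioningCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays  = 40,   # same threshold as warning status message 7210
        [int]$ErrorDays = 15    # same threshold as error status message 7211
    )
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    if     ($daysLeft -lt 0)          { $expiry = 'EXPIRED' }
    elseif ($daysLeft -lt $ErrorDays) { $expiry = 'ERROR'   }
    elseif ($daysLeft -le $WarnDays)  { $expiry = 'WARNING' }
    else                              { $expiry = 'OK'      }

    # AMT firmware never consults the CRL for this certificate, so the server is the
    # only place a revoked provisioning certificate gets caught. Build the chain with
    # online revocation checking and look for the Revoked flag.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Certificate)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $revokedFlag = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $revoked = (@($flags | Where-Object { ([int]$_ -band $revokedFlag) -ne 0 })).Count -gt 0

    New-Object PSObject -Property @{
        Thumbprint  = $Certificate.Thumbprint
        Subject     = $Certificate.Subject
        NotAfter    = $Certificate.NotAfter
        DaysLeft    = $daysLeft
        Expiry      = $expiry
        Revoked     = $revoked
        ChainStatus = $flags        # RevocationStatusUnknown and friends also deserve a look
    }
}

# Deleting the certificate from the store is what stops Configuration Manager from
# presenting it to AMT-based computers. Uses X509Store directly so it also works on
# PowerShell versions where Remove-Item is not supported on the Cert: drive.
function Remove-AmtProvisioningCertificate {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        if ($found.Count -eq 0) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
        $store.RemoveRange($found)
        return $found.Count
    } finally {
        $store.Close()
    }
}

# Usage: audit every candidate, remove only what is actually revoked.
foreach ($cert in Get-AmtProvisioningCertificate) {
    $result = Test-AmtProvisioningCertificate -Certificate $cert
    $result | Format-List Subject, Thumbprint, NotAfter, DaysLeft, Expiry, Revoked, ChainStatus
    if ($result.Revoked) {
        Remove-AmtProvisioningCertificate -Thumbprint $result.Thumbprint | Out-Null
        Write-Warning "Removed revoked provisioning certificate $($result.Thumbprint); now update the out of band management component properties."
    }
}
```

Run it on a schedule comparable to the daily status messages; the Expiry field reproduces the 7210/7211 thresholds so a WARNING here means the console is (or is about to be) showing 7210. A ChainStatus of RevocationStatusUnknown means the CRL could not be fetched, which is a monitoring gap rather than a clean result.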
Use out of band management instead of Wake On LAN
Although both solutions support waking up computers for software updates and advertisements, out of band management is a more secure solution than Wake On LAN because it provides authentication and encryption using standard industry security protocols. It can also integrate with an existing public key infrastructure (PKI) deployment, and the security controls can be managed independently from the product. For more information, see Choose Between Power On Commands with Out of Band Management and Wake-Up Packets for Wake On LAN.
Change the default provisioning server
By default, the BIOS extensions for AMT-based computers look for a provisioning server named ProvisionServer. Although changing the default name is not a simple process, using the default name of ProvisionServer could present a security risk if a record with this name is configured to resolve to the IP address of the wrong computer or a rogue computer. Configuring the provisioning server value with an IP address is more secure than using a well-known name. If you configure a name, you must configure DNS to perform name resolution. If you are using name resolution for either ProvisionServer or a custom name, secure the DNS record to safeguard against the record being modified in such a way that it no longer resolves to the out of band service point site system computer. For more information, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS.
Configure an alternate port for server provisioning
The port used for server provisioning can be set in the custom AMT firmware image. Using a custom port is more secure than using the default port. You can also use the Management Engine BIOS Extensions (MEBx) to manually configure these values on each AMT-based computer. Configure your alternative port number on the Out of Band Management Properties: General tab.
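Two of these recommendations can be enforced or verified from the out of band service point: blocking the provisioning port (TCP 9971 by default, or your custom port) when out of band provisioning is not in use, as the in-band provisioning practice above suggests, and confirming that ProvisionServer or your custom provisioning-server name resolves only to the out of band service point, as the DNS practice above requires. The script below is an added example, not code from the original page or from Configuration Manager. It assumes Windows Server 2008 or later (where netsh advfirewall exists; Windows Server 2003 uses the older netsh firewall syntax) and that you know the address the out of band service point should be reached at; the 10.0.5.20 in the usage comments is a constructed placeholder.

```powershell
# Added example; not code from the original page or from Configuration Manager.
# Run on the out of band service point site system. Assumes Windows Server 2008 or
# later (netsh advfirewall); the address 10.0.5.20 used below is a constructed example.

# Block inbound connections to the AMT provisioning port. Use TCP 9971 when you have
# decided not to use out of band provisioning at all, or your custom port if you have
# moved provisioning off the default and want it closed while the role is not in use.
function Block-AmtProvisioningPort {
    param([int]$Port = 9971)
    $name = "Block AMT provisioning (TCP $Port)"
    netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=$Port | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not add rule '$name' (exit code $LASTEXITCODE)" }
    return $name
}

# Report what a provisioning-server name resolves to from this host.
#  - If you do not use out of band provisioning, any answer for ProvisionServer is a
#    finding: AMT firmware with default settings will talk to whatever that name is.
#  - If you do use it (default or custom name), the name must resolve only to the
#    out of band service point; anything else means the record was changed or a
#    rogue host is answering.
# A bare host name can also be answered by LLMNR or NetBIOS on the local segment,
# which is exactly the spoofing this practice warns about, so run the check from a
# client subnet as well as from the server.
function Test-ProvisionServerName {
    param(
        [string]$Name = 'ProvisionServer',
        [string[]]$ExpectedAddress = @()   # empty means "this name must not resolve"
    )
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $resolved = @()   # NXDOMAIN or resolver failure
    }

    if ($resolved.Count -eq 0) {
        if ($ExpectedAddress.Count -eq 0) { $status = 'OK' } else { $status = 'MISSING' }
        $unexpected = @()
    } else {
        $unexpected = @($resolved | Where-Object { $ExpectedAddress -notcontains $_ })
        if     ($ExpectedAddress.Count -eq 0) { $status = 'UNEXPECTED-RECORD' }
        elseif ($unexpected.Count -gt 0)      { $status = 'WRONG-TARGET' }
        else                                  { $status = 'OK' }
    }
    New-Object PSObject -Property @{
        Name       = $Name
        Resolved   = $resolved
        Unexpected = $unexpected
        Status     = $status
    }
}

# Usage when out of band provisioning is not used on this site:
#   Block-AmtProvisioningPort
#   Test-ProvisionServerName                      # expect Status OK (name does not resolve)
# Usage when it is used with the default name and the service point at 10.0.5.20:
#   Test-ProvisionServerName -ExpectedAddress '10.0.5.20'
#   Test-ProvisionServerName -Name 'amtprov.corp.example' -ExpectedAddress '10.0.5.20'
```

A WRONG-TARGET or UNEXPECTED-RECORD result is worth treating as an incident rather than a configuration drift: whatever answers for that name is what every AMT-based computer on the segment will hand its provisioning exchange to. If you move to a custom port, pass the same port to Block-AmtProvisioningPort when the role is removed, since a block rule on 9971 alone no longer covers it.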
Restrict who has the Media Redirection right
Granting someone the Media Redirection right is almost equivalent to granting that person physical access to the computer. An attacker with physical access would still have to open the computer to get at the hard drive, but someone with the Media Redirection right can boot the computer from an alternate operating system image over the network and use it to read or modify the data on the hard drive remotely.
Privacy Information
The out of band management console in Microsoft System Center Configuration Manager 2007 SP1 manages computers that have the Intel vPro chip set and Intel Active Management Technology (Intel AMT) with a firmware version that is supported by Configuration Manager. Configuration Manager 2007 SP1 temporarily collects information about the computer configuration and settings, such as the computer name, IP address, and MAC address. Information is transferred between the managed computer and the out of band management console by using an encrypted channel. The information is not retained after the management session is ended. This feature is not enabled by default.
You have the option to enable Configuration Manager 2007 SP1 to discover computers with management controllers that can be managed by the out of band management console. Discovery creates records for the manageable computers and stores them in the database. Data discovery records contain computer information, such as the IP address, operating system, and computer name. Discovery of management controllers is not enabled by default. For more information, see How to Discover Computers with Management Controllers. Discovery information is not sent back to Microsoft. Discovery information is stored in the site database and is retained there until it is deleted by the Delete Aged Discovery Data site maintenance task, which by default runs every 90 days; you can configure the deletion interval.