Out of Band Management Security Best Practices and Privacy Information
Updated: October 1, 2009
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Out of band management in Microsoft System Center Configuration Manager 2007 SP1 and later provides a convenient way to control computers that have the Intel vPro chip set and a version of Intel Active Management Technology (Intel AMT) firmware that is supported by Configuration Manager. However, it is important to restrict access so that unauthorized users cannot use this feature to attack computers on your network.
Security Best Practices
Request customized firmware before purchasing AMT-based computers
Computers that can be managed out of band have BIOS extensions that can set customized values to significantly increase security when these computers are on your network. Check which BIOS extension settings are available from your computer manufacturer, and specify your choice of values. For more information, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer. If your AMT-based computers do not have the firmware values that you want to use, you might be able to manually specify them yourself. For more information about manually configuring the BIOS extensions, refer to the Intel documentation or the documentation from your computer manufacturer. You can also refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001). Customize the following options to increase your security:
- Replace all certificate thumbprints of external certification authorities (CAs) with the certificate thumbprint of your own internal CA. This prevents rogue provisioning servers from attempting to provision your AMT-based computers, and you will not have to purchase provisioning certificates from external CAs. For information about how to locate the certificate thumbprint of your internal root CA, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.
- Use a custom password for the MEBx Account so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. This prevents rogue provisioning servers from attempting to provision your AMT-based computers with the known default password. For more information, see About the MEBx Account and How to Add an AMT Provisioning and Discovery Account.
- Change the value for the default provisioning server. Using the default name of ProvisionServer could present a security risk if a record with this name is configured to resolve to an IP address of the wrong computer or a rogue computer. Configuring the provisioning server value with an IP address is more secure than using a well-known name. However, an IP address cannot be used for multiple AMT-based computers if they will be provisioned by different sites. If you configure an alternative name rather than an IP address, you must configure DNS to perform name resolution. When you use name resolution for either ProvisionServer or a custom name, secure the DNS record to safeguard against the record being modified in such a way that it no longer resolves to the out of band service point site system computer. For more information, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS.
- Configure an alternate port for server provisioning. Using a custom port is more secure than using the default port for out of band provisioning. If you will use out of band provisioning, configure your alternative port number on the Out of Band Management Properties: General tab.
Use in-band provisioning instead of out of band provisioning
Using in-band provisioning, especially in native mode, allows the client to use the trust relationship already established between the client and the Configuration Manager infrastructure. With out of band provisioning, untrusted computers can be provisioned if they supply the SMBIOS GUID (also known as the UUID) that has been specified in the Import Out of Band Computers wizard. Successfully provisioned computers have an account automatically created in Active Directory Domain Services and receive a certificate with server authentication capability from your enterprise CA. If a rogue computer is provisioned, the resulting network authentication results in an elevation of privileges and the account could be used to read information on the network that is secured for authenticated access (information disclosure). A certificate with server authentication might be misused to establish trust. It is also possible for attackers to create servers that impersonate valid DNS servers and provisioning servers so that AMT-based computers are misdirected to rogue provisioning servers. If you do not need to use out of band provisioning, do the following to help reduce these security risks:
- Applicable to Configuration Manager 2007 SP2 only: From Component Configuration, do not select the option Allow out of band provisioning on the General tab of the Out of Band Management Properties dialog box. This option is not selected by default. With this default setting, Configuration Manager will not respond to out of band provisioning requests, which helps to prevent rogue computers from being provisioned out of band.
- To help prevent rogue computers from being provisioned out of band: Do not use the Import Out of Band Computers wizard to add new computers to the Configuration Manager database; configure Windows Firewall on the server running the out of band service point role to block the provisioning port (by default, TCP 9971); and do not register an alias for the out of band service point in DNS. For more information about the DNS alias, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS. Additionally, restrict physical access to the network, and monitor clients to detect unauthorized computers.
- To help prevent rogue servers from provisioning your AMT-based computers, use a custom password for the MEBx Account in the AMT BIOS extensions so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. For more information, see About the MEBx Account and How to Add an AMT Provisioning and Discovery Account.
If you cannot use in-band provisioning because the computer is new and has no operating system installed, consider using operating system deployment to install the operating system and install the client for Configuration Manager 2007 SP1 or later so that the computer can be provisioned in-band. Unlike out of band provisioning, operating system deployment does not create an authenticated account in Active Directory Domain Services and does not request a server authentication certificate from your enterprise CA. For more information about operating system deployment, see Operating System Deployment in Configuration Manager. If you cannot use in-band provisioning because the computer does not have the client installed for Configuration Manager 2007 SP1 or later or because the computer does not have a version of AMT that is natively supported by Configuration Manager, install the client for Configuration Manager 2007 SP1 or later and upgrade the firmware to a supported version as appropriate. For more information about the AMT versions supported by Configuration Manager, see Overview of Out of Band Management.
Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site
Computers that are blocked by a Configuration Manager 2007 SP1 site continue to accept out of band management communication. When an AMT-based computer is blocked because it is no longer trusted, take the following manual action:
- On the issuing CA, revoke the certificate that was issued to the site server with the FQDN of the AMT-based computer in the certificate Subject.
- In Active Directory Domain Services, disable or delete the AMT account that was created for the AMT-based computer.
Control the request and installation of the provisioning certificate
Request the provisioning certificate directly from the provisioning server by using the computer security context so that the certificate is installed directly into the local computer store. If you must request the certificate from another computer, you will have to export the private key and then use additional security controls while transferring and importing the certificate into a certificate store with restricted access.
Ensure that you request a new provisioning certificate before the existing certificate expires
An expired AMT provisioning certificate will result in provisioning failure. If you are using an external CA for your provisioning certificate, allow additional time to complete the renewal process and reconfigure the out of band management point.
Note: To help you identify when the AMT provisioning certificate is about to expire, Configuration Manager generates a warning status message with ID 7210 when the provisioning certificate in use is 40 days or less from expiration. This status message will be repeated once a day until the certificate is replaced with a validity period greater than 40 days or until the validity period is less than 15 days. When the validity period is less than 15 days, an error status message with ID 7211 is generated until the certificate is replaced with a validity period greater than 15 days.
If the provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server, and remove it from the out of band management component configuration properties
If you know that the AMT provisioning certificate is revoked, you must manually prevent it from being used to provision AMT-based computers by Configuration Manager because AMT-based computers do not check the CRL for the provisioning certificate. Delete the certificate from the certificate store on the out of band service point site system server. Then deploy a new provisioning certificate, and configure it in the Out of Band Management Properties dialog box. If you cannot immediately deploy a valid AMT provisioning certificate, remove the out of band service point role until you have a replacement certificate.
If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console
There is no functionality to revoke the provisioning certificate in Configuration Manager 2007 SP1 and later.
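The following PowerShell script is an added example (it is not part of the Configuration Manager documentation or product) that applies the 40-day and 15-day thresholds from the status message note above to the provisioning certificate on the out of band service point, and, because AMT-based computers do not check the CRL, also checks the certificate's revocation status on the server side. It assumes PowerShell 3.0 or later, that it runs on the out of band service point site system server with the provisioning certificate in the local computer's Personal store, and that the placeholder thumbprint is replaced with your own; the function name Get-AmtProvisioningCertStatus is invented for this example.

```powershell
# Added example; not Configuration Manager's own code or documentation.
# Assumes the script runs on the out of band service point site system server,
# where the AMT provisioning certificate is in the local computer Personal
# store. The thumbprint below is a placeholder to replace with your own.
$ProvisioningCertThumbprint = 'REPLACE-WITH-PROVISIONING-CERT-THUMBPRINT'

function Get-AmtProvisioningCertStatus {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [int]$WarningDays = 40,   # 40 days or less: warning status message 7210
        [int]$ErrorDays   = 15    # fewer than 15 days: error status message 7211
    )
    # Thumbprints copied from the Certificates MMC snap-in often contain spaces.
    $normalized = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $normalized }

    if (-not $cert) {
        return [pscustomobject]@{
            Thumbprint    = $normalized
            Status        = 'NotInstalled'
            DaysRemaining = $null
            HasPrivateKey = $false
            Revoked       = $null
        }
    }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $validity = if ($daysLeft -lt 0)                { 'Expired' }
                elseif ($daysLeft -lt $ErrorDays)   { 'Error (7211 range)' }
                elseif ($daysLeft -le $WarningDays) { 'Warning (7210 range)' }
                else                                { 'OK' }

    # AMT-based computers do not check the CRL for the provisioning
    # certificate, so the revocation check has to happen here, on the server.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainBuilt = $chain.Build($cert)
    $revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -match 'Revoked' })

    [pscustomobject]@{
        Thumbprint    = $normalized
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysRemaining = $daysLeft
        Status        = $validity
        HasPrivateKey = $cert.HasPrivateKey   # required for provisioning
        ChainValid    = $chainBuilt
        Revoked       = $revoked
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

$status = Get-AmtProvisioningCertStatus -Thumbprint $ProvisioningCertThumbprint
$status | Format-List
if ($status.Revoked) {
    Write-Warning 'Provisioning certificate is revoked: delete it from the store and reconfigure the out of band service point.'
}
```

Running this daily as a scheduled task gives you the same early warning as status messages 7210 and 7211 plus the revocation check that the AMT firmware never performs.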
Use a dedicated certificate template for provisioning AMT-based computers
If you are using an Enterprise version of Windows Server for your enterprise CA, create a new certificate template by duplicating the default Web Server certificate template, ensure that only Configuration Manager site servers have Read and Enroll permissions, and do not add additional capabilities to the default of server authentication. Having a dedicated certificate template allows you to better manage and control access to help prevent elevation of privileges. If you have a Standard version of Windows Server for your enterprise CA, you will not be able to create a duplicate certificate template. In this scenario, do not allow Read and Enroll permissions to computers other than Configuration Manager site servers that will provision AMT-based computers.
Use out of band management instead of Wake On LAN
Although both solutions support waking up computers for software updates and advertisements, out of band management is a more secure solution than Wake On LAN because it provides authentication and encryption using standard industry security protocols. It can also integrate with an existing public key infrastructure (PKI) deployment, and the security controls can be managed independently from the product. For more information, see Choose Between Power On Commands with Out of Band Management and Wake-Up Packets for Wake On LAN.
Disable AMT in the firmware if the computer is not supported for out of band management
Even when AMT-based computers have a supported version of AMT, there are some scenarios that out of band management does not support. These scenarios include the following: workgroup computers, computers that have a different namespace, and computers that have a disjoint namespace. To ensure that AMT-based computers are not published to Active Directory Domain Services and do not have a PKI certificate requested for them, disable AMT in the firmware. AMT provisioning in Configuration Manager creates domain credentials for the accounts published to Active Directory Domain Services, which risks the elevation of privileges when the computers are not part of your Active Directory forest.
Use a dedicated OU to publish AMT-based computers
Do not use an existing container or OU to publish the Active Directory accounts that are created during AMT provisioning. A separate OU allows you to better manage and control these accounts and helps to ensure that they are not granted more privileges than they need.
Use Group Policy to restrict user rights for the AMT accounts
Apply restrictive user rights to the AMT accounts that are published to Active Directory Domain Services to help protect against elevation of privileges and to reduce the attack surface if an attacker gains access to one of these accounts. Create a security group that contains the AMT accounts automatically created by Configuration Manager during the AMT provisioning process, and then add this group to the following enabled group policy settings under \Computer Configuration\Windows Settings\Security Settings\Local Policy\User Rights Assignment:
- Deny access to this computer from the network
- Deny log on as a batch job
- Deny log on as a service
- Deny log on locally
- Deny log on through Terminal Services
Apply these group policy settings to all computers in the forest. Periodically review and revise if necessary the group membership to ensure that it contains all the AMT accounts currently published to Active Directory Domain Services.
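The periodic group membership review described above, combined with the dedicated OU practice, can be scripted. The following PowerShell is an added example (not part of the Configuration Manager documentation or product) that compares the accounts published under the dedicated AMT OU with the membership of the security group that the Deny user rights are applied to, reports accounts that the deny settings do not yet cover and group members that no longer exist under the OU, and previews adding the missing ones. It assumes PowerShell 3.0 or later with the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), that the OU holds only accounts published by AMT provisioning, and that the OU distinguished name and group name are placeholders to replace; the function name Get-AmtGroupMembershipDrift is invented for this example.

```powershell
# Added example; not Configuration Manager's own code or documentation.
# Assumes the ActiveDirectory module and a dedicated OU that holds only the
# accounts published during AMT provisioning. Both names are placeholders.
Import-Module ActiveDirectory

$AmtAccountsOU = 'OU=AMT Accounts,DC=example,DC=com'   # placeholder OU
$AmtDenyGroup  = 'AMT Accounts Deny Logon'              # placeholder group

function Get-AmtGroupMembershipDrift {
    param(
        [Parameter(Mandatory = $true)][string]$OU,
        [Parameter(Mandatory = $true)][string]$Group
    )
    # Every account object directly under the dedicated OU is expected to be
    # an AMT account that Configuration Manager published.
    $published = Get-ADObject -SearchBase $OU -SearchScope OneLevel `
        -LDAPFilter '(|(objectClass=computer)(objectClass=user))'
    $members = Get-ADGroupMember -Identity $Group

    $publishedDns = @($published | ForEach-Object { $_.DistinguishedName })
    $memberDns    = @($members   | ForEach-Object { $_.DistinguishedName })

    [pscustomobject]@{
        # Published accounts that are not in the group: the Deny user rights
        # do not apply to them yet.
        MissingFromGroup  = @($publishedDns | Where-Object { $memberDns -notcontains $_ })
        # Group members that are not under the OU: stale entries or accounts
        # that were added by hand and need review.
        UnexpectedMembers = @($memberDns | Where-Object { $publishedDns -notcontains $_ })
    }
}

$drift = Get-AmtGroupMembershipDrift -OU $AmtAccountsOU -Group $AmtDenyGroup
$drift | Format-List

if ($drift.MissingFromGroup.Count -gt 0) {
    # Preview only; remove -WhatIf to bring the group up to date.
    Add-ADGroupMember -Identity $AmtDenyGroup -Members $drift.MissingFromGroup -WhatIf
}
```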
Use a dedicated collection for in-band provisioning
Do not use an existing collection that contains more computers than you want to provision in-band. Instead, create a query-based collection by using the procedure for in-band provisioning in How to Provision Computers for AMT. When the site is in mixed mode, ensure that these computers are approved. For more information about approval, see About Client Approval in Configuration Manager and How to Approve Configuration Manager Clients.
Restrict who has the Media Redirection right and the PT Administration right (Configuration Manager 2007 SP1) or Platform Administration right (Configuration Manager 2007 SP2)
Granting someone the Media Redirection right is almost equivalent to granting someone physical access to the computer. While attackers still require physical access to open the computer, someone with the Media Redirection right could load an alternate operating system and use it to remotely attack data on the hard drive. The PT Administration right (Configuration Manager 2007 SP1) and the Platform Administration right (Configuration Manager 2007 SP2) automatically include all AMT rights, including the Media Redirection right.
Retrieve and store image files securely when booting from alternative media to use the IDE redirection function
When you boot from alternative media to use the IDE redirection function, whenever possible, store the image files locally on the computer running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access (for example, using NTFS permissions and the encrypted file system).
Minimize the number of AMT Provisioning and Discovery Accounts
Although you can specify multiple AMT Provisioning and Discovery Accounts so that Configuration Manager can discover computers that have management controllers and provision them for out of band management, do not specify accounts that are not currently required and delete accounts that are no longer needed. Specifying only the accounts that you need helps to ensure that these accounts are not granted more privileges than they need and helps to reduce unnecessary network traffic and processing. For more information about the AMT Provisioning and Discovery Account, see Determine Whether to Configure an AMT Provisioning and Discovery Account for Out of Band Management and About the AMT Provisioning and Discovery Account.
For Configuration Manager 2007 SP2 only: Manually add computers provisioned for 802.1X and wireless to a security group
From Component Configuration, do not automatically add computers to a security group by using the option Automatically add AMT-based computers to security group on the 802.1X and Wireless tab of the Out of Band Management Properties dialog box. To help guard against elevation of privileges, carefully control membership of a security group that is used to grant network access to computers. Select the option Do not automatically add AMT-based computers to security group, and manually add known and trusted computer accounts to a security group.
For Configuration Manager 2007 SP2 only: Use a single certificate template for client authentication certificates whenever practical
Although you can specify a different certificate template for each wireless profile, use a single certificate template unless you have a business requirement for different settings on different wireless networks (for example, if one wireless network requires a larger key size or a shorter validity period than another, you need a separate certificate template). Specify only the client authentication capability, and dedicate this certificate template to Configuration Manager out of band management. A single certificate template is easier to control and helps guard against elevation of privileges.
For Configuration Manager 2007 SP2 only: Ensure that only authorized administrators perform auditing actions and manage the audit logs as required
Depending on the AMT version, Configuration Manager might stop writing new entries to the AMT audit log when it is nearly full or might overwrite old entries. To ensure that new entries are logged and old entries are not overwritten, periodically clear the audit log if required, and save the auditing entries. For more information about how to manage the audit log and monitor auditing activities, see How to Manage the Audit Log for AMT-Based Computers.
Privacy Information
The out of band management console in Microsoft System Center Configuration Manager 2007 SP1 and later manages computers that have the Intel vPro chip set and Intel Active Management Technology (Intel AMT) with a firmware version that is supported by Configuration Manager. Configuration Manager 2007 SP1 and later temporarily collects information about the computer configuration and settings, such as the computer name, IP address, and MAC address. Information is transferred between the managed computer and the out of band management console by using an encrypted channel. This feature is not enabled by default and typically no information is retained after the management session is ended. If you enable auditing in Configuration Manager 2007 SP2, you can save auditing information to a file that includes the IP address of the AMT-based computer that is managed, together with the domain and user account that performed the management action on the recorded date and time. This information is not sent to Microsoft.
You have the option to enable Configuration Manager to discover computers with management controllers that can be managed by the out of band management console. Discovery creates records for the manageable computers and stores them in the database. Data discovery records contain computer information, such as the IP address, operating system, and computer name. Discovery of management controllers is not enabled by default. For more information, see How to Discover Computers with Management Controllers. Discovery information is not sent back to Microsoft. Discovery information is stored in the site database. Information is retained in the database until deleted by the site maintenance task Delete Aged Discovery Data every 90 days. You can configure the deletion interval.
For additional information, see Configuration Manager 2007 Information and Support.