Security and Privacy for Out of Band Management in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.
This topic contains security and privacy information for out of band management in System Center 2012 Configuration Manager.
Use the following security best practices when you manage Intel AMT-based computers out of band.
Security best practice
Request customized firmware before you purchase Intel AMT-based computers.
Computers that can be managed out of band have BIOS extensions that can set customized values to significantly increase security when these computers are on your network. Check which BIOS extension settings are available from your computer manufacturer, and specify your values. For more information, see Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer.
If your AMT-based computers do not have the firmware values that you want to use, you might be able to manually specify them. For more information about manually configuring the BIOS extensions, see the Intel documentation or the documentation from your computer manufacturer. For additional information, see Intel vPro Expert Center: Microsoft vPro Manageability. Customize the following options to increase your security:
Control the request and installation of the provisioning certificate.
Request the provisioning certificate directly from the provisioning server by using the computer security context so that the certificate is installed directly into the local computer store. If you must request the certificate from another computer, you have to export the private key, and then use additional security controls when you transfer and import the certificate into a certificate store.
Ensure that you request a new provisioning certificate before the existing certificate expires.
An expired AMT provisioning certificate results in a provisioning failure. If you are using an external CA for your provisioning certificate, allow for additional time to complete the renewal process and reconfigure the out of band management point.
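A renewal check for the provisioning certificate, as an added example that is not part of the original topic or of Configuration Manager. The function name, the placeholder thumbprint, the lead times, and the sample certificate object are assumptions made for illustration.

```powershell
# Added example: classify the AMT provisioning certificate as OK, RenewNow,
# Expired, NoPrivateKey or Missing. For live data, run on the server that holds
# the certificate and pass the local computer store:
#   $certs = Get-ChildItem Cert:\LocalMachine\My
function Test-AmtProvisioningCert {
    param(
        [Parameter(Mandatory)] [object[]] $Certificate,  # needs Thumbprint, NotAfter, HasPrivateKey
        [Parameter(Mandatory)] [string]   $Thumbprint,   # thumbprint of the provisioning certificate
        [int]      $LeadDays = 30,                       # renewal lead time (assumed value)
        [datetime] $Now = (Get-Date)
    )
    $cert = $Certificate | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $Thumbprint; DaysLeft = $null; Status = 'Missing' }
    }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)

    # A certificate requested on another computer is unusable until its
    # private key has been imported as well, so report that first.
    if (-not $cert.HasPrivateKey)   { $status = 'NoPrivateKey' }
    elseif ($daysLeft -lt 0)        { $status = 'Expired' }
    elseif ($daysLeft -le $LeadDays) { $status = 'RenewNow' }
    else                            { $status = 'OK' }

    [pscustomobject]@{ Thumbprint = $Thumbprint; DaysLeft = $daysLeft; Status = $status }
}

# Constructed sample: one certificate object with a placeholder thumbprint.
$placeholder = 'PLACEHOLDER-THUMBPRINT'
$sample = @(
    [pscustomobject]@{
        Thumbprint    = $placeholder
        NotAfter      = [datetime]'2015-06-20'
        HasPrivateKey = $true
    }
)
$today = [datetime]'2015-05-14'

# Internal CA: a 30-day lead time leaves this certificate in the OK state.
Test-AmtProvisioningCert -Certificate $sample -Thumbprint $placeholder -LeadDays 30 -Now $today

# External CA: a longer lead time (60 days, assumed) flags the same certificate
# for renewal, leaving time to reconfigure the out of band management point.
Test-AmtProvisioningCert -Certificate $sample -Thumbprint $placeholder -LeadDays 60 -Now $today
```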
Use a dedicated certificate template for provisioning AMT-based computers.
If you use an Enterprise version of Windows Server for your enterprise CA, create a new certificate template by duplicating the default Web Server certificate template. Ensure that only the security group that you specify in the out of band management component properties has Read and Enroll permissions, and do not add capabilities beyond the default of server authentication.
A dedicated certificate template allows you to better manage and control access to help prevent elevation of privileges. If you have a Standard version of Windows Server for your enterprise CA, you cannot create a duplicate certificate template. In this scenario, you must add Read and Enroll permissions to the security group that you specify in the out of band management component properties and remove any permission that you do not require.
Use AMT power on commands instead of wake-up packets.
Although both solutions support waking up computers for software installation, AMT power on commands are more secure than transmitting wake-up packets because they provide authentication and encryption by using standard industry security protocols. By using AMT power on commands with out of band management, this solution can also integrate with an existing public key infrastructure (PKI) deployment, and the security controls can be managed independently from the product. For more information, see “Planning How to Wake Up Clients” in Planning for Client Communication in Configuration Manager.
Disable AMT in the firmware if the computer is not supported for out of band management.
Even when AMT-based computers have a supported version of AMT, there are some scenarios that out of band management does not support. These scenarios include workgroup computers, computers that have a different namespace, and computers that have a disjoint namespace.
To ensure that these AMT-based computers are not published to Active Directory Domain Services and do not have a PKI certificate requested for them, disable AMT in the firmware. AMT provisioning in Configuration Manager creates domain credentials for the accounts published to Active Directory Domain Services, which risks the elevation of privileges when the computers are not part of your Active Directory forest.
Use a dedicated OU to publish AMT-based computer accounts.
Do not use an existing container or organizational unit (OU) to publish the Active Directory accounts that are created during AMT provisioning. A separate OU lets you manage and control these accounts better and helps ensure that site servers and these accounts are not granted more permissions than they require.
Allow the site server computer accounts Write permission to the OU, the Domain Computers group, and the Domain Guests group in each domain that contains AMT-based computers.
In addition to allowing the site server computer accounts Create all child objects and Delete all child objects permissions for the OU and apply to This object only, allow the following permissions for the site server computer accounts:
Use a dedicated collection for AMT provisioning.
Do not use an existing collection that contains more computers than you want to provision for AMT. Instead, create a query-based collection by using the AMT status of Not Provisioned.
For more information about the AMT Status and how to construct a query for Not Provisioned, see About the AMT Status and Out of Band Management in Configuration Manager.
Retrieve and store image files securely when you boot from alternative media to use the IDE redirection function.
When you boot from alternative media to use the IDE redirection function, whenever possible, store the image files locally on the computer running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access, for example, by using NTFS permissions and the encrypted file system.
Retrieve and store AMT audit log files securely.
If you save AMT audit log files, whenever possible, store the files locally on the computer that is running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access, for example, by using NTFS permissions and the encrypted file system.
Minimize the number of AMT Provisioning and Discovery Accounts.
Although you can specify multiple AMT Provisioning and Discovery Accounts so that Configuration Manager can discover computers that have AMT management controllers and provision them for out of band management, do not specify accounts that are not currently required and delete accounts that are no longer required. Specify only the accounts that you require to help ensure that these accounts are not granted more permissions than they require and to reduce unnecessary network traffic and processing. For more information about the AMT Provisioning and Discovery Account, see Step 5: Configuring the Out of Band Management Component.
For service continuity, specify a user account as the AMT Provisioning Removal Account and ensure that this user account is also specified as an AMT User Account.
The AMT Provisioning Removal Account helps ensure service continuity if you must restore the Configuration Manager site. After you restore the site, request and configure a new AMT provisioning certificate, use the AMT Provisioning Removal Account to remove provisioning information from AMT-based computers, and then reprovision the computers.
You might also be able to use this account if an AMT-based computer was reassigned from another site and the provisioning information was not removed.
For more information about how to remove AMT provisioning information, see How to Remove AMT Information.
Use a single certificate template for client authentication certificates whenever practical.
Although you can specify different certificate templates for each of the wireless profiles, use a single certificate template unless you have a business requirement for different settings to be used for different wireless networks. Specify only client authentication capability, and dedicate this certificate template for use with Configuration Manager out of band management. For example, if one wireless network required a higher key size or shorter validity period than another, you would have to create a separate certificate template. A single certificate template lets you control its use more easily and guards against elevation of privileges.
Ensure that only authorized administrative users perform AMT auditing actions and manage the AMT audit logs as required.
Depending on the AMT version, Configuration Manager might stop writing new entries to the AMT audit log when it is nearly full or might overwrite old entries. To ensure that new entries are logged and old entries are not overwritten, periodically clear the audit log if required, and save the auditing entries. For more information about how to manage the audit log and monitor auditing activities, see How to Manage the Audit Log for AMT-Based Computers in Configuration Manager.
Use the principle of least privilege and role-based administration to grant administrative users permissions to manage AMT-based computers out of band.
Use the Remote Tools Operator security role to grant administrative users the Control AMT permission, which allows them to view and manage computers by using the out of band management console, and initiate power control actions from the Configuration Manager console.
For more information about the security permissions that you might require to manage AMT-based computers, see “Configuration Manager Dependencies” in Prerequisites for Out of Band Management in Configuration Manager.
Managing AMT-based computers out of band has the following security issues:
An attacker might fake a provisioning request, which results in the creation of an Active Directory account. Monitor the OU where the AMT accounts are created to ensure that only expected accounts are created.
You cannot configure web proxy access for the out of band service point to check the certificate revocation list (CRL) that is published on the Internet. If you enable CRL checking for the AMT provisioning certificate, and the CRL cannot be accessed, the out of band service point does not provision AMT-based computers.
The option to disable automatic AMT provisioning is stored on the Configuration Manager client and not in AMT. This means that the AMT-based computer can still be provisioned. For example, the Configuration Manager client might be uninstalled, or the computer might be provisioned by another management product.
Even though you select the option to disable automatic provisioning for an AMT-based computer, the out of band service point accepts a provisioning request from that computer.
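One way to carry out the OU monitoring recommended above for faked provisioning requests, as an added example that is not part of the original topic or of Configuration Manager. The function name, the OU path, the computer names, and the sample records are assumptions made for illustration.

```powershell
# Added example: report accounts in the dedicated AMT OU that are not on the
# list of computers you intended to provision. For live data (ActiveDirectory
# module), replace the constructed records below with:
#   $found = Get-ADObject -SearchBase 'OU=AMT,DC=example,DC=com' `
#                -SearchScope OneLevel -Filter * -Properties whenCreated
function Find-UnexpectedAmtAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Found,     # needs Name and whenCreated
        [Parameter(Mandatory)] [string[]] $Expected,  # computers submitted for provisioning
        [datetime] $Since = [datetime]::MinValue      # ignore accounts created before this time
    )
    # PowerShell hashtable keys compare case-insensitively, which matches
    # how Active Directory treats object names.
    $allow = @{}
    foreach ($name in $Expected) { $allow[$name] = $true }

    $Found |
        Where-Object { $_.whenCreated -ge $Since -and -not $allow.ContainsKey($_.Name) } |
        Sort-Object whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Name
                Created = $_.whenCreated
                Reason  = 'Not in the expected provisioning list'
            }
        }
}

# Constructed sample records standing in for the contents of the AMT OU.
$found = @(
    [pscustomobject]@{ Name = 'PC-0142';   whenCreated = [datetime]'2015-05-11 09:12' },
    [pscustomobject]@{ Name = 'pc-0143';   whenCreated = [datetime]'2015-05-11 09:15' },
    [pscustomobject]@{ Name = 'UNKNOWN-7'; whenCreated = [datetime]'2015-05-12 02:40' }
)
# Constructed list of the computers in the dedicated provisioning collection.
$expected = 'PC-0142', 'PC-0143'

# Reports only UNKNOWN-7: the other two names match the list, ignoring case.
Find-UnexpectedAmtAccount -Found $found -Expected $expected -Since ([datetime]'2015-05-01')
```

Building `$Expected` from the dedicated provisioning collection keeps the list limited to the computers you meant to provision.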
The out of band management console manages computers that have the Intel vPro chip set and Intel Active Management Technology (Intel AMT) with a firmware version that is supported by Configuration Manager. Configuration Manager temporarily collects information about the computer configuration and settings, such as the computer name, IP address, and MAC address. Information is transferred between the managed computer and the out of band management console by using an encrypted channel. By default, this feature is not enabled, and typically no information is retained after the management session is ended. If you enable AMT auditing, you can save auditing information to a file that includes the IP address of the AMT-based computer that is managed and the domain and user account that performed the management action on the recorded date and time. This information is not sent to Microsoft.
You have the option to enable Configuration Manager to discover computers with management controllers that can be managed by the out of band management console. Discovery creates records for the manageable computers and stores them in the database. Data discovery records contain computer information, such as the IP address, operating system, and computer name. By default, discovery of management controllers is not enabled. Discovery information is not sent to Microsoft. Discovery information is stored in the site database. Information is retained in the database until the site maintenance task Delete Aged Discovery Data deletes it at intervals of 90 days. You can configure the deletion interval.
Before you configure out of band management, consider your privacy requirements.