Transcription of Intel® AMT Configuration Utility User Guide
1 intel AMT Configuration Utility user Guide Version Document Release Date: December 17, 2015 intel AMTC onfigurationUtility UserGuideiiLicenseIntel SetupandConfigurationSoftware( intel SCS) ,refertothe ExhibitA sectionofthe intel (R) , (expressorimplied,byestoppelorotherwise) ,includingwithoutlimitation,theimpliedwa rrantiesofmerchantability,fitnessforapar ticularpurpose,andnon-infringement,aswel lasanywarrantyarisingfromcourseofperform ance,courseofdealing, 'featuresandbenefitsdependonsystemconfig urationandmayrequireenabledhardware,spec ificsoftware, AMTshouldbeusedbyaknowledgeableITadminis tratorandrequiresenabledsystems,software ,activation, Active Management vPro , : (Keyboard,Video,Mouse)isonlyavailablewit hIntel Core i5vPro andCore i7vPro processorswithintegratedgraphicsandIntel ,IntelvPro,andtheIntellogo, ,Windows,andtheWindowslogoaretrademarks, *Othernamesandbrandsmaybeclaimedasthepro pertyofothers. 2015 IntelCorporationIntel AMTC onfigurationUtility AMTC onfigurationUtility?
2 (Digest) (Kerberos) AMTC onfigurationUtility (MultipleSystems) (ACL) (TLS) AMTC onfigurationUtility : CannotConfigureIntelAMT : : TheCallerisUnauthorized. (ErrorinSetKerberos) AMTC onfigurationUtility,referredtointhisguid easthe ConfigurationUtility .Note:TheConfigurationUtilityisacomponen tofIntel SetupandConfigurationSoftware( intel SCS)thatyoucanusetoconfigureIntel ActiveManagementTechnology( intel AMT).Thisguideonlyincludesinformationabo utoptionsavailablewhentheConfigurationUt ilityisusedonitsown, (R) , AMTC onfigurationUtility? AMTC onfigurationUtility AMTC onfigurationUtility?TheIntelAMTC onfigurationUtility(ConfigurationUtility ) : RuntheConfigurationUtilityonanIntelAMTsy stemtoconfigureIntelAMT (CLI) :# ,see: StartingtheConfigurationUtilityonpage27 Configuring/UnconfiguringIndividualSyste msonpage28 Whenalargenumberofsystemsneedtobeconfigu red, ,see: UsingtheProfileDesigneronpage39 ConfiguringSystemsonpage88#2 TheIntelAMTV ersionsintheNetworkTheversionsofIntelAMT inyournetworkwilldefinewhichconfiguratio nmethodsyoucanuse(seeConfigurationMethod sandIntelAMTV ersionsonthenextpage).
3 # ,seeIntelAMTandSecurityConsiderationsonp age5.# ,beforeyoucreateatheprofile, AMTC onfigurationUtility : IntelAMTS ystems ManagementEngine( intel ME)andaBIOS menucalledtheIntel ManagementEngineBIOSE xtension( intel MEBX).TheIntelMEoperatesindependentlyoft heCentralProcessingUnits(CPUs)ofthecompu ter. ManagementConsole :ConfigurationMethods# , , #3and# (RCS) ,refertotheIntel(R) AMTC onfigurationUtility ,usingthesettingsinanXMLconfigurationpro file(seeDefiningIntelAMTP rofilesonpage43).Becausethismethodhasles ssecurityrelatedrequirementsthanearlierc onfigurationmethods,bydefaulttheIntelAMT deviceisputintheClientControlmode(seeCon trolModesonpage7).YoucanusetheConfigurat ionUtilitytoquicklydefineaprofileandthen immediatelyconfigurethesystem(seeConfigu ringaSystemonpage29).Alternatively, ,see: UsingtheProfileDesigneronpage39 (toinserttheUSB key).HoweverthisputsIntelAMTintoAdminCon trolMode(ACM)andassuchprovidesaccesstoal lAMTfeatures, ,see: ManualConfigurationonpage34 DefiningManualConfiguration(MultipleSyst ems)onpage40 Alternatively,youcanusetheConfigViaUSBco mmandoftheConfigurator(seeConfiguringaSy stemusingaUSBK eyonpage89).
4 AMTC onfigurationUtility ,withaminimumofoneofeachofthese: Anumber Anonalphanumericcharacter AlowercaseLatinletter AnuppercaseLatinletterNote: Theunderscore(_)characteriscountedasanal phanumericcharacter. TheRemoteFrameBuffer(RFB) (seeVNCC lientsonpage16). Thecolon(:),comma(,),anddoublequote( )charactersareNOTpermittedinthesepasswor ds: IntelMEBX password Digestuserpasswords(includingtheAdminuse r) ,eachprofilecreatedoreditedbytheConfigur ationUtilityisencrypted(withapasswordtha tyousupply).TheXMLprofilesareencryptedus ingthisformat: Encryptionalgorithm:AES128usingSHA-256on theprovidedpasswordtocreatethekey Encryptionmode:CBC InitializeVector(IV)isthefirst16bytesoft heHashSomeadvancedoptionsofIntelSCSusead ditionalXMLfiles(forexample,thededicated networksettingsfile).Ifyouwanttousethese optionalXMLfiles, , AMTC onfigurationUtility UserGuide6 Forexample: :\ @ssw0rd SomeWindowsversions(forexample,Windows8) , ,seeExitCode110onpage122. Insomeenvironments,authenticationofthedi gitalsignaturecanincreasetheconfiguratio ntimebyuptotwominutesChapter1 IntroductionIntel AMTC onfigurationUtility ,usethesestandardsecurityprecautions: EncryptalltheXML (seeFileEncryptiononpage5).
5 Makesurethatdeploymentpackagesandtheencr yptionpasswordarestoredinalocationthaton lyapprovedpersonnelcanaccess. SenddeploymentpackagestotheIntelAMTsyste mswithacommunicationmethodthatpreventsac cesstopersonswithoutapproval. Alwaysusethedefaultrequirementfordigital signatureauthenticationwhenusingtheConfi guratorCLIremotely(seeDigitalSigningofFi lesonthepreviouspage). IftheConfiguratorwillneedtocommunicatewi thaCAorcreateanADobject,givepermissionso nlytothespecificCAtemplateorthespecificA ctiveDirectoryOrganizationalUnit. Whenconfiguration/unconfigurationiscompl ete, ,allIntelAMTdevicesareputinoneofthesecon trolmodes: ClientControlMode : TheSystemDefensefeatureisnotavailable. Userconsentisrequiredforallredirectionop erationsandchangestothebootprocess. PermissionfromtheAuditoruser(ifdefined)i snotrequiredtounconfigureIntelAMT. Tomakesurethatuntrusteduserscannotgetcon troloftheIntelAMTsystem,someIntelAMTconf igurationfunctionsareblocked. Duringconfiguration,theIntelMEBX passwordwillnotbechangedifitisthedefault password(seeAccesstotheIntelMEBX onpage9).
6 AdminControlMode :Bydefault, AMTC onfigurationUtility , TheuserconsentfeatureisavailableonlyforK VMR edirection. ,userconsentismandatoryfortheseoperation s: SerialOverLANtoredirectBIOS screensandOSBoottextscreens KVMR edirection ToremotelysetBIOS bootoptions Tochangethesourceforremoteboot(forexampl e,bootfromPXE) IDE-Redirection(IDE-R)(throughAMT10) AMTC onfigurationUtility (TLS) (PKI) ,knownasaCertificationAuthority(CA). isconfigured(bydefiningTLSintheconfigura tionprofile), , ManagementEngineBIOSE xtension( intel MEBX) (usually<Ctrl-P>).AccesstotheIntelMEBX iscontrolledbyapassword, (usually admin ).WhenanIntelAMTsystemisconfiguredbytheR CSorusingaUSBkey, , , (ifitisnotchangedmanually).IfyouusetheUn ifiedConfigurationprocess, , :ForinformationabouttheRCSandtheUnifiedC onfigurationprocess,refertotheIntel(R) AMTC onfigurationUtility :Ifyou lose thepassword(s)oftheIntelAMT admin accountsconfiguredinyoursystems, ,itishighlyrecommendedtodefineanaddition aladministratoraccountinIntelAMT(prefera blyaKerberosuseraccount).
7 (Digest)EachIntelAMTdevicecontainsaprede finedadministrativeusernamed admin , : HasaccesstoalltheIntelAMTfeaturesandsett ingsonthedevice IsnotcontainedintheAccessControlListwith otherDigestusers,andcannotbedeletedThus, forsecurityreasonsitisimportanthowyoudef inethepasswordforthisuser(evenifyoudonot useit).ThepasswordisdefinedintheNetworkS ettingssectionoftheconfigurationprofile( seeDefiningSystemSettingsonpage76). , , , , (random) , , ,seeUser-DefinedAdminUser(Kerberos) (Kerberos)IfyournetworkhasActiveDirector y(AD), AMTC onfigurationUtility UserGuide11 TouseadedicatedActiveDirectoryAdminUser( Kerberos) (seeDefiningtheAccessControlList(ACL)onp age53). (seeDefaultAdminUser(Digest)onthepreviou spage). : WhenusingaKerberosuser,alwaysmakesuretha tthisKerberosuserexistsintheACLoftheprof ileyouusetodoreconfiguration. WhenusingaKerberosuserandthehost-basedco nfigurationmethod: TheConfiguratormustNOTbe Runasadministrator . , YoumustNOTaddthecredentialsofadomainuser totheprofile(seeSavingtheConfigurationPr ofileonpage46).
8 Chapter1 IntroductionIntel AMTC onfigurationUtility , , , ,forincreasedsecurity, , ,itisimportanttosynchronizethedevicecloc kwiththeclockofacomputerinthenetwork.( )Whentheclockisnotsynchronized, , , (whenusingTLS,EAC,RemoteAccess, ). AMTC onfigurationUtility UserGuide13 ReplacingActiveDirectoryObjectPasswordsI fanIntelAMTdeviceisconfiguredtouseActive Directory(AD)Integration, (notuser-defined).IftheADOU hasa maximumpasswordage passwordpolicydefinedinAD, , :Duringmaintenance, ,seeDefaultAdminUser(Digest) , (seeDefiningActiveDirectoryIntegrationon page50). (seeConfiguringSystemsonpage88).Note: AMTC onfigurationUtility (seeMaintainingConfiguredSystemsonpage92 ).FormoreinformationabouttheConfigurator , ( Configuration ,reconfiguration,maintenan ce,andunconfiguration).Thedataissavedint hisregistrykey: 32-bitoperatingsystems:HKLM\SOFTWARE\Int el\SetupandConfigurationSoftware\SystemD iscovery\ConfigurationInfo 64-bitoperatingsystems:HKLM\SOFTWARE\Wow 6432 Node\ intel \SetupandConfigurationSoftware \SystemDiscovery\ , , : ,reissueallthecertificates.
9 (ReissueCertificatestask.) ,thenewsettingsfromtheprofileareconfigur edinthedevice.(SyncNetworkSettingstask.) Stringvalues, ,changethepasswordaccordingtothepassword settingdefinedintheprofile.(RenewAdminPa sswordtask.)Chapter1 IntroductionIntel AMTC onfigurationUtility UserGuide15 ,changethepasswordoftheActiveDirectoryob ject.(RenewADPasswordtask.) ,synchronizetheclock.(SyncAMTT imetask.) : ,reconfiguration,maintenance,andunconfig urationtaskswillcompletebutwithwarnings. Iftheregistrykeysdonotexist,thefirsttime theAutoMaintainparameterisusedallthemain tenancetaskswillbedone(accordingtothepro file).Chapter1 IntroductionIntel AMTC onfigurationUtility ,VideoandMouse(KVM) (VNC)to share : VNCS erver ,aVNCS ervercomponentisembeddedintheIntelAMTdev ice. VNCC lient Anapplication,usuallylocatedonamanagemen tserver, ,KVMcannotbeenabledbyIntelSCSduringconfi guration(itmustbedonemanuallyatthesystem ). : RedirectionPorts(16994and16995) ,theVNCC lientusermustbedefinedintheIntelAMTdevic e(seeDefiningtheAccessControlList(ACL)on page53).
10 Port16995alsousesTransportLayerSecurity. DefaultPort(5900) : TheVNCC lientusermustsupplytheRemoteFrameBuffer( RFB) ,seeDefiningSystemSettingsonpage76. (RFB) , AMTC onfigurationUtility , , (DNS)resolutiondoneinyournetwork?OnanInt elAMTsystem,thehostplatformandtheIntelAM TdevicebothhaveaFullyQualifiedDomainName (FQDN).TheseFQDN sareusuallythesame, , ,thisishowIntelSCSconfigurestheFQDN( ) PrimaryDNSS uffix , , (IP)addresses?OnanIntelAMTsystem, , , , , , , (seeDefiningHomeDomainsonpage57).Note: Ifyouusethisoption, ,youmightnotbeabletoconnecttotheIntel Youmustmakesurethatyoudefinethedomainnam esexactlyastheyaredefinedinoption15ofthe DHCP servers(on-boardspecificDNSsuffix).Chapt er2 PrerequisitesIntel AMTC onfigurationUtility UserGuide19 GettingStartedChecklistforIntelSCS4 VPND oyouwanttopermitaccesstoIntelAMTviaaVPN? Bydefault,IntelAMTdevicesareconfiguredto blockaccessviaVirtualPrivateNetwork(VPN) snetworkandareconnectedtoitusingVPN, :Aprerequisiteforthissettingistodefineal istofHomeDomains(see item#3inthischecklist).
