Announcement: McAfee ePO Deep Command 2.0 Released June 25th!
The information provided below is based on McAfee ePO Deep Command version 1.5. The new version 2.0 release includes Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot/reboot operations, and more. The improvements simplify the Intel® AMT configuration experience, enabling a faster path to using the technology solution.
Intel® Setup and Configuration Software (SCS) defines, applies, and helps maintain Intel® Active Management Technology (AMT) configuration profiles. The Intel® SCS components and the orchestration of Intel® AMT configuration events are among the new features within McAfee ePO Deep Command version 1.5.
This document provides a recommended approach for Intel SCS installation that is secure and compatible with McAfee ePO Deep Command.
The following prerequisites are required for the steps shared in this document:
- Microsoft Active Directory environment with Intel AMT capable systems joined to domain
- Microsoft Active Directory domain administrator privileges
- Microsoft Certificate Authority with Web Enrollment enabled (Note: Requires Microsoft IIS)
- Download of Intel SCS, available via McAfee ePO Software Manager or http://www.intel.com/go/scs
- Microsoft Windows Server joined to domain to host Intel SCS
- Optional but recommended: Microsoft SQL Server 2003 or higher installed
- Download of Microsoft PStools, specifically PSexec, available at http://technet.microsoft.com/en-us/sysinternals/bb897553
The core installation and configuration steps in this document include:
- Install Intel SCS to use the Network Service Account
- Import Remote Configuration Certificate to the Network Service Account
- Configure Intel SCS to use Digest Master Password
- Create an Intel AMT Configuration Profile
- Configure communication permissions between Intel SCS and infrastructure components
- Update McAfee ePO Console Settings
- Apply and validate the Intel AMT Configuration Profile
Install Intel SCS to Use the Network Service Account
The examples provided in this section use an existing Microsoft Windows 2008 Server that is joined to the domain. Intel SCS will be installed to run via the Network Service Account of the server. The database option of Intel SCS will be included, using a Microsoft SQL 2008 database that is local to the server in this example.
- Extract the downloaded Intel SCS package to the local system
- Navigate to the RCS directory of the extracted files and run IntelSCSInstaller.exe
- Use the default selection of Intel SCS components
- At the next screen, accept the Intel SCS License Agreement
- When prompted for service account, type Network Service and leave the password blank
- Click Next
- On the database properties screen, specify your preferred Database Server and Database Name. The default Database Name is IntelSCS
- Click Next
- Specify whether to use Windows Integrated Security (i.e. the currently logged-in user) or SQL Standard Security (i.e. an account in SQL Server) to connect and create the IntelSCS database
- Click Next
- Accept the default of the SQL Server user account that will be used for operation. This is the Network Service account of the system where the Intel SCS server component (i.e. RCSserver) is installed
- Click Next
- A prompt will appear indicating that the specified account (i.e. Network Service) will be added as an explicit login. Click Yes to accept
- Click Next
- Click Install to complete the installation
- Click Finish to start the service and open the Intel SCS Console
- Validate that the RCSserver service has started with Network Service as the logon account
The Intel SCS server component, RCSserver, is now running on the platform. The next three sections further configure Intel SCS settings on the server, followed by defining the infrastructure communication permissions required for an Intel AMT configuration event.
Import Remote Configuration Certificate to the Network Service Account
This section is optional for initial testing, but recommended for production deployments. If you cannot obtain a remote configuration certificate from a public certificate authority, then please consider an alternative AMT configuration method (McAfee recommends host based configuration as the primary alternative to remote configuration).
For production testing and deployment, a certificate from a public CA is recommended. More information on how to obtain a production remote configuration certificate is available at http://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html.
The following steps show an interactive approach to installing the certificate under the Network Service Account. The steps require the PSexec.exe utility, a part of the Microsoft SysInternals download.
- Copy the Remote Configuration PFX and PSexec files to the server hosting Intel SCS
- Instructions on obtaining a remote configuration certificate are available here: http://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html
- PSexec available here http://technet.microsoft.com/en-us/sysinternals/bb897553
- Open a command prompt with elevated privileges by right clicking and selecting "Run As Administrator"
- Using the PSexec utility, type psexec -i -u "NT Authority\Network Service" cmd.exe
- A new command prompt will appear. Type whoami to confirm user context is Network Service
- Type certmgr.msc to load the certificate manager for the current user
- Import the PFX file according to section 5.3 of the Intel SCS Deployment Guide
- The Remote Configuration Certificate is now loaded into Personal Certificate Store of the Network Service Account. The Network Service Account is the logon account for RCSserver, the server component of Intel SCS.
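The same import can be scripted so that it is repeatable and leaves an audit trail of what landed in the Network Service store. The following PowerShell script is an added example, not part of the original document or of Intel's or McAfee's tooling. It writes a small helper script to disk and launches it under NT AUTHORITY\Network Service with PSexec, exactly as the manual steps above do; the helper prompts for the PFX password interactively so the secret never appears on a command line or in a process listing. The PFX path C:\Temp\RemoteConfig.pfx and the helper location are placeholders, and both must be readable by the Network Service account.

```powershell
# Added example: import the remote configuration PFX into the Network Service
# account's Personal (My) store and list the store contents afterwards.
# Assumptions: run from an elevated prompt; PSexec.exe is on PATH; the PFX is at
# C:\Temp\RemoteConfig.pfx (placeholder) and readable by Network Service.

$HelperPath = 'C:\Temp\Import-RcsCert.ps1'   # placeholder; Network Service must be able to read it

# This block runs *as Network Service*, so Cert:\CurrentUser\My is that account's store,
# which is the store RCSserver reads because Network Service is its logon account.
$Helper = @'
$pfx = 'C:\Temp\RemoteConfig.pfx'
"Running as: $(whoami)"
$pwd = Read-Host -Prompt 'PFX password' -AsSecureString
# PersistKeySet keeps the private key on disk; UserKeySet stores it in this account's profile
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'PersistKeySet,UserKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx, $pwd, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
"Imported: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"
# Show what the store now holds; HasPrivateKey must be True for the imported entry
Get-ChildItem Cert:\CurrentUser\My |
    Format-Table Subject, Thumbprint, HasPrivateKey, NotAfter -AutoSize
Read-Host 'Press Enter to close this window'
'@

Set-Content -Path $HelperPath -Value $Helper -Encoding ASCII
try {
    # -i gives the Network Service process an interactive window for the password prompt;
    # -u with no password is the same technique the manual steps use with cmd.exe.
    & psexec.exe -i -u 'NT AUTHORITY\Network Service' powershell.exe -NoProfile -ExecutionPolicy Bypass -File $HelperPath
} finally {
    Remove-Item -Path $HelperPath -ErrorAction SilentlyContinue
}
```

After the window closes, restart the RCSserver service so it re-reads its store, and keep the PFX file off the server (or in a protected location) once the import has succeeded.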
Configure Intel SCS to Use Digest Master Password
This section is optional, but highly recommended to secure the Intel AMT administrator account.
Each Intel AMT configured system will have a default user account of admin, also referred to as the Intel AMT Admin account. This account cannot be deleted nor disabled within the firmware. This common account represents a security risk and we recommend that you minimize this risk by giving that common account a unique, random password on each system. You can use the SCS console to create this randomized password by using the Digest Master Password (DMP) feature. The DMP uses a per-session algorithm to calculate a randomized password and stores it within the Intel AMT firmware of each client. The DMP is defined within the Intel SCS console, with up to 8 DMP values possible.
Once DMP is implemented, use of the admin account is effectively eliminated (unless you have administrative access to the Intel SCS console). Instead, administrators must use digest accounts or Kerberos authentication, both of which are discussed below. For a more complete understanding of why we recommend the use of DMP, please refer to this document: http://communities.intel.com/community/vproexpert/blog/2012/09/21/four-reasons-for-using-digest-master-passwords-with-intel-scs/.
The DMP value is set via the Intel SCS console as follows:
- Click on Tools > Settings
- Select the Security Settings tab
- Click Set… and enter the DMP for your environment
- Click OK twice to save the settings
Create an Intel AMT Configuration Profile
Profiles within the Intel SCS console define settings to be applied to Intel AMT during a configuration event. This section shows two examples of defining the Intel AMT configuration profile (i.e. AMTprofile). One is based on digest user authentication and is simpler to implement. The other is based on Kerberos user authentication, which requires additional settings for greater security. Choose only one profile example for this section. For initial testing and production, digest user authentication is recommended. For environments requiring Microsoft Active Directory integration, choose the second option. Additional guidance to decide on Digest vs. Kerberos is available here.
Option 1: Digest User Profile
This profile aligns with the minimal Intel AMT configuration requirements for McAfee ePO Deep Command. The three focus points of a Digest User profile include:
- Digest User account with PT Administration Realm access to Intel AMT
- Transport Layer Security settings to define what Certificate Authority and Certificate Template will be used
- System Settings to define enabled Intel AMT interfaces, power settings, and network settings
To create this profile, within the Intel SCS console:
- Click the "plus" button to create a new profile
- Provide a name for the profile (i.e. AMTprofile) and click Next
- For the Optional Settings, select Access Control List (ACL) and Transport Layer Security (TLS)
- Click Next to define the ACL and TLS settings
- In the Access Control List section, click Add
- Provide a username and password as shown below (e.g. ePO_DC)
- Select the PT Administration Realm
- Click OK to save the User\Group Details setting
- In the Transport Layer Security section, select the internal Microsoft Certificate Authority to be used for issuing certificates for Intel AMT devices. The example below shows Stand-Alone CA will be used.
- On the System Setting page, enter the desired values similar to the following example. If the Digest Master Password was enabled earlier, the third option for Intel® AMT admin user password will appear.
- Click Next and save the profile settings
Option 2: Use Kerberos
For higher security and support of 802.1x authentication if needed, AD Integration must be included. AD integration will require a Kerberos user to be defined. The Kerberos authentication sequence with Intel AMT requires a secondary domain object representing the target Intel AMT device.
The Kerberos profile creation builds upon the Digest User profile. Ensure the previous sub-section has been completed first.
As a prerequisite to defining AD integration, an Organizational Unit (OU) must be defined in the same Microsoft Active Directory Domain where the Computer objects exist. Commonly referred to as the AMT_OU, this OU stores the Service Principal Objects used for Kerberos authentication to Intel AMT.
- Create a new OU for Intel AMT objects. The example below is the Server Manager of the Microsoft Active Directory domain controller.
- Right click on the domain, select New, and Organizational Unit.
- When defining the AMTprofile in Intel SCS console, select Active Directory Integration.
- On the AD Integration configuration option, select the newly created OU. In the example below, Intel AMT objects will be added to the AMT_OU container of the ENT Domain.
- When defining the Access Control List, at least one Active Directory User\Group must be added. In the example below, the ENT Domain Admins have already been added
- To add an additional group or user, use the Add and Browse buttons to locate the desired selection.
- For McAfee ePO Deep Command, the designated group or user must have PT Administrator access to the Intel AMT Realms.
- Complete the Intel AMT configuration profile creation similar to the previous Digest User example, except as noted for AD Integration and Access Control List
- Note: With AD integration enabled, an object with the same name will appear in the Intel AMT OU as shown below
The Intel AMT configuration profile is now defined. The next step is to define permissions for the User Logon Account of RCSserver (i.e. Network Service Account) to communicate with the necessary infrastructure components.
Set Communication Permissions Between Intel SCS and Infrastructure Components
During an Intel AMT configuration event, infrastructure components such as the Microsoft Certificate Authority and Microsoft Active Directory Domain will be contacted to create or modify settings. The configuration event starts with the Intel SCS client component, ACUconfig.exe, which is included as part of the ePO Deep Command Client agent component.
Overview of ACUconfig to RCSserver to Infrastructure Permissions
The following diagram summarizes the events and permissions required for the AMT Configuration Policy within McAfee ePO Deep Command to complete:
- ACUconfig starts and must have elevated execution rights to interface with HECI.sys, the Intel AMT kernel mode driver on the system
- ACUconfig contacts the server where RCSserver is running. This is defined by the RCS Manager agent plugin. ACUconfig must have appropriate WMI namespace and DCOM access rights.
- If AD Integration is defined in the Intel AMT Configuration profile, the logon account of RCSserver contacts the domain named in the profile to modify objects in the Intel AMT OU container. This action requires appropriate access rights for the RCSserver logon account.
- With TLS defined in the Intel AMT Configuration profile, the logon account of RCSserver contacts the defined Microsoft Certificate Authority to request a TLS WebServer certificate for the Intel AMT client.
Permissions must be defined for communications to RCSserver, the Microsoft Active Directory domain and the Certificate Authority for the events shown above to complete correctly. Because RCSserver runs under the Network Service Account, its contacts with remote systems are made using the server's computer account (i.e. SCS8$).
Validate WMI Namespace Rights to RCSserver
Follow these steps to validate WMI namespace rights to the RCSserver.
- On the system running RCSserver, open wmimgmt.msc
- Right click WMI control and select Properties
- In the WMI control properties window, select security
- Validate the Network Service Account has Execute Methods, Full Write, and Remote Enable WMI rights to Intel_RCS namespace
- Note: If using Digest Master Passwords, ensure same access to Intel_RCS_Master_Password namespace
- The Intel SCS installation sets up the necessary rights. The step above validates them and familiarizes you with this security setting for future reference.
NOTE: If Intel SCS is installed on the same server hosting the Microsoft Certificate Authority, the above explanation and screenshots apply as-is. If Intel SCS and the Microsoft Certificate Authority are hosted on separate servers in the same domain, the computer account of the server hosting Intel SCS must be granted the appropriate permissions as shown above. The computer account is the hostname of the server where Intel SCS resides. Ensure the "Computers" object type is selected as shown below.
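The wmimgmt.msc check above can be repeated from a script, which is useful when the namespace security is reviewed periodically or across several RCSserver hosts. The following PowerShell function is an added example, not part of the original document or of Intel's or McAfee's tooling. It reads the namespace security descriptor through the __SystemSecurity WMI class and reports whether NT AUTHORITY\NETWORK SERVICE (well-known SID S-1-5-20) holds the three rights named above. It assumes the Intel SCS namespaces are root\Intel_RCS and root\Intel_RCS_Master_Password; the access-mask bit values are the standard WMI namespace permission bits, not values taken from the page.

```powershell
# Added example: verify the WMI namespace rights the guide requires for Network Service.
# Assumptions: run elevated on the RCSserver host; namespace paths root\Intel_RCS and
# root\Intel_RCS_Master_Password (the names the guide uses, assumed to sit under root).

function Test-RcsNamespaceRights {
    param(
        [string]$Namespace  = 'root\Intel_RCS',
        [string]$TrusteeSid = 'S-1-5-20'        # NT AUTHORITY\NETWORK SERVICE
    )
    # WMI namespace access mask bits, as shown in the WMI Control "Security" dialog
    $Required = @{
        'Execute Methods' = 0x2     # WBEM_METHOD_EXECUTE
        'Full Write'      = 0x4     # WBEM_FULL_WRITE_REP
        'Remote Enable'   = 0x20    # WBEM_REMOTE_ACCESS
    }

    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with code $($result.ReturnValue)"
    }

    # Fold all ACEs for the trustee: allow bits accumulate, deny bits (AceType 1) take precedence
    $allowed = 0; $denied = 0
    foreach ($ace in $result.Descriptor.DACL) {
        if ($ace.Trustee.SIDString -ne $TrusteeSid) { continue }
        switch ($ace.AceType) {
            0 { $allowed = $allowed -bor $ace.AccessMask }   # ACCESS_ALLOWED_ACE
            1 { $denied  = $denied  -bor $ace.AccessMask }   # ACCESS_DENIED_ACE
        }
    }
    $effective = $allowed -band (-bnot $denied)

    $missing = @($Required.GetEnumerator() |
        Where-Object { ($effective -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key })

    New-Object PSObject -Property @{
        Namespace     = $Namespace
        Trustee       = $TrusteeSid
        EffectiveMask = ('0x{0:X}' -f $effective)
        Missing       = ($missing -join ', ')
        Ok            = ($missing.Count -eq 0)
    }
}

# Check both namespaces the guide mentions (the second matters when DMP is in use)
Test-RcsNamespaceRights -Namespace 'root\Intel_RCS' | Format-List
Test-RcsNamespaceRights -Namespace 'root\Intel_RCS_Master_Password' | Format-List
```

A non-empty Missing value means the ACUconfig-to-RCSserver call will be rejected at the WMI layer; fix it in wmimgmt.msc as described above rather than by loosening the namespace to Everyone. To test the DCOM side of the same connection, run the function from a remote host with -ComputerName and the RCSserver credentials rather than locally.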
Configure Intel AMT OU Rights for RCSserver Computer Account
Follow these steps to configure Intel AMT OU Rights for RCSserver computer account.
- In the Server Manager screen of the Domain Controller, select the desired domain
- Enable the Advanced Features via the View menu option
- Right click on the Intel AMT OU (i.e. AMT_OU) and select Properties.
- Click on the Security tab
- Add the Computer Name of the server running RCSserver. In the example below, SCS8$ is the computer account.
- Note: The default Object Types do not include Computers. In the example below, the Computers object must be enabled for the selection option.
- Allow Read, Write, Create all child objects, and Delete all child objects
- Click Apply and close the Intel AMT OU Properties window
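Once the OU permissions have been applied, they can be confirmed without opening the Security tab. The following PowerShell function is an added example, not part of the original document or of Intel's or McAfee's tooling. It uses the ActiveDirectory module's AD: drive to read the OU's security descriptor and checks that the RCSserver computer account holds the four rights granted above. The OU distinguished name and domain component are placeholders; ENT\SCS8$ is the example computer account from this document.

```powershell
# Added example: confirm the RCSserver computer account has Read, Write,
# Create all child objects and Delete all child objects on the Intel AMT OU.
# Assumptions: ActiveDirectory module (RSAT) installed; the caller may read the
# OU's security descriptor; DN and account below are placeholders for your domain.

Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl

function Test-AmtOuRights {
    param(
        [string]$OuDn    = 'OU=AMT_OU,DC=ent,DC=example',   # placeholder DN
        [string]$Account = 'ENT\SCS8$'                      # computer account of the RCSserver host
    )
    $acl = Get-Acl -Path ('AD:\' + $OuDn)

    # The four Security-tab entries from the guide, as .NET ActiveDirectoryRights masks
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $Required = @{
        'Read'                     = [int]$rights::GenericRead
        'Write'                    = [int]$rights::GenericWrite
        'Create all child objects' = [int]$rights::CreateChild
        'Delete all child objects' = [int]$rights::DeleteChild
    }

    $allow = 0; $deny = 0
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        # "all child objects" means an ACE not scoped to one object class; class-scoped
        # ACEs (ObjectType set) are narrower than the guide asks for, so they are ignored.
        if ($ace.ObjectType -ne [Guid]::Empty) { continue }
        $mask = [int]$ace.ActiveDirectoryRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                    { $deny  = $deny  -bor $mask }
    }
    $effective = $allow -band (-bnot $deny)

    $missing = @($Required.GetEnumerator() |
        Where-Object { ($effective -band $_.Value) -ne $_.Value } |
        ForEach-Object { $_.Key })

    New-Object PSObject -Property @{
        OU            = $OuDn
        Account       = $Account
        EffectiveMask = ('0x{0:X}' -f $effective)
        Missing       = ($missing -join ', ')
        Ok            = ($missing.Count -eq 0)
    }
}

Test-AmtOuRights | Format-List
```

Because the account is a computer object, the check will report everything as missing if the ACE was added as a user or group by mistake (the "Computers" object type not being enabled, as noted above); the IdentityReference of the ACE will then not match the trailing $ of the account name.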
Configure Certificate Template and Certificate Server Rights
In this document, a Stand-Alone CA server is running on the same platform where RCSserver is loaded. The Network Service account will already have the necessary rights in most situations. If the Microsoft CA server is running on a system separate from where RCSserver (i.e. the Intel SCS server component) is located, the server computer object must be granted the rights and permissions as shown below.
- For the Certificate Template selected during the Intel AMT Profile Configuration settings, the designated account must be granted Read and Enroll permissions
- Note: The example below shows Network Service has the appropriate permissions, since RCSserver is running on the same server where the Microsoft Stand-Alone Certificate Authority is installed. If a separate server is used, the computer account host$ (i.e. scs8$) would be shown instead.
- The RCSserver logon account or computer object must be granted the following rights to the certificate server
- Issue and Manage Certificates
- Request Certificates
- Right click on the Certificate Server listed in Server Manager. In this example, IntelAMTCerts is the Stand-Alone Certificate server name.
- Click the Security tab, select or add the designated logon account or computer object.
- Select the required permissions
The infrastructure permissions are now defined to allow the Intel AMT Configuration events with RCSserver running under the Network Service Account.
Note: There are many ways to configure Intel AMT hardware. This document references a method known as remote configuration. This requires the use of an SSL certificate. While this is recommended for production deployments, you might consider an alternative configuration method for test environments. McAfee recommends using the host based configuration method for test or proof-of-concept environments.