The information provided below is based on McAfee ePO Deep Command version 1.5. The new version 2.0 release includes Host Based Configuration, McAfee ePO generated TLS certificates, integrated User Consent for specific boot/reboot operations, and more. These improvements simplify the Intel® AMT configuration experience, enabling a faster path to using the technology solution.
Intel® Setup and Configuration Software (SCS) defines, applies, and helps maintain Intel® Active Management Technology (AMT) configuration profiles. Components of Intel® SCS and the orchestration of Intel® AMT configuration events are among the new features within McAfee ePO Deep Command version 1.5.
This document provides a recommended approach for Intel SCS installation that is secure and compatible with McAfee ePO Deep Command.
The following prerequisites are required for the steps shared in this document:
The core installation and configuration steps in this document include:
Install Intel SCS to Use the Network Service Account
The examples provided in this section use an existing Microsoft Windows 2008 Server that is joined to the domain. Intel SCS will be installed to run via the Network Service Account of the server. The database option of Intel SCS will be included, using a Microsoft SQL 2008 database that is local to the server in this example.
The Intel SCS server component, RCSserver, is now running on the platform. The next three sections further configure Intel SCS settings on the server, followed by defining the infrastructure communication permissions required for an Intel AMT configuration event.
Import Remote Configuration Certificate to the Network Service Account
This section is optional for initial testing, but recommended for production deployments. If you cannot obtain a remote configuration certificate from a public certificate authority, then please consider an alternative AMT configuration method (McAfee recommends host based configuration as the primary alternative to remote configuration).
For production testing and deployment, a certificate from a public CA is recommended. More information on how to obtain a production remote configuration certificate is available at http://www.intel.com/content/www/us/en/remote-support/intel-vpro-certificates.html.
The following steps show an interactive approach to installing the certificate under the Network Service Account. The steps require the PSexec.exe utility, a part of the Microsoft SysInternals download.
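The following script is an added example and is not part of the McAfee or Intel documentation: run inside the Network Service context that PsExec opens, it checks that it really is running as Network Service, validates the remote configuration PFX, and imports it into that account's Personal store. The PFX path and password are placeholders, and the Intel AMT remote configuration EKU OID and "Intel(R) Client Setup Certificate" OU are taken from Intel's published certificate requirements, not from this document.

```powershell
# Added example (not from the McAfee/Intel document). Launch it in the Network Service
# context, for example:
#   psexec -i -u "NT AUTHORITY\NETWORK SERVICE" powershell.exe -ExecutionPolicy Bypass -File Import-RcfgCert.ps1
# Assumptions: placeholder PFX path/password; the EKU OID and OU below come from Intel's
# published remote configuration certificate requirements, not from this document.
param(
    [string]$PfxPath     = 'C:\certs\remote-config.pfx',   # placeholder
    [string]$PfxPassword = 'PLACEHOLDER_PFX_PASSWORD'      # placeholder; use a secure source in production
)

$AmtRemoteConfigOid = '2.16.840.1.113741.1.2.3'          # assumed: Intel AMT remote configuration EKU
$AmtSetupOu         = 'Intel(R) Client Setup Certificate' # assumed: alternative marker in the Subject OU

# 1. Confirm the identity. If this runs as anyone else, the certificate lands in the wrong
#    profile's store and RCSserver (running as Network Service) never sees it.
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($who -ne 'NT AUTHORITY\NETWORK SERVICE') {
    throw "Running as '$who'; expected NT AUTHORITY\NETWORK SERVICE (start this via PsExec)."
}

# 2. Load the PFX with a persistent, per-user key so the private key outlives this session.
$flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]'PersistKeySet,UserKeySet'
$cert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key; remote configuration requires one.' }

# 3. Check the certificate is marked for Intel AMT remote configuration (EKU OID or Subject OU).
$ekus = @($cert.Extensions |
    Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
$hasOid = $ekus -contains $AmtRemoteConfigOid
$hasOu  = $cert.Subject -match [regex]::Escape("OU=$AmtSetupOu")
if (-not ($hasOid -or $hasOu)) {
    throw "Certificate has neither EKU $AmtRemoteConfigOid nor OU '$AmtSetupOu'; it is not a remote configuration certificate."
}

# 4. Import into the Personal (My) store of the current user, i.e. Network Service here.
$store = New-Object Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Write-Host "Imported '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) into the Network Service Personal store."
```

Afterwards, `Get-ChildItem Cert:\CurrentUser\My` from the same PsExec session should list the certificate by thumbprint.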
Configure Intel SCS to Use Digest Master Password
This section is optional, but highly recommended to secure the Intel AMT administrator account.
Each Intel AMT configured system will have a default user account of admin, also referred to as the Intel AMT Admin account. This account cannot be deleted nor disabled within the firmware. This common account represents a security risk, and we recommend that you minimize this risk by giving that common account a unique, random password on each system. You can use the SCS console to create this randomized password by using the Digest Master Password (DMP) feature. The DMP uses a per-session algorithm to calculate a randomized password and stores it within the Intel AMT firmware of each client. The DMP is defined within the Intel SCS console, with up to 8 DMP values possible.
Once DMP is implemented, use of the admin account is effectively eliminated (unless you have administrative access to the Intel SCS console). Instead, administrators must use digest accounts or Kerberos authentication - both of which are discussed below. For a more complete understanding of why we recommend the use of DMP, please refer to this document: http://communities.intel.com/community/vproexpert/blog/2012/09/21/four-reasons-for-using-digest-mast....
The DMP value is set via the Intel SCS console as follows:
Create an Intel AMT Configuration Profile
Profiles within the Intel SCS console define settings to be applied to Intel AMT during a configuration event. This section shows two examples of defining the Intel AMT configuration profile (i.e. AMTprofile). One is based on digest user authentication and is simpler to implement. The other is based on Kerberos user authentication, which requires additional settings for greater security. Choose only one profile example for this section. For initial testing and production, digest user authentication is recommended. For environments requiring Microsoft Active Directory integration, choose the second option. Additional guidance to decide on Digest vs. Kerberos is .
Option 1: Digest User Profile
This profile aligns with the minimal Intel AMT configuration requirements for McAfee ePO Deep Command. The three focus points of a Digest User profile include:
Digest User account with PT Administration Realm access to Intel AMT
Transport Layer Security settings to define what Certificate Authority and Certificate Template will be used.
System Settings to define enabled Intel AMT interfaces, power settings, and network settings
To create this profile, within the Intel SCS console:
Option 2: Use Kerberos
For higher security, and for 802.1x authentication support where needed, AD integration must be included. AD integration requires a Kerberos user to be defined. The Kerberos authentication sequence with Intel AMT requires a secondary domain object representing the target Intel AMT device.
The Kerberos profile creation builds upon the Digest User profile. Ensure the previous sub-section has been completed first.
As a prerequisite to defining AD integration, an Organizational Unit (OU) must be defined in the same Microsoft Active Directory Domain where the Computer objects exist. Commonly referred to as the AMT_OU, this OU stores the Service Principal Objects used for Kerberos authentication to Intel AMT.
The Intel AMT configuration profile is now defined. The next step is to define permissions for the User Logon Account of RCSserver (i.e. the Network Service Account) to communicate with the necessary infrastructure components.
Set Communication Permissions Between Intel SCS and Infrastructure Components
During an Intel AMT configuration event, infrastructure components such as the Microsoft Certificate Authority and Microsoft Active Directory Domain will be contacted to create or modify settings. The configuration event starts with the Intel SCS client component, ACUconfig.exe, which is included as part of the ePO Deep Command Client agent component.
Overview of ACUconfig to RCSserver to Infrastructure Permissions
The following diagram summarizes the events and permissions required for the AMT Configuration Policy within McAfee ePO Deep Command to complete:
Permissions must be defined for communications to RCSserver, the Microsoft Active Directory domain and the Certificate Authority for the events shown above to complete correctly. With RCSserver running under the Network Service Account, the server's computer account (i.e. SCS8$) is the identity used for these contacts.
Validate WMI Namespace Rights to RCSserver
Follow these steps to validate WMI namespace rights to the RCSserver.
NOTE: If Intel SCS is installed on the same server hosting the Microsoft Certificate Authority, the explanation and screenshots above apply as shown. If Intel SCS and the Microsoft Certificate Authority are hosted on separate servers in the same domain, the computer account of the server hosting Intel SCS must be granted the appropriate permissions as shown above. The computer account is the hostname of the server where Intel SCS resides. Ensure the "Computers" object type is selected as shown below.
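As an added example (not from the McAfee or Intel documentation), the following script, run on the Intel SCS server, dumps the DACL of the RCSserver WMI namespace and flags whether a trustee holds the Enable Account, Execute Methods and Remote Enable rights that a remote ACUconfig caller needs. The namespace name root\Intel_RCS and the choice of Domain Computers as the expected trustee (ACUconfig runs as Local System on the client, so it authenticates with the client's computer account) are assumptions, not statements from this document.

```powershell
# Added example (not from the McAfee/Intel document): audit rights on the RCSserver WMI namespace.
# Assumptions: namespace root\Intel_RCS and the required right set are taken from Intel SCS
# documentation, not this document; the expected trustee defaults to Domain Computers.
param(
    [string]$Namespace       = 'root\Intel_RCS',   # assumed RCSserver namespace
    [string]$ExpectedTrustee = 'Domain Computers'  # assumed identity of remote ACUconfig callers
)

# WMI namespace access mask bits (from wbemcli.h / WBEM_SECURITY_FLAGS).
$WBEM_ENABLE         = 0x1
$WBEM_METHOD_EXECUTE = 0x2
$WBEM_REMOTE_ACCESS  = 0x20
$Required = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS

$sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity -ErrorAction SilentlyContinue
if (-not $sec) { throw "Namespace $Namespace not found; is RCSserver installed on this host?" }
$sd = $sec.GetSecurityDescriptor().Descriptor   # Win32_SecurityDescriptor

$rows = foreach ($ace in $sd.DACL) {
    $name = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
    $allow = ($ace.AceType -eq 0)                # Win32_ACE: 0 = Access Allowed, 1 = Access Denied
    New-Object PSObject -Property @{
        Trustee        = $name
        SID            = $ace.Trustee.SIDString
        Type           = if ($allow) { 'Allow' } else { 'Deny' }
        EnableAccount  = [bool]($ace.AccessMask -band $WBEM_ENABLE)
        ExecuteMethods = [bool]($ace.AccessMask -band $WBEM_METHOD_EXECUTE)
        RemoteEnable   = [bool]($ace.AccessMask -band $WBEM_REMOTE_ACCESS)
        Sufficient     = $allow -and (($ace.AccessMask -band $Required) -eq $Required)
    }
}
$rows | Format-Table Trustee, Type, EnableAccount, ExecuteMethods, RemoteEnable, Sufficient -AutoSize

# Fail loudly if nobody matching the expected trustee has all three rights.
if (-not ($rows | Where-Object { $_.Trustee -like "*\$ExpectedTrustee" -and $_.Sufficient })) {
    Write-Warning "No Allow ACE grants Enable Account + Execute Methods + Remote Enable to '$ExpectedTrustee' on $Namespace; remote ACUconfig calls to RCSserver will fail."
}
```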
Configure Intel AMT OU Rights for RCSserver Computer Account
Follow these steps to configure Intel AMT OU Rights for RCSserver computer account.
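The following is an added example (not the McAfee or Intel documentation's own procedure) covering both the AMT_OU prerequisite from the Kerberos section and the rights for the RCSserver computer account described here: it creates the OU if missing and grants the Intel SCS server's computer account the ability to create and delete computer objects in AMT_OU and full control over the computer objects beneath it. The domain DN and server name are placeholders, the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) is assumed, and the exact right set granted is an assumption about what RCSserver needs rather than a statement from this document.

```powershell
# Added example (not from the McAfee/Intel document): create AMT_OU and delegate it to the
# Intel SCS server's computer account. Assumptions: placeholder domain DN and server name;
# the ActiveDirectory module is available; the rights granted are assumed, not from this document.
Import-Module ActiveDirectory

$DomainDn  = 'DC=example,DC=local'   # placeholder
$OuName    = 'AMT_OU'                # OU name used in the document
$ScsServer = 'SCS8'                  # Intel SCS server hostname (SCS8$ in the document)
$OuDn      = "OU=$OuName,$DomainDn"

# 1. Create the OU in the same domain as the computer objects, if it does not already exist.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 2. RCSserver runs as Network Service, so the identity contacting AD is the server's own
#    computer account; resolve its SID.
$sid = (Get-ADComputer -Identity $ScsServer).SID

# Well-known schemaIDGUID of the 'computer' object class.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$OuDn"
# Create/delete computer objects directly in AMT_OU (one per configured Intel AMT device).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $computerClass, $inh::None)))
# Full control over those computer objects (SPNs, password, attributes) once created.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::GenericAll, $allow, $inh::Descendents, $computerClass)))
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 3. Read back the ACEs that apply to the SCS server's account as a verification step.
$account = "$((Get-ADDomain).NetBIOSName)\$ScsServer`$"
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```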
Configure Certificate Template and Certificate Server Rights
In this document, a Stand-Alone CA server is running on the same platform where RCSserver is loaded. The Network Service account will already have the necessary rights in most situations. If the Microsoft CA server is running on a system separate from where RCSserver (i.e. the Intel SCS server component) is located, the server computer object must be granted the rights and permissions as shown below.
The infrastructure permissions are now defined to allow the Intel AMT Configuration events with RCSserver running under the Network Service Account.
Note: There are many ways to configure Intel AMT hardware. This document references a method known as remote configuration. This requires the use of an SSL certificate. While this is recommended for production deployments, you might consider an alternative configuration method for test environments. McAfee recommends using the host based configuration method for test or proof-of-concept environments.