
Intel Active Management Technology

Article snapshot taken from Wikipedia under the Creative Commons Attribution-ShareAlike license.

In systems management, out-of-band management (OOB; also lights-out management or LOM) is a process for accessing and managing devices and infrastructure at remote locations through a separate management plane from the production network. OOB allows a system administrator to monitor and manage servers and other network-attached equipment by remote control regardless of whether the machine is powered on or whether an OS is installed or functional. It is contrasted with in-band management, which requires the managed systems to be powered on and available over their operating system's networking facilities.


Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems. Out-of-band (OOB) or hardware-based management is different from software-based (or in-band) management and software management agents. Hardware-based management works at

A developer's toolkit software package that allows basic access to iAMT, but is not intended for normal use in accessing the technology. Only basic modes of access are supported, without full access to the encrypted communications of the complete purchased management system. Intel AMT includes hardware-based remote management, security, power management, and remote configuration features that enable independent remote access to AMT-enabled PCs. Intel AMT

A DVD drive, or disk images, from the remote machine. If necessary, this allows one to perform remote installation of the operating system. Remote management can be used to adjust BIOS settings that may not be accessible after the operating system has already booted. Settings for hardware RAID or RAM timings can also be adjusted, as the management card needs no hard drives or main memory to operate. As management via serial port has traditionally been important on servers,

A Remote Elevation of Privilege bug (CVE-2017-5689, INTEL-SA-00075) in its Management Technology on May 1, 2017. Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017, has a remotely exploitable security hole in the ME. Some manufacturers, like Purism and System76, are already selling hardware with the Intel Management Engine disabled to prevent

A VAR might bundle a software application with supplied hardware. The added value can come from professional services such as integrating, customizing, consulting, training and implementation. The value can also be added by developing a specific application for the product designed for the customer's needs, which is then resold as a new package. VARs incorporate platform software into their own software product packages. The term

A common Ethernet connection becomes shared between the computer's operating system and the integrated baseboard management controller (BMC), usually by configuring the network interface controller (NIC) to filter Remote Management Control Protocol (RMCP) ports, to use a separate MAC address, or to use a virtual LAN (VLAN). Thus, the out-of-band nature of the management traffic is ensured in

A complete remote management system also allows interfacing with the server through a serial over LAN cable. As sending monitor output through the network is bandwidth intensive, cards like AMI's MegaRAC use built-in video compression (versions of VNC are often used in implementing this). Devices like Dell DRAC also have a slot for a memory card where an administrator may keep server-related information independently from

A different level from software applications and uses a communication channel (through the TCP/IP stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or a locally installed management agent. Hardware-based management has been available on Intel/AMD-based computers in

A firmware update to patch the vulnerability for some of the affected devices. While some protocols for in-band remote management use a secured network communication channel (for example Secure Shell), others are not secured. Thus some businesses have had to choose between having a secure network and allowing IT to use remote management applications without secure communications to maintain and service PCs. Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1X, Preboot Execution Environment (PXE), Cisco Self-Defending Network, and Microsoft NAP. All AMT features are available in

A non-optional part in all current (as of 2015) Intel chipsets. Starting with ME 11, it is based on the Intel Quark x86-based 32-bit CPU and runs the MINIX 3 operating system. The ME state is stored in a partition of the SPI flash, using the Embedded Flash File System (EFFS). Previous versions were based on an ARC core, with the Management Engine running the ThreadX RTOS from Express Logic. Versions 1.x to 5.x of

A partially independent power supply and can switch the main machine on and off through the network. Because a special device is required for each machine, out-of-band management can be much more expensive. Serial consoles are an in-between case: they are technically OOB, as they do not require the primary network to be functioning for remote administration. However, without special hardware, a serial console cannot configure



A reboot to recover. An older version of out-of-band management is a layout involving the availability of a separate network that allows network administrators to get command-line interface access over the console ports of network equipment, even when those devices are not forwarding any payload traffic. If a location has several network devices, a terminal server can provide access to different console ports for direct CLI access. In case there

A remote management card (while some cards only support a limited list of motherboards). Newer server motherboards often have built-in remote management and need no separate management card. Internally, Ethernet-based out-of-band management can either use a dedicated separate Ethernet connection, or some kind of traffic multiplexing can be performed on the system's regular Ethernet connection. That way,

A secure communication tunnel between a wired PC and an IT console outside the corporate firewall. In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication. The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there

A secure network environment. With Intel AMT in the secure network environment: Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in. The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware), BIOS, and protected memory. The plug-in and trust agent can store

A shared-connection scenario, as the system configures the NIC to extract the management traffic from the incoming traffic flow at the hardware level, and to route it to the BMC before it reaches the host and its operating system. Both in-band and out-of-band management are usually done through a network connection, but an out-of-band management card can use a physically separated network connector if preferred. A remote management card usually has at least

Is brought up. It does not allow management of remote network components independently of the current status of other network components. A classic example of this limitation is when a sysadmin attempts to reconfigure the network on a remote machine only to find themselves locked out and unable to fix the problem without physically going to the machine. Despite these limitations, in-band solutions are still common because they are simpler and much lower-cost. A complete remote management system allows remote reboot, shutdown, and powering on; hardware sensor monitoring (fan speed, power voltages, chassis intrusion, etc.); broadcasting of video output to remote terminals and receiving input from a remote keyboard and mouse (KVM over IP). It also can access local media like

Is designed for client computing systems as compared with the typically server-based IPMI. Currently, AMT is available in desktops, servers, ultrabooks, tablets, and laptops with the Intel Core vPro processor family, including Intel Core i5, Core i7, Core i9, and the Intel Xeon E3-1000, Xeon E, and Xeon W-1000 product families. AMT also requires an Intel networking card and the corporate version of the Intel Management Engine binary. Intel confirmed

Is no on-site proxy server or management appliance. Technology that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure be in place, including support from IT consoles and firewalls. An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for

Is now considered an essential network component to ensure business continuity, and many manufacturers have it as a product offering. By contrast, in-band management through VNC or SSH is based on in-band connectivity (the usual network channel). It typically requires software that must be installed on the remote system being managed and only works after the operating system has been booted and networking

Is often used in the computer industry, where a company purchases computer components and builds (for example) a fully operational personal computer system usually customized for a specific task (such as non-linear video editing). By doing this, the company has added value above the cost of the individual computer components. Customers would purchase the system from the reseller if they lacked



Is only one or just a few network devices, some of them provide AUX ports making it possible to connect a dial-in modem for direct CLI access. The mentioned terminal server can often be accessed via a separate network that does not use managed switches and routers for a connection to the central site, or it has a modem connected via dial-in access through POTS or ISDN. Remote management can be enabled on many computers (not necessarily only servers) by adding

Is security and management technology that is built into PCs with Intel vPro technology. Intel AMT uses a hardware-based out-of-band (OOB) communication channel that operates regardless of the presence of a working operating system. The communication channel is independent of the PC's power state, the presence of a management agent, and the state of many hardware components such as hard disk drives and memory. Most AMT features are available OOB, regardless of PC power state. Other features require

The AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS has crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed. Because the software that implements AMT exists outside of the operating system, it is not kept up-to-date by the operating system's normal update mechanism. Security defects in

The AMT software can therefore be particularly severe, as they remain exploitable long after they have been discovered and become known to potential attackers. On May 1, 2017, Intel announced a critical vulnerability in AMT (CVE-2017-5689, INTEL-SA-00075). According to Intel's advisory, "The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies". Intel announced partial availability of
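The two passages above name CVE-2017-5689 but not its mechanism. Public analyses of the flaw (the Embedi and Tenable write-ups) describe it as an HTTP Digest authentication bug: the firmware compared the client's `response` value against the one it computed using a length taken from the client's own string, so a request carrying `response=""` was accepted. The following is an added Python illustration of that comparison flaw and its fix, written for this page; it is not Intel's firmware code, and the challenge header, username, password and URI are constructed sample values.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed sample in the shape of the WWW-Authenticate challenge AMT's web
# server returns on TCP 16992 (realm and nonce values are made up for this example).
SAMPLE_CHALLENGE = (
    'Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    'nonce="MTQ5MzYyNjQ4NDpkZWFkYmVlZg==", stale="false", qop="auth"'
)


def parse_challenge(header: str) -> Dict[str, str]:
    """Parse the key="value" pairs of a WWW-Authenticate: Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {k: v for k, v in re.findall(r'(\w+)="([^"]*)"', params)}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, realm, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def vulnerable_check(expected: str, supplied: str) -> bool:
    """Mirrors strncmp(expected, supplied, strlen(supplied)) == 0.

    The comparison length is chosen by the client, so an empty response
    compares equal to anything, and any correct prefix also passes.
    """
    n = len(supplied)
    return expected[:n] == supplied[:n]


def fixed_check(expected: str, supplied: str) -> bool:
    """Require the full 32-hex-digit response and compare in constant time."""
    return len(supplied) == 32 and hmac.compare_digest(expected, supplied)


def recover_via_prefix_oracle(expected: str) -> str:
    """Second consequence of the flaw: a yes/no oracle on the vulnerable check
    leaks the valid response one hex digit at a time (at most 16 * 32 tries).
    Here the oracle is the local function; against a server it would be
    one HTTP request per guess."""
    found = ""
    while len(found) < 32:
        for digit in "0123456789abcdef":
            if vulnerable_check(expected, found + digit):
                found += digit
                break
        else:
            raise RuntimeError("no digit matched; oracle is not prefix-based")
    return found


def demo() -> Dict[str, bool]:
    ch = parse_challenge(SAMPLE_CHALLENGE)
    good = digest_response("admin", "P@ssw0rd", "GET", "/index.htm",
                           ch["realm"], ch["nonce"], "00000001", "0a4f113b")
    return {
        "empty_passes_vulnerable": vulnerable_check(good, ""),
        "empty_passes_fixed": fixed_check(good, ""),
        "good_passes_fixed": fixed_check(good, good),
        "oracle_recovers": recover_via_prefix_oracle(good) == good,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix has two parts: the server must decide the comparison length (the response is always 32 hex digits), and the comparison must not stop at the first mismatching byte, which is what `hmac.compare_digest` provides.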

The IT console. As delivery and deployment models evolve, AMT can now be deployed over the Internet, using both "Zero-Touch" and Host-Based methods. PCs can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. The setup and configuration process may vary depending on the OEM build. AMT includes a Privacy Icon application, called IMSS, that notifies

The Intel website. All access to the Intel AMT features is through the Intel Management Engine in the PC's hardware and firmware. AMT communication depends on the state of the Management Engine, not the state of the PC's OS. As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware. Because it is based on the TCP/IP stack, remote communication with AMT occurs via

The ME used the ARCTangent-A4 (32-bit only instructions) whereas versions 6.x to 8.x used the newer ARCompact (mixed 32- and 16-bit instruction set architecture). Starting with ME 7.1, the ARC processor could also execute signed Java applets. The ME shares the same network interface and IP address as the host system; packets arriving on TCP ports 16992–16995 (and, where those services are enabled, 623/664 for ASF/RMCP and 5900 for the embedded VNC server) are diverted to the ME before the host operating system sees them, so host-based firewalls and packet captures do not observe AMT traffic. Support exists in various Intel Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP). The ME also communicates with
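The shared-NIC steering described in the out-of-band management paragraphs (RMCP port filtering, a separate MAC address, or a management VLAN) and in the port list just above is a per-frame decision made in the NIC. The following added Python example, written for this page and not taken from any NIC firmware or driver, models that decision: it decodes an Ethernet frame with an optional 802.1Q tag, reads the IPv4 protocol and destination port, and returns whether the frame goes to the BMC/ME or to the host. The port sets are taken from the text and Intel's AMT port documentation; the management VLAN number and the sample frames are constructed for the example.

```python
import struct
from typing import Optional

# TCP ports the ME claims on the shared NIC: 16992-16995 from the text above,
# plus 5900 (embedded VNC) from Intel's AMT port documentation, assumed enabled.
AMT_TCP_PORTS = frozenset({16992, 16993, 16994, 16995, 5900})
# ASF/RMCP management ports (UDP).
RMCP_UDP_PORTS = frozenset({623, 664})
MANAGEMENT_VLAN = 100  # hypothetical VLAN reserved for management traffic

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet (optional 802.1Q tag), IPv4, and the L4 destination port.

    Returns {"vlan": int|None, "proto": int|None, "dst_port": int|None}.
    Raises ValueError for truncated or non-IPv4 IP headers.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        return {"vlan": vlan, "proto": None, "dst_port": None}  # ARP, IPv6, ...
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = frame[offset]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    proto = frame[offset + 9]
    l4 = offset + ihl
    dst_port = None
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(frame) < l4 + 4:
            raise ValueError("truncated L4 header")
        dst_port = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return {"vlan": vlan, "proto": proto, "dst_port": dst_port}


def steer(frame: bytes) -> str:
    """Return "BMC" if the NIC should divert the frame to the management
    controller before the host sees it, otherwise "HOST"."""
    info = parse_frame(frame)
    if info["vlan"] == MANAGEMENT_VLAN:
        return "BMC"
    if info["proto"] == PROTO_TCP and info["dst_port"] in AMT_TCP_PORTS:
        return "BMC"
    if info["proto"] == PROTO_UDP and info["dst_port"] in RMCP_UDP_PORTS:
        return "BMC"
    return "HOST"


def build_frame(dst_port: int, proto: int = PROTO_TCP, vlan: Optional[int] = None) -> bytes:
    """Constructed sample frame (not a real capture): Ethernet/[802.1Q]/IPv4/TCP|UDP."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16  # src port, dst port, padding
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return eth + ip + l4


if __name__ == "__main__":
    for label, f in [("https", build_frame(443)), ("amt-http", build_frame(16992)),
                     ("rmcp", build_frame(623, PROTO_UDP)),
                     ("mgmt-vlan", build_frame(8080, vlan=MANAGEMENT_VLAN))]:
        print(f"{label}: {steer(f)}")
```

The point for a defender is the "BMC" branch: anything matched there never reaches the host's firewall, packet capture or intrusion detection, so visibility of AMT traffic has to come from the network side (span ports, switch ACLs, or a dedicated management connector) rather than from the host.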

The PC below the OS level, security for the AMT features is a key concern. Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password. Security technologies that protect access to

The PC down the wire, to remotely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it. AMT is designed into a service processor located on the motherboard and uses TLS-secured communication and strong encryption to provide additional security. AMT is built into PCs with Intel vPro technology and is based on the Intel Management Engine (ME). AMT has moved towards increasing support for DMTF Desktop and mobile Architecture for System Hardware (DASH) standards, and AMT Release 5.1 and later releases are an implementation of DASH version 1.0/1.1 standards for out-of-band management. AMT provides similar functionality to IPMI, although AMT

The PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational/networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state. Once AMT is disabled, to enable AMT again, an authorized sys-admin can reestablish


The PC is powered up. Intel AMT supports these management tasks: From major version 6, Intel AMT embeds a proprietary VNC server for out-of-band access using dedicated VNC-compatible viewer technology, and has full KVM (keyboard, video, mouse) capability throughout the power cycle, including uninterrupted control of the desktop while an operating system loads. Clients such as VNC Viewer Plus from RealVNC also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering

The PC to be powered up (such as console redirection via serial over LAN (SOL), agent presence checking, and network traffic filtering). Intel AMT has remote power-up capability. Hardware-based features can be combined with scripting to automate maintenance and service. Hardware-based AMT features on laptop and desktop PCs include: Laptops with AMT also include wireless technologies: Software updates provide upgrades to

The UEFI (or BIOS) settings, reinstall the operating system remotely, or fix problems that prevent the system from booting.

Value added reseller

A value-added reseller (VAR) is a company that adds features or services to an existing product, then resells it (usually to end-users) as an integrated or complete "turn-key" product. This practice occurs commonly in the electronics or IT industry, where, for example,

The company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists between the corporate firewall and the client's (the user PC's) firewall. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between

The computer off and on, configuring the BIOS, and mounting a remote image (IDER). AMT supports certificate-based or PSK-based remote provisioning (full remote deployment), USB key-based provisioning ("one-touch" provisioning), manual provisioning and provisioning using an agent on the local host ("Host Based Provisioning"). An OEM can also pre-provision AMT. The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment

The full capabilities of iAMT, including encrypted remote access via a public key certificate and automatic remote device provisioning of unconfigured iAMT clients, are not accessible for free to the general public or to the direct owners of iAMT-equipped devices. iAMT cannot be fully utilized to its maximum potential without purchasing additional software or management services from Intel or another third-party independent software vendor (ISV) or value added reseller (VAR). Intel itself provides

The host via PCI interface. Under Linux, communication between the host and the ME is done via /dev/mei or, more recently, /dev/mei0. Until the release of Nehalem processors, the ME was usually embedded into the motherboard's northbridge, following the Memory Controller Hub (MCH) layout. With the newer Intel architectures (Intel 5 Series onwards), the ME is included in the Platform Controller Hub (PCH). Because AMT allows access to
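Because the ME firmware is not updated by the operating system's normal update mechanism (see the paragraph on security defects in AMT above), an administrator has to inventory its version separately. On Linux the same mei driver that provides /dev/mei0 also exports the firmware version through sysfs. The following added Python example, written for this page, parses that attribute and compares the installed build against a minimum the operator supplies. Assumptions, labelled in the code: the sysfs path /sys/class/mei/mei0/fw_ver and its one-line-per-block "platform:major.minor.hotfix.build" layout are taken from the Linux mei driver; the sample contents and the "fixed" build number in the usage are constructed placeholders, not Intel's advisory values.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Constructed sample (not read from a real machine) in the layout the Linux mei
# driver is assumed to use for /sys/class/mei/mei0/fw_ver: one
# "platform:major.minor.hotfix.build" line per version block, unused blocks zero.
SAMPLE_FW_VER = "0:11.8.50.3470\n0:0.0.0.0\n0:0.0.0.0\n"

_LINE = re.compile(r"^(\d+):(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_fw_ver(text: str) -> List[Version]:
    """Return the non-zero firmware versions listed in a fw_ver attribute."""
    versions: List[Version] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unexpected fw_ver line: {line!r}")
        ver = tuple(int(x) for x in m.groups()[1:])   # drop the platform field
        if ver != (0, 0, 0, 0):
            versions.append(ver)
    return versions


def parse_version(s: str) -> Version:
    """Turn "11.8.50.3470" into a tuple so comparisons are numeric per field."""
    parts = s.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: Version, fixed_by_branch: Dict[Tuple[int, int], Version]) -> bool:
    """True if installed is at or above the operator-supplied fixed build for
    its major.minor branch. A branch with no entry is reported as unpatched so
    it gets looked at rather than silently passed."""
    minimum = fixed_by_branch.get(installed[:2])
    if minimum is None:
        return False
    return installed >= minimum


def read_fw_ver(path: str = "/sys/class/mei/mei0/fw_ver") -> List[Version]:
    """Read the live attribute; raises FileNotFoundError where no mei device exists."""
    with open(path) as f:
        return parse_fw_ver(f.read())


if __name__ == "__main__":
    # Hypothetical minimum for the 11.8 branch; substitute the build from the
    # vendor advisory that applies to your platform.
    fixed = {(11, 8): parse_version("11.8.50.3470")}
    for ver in parse_fw_ver(SAMPLE_FW_VER):
        print(".".join(map(str, ver)), "patched" if is_patched(ver, fixed) else "NOT patched")
```

The tuple comparison matters: as strings, "11.8.6.0" sorts after "11.8.50.3470", so a naive string check would report an older build as newer.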

The laptop and the company's management servers. Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC. The Management Engine (ME) is an isolated and protected coprocessor, embedded as

The main hard drive. The remote system can be accessed either through an SSH command-line interface, specialized client software, or through various web-browser-based solutions. Client software is usually optimized to manage multiple systems easily. There are also various scaled-down versions, down to devices that only allow remote reboot by power cycling the server. This helps if the operating system hangs but only needs

The network data path before communication is passed to the OS. Intel AMT supports wired and wireless networks. For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when the notebooks are awake and working properly. AMT version 4.0 and higher can establish


The network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network. Support for different security postures depends on the AMT release: AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management. AMT security technologies and methodologies include:

Out-of-band management

OOB can use dedicated management interfaces, serial ports, or cellular 4G and 5G networks for connectivity. Out-of-band management

The next minor version of Intel AMT. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware. Almost all AMT features are available even if the PC is in a powered-off state but with its power cord attached, if the operating system has crashed, if the software agent is missing, or if hardware (such as a hard drive or memory) has failed. The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after

The past, but it has largely been limited to auto-configuration using DHCP or BOOTP for dynamic IP address allocation and diskless workstations, as well as wake-on-LAN (WOL) for remotely powering on systems. AMT is not intended to be used by itself; it is intended to be used alongside a software management application. It gives a management application (and thus the system administrator who uses it) access to

The remote exploit. Additional major security flaws in the ME affecting a very large number of computers incorporating Management Engine, Trusted Execution Engine, and Server Platform Services firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on November 20, 2017 (INTEL-SA-00086). Although iAMT may be included for free in devices sold to the public and to small businesses,

The security credentials required to perform remote configuration by either: There is a way to totally reset AMT and return to factory defaults. This can be done in two ways: Setup and integration of AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from

The security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive. Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access

The system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not. AMT supports different methods for disabling the management and security technology, as well as different methods for reenabling the technology. AMT can be partially unprovisioned using the Configuration Settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings. A partial unprovisioning leaves

Was one of the key features missing from earlier versions of AMT, and which delayed acceptance of AMT in the market.) Remote deployment, until recently, was only possible within a corporate network. Remote deployment lets a sys-admin deploy PCs without "touching" the systems physically. It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to
