Intel Active Management Technology

Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band.
* Cisco-compatible extensions for Voice over WLAN

Intel vPro platform features

Intel AMT is security and management technology that is built into PCs with Intel vPro technology. PCs with Intel vPro include many other “platform” (general PC features) technologies and features:
* Support for IEEE 802.1x, Cisco Self Defending Network (SDN), and Microsoft Network Access Protection (NAP).
* Gigabit network connection or network wireless connection (on laptops).
* Intel Trusted Execution Technology (Intel TXT) and an industry-standard Trusted Platform Module (TPM) version 1.2.
* Intel Virtualization Technology (Intel VT).
* 64-bit processors that are optimized for multi-tasking and multithreading.
* 64-bit integrated graphics to provide enough performance that the PC does not need a discrete (separate) graphics card even for graphics-intensive OSs such as Microsoft Windows Vista.
* Industry standards, such as ASF, XML, SOAP, TLS, HTTP authentication, Kerberos (Microsoft Active Directory), DASH (based on draft 1.0 specifications), and WS-MAN.
* Quiet System Technology (QST), formerly called advanced fan speed control (AFSC).
* Architecture, package design, and technologies for power coordination and better thermals, in order to operate at very low voltages, use power more efficiently, and help meet Energy Star requirements.

Using Intel AMT

Almost all AMT features are available even if PC power is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed. The console-redirection feature (SOL), agent presence checking, and network traffic filters are available after the PC is powered up.

Intel AMT supports these management tasks:
* Remotely power up, power down, power cycle, and power reset the computer.
* Remote boot the PC by remotely redirecting the PC’s boot process, causing it to boot from a different image, such as a network share, bootable CD-ROM or DVD, remediation drive, or other boot device. This feature supports remote booting a PC that has a corrupted or missing OS.
* Remotely redirect the system’s I/O via console redirection through serial over LAN (SOL). This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes.
* Access and change BIOS settings remotely. This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is designed to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings.
* Detect suspicious network traffic. In laptop and desktop PCs, this feature allows a sys-admin to define the events that might indicate an inbound or outbound threat in a network packet header. In desktop PCs, this feature also supports detection of known and/or unknown threats (including slow- and fast-moving computer worms) in network traffic via time-based, heuristics-based filters. Network traffic is checked before it reaches the OS, so it is also checked before the OS and software applications load, and after they shut down (a traditionally vulnerable period for PCs).
* Block or rate-limit network traffic to and from systems suspected of being infected or compromised by computer viruses, computer worms, or other threats. This feature uses Intel AMT hardware-based isolation circuitry that can be triggered manually (remotely, by the sys-admin) or automatically, based on IT policy (a specific event).
* Manage hardware packet filters in the on-board network adapter.
* Automatically send OOB communication to the IT console when a critical software agent misses its assigned check-in with the programmable, policy-based, hardware-based timer. A "miss" indicates a potential problem. This feature can be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (this helps keep the network from being flooded by unnecessary "positive" event notifications).
* Receive PET events out-of-band from the AMT subsystem (for example, events indicating that the OS is hung or crashed, or that a password attack has been attempted). You can alert on an event (such as falling out of compliance, in combination with agent presence checking) or on a threshold (such as reaching a particular fan speed).
* Access a persistent event log, stored in protected memory. The event log is available OOB, even if the OS is down or the hardware has already failed.
* Discover an AMT system independently of the PC's power state or OS state. Discovery (preboot access to the UUID) is available if the system is powered down, its OS is compromised or down, hardware (such as a hard drive or memory) has failed, or management agents are missing.
* Perform a software inventory or access information about software on the PC. This feature allows a third-party software vendor to store software asset or version information for local applications in the Intel AMT protected memory. (This is the protected third party data store, which is different from the protected AMT memory for hardware component information and other system information). The third-party data store can be accessed OOB by the sys-admin. For example, an antivirus program could store version information in the protected memory that is available for third-party data. A computer script could use this feature to identify PCs that need to be updated.
* Perform a hardware inventory by uploading the remote PC’s hardware asset list (platform, baseboard management controller, BIOS, processor, memory, disks, portable batteries, field replaceable units, and other information). Hardware asset information is updated every time the system runs through power-on self-test (POST).
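
A simplified software model of the time-based heuristic filtering and the block or rate-limit response described in the list above. This is an added example, not Intel firmware or SDK code; the rule names, thresholds, the distinct-destination heuristic, and the sample traffic are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    window_ms: int       # length of the sliding time window
    max_new_dests: int   # distinct destinations tolerated inside the window
    action: str          # response when exceeded: "rate_limit" or "block"


SEVERITY = {"pass": 0, "rate_limit": 1, "block": 2}

# Hypothetical policy: thresholds are illustrative, not Intel defaults.
POLICY = (
    Rule("fast-spread", window_ms=1_000, max_new_dests=10, action="block"),
    Rule("slow-spread", window_ms=60_000, max_new_dests=40, action="rate_limit"),
)


class HeuristicFilter:
    """Counts distinct outbound destinations per time window, from header fields only."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.horizon_ms = max(rule.window_ms for rule in policy)
        self.recent = deque()   # (timestamp_ms, (dst_ip, dst_port)) of outbound SYNs
        self.state = "pass"     # latched until an administrator calls reset()
        self.tripped = []       # (timestamp_ms, rule name) for each escalation

    def observe(self, ts_ms, dst_ip, dst_port, is_syn):
        """Feed one outbound packet header; return the action now in force."""
        if not is_syn:          # only new connection attempts are counted
            return self.state
        self.recent.append((ts_ms, (dst_ip, dst_port)))
        # Drop entries older than the longest window (timestamps are monotonic).
        while self.recent[0][0] <= ts_ms - self.horizon_ms:
            self.recent.popleft()
        for rule in self.policy:
            cutoff = ts_ms - rule.window_ms
            dests = {dest for t, dest in self.recent if t > cutoff}
            if (len(dests) > rule.max_new_dests
                    and SEVERITY[rule.action] > SEVERITY[self.state]):
                self.state = rule.action          # escalate, never downgrade
                self.tripped.append((ts_ms, rule.name))
        return self.state

    def reset(self):
        """Manual release by the sys-admin after remediation."""
        self.recent.clear()
        self.state = "pass"


def benign_trace():
    # Constructed: a client polling four servers every six seconds for two minutes.
    return [(i * 6_000, f"10.0.0.{1 + i % 4}", 443, True) for i in range(20)]


def fast_worm_trace():
    # Constructed: 50 SYNs to 50 different hosts within half a second.
    return [(i * 10, f"192.0.2.{i + 1}", 445, True) for i in range(50)]


def slow_worm_trace():
    # Constructed: one new host per second, too slow to trip the one-second rule.
    return [(i * 1_000, f"198.51.100.{i + 1}", 445, True) for i in range(90)]


def run_trace(trace):
    """Replay a list of headers and return (final action, escalation log)."""
    flt = HeuristicFilter()
    for header in trace:
        flt.observe(*header)
    return flt.state, flt.tripped


if __name__ == "__main__":
    for label, trace in (("benign", benign_trace()),
                         ("fast worm", fast_worm_trace()),
                         ("slow worm", slow_worm_trace())):
        print(label, run_trace(trace))
```

The slow trace never exceeds the one-second threshold, which is why a second, longer window is needed to catch it.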

OOB Communication with AMT

Intel AMT is part of the Intel Management Engine. All access to the Intel AMT features is through the Intel Management Engine in the PC’s hardware and firmware. AMT communication depends on the state of the Management Engine, not the state of the PC’s OS.

As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP firmware stack designed into system hardware. Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.

AMT OOB Communication for Wired vs. Wireless PCs

Intel AMT supports wired and wireless networks. For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network (VPN) when notebooks are awake and working properly.

AMT OOB Secure Communication Outside the Corporate Firewall

AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall. In this scheme, a management presence server (Intel calls this a “vPro-enabled gateway”) authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication. The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server or management appliance.

Technology that secures communications outside a corporate firewall is relatively new. It also requires that an infrastructure be in place, including support from IT consoles and firewalls.

How It Works

An AMT PC stores system configuration information in protected memory. For PCs with AMT version 4.0 and higher, this information can include the name(s) of appropriate “whitelist” management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN, AMT sends the stored information to a management presence server (MPS) in the “demilitarized zone” ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate the PC. The MPS then mediates communication between the laptop and the company’s management servers.

Because communication is authenticated, a secure communication tunnel can then be opened using TLS encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.

Intel AMT Security Measures

Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.

Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK), or administrator password.

Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.

Using AMT in a Secure Network Environment

Because in-band remote management does not usually occur over a secured network communication channel, businesses have typically had to choose between having a secure network or allowing IT to use remote management applications without secure communications to maintain and service PCs.

Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x, Preboot Execution Environment (PXE), Cisco SDN, and Microsoft NAP.

All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:
* The network can verify the security posture of an AMT-enabled PC and authenticate the PC before the OS loads and before the PC is allowed access to the network.
* PXE boot can be used while maintaining network security. In other words, an IT admin can use an existing PXE infrastructure in an IEEE 802.1x, Cisco SDN, or Microsoft NAP network.

Intel AMT in a Secured Network Environment: How It Works

Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent and an AMT posture plug-in. The plug-in collects security posture information, such as firmware configuration and security parameters from third-party software (such as antivirus software and antispyware), BIOS, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT’s protected, nonvolatile memory, which is not on the hard disk drive.

Because AMT has an out-of-band communication channel, AMT can present the PC’s security posture to the network even if the PC’s OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a sys-admin can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network.

Security Postures Supported by Intel AMT Versions

Support for different security postures depends on the AMT release:
* Support for IEEE 802.1x and Cisco SDN requires AMT version 2.6 or higher for laptops, and AMT version 3.0 or higher for desktop PCs.
* Support for Microsoft NAP requires AMT version 4.0 or higher.
* Support for PXE boot with full network security requires AMT version 3.2 or higher for desktop PCs.

Intel AMT Security Technologies and Methodologies

AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment and during remote management. AMT security technologies and methodologies include:
* Transport Layer Security, including pre-shared key TLS (TLS-PSK)
* HTTP authentication
* Single sign-on to Intel AMT with Microsoft Windows domain authentication, based on Microsoft Active Directory and Kerberos
* Digitally signed firmware
* Pseudo-random number generator (PRNG) which generates session keys
* Protected memory (not on the hard disk drive) for critical system data, such as the UUID, hardware asset information, and BIOS configuration settings
* Access control lists

As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.

Versions

Intel AMT versions can be updated in software to the next minor version. New major releases of Intel AMT are built into a new chipset, and are updated through new hardware.

Management Engine firmware modules

* Active Management Technology (AMT)
* Alert Standard Format (ASF)
* Quiet System Technology (QST), formerly Advanced Fan Speed Control (AFSC)
* Trusted Platform Module (TPM)

Provisioning and Integration of Intel AMT

AMT supports certificate-based remote provisioning (full remote deployment), USB key-based provisioning (“one-touch” provisioning), and manual provisioning. An OEM can also pre-provision AMT.

The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.) Remote deployment lets a sys-admin deploy PCs without “touching” the systems physically. It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console.

Intel vPro PCs Can Be Sold with AMT Enabled or Disabled

PCs with Intel AMT can be sold with AMT enabled or disabled. The OEM determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. Your setup and configuration process will vary, depending on the OEM build.

Intel AMT includes a Privacy Icon application that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.

Disabling and Reenabling Intel AMT

Intel AMT supports different methods for disabling the management and security technology, as well as different methods for reenabling the technology.

Disabling Intel AMT

AMT can be partially unprovisioned using the AMT security credentials to erase configuration settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings; or by resetting a specific jumper on the motherboard.cite web |title=Part 4: Post Deployment of Intel vPro in an Altiris EnvironmentIntel: Partial UnProvision vs. Full UnProvision vs. Factory Default|url=http://communities.intel.com/docs/DOC-1921;jsessionid=135269B177AAE4D212868A42B9437F00 |publisher=Intel (forum) |accessdate=2008-09-12]

A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.

Reenabling Intel AMT

To enable AMT again after it has been disabled, an authorized sys-admin can reestablish the security credentials required to perform remote configuration by either:
* Using the remote configuration process (fully automated, remote config via certificates and keys).cite web |title=Intel Centrino 2 with vPro Technology and Intel Core2 Processor with vPro Technology|url=ftp://download.intel.com/products/vpro/whitepaper/crossclient.pdf |publisher=Intel|date=2008|accessdate=2008-08-07]
* Physically accessing the PC to restore security credentials, either by USB key or by entering the credentials and MEBx parameters manually.cite web |title=Intel Centrino 2 with vPro Technology and Intel Core2 Processor with vPro Technology|url=ftp://download.intel.com/products/vpro/whitepaper/crossclient.pdf |publisher=Intel|date=2008|accessdate=2008-08-07]

Setup and Integration Tools

Setup and integration of Intel AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported freeware application available from the Intel Web site.

See also

* Relationships between Intel vPro, Intel AMT, Intel Centrino 2, and Intel Core 2
* Intel AMT versions
* Intel vPro
* Intel Core 2
* Intel Centrino 2
* Host Embedded Controller Interface (HECI)
* Alert Standard Format (ASF)
* Distributed Management Task Force (DMTF)
* Intelligent Platform Management Interface (IPMI)
* Baseboard management controller (BMC)
* Trusted Platform Module (TPM)
* Northbridge (computing) (NB)
* Southbridge (computing) (SB)
* I/O Controller Hub (ICH)
* Out-of-band management
* Lights out management
* HP Integrated Lights-Out (HP/Compaq specific)

External links

* [http://www.intel.com/technology/platform-technology/intel-amt/ Intel Active Management Technology]
* [http://softwarecommunity.intel.com/isn/home/manageability.aspx Intel Manageability Developer Community]
* [http://www.intel.com/go/vproexpert Intel vPro Expert Center]
* [http://www.openamt.org/ Intel AMT Open Source Drivers and Tools]
* [http://www.intel.com/design/network/products/lan/controllers/82573.htm Intel 82573E Gigabit Ethernet Controller (Tekoa)]
* [http://www.arc.com/upload/download/F1010.5_ARC%20A4_4-9-03_FINAL.pdf ARC4 Processor]
* [http://video.intel.com/ AMT videos (select the desktop channel)]


Wikimedia Foundation. 2010.
