Intel Active Management Technology - AbsoluteAstronomy.com

Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band

Out-of-band management

In computing, out-of-band management involves the use of a dedicated management channel for device maintenance...

.
Currently, Intel AMT is available in desktop PCs with Intel Core 2

Intel Core 2

Core 2 is a brand encompassing a range of Intel's consumer 64-bit x86-64 single-, dual-, and quad-core microprocessors based on the Core microarchitecture. The single- and dual-core models are single-die, whereas the quad-core models comprise two dies, each containing two cores, packaged in a...

processor with Intel vPro

Intel vPro

Intel vPro technology is computer hardware technology to allow remote access to the PC independent of the state of the operating system or power state of the PC. It consists of a set of features built into a PC's motherboard and other hardware...

technology and available in laptop PCs with Centrino

Centrino

The Centrino brand represents Intel Wi-Fi and WiMAX adapters. It was formerly a platform-marketing initiative from Intel until January 7, 2010....

or Centrino 2 platform with vPro technology.

Overview of Intel AMT

Intel AMT is hardware and firmware technology that builds certain functionality into business PCs in order to monitor, maintain, update, upgrade, and repair PC's. Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology. Intel AMT is designed into a secondary processor located on the motherboard.

AMT is not intended to be used by itself; it is intended to be used with a software management application. It gives a management application (and thus, the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.

Hardware-based management and software-based management

Hardware-based management is different from software-based management and software management agents. Hardware-based management works at a different level than software applications, uses a communication channel (through the TCP/IP

Internet protocol suite

The Internet protocol suite is the set of communications protocols used for the Internet and other similar networks. It is commonly known as TCP/IP from its most important protocols: Transmission Control Protocol and Internet Protocol , which were the first networking protocols defined in this...

stack) that is different from software-based communication (which is through the software stack in the operating system). Hardware-based management does not depend on the presence of an OS or locally installed management agent.

DHCP, BOOTP, WOL vs Intel AMT hardware-based management

Hardware-based management has been available on Intel/AMD based computers in the past, but it has largely been limited to auto-configuration using DHCP

Dynamic Host Configuration Protocol

The Dynamic Host Configuration Protocol is a network configuration protocol for hosts on Internet Protocol networks. Computers that are connected to IP networks must be configured before they can communicate with other hosts. The most essential information needed is an IP address, and a default...

or BOOTP

BOOTP

In computer networking, the Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server. The BOOTP protocol was originally defined in RFC 951....

for dynamic IP allocation and diskless workstation

Diskless workstation

A diskless node is a workstation or personal computer without disk drives, which employs network booting to load its operating system from a server...

s, as well as Wake-on-LAN

Wake-on-LAN

Wake-on-LAN is an Ethernet computer networking standard that allows a computer to be turned on or woken up by a network message....

(WOL) for remotely powering on systems.

Intel AMT uses TLS

Transport Layer Security

Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

-secured communication and strong encryption

Encryption

In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...

, to provide additional security.

Intel AMT features

Intel AMT includes hardware-based remote management, security, power-management, and remote-configuration features. These features allow an IT technician to access an AMT featured PC remotely.

Intel AMT relies on a hardware-based out-of-band

Out-of-band

The term out-of-band has different uses in communications and telecommunication. In case of out-of-band control signaling, signaling bits are sent in special order in a dedicated signaling frame...

(OOB) communication channel that operates below the OS level, the channel is independent of the state of the OS (present, missing, corrupted, down). The communication channel is also independent of the PC's power state, the presence of a management agent, and the state of many hardware components (such as hard disk drives and memory).

Most AMT features are available OOB, regardless of PC power state. Other features require the PC to be powered up (such as console redirection via serial over LAN

Serial over LAN

Serial Over LAN is a mechanism that enables the input and output of the serial port of a managed system to be redirected over IP.On some managed systems, notably blade server systems, the serial ports on the managed computers are not normally connected to a traditional serial port socket...

(SOL), agent presence checking, and network traffic filtering). Intel AMT has remote power-up capability.

Hardware-based features can be combined with scripting to automate maintenance and service.

Hardware-based AMT features in laptop and desktop PCs

Hardware-based AMT features include:

Encrypted, remote communication channel for network traffic
Network traffic
Network traffic is data in a network. In computer networks, the data is encapsulated in packets.*Network traffic control*Network traffic measurement*Network traffic simulation...

between the IT console and Intel AMT.
Ability for a wired PC (physically connected to the network) outside the company's firewall
Firewall (computing)
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....

on an open LAN
Local area network
A local area network is a computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building...

to establish a secure communication tunnel (via AMT) back to the IT console. Examples of an open LAN include a wired laptop at home or at an site that does not have a proxy server.
Remote power up / power down / power cycle through encrypted WOL
Wake-on-LAN
Wake-on-LAN is an Ethernet computer networking standard that allows a computer to be turned on or woken up by a network message....

.
Remote boot
Booting
In computing, booting is a process that begins when a user turns on a computer system and prepares the computer to perform its normal operations. On modern computers, this typically involves loading and starting an operating system. The boot sequence is the initial set of operations that the...

, via integrated device electronics redirect (IDE-R).
Console redirection, via serial over LAN
Serial over LAN
Serial Over LAN is a mechanism that enables the input and output of the serial port of a managed system to be redirected over IP.On some managed systems, notably blade server systems, the serial ports on the managed computers are not normally connected to a traditional serial port socket...

(SOL).
Hardware-based filters for monitoring packet headers in inbound and outbound network traffic
Network traffic
Network traffic is data in a network. In computer networks, the data is encapsulated in packets.*Network traffic control*Network traffic measurement*Network traffic simulation...

for known threats (based on programmable timers), and for monitoring known / unknown threats based on time-based heuristics. Laptops and desktop PCs have filters to monitor packet headers. Desktop PCs have packet-header filters and time-based filters.
Isolation circuitry (previously and unofficially called "circuit breaker" by Intel) to port-block, rate-limit
Rate limiting
In computer networks, rate limiting is used to control the rate of traffic sent or received on a network interface. Traffic that is less than or equal to the specified rate is sent, whereas traffic that exceeds the rate is dropped or delayed...

, or fully isolate a PC that might be compromised or infected.
Agent presence checking, via hardware-based, policy-based programmable timer
Timer
A timer is a specialized type of clock. A timer can be used to control the sequence of an event or process. Whereas a stopwatch counts upwards from zero for measuring elapsed time, a timer counts down from a specified time interval, like an hourglass.Timers can be mechanical, electromechanical,...

s. A "miss" generates an event; you can specify that the event generate an alert.
OOB alerting.
Persistent event log, stored in protected memory (not on the hard drive).
Access (preboot) the PC's universal unique identifier (UUID).
Access (preboot) hardware asset information, such as a component's manufacturer and model, which is updated every time the system goes through power-on self-test
Power-on self-test
Power-On Self-Test refers to routines run immediately after power is applied, by nearly all electronic devices. Perhaps the most widely-known usage pertains to computing devices...

(POST).
Access (preboot) to third-party data store (TPDS), a protected memory area that software vendors can use, in which to version information, .DAT files, and other information.
Remote configuration options, including certificate-based zero-touch remote configuration, USB key configuration (light-touch), and manual configuration.
Protected Audio/Video Pathway
Pavp
PAVP PAVP protects the data path within a computer during video playback . It is supported by newer chipsets and operating systems . PAVP does the video decoding in the chipset to reduce processor load.PAVP can be configured in the BIOS...

for playback protection of DRM
DRM
-Information technology:*Digital rights management, access control technologies that limit the usage of digital content and devices*Data Reference Model, one of the five reference models of the Federal Enterprise Architecture...

-protected media.

Additional AMT features in laptop PCs

Laptops with AMT also include wireless technologies:

Support for IEEE 802.11
IEEE 802.11
IEEE 802.11 is a set of standards for implementing wireless local area network computer communication in the 2.4, 3.6 and 5 GHz frequency bands. They are created and maintained by the IEEE LAN/MAN Standards Committee . The base version of the standard IEEE 802.11-2007 has had subsequent...

a
IEEE 802.11a-1999
IEEE 802.11a-1999 or 802.11a is an amendment to the IEEE 802.11 specification that added a higher data rate of up to 54 Mbit/s using the 5 GHz band. It has seen widespread worldwide implementation, particularly within the corporate workspace...

/g
IEEE 802.11g-2003
IEEE 802.11g-2003 or 802.11g is an amendment to the IEEE 802.11 specification that extended throughput to up to 54 Mbit/s using the same 2.4 GHz band as 802.11b. This specification under the marketing name of Wi-Fi has been implemented all over the world...

/n
IEEE 802.11n
IEEE 802.11n-2009 is an amendment to the IEEE 802.11-2007 wireless networking standard to improve network throughput over the two previous standards—802.11a and 802.11g—with a significant increase in the maximum net data rate from 54 Mbit/s to 600 Mbit/s with the use of four...

wireless
Wireless LAN
A wireless local area network links two or more devices using some wireless distribution method , and usually providing a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network...

protocols
Cisco
Cisco
Cisco may refer to:Companies:*Cisco Systems, a computer networking company* Certis CISCO, corporatised entity of the former Commercial and Industrial Security Corporation in Singapore...

-compatible extensions for Voice over WLAN

Intel vPro platform features

Intel AMT is security and management technology that is built into PCs with Intel vPro technology

Intel vPro

. PCs with Intel vPro include many other "platform" (general PC features) technologies and features:

Support for IEEE 802.1x
IEEE 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control . It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN....

, Cisco
Cisco
Cisco may refer to:Companies:*Cisco Systems, a computer networking company* Certis CISCO, corporatised entity of the former Commercial and Industrial Security Corporation in Singapore...

Self Defending Network (SDN), and Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...

Network Access Protection
Network Access Protection
Network Access Protection is a Microsoft technology for controlling network access of a computer host based on the system health of the host, first introduced in Windows Server 2008....

(NAP).
Gigabit network
Gigabit Ethernet
Gigabit Ethernet is a term describing various technologies for transmitting Ethernet frames at a rate of a gigabit per second , as defined by the IEEE 802.3-2008 standard. It came into use beginning in 1999, gradually supplanting Fast Ethernet in wired local networks where it performed...

connection or network wireless connection (on laptops).
Intel Trusted Execution Technology (Intel TXT) and an industry-standard Trusted Platform Module
Trusted Platform Module
In computing, Trusted Platform Module is both the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information, as well as the general name of implementations of that specification, often called the "TPM chip" or "TPM Security...

(TPM) version 1.2.
Intel Virtualization Technology (Intel VT).
64-bit processors
Central processing unit
The central processing unit is the portion of a computer system that carries out the instructions of a computer program, to perform the basic arithmetical, logical, and input/output operations of the system. The CPU plays a role somewhat analogous to the brain in the computer. The term has been in...

.
64-bit integrated graphics
Graphics processing unit
A graphics processing unit or GPU is a specialized circuit designed to rapidly manipulate and alter memory in such a way so as to accelerate the building of images in a frame buffer intended for output to a display...

.
Industry standards, such as ASF
Alert Standard Format
Alert Standard Format is a DMTF standard for remote monitoring, management and control of computer systems in both OS-present and OS-absent environments...

, XML
XML
Extensible Markup Language is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications, all gratis open standards....

, SOAP
SOAP
SOAP, originally defined as Simple Object Access Protocol, is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks...

, TLS
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

, HTTP authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...

, Kerberos
Kerberos
Kerberos may refer to:* Cerberus, the hound of Hades * Kerberos saga, a science fiction series by Mamoru Oshii* Kerberos , a computer network authentication protocol* Kerberos Dante, a character from Saint Seiya...

(Microsoft Active Directory
Active Directory
Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers....

), DASH (based on draft 1.0 specifications), and WS-MAN
WS-Management
Web Services-Management is a DMTF open standard defining a SOAP-based protocol for the management of servers, devices, applications and various Web services. The DMTF has published the standards document DSP0226 with version v1.1.0 of 2010-03-03....

.
Quiet System Technology (QST), formerly called advanced fan speed control (AFSC).
Architecture, package design
Integrated circuit
An integrated circuit or monolithic integrated circuit is an electronic circuit manufactured by the patterned diffusion of trace elements into the surface of a thin substrate of semiconductor material...

, and technologies for power coordination and better thermals, in order to operate at very low voltage
Voltage
Voltage, otherwise known as electrical potential difference or electric tension is the difference in electric potential between two points — or the difference in electric potential energy per unit charge between two points...

s, use power more efficiently, and help meet Energy Star
Energy Star
Energy Star is an international standard for energy efficient consumer products originated in the United States of America. It was first created as a United States government program during the early 1990s, but Australia, Canada, Japan, New Zealand, Taiwan and the European Union have also adopted...

requirements.

Using Intel AMT

Almost all AMT features are available even if PC power is off, the OS is crashed, the software agent is missing, or hardware (such as a hard drive or memory) has failed. The console-redirection feature (SOL

Serial over LAN

), agent presence checking, and network traffic filters are available after the PC is powered up.

Intel AMT supports these management tasks:

Remotely power up, power down, power cycle, and power reset the computer.
Remote boot the PC by remotely redirecting the PC’s boot
Booting
In computing, booting is a process that begins when a user turns on a computer system and prepares the computer to perform its normal operations. On modern computers, this typically involves loading and starting an operating system. The boot sequence is the initial set of operations that the...

process, causing it to boot from a different image, such as a network share
Shared resource
In computing, a shared resource or network share is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise Intranet, transparently as if it were a resource in the local machine.Examples are shared file...

, bootable CD-ROM
CD-ROM
A CD-ROM is a pre-pressed compact disc that contains data accessible to, but not writable by, a computer for data storage and music playback. The 1985 “Yellow Book” standard developed by Sony and Philips adapted the format to hold any form of binary data....

or DVD
DVD
A DVD is an optical disc storage media format, invented and developed by Philips, Sony, Toshiba, and Panasonic in 1995. DVDs offer higher storage capacity than Compact Discs while having the same dimensions....

, remediation drive, or other boot device. This feature supports remote booting a PC that has a corrupted or missing OS.
Remotely redirect the system’s I/O via console redirection through serial over LAN
Serial over LAN
Serial Over LAN is a mechanism that enables the input and output of the serial port of a managed system to be redirected over IP.On some managed systems, notably blade server systems, the serial ports on the managed computers are not normally connected to a traditional serial port socket...

(SOL). This feature supports remote troubleshooting, remote repair, software upgrades, and similar processes.
Access and change BIOS
BIOS
In IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....

settings remotely. This feature is available even if PC power is off, the OS is down, or hardware has failed. This feature is designed to allow remote updates and corrections of configuration settings. This feature supports full BIOS updates, not just changes to specific settings.
Detect suspicious network traffic
Network traffic
Network traffic is data in a network. In computer networks, the data is encapsulated in packets.*Network traffic control*Network traffic measurement*Network traffic simulation...

. In laptop and desktop PCs, this feature allows a sys-admin to define the events that might indicate an inbound or outbound threat in a network packet header. In desktop PCs, this feature also supports detection of known and/or unknown threats (including slow- and fast-moving computer worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...

s) in network traffic via time-based, heuristics-based filters. Network traffic is checked before it reaches the OS, so it is also checked before the OS and software applications load, and after they shut down (a traditionally vulnerable period for PCs).
Block or rate-limit
Rate limiting
In computer networks, rate limiting is used to control the rate of traffic sent or received on a network interface. Traffic that is less than or equal to the specified rate is sent, whereas traffic that exceeds the rate is dropped or delayed...

network traffic
Network traffic control
In computer networking, network traffic control is the process of managing, prioritising, controlling or reducing the network traffic, particularly Internet bandwidth, used by network administrators, to reduce congestion, latency and packet loss. This is part of bandwidth management...

to and from systems suspected of being infected or compromised by computer virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...

es, computer worms, or other threats. This feature uses Intel AMT hardware-based isolation circuitry that can be triggered manually (remotely, by the sys-admin) or automatically, based on IT policy (a specific event).
Manage hardware packet filters in the on-board network adapter
Network card
A network interface controller is a computer hardware component that connects a computer to a computer network....

.
Automatically send OOB communication to the IT console when a critical software agent misses its assigned check in with the programmable, policy-based hardware-based timer
Timer
A timer is a specialized type of clock. A timer can be used to control the sequence of an event or process. Whereas a stopwatch counts upwards from zero for measuring elapsed time, a timer counts down from a specified time interval, like an hourglass.Timers can be mechanical, electromechanical,...

. A "miss" indicates a potential problem. This feature can be combined with OOB alerting so that the IT console is notified only when a potential problem occurs (helps keep the network from being flooded by unnecessary "positive" event notifications).
Receive Platform Event Trap (PET) events out-of-band from the AMT subsystem (for example, events indicating that the OS is hung or crashed, or that a password attack
Password cracking
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password...

has been attempted). You can alert on an event (such as falling out of compliance, in combination with agent presence checking) or on a threshold (such as reaching a particular fan speed).
Access a persistent event log, stored in protected memory. The event log is available OOB, even if the OS is down or the hardware has already failed.
Discover an AMT system independently of the PC's power state or OS state. Discovery (preboot access to the UUID
Universally Unique Identifier
A universally unique identifier is an identifier standard used in software construction, standardized by the Open Software Foundation as part of the Distributed Computing Environment ....

) is available if the system is powered down, its OS is compromised or down, hardware (such as a hard drive or memory) has failed, or management agents are missing.
Perform a software inventory or access information about software
Computer software
Computer software, or just software, is a collection of computer programs and related data that provide the instructions for telling a computer what to do and how to do it....

on the PC. This feature allows a third-party software vendor to store software asset or version information for local applications in the Intel AMT protected memory. (This is the protected third party data store, which is different from the protected AMT memory for hardware component information and other system information). The third-party data store can be accessed OOB by the sys-admin. For example, an antivirus program
Antivirus software
Antivirus or anti-virus software is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worm, trojan horses, spyware and adware...

could store version information in the protected memory that is available for third-party data. A computer script
Scripting language
A scripting language, script language, or extension language is a programming language that allows control of one or more applications. "Scripts" are distinct from the core code of the application, as they are usually written in a different language and are often created or at least modified by the...

could use this feature to identify PCs that need to be updated.
Perform a hardware inventory by uploading the remote PC's hardware asset list (platform, baseboard management controller, BIOS
BIOS
In IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....

, processor
Central processing unit
The central processing unit is the portion of a computer system that carries out the instructions of a computer program, to perform the basic arithmetical, logical, and input/output operations of the system. The CPU plays a role somewhat analogous to the brain in the computer. The term has been in...

, memory, disks, portable batteries, field replaceable units, and other information). Hardware asset information is updated every time the system runs through power-on self-test
Power-on self-test
Power-On Self-Test refers to routines run immediately after power is applied, by nearly all electronic devices. Perhaps the most widely-known usage pertains to computing devices...

(POST).

VNC-based KVM remote control

From major version 6, Intel AMT embeds a proprietary VNC server

Virtual Network Computing

In computing, Virtual Network Computing is a graphical desktop sharing system that uses the RFB protocol to remotely control another computer...

, so you can connect out-of-band using dedicated VNC-compatible viewer technology, and have full KVM (Keyboard, Video, Mouse) capability throughout the power cycle - including uninterrupted control of the desktop when an operating system loads. Clients such as VNC Viewer Plus from RealVNC

RealVNC

RealVNC is a company that provides remote access software. The software consists of a server and client application for the Virtual Network Computing protocol to control another computer's screen remotely.-History:...

also provide additional functionality that might make it easier to perform (and watch) certain Intel AMT operations, such as powering the computer off and on, configuring the BIOS, and mounting a remote image (IDER).

Out-of-band (OOB) communication with AMT

Intel AMT is part of the Intel Management Engine. All access to the Intel AMT features is through the Intel Management Engine in the PC’s hardware and firmware. AMT communication depends on the state of the Management Engine, not the state of the PC’s OS.

As part of the Intel Management Engine, the AMT OOB communication channel is based on the TCP/IP

Internet protocol suite

firmware

Firmware

In electronic systems and computing, firmware is a term often used to denote the fixed, usually rather small, programs and/or data structures that internally control various electronic devices...

stack designed into system hardware. Because it is based on the TCP/IP stack, remote communication with AMT occurs via the network data path before communication is passed to the OS.

AMT out-of-band (OOB) communication for wired vs. wireless PCs

Intel AMT supports wired and wireless

Wireless LAN

A wireless local area network links two or more devices using some wireless distribution method , and usually providing a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network...

networks. For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down. OOB communication is also available for wireless or wired notebooks connected to the corporate network over a host OS-based virtual private network

Virtual private network

A virtual private network is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network....

(VPN) when notebooks are awake and working properly.

AMT out-of-band (OOB) secure communication outside the corporate firewall

AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall. In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC, and mediates communication. The scheme is intended to help the user or PC itself request maintenance or service when at satellite offices or similar places where there is no on-site proxy server

Proxy server

In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...

or management appliance.

Technology that secures communications outside a corporate firewall

Firewall (computing)

A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....

is relatively new. It also requires that an infrastructure

Infrastructure

Infrastructure is basic physical and organizational structures needed for the operation of a society or enterprise, or the services and facilities necessary for an economy to function...

be in place, including support from IT consoles and firewalls.

How it works

An AMT PC stores system configuration information in protected memory. For PCs version 4.0 and higher, this information can include the name(s) of appropriate "whitelist" management servers for the company. When a user tries to initiate a remote session between the wired PC and a company server from an open LAN

Local area network

A local area network is a computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building...

, AMT sends the stored information to a management presence server (MPS) in the "demilitarized zone" ("DMZ") that exists between the corporate firewall and client (the user PC's) firewalls. The MPS uses that information to help authenticate

Authentication

Authentication is the act of confirming the truth of an attribute of a datum or entity...

the PC. The MPS then mediates communication between the laptop and the company’s management servers.

Because communication is authenticated, a secure communication tunnel can then be opened using TLS

Transport Layer Security

Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

encryption. Once secure communications are established between the IT console and Intel AMT on the user's PC, a sys-admin can use the typical AMT features to remotely diagnose, repair, maintain, or update the PC.

Intel AMT security measures

Because AMT allows access to the PC below the OS level, security for the AMT features is a key concern.

Security for communications between Intel AMT and the provisioning service and/or management console can be established in different ways depending on the network environment. Security can be established via certificates and keys (TLS public key infrastructure, or TLS-PKI), pre-shared keys (TLS-PSK

TLS-PSK

Transport layer security pre-shared key ciphersuites is a set of cryptographic protocols that provide secure communication based on pre-shared keys . These pre-shared keys are symmetric keys shared in advance among the communicating parties.There are several ciphersuites: The first set of...

), or administrator password.

Security technologies that protect access to the AMT features are built into the hardware and firmware. As with other hardware-based features of AMT, the security technologies are active even if the PC is powered off, the OS is crashed, software agents are missing, or hardware (such as a hard drive or memory) has failed.

Using AMT in a secure network environment

Because in-band remote management does not usually occur over a secured network communication channel, businesses have typically had to choose between having a secure network

Network security

In the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...

or allowing IT to use remote management applications

Information technology management

IT management is the discipline whereby all of the technology resources of a firm are managed in accordance with its needs and priorities. These resources may include tangible investments like computer hardware, software, data, networks and data centre facilities, as well as the staffs who are...

without secure communications to maintain and service PCs.

Modern security technologies and hardware designs allow remote management even in more secure environments. For example, Intel AMT supports IEEE 802.1x

IEEE 802.1X

IEEE 802.1X is an IEEE Standard for port-based Network Access Control . It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN....

, Preboot Execution Environment

Preboot Execution Environment

The Preboot eXecution Environment is an environment to boot computers using a network interface independently of data storage devices or installed operating systems.PXE was introduced as part of the Wired for Management framework by Intel and is described in the specification The Preboot...

(PXE), Cisco

Cisco

Cisco may refer to:Companies:*Cisco Systems, a computer networking company* Certis CISCO, corporatised entity of the former Commercial and Industrial Security Corporation in Singapore...

SDN

Network Access Control

Network Access Control is an approach to computer network security that attempts to unify endpoint security technology , user or system authentication and network security enforcement.-Background:Network Access Control is a computer networking solution that uses a set of protocols to define and...

, and Microsoft

Microsoft

Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...

NAP

Network Access Protection

Network Access Protection is a Microsoft technology for controlling network access of a computer host based on the system health of the host, first introduced in Windows Server 2008....

.

All AMT features are available in a secure network environment. With Intel AMT in the secure network environment:

The network can verify the security posture of an AMT-enabled PC and authenticate
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...

the PC before the OS loads and before the PC is allowed access to the network.
PXE
Preboot Execution Environment
The Preboot eXecution Environment is an environment to boot computers using a network interface independently of data storage devices or installed operating systems.PXE was introduced as part of the Wired for Management framework by Intel and is described in the specification The Preboot...

boot can be used while maintaining network security. In other words, an IT administrator can use an existing PXE infrastructure in an IEEE 802.1x
IEEE 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control . It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN....

, Cisco
Cisco
Cisco may refer to:Companies:*Cisco Systems, a computer networking company* Certis CISCO, corporatised entity of the former Commercial and Industrial Security Corporation in Singapore...

SDN
Network Access Control
Network Access Control is an approach to computer network security that attempts to unify endpoint security technology , user or system authentication and network security enforcement.-Background:Network Access Control is a computer networking solution that uses a set of protocols to define and...

, or Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...

NAP
Network Access Protection
Network Access Protection is a Microsoft technology for controlling network access of a computer host based on the system health of the host, first introduced in Windows Server 2008....

network.

Intel AMT in a secured network environment: how it works

Intel AMT can embed network security credentials in the hardware, via the Intel AMT Embedded Trust Agent

Web of trust

In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure ,...

and an AMT posture plug-in. The plug-in collects security posture information, such as firmware

Firmware

In electronic systems and computing, firmware is a term often used to denote the fixed, usually rather small, programs and/or data structures that internally control various electronic devices...

configuration and security parameters from third-party software (such as antivirus software

Antivirus software

Antivirus or anti-virus software is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worm, trojan horses, spyware and adware...

and antispyware), BIOS

BIOS

In IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....

, and protected memory. The plug-in and trust agent can store the security profile(s) in AMT's protected, nonvolatile memory, which is not on the hard disk drive.

Because AMT has an out-of-band communication channel, AMT can present the PC's security posture to the network even if the PC's OS or security software is compromised. Since AMT presents the posture out-of-band, the network can also authenticate

Authentication

Authentication is the act of confirming the truth of an attribute of a datum or entity...

the PC out-of-band, before the OS or applications load and before they try to access the network. If the security posture is not correct, a system administrator can push an update OOB (via Intel AMT) or reinstall critical security software before letting the PC access the network.

Security postures supported by Intel AMT versions

Support for different security postures depends on the AMT release

Intel AMT versions

Intel Active Management Technology is hardware-based technology built into PCs with Intel vPro technology. AMT is designed to help sys-admins remotely manage and secure PCs out-of-band when PC power is off, the operating system is unavailable , software management agents are missing, or hardware...

Support for IEEE 802.1x
IEEE 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control . It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN....

and Cisco
Cisco
Cisco may refer to:Companies:*Cisco Systems, a computer networking company* Certis CISCO, corporatised entity of the former Commercial and Industrial Security Corporation in Singapore...

SDN
Network Access Control
Network Access Control is an approach to computer network security that attempts to unify endpoint security technology , user or system authentication and network security enforcement.-Background:Network Access Control is a computer networking solution that uses a set of protocols to define and...

requires AMT version 2.6 or higher for laptops, and AMT version 3.0 or higher for desktop PCs.
Support for Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...

NAP
Network Access Protection
Network Access Protection is a Microsoft technology for controlling network access of a computer host based on the system health of the host, first introduced in Windows Server 2008....

requires AMT version 4.0 or higher.
Support for PXE
Preboot Execution Environment
The Preboot eXecution Environment is an environment to boot computers using a network interface independently of data storage devices or installed operating systems.PXE was introduced as part of the Wired for Management framework by Intel and is described in the specification The Preboot...

boot with full network security
Network security
In the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources...

requires AMT version 3.2 or higher for desktop PCs.

Intel AMT security technologies and methodologies

AMT includes several security schemes, technologies, and methodologies to secure access to the AMT features during deployment

System deployment

The deployment of a mechanical device, electrical system, computer program, etc., is its assembly or transformation from a packaged form to an operational working state....

and during remote management. AMT security technologies and methodologies include:

Transport Layer Security
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...

, including pre-shared key TLS
TLS-PSK
Transport layer security pre-shared key ciphersuites is a set of cryptographic protocols that provide secure communication based on pre-shared keys . These pre-shared keys are symmetric keys shared in advance among the communicating parties.There are several ciphersuites: The first set of...

(TLS-PSK
TLS-PSK
Transport layer security pre-shared key ciphersuites is a set of cryptographic protocols that provide secure communication based on pre-shared keys . These pre-shared keys are symmetric keys shared in advance among the communicating parties.There are several ciphersuites: The first set of...

)
HTTP
Hypertext Transfer Protocol
The Hypertext Transfer Protocol is a networking protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web....

authentication
Single sign-on to Intel AMT with Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...

domain authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...

, based on Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...

Active Directory
Active Directory
Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers....

and Kerberos
Digitally signed firmware
Firmware
In electronic systems and computing, firmware is a term often used to denote the fixed, usually rather small, programs and/or data structures that internally control various electronic devices...
Pseudo-random number generator (PRNG) which generates session keys
Protected memory (not on the hard disk drive) for critical system data, such as the UUID
Universally Unique Identifier
A universally unique identifier is an identifier standard used in software construction, standardized by the Open Software Foundation as part of the Distributed Computing Environment ....

, hardware asset information, and BIOS
BIOS
In IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....

configuration settings
Access control list
Access control list
An access control list , with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject...

s (ACL)

As with other aspects of Intel AMT, the security technologies and methodologies are built into the chipset.

Versions

Intel AMT versions
Intel AMT versions
Intel Active Management Technology is hardware-based technology built into PCs with Intel vPro technology. AMT is designed to help sys-admins remotely manage and secure PCs out-of-band when PC power is off, the operating system is unavailable , software management agents are missing, or hardware...

can be updated in software to the next minor version. New major releases of Intel AMT are built into a new chipset

Chipset

A chipset, PC chipset, or chip set refers to a group of integrated circuits, or chips, that are designed to work together. They are usually marketed as a single product.- Computers :...

, and are updated through new hardware.

Management Engine firmware modules

Active Management Technology (AMT)
Alert Standard Format (ASF)
Quiet System Technology (QST), formerly Advanced Fan Speed Control (AFSC)
Trusted Platform Module (TPM)

Provisioning and integration of Intel AMT

AMT supports certificate

Public key certificate

In cryptography, a public key certificate is an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth...

-based or PSK

Pre-shared key

In cryptography, a pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function should be used. Such systems almost always use symmetric key...

-based remote provisioning (full remote deployment), USB

Universal Serial Bus

USB is an industry standard developed in the mid-1990s that defines the cables, connectors and protocols used in a bus for connection, communication and power supply between computers and electronic devices....

key-based provisioning (“one-touch” provisioning), manual provisioning and provisioning using an agent on the local host ("Host Based Provisioning"). An OEM can also pre-provision AMT.

The current version of AMT supports remote deployment on both laptop and desktop PCs. (Remote deployment was one of the key features missing from earlier versions of AMT and which delayed acceptance of AMT in the market.) Remote deployment lets a sys-admin deploy PCs without “touching” the systems physically. It also allows a sys-admin to delay deployments and put PCs into use for a period of time before making AMT features available to the IT console.

Intel vPro PCs can be sold with AMT enabled or disabled

PCs with Intel AMT can be sold with AMT enabled or disabled. The OEM

Original Equipment Manufacturer

An original equipment manufacturer, or OEM, manufactures products or components that are purchased by a company and retailed under that purchasing company's brand name. OEM refers to the company that originally manufactured the product. When referring to automotive parts, OEM designates a...

determines whether to ship AMT with the capabilities ready for setup (enabled) or disabled. Your setup and configuration process will vary, depending on the OEM build.

Intel AMT includes a Privacy Icon application, called IMSS, that notifies the system's user if AMT is enabled. It is up to the OEM to decide whether they want to display the icon or not.

Disabling and re-enabling Intel AMT

Intel AMT supports different methods for disabling the management and security technology, as well as different methods for reenabling the technology.

Disabling Intel AMT

AMT can be partially unprovisioned using the AMT security credentials to erase configuration settings, or fully unprovisioned by erasing all configuration settings, security credentials, and operational and networking settings; or by resetting a specific jumper on the motherboard

Motherboard

In personal computers, a motherboard is the central printed circuit board in many modern computers and holds many of the crucial components of the system, providing connectors for other peripherals. The motherboard is sometimes alternatively known as the mainboard, system board, or, on Apple...

.

A partial unprovisioning leaves the PC in the setup state. In this state, the PC can self-initiate its automated, remote configuration process. A full unprovisioning erases the configuration profile as well as the security credentials and operational / networking settings required to communicate with the Intel Management Engine. A full unprovisioning returns Intel AMT to its factory default state.

Re-enabling Intel AMT

Once AMT is disabled, in order to enable AMT again, an authorized sys-admin can reestablish the security credentials required to perform remote configuration by either:

Using the remote configuration process (full automated, remote config via certificates and keys).
Physically accessing the PC to restore security credentials, either by USB key or by entering the credentials and MEBx parameters manually.

Returning AMT to factory default

There is a way to totally reset AMT and return in to factory defaults. This can be done in two ways:

Setting the appropriate value in the BIOS
BIOS
In IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....

.
Clearing the CMOS
CMOS
Complementary metal–oxide–semiconductor is a technology for constructing integrated circuits. CMOS technology is used in microprocessors, microcontrollers, static RAM, and other digital logic circuits...

memory and/or NVRAM
NVRAM
Non-volatile random-access memory is random-access memory that retains its information when power is turned off, which is described technically as being non-volatile...

.

Setup and integration tools

Setup and integration of Intel AMT is supported by a setup and configuration service (for automated setup), an AMT Webserver tool (included with Intel AMT), and AMT Commander, an unsupported and free, proprietary application available from the Intel website.

External links

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.