Updated Security Best Practices for Out of Band Management in Service Pack 1

First published on CloudBlogs on Aug, 05 2009
[Today's post is provided by Carol Bailey ]

We have recently updated the Configuration Manager Documentation Library for out of band management in Configuration Manager 2007 SP2, including revisions to security best practices.  Some of these revisions are also applicable to out of band management in Configuration Manager 2007 SP1, but we can't publish them with our monthly updates because of the new SP2 content.  Rather than waiting until SP2 is released, I'm including the revisions here that affect existing customers using out of band management in Configuration Manager 2007 SP1.

We have also updated the recommended collection query for in-band provisioning. The previous query included computers with the AMT status of Not Provisioned and Detected. Note that Detected means AMT capability is detected but the out of band service point is unable to currently provision it for AMT because the AMT Remote Admin Account or the MEBx Account has been changed. This is usually an indication that you need to configure an AMT Provisioning and Discovery Account.

The new query excludes Configuration Manager clients that are blocked or not approved.  As a security best practice, provision only computers that you trust.  Blocked clients and unapproved clients are deemed to be untrusted.  This security best practice will be enforced in Configuration Manager 2007 SP2, but it is not enforced with Configuration Manager 2007 SP1, so the revised query automatically excludes these computers.  The revised query to use for the collection configured for in-band provisioning is as follows:

Select SMS_R_System.* from SMS_R_System inner join SMS_CM_RES_COLL_SMS00001 on SMS_CM_RES_COLL_SMS00001.ResourceId = SMS_R_System.ResourceId where (AMTStatus = 1 or AMTStatus = 2) and SMS_CM_RES_COLL_SMS00001.IsApproved = 1 and SMS_CM_RES_COLL_SMS00001.IsBlocked = 0

Security Best Practices for Out of Band Management in Configuration Manager 2007 SP1

Request customized firmware before purchasing AMT-based computers Computers that can be managed out of band have BIOS extensions that can set customized values to significantly increase security when these computers are on your network. Check which BIOS extension settings are available from your computer manufacturer, and specify your choice of values. For more information, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer . If your AMT-based computers do not have the firmware values that you want to use, you might be able to manually specify them yourself. For more information about manually configuring the BIOS extensions, refer to the Intel documentation or the documentation from your computer manufacturer. You can also refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site ( http://go.microsoft.com/fwlink/?LinkId=132001 ). Customize the following options to increase your security:

• Replace all certificate thumbprints of external certification authorities (CAs) with the certificate thumbprint of your own internal CA. This prevents rogue provisioning servers from attempting to provision your AMT-based computers, and you will not have to purchase provisioning certificates from external CAs. For information about how to locate the certificate thumbprint of your internal root CA, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisionin... .
• Use a custom password for the MEBx Account so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. This prevents rogue provisioning servers from attempting to provision your AMT-based computers with the known default password. For more information, see About the MEBx Account and How to Add an AMT Provisioning and Discovery Account .
• Change the value for the default provisioning server. Using the default name of ProvisionServer could present a security risk if a record with this name is configured to resolve to an IP address of the wrong computer or a rogue computer. Configuring the provisioning server value with an IP address is more secure than using a well-known name. However, an IP address cannot be used for multiple AMT-based computers if they will be provisioned by different sites. If you configure an alternative name rather than an IP address, you must configure DNS to perform name resolution. When you use name resolution for either ProvisionServer or a custom name, secure the DNS record to safeguard against the record being modified in such a way that it no longer resolves to the out of band service point site system computer. For more information, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS .
• Configure an alternate port for server provisioning. Using a custom port is more secure than using the default port for out of band provisioning. If you will use out of band provisioning, configure your alternative port number on the Out of Band Management Properties: General tab.

Use in-band provisioning instead of out of band provisioning Using in-band provisioning, especially in native mode, allows the client to use the trust relationship already established between the client and the Configuration Manager infrastructure. With out of band provisioning, untrusted computers can be provisioned if they supply the SMBIOS GUID (also known as the UUID) that has been specified in the Import Out of Band Computers wizard. Successfully provisioned computers have an account automatically created in Active Directory Domain Services and receive a certificate with server authentication capability from your enterprise CA. If a rogue computer is provisioned, the resulting network authentication results in an elevation of privileges and the account could be used to read information on the network that is secured for authenticated access (information disclosure). A certificate with server authentication might be misused to establish trust. It is also possible for attackers to create servers that impersonate valid DNS servers and provisioning servers so that AMT-based computers are misdirected to rogue provisioning servers. If you do not need to use out of band provisioning, do the following to help reduce these security risks:

• To help prevent rogue computers from being provisioned out of band: Do not use the Import Out of Band Computers wizard to add new computers to the Configuration Manager database; configure Windows firewall on the server running the out of band service point role to block the provisioning port (by default, TCP 9971); and do not register an alias for the out of band service point in DNS. For more information about the DNS alias, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS . Additionally, restrict physical access to the network, and monitor clients to detect unauthorized computers.
• To help prevent rogue servers from provisioning your AMT-based computers, use a custom password for the MEBx Account in the AMT BIOS extensions so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. For more information, see About the MEBx Account and How to Add an AMT Provisioning and Discovery Account .

If you cannot use in-band provisioning because the computer is new and has no operating system installed, consider using operating system deployment to install the operating system and install the Configuration Manager 2007 SP1 client so that the computer can be provisioned in-band. Unlike out of band provisioning, operating system deployment does not create an authenticated account in Active Directory Domain Services and does not request a server authentication certificate from your enterprise CA. For more information about operating system deployment, see Operating System Deployment in Configuration Manager . If you cannot use in-band provisioning because the computer does not have the Configuration Manager 2007 SP1 client installed or because the computer does not have a version of AMT that is natively supported by Configuration Manager, install the Configuration Manager 2007 SP1 client and upgrade the firmware to a supported version as appropriate. For more information about the AMT versions supported by Configuration Manager, see Overview of Out of Band Management .

Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site Computers that are blocked by a Configuration Manager 2007 SP1 site continue to accept out of band management communication. When an AMT-based computer is blocked because it is no longer trusted, take the following manual action:

• On the issuing CA, revoke the certificate that was issued to the site server with the FQDN of the AMT-based computer in the certificate Subject.
• In Active Directory Domain Services, disable or delete the AMT account that was created for the AMT-based computer.

Control the request and installation of the provisioning certificate Request the provisioning certificate directly from the provisioning server by using the computer security context so that the certificate is installed directly into the local computer store. If you must request the certificate from another computer, you will have to export the private key and then use additional security controls while transferring and importing the certificate into a certificate store with restricted access.

Ensure that you request a new provisioning certificate before the existing certificate expires An expired AMT provisioning certificate will result in provisioning failure. If you are using an external CA for your provisioning certificate, allow additional time to complete the renewal process and reconfigure the out of band management point.

Note

To help you identify when the AMT provisioning certificate is about to expire, Configuration Manager generates a warning status message with ID 7210 when the provisioning certificate in use is 40 days or less from expiration. This status message will be repeated once a day until the certificate is replaced with a validity period greater than 40 days or until the validity period is less than 15 days. When the validity period is less than 15 days, an error status message with ID 7211 is generated until the certificate is replaced with a validity period greater than 15 days.

If the provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server, and remove it from the out of band management component configuration properties If you know that the AMT provisioning certificate is revoked, you must manually prevent it from being used to provision AMT-based computers by Configuration Manager because AMT-based computers do not check the CRL for the provisioning certificate. Delete the certificate from the certificate store on the out of band service point site system server. Then deploy a new provisioning certificate, and configure it in the Out of Band Management Properties dialog box. If you cannot immediately deploy a valid AMT provisioning certificate, remove the out of band service point role until you have a replacement certificate.

If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console There is no functionality to revoke the provisioning certificate in Configuration Manager 2007 SP1.

Use a dedicated certificate template for provisioning AMT-based computers If you are using an Enterprise version of Windows Server for your enterprise CA, create a new certificate template by duplicating the default Web Server certificate template, ensure that only Configuration Manager site servers have Read and Enroll permissions, and do not add additional capabilities to the default of server authentication. Having a dedicated certificate template allows you to better manage and control access to help prevent elevation of privileges. If you have a Standard version of Windows Server for your enterprise CA, you will not be able to create a duplicate certificate template. In this scenario, do not allow Read and Enroll permissions to computers other than Configuration Manager site servers that will provision AMT-based computers.

Use out of band management instead of Wake On LAN Although both solutions support waking up computers for software updates and advertisements, out of band management is a more secure solution than Wake On LAN because it provides authentication and encryption using standard industry security protocols. It can also integrate with an existing public key infrastructure (PKI) deployment, and the security controls can be managed independently from the product. For more information, see Choose Between Power On Commands with Out of Band Management and Wake-Up Packets for Wake On LA... .

Use a dedicated OU to publish AMT-based computers Do not use an existing container or OU to publish the Active Directory accounts that are created during AMT provisioning. A separate OU allows you to better manage and control these accounts and helps to ensure that they are not granted more privileges than they need.

Use Group Policy to Restrict User Rights for the AMT Accounts Apply restrictive user rights to the AMT accounts that are published to Active Directory Domain Services to help protect against elevation of privileges and to reduce the attack surface if an attacker gains access to one of these accounts. Create a security group that contains the AMT accounts automatically created by Configuration Manager during the ATM provisioning process, and then add this group to the following enabled group policy settings under Computer ConfigurationWindows SettingsSecurity SettingsLocal PolicyUser Rights Assignment:

• Deny access to this computer from the network
• Deny log on as a batch job
• Deny log on as a service
• Deny log on locally
• Deny log on through Terminal Services

Apply these group policy settings to all computers in the forest. Periodically review and revise if necessary the group membership to ensure that it contains all the AMT accounts currently published to Active Directory Domain Services.

Use a dedicated collection for in-band provisioning Do not use an existing collection that contains more computers than you want to provision in-band. Instead, create a query-based collection by using the procedure for in-band provisioning in How to Provision Computers for AMT . When the site is in mixed mode, ensure that these computers are approved. For more information about approval, see About Client Approval in Configuration Manager and How to Approve Configuration Manager Clients .

Restrict who has the Media Redirection right and the PT Administration right Granting someone the Media Redirection right is almost equivalent to granting someone physical access to the computer. While attackers still require physical access to open the computer, someone with the Media Redirection right could load an alternate operating system and use it to remotely attack data on the hard drive. The PT Administration right automatically includes all AMT rights, which includes the Media Redirection right.

Retrieve and store image files securely when booting from alternative media to use the IDE redirection function When you boot from alternative media to use the IDE redirection function, whenever possible, store the image files locally on the computer running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access (for example, using NTFS permissions and the encrypted file system).

Minimize the number of AMT Provisioning and Discovery Accounts Although you can specify multiple AMT Provisioning and Discovery Accounts so that Configuration Manager can discover computers that have management controllers and provision them for out of band management, do not specify accounts that are not currently required and delete accounts that are no longer needed. Specifying only the accounts that you need helps to ensure that these accounts are not granted more privileges than they need and helps to reduce unnecessary network traffic and processing. For more information about the AMT Provisioning and Discovery Account, see Determine Whether to Configure an AMT Provisioning and Discovery Account for Out of Band Manage... and About the AMT Provisioning and Discovery Account .

-- Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.