Community
cancel
Showing results for 
Search instead for 
Did you mean: 
kumarsaurabh25
Beginner
35 Views

Issues with AMT Commander: It stores the password of the AMT client

Hey Guys,
Just wanted to check with you all regarding the issues I have been facing with AMT Commander. I have 3-4 machines having AMT enabled as SMB. All of them have the same password configured in the AMT ME engine.

Now when I discover and add the AMT Client using AMT commander, I enter the AMT client password the first time and connect to the client and do things like remoted reboot etc. I make sure that remeber password is not checked

After that I disconnect the client using AMT commander, Remove the client AMT computer from the list and clear all entries and exit AMT Commander.

Now, if I launch AMT Commander again and try to connect and add the same client again or the other client, in the option to connect, I see the same password even though I made sure that remember password was not checked previously.

To me this is a security issue for me as anyone who can access my computer having AMT commander will not need to know the password to connect to the AMT client using AMT commander because the password is still cached in the commander when we discover and add a client using commander. I have been using the latest version of AMT commander and noticed the same thing with the prev versions as well. Am I missing something?

Can you guys pls shed some light on this as to how to handle this issue?

Thanks a lot in advance
0 Kudos
2 Replies
Gael_H_Intel
Moderator
35 Views

Hey Guys,
Just wanted to check with you all regarding the issues I have been facing with AMT Commander. I have 3-4 machines having AMT enabled as SMB. All of them have the same password configured in the AMT ME engine.

Now when I discover and add the AMT Client using AMT commander, I enter the AMT client password the first time and connect to the client and do things like remoted reboot etc. I make sure that remeber password is not checked

After that I disconnect the client using AMT commander, Remove the client AMT computer from the list and clear all entries and exit AMT Commander.

Now, if I launch AMT Commander again and try to connect and add the same client again or the other client, in the option to connect, I see the same password even though I made sure that remember password was not checked previously.

To me this is a security issue for me as anyone who can access my computer having AMT commander will not need to know the password to connect to the AMT client using AMT commander because the password is still cached in the commander when we discover and add a client using commander. I have been using the latest version of AMT commander and noticed the same thing with the prev versions as well. Am I missing something?

Can you guys pls shed some light on this as to how to handle this issue?

Thanks a lot in advance

Hi there,

I'm not sure if this is a bug on the DTK, or not. I do know that the DTK stores a lot of information in the registry and maybe it keeps the password for the variousAPI calls that need the username an password (otherwise once connected, I imagine that you would have to be entereing the username and password everytime you wanted it to do something.) Regardless, if you feel this is a bug, here is the bug report form and you can submit it to Support_DOPD_SWE@intel.com.

Now as far as what is secure and what is not. Please keep in mind that the DTK was never intended to be an Enterprise-ready Management Console. It was developed in order to give AMT users and developers an idea of how Intel AMT works and it is a nice utility for a quick test. It is also great in that it comes with source code so that developers have somewhere to start and improves their time to market.Since the DTK does store a lot of information in the Registry (which is why you don't need your own Database and is what makes it a nice, light weight and portable tool) - this is not secure. We would expect that our Software Vendors who are writing software would incorporate the necessary security in their software by using encrypted Databases, for example, to store critical information.

I hope this helps! And feel free to submit the bug report if you feel that what you are observing is a bug.

Thanks,
Gael
kumarsaurabh25
Beginner
35 Views

Thanks Gael,

The bug form is not working for me on IE7 & Firefox but I have sent an email to the support group. I am not much concerned with the security settings but this is an annoying bug that AMT commander caches the username and password of the prev AMT client that it connected to. I will try to find out where exactly is this setting in the registry.

Has anyone else noticed the same issue while using AMT commander to connect to AMT clients?





Hi there,

I'm not sure if this is a bug on the DTK, or not. I do know that the DTK stores a lot of information in the registry and maybe it keeps the password for the variousAPI calls that need the username an password (otherwise once connected, I imagine that you would have to be entereing the username and password everytime you wanted it to do something.) Regardless, if you feel this is a bug, here is the bug report form and you can submit it to Support_DOPD_SWE@intel.com.

Now as far as what is secure and what is not. Please keep in mind that the DTK was never intended to be an Enterprise-ready Management Console. It was developed in order to give AMT users and developers an idea of how Intel AMT works and it is a nice utility for a quick test. It is also great in that it comes with source code so that developers have somewhere to start and improves their time to market.Since the DTK does store a lot of information in the Registry (which is why you don't need your own Database and is what makes it a nice, light weight and portable tool) - this is not secure. We would expect that our Software Vendors who are writing software would incorporate the necessary security in their software by using encrypted Databases, for example, to store critical information.

I hope this helps! And feel free to submit the bug report if you feel that what you are observing is a bug.

Thanks,
Gael

Reply