We're replacing our laptop clients with a new model from HP (EliteBook 1040-G1). In total we're going to deploy more than 2500 new clients. The clients provide AMT functionality; however, we don't want to use it, and the user should not be able to activate it either. Therefore, we would like to set a strong password instead of using the default password. Is there a way to change the default password automatically during the staging/provisioning process without manual interaction?
Interesting question. You are asking Intel how to block their own technology? :-) In order to change the MEBx password programmatically you would need to do a mass remote provisioning on all your systems. I really don't think you want to spend the effort on that. Why not just run a "spyware" service that looks for the MEI driver and, if it is present on the system, deletes it?
Actually, in retrospect, you probably don't want to get rid of the MEI driver. The new systems have technologies that use the firmware in the Management Engine, so if you get rid of the driver, you will be getting rid of functionality that you may have wanted. You could, perhaps, block off ports 16992 and 16993; these are the ports that AMT uses to send manageability messages to and from the Management Console.
Thank you, Gael. So there are no other customers who have the same problem? Where should I block the ports? If client A and client B are in the same Layer 3 segment and no firewall is between these devices, then it does not make any sense to block these ports.
I would like to give you a short risk scenario:
The CEO got a new client which has vPro/AMT (by default it's disabled). At night a malicious insider goes to the CEO's office, turns on the device, enters MEBx with the default credentials "admin", and changes the account credentials. Then he activates AMT and turns off the device. The next day, the CEO holds a board meeting. Suddenly, during the meeting, the device shuts down. Why? Because the malicious insider accessed the device through the management software (WebUI or client) and shut down the device. This has an impact on availability.
From my point of view, it's a little bit strange that MEBx is enabled by default and can be entered with the default credentials. Have a look at the SANS Top 20 Security Controls or at any other best-practice security recommendation: change the default credentials! However, there is no way to do this in an automated way? Hmmm...
Well, I would have to argue that in your scenario, this would be a problem whether the system had AMT enabled or not. Your CEO's system should be shut down and should have PGP or some other password required to boot the system up (at a pre-BIOS level). Is the CEO's system a desktop? Most people either lock their notebooks/tablets in their desks or take them home with them; we don't typically leave our work systems on our desks at night, accessible for the bad guys to log on (we get in trouble for that).
Aside from all employees being required to be conscientious about safeguarding their company's assets, the bad guy would need access to the system in order to get into the MEBx menus in order to turn AMT on. Unless he has configured it with an MPS server, he/she would need to be on your company's network in order to log in to AMT from the network. If he has access to your company's network, your problems are much broader.
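Both the port-blocking suggestion above and the insider scenario turn on the same observable: traffic to the AMT manageability ports 16992 and 16993 on machines that were never meant to have AMT enabled. The following is an added example, not code from this thread or from Intel, that scans a connection log for such flows so a defender can spot an unexpectedly provisioned client; the log line format and the sample records are constructed for the example.

```python
"""Flag network connections to Intel AMT's manageability ports (16992 HTTP,
16993 HTTPS) in a connection log.  Clients that are not supposed to have AMT
enabled should never be the destination of such a flow, so any hit warrants
a look.  The log format and sample records below are constructed."""
import re
from collections import Counter

AMT_PORTS = {16992: "AMT HTTP (WebUI / WS-Management)",
             16993: "AMT HTTPS (WebUI / WS-Management)"}

# Constructed format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: one workstation reaching a laptop's AMT ports, mixed
# with ordinary traffic that must not alert, and one malformed line.
SAMPLE_LOG = """\
2014-03-11T02:14:05Z src=10.1.5.23 dst=10.1.5.40 dport=16992 proto=tcp
2014-03-11T02:14:09Z src=10.1.5.23 dst=10.1.5.40 dport=16992 proto=tcp
2014-03-11T09:30:12Z src=10.1.5.41 dst=10.1.9.8 dport=443 proto=tcp
2014-03-11T09:31:00Z src=10.1.5.23 dst=10.1.5.40 dport=16993 proto=tcp
2014-03-11T09:32:44Z src=10.1.5.50 dst=10.1.5.40 dport=445 proto=tcp
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return a record dict for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_amt_flows(log_text, ports=AMT_PORTS):
    """Return every TCP flow whose destination port is an AMT port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in ports:
            hits.append({**rec, "service": ports[rec["dport"]]})
    return hits

def summarize(hits):
    """Count AMT flows per (source, destination) pair for triage."""
    return Counter((h["src"], h["dst"]) for h in hits)

if __name__ == "__main__":
    found = find_amt_flows(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} {h["service"]}')
    print(summarize(found))
```

Any destination that appears in the summary is a client whose AMT is answering on the network and whose MEBx settings should be checked.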