Hi, for each client that gets provisioned, the AMT process creates an object in AD for AMT. The object is created with a non-expiring password. Can we change this, and if so, how?
Also, each object is added to the Domain Users group. Can this be changed as well?
Both the non-expiring password and the Domain Users group were spotted by our IT security team.
Do you also have detailed documentation about the risks, if any, of these objects that are created?
They seem like half user objects and half computer objects?
You can search and find them in AD under a users and groups search, but when you right-click on any of them you have the computer object menu choices: reset, disable, etc.
let me know
thanks
Stéphane
I would suggest checking the AMT documentation at:
http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/
Can you be specific as to which documentation to check for answers to the questions? I am interested in the answers as well and have searched; however, I have not found answers to the questions.
Thank you.
Yes, please specify. I read through it and didn't seem to find specific info on what I needed.
thanks
Stéphane
I have not gotten any specific answer on this or where to find it yet...
can someone help please?
thanks
Stéphane
Here is what the Intel SCS 7.0 User Guide says:
"If the ADOU has a maximum password age password policy defined in AD, the password must be replaced before it expires." So I think you set it in AD.
If you are using Intel SCS 7.0, page 15 of the User Guide (available in the download zip file) tells you how to schedule a maintenance task to reset the password.
I don't know the answer to the security implications, but I think they are greatly reduced if you set a password expiration policy.
Hi, do you have any idea who or where I could get the answers to my security questions from?
thanks
I have not yet gotten a response for this.
Any idea?
Can I set the AD AMT object password to reset every 30 days or so? Will it break AMT functionality?
thanks
Stéphane
Currently there is no way to do that; the only way to reset the AMT password is manually.
You cannot set the system to remind you every 30 days or so.
Sorry about the delay on your security question. I've entered an internal support request to our Intel AMT team to get some help on this issue. You should be getting a reply in a few days.
Building on what Adolfo said, the maintenance tasks to reset the AD object password depend on what software you are using. Can you give me some more background on your implementation? Are you provisioning with the Intel SCS? If so, which version?
Adolfo, I am talking about the AMT Active Directory object password.
OK, thanks Steve, I will wait on a reply from them.
I got one from Adolfo saying the AMT password cannot be reset every 30 days, but I don't believe he is talking about the AMT Active Directory object.
let me know
thanks.
Stéphane
Hi Dan, I am in-band provisioning these clients through SCCM 2007 R2.
Auto provisioning is set through SCCM with a 3rd-party cert.
If there is any other info you need, let me know.
thanks
Stéphane
Ah, Ok. You are in good shape then. SCCM takes care of the maintenance of the AD objects for AMT and will make sure that passwords get changed automatically in accordance with any policies you have in place in the AD.
Dan, the problem is that when the AMT object gets created in AD, the account's password is set not to HAVE to expire. So because of this, our policy to change the password does not take effect.
Can we change this?
Hi Stephane,
Before I can respond to your question, I need to know which version of SCS you are using and which AD Integration setting you are using.
David
Hi David, I am using SCCM 2007 with a VeriSign cert for auto provisioning.
What do you mean by AD integration?
thanks
Stéphane