Hi, for each client that gets provisioned, the AMT process creates an object in AD for AMT. The object is created with a non-expiring password. Can we change this, and if so, how?
Also, each object is added to the Domain Users group. Can this be changed as well?
Both the non-expiring password and the Domain Users group membership were spotted by our IT security team.
Do you also have detailed documentation about the risks, if any, of these objects that are created?
They seem to be half user object and half computer object??
You can search for and find them in AD under a users and groups search, but when you right-click on any of them you get the computer object menu (reset, disable, etc.).
Let me know.
I would suggest checking the AMT documentation at:
Can you be specific as to which documentation to check for finding answers to these questions? I am interested in the answers as well and have searched; however, I have not found answers to the questions.
Here is what the Intel SCS 7.0 User Guide says:
"If the ADOU has a maximum password age password policy defined in AD, the password must be replaced before it expires." So I think you set it in AD.
If you are using Intel SCS 7.0, page 15 of the User Guide (available in the download zip file) tells you how to schedule a maintenance task to reset the password.
I don't know the answer to the security implications, but I think they are greatly reduced if you set a password expiration policy.
Sorry about the delay on your security question. I've entered an internal support request to our Intel AMT team to get some help on this issue. You should be getting a reply in a few days.
Building on what Adolfo said, the maintenance tasks to reset the AD object password depend on what software you are using. Can you give me some more background on your implementation? Are you provisioning with the Intel SCS? If so, which version?
OK, thanks Steve, I will wait on a reply from them.
I got one from Adolfo saying the AMT password cannot be reset every 30 days, but I don't believe he is talking about the AMT Active Directory object.
Let me know.
Hi Dan, I am in-band provisioning these clients through SCCM 2007 R2.
Auto-provisioning is set up through SCCM with a 3rd-party cert.
If there is any other info you need, let me know.
Ah, Ok. You are in good shape then. SCCM takes care of the maintenance of the AD objects for AMT and will make sure that passwords get changed automatically in accordance with any policies you have in place in the AD.
Dan, the problem is that when the AMT object gets created in AD, the account's password is set not to HAVE to expire. Because of this, our policy to change the password does not take effect.
Can we change this?
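The following is an added example, not code from this thread, from Intel SCS or from SCCM. It shows how to audit the AMT objects in the ADOU for the two findings raised above (the "password never expires" flag and Domain Users membership) before deciding what to change. The OU distinguished name, the function name and the report layout are assumptions; the userAccountControl bit and the Domain Users RID are standard AD values.

```powershell
# Added example (not from the thread, Intel SCS or SCCM). Assumes the
# ActiveDirectory module is installed and that $AmtOU is the ADOU that
# SCS/SCCM provisions AMT objects into (hypothetical DN below).
Import-Module ActiveDirectory

$AmtOU = 'OU=AMT,DC=corp,DC=example'   # hypothetical ADOU; replace with yours
$DontExpirePassword = 0x10000          # UF_DONT_EXPIRE_PASSWD bit in userAccountControl
$DomainUsersRid = 513                  # RID of "Domain Users"; computers normally use 515

# Reports every AMT computer object in the ADOU with the two flags the
# security team spotted, plus when its password was last set.
function Get-AmtObjectPasswordReport {
    param([string]$SearchBase = $AmtOU)

    Get-ADComputer -SearchBase $SearchBase -Filter * `
        -Properties userAccountControl, primaryGroupID, memberOf, PasswordLastSet |
    ForEach-Object {
        [pscustomobject]@{
            Name                      = $_.Name
            DistinguishedName         = $_.DistinguishedName
            PasswordNeverExpires      = [bool]($_.userAccountControl -band $DontExpirePassword)
            PrimaryGroupIsDomainUsers = ($_.primaryGroupID -eq $DomainUsersRid)
            MemberOf                  = ($_.memberOf -join ';')
            PasswordLastSet           = $_.PasswordLastSet
        }
    }
}

# Report only; review the output before changing anything.
Get-AmtObjectPasswordReport | Format-Table -AutoSize

# Clearing the flag makes the domain's maximum password age apply to these
# objects. Per the SCS 7.0 User Guide quoted above, the password must then be
# replaced before it expires, so only do this once a maintenance task that
# rotates the AMT AD object password is in place; otherwise Kerberos
# authentication to those AMT systems will start failing when the password
# ages out. -WhatIf previews the change without applying it.
Get-AmtObjectPasswordReport |
    Where-Object PasswordNeverExpires |
    ForEach-Object {
        Set-ADComputer -Identity $_.DistinguishedName -PasswordNeverExpires $false -WhatIf
    }
```

Run the report first and compare PasswordLastSet against your maximum password age; any object whose password is older than that age is exactly the case where clearing the flag without a rotation task would lock AMT out.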