
Does enabling vPro disable or conflict with any other functionality?

I'm configuring a Dell Precision T1600 workstation. It will be added to a small network with one server and two desktops:

  • CentOS server used for file sharing via Samba and hosting for web development
  • Windows Vista used for development and testing
  • Windows XP Pro used for development and testing
  • Gigabit Switch
  • Router which acts as DHCP server, but all computers use assigned IP addresses

The new workstation will have Win 7 Pro with XP mode. It will be used for web development and graphics processing: Eclipse, Netbeans, Visual Studio, Photoshop, etc.

The Out-of-Band options offered for configuration are:

  • Intel vPro Technology Enabled
  • Intel Standard Manageability
  • No Out-of-Band Systems Management

I don't expect to have much need for Out-of-Band management at this point, but plan to continue adding workstations in the future. The workstation will have a discrete graphics card, so Remote KVM won't be available.

I'd like to have the capabilities offered by vPro available, but I'd like to know if there are any trade-offs involved.

Should any tags be added or changed for this question?


Here is the information I bookmarked during my research:

I looked at the Intel vPro Technology FAQ

It said there was no impact on performance:
Q6: What is the impact of Intel® vPro™ technology and its Manageability Engine on the PC's performance?
A6: The Intel vPro technology impact on PC performance is not noticeable to the end-user.

I looked at the wikipedia entry Intel Active Management Technology, it didn't mention any downsides.

I looked at Remote PC Management with Intel's vPro on the Tom's hardware site, it didn't mention any trade-offs.

From server fault, there were only about 15 questions for amt and vPro combined. I favorited this one and looked at some of the links suggested. How do I manage PCs with vPro?

Tools and Utilities for Intel vPro Technology

I looked at additional pages, but the above are the ones I bookmarked.


Information provided in answers and comments:

My specific case concerns a workstation, but I'll use "client" to represent the system in which vPro is being enabled.

It appears that activating vPro doesn't impose any limitations, but that it can create security issues if the client isn't provisioned properly during installation.

vPro must be enabled at purchase or it's permanently disabled. It can be temporarily disabled in MEBx (Management Engine BIOS Extension).

vPro causes increased memory usage, power consumption and decreased networking performance.
(Intel states that the impact on PC performance is not noticeable to the end-user)

Small amount of drive space is used.

System is powered [to some extent] at all times. Important to disconnect A/C power, rather than just powering the machine off to do any hardware installations/replacements.

You need the back-end architecture to support it.

Two IP addresses per machine (one for the OS and one for vPro).
If your machines get their assignments via DHCP, you can use one for both.
If you need a fixed address for a machine, use a DHCP reservation instead.


Security and Privacy Implications:

You are essentially installing a backdoor into your system.

There's no easy way to tell from the client if someone's using this OoB management tool without your consent, but vPro can be configured to provide notification to users when a remote session is active (depending on your company's policies).

You should immediately provision the client if out-of-band management is enabled, because by default, vPro is pre-provisioned with root CA keys from well-known vendors (e.g. VeriSign, GoDaddy).
This means that an attacker with access to your network could purchase an AMT cert and provision your machines without you ever knowing.

vPro uses PKI and an AMT provisioning certificate is required to provision the client. The easiest approach is to purchase an AMT provisioning certificate from a vendor.

You can use a self-signed cert, but you'll need to be knowledgeable about PKI before deploying vPro. You will need to either:
1) have the vendor preload the certificate hash in MEBx (There are tools out there that allow you to create the provisioning config and send the custom certificate hash via USB thumbdrive.)
2) manually configure MEBx on EVERY machine with your self-signed certificate hash.

For the AMT provisioning certificate, you have to create the PKI certificate with an OID of 2.16.840.1.113741.1.2.3.

If you use a Windows Server-based CA, you'll need Windows Server Enterprise or better to do custom cert templates.
Technet has instructions to do this with Windows Certification Authority (see link below).

If using Linux: it may be possible to use OpenSSL to create the PKI certificate, can anyone confirm this?

Once the client is properly provisioned, it's quite secure, as it will only trust a caller that possesses the AMT private key that originally associated the machine.


Suggestions:
Manage vPro with SCCM, it's not free, but it makes life with vPro A LOT easier once it's properly configured. You also get all kinds of other configuration management tricks that are very useful.


Links provided in answers and comments:
vPro Prerequisites and Trade-offs for the dc7800p Business PC with Intel vPro Processor Technology (PDF)

vPro security (Wikipedia)

Requesting, Installing, and Preparing the AMT Provisioning Certificate (Microsoft TechNet)

codewaggle
  • Completely off-topic to your question but relating to security, and I personally see this as a bigger risk... you mentioned file sharing and web hosting on the same server... so, if someone, just for example, hacked into your website itself via various means... he/she would now potentially have access to ALL your data on those shares. Can you afford that risk to the company? – Cold T Jul 25 '12 at 08:10
  • I hadn't thought about this because the websites are for development and accessed by assigning a test domain name to the network IP address of the web server in the client `hosts` files. But the server does have access to the real world through the router, I guess that I should block incoming traffic on the ports used for the web and file servers. Another thing to do, Thanks A Lot:) – codewaggle Jul 25 '12 at 17:23

2 Answers


Implementation of OOB is not a trivial exercise by any stretch, and takes a significant amount of planning and investment. Simply turning on vPro is not enough; you have to have the back-end architecture to support it as well. Unless you are ready to immediately implement out-of-band management, my recommendation is to leave vPro turned off, because by default, vPro is pre-provisioned with root CA keys from well-known vendors (e.g. VeriSign, GoDaddy). An attacker with access to your network could purchase an AMT cert and provision your machines without you ever knowing...

Since vPro uses PKI, once properly provisioned the architecture is actually quite secure, as clients will then only trust a caller that possesses the AMT private key that originally associated the machine. vPro can be configured to provide notification to users when a remote session is active (depending on your company's policies).

With that said, our shop uses vPro. We manage several hundred remote workstations that have no on-site IT support. vPro gives us the capability to perform troubleshooting at the hardware level and provides remote power-on capability, features that are not available via remote desktop.

newmanth
  • The Dell ["Help me choose"](http://content.dell.com/us/en/business/d/help-me-choose/hmc-systems-management.aspx?c=us&l=en&ref=CFG) section says that if you don't enable the Out-of-Band management at purchase, it can't be added later, that's why I'm trying to decide now. It sounds like the minimum I would need to do is set up a cert and provision the workstation (which I'll need to find out how to do). Can I use a self-signed cert? – codewaggle Jul 24 '12 at 17:42
  • You are correct, if you don't select it when you order your machine, you can't get it later (the feature is permanently disabled). So, go ahead and order it, just make sure that you disable it in MEBx until you're ready to use it. -- You can use a self-signed cert, but will need to either: 1) have Dell preload the thumbprint in MEBx or 2) manually configure MEBx on EVERY machine with your self-signed thumbprint (not really that hard, just something to be aware of). There are tools out there that allow you to create the provisioning config and send the custom thumbprint via USB thumbdrive. – newmanth Jul 24 '12 at 18:00
  • Just so you're aware, if you're using static IP addresses for your workstations, you'll need two per machine (one for the OS and one for vPro). If your machines get their assignments via DHCP, you can use one for both (which I personally recommend). If you need a fixed address for a machine, use a DHCP reservation instead. -- Also, we manage vPro with SCCM, something I also recommend. I know it's not free (and I don't work for M$), but it makes life with vPro A LOT easier once it's properly configured. You also get all kinds of other configuration management tricks that are very useful. – newmanth Jul 24 '12 at 18:08
  • When you mentioned the root CA keys, I was thinking of those used for SSL certificates. I've created self-signed certs for use on development web servers using the linux openssl command, I don't have a thumbprint reader, would the openssl cert be enough? I did read that the out-of-band connection uses its own IP address, I use DHCP reservations to assign the IP addresses, so it sounds like that should be ok. I'll look at SCCM, but was hoping to use a free app to learn my way around as I'll only have one vPro enabled machine at this point. – codewaggle Jul 24 '12 at 18:21
  • Sorry, I wasn't clear... when I referred to thumbprint, I'm talking about the certificate hash (not an actual thumbprint :P). For the AMT provisioning certificate, you have to create PKI certificate with an OID of 2.16.840.1.113741.1.2.3. I haven't done this with OpenSSL, but it should be possible. We use a Windows Server-based CA, so that's how we did ours. Technet has instructions to do this with Windows Certification Authority at http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning. You'll need Windows Server Enterprise or better to do custom cert templates, though. – newmanth Jul 24 '12 at 18:37
  • If you don't already have self-signed PKI in place on your network, I would recommend just purchasing an AMT provisioning certificate from a vendor if you can afford it. Otherwise, you'll need to get smart on PKI before deploying vPro, which may or may not be worth the effort. – newmanth Jul 24 '12 at 18:39
  • It's possible to create a self-signed root CA with OpenSSL, I'll need to look into it further. I've taken this outside the original question, if I need further help after doing some research, I'll create a new question. – codewaggle Jul 24 '12 at 21:05
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/4229/discussion-between-newmanth-and-codewaggle) – newmanth Jul 24 '12 at 21:52
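The OpenSSL route asked about in the question and left open in the comments above ("I haven't done this with OpenSSL, but it should be possible"), written out as an added example by the editor; it is not code from the thread, from Intel or from Dell. It builds a self-signed root CA, issues a provisioning certificate whose Extended Key Usage carries the Intel remote-configuration OID 2.16.840.1.113741.1.2.3 quoted in the comments, checks that the OID really landed in the EKU and that the leaf chains to the root, and prints the root certificate hash that would be entered into MEBx (or preloaded by the vendor). The CA name, the host name provisioning.example.com, the OU value and the choice of SHA-1 versus SHA-256 for the MEBx hash are assumptions, not from the page; which hash the firmware accepts depends on the AMT version.

```shell
#!/bin/sh
# Added example (not from the original thread): self-signed root CA plus an
# AMT provisioning certificate with OpenSSL. All names are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
AMT_OID="2.16.840.1.113741.1.2.3"   # Intel AMT remote-configuration EKU OID

# Root CA. Its fingerprint is the "certificate hash" that goes into MEBx.
make_root_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example AMT Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -config "$WORK/ca.cnf" 2>/dev/null
}

# Provisioning certificate: a TLS server leaf signed by the root whose EKU
# lists the AMT OID next to serverAuth. The OU below is the alternative
# marker Intel documents; setting both is an assumption, not from the thread.
make_provisioning_cert() {
    cat > "$WORK/amt.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = provisioning.example.com
OU = Intel(R) Client Setup Certificate
[v3_amt]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,$AMT_OID
subjectAltName = DNS:provisioning.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/amt.key" -out "$WORK/amt.csr" \
        -config "$WORK/amt.cnf" 2>/dev/null
    openssl x509 -req -days 730 -in "$WORK/amt.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/amt.cnf" -extensions v3_amt \
        -out "$WORK/amt.crt" 2>/dev/null
}

# Check before shipping: is the AMT OID really present in the EKU?
# Prints "yes" or "no". OpenSSL has no name for this OID, so -text shows
# it in dotted form and a plain grep is enough.
has_amt_eku() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$AMT_OID"; then
        echo yes
    else
        echo no
    fi
}

# Root hash as MEBx wants it: hex digits with the colons removed.
# $2 is sha1 or sha256; which one the firmware accepts is version-dependent.
mebx_root_hash() {
    openssl x509 -in "$1" -noout -fingerprint -"$2" | cut -d= -f2 | tr -d ':'
}

make_root_ca
make_provisioning_cert
echo "AMT EKU present in leaf: $(has_amt_eku "$WORK/amt.crt")"
echo "Root hash (SHA-1)   for MEBx: $(mebx_root_hash "$WORK/ca.crt" sha1)"
echo "Root hash (SHA-256) for MEBx: $(mebx_root_hash "$WORK/ca.crt" sha256)"
openssl verify -CAfile "$WORK/ca.crt" "$WORK/amt.crt"
```

Run it on any box with OpenSSL; the files land in a temporary directory (override with WORK=/path). The point of the two checks at the end is the one a practitioner gets bitten by: a certificate that looks like an ordinary web-server cert will be rejected by the ME during remote configuration if the EKU OID is missing, and a leaf that does not chain to the hash entered in MEBx is just as useless, so verify both before touching every machine's MEBx.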

Yes, there are tradeoffs involved, and I suspect a quick Google search would have told you most of this already, but having said that, check this HP doc on the tradeoffs of enabling vpro for IT professionals. It's for that specific model of HP, but the general case is the same for any system you use vpro on.

Aside from the expected increase in memory usage, power consumption and decreased networking performance (oh, and the tiny drive space usage), it's worth noting that enabling this will result in the system being powered [to some extent] at all times. The few watts of energy that wastes isn't much compared to the important caveat that you'll need to disconnect A/C power, rather than just powering the machine off to do any hardware installations/replacements. (Good practice anyway, but most people don't bother.)

And then what would probably be the biggest concern is the security and privacy implications. Since there's no easy way to tell from the workstation if someone's using this OoB management tool without your consent, you really better make sure your security's up to snuff, and your network's reasonably well hardened against intrusions before implementing anything like this.

Wikipedia has some more about the security and privacy implications, but my advice is if you don't need or plan to use OoB management, you're installing a backdoor into your system for no reason. So don't. Really, it's a workstation, what remote KVM applications do you see needing for this that you can't do with Remote Desktop?

HopelessN00b
  • I did more than a quick Google search and spent hours researching before asking the question, unfortunately, I'm not that knowledgeable about IT matters and wasn't able to determine the answer to my question by looking at the available information. I'll add additional information about what I've looked at to my answer. – codewaggle Jul 24 '12 at 17:18
  • I spend most of my time on stackoverflow and have actually suggested to people that they include info about what they've tried or found out in their question. Seems like I should take my own advice. One thing that caught my eye in the HP doc was the "Hard Drive Duplication" section where it said that because the network controller is virtualized, you are limited to using the same size drive when cloning via software. The doc is from 2007, so I was wondering if that's still the case. I've spent some time looking into it but haven't found anything. Maybe I'll create a question about it. – codewaggle Jul 24 '12 at 22:08