If a client computer is no longer trusted, the Configuration Manager administrator can block the client in the Configuration Manager 2007 console so that it can no longer communicate with site systems to download policy, upload inventory data, or send state or status messages. A client can also be unblocked if it is later deemed trusted. Blocking and unblocking clients has specific consequences when the computer is provisioned for out of band management, as described in the following sections. For more information about blocking clients, see Determine If You Need to Block Configuration Manager Clients and How to Block Configuration Manager Clients.
Note: The information in this topic applies only to Configuration Manager 2007 SP1 and later.
Blocking AMT-Based Computers in Configuration Manager 2007 SP1
Computers that are blocked by Configuration Manager 2007 SP1 continue to accept out of band management communication. When an AMT-based computer is blocked because it is no longer trusted, you have the following options:
- Manually revoke the computer’s AMT certificate, and manually disable or delete the AMT account in Active Directory Domain Services. This option is the most secure because it doesn’t require a connection to the untrusted computer, you can immediately verify that these actions have succeeded, and you can also control the revocation reason and whether the account is disabled or deleted. The main disadvantage of this option is that if you unblock this client later, you will be unable to manage the computer out of band until you manually remove the provisioning information from the BIOS extensions and then reprovision the computer. The other disadvantages are the administrator overhead and the potential delay between blocking the client and completing these manual actions, during which the computer remains manageable out of band.
- Remove provisioning information from the AMT-based computer by using Configuration Manager when the out of band service point can connect to the AMT-based computer. This action automatically revokes the computer’s AMT certificate (with the revocation reason of Superseded) and automatically deletes the AMT account in Active Directory Domain Services. It also deletes the associated SPN. For more information about removing provisioning information, see How to Remove Provisioning Information for AMT-Based Computers. This option is the most convenient, while offering additional security, because the revocation and account deletion happen automatically. Additionally, if you unblock this client later, you will be able to reprovision it without having to locally reconfigure the BIOS extensions. The disadvantages of using this option include the following: You must communicate with an untrusted computer; you cannot control the revocation reason; and you cannot disable the account even if your company policy prefers or requires you to do so, because the account is automatically deleted. If you use this option, verify that the certificate has been revoked and the account deleted, and take manual remedial action if necessary.
- Take no action to prevent out of band management communication. This option is the least secure because the untrusted computer retains a valid certificate and an account that can log on to Active Directory Domain Services, which exposes the network to the security risks of elevation of privileges and information disclosure. However, being able to manage this computer out of band means that you can take additional steps to help protect the computer, such as re-imaging or reformatting it and then powering it down. These additional steps alone will not prevent an attacker from powering up the computer again, nor do they protect the information in AMT.
Note: To identify the AMT certificate, on the issuing CA, locate the certificate that was issued to the site server with the FQDN of the AMT-based computer in the certificate Subject. To identify the AMT account, in the computer’s domain, locate the organizational unit (OU) or container specified in the Out of Band Management component properties General tab. The account will display as Computer with <computername> in the results pane of the Active Directory Users and Computers console, although the full properties of this account show the name in the following format: <computername>$iME.
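The first option above (manual revocation, then disabling or deleting the account) together with the identification steps in the preceding Note, worked through in PowerShell. This is an added example, not code from the original topic or from Configuration Manager. It assumes certutil.exe and the ActiveDirectory module are available, that the caller has certificate-manager rights on the CA and write access to the AMT OU, that the certificate’s Subject CN is the computer’s FQDN, and that the AMT account’s cn or sAMAccountName is <computername>$iME; the CA configuration string, OU, computer name and FQDN used below are placeholders.

```powershell
<#
  Added example (not from the original page or from Configuration Manager).
  Revokes an untrusted AMT-based computer's certificate(s) on the issuing CA with a
  reason you choose, then disables (default) or deletes its <computername>$iME account
  in AD DS, verifying each step against the CA database and the directory.
  Assumptions: certutil.exe and the ActiveDirectory module are present; Subject CN of
  the AMT certificate is the computer's FQDN; the AMT account's cn/sAMAccountName is
  <computername>$iME. All names passed in are placeholders.
#>
param(
    [Parameter(Mandatory=$true)] [string] $ComputerName,   # e.g. WS001
    [Parameter(Mandatory=$true)] [string] $ComputerFqdn,   # e.g. ws001.corp.example.com
    [Parameter(Mandatory=$true)] [string] $CaConfig,       # e.g. "CAHOST\Contoso Issuing CA"
    [Parameter(Mandatory=$true)] [string] $AmtAccountOU,   # OU/container from the Out of Band Management component, General tab
    [ValidateSet('Unspecified','KeyCompromise','CACompromise','AffiliationChanged',
                 'Superseded','CessationOfOperation','CertificateHold')]
    [string] $Reason = 'CessationOfOperation',
    [switch] $DeleteAccount                                # omit to disable instead (reversible, keeps the audit trail)
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# RFC 5280 CRLReason codes; certutil -revoke takes the code as its second argument.
$reasonCodes = @{ Unspecified = 0; KeyCompromise = 1; CACompromise = 2; AffiliationChanged = 3
                  Superseded = 4; CessationOfOperation = 5; CertificateHold = 6 }

function Get-IssuedCertSerials {
    # Serial numbers of CA-database rows whose Subject CN is $Fqdn and whose
    # disposition is still 20 (Issued). Parses the text certutil prints per row.
    param([string] $Config, [string] $Fqdn)
    $rows = & certutil.exe -config $Config -view -restrict "CommonName=$Fqdn,Disposition=20" -out SerialNumber
    foreach ($line in $rows) {
        if ($line -match 'Serial Number:\s*"([0-9A-Fa-f]+)"') { $Matches[1] }
    }
}

function Get-Disposition {
    # Current disposition line for one serial, e.g. "Request Disposition: 0x15 (21) -- Revoked".
    param([string] $Config, [string] $Serial)
    $rows = & certutil.exe -config $Config -view -restrict "SerialNumber=$Serial" -out Disposition
    ($rows | Where-Object { $_ -match 'Request Disposition:' }) -join ' '
}

function Revoke-AmtCertificates {
    param([string] $Config, [string] $Fqdn, [int] $ReasonCode)
    $serials = @(Get-IssuedCertSerials -Config $Config -Fqdn $Fqdn)
    if ($serials.Count -eq 0) { throw "No issued certificate with CN=$Fqdn found on $Config" }
    foreach ($serial in $serials) {
        & certutil.exe -config $Config -revoke $serial $ReasonCode | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for serial $serial" }
        # Verify against the CA database rather than trusting the exit code.
        $disp = Get-Disposition -Config $Config -Serial $serial
        if ($disp -notmatch 'Revoked') { throw "Serial $serial still shows: $disp" }
        Write-Output "Revoked $serial (CN=$Fqdn, reason code $ReasonCode)"
    }
    # Publish a fresh CRL now; otherwise relying parties learn of the revocation only at the next scheduled publish.
    & certutil.exe -config $Config -CRL | Out-Null
}

function Block-AmtAccount {
    # ADUC lists the AMT account as a Computer named <computername>; its properties (and,
    # assumed here, its cn/sAMAccountName) read <computername>$iME. Only that form is matched,
    # so the computer's own domain account is never touched if it shares the container.
    param([string] $Name, [string] $SearchBase, [bool] $Delete)
    $amtName = "$Name`$iME"
    $filter  = "(&(objectClass=computer)(|(cn=$amtName)(sAMAccountName=$amtName)(sAMAccountName=$amtName`$)))"
    $found = @(Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter)
    if ($found.Count -ne 1) { throw "Expected one AMT account '$amtName' under $SearchBase, found $($found.Count)" }
    $dn = $found[0].DistinguishedName
    if ($Delete) {
        Remove-ADObject -Identity $dn -Confirm:$false
        if (@(Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter).Count -ne 0) { throw "$dn was not deleted" }
        Write-Output "Deleted $dn"
    } else {
        Disable-ADAccount -Identity $dn
        $uac = (Get-ADObject -Identity $dn -Properties userAccountControl).userAccountControl
        if (-not ($uac -band 0x2)) { throw "$dn is not disabled" }   # 0x2 = ADS_UF_ACCOUNTDISABLE
        Write-Output "Disabled $dn"
    }
}

Revoke-AmtCertificates -Config $CaConfig -Fqdn $ComputerFqdn -ReasonCode $reasonCodes[$Reason]
Block-AmtAccount -Name $ComputerName -SearchBase $AmtAccountOU -Delete $DeleteAccount.IsPresent
```

Run it as, for example, `.\Block-AmtComputer.ps1 -ComputerName WS001 -ComputerFqdn ws001.corp.example.com -CaConfig 'CAHOST\Contoso Issuing CA' -AmtAccountOU 'OU=AMT,DC=corp,DC=example,DC=com' -Reason KeyCompromise`. The two verification pieces (Get-Disposition and the LDAP search in Block-AmtAccount) are also the check to run after the second option, or after an SP2 block, when the certificate should already read Revoked (reason Superseded) and the account should be gone.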
Blocking AMT-Based Computers in Configuration Manager 2007 SP2
Computers that are blocked by Configuration Manager 2007 SP2 cannot continue to be managed out of band. When an AMT-based computer is blocked, the following actions automatically occur to help protect the network from the security risks of elevation of privileges and information disclosure:
- The site server revokes all certificates issued to the AMT-based computer with the revocation reason of Superseded. The AMT-based computer might have multiple certificates because Configuration Manager 2007 SP2 supports 802.1X authenticated wired and wireless networks that support client certificates.
- The site server deletes the AMT account in Active Directory Domain Services.
Provisioning information is not removed from AMT, but it can no longer be managed out of band because its certificate is revoked and its account is deleted. If you later unblock the client, you must take the following actions before you can manage the computer out of band:
- Manually remove provisioning information from the computer’s BIOS extensions. You will not be able to perform this configuration remotely.
- Reprovision the computer with Configuration Manager.
If you think you might unblock the client later and you can verify a connection to the AMT-based computer before blocking the client, you can remove provisioning information with Configuration Manager and then block the client. This sequence of actions saves you from having to manually configure the BIOS extensions after unblocking the client. However, this option relies on a successful connection to the untrusted computer to complete the removal of provisioning information. This is particularly risky when the AMT-based computer is a laptop and might be disconnected from the network or on a wireless connection.
Note: To verify that the AMT-based computer successfully removed provisioning information, confirm that the AMT status has changed from Provisioned to Not Provisioned. However, if the provisioning information was not removed before the client was blocked, the AMT status remains at Provisioned but you will be unable to manage the computer out of band until you reconfigure the BIOS extensions and reprovision the computer for AMT. For more information about the AMT status, see About the AMT Status and Out of Band Management.
See Also
Tasks
How to Block Configuration Manager Clients
How to Remove Provisioning Information for AMT-Based Computers
Concepts
About Certificates for Out of Band Management
Determine If You Need to Block Configuration Manager Clients
Overview of Out of Band Management
Out of Band Management Security Best Practices and Privacy Information