Page 1:Security systems like biometrics can work without a Trusted Platform Module, but they're more secure with it. Click the image to see a larger version.
Page 2:Trusting The Trusted Platform Module
Page 3:Trusting The Trusted Platform Module, Continued
Page 4:The Future Of TPM In The Chipset
Page 5:Encrypt Everything With TPM
Page 6:AMT Improves Security As Well As Remote Support
Page 7:AMT Improves Security As Well As Remote Support, Continued
AMT Improves Security As Well As Remote Support, Continued
You don't need special software to see the details from the AMT Web server; you can use any Web browser. If you have a Dell or HP system with AMT, you'll get the AMT client software free with the PC; Lenovo vPro laptops and desktops come with the free LANDesk Starter Kit for Lenovo systems. If you want more control, you can download the AMT Developer Toolkit from Intel's SDK site, which includes Intel AMT Commander, a console that implements all the AMT features. This allows you to configure the BIOS remotely, force another PC to boot from an alternate image, turn it off if it's been left on, or turn it on to get Windows Updates.
AMT also gives each vPro PC a persistent Universal Unique Identifier (UUID) which can be read even when the PC is turned off, and doesn't change if you install another OS, format the hard drive or change the memory, graphics card or other hardware. Not only does that ensure that management software is talking to the right PC each time, it's also a secure identifier for that PC. That means that you can install software at the same time as Windows, which would normally have to wait until the PC has been named, so everything can go in the same image for an automated installation - handy if you want to slipstream your own images for a faster reinstallation.
When AMT moves into home PCs as part of VIIV, we can expect to see management and security services from PC manufacturers and computer stores that use it. In China, Star SoftCom has an AMT-based service called StarNet that manages business PCs. The company has demonstrated a version of StarNet for home PCs that has policies to manage the firewall and anti-virus software, along with security services like NetNanny; if a user disables the NetNanny service, the AMT policy disconnects the PC from the Internet to prevent browsing, but the PC can still be managed remotely through AMT. If the home PC crashes or can't boot because of a virus or rootkit, StarNet can connect remotely, run a diagnostic operating system, mount the hard drive and look for corrupted drivers, viruses, a corrupted boot sector and other problems, fix the system, and send a signal that reboots the machine.
Intel needs to make changes to AMT to make it work well for home users. In a business, the management console is on the same network; at home, your router would block the management software from connecting, so the home PC has to request the connection first. The AMT firmware has the functions to ask for help, but not to make the network connection to send the request, so Intel plans to add that to the firmware in the next version of AMT.
Danbury will also simplify some AMT functions, like unlocking a system remotely. If you forget your password on a system with Danbury, the IT helpdesk will be able to send a remote unlock command from the management software, rather than using a recovery key stored on a flash drive to restore your system manually.
Like all the hardware security features Intel is building into its platforms, this needs software that expects the hardware to be there, and it needs a system that trusts PCs secured by hardware in the platform. You may not use vPro hardware security for anything yet, but in the future it could do everything from protecting your files to proving your identity. Microsoft's Chief Research and Strategy Officer, Craig Mundie, thinks platform level hardware is ideal for a secure identity system. "TPM allows us to sequester secrets and to have very reliable identities. We will have identities for people, for programs and hardware devices that are not spoofable; we will be able to assemble devices and have people trust them."
Intel's Active Management Technology allows compromised PCs to be diagnosed, updated and fixed remotely; so far it's restricted to business systems. Click the image to see a larger version.
- Security systems like biometrics can work without a Trusted Platform Module, but they're more secure with it. Click the image to see a larger version.
- Trusting The Trusted Platform Module
- Trusting The Trusted Platform Module, Continued
- The Future Of TPM In The Chipset
- Encrypt Everything With TPM
- AMT Improves Security As Well As Remote Support
- AMT Improves Security As Well As Remote Support, Continued