> With features like hardware-level remote keyboard, video, and mouse control (KVM), Intel AMT allows you to discover, repair, and help protect networked computing assets as easily as if working in person.
No. Nerds love to hate any notion of their hardware spying on them, especially if it’s Intel. Computers need to work exactly as they did in 2004. But let’s also ignore the management functionality we had in ‘04 :)
You could have the machine act as a client and reach out to a management server. If you wanted to get really fancy you could maybe even add a DHCP option to advertise the local management server for autoconfiguration. I'm not convinced that would actually be much more secure, but it is a thing you could do.
I'm not sure how you'd actually pull that off. Are you configuring AMT with such settings? Don't you then end up with 2 IPs per MAC? Or is AMT given its own MAC?
Seems messy regardless. Just having it be a passive server is much simpler as it never needs to care how the packets got routed to it, it just responds in kind
To be quite clear, I don't believe anyone has implemented it like this, I was just spitballing theoretical possibilities. And yes, you're right, you'd probably need to make the ethernet port present 2 MACs so the management system can have its own independent network stack, unless I've forgotten some awful trick to get around that (which is possible; I can't quite remember how single-port servers host their LoM interfaces).
localhost:16992 is just the windows service redirecting port 16992 from the ethernet/WiFi interfaces. It actually listens on your external interfaces by sniffing DHCP packets and grabbing all connections on port 16992.
Yup. I used that feature for many years to remote manage a file server at my folks place. Works great! Just don't expose it directly to the outside world.
Nowadays I'd probably turn it off and use pikvm instead, though.
The CPU/chipset has an integrated keyboard/video/mouse (via VNC), serial console, power control (on/off) and some settings exposed via this webserver over some kind of XMLRPC.
It is activated either by configuring it locally through the BIOS or some special key combination at boot, or when connecting to a network that has a setup server with a special certificate (not really a security feature, just a money grab) present. Some vendors might also ship it always-on. Network can be either wired or WiFi, not sure about mobile networks.
The threat is extreme: hidden remote access, several known vulnerabilities in the past in e.g. the broken XML parser, activation and takeover via brief physical access at boot (press the magic key, set username and password, boom, it is not your machine anymore) or connecting to a network with a magic setup server and certificate (corporate WiFi might do this accidentally to your machine). No good consistent and easy way to deactivate or prevent, it is different for each generation and vendor unfortunately, if at all possible.
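A quick way to find out whether a machine on your own network is exposing that embedded web server, as an added example that is not part of this thread or of any Intel tooling. It assumes the stock AMT ports (16992 for HTTP, 16993 for HTTPS) and the `Server: Intel(R) Active Management Technology <version>` header the firmware web server sends; the sample response at the bottom is constructed for the offline check, not captured from a real machine.

```python
"""Probe a host for an exposed Intel AMT web interface (added example).

AMT's firmware web server listens on TCP 16992 (HTTP) and 16993 (HTTPS)
and names itself in its Server header. parse_amt_banner() is pure so it
can be exercised against a constructed response without any network.
"""
import re
import socket
import ssl
import sys
from typing import Dict, Optional

# port -> whether to wrap the socket in TLS (assumed stock AMT ports)
AMT_PORTS: Dict[int, bool] = {16992: False, 16993: True}

_SERVER_RE = re.compile(
    rb"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]+)?",
    re.IGNORECASE | re.MULTILINE,
)
_REALM_RE = re.compile(rb'realm="([^"]*)"', re.IGNORECASE)


def parse_amt_banner(response: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Return {'version', 'realm'} if the HTTP response came from AMT, else None."""
    head = response.split(b"\r\n\r\n", 1)[0]
    m = _SERVER_RE.search(head)
    if not m:
        return None
    realm = _REALM_RE.search(head)
    version = (m.group(1) or b"").decode()
    return {
        "version": version or None,
        "realm": realm.group(1).decode() if realm else None,
    }


def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send a bare GET / to host:port (TLS on the HTTPS port) and return the raw reply."""
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if AMT_PORTS.get(port):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # AMT's out-of-the-box cert is self-signed
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(req)
        chunks = []
        while len(chunks) < 16:  # a few KB of headers is all we need
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def scan(host: str) -> Dict[int, Optional[Dict[str, Optional[str]]]]:
    """Probe both AMT ports; unreachable ports map to None."""
    results = {}
    for port in AMT_PORTS:
        try:
            results[port] = parse_amt_banner(probe(host, port))
        except OSError:
            results[port] = None
    return results


# Constructed sample of an unauthenticated reply (not a real capture).
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="Digest:7E1C000000000000000000000000", '
    b'nonce="c2FtcGxl", stale="false", qop="auth"\r\n'
    b"Content-Type: text/html\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Content-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder host
    for port, info in scan(target).items():
        print(f"{target}:{port} -> {'AMT ' + str(info) if info else 'no AMT banner'}")
```

Run it against a host you own; a hit on either port means the firmware web server is reachable from wherever you ran the scan, regardless of what the OS firewall on that machine thinks.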
I've edited my text to be more precise. But to elaborate:
Eh! Read what your link says:
> Beginning in Release 12.0, it is possible to globally disable Intel AMT.
It took them 12 versions to put in an off-switch, so only newer hardware even has one. And:
> Intel AMT can be disabled using one of the following methods: Through the MEBX menu: Make sure that Manageability Feature State is disabled, then open the MEBX menu and change the Intel® AMT option to Disabled. This option can only be reenabled after a reboot.
That only works if your hardware vendor exposes the MEBX menu, which not all vendors do.
> Through an MEI command invoked by OS software: Invoke the CFG_DisableAndClearAMT MEI command.
For that AMT has to be already enabled and configured in the operating system.
The Intel Management Engine is part of the CPU, and it's there for remote management of a system so you can do things like control power on/off or configure the BIOS from over the network.
It's a remote console to the management engine for "lights out management" or remotely being able to do what a hardware tech would generally need physical access for like accessing the preboot environment.
It's bad if you don't know it's on because it lets you remotely access pieces of the computer you normally need physical access for like accessing the preboot environment.
The vPro CPUs include things like
AMT (Active Management Technology), which is similar to IPMI. A way to remotely manage the device even if it's not booted yet.
The internal web server shown here lets you configure AMT, disable it if you wish, etc.
No shit, AMT is literally the point of vPro. Why present it as some sort of conspiracy? Don’t buy enterprise hardware if you don’t like the enterprise features, I guess.
> Remote Manageability
> Remotely power up, update, and repair PCs outside of the firewall, even if they're out-of-band, to help your users from virtually anywhere.
https://www.intel.com/content/www/us/en/now/itheroes.html
> With features like hardware-level remote keyboard, video, and mouse control (KVM), Intel AMT allows you to discover, repair, and help protect networked computing assets as easily as if working in person.
https://www.intel.com/content/www/us/en/architecture-and-tec...
Moral of the story here seems to be to actually bother to spend 5 seconds figuring out what you bought?