Among the many enhancements with latest generation Intel SCS releases, one that you may have overlooked is Digest Master Passwords
First - some contextual understanding
The idea of a Digest Master Password (DMP) is to provide one password to Intel SCS which is used to randomize the Intel AMT admin password on every system configured.
To help put that in context, shown below is the Intel SCS console view to enable and set the Digest Master Password
Once a Digest Master Password has been established, when defining the Network Setting within a Configuration Profile, a third option appears to "Use Master Password to create a password for each system"
Those who have appropriate permissions to the Intel SCS console can lookup the password of an individual system. As shown below, all of the systems have been configured using Digest Master Password. The per-system Intel AMT password is a unique string. The notepad provides a few example randomized passwords due to Digest Master Password.
With the contextual understanding above, here are the four reasons to use Digest Master Password (DMP)
- Simple to add an additional Intel SCS or in disaster recovery scenarios - If you have already configured Intel AMT systems using Digest Master Password, additional Intel SCS instances can start communicating with them immediately. All you need to provide is the DMP in the Intel SCS console. (I'm looking forward to Intel AMT capable applications using DMP)
- No Database Required - In the past, a randomized password option could be used with each individual password stored in the Intel AMT database. If you lose or corrupt the database, you lose the passwords. This is not true with DMP - since the randomized password is calculated dynamically per an algorithm. (Again - I hope in the future Intel AMT capable applications will use DMP)
- Simplifies reconfiguration, delta configuration, and unconfiguration options - If you have manually typed the ACUconfig commands, you noticed a command option "/Adminpassword". This is the Intel AMT admin password, and if you must directly specify it in the command line there is a security risk. In contrast, if DMP is enabled the ACUconfig command execution will determine the Intel AMT admin password.
- Easy to maintain- Intel SCS will remember the last 8 DMP's used. If you update the DMP on the Intel SCS console, the change can be applied to systems in your environment causing a new random Intel AMT admin password per client to be generated and assigned. Until that job has completed, which is complicated with systems that may be disconnected from the network for a period of time, there is a good possibility that some systems may not get the update immediately. No worries - Intel SCS knows the previous DMPs used and can apply those if needed.
Ensure you secure the DMP
A final thought for this blog - be sure to secure the Digest Master Password. As shown above, the individual randomized passwords are accessible via the Intel SCS console. To calculate or obtain the Digest Master Password requires access to the Intel_RCS_Master_Password WMI namespace as shown below
Do you have an additional reason for using Digest Master Passwords? Please do tell