Any trade-offs involved with enabling Intel vPro?

Implementation of OOB is not a trivial exercise by any stretch, and takes a significant amount of planning and investment. Simply turning on vPro is not enough, you have to have the back-end architecture to support it as well. Unless you are ready to immediately implement out-of-band management, my recommendation is to leave vPro turned off, because by default, vPro is pre-provisioned with root CA keys from well-known vendors (e.g. VeriSign, GoDaddy). An attacker with access to your network could purchase an AMT cert and provision your machines without you ever knowing...

Since vPro uses PKI, once properly provisioned the architecture is actually quite secure, as clients will then only trust a caller that possesses the AMT private key that originally associated the machine. vPro can be configured to provide notification to users when a remote session is active (depending on your company's policies).

With that said, our shop uses vPro. We manage several hundred remote workstations that have no on-site IT support. vPro gives us the capability to perform troubleshooting at the hardware level and provides remote power-on capability, features that are not available via remote desktop.


Yes, there are tradeoffs involved, and I suspect a quick Google search would have told you most of this already, but having said that, check this HP doc on the tradeoffs of enabling vPro for IT professionals. It's for that specific model of HP, but the general case is the same for any system you use vPro on.

Aside from the expected increase in memory usage, power consumption and decreased networking performance (oh, and the tiny drive space usage), it's worth noting that enabling this will result in the system being powered [to some extent] at all times. The few watts of energy that wastes isn't much compared to the important caveat that you'll need to disconnect AC power, rather than just powering the machine off, to do any hardware installations/replacements. (Good practice anyway, but most people don't bother.)

And then what would probably be the biggest concern is the security and privacy implications. Since there's no easy way to tell from the workstation if someone's using this OoB management tool without your consent, you really better make sure your security's up to snuff, and your network's reasonably well hardened against intrusions before implementing anything like this.

Wikipedia has some more about the security and privacy implications, but my advice is if you don't need or plan to use OoB management, you're installing a backdoor into your system for no reason. So don't. Really, it's a workstation, what remote KVM applications do you see needing for this that you can't do with Remote Desktop?
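Both answers turn on the same defender problem: the first warns that an unprovisioned vPro machine will accept a remote provisioning attempt, and the second notes that there is no easy way to tell from the workstation itself whether AMT is active. A network-side inventory check is one practical way to reconcile which hosts actually expose AMT against the list you intend to manage. The script below is an added example written for this page, not code from either answer or from Intel; it probes the well-known AMT listener ports (16992/16993 for the management web interface, 16994/16995 for redirection) and flags any host that answers but is not on your expected-provisioned list. The host names, the `SAMPLE_OPEN` table and the `fake_probe` function are constructed so the demo runs offline; in real use you pass the default `tcp_open` probe.

```python
"""Fleet audit: which workstations expose an Intel AMT listener, and were they expected to?"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

# Standard Intel AMT TCP ports (these are the documented AMT assignments, not
# values taken from the thread above).
AMT_PORTS: Dict[int, str] = {
    16992: "AMT HTTP management",
    16993: "AMT HTTPS management",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS",
}

Probe = Callable[[str, int, float], bool]


@dataclass
class HostReport:
    host: str
    expected: bool
    open_ports: Dict[int, str] = field(default_factory=dict)

    @property
    def verdict(self) -> str:
        """Classify the host for the audit summary."""
        if not self.open_ports:
            # Absence of a listener is not proof AMT is disabled (it may be
            # filtered, or only bound to another interface), so say so plainly.
            return "no AMT listener reachable"
        if self.expected:
            return "AMT reachable, host is in the managed fleet"
        return "UNEXPECTED AMT listener, investigate provisioning state"


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Default probe: a plain TCP connect to see whether anything answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(hosts: Iterable[str], expected_amt_hosts: Set[str],
          probe: Probe = tcp_open, timeout: float = 1.0) -> List[HostReport]:
    """Probe every host on every AMT port and return one report per host."""
    reports: List[HostReport] = []
    for host in hosts:
        report = HostReport(host=host, expected=host in expected_amt_hosts)
        for port, label in AMT_PORTS.items():
            if probe(host, port, timeout):
                report.open_ports[port] = label
        reports.append(report)
    return reports


def unexpected_hosts(reports: List[HostReport]) -> List[str]:
    """Hosts that answer on an AMT port but were never meant to be provisioned."""
    return [r.host for r in reports if r.open_ports and not r.expected]


# --- constructed offline demo (hypothetical host names, not real systems) ---
SAMPLE_OPEN = {("ws-01", 16992), ("ws-01", 16993), ("ws-07", 16992)}


def fake_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Stand-in for tcp_open that answers from the constructed table above."""
    return (host, port) in SAMPLE_OPEN


def run_demo() -> List[HostReport]:
    # ws-01 is in the managed fleet; ws-07 exposes AMT but should not; ws-12 is quiet.
    return audit(["ws-01", "ws-07", "ws-12"], expected_amt_hosts={"ws-01"}, probe=fake_probe)


if __name__ == "__main__":
    for r in run_demo():
        ports = ", ".join(f"{p} ({n})" for p, n in sorted(r.open_ports.items())) or "-"
        print(f"{r.host:8} {ports:55} {r.verdict}")
```

Run it against your own address list with the default `tcp_open` probe and a short timeout; anything listed under "UNEXPECTED AMT listener" is a machine where vPro is enabled but not under your provisioning control, which is exactly the state the first answer warns about. Treat "no AMT listener reachable" as inconclusive rather than as proof the feature is off.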