Intel vPro/AMT Security Considerations
I'm new to the selfhosted/homelab space and eyeing a used Dell Optiplex Micro system to experiment with. The unit has an i5-8500T and appears to support Intel vPro/AMT for remote management and KVM. This is interesting to me as I may not want to have a monitor and peripherals permanently connected. After substantial searching, most of the documentation and discussions on this topic are aimed at people with a deeper background. I believe I can figure out how to set it up, but I couldn't find straightforward answers to these security questions:
-I only want to use this for KVM while at my home. It seems like a security risk if this functionality works over the internet rather than just LAN. Is this actually the case, and if so, can it be set to LAN-only?
-Since the machine had a prior owner, is it advisable to reset the BIOS or somehow clear out potential vPro settings from the previous user?
Thanks for any help you can offer!
So I have a 3-node cluster of optiplex 5060 micros with i5-6800. I have AMT enabled on a different VLAN from the hypervisor I have running and it works great for remote management. One thing to keep in mind that for the KVM access to continue to work, I had to add an HDMI dummy plugs to keep the display working after reboots. All of the other functions associated with AMT worked after reboots.
For your other questions: ATM would only be accessible from the network you have it running on without any firewall rules/port forwarding/NAT
Yes reset it to factory. Turn ATM off and reset it.
Thanks for the tips - I can manage a dummy plug if required. Glad to hear AMT would be local-only unless I take additional steps.
What software do you use to access the AMT machines?
I use MeshCentral running on Debian on a small VM and then I access MeshCentral through the Web UI. If you have any Raspberry Pi's laying around that aren't being used, it would be a great candidate for that type of setup.
Thank ye much.
If it runs on a pi I can probably make a small VM for it without over angering the VMware HA capacity alarm.