Device control from a distance

Device control from a distance

Embassy Remote Administration Server identifies built-in hardware security to deliver remote administration of trusted systems

By Greg Crowe
August 18, 2008

Link to GCN article

Every network administrator knows that hardware-based security is less prone to hacking than software-based systems. What they might not realize is that the hardware for better security is largely in place, and all they have to do is take advantage of it.

The Trusted Platform Module, or TPM, has been integrated into many new computers and hard drives for several years. The 170-plus member companies of the Trusted Computing Group have developed standards for Trusted Computing that every major computer manufacturer is adopting. Many government agencies, such as the Defense Department, now require every new PC they acquire to have a TPM. In only a matter of years, every laptop PC along with most desktop PCs and hard drives — called trust drives or TDs — will include TPM.

Why is this technology so pervasive? TPM facilitates the secure generation of cryptographic keys at the hardware level, which makes remote identification more reliable than an entirely software-based process. The use of this module can more effectively control who can access programs and data. A chip on the motherboard stores password and biometric information, making them almost impossible to steal.

The problem is that even though practically every company is jumping on this bandwagon, many of them differ on the best way to encrypt the information, and there haven’t been many attempts to unify all brands of TPM under a single management system.

The Embassy Remote Administration Server (ERAS) from Wave Systems does exactly that. ERAS works with all TPMs currently manufactured, bringing them into one central management interface. It also works with Microsoft Active Directory to keep track of authorized users. So it acts as a central headquarters that pulls together all disparate TPM security systems, organizing the chaos and letting you focus on what is probably an already-robust, but unmanaged, security architecture.

ERAS can be installed on any computer that runs Microsoft Windows Server 2003, Internet Information Service (IIS) 6.0, and any version of SQL Server 2005. We found the setup to be fairly simple and straightforward, although it does require knowledge of Active Directory to create the user groups and accounts ERAS needs to function properly. After the server application is installed, the client software must be installed on each network computer you want to administrate remotely.

The server application interface is in the style of most Windows administration consoles. This wasn’t surprising, considering it is an actual Microsoft Management Console snap-in. Performing a quick search allowed us to find all of the computers on the network that had TPMs or TDs, in addition to the client software.

Right-clicking on a specific computer opened a menu of options, which included enrollment and allowing the remote administrator to take ownership. After this was done, changes could only be made through the remote console, and nothing could be changed locally.

Adding and removing users of the TPM or TD was done with a few simple clicks. We could even enable and disable the trusted chip with one click, plus another for confirmation. There was also an option to cryptographically erase the entire drive remotely, ensuring that no data remains. This can be used when a disk is re-purposed, or when it is ultimately being discarded. Another option is to lock the drive from being used by anyone.

A simplified, Web-based version of the administration console is available with the use of IIS. Designed to be used by help-desk employees, the interface allows an operator to search for the computer in question. Once found, the operator can perform the most commonly requested tasks, such as issuing recovery passwords, while leaving the more complex operations to an administrator.

For administrators who like to type in line commands or run scripts, there is a command- line interface that will let them do just that.

Wave Systems is selling Embassy Remote Administration Server starting at $93 per user for as many as 50 users, with volume discounts for larger numbers of users. We found this price to be acceptable, especially considering what the application is capable of doing. Of course, this price does not include the server on which it runs, but we think any existing server in a network that is not already heavily taxed should be able to run ERAS.

This application is just the thing for an administrator who wants to take direct, central control of the network’s trusted drives and computers. Given that most agencies probably have, or will soon have, a security system embedded in equipment, ERAS can help them harness that power. At $93 per seat, it’s a good deal.