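Starting with Intel® AMT 2.5, once the Intel® local drivers are installed, a new AMT-related service appears in the system's service list: Intel® Active Management Technology User Notification Service (UNS), as shown in the figure below. This service supports a feature introduced in Intel® AMT 2.5: User Notification.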
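What does User Notification do? It tells the local user, in real time, about management operations taking place on the machine. For example, suppose the IT administrator has configured a System Defense policy on the user's machine in advance to guard against worms or network attacks. When an attack occurs, the System Defense policy takes effect and the user's network is blocked or slowed down. Normally the user would be puzzled about why the machine suddenly cannot get online, or why the connection has suddenly become slow. User Notification solves this problem: when such an event occurs, UNS receives the corresponding AMT event message immediately through the HECI driver and writes the event to the Application log of the Windows event log. Looking at the Windows event log, we can see events like the one in the figure below.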
There are two kinds of events. One is UNS: events related to UNS starting and stopping. The other is Intel® AMT: events related to AMT management operations. The figure above shows an Intel® AMT event; its Description reads "A remote Serial Over LAN session was established", which means an administrator has successfully established an SOL session from the management console to the user's local AMT. Activation of a System Defense policy is likewise recorded in the Windows event log.
The Intel® Management and Security Status application that ships with Intel® AMT 4.x/5.x machines automatically reads the events recorded by UNS from the Windows event log and displays them, as shown in the figure below. In other words, if a management software vendor wants to support the User Notification feature, the local client of the management software has to detect Intel® AMT events newly recorded in the Windows log, parse them, and notify the user with a pop-up.
So which events does UNS actually capture and record? In fact, not every event that the Intel® AMT Event Manager can log is received by UNS and written to the Windows event log. See section 9.10, "User Notification Alert", of "Network Interface Guide.pdf" in the SDK, which defines the events that can be delivered to local applications through AMT User Notification. They fall into five categories: General Notification, Circuit Breaker notification, EAC notification, Remote diagnostics, and WLAN notification. The table below lists some of the events that can be recorded:

| Category | Event Viewer Message | What it really means |
| --- | --- | --- |
| System Defense | Security policy invoked. Some or all network traffic (TX) was stopped. | Transmission of specific types of network packets have been stopped according to IT policies (all other network protocols perform normally) |
| System Defense | Security policy invoked. Some or all network traffic (RX) was stopped. | As above, but for network Reception. |
| System Defense | Security policy invoked. TX Network connectivity was reduced. | Transmission of specific types of network packets have been "reduced" by allowing only some of the packets (a determined percentage), according to IT policies (all other network protocols perform normally). |
| System Defense | Security policy invoked. RX Network connectivity was reduced. | As above, but for network Reception. |
| Remote Diagnostics | A remote Serial Over LAN session was established. | An IT Administrator has started an SOL session on this system, which confers him rights on the I/O of the SOL port. |
| Remote Diagnostics | Remote Serial Over LAN session finished. User control was restored. | The aforementioned SOL session was closed. The end user is the only one controlling the system. |
| Remote Diagnostics | A remote IDE-Redirection session was established. | An IT Administrator has started an SOL session on this system, which confers him rights on the I/O of the SOL port. |
| Remote Diagnostics | Remote IDE-Redirection session finished. User control was restored. | The aforementioned IDE-R session was closed. The end user is the only one controlling the system. |
| WLAN | WLAN Profile insufficient for management session over WLAN interface. | |
| WLAN | Management session was established over WLAN interface. | |
| WLAN | Security parameters insufficient for management session over WLAN interface | |
| WLAN | Management session over WLAN interface has finished | |

By default UNS retrieves events from AMT anonymously, because AMT allows this in its default configuration. If authentication is required, first use the SetRealmAuthOptions method of the SecurityAdministration interface to set the LocalUN realm to Auth; then, again through the SecurityAdministration interface, add a user that has permission for the LocalUN realm. UNS then has to be told the new user name and password so that it can authenticate to AMT and retrieve the events it needs. Run the following commands at the command line:
sc stop uns
sc start uns -unsuser <username> -unspass <password>
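sc start uns
UNS remembers the user name and password used last time, so afterwards it is enough to run sc start uns, or to let UNS start by default with the system. The command to restore UNS to its defaults is: sc uns -clear.
UNS works roughly as follows: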
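1) UNS subscribes to events from Intel(R) AMT, telling AMT to send it events of specific types. The events sent to UNS are SOAP-based, not SNMP traps;
2) When subscribing, UNS must be authenticated by the AMT firmware. If a user name and password were set manually, those are used; otherwise UNS uses anonymous access or the AMT built-in default "$$uns" user;
3) If connections to AMT must use TLS, UNS connects to AMT over TLS; the TLS handling is done by the operating system;
4) After that, UNS acts as the server side of the connection and AMT as the client side. When a subscribed event occurs, AMT sends the event to UNS and then obtains from UNS a status code indicating whether delivery succeeded. The original poster may want to look into this!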
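The article says a management client must find the Intel® AMT events that UNS writes to the Windows log and parse them. As an added example (not from the original article or the Intel SDK), the Python below classifies such records by the Event Viewer messages in the table and tracks which redirection or WLAN management sessions are still open. The record fields, the `Intel(R) AMT` source string and the sample records are assumptions constructed for illustration.

```python
import re

# Patterns are taken from the Event Viewer messages in the table above.
# Each rule: (regex, category, action); group 1 names the subject.
RULES = [
    (r"network traffic \((TX|RX)\) was stopped", "System Defense", "blocked"),
    (r"(TX|RX) Network connectivity was reduced", "System Defense", "reduced"),
    (r"remote (Serial Over LAN|IDE-Redirection) session was established",
     "Remote Diagnostics", "session-open"),
    (r"Remote (Serial Over LAN|IDE-Redirection) session finished",
     "Remote Diagnostics", "session-closed"),
    (r"Management session was established over (WLAN)", "WLAN", "session-open"),
    (r"Management session over (WLAN) interface has finished", "WLAN", "session-closed"),
    (r"(WLAN Profile|Security parameters) insufficient", "WLAN", "rejected"),
]

def classify(message):
    """Return (category, action, subject) for a UNS message, or None."""
    for pattern, category, action in RULES:
        match = re.search(pattern, message, re.IGNORECASE)
        if match:
            return category, action, match.group(1)
    return None

def summarize(events, source="Intel(R) AMT"):  # source string is an assumption
    """Return (notifications, open_sessions) for records given in time order."""
    notes, open_sessions = [], set()
    for ev in events:
        if ev["source"] != source:  # skip UNS start/stop records
            continue
        hit = classify(ev["message"]) or ("Unclassified", "unknown", ev["message"])
        if hit[1] == "session-open":
            open_sessions.add(hit[2])
        elif hit[1] == "session-closed":
            open_sessions.discard(hit[2])
        notes.append(hit)
    return notes, open_sessions

# Constructed sample records (not real log output).
SAMPLE = [
    {"source": "UNS", "message": "Service started."},
    {"source": "Intel(R) AMT", "message": "A remote Serial Over LAN session was established."},
    {"source": "Intel(R) AMT", "message": "Security policy invoked. Some or all network traffic (TX) was stopped."},
    {"source": "Intel(R) AMT", "message": "A remote IDE-Redirection session was established."},
    {"source": "Intel(R) AMT", "message": "Remote Serial Over LAN session finished. User control was restored."},
]

if __name__ == "__main__":
    notes, still_open = summarize(SAMPLE)
    print(notes, "sessions still open:", sorted(still_open))
```

A non-empty set of open sessions means an administrator still has redirection or WLAN management access to the machine, which is the state a local pop-up should keep visible to the user.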