********************************************************************** * * Copyright(c) 2009, Intel Corporation. All rights reserved. * Intel(R) Management & Security Application (Intel(R) MSA) * User Notification Service (UNS) * ********************************************************************** ********************************************************************** * 1. Overview ********************************************************************** Intel(R) Management & Security Application (Intel(R) MSA) 5.2 is able to write user notifications to the local host Microsoft Windows* OS Event Viewer for the purpose of notifying end users of predefined events, such as when critical System Defense policies are applied by the Intel(R) Management Engine firmware. The UNS also provides NAC (via a plugin) and NAP functionality. To enable NAP, see the installation Note below. The User Notification Service (UNS) is a Windows service installed on the host on a platform that has Intel(R) MSA Release 2.5 or greater. The UNS registers with the Intel(R) MSA device to receive a set of alerts. When UNS receives an alert it logs the alert in the Windows "Application" event log. To view the alerts, right-click on My Computer, select Manage/System Tools/Event Viewer/ Application. The Event Source will be "Intel(R) MSA". The following table shows the Category, Event ID, and Event Description for all of the defined alerts. Category Event ID User Message - ----------------- -------- --------------------------------------------------------------------------- 1 System Defense 1001 Security policy invoked. Some or all network traffic (TX) was stopped. 2 System Defense 1002 Security policy invoked. TX Network connectivity was reduced. 3 System Defense 1003 Security policy invoked. Some or all network traffic (RX) was stopped. 4 System Defense 1004 Security policy invoked. RX Network connectivity was reduced. 5 Remote Diagnostics 1201 A remote Serial Over LAN session was established. 6 Remote Diagnostics 1202 Remote Serial Over LAN session finished. User control was restored. 7 Remote Diagnostics 1203 A remote IDE-Redirection session was established. 8 Remote Diagnostics 1204 Remote IDE-Redirection session finished. User control was restored. 9 WLAN 1102 WLAN Profile insufficient for management session over WLAN interface. 10 WLAN 1104 Management session was established over WLAN interface. 11 WLAN 1103 Security parameters insufficient for management session over WLAN interface. 12 WLAN 1105 Management session over WLAN interface has finished. ********************************************************************** * 2. System Requirements ********************************************************************** The UNS is supported on the following operating systems: - Windows* XP SP2 (32 and 64 bit) - Windows Vista* (32 and 64 bit) - Windows 7* (32 and 64 bit) ********************************************************************** * 3. Installation ********************************************************************** UNS.exe is found in the \LMS_SOL directory. To install the UNS, run setup.exe and note the following installation circumstances: 1) TLS: If Intel(R) MSA is configured to work with TLS then any application that wants to communicate with the Intel(R) MSA PC must be able to verify the server certificate that Intel(R) MSA sends. To do that, the root certificate (which signed the Intel(R) MSA certificate) must be installed (by the IT administrator) in Windows's* trusted root certificate store. Being a service, the UNS runs in the system context (not as a user process), and as such does not see the same certificate store the user account sees. For the UNS to have access to the root certificate, it must be installed using the "mmc" tool, as is specified in step 4 in: http://support.microsoft.com/kb/901183/ 2) Mutual Authentication TLS: If Intel(R) MSA is configured to use mutual authentication TLS for local (this can be set separately for remote and local), then when local applications try to connect, Intel(R) MSA will require from them a client certificate for verification. This client certificate must be installed in Windows's personal certificate store. Again, as was the case with the server certificate, the UNS being a service means that the IT administrator must install the client certificate using steps 1-3 of the above link. Furthermore the UNS can be told which client certificate in the store to actually use, which can be done with the following command line argument: "-cert ". (Services can receive arguments either on the command line (using the "sc" command) or in the graphical service controller window.) 3) HTTP Credentials: Regardless of the TLS situation, the UNS uses SOAP calls to Intel(R) MSA and may require credentials. The UNS calls two SOAP services in Intel(R) MSA: User Notification and Endpoint Access Control. These two realms might have different access privileges (that is, different users can be part of these realms). By default there is no need for credentials to access the above two realms for the UNS to work. However, the administrator can decide to block this anonymous access and mandate credentials for one or both of the above realms. This can be done using the SetRealmAuthOptions SOAP command in the Security Administration interface. If credentials are needed for these realms, they need to be passed to the UNS as arguments: "-unsUser -unsPass " for the User Notification realm, and "-eacUser -eacPass " for the Endpoint Access Control realm. Arguments used to start a service can be read at the process table of the OS. A property of the above arguments is that the UNS saves them for the next time it is run and then stops. This means that the UNS should be started once with the credentials as arguments, and then restarted without the credentials -- which will still be used (as long as Intel(R) MSA is configured to require them). This allows the administrator to run the UNS without the credentials showing in the process table as the UNS process's arguments. If clearing the configured credential information is desired, the "-clear" parameter should be used. When starting the UNS with this argument, all the credentials data will be deleted. The UNS must then be restarted without arguments. Note: Enabling NAP is currently a manual process. To enable NAP, ensure that the UNS is not running, then run the following command: "UNS.exe RegisterNap". Restart the UNS. To disable the NAP access, ensure that the UNS is not running, then run: "UNS.exe UnregisterNap" ********************************************************************** * 4. Uninstall procedure ********************************************************************** Click Start > Control Panel, double-click Add or Remove Programs. Select Intel(R) Active Management Technology and click Remove. Note that this will also remove the Intel(R) Management and Security Status application, the LMS and the SOL driver. ****************************************************************************** *INTEL SOFTWARE LICENSE AGREEMENT (OEM / IHV / ISV Distribution & Single User) ****************************************************************************** IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING. Do not use or load this software and any associated materials (collectively, the "Software") until you have carefully read the following terms and conditions. By loading or using the Software, you agree to the terms of this Agreement. If you do not wish to so agree, do not install or use the Software. Please Also Note: If you are an Original Equipment Manufacturer (OEM), Independent Hardware Vendor (IHV), or Independent Software Vendor (ISV), this complete LICENSE AGREEMENT applies; If you are an End-User, then only Exhibit A, the INTEL SOFTWARE LICENSE AGREEMENT, applies. For OEMs, IHVs, and ISVs: LICENSE. This Software is licensed for use only in conjunction with Intel component products. Use of the Software in conjunction with non-Intel component products is not licensed hereunder. Subject to the terms of this Agreement, Intel grants to You a nonexclusive, nontransferable, worldwide, fully paid-up license under Intel’s copyrights to: a) use, modify and copy Software internally for Your own development and maintenance purposes; and b) modify, copy and distribute Software, including derivative works of the Software, to Your end-users, but only under a license agreement with terms at least as restrictive as those contained in Intel's Final, Single User License Agreement, attached as Exhibit A; and c) modify, copy and distribute the end-user documentation which may accompany the Software, but only in association with the Software. If You are not the final manufacturer or vendor of a computer system or software program incorporating the Software, then You may transfer a copy of the Software, including derivative works of the Software (and related end-user documentation) to Your recipient for use in accordance with the terms of this Agreement, provided such recipient agrees to be fully bound by the terms hereof. You shall not otherwise assign, sublicense, lease, or in any other way transfer or disclose Software to any third party. You shall not reverse- compile, disassemble or otherwise reverse-engineer the Software. Except as expressly stated in this Agreement, no license or right is granted to You directly or by implication, inducement, estoppel or otherwise. Intel shall have the right to inspect or have an independent auditor inspect Your relevant records to verify Your compliance with the terms and conditions of this Agreement. CONFIDENTIALITY. If You wish to have a third party consultant or subcontractor ("Contractor") perform work on Your behalf which involves access to or use of Software, You shall obtain a written confidentiality agreement from the Contractor which contains terms and obligations with respect to access to or use of Software no less restrictive than those set forth in this Agreement and excluding any distribution rights, and use for any other purpose. Otherwise, You shall not disclose the terms or existence of this Agreement or use Intel's name in any publications, advertisements, or other announcements without Intel's prior written consent. You do not have any rights to use any Intel trademarks or logos. OWNERSHIP OF SOFTWARE AND COPYRIGHTS. Title to all copies of the Software remains with Intel or its suppliers. The Software is copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software. Intel may make changes to the Software, or to items referenced therein, at any time and without notice, but is not obligated to support or update the Software. Except as otherwise expressly provided, Intel grants no express or implied right under Intel patents, copyrights, trademarks, or other intellectual property rights. You may transfer the Software only if the recipient agrees to be fully bound by these terms and if you retain no copies of the Software. LIMITED MEDIA WARRANTY. If the Software has been delivered by Intel on physical media, Intel warrants the media to be free from material physical defects for a period of ninety (90) days after delivery by Intel. If such a defect is found, return the media to Intel for replacement or alternate delivery of the Software as Intel may select. EXCLUSION OF OTHER WARRANTIES. EXCEPT AS PROVIDED ABOVE, THE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND, INCLUDING WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE. Intel does not warrant or assume responsibility for the accuracy or completeness of any information, text, graphics, links or other items contained within the Software. LIMITATION OF LIABILITY. IN NO EVENT SHALL INTEL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROF¬ITS, BUSINESS INTERRUPTION OR LOST INFORMATION) ARISING OUT OF THE USE OF OR IN¬ABILITY TO USE THE SOFTWARE, EVEN IF INTEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS PROHIBIT EXCLUSION OR LIMITA¬TION OF LIABILITY FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITA¬TION MAY NOT APPLY TO YOU. YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. TERMINATION OF THIS AGREEMENT. Intel may terminate this Agreement at any time if you violate its terms. Upon termination, you will immediately destroy the Software or return all copies of the Software to Intel. APPLICABLE LAWS. Claims arising under this Agreement shall be governed by the laws of California, excluding its principles of conflict of laws and the United Nations Convention on Contracts for the Sale of Goods. You may not export the Software in violation of applicable export laws and regulations. Intel is not obligated under any other agreements unless they are in writing and signed by an authorized representative of Intel. GOVERNMENT RESTRICTED RIGHTS. The Software is provided with "RESTRICTED RIGHTS." Use, duplication, or disclosure by the Government is subject to restrictions as set forth in FAR52.227-14 and DFAR252.227-7013 et seq. or their successors. Use of the Software by the Government constitutes acknowledg¬ment of Intel's proprietary rights therein. Contractor or Manufacturer is Intel Corporation, 2200 Mission College Blvd., Santa Clara, CA 95052. EXHIBIT “A” INTEL SOFTWARE LICENSE AGREEMENT (Final, Single User) IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING. Do not use or load this software and any associated materials (collectively, the “Software”) until you have carefully read the following terms and conditions. By loading or using the Software, you agree to the terms of this Agreement. If you do not wish to so agree, do not install or use the Software. LICENSE. You may copy the Software onto a single computer for your personal, noncommercial use, and you may make one back-up copy of the Software, subject to these conditions: 1. This Software is licensed for use only in conjunction with Intel component products. Use of the Software in conjunction with non-Intel component products is not licensed hereunder. 2. You may not copy, modify, rent, sell, distribute or transfer any part of the Software except as provided in this Agreement, and you agree to prevent unauthorized copying of the Software. 3. You may not reverse engineer, decompile, or disassemble the Software. 4. You may not sublicense or permit simultaneous use of the Software by more than one user. 5. The Software may contain the software or other property of third party suppliers, some of which may be identified in, and licensed in accordance with, any enclosed “license.txt” file or other text or file. OWNERSHIP OF SOFTWARE AND COPYRIGHTS. Title to all copies of the Software remains with Intel or its suppliers. The Software is copyrighted and protected by the laws of the United States and other countries, and international treaty provisions. You may not remove any copyright notices from the Software. Intel may make changes to the Software, or to items referenced therein, at any time without notice, but is not obligated to support or update the Software. Except as otherwise expressly provided, Intel grants no express or implied right under Intel patents, copyrights, trademarks, or other intellectual property rights. You may transfer the Software only if the recipient agrees to be fully bound by these terms and if you retain no copies of the Software. LIMITED MEDIA WARRANTY. If the Software has been delivered by Intel on physical media, Intel warrants the media to be free from material physical defects for a period of ninety (90) days after delivery by Intel. If such a defect is found, return the media to Intel for replacement or alternate delivery of the Software as Intel may select. EXCLUSION OF OTHER WARRANTIES. EXCEPT AS PROVIDED ABOVE, THE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND INCLUDING WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A PARTICULAR PURPOSE. Intel does not warrant or assume responsibility for the accuracy or completeness of any information, text, graphics, links or other items contained within the Software. LIMITATION OF LIABILITY. IN NO EVENT SHALL INTEL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROF¬ITS, BUSINESS INTERRUPTION, OR LOST INFORMATION) ARISING OUT OF THE USE OF OR IN¬ABILITY TO USE THE SOFTWARE, EVEN IF INTEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS PROHIBIT EXCLUSION OR LIMITA¬TION OF LIABILITY FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITA¬TION MAY NOT APPLY TO YOU. YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. TERMINATION OF THIS AGREEMENT. Intel may terminate this Agreement at any time if you violate its terms. Upon termination, you will immediately destroy the Software or return all copies of the Software to Intel. APPLICABLE LAWS. Claims arising under this Agreement shall be governed by the laws of California, excluding its principles of conflict of laws and the United Nations Convention on Contracts for the Sale of Goods. You may not export the Software in violation of applicable export laws and regulations. Intel is not obligated under any other agreements unless they are in writing and signed by an authorized representative of Intel. GOVERNMENT RESTRICTED RIGHTS. The Software is provided with "RESTRICTED RIGHTS." Use, duplication, or disclosure by the Government is subject to restrictions as set forth in FAR52.227-14 and DFAR252.227-7013 et seq. or their successors. Use of the Software by the Government constitutes acknowledg¬ment of Intel's proprietary rights therein. Contractor or Manufacturer is Intel Corporation, 2200 Mission College Blvd., Santa Clara, CA 95052. SLA/OEM/IHV/RBK/ April 23, 2004 *********************************************************** * DISCLAIMER *********************************************************** Intel is making no claims of usability, efficacy or warranty.The INTEL SOFTWARE LICENSE AGREEMENT contained herein completely defines the license and use of this software. *********************************************************** Information in this document is provided in connection with Intel products. Except as expressly stated in the INTEL SOFTWARE LICENSE AGREEMENT contained herein, no license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of Intel products, including liability or warranties relating to fitness for a particular purpose, merchantability or infringement of any patent, copyright or other intellectual property right. Intel products are not intended for use in medical, lifesaving, or life-sustaining applications. *********************************************************** * Intel Corporation disclaims all warranties and * liabilities for the use of this document, the software * and the information contained herein, and assumes no * responsibility for any errors which may appear in this * document or the software, nor does Intel make a * commitment to update the information or software * contained herein. Intel reserves the right to make * changes to this document or software at any time, without * notice. *********************************************************** * Other names and brands may be claimed as the property of others. Copyright (c) Intel Corporation, 2009