Disabling Intel AMT on Windows (and a simpler CVE-2017-5689 Mitigation Guide)

FINAL UPDATE (2018): Starting with Intel AMT Release 12.0, it is possible to globally disable Intel AMT

UPDATE3: There is now a tool to check whether AMT is enabled and provisioned on Linux systems.

UPDATE2: It gets worse. Much worse. If your Windows laptop runs #IntelAMT, and you enable #WiFi for AMT and you connect to public WiFi AMT is accessible to anyone on that network.

UPDATE1: The vulnerability is now called “SILENT BOB IS SILENT” and is worse than imagined – an attacker can bypass authentication and log on to Intel AMT remotely simply by sending an empty password (a NULL HTTP Digest response). Furthermore,

“The exploit is trival, max five lines of Python, could be doable in one-line shell command. It gives full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data. For security servers, it may allow disabling security features, creating fake credentials, or obtaining root keys. …  IT folks, KEEP WORKING THROUGH THE WEEKEND, DISABLE AMT NOW or block access to it. This can get ugly.”

Completely and permanently (unless you re-install it) disable Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability on Windows. These are components of  the Intel Management Engine firmware.

This is especially relevant since a privilege escalation issue affecting Intel ME (CVE-2017-5689) was made public on May 1st. A patch for Linux is forthcoming. This vulnerability was discovered by Embedi.

PS: words within ` ` are commands, you need to copy and paste these commands without the `

1) Download the Intel Setup and Configuration Software (Intel SCS) and extract the files

2) Open up an administrator command prompt and navigate to where you extracted the files in step 1:

• run `cd Configurator`

3) In the command prompt, run `ACUConfig.exe UnConfigure`. If you get an error, try one of the options below:

• Unconfiguring a system in ACM without RCS integration:
  `ACUConfig.exe UnConfigure /AdminPassword <password> /Full`
• Unconfiguring a system with RCS integration:
  `ACUConfig.exe UnConfigure /RCSaddress <RCSaddress> /Full`

4) Still in the command prompt, disable and/or remove LMS (Intel Management and Security Application Local Management Service):

• `sc config LMS start=disabled`
• `sc delete LMS`
• also run `sc qc LMS`, which will either show you the path to LMS.exe or FAIL. If it shows you the path, use Explorer to delete it. If it FAILED, do not be concerned.

5) Reboot your computer.

6) Check if there is still a socket listening on the Intel ME Internet Assigned Names Authority (IANA) ports on the client: 16992, 16993, 16994, 16995, 623, and 664 (you can also do this before you start to verify it is listening. The Intel ME listens even if the Intel AMT GUI shows Intel ME is “Unconfigured”)

• in a command prompt (does not need to be elevated), run `netstat -na | findstr “\<16993\> \<16992\> \<16994\> \<16995\> \<623\> \<664\>”`

7) The Intel AMT GUI should now show “information unavailable on both remaining tabs” (you might have had 3 or more tabs before going thru the steps above)

8) Optionally, you can now delete LMS.exe. It is usually located in “C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS”. You could go further and use Add/Remove Programs to uninstall the AMT GUI, but then you will have a harder time in the future checking whether Intel AMT remains disabled.

Voilá, you have gotten rid of the Intel AMT components.

But the Intel ME co-processor is still running. Disabling the Intel Management Engine chip has long been a desired goal. If you can point to resources on disabling the Intel ME co-processor for chipsets Haswell and after, please comment below. If your computer has a chipset earlier than Haswell, you can try, at your own risk, these steps.