What do you use to audit, configure & secure your Dev PCs?

So nearly 4 months on, now I’ve got a stable development machine, I’m still auditing and securing the machine, making sure things like open source software used in the Intel vPro tech, Dell Command | Update automation software is patched and up to date, because I’ve found for my machine that Intel have released driver updates for HW and Dell still haven’t done an OEM update for it, making me question, is my Dell kit as up to date as it could be?

I’m doing this by hand at the moment but I wondered what other SME devs use to audit, configure and secure their machines and networks, because some of the Intel ME/vPro/AMT works with network security and that’s when I found out I’ve got a web server running on my Intel CPU which I can do fancy things with, but also means seeing what vulnerabilities exist for it, even if it’s a cut down/minimal/lite version of some FOSS code.

Has anyone disabled the High Assurance Platform bit unofficially supported by Intel?
dobry-law09-HAP-Challenges.pdf (sri.com)
Intel ME controller chip has secret kill switch • The Register

If you put this in your web browser, you can see if it’s running Intel vPro and check the status of different areas of it if this interface is enabled.
Port 16992 is http
Port 16993 is https provided you have configured it, which means your own certs I guess.
Intel® Active Management Technology
127.0.0.1

Your router and any other compromised device on your network could have access to it, unless you have set up network security like small CIDRs etc.

I haven’t found any apps which do all of this job, which is why I’m having to do it by hand, and it’s rather tedious, but I have found some novel ways to get onto machines now when they appear to be switched off (Out of Band) and then lift or place whatever I want on a device and mess around with its Windows security settings. :thinking:

Edit:
Things like this still exist, and this blog post was published just 2 days ago. :face_with_raised_eyebrow:
Spectre exploits in the “wild” (dustri.org)
"The binary has its -h option stripped, likely behind a #define to avoid detection,"
[snip]
"Unsurprisingly, it had a 0 detection rate before I published this blogpost"
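
An added example, not part of the original post: a small Python audit that checks machines you own for the two listeners the post names (16992 for HTTP, 16993 for HTTPS) and records the `Server` header on the plain-HTTP port. The function names `probe` and `audit` are hypothetical, and it is an assumption that the listener answers a plain HTTP request with a `Server` header.

```python
import socket

# Ports from the post: 16992 serves the AMT web UI over HTTP, 16993 over HTTPS.
AMT_PORTS = {16992: "http", 16993: "https"}


def probe(host, port, scheme, timeout=1.0):
    """Connect to host:port; on plain HTTP also read the Server header."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return {"open": False, "server": None}  # closed, filtered or unreachable
    with sock:
        server = None
        if scheme == "http":
            data = b""
            try:
                sock.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                while b"\r\n\r\n" not in data and len(data) < 8192:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except OSError:
                pass  # listener accepted but did not answer; still counts as open
            # Assumption: the listener identifies itself in a Server header.
            for line in data.split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"server":
                    server = value.strip().decode("latin-1")
                    break
        return {"open": True, "server": server}


def audit(hosts, ports=AMT_PORTS, timeout=1.0):
    """Return (host, port, scheme, server) for every listening port found."""
    findings = []
    for host in hosts:
        for port, scheme in ports.items():
            result = probe(host, port, scheme, timeout)
            if result["open"]:
                findings.append((host, port, scheme, result["server"]))
    return findings


if __name__ == "__main__":
    # Your own machines only; 127.0.0.1 is the address used in the post.
    for host, port, scheme, server in audit(["127.0.0.1"]):
        print(f"{host}:{port} ({scheme}) is listening, Server: {server}")
```

An empty result means nothing accepted a connection on either port from where the script ran; a hit on 16992 means the interface is reachable unencrypted from that network position.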