Computers are people too
Posted by BPuhl on August 7, 2008
I remember hearing (and saying) that “computers are people too” quite a bit during Server 2008 dogfooding. It was the way we reminded ourselves that machine accounts are security principals, and in many ways they are the most vulnerable security principals. For example, a machine account is an “authorized user” and can do the whole plethora of things which auth’d users can do, but it lacks the protection a traditional user gets from a separate user name and password that only one person knows. Machine accounts manage their own passwords, but they’ll let any schmuck who can run something in machine context “use” them.
This has a few implications. From the AD perspective, when we’ve thought about machine accounts, it’s usually been in the context of life cycle management of data in the directory. You know, find all the machines which haven’t reset their passwords in 45 days (a domain member changes its own machine password every 30 days by default, so 45 leaves a margin), assume this means they aren’t on the network anymore, and delete the object. Good housekeeping maneuver.
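Here is what that housekeeping maneuver looks like in practice. This is an added example, not code from the original post: it lists enabled computer accounts whose machine password has not changed in 45 days and, if asked, disables them instead of deleting them outright, so a mistake can be undone. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify computer objects; the OU path, the threshold and the parameter names are assumptions.

```powershell
# Added example: stale machine-account sweep. Not from the original post.
# Assumes the ActiveDirectory module; $SearchBase and $StaleDays are assumptions.
param(
    [int]$StaleDays = 45,
    [string]$SearchBase = "OU=Workstations,DC=corp,DC=example,DC=com",
    [switch]$Disable
)

Import-Module ActiveDirectory

# A member machine rotates its own password every 30 days by default, so a
# PasswordLastSet older than 45 days means it has not talked to a DC lately.
$cutoff = (Get-Date).AddDays(-$StaleDays)

$stale = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, LastLogonTimestamp, OperatingSystem |
    Where-Object {
        # A computer object that never set a password is stale as well.
        ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
    } |
    Select-Object Name, DNSHostName, DistinguishedName, OperatingSystem, PasswordLastSet,
        @{ Name = 'LastLogon'; Expression = {
            # LastLogonTimestamp is a FILETIME; it is only replicated every ~14 days,
            # so it is a second opinion, not the primary signal.
            if ($_.LastLogonTimestamp) { [DateTime]::FromFileTime($_.LastLogonTimestamp) } } }

$stale | Sort-Object PasswordLastSet | Format-Table -AutoSize

if ($Disable) {
    foreach ($c in $stale) {
        # Disable rather than delete, and stamp the object so whoever finds it
        # disabled later knows why and when.
        $note = "Disabled {0:yyyy-MM-dd}: machine password stale since {1:yyyy-MM-dd}" -f (Get-Date), $c.PasswordLastSet
        Set-ADComputer -Identity $c.DistinguishedName -Enabled $false -Description $note
    }
}
```

Run it without `-Disable` first and read the list. Domain controllers are kept out by scoping `$SearchBase` to a workstation OU, but things like cluster name objects and virtual machines that sit powered off for months will also show up here, which is exactly why the script disables instead of deleting: a machine that comes back can be re-enabled without rejoining the domain.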
With Windows Server 2008, and specifically with Read Only Domain Controllers, machine accounts became a little bit more important. Do you let their passwords replicate to the RODC? What happens if the user’s password is cached on the RODC, but the machine’s isn’t? The RODC can’t issue a service ticket for that machine on its own; it has to forward the request to a writable DC, and if the WAN link is down: no service ticket, no work-ey…
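A quick way to catch the “user cached, machine not cached” mismatch before the WAN link goes down. This is an added example, not code from the original post: it asks an RODC which accounts it has actually cached, compares that with the enabled computer accounts in the branch OU, and optionally adds the missing computers to the RODC’s allowed list. It assumes the ActiveDirectory module and that branch users and computers live under one OU; the RODC name, OU path and parameter names are assumptions.

```powershell
# Added example: RODC password-replication sanity check. Not from the original post.
# Assumes the ActiveDirectory module; $Rodc and $BranchOU are assumptions.
param(
    [string]$Rodc = "BRANCH-RODC1",
    [string]$BranchOU = "OU=Branch,DC=corp,DC=example,DC=com",
    [switch]$Fix
)

Import-Module ActiveDirectory

# Accounts whose secrets this RODC currently holds (not merely is allowed to hold).
$revealedDNs = @{}
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    ForEach-Object { $revealedDNs[$_.DistinguishedName] = $true }

$computers = @(Get-ADComputer -SearchBase $BranchOU -Filter 'Enabled -eq $true')
$users     = @(Get-ADUser     -SearchBase $BranchOU -Filter 'Enabled -eq $true')

$cachedUsers       = @($users     | Where-Object {      $revealedDNs.ContainsKey($_.DistinguishedName) })
$uncachedComputers = @($computers | Where-Object { -not $revealedDNs.ContainsKey($_.DistinguishedName) })

"{0} of {1} branch users cached on {2}; {3} of {4} branch computers NOT cached" -f `
    $cachedUsers.Count, $users.Count, $Rodc, $uncachedComputers.Count, $computers.Count

# These are the machines a cached user could still fail to log on to when the
# writable DC is unreachable: the RODC has no key to encrypt their service tickets.
$uncachedComputers | Select-Object Name, DistinguishedName | Format-Table -AutoSize

if ($Fix -and $uncachedComputers.Count -gt 0) {
    # Allowing the computers lets the RODC replicate their secrets; the secret is
    # actually cached the next time each machine authenticates through the RODC,
    # or right away if you pre-populate it with: repadmin /rodcpwdrepl
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $uncachedComputers
}
```

Note the difference between *allowed* and *revealed*: the Password Replication Policy says what the RODC may cache, `-RevealedAccounts` says what it has cached. A machine can be on the allowed list and still not be cached if it has only ever authenticated over the WAN to a writable DC, which is the case the pre-population step covers. Many shops prefer to manage this by membership in the “Allowed RODC Password Replication Group” rather than per-RODC allowed lists; the check above works the same way either way, since it reads the revealed set.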
In the federated identity world specifically, we branch this thought process out a little bit further: we want to treat the people like people, and the computers like people, but we also treat the applications like people too! This actually isn’t specific to federated identity, because we all do this all the time anyway; we just use fancy words like “service accounts”, “application pools”, and “delegation”. But at the end of the day, what we’re doing is making the application “authenticate” so that it can be “authorized” to perform some function… huh, sounds just like machines and people…
So I’ll leave this for now, to let you munch on it for a bit. Just remember that your users aren’t the only users you have: machines, and in some cases applications, are people too, and when you’re considering things like security policy, you shouldn’t forget it.