Why administrative passwords will never be like nuclear missile launchers
During the past few months many people have lamented that Windows lacks a nuclear missile style control option for administrator passwords. Surely you've read about or seen photographs of missile silos where two operators, separated by a distance greater than the span of a single human's arms, must each simultaneously turn a key in a switch to launch a missile. Such a fail-safe is important when considering missile launches: presumably a nation can't thus be committed to global thermonuclear war on the deranged whims of a single raving lunatic.
At first glance, it seems reasonable to allow for similar control over domain and enterprise administrator accounts. A while back I wrote about the fundamental requirement of trust in administrators; missile control-style passwords (is there some official term for this?) might lessen the requirement for such trust, goes the thinking. Well, I'm not convinced that the logic that works for missile silos extends to administrator passwords. Let's examine the differences.
It works for missile silos because the fail-safe is tuned to the characteristics of its environment. It takes two keys, each of which must be rotated simultaneously, and they're separated by around ten feet or so: therefore, two humans absolutely are required. To accidentally or intentionally launch a missile when not under orders, both people must be either equally stupid or equally insane -- and in the second case, also equally trust that each is, in fact, a criminal, rather than one acting as a double agent attempting to entrap the other. Furthermore, both operators perform the function in full view of a whole lot of government staff and military officers. The environment and the fail-safe work together to keep the deadly missiles in the ground. Another important aspect is this: the silo and its control system are designed by and operated by the same entity, the government.
Now compare that to a domain controller. Let's say that it's possible to enable a feature that requires entering two passwords. Where would you do this? A logon screen with two password entry fields lacks both physical and human separation: one person could enter both passwords if he or she knew them. It's no better with smartcards -- again, one person could insert both cards into the readers. Replicating a silo-like environment using a pair of computers isn't the answer, because unlike the silos and their control systems, Microsoft designs Windows but you operate it. The fail-safe works for the silos because of the required physical separation. Microsoft can't dictate, and certainly can't enforce, that you have two domain controllers, separated by at least ten feet. Not everyone can afford all the necessary hardware; plus, think of the demands that would place on space and power in a data center. And besides, even with separated domain controllers, a malicious admin need only enter the first password or insert the first smartcard in one computer, then wheel over to the other one and enter the second password or smartcard there. I'm not sure there's a way to check for simultaneous credential entry.
Separation and delegation of administrative duties is, of course, a good and important concept, one that we'll continue to refine throughout the operating system. There's a lot of power granted to administrators right now; we will help you segregate this power among multiple roles (humans) in your organization. But because of the nature of computer systems, any human granted a particular bit of administrative power must be trusted with that power. Computer systems and the data they store, process, and protect aren't silos; applying silo-style security is the wrong approach to mitigating security risk.
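The two points above can be made concrete in code. The following is an added example, not code from the original post or from Windows: the first part models a logon gate that demands two passwords and shows that the check itself cannot tell one person who knows both secrets from two people, which is the post's objection; the second part models the alternative the post points to, splitting administrative power into roles held by different people, with a static separation-of-duty rule that refuses to give one person both roles of a conflicting pair. The role names, people and passwords are constructed for the demonstration.

```python
"""Added example: two-password logon vs. separation of duties by role.

Everything here (people, role names, passwords) is constructed sample data.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored verifier is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class TwoPasswordGate:
    """A logon that requires two passwords.

    Both verifiers must match, but nothing in unlock() can observe whether
    one person or two supplied them: the check has no notion of who typed.
    """

    def __init__(self, first: str, second: str):
        self._salt1, self._salt2 = os.urandom(16), os.urandom(16)
        self._h1 = _hash(first, self._salt1)
        self._h2 = _hash(second, self._salt2)

    def unlock(self, entered_first: str, entered_second: str) -> bool:
        ok1 = hmac.compare_digest(_hash(entered_first, self._salt1), self._h1)
        ok2 = hmac.compare_digest(_hash(entered_second, self._salt2), self._h2)
        return ok1 and ok2


class RoleModel:
    """Administrative power split into roles, with static separation of duty.

    `conflicts` lists pairs of roles that must never be held by one person;
    assign() refuses any assignment that would complete such a pair.
    """

    def __init__(self, conflicts: set[frozenset[str]]):
        self.conflicts = conflicts
        self.assignments: dict[str, set[str]] = {}

    def assign(self, person: str, role: str) -> bool:
        held = self.assignments.setdefault(person, set())
        for other in held:
            if frozenset({other, role}) in self.conflicts:
                return False  # would give one human both halves of the power
        held.add(role)
        return True

    def can(self, person: str, role: str) -> bool:
        return role in self.assignments.get(person, set())


def demo() -> dict:
    """Run both models on constructed data and return the outcomes."""
    gate = TwoPasswordGate("correct horse", "battery staple")
    results = {
        # One caller who knows both secrets is indistinguishable from two people.
        "one_person_with_both": gate.unlock("correct horse", "battery staple"),
        "one_secret_wrong": gate.unlock("correct horse", "wrong"),
    }
    model = RoleModel(conflicts={frozenset({"schema-admin", "backup-operator"})})
    results["alice_schema"] = model.assign("alice", "schema-admin")     # granted
    results["alice_backup"] = model.assign("alice", "backup-operator")  # refused
    results["bob_backup"] = model.assign("bob", "backup-operator")      # granted
    results["alice_can_backup"] = model.can("alice", "backup-operator")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The role model limits what any one trusted administrator can do alone, but it does not remove the post's underlying point: Alice must still be trusted with schema administration and Bob with backups, and the rule is only as good as the process that assigns roles.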
Comments
Anonymous
January 01, 2003
Many IT people I know require their users to come up with complex passwords and require them to change
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
Are there really only the two operators in the control room? I thought there'd be a lot more folks hanging around, meaning that if Alice shot Bob, someone else almost certainly would immediately shoot Alice. Assuming that folks in the control room can be armed, of course.
Anonymous
November 21, 2006
It's great to see you posting again. The Trustworthy Administrator article is an interesting read!
Anonymous
November 21, 2006
The comment has been removed
Anonymous
November 21, 2006
But you've got to admit, the idea of having the "two keys" option to some uberadmin account really does seem cool sometimes! The whole two keys ten meters apart thing really does endow the keyholder with a real sense of importance they may otherwise not get elsewhere :) People, in my experience, are led almost solely on how secure they perceive themselves/their companies to be, so often in ignorance of the "real" truth - buying this kind of mumbo jumbo increases their perceived level of security and makes them happy. This is only really ever challenged if companies are ever hacked AND they actually discover this. But does it matter? Many small to mid sized companies make good "script kiddie" targets but are of little interest to other commercial organisations. Should they care? When does security become philosophy? ;)
Anonymous
November 23, 2006
I have used and on occasions mandated the password split into two parts because (a) perception of security mattered in the project being delivered - ah the politics of project delivery (b) doing so provided at least a slowdown in attacking the account in question as both safes / teams in management of the safes needed to be compromised or persuaded to act together. Doing this can be of value in some situations but only delivers an incremental increase in security, if that, on the never ending path toward security and sometimes a little is a lot better than nothing at all.
Anonymous
November 24, 2006
The comment has been removed
Anonymous
November 28, 2006
The comment has been removed
Anonymous
December 08, 2006
The comment has been removed
Anonymous
December 22, 2006
The comment has been removed