Computers (Machine Accounts)

Posted by The Beyand | 3:46 AM | 0 comments »

When a Windows system joins a domain, a computer account is created. Computer accounts are essentially user accounts that are used by machines to log on and access resources (thus, computer accounts are also called machine accounts). The account name is the name of the machine with a dollar sign ($) appended (machinename$).

As you might imagine, to log on to a domain, computer accounts require passwords. Computer passwords are automatically generated and managed by domain controllers. (See the upcoming section Forests, Trees, and Domains.) Computer passwords are otherwise stored and accessed just like any other user account password. (See the upcoming section The SAM and Active Directory.) By default, they are reset every 30 days, but administrators can configure a different interval if they want.

The primary use for computer accounts is to create a secure channel between the computer and the domain controller for the purpose of exchanging information. By default, this secure channel is not encrypted (although some of the information that passes through it is already encrypted, such as password hashes), and its integrity is not checked (thus making it vulnerable to spoofing or man-in-the-middle attacks). For example, when a user logs on to a domain from a domain member computer, the logon exchange occurs over the secure channel negotiated between the member and the domain controller.

We've never heard of a case where exploitation of a machine account has resulted in a serious exposure, so we will not discuss this much.
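The points above (the machinename$ naming, the 30-day password rotation, and the signing/sealing state of the secure channel) can be checked from a domain-joined host. The following PowerShell is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that the caller can read computer objects in the domain. The Netlogon registry value names and the cmdlets used are real; the 30-day threshold mirrors the default described in the text.

```powershell
# Added example (not from the original post): audit machine-account hygiene
# on a domain-joined host. Assumes the RSAT ActiveDirectory module is present.

# 1. Enabled computer accounts whose password has not rotated within the
#    default 30-day interval. A machine that has gone months without a
#    password change is usually offline or decommissioned; review or disable
#    it so the stale account cannot be used to reach domain resources.
$MaxAgeDays = 30
$Cutoff = (Get-Date).AddDays(-$MaxAgeDays)

Get-ADComputer -Filter * -Properties PasswordLastSet, SamAccountName, Enabled |
    Where-Object { $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'AgeDays'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize

# 2. Local Netlogon settings that govern signing (integrity) and sealing
#    (encryption) of the secure channel, plus the machine-password rotation
#    interval. All values are REG_DWORD; MaximumPasswordAge is in days.
#    A hardened member has RequireSignOrSeal, SignSecureChannel and
#    SealSecureChannel set to 1 and DisablePasswordChange set to 0.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Settings = Get-ItemProperty -Path $NetlogonKey
[pscustomobject]@{
    RequireSignOrSeal     = $Settings.RequireSignOrSeal
    SignSecureChannel     = $Settings.SignSecureChannel
    SealSecureChannel     = $Settings.SealSecureChannel
    DisablePasswordChange = $Settings.DisablePasswordChange
    MaximumPasswordAge    = $Settings.MaximumPasswordAge
}

# 3. Confirm this host's own secure channel to a domain controller is still
#    valid; -Verbose reports which DC answered. A broken channel is the
#    usual symptom of a machine password that fell out of sync.
Test-ComputerSecureChannel -Verbose
```

The first block lists the accounts by their SamAccountName so the trailing `$` described in the text is visible in the output; the second block reads the effective local policy rather than the GPO that set it, which is what matters for the channel the host actually negotiates.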
