A system and method that uses clean groups to reduce security management
complexity. The system reduces the complexity of managing security
technologies by automatically assigning objects such as computers or
persons to clean groups that are defined by existing management
infrastructure. In an embodiment where the members are computers, an
ongoing automated process ensures that a clean group contains only
computers that satisfy specified security principles, which allows
administrators to treat all compliant computers as a single group.
Separately, members of the clean group are required to implement
self-governance: the ability to detect that they have been compromised
and to take steps to remove themselves from the clean group when they
are. In addition to attempting to remove itself from the clean group, a
compromised computer may take further steps aimed at limiting additional
damage, such as erasing or hiding its domain credentials, hiding,
protecting or disabling cryptographic keys (e.g. EFS keys), or logging
out the user.
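The two mechanisms described above, a central reconciliation pass that keeps group membership equal to the set of compliant hosts, and a per-host self-governance routine that withdraws a compromised member and takes damage-limiting actions, as an added simulation. This is example code written for this page, not code from the patent or from any product; the policy names, host attributes, compromise indicators and the `Host`/`CleanGroup` classes are assumptions, and the damage-limiting steps are recorded as an action log rather than executed. A real deployment would back the group with existing management infrastructure (for example a directory group) and the checks with agent telemetry.

```python
"""Clean-group maintenance with member self-governance (simulation).

Hypothetical model: policy names, host state keys and compromise indicators
are assumptions for this example, not the patent's own definitions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Security principles a member must satisfy, as predicates over the state a
# host reports. Names and thresholds are assumptions for the example.
Policy = Callable[[dict], bool]
POLICIES: Dict[str, Policy] = {
    "av_running": lambda s: s.get("av_running") is True,
    "patch_age_days<=7": lambda s: s.get("patch_age_days", 999) <= 7,
    "firewall_enabled": lambda s: s.get("firewall") is True,
    "no_unsigned_services": lambda s: not s.get("unsigned_services"),
}


def failed_policies(state: dict) -> List[str]:
    """Names of the principles this host state does not satisfy."""
    return [name for name, check in POLICIES.items() if not check(state)]


@dataclass
class CleanGroup:
    members: Set[str] = field(default_factory=set)
    quarantined: Set[str] = field(default_factory=set)  # need admin clearance
    log: List[str] = field(default_factory=list)

    def remove(self, name: str, reason: str, quarantine: bool = False) -> None:
        if name in self.members:
            self.members.discard(name)
            self.log.append(f"remove {name}: {reason}")
        if quarantine:
            self.quarantined.add(name)

    def reconcile(self, hosts: List["Host"]) -> Dict[str, List[str]]:
        """Central pass: membership == compliant, non-quarantined hosts.

        Policy drift is corrected automatically in both directions; a
        compromise (self-reported or otherwise) is only lifted by clear().
        """
        report: Dict[str, List[str]] = {}
        for h in hosts:
            failures = failed_policies(h.state)
            report[h.name] = failures
            if h.compromised or h.name in self.quarantined:
                self.remove(h.name, "compromised", quarantine=True)
            elif failures:
                self.remove(h.name, "; ".join(failures))
            elif h.name not in self.members:
                self.members.add(h.name)
                self.log.append(f"add {h.name}")
        return report

    def clear(self, name: str) -> None:
        """Administrator re-admits a remediated host; a host cannot do this."""
        self.quarantined.discard(name)


@dataclass
class Host:
    name: str
    state: dict
    compromised: bool = False
    actions: List[str] = field(default_factory=list)  # damage-limiting steps

    def detect_compromise(self) -> bool:
        # Hypothetical indicators: tampered agent or an unsigned service.
        s = self.state
        return bool(s.get("agent_tampered")) or bool(s.get("unsigned_services"))

    def self_govern(self, group: CleanGroup) -> bool:
        """Withdraw from the clean group on detected compromise, then limit damage."""
        if not self.detect_compromise():
            return False
        self.compromised = True
        group.remove(self.name, "self-reported compromise", quarantine=True)
        # The steps named in the text, simulated as an action log only.
        self.actions += ["erase_domain_credentials", "disable_efs_keys", "logout_user"]
        return True


def run_demo() -> dict:
    """Constructed fleet: one compliant, one unpatched, one later compromised,
    one running an unsigned service. Returns snapshots for inspection."""
    hosts = [
        Host("ws01", {"av_running": True, "patch_age_days": 2, "firewall": True}),
        Host("ws02", {"av_running": True, "patch_age_days": 30, "firewall": True}),
        Host("ws03", {"av_running": True, "patch_age_days": 1, "firewall": True}),
        Host("ws04", {"av_running": True, "patch_age_days": 0, "firewall": True,
                      "unsigned_services": ["svc_x"]}),
    ]
    group = CleanGroup()
    first_report = group.reconcile(hosts)
    after_first = set(group.members)
    ws03 = hosts[2]
    ws03.state["agent_tampered"] = True            # simulated compromise
    withdrew = ws03.self_govern(group)
    group.reconcile(hosts)
    after_compromise = set(group.members)
    ws03.state["agent_tampered"] = False           # looks clean again, still out
    group.reconcile(hosts)
    still_out = set(group.members)
    group.clear("ws03"); ws03.compromised = False  # admin remediates
    hosts[1].state["patch_age_days"] = 3           # ws02 patched
    group.reconcile(hosts)
    return {"first_report": first_report, "after_first": after_first,
            "withdrew": withdrew, "after_compromise": after_compromise,
            "still_out": still_out, "final": set(group.members),
            "ws03_actions": ws03.actions, "log": group.log}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The split between policy drift (corrected automatically on the next pass) and compromise (held in quarantine until an administrator clears it) is a design choice of this example. It reflects the practical caveat that self-governance is best effort: a host that is fully compromised may no longer withdraw itself honestly, so the central reconciliation pass, driven by evidence the host cannot forge, has to remain the backstop.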