Microsoft updates Security Baseline: drops password expiration
Microsoft published a draft of the security baseline for Windows 10 version 1903, the May 2019 Update, and Windows Server 2019 (v1903).
While you can download the draft and go through it word by word, you may also head over to the Microsoft Security Guidance blog if you are just interested in the things that changed when compared to security baselines for previous versions of Windows.
The blog post highlights eight changes in particular, and at least one may make the life of computer users more convenient. Microsoft droppedÂ password expiration policies that require frequent password changes from the security baselines for Windows 10 version 1903 and Windows Server 1903.
I worked in IT support for a large German financial organization more than 15 years ago. Security policies were set to very high standards and one of the most painful policies was the enforcement of regular password changes. I cannot remember the exact interval but it happened multiple times a year and rules dictated that you had to pick a secure password, could not re-use any of the parts of the existing password, and had to follow certain guidelines in regards to password selection.
This resulted in many support requests by employees who could not remember their passwords, and others writing their new passwords down because they could not remember them.
Microsoft explains the reason behind the dropping of the password expiration policies in the blog post. Microsoft mentions the same issues that I had when I worked in IT:
When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often theyâ€™ll write them down where others can see them. When humans are forced to change their passwords, too often theyâ€™ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.
Microsoft notes that password expiration policies help against a single scenario only: when passwords get compromised. If a password does not get compromised, there is no need to change passwords regularly.
The default time period for the expiration of passwords was set to 60 days, and the Windows default is 42 days. It was 90 days in earlier baselines; that is a long time and not very effective either as a compromised password may not be changed for several weeks or even months so that an attacker may use it for that period.
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we donâ€™t believe itâ€™s worthwhile for our baseline to enforce any specific value.
Microsoft notes that other security practices improve security significantly even though they are not in the baseline. Two-factor authentication, the monitoring of unusual login activity, or enforcing a blacklist of passwords are mentioned by Microsoft explicitly.
Other changes that are noteworthy:
- Dropping the enforced disabling of the built-in Windows administrator and Guest account.
- Dropping of specific BitLocker drive encryption methods and cipher strength settings.
- Disabling multicast name resolution.
- Configuring "Let Windows apps activate with voice while the system is locked".
- Enabling the "Enable svchost.exe mitigation options" policy.
- Dropping File Explorer "Turn off Data Execution Prevention for Explorer" and "Turn off heap termination on corruption".
- Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats.
- Adding recommended auditing settings for Kerberos authentication service.
Now You: What is your take on password expiration policies?Advertisement