
Microsoft announced the configuration baseline settings draft release for Windows 10 v1903 (19H1) and Windows Server v1903, as well as the intention to drop password expiration policies starting with the Windows 10 May 2019 Update.
Once removed, the preset password expiration settings should be replaced by organizations with more modern and better password-security practices such as multi-factor authentication, detection of password-guessing attacks, detection of anomalous logon attempts, and the enforcement of banned-password lists (such as Azure AD's password protection, currently available in public preview).
However, as Redmond further explains, "While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values."
Back in 2016, the United States National Institute of Standards and Technology (NIST) also advised government organizations to remove password expiration policies and recommended forcing password changes only after fraudulent activity is observed.
As detailed in the 'Special Publication 800-63-3: Digital Authentication Guidelines', "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
Password-expiration policies an obsolete mitigation
Microsoft's Aaron Margosis states that a password expiration mechanism requiring periodic password changes is in itself a flawed defense: once a password is stolen, mitigation measures should be taken immediately rather than waiting for the password to expire under the configured policy.
In addition, the soon to be removed policies are "a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity."
As further explained by Microsoft in the draft release for the Windows 10 version 1903 configuration baseline settings:
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.
Removing the password-expiration policies without adding other password-oriented security configurations does not directly translate into a decrease in security; rather, it underlines that security-conscious organizations need to implement extra measures to protect their users' accounts.
As Microsoft further detailed, "to try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies – we are not proposing changing requirements for minimum password length, history, or complexity."
More changes to the security configuration baseline settings
The just-published security baseline draft also proposes to stop enforcing that the built-in Administrator and Guest accounts be disabled.
This would allow administrators to enable the two accounts when they are needed, but removing this policy does not mean the accounts will be enabled by default.
Microsoft also added a number of other changes to the Windows 10 v1903 and Windows Server v1903 draft baseline and a number of additional modifications are also being considered:
- Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.
- Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
- Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
- Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. We have added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.
- Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.
- Dropping the password-expiration policies that require periodic password changes.
- Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. We are removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. On some hardware there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.
- Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behavior.
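As an added example that is not part of the article or of Microsoft's baseline package, the following PowerShell script reports how a local machine compares with the LLMNR, NetBT NodeType and svchost mitigation items listed above, and prints the local maximum password age for reference. The LLMNR and NetBT registry paths are the documented policy locations; the SCMConfig value for the svchost mitigation policy and all expected values are this script's own assumptions, not output from the baseline.

```powershell
# Added audit script (not from the article or the baseline package).
# Compares local registry state against the assumed baseline values below.
$checks = @(
    @{ Name     = 'LLMNR disabled (Turn off multicast name resolution)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Value    = 'EnableMulticast'; Expected = 0 },
    @{ Name     = 'NetBT NodeType = P-node (no broadcast registration/resolution)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Value    = 'NodeType'; Expected = 2 },
    # Assumed location of the "Enable svchost.exe mitigation options" policy.
    @{ Name     = 'svchost.exe mitigation options enabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'
       Value    = 'EnableSvchostMitigationPolicy'; Expected = 1 }
)

foreach ($c in $checks) {
    # A missing value means the policy is simply not configured, not a failure.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = '<not set>'
        $status = 'NOT CONFIGURED'
    } else {
        $actual = $item.($c.Value)
        $status = if ($actual -eq $c.Expected) { 'OK' } else { 'DEVIATES' }
    }
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Status   = $status
    }
}

# Password expiration is no longer prescribed by the draft baseline, so the
# local maximum password age is only reported here, not graded.
net accounts | Select-String 'Maximum password age'
```

Run it in an elevated PowerShell session on the machine you want to compare; an OK status only means the registry value matches the assumed expected value, not that the setting came from Group Policy.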
The Windows 10 v1903 Security Baseline draft is available for download, including Group Policy Object (GPO) backups and reports, scripts to apply settings to the local GPO, and Policy Analyzer rules files.
With this draft release, Redmond also provides administrators with spreadsheets documenting in detail all security settings and group policies for Windows 10 version 1903 and Windows Server version 1903 "along with the Microsoft-recommended configuration of those settings for well-managed enterprise systems", as well as Policy Analyzer rules files for each security baseline.
Comments
bobsage - 11 months ago
So will expiration be removed from Active Directory for AD accounts as well or is this only for local accounts?
britechguy - 11 months ago
Hallelujah!!! Password expiration has been an exercise in stupidity and futility since it started. If you have a secure password that you've never shared, why on earth change it if no suspicious activity has ever been observed?
I've used the same passwords on certain things for decades, and those are no more likely to be guessed or brute-force cracked today than the day they were chosen. No one else has the slightest idea of what they are, either.
GT500 - 11 months ago
This is a good change. Changing a password only helps after the password has been compromised, or if you're increasing the complexity of the password to make brute force attacks more difficult.
The only way the average password changing policy would thwart a brute force attack would be if the user changed the password in the middle of the attack, and happened to change it to something the brute force attack had already tried. Unfortunately that would just make it easier for the next brute force attack to guess the correct password, so unless the user is changing passwords hourly then it's useless against a brute force attack.
It wouldn't even help against phishing, unless the user's password was changed before the stolen credentials could be used, and the odds of that are pretty slim.
The only real thing I can think of that a password changing policy might help with is coworkers figuring out your password. Considering the fact that threats from outside an organization are now more significant than threats from inside an organization, this does not seem like a good reason to maintain such a policy. Especially since when confronted with a password changing policy users tend to use even more simplistic passwords that are easier to remember, and then cycle through the same few every time they need to change their password, which ends up reducing password security rather than strengthening it.
lefty_x0 - 11 months ago
delete
lefty_x0 - 11 months ago
Please, poke a hole in my reasoning regarding this. While this change is good, I am personally missing a discussion on Windows 10 MFA support.
Have been evaluating Windows Hello for Business for a while (PIN/fingerprint reader and IR camera) and I am pretty far from advising us to deploy it on a wide scale in production.
Primary reasons are that WHfB is too limited and not end-user friendly:
- User would still need to remember their passwords for when using RDP (alternatively deploy 1809 and certificate based WHfB authentication)
- Biometric devices are not always working properly
- A computer with the combination of PIN, biometrics and password is open for more attacks. Being able to login with a 6 digit PIN alone is of course a decrease in security. Forcing a strong, alphanumeric PIN is not much better (for a user) than a password and will likely be the same.
If Windows 10 would support PIN + Microsoft Authenticator notification for logon (otherwise full password), that would be better to deploy on a large scale.
Or? :)
NMI - 11 months ago
A PIN is more secure than a password because it only applies to one device:
Why a PIN is better than a password:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
lefty_x0 - 11 months ago
Yes, read their passwordless strategy. So far I am with Microsoft. EXCEPT that on that device you are now lowering the security if your PIN security policy is as strong as your password policy. Easier to manage forgotten passwords than PINs as well.
Regardless of security and management, native MFA login in Windows 10 would be "the right way" to do it, imho.
NickAu - 11 months ago
Is 123456 a good password?