
Windows 10 1903, Windows Server 1903 to drop password expiration requirements in proposed security guidelines

The AchieVer




Today on the Microsoft Security Guidance blog, the company has published an explanation of its draft release of its security configuration baseline settings for Windows 10 1903 and Windows Server 1903. This document sets guidelines for Group Policy baseline settings, and with this latest draft there are some significant changes. Among the most noteworthy is a change to no longer set password expiration policies that require “periodic password changes,” a long-standing baseline that Microsoft says has become “an ancient and obsolete mitigation of very low value.”


The blog post goes on to explain why Microsoft is dropping the password expiration policy, noting first that “we are not proposing changing requirements for minimum password length, history, or complexity:”

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

While the baseline guidelines are dropping the outdated expiration policy, the blog post also notes that “we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines,” adding that Azure AD password protection and multi-factor authentication are much better alternatives.


In addition to the news about password expiration, the default disabling of the built-in Guest and Administrator accounts is also being proposed for elimination.

Note that removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.

The proposed guidelines are just that, proposed, and interested parties can download the draft and comment via the blog post.





Microsoft tells IT admins to nix 'obsolete' password reset practice

The company now says forcing users to routinely reset passwords at pre-set time intervals doesn't work as well as other security options.


Microsoft last week recommended that organizations no longer force employees to come up with new passwords every 60 days.


The company called the practice - once a cornerstone of enterprise identity management - "ancient and obsolete" as it told IT administrators that other approaches are much more effective in keeping users safe.


"Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value," Aaron Margosis, a principal consultant for Microsoft, wrote in a post to a company blog.


In the latest security configuration baseline for Windows 10 - a draft for the not-yet-in-general-release "May 2019 Update," aka 1903 - Microsoft dropped the idea that passwords should be frequently changed. The Windows security configuration baseline is a massive collection of recommended group policies and their settings, accompanied by reports, scripts and analyzers. Previous baselines had advised enterprises and other organizations to mandate a password change every 60 days. (And that was down from an earlier 90 days.)


No longer.


Margosis acknowledged that policies to automatically expire passwords - and other group policies that set security standards - are often misguided. "The small set of ancient password policies enforceable through Windows' security templates is not and cannot be a complete security strategy for user credential management," he said. "Better practices, however, cannot be expressed by a set value in a group policy and coded into a template."

Among those other, better practices, Margosis mentioned multi-factor authentication - also known as two-factor authentication - and banning weak, vulnerable, easily-guessed or frequently revealed passwords.


Microsoft is not the first to doubt the convention.

Two years ago, the National Institute of Standards and Technology (NIST), an arm of the U.S. Department of Commerce, made similar arguments as it downgraded regular password replacement. "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)," NIST said in a FAQ that accompanied the June 2017 version of SP 800-63, "Digital Identity Guidelines," using the term "memorized secrets" in place of "passwords."


Then, the institute had explained why mandated password changes were a bad idea this way: "Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password."


Both the NIST and Microsoft urged organizations to require password resets when there is evidence that the passwords had been stolen or otherwise compromised. And if they haven't been touched? "If a password is never stolen, there's no need to expire it," Microsoft's Margosis said.


"I agree 100% with Microsoft's logic for enterprises, which are who uses [group policies] anyway," said John Pescatore, the director of emerging security trends at the SANS Institute. "Forcing every employee to change passwords at some arbitrary period almost invariably causes more vulnerabilities to appear in the password reset process (because there are now frequent spikes of users forgetting their passwords) which increases risk more than the forced password reset ever decreases it."

Like Microsoft and NIST, Pescatore thought periodic password resets are the hobgoblins of little minds. "Having [this] as part of the baseline makes it easier for security teams to claim compliance, because auditors are happy," Pescatore said. "Focusing on password reset compliance was a huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago. Great example of how compliance does not equal security."


Elsewhere in the Windows 10 1903 draft baseline, Microsoft also dropped policies for the BitLocker drive encryption method and its cipher strength. The prior recommendation was to use the strongest available BitLocker encryption, but that, Microsoft said, was overkill ("Our crypto experts tell us that there is no known danger of [128-bit encryption] being broken in the foreseeable future," Margosis of Microsoft contended) and could easily degrade device performance.


Microsoft also asked for feedback on another proposed change that would dump the forced disabling of Windows' built-in Guest and Administrator accounts. "Removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled," Margosis said. "Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed."


The draft baseline can be downloaded from Microsoft's website as a .zip archived file.


Source: Microsoft tells IT admins to nix 'obsolete' password reset practice (Computerworld - Gregg Keizer)

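As an added illustration of the credential policy both articles describe (this is not code from either article, from Microsoft or from NIST), a small Python model: a reset is driven by evidence of compromise rather than by password age, and a history check rejects the "increase a number" style transformations NIST warns users fall back on when forced to change. The `min_length` default and the banned-word set are assumed placeholders, not values from the baseline.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Strip case and leading/trailing digit or symbol runs so "Summer2019!" and
# "Summer2020!!" reduce to the same stem ("summer"): the NIST-described
# transformation of bumping a number or appending a character.
def _stem(password: str) -> str:
    s = password.lower()
    s = re.sub(r"^[\d!@#$%^&*]+", "", s)
    return re.sub(r"[\d!@#$%^&*]+$", "", s)

def is_trivial_variant(new: str, old: str) -> bool:
    """True when `new` is `old` with only a cosmetic transformation applied."""
    if new.lower() == old.lower():
        return True
    stem_old = _stem(old)
    return bool(stem_old) and _stem(new) == stem_old

@dataclass
class Account:
    user: str
    password_set: date
    compromised: bool = False  # breach match, credential-theft alert, etc.

def needs_reset(acct: Account, today: date,
                max_age_days: Optional[int] = None) -> Optional[str]:
    """Return the reason a reset is required, or None.
    With max_age_days=None (the draft-baseline stance) age alone never forces a reset."""
    if acct.compromised:
        return "evidence of compromise"
    if max_age_days is not None and (today - acct.password_set) > timedelta(days=max_age_days):
        return f"older than {max_age_days} days"
    return None

def validate_change(new: str, history: List[str], banned: Set[str],
                    min_length: int = 14) -> Optional[str]:
    """Apply the controls the baseline keeps (length, history) plus a banned-word
    list in the spirit of Azure AD password protection. Returns a rejection reason or None.
    min_length=14 is an assumed placeholder, not the baseline's value."""
    if len(new) < min_length:
        return "too short"
    if new.lower() in banned:
        return "banned password"
    for old in history:
        if is_trivial_variant(new, old):
            return "trivial variant of a previous password"
    return None
```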

Similar topics merged. <blush>
