Microsoft has floated a new Windows security baseline that proposes to do away with its long-standing policy of requiring users to set new passwords every 60 days.
Security baselines are Microsoft’s advice to users on how best to secure Windows, which isn’t easy because as Microsoft explains, “there are over 3000 Group Policy settings for Windows 10, which does not include over 1800 Internet Explorer 11 settings.”
The baselines help users and partners figure out just how to run Windows securely.
Microsoft updates the baselines continuously and late last week issued new drafts for Windows 10 version 1903 and Windows Server version 1903.
The new policy is notable for two reasons.
One is that Windows Server version 1903 is a “core” version of Windows Server – the GUI-less version recommended for deployment at scale or in situations where management software will wrangle the OS. Microsoft’s not previously offered a security baseline for Windows Server Core.
The other is some big changes to the baselines, including changing the password policy that forces a password change every 60 days Windows’ Administrator and designated guest accounts.
Microsoft employee and self-described “Windows cybersec nerd” Aaron Margosis justified the proposed change as follows:
“If an organisation has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?”
Margosis goes on to say that “Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.
“By removing it from our baseline rather than recommending a particular value or no expiration, organisations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”
Another proposed change Margosis floated would remove an option to apply 256-bit encryption for BitLocker, on grounds that “our crypto experts tell us that there is no known danger of [128-bit crypto] being broken in the foreseeable future.” He also pointed out that 256-bit crypto can deliver a performance hit to some machines.
Other changes Microsoft has proposed to its security baseline include:
Enforcing a requirement that anything running in svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed;
Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats;
Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats;
Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.
Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behaviour, as Raymond Chen describes here.