Microsoft Announces New Windows 10 Password And Encryption Security Defaults


Last month I reported that Microsoft had decided to make an important change to password policy for Windows 10 users and now that change has been formalized. It's been a while in the making, but Microsoft has finally confirmed important changes to the recommended guidance for IT administrators looking to secure the Windows 10 operating system by way of group policy. Aaron Margosis, a principal consultant with Microsoft, has announced the final release of the security configuration baseline settings for Windows 10 version 1903.

While the latest Windows update doesn't bring many new group policy settings as such, and Microsoft itself only recommends configuring two of them, there are other changes to existing settings including some that were in the draft version referenced in my previous article.

While not changing the baseline requirements as they apply to minimum password length, history, or complexity, dropping the password expiration policy recommendation remains top of the list in my book. Margosis says that this is being done as periodic password expiration is "a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity." As Margosis points out, if the password is never stolen then there is no need to ever expire it; if there's evidence that it has been stolen then it would be changed immediately rather than waiting for it to expire anyway. By removing the expiration requirement from the Microsoft baseline rather than recommending a particular value or no expiration, Margosis rightly concludes that "organizations can choose whatever best suits their perceived needs without contradicting our guidance." I've said it before, and no doubt will again, that forcing users to change passwords over relatively short timeframes inevitably leads to those users choosing the simplest, and therefore most memorable, passwords possible. And that's not good security practice.

So what else has changed? Next on the list of interesting things that have been dropped is encryption. Not entirely, of course, but rather when it comes to advice regarding what BitLocker encryption method and cipher strength to use for the baseline security policy. Previously Microsoft had insisted that this should be the strongest available BitLocker encryption, simple as that. You might be surprised that Microsoft is no longer insisting on 256-bit encryption where available. The reasoning behind this is sound enough though, namely that the 128-bit encryption default is seen as being in no danger of "being broken in the foreseeable future." Although this is true enough, stronger is usually better when it comes to security posture, so why this advice? It's all down to balancing that security risk against the likely performance hit. Given that Microsoft has concluded the risk from using 128-bit instead of 256-bit is relatively low, it all comes down to performance. "On some hardware there can be noticeable performance degradation going from 128-bit to 256-bit," Margosis says, adding that many devices turn on BitLocker by default and use the default algorithms. "Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting," he continues, "which creates temporary security exposure as well as user impact."

The security baseline requirements covering the "turn off data execution prevention" and "turn off heap termination on corruption" settings for File Explorer have also been scrapped. Quite why it has taken all of two years to reach this inevitable conclusion is beyond me. It was back in June 2017 that influential Microsoft developer Raymond Chen explained that configuring them just enforces default behaviors and suggested users should "go ahead and disable those policies in your organization."

The final dropped requirement concerns the default disabling of the built-in administrator and guest accounts. To understand why, you have to appreciate that these security baselines need to be manageable, so cutting the slack is always a favorable option when they get reviewed. And slack is what has been cut here. As Margosis says, enforcing the secure default of disabling these accounts does not meet the criteria for a baseline setting, namely that it addresses something non-administrative users could override or that misinformed admins might configure poorly. This doesn't mean that Microsoft is recommending these accounts be enabled, and dropping the settings won't enable them. "Removing the settings from the baselines simply means that administrators can now choose to enable these accounts as needed," Margosis concludes.
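For administrators who want to see where a given Windows 10 machine stands on the four items discussed above, here is an audit script written as an added example for this article (it is not Microsoft's code and is not part of the Security Compliance Toolkit). It assumes the registry path and value names under the Explorer policy key are the ones the two File Explorer group policies write, and it should be run from an elevated PowerShell prompt.

```powershell
# Added example: report the current state of the four baseline items on this machine.
# Assumption: the File Explorer policies live at the registry path and value names below.

$report = [ordered]@{}

# 1. Password expiration: the baseline no longer mandates a maximum password age.
$maxAgeLine = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
$report['MaxPasswordAge'] = ($maxAgeLine -replace '.*:\s*', '').Trim()

# 2. BitLocker: the 128-bit default is now acceptable; what matters is that volumes
#    are encrypted at all, so list method and status per volume.
$report['BitLocker'] = Get-BitLockerVolume | ForEach-Object {
    '{0} {1} {2}' -f $_.MountPoint, $_.VolumeStatus, $_.EncryptionMethod
}

# 3. File Explorer DEP / heap termination on corruption: the dropped baseline settings
#    merely enforced the defaults. A value of 1 here would switch a mitigation off,
#    which is the state worth flagging.
$explorerPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
foreach ($name in 'NoDataExecutionPrevention', 'NoHeapTerminationOnCorruption') {
    $value = (Get-ItemProperty -Path $explorerPolicy -Name $name -ErrorAction SilentlyContinue).$name
    $report[$name] = if ($null -eq $value) { 'not configured (default behavior, mitigation on)' }
                     elseif ($value -eq 1) { 'WEAKENED: mitigation turned off by policy' }
                     else { 'explicitly kept on' }
}

# 4. Built-in Administrator (RID 500) and Guest (RID 501): no longer forced off by the
#    baseline, so report whether each is currently enabled.
Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } | ForEach-Object {
    $report["Account $($_.Name)"] = if ($_.Enabled) { 'ENABLED' } else { 'disabled' }
}

$report
```

A "WEAKENED" or "ENABLED" line is not a baseline violation under the new guidance, but it is the kind of local deviation an administrator should be able to explain.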

All the new baseline settings are available to download with immediate effect from the Microsoft Security Compliance Toolkit.
