Posted by: kurtsh | June 18, 2019

INFO: No, we are *not* dropping password expiration policies in Windows 10 1903

We are not “dropping the ability to enforce a password expiration policy in Windows 10 1903”.  Not via Group Policy (.ADMX), not via Local Security Policy on the computer itself.  The “Maximum password age” setting is still in the operating system and still works exactly as before.

MISINTERPRETING A MICROSOFT SECURITY BLOG POST
I believe a number of articles have incorrectly interpreted Aaron Margosis’ blog post, “Security Baselines for Windows 10 1903”, which explains that we are no longer making password expiration part of the “Security Baseline” compliance check for Windows 10 1903.

(Again, Aaron is talking about the Security Baseline for Windows 10 1903.  He never says anything about the Windows 10 1903 operating system itself.)

WHAT’S A SECURITY BASELINE?
For those unaware, “Security Baselines” are Microsoft-recommended sets of configuration settings, something like a checklist, that can be applied and audited automatically to see whether an installation of a Microsoft product adheres to the policies in the list.  They define a “minimum bar or threshold of compliance” that a company should maintain on its computers to stay aligned with Microsoft’s recommendations for enterprise security, and they are useful for audits, readiness reports, etc.  They are recommendations, not operating-system features: removing a setting from a baseline changes what we recommend, not what Windows is able to enforce.  We have “Security Baselines” not just for Windows, but also for SQL Server, Office, etc.

Here’s a line from the post highlighting that we’re talking about the Security Baseline for Windows 10, not Windows 10 itself:

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance.

CONFIRMATION FROM AARON MARGOSIS, AUTHOR OF THE ORIGINAL POST
Aaron responded to a similar misinterpretation here:

[Aaron Margosis] I think you might be misunderstanding what we’re doing. You can still configure password expiration if you want (where “want” can include “we’re forced to by some regulation”). The password-expiration security option is still in Windows and will remain there. We are simply no longer recommending it as part of our GPO-centric security baselines. And as the post says, we recommend better alternatives including MFA and Azure AD Password Protection but those recommendations can’t be expressed within these baselines. As far as “all compliance standards” go, we have no control over them or their timelines, and it doesn’t make much sense for us to wait for them all. We need to be the last to change?

BTW, none of these controls will help with passwords shared across multiple environments.

(Oh, and one more thing, to really double-click on this matter: I’ve actually talked with Aaron Margosis about this internally here at Microsoft, and he confirmed that his blog post has indeed been misinterpreted and that no such changes have been made to Windows 10.  I get the feeling, however, that he doesn’t have time to correct everyone who has misreported his comment about the changes that were made to the Windows 10 Security Baseline.)

SO WHAT EXACTLY HAS CHANGED IN WINDOWS 10 1903:
If you want to see what in fact did change in Windows 10 1903, we have that documented online here:

(You’ll note it never says anything about “removing password expiration policies”.)
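If you want to see this for yourself rather than take anyone’s word for it, the following PowerShell is an added example (it is not from the original post, from Aaron’s post, or from the Security Compliance Toolkit).  It reads the effective “Maximum password age” on a Windows 10 1903 machine from the exported local security policy, changes it, reads it back, and restores the original value.  It assumes an elevated Windows PowerShell 5.1 session on the machine being checked; the function names Get-LocalPasswordPolicy and Set-LocalMaximumPasswordAge are mine, not built-in cmdlets.

```powershell
# Added example, not code from the original post or from Microsoft's baseline tooling.
# Shows that the "Maximum password age" control is still present and configurable on
# Windows 10 1903, independent of what the Security Baseline does or does not recommend.
# Assumptions: elevated Windows PowerShell 5.1 on the machine being checked (secedit and
# net accounts both need administrator rights); the two function names are my own.

function Get-LocalPasswordPolicy {
    # Export the effective local security policy (the same values Local Security Policy
    # and a domain GPO both write) and read the [System Access] section of the INF.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit /export failed with exit code $LASTEXITCODE (is the session elevated?)"
    }

    $section = ''
    $values  = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue

    # In the exported INF, MaximumPasswordAge = -1 means "password never expires";
    # a fresh Windows install defaults to 42 days.
    $maxAge = [int]$values['MaximumPasswordAge']
    [pscustomobject]@{
        MaximumPasswordAgeDays = $maxAge
        ExpirationEnforced     = ($maxAge -gt 0)
        MinimumPasswordLength  = [int]$values['MinimumPasswordLength']
        PasswordHistorySize    = [int]$values['PasswordHistorySize']
        PasswordComplexity     = ([int]$values['PasswordComplexity'] -eq 1)
    }
}

function Set-LocalMaximumPasswordAge {
    # Same knob the "Maximum password age" policy setting controls: 1-999 days, or
    # UNLIMITED to turn expiration off. On a domain-joined machine the domain password
    # policy (Default Domain Policy or a fine-grained password policy) overrides this.
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^(?i:unlimited|[1-9]\d{0,2})$')]
        [string]$Days
    )
    & net.exe accounts "/maxpwage:$Days" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

# --- usage ---
$before = Get-LocalPasswordPolicy
"Maximum password age before: {0} day(s); expiration enforced: {1}" -f `
    $before.MaximumPasswordAgeDays, $before.ExpirationEnforced

if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Write-Warning 'Domain-joined: the domain password policy wins over the local value shown above.'
    if (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
        # Only available with the RSAT ActiveDirectory module installed.
        (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }
}

# Prove the control still functions: set 60 days, re-read the effective policy, restore.
Set-LocalMaximumPasswordAge -Days 60
(Get-LocalPasswordPolicy).MaximumPasswordAgeDays

$restore = if ($before.ExpirationEnforced) { $before.MaximumPasswordAgeDays } else { 'UNLIMITED' }
Set-LocalMaximumPasswordAge -Days $restore

# Per-account view: PasswordExpires is empty when expiration does not apply to the account.
Get-LocalUser | Where-Object Enabled | Select-Object Name, PasswordLastSet, PasswordExpires
```

The check reads the policy back through secedit rather than trusting the return code of the set, because that is the same path Local Security Policy and Group Policy use.  Keep two things in mind when you run it: on a domain-joined machine the domain’s password policy takes precedence over the local value, and because the 1903 baseline GPO no longer contains this setting at all, applying the baseline neither enables nor disables expiration; whatever else sets the value (another GPO, the local policy, or the OS default) remains in effect.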

