Alongside the draft release of the security configuration baseline settings for Windows 10 v1903 and Windows Server v1903, Microsoft has revealed its plan to drop password-expiration policies from its baselines, beginning with the Windows 10 May 2019 Update (version 1903).
Once these policies are removed, organizations should replace them with modern and more effective password-security practices such as multi-factor authentication, detection of password-guessing attacks, detection of anomalous logon attempts, and the enforcement of banned-password lists.
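One of the replacements the article lists, detection of password-guessing attacks, can be built from the failed-logon events Windows already records. The PowerShell below is an added example, not Microsoft's code or anything from the baseline: it looks for password spraying, where one source tries a few guesses against many different accounts and so never trips a per-account lockout. The thresholds (five distinct accounts within 30 minutes), the field names on the event objects and the sample events are all assumptions constructed for the example; `Get-FailedLogonEvents` shows how to produce the same objects from the live Security log (event ID 4625) on a real host.

```powershell
# Added example (not from the article): flag password spraying from failed-logon events.
# A spray shows up as ONE source address trying MANY distinct accounts with few attempts
# each. Thresholds below are assumptions; tune them to your estate.

function Find-PasswordSpray {
    param(
        # Objects with TimeCreated, TargetUser and SourceIp properties (see Get-FailedLogonEvents)
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $MinDistinctUsers = 5,                    # assumption: 5+ accounts from one source
        [TimeSpan] $Window = [TimeSpan]::FromMinutes(30)     # assumption: within a 30-minute window
    )
    $Events | Group-Object SourceIp | ForEach-Object {
        $source = $_.Name
        $sorted = @($_.Group | Sort-Object TimeCreated)
        $start  = 0
        $best   = $null
        # Sliding window over this source's failures: report the window with the most distinct targets
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            while ($sorted[$end].TimeCreated - $sorted[$start].TimeCreated -gt $Window) { $start++ }
            $users = @($sorted[$start..$end].TargetUser | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctUsers -and ($null -eq $best -or $users.Count -gt $best.DistinctUsers)) {
                $best = [PSCustomObject]@{
                    SourceIp      = $source
                    FirstSeen     = $sorted[$start].TimeCreated
                    LastSeen      = $sorted[$end].TimeCreated
                    DistinctUsers = $users.Count
                    Users         = ($users -join ',')
                }
            }
        }
        if ($best) { $best }
    }
}

function Get-FailedLogonEvents {
    # Pull real 4625 events from the local Security log (run elevated). TargetUserName and
    # IpAddress are EventData fields of 4625, so the event XML is parsed rather than the message.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [PSCustomObject]@{ TimeCreated = $_.TimeCreated; TargetUser = $d['TargetUserName']; SourceIp = $d['IpAddress'] }
        }
}

# Constructed sample data: one source touching eight accounts once each (a spray) and one
# user mistyping their own password twice (benign noise that must not be flagged).
$now    = Get-Date
$sample = @(
    foreach ($i in 1..8) {
        [PSCustomObject]@{ TimeCreated = $now.AddMinutes($i); TargetUser = "user$i"; SourceIp = '203.0.113.7' }
    }
    [PSCustomObject]@{ TimeCreated = $now;               TargetUser = 'alice'; SourceIp = '10.0.0.5' }
    [PSCustomObject]@{ TimeCreated = $now.AddMinutes(1); TargetUser = 'alice'; SourceIp = '10.0.0.5' }
)

# Only 203.0.113.7 is reported (8 distinct accounts); 10.0.0.5 stays below the threshold.
Find-PasswordSpray -Events $sample | Format-Table -AutoSize

# On a real host: Find-PasswordSpray -Events (Get-FailedLogonEvents -Hours 24)
```

Counting distinct target accounts per source, rather than total failures per account, is the point: a spray stays under any lockout threshold by design, so per-account counters never see it. For a domain, run the same logic over the domain controllers' logs rather than a single workstation, since the failures land where the authentication is attempted.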
Microsoft offered further insight on these recommendations, saying: “While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.”
According to the company’s principal consultant Aaron Margosis, the password expiration mechanism is a flawed defense because it addresses the wrong moment: if a password is known to have been stolen, it should be changed immediately rather than left in place until it expires, and if the theft goes unnoticed, expiry only limits how long the stolen password stays usable.
Password expiry policies
Microsoft also made the point that the password expiration policies it is removing only defend against one case: a password being stolen and then used by an unauthorized party while it is still valid. Expiry narrows that window; it does nothing to prevent the theft or to detect the misuse.
Because the baseline simply drops the setting rather than prescribing a replacement, organizations are left to choose the security measures that best suit their needs without contradicting Microsoft’s own guidance.
The recently published security baseline draft also proposes dropping the settings that enforce disabling the built-in Administrator and Guest accounts. Administrators would then be able to enable the two accounts when they need to; removing the setting from the baseline does not mean the accounts will be enabled by default.
It’s worth keeping in mind that this is only a draft release, and details could change before it is finalized, though most experts agree that organizations have outgrown password expiration policies as a means of securing their accounts.
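Both changes in the draft concern settings an administrator can read off a host directly, which is the practical check before deciding what to do locally once the baseline no longer enforces them. The PowerShell below is an added example, not part of the article or of Microsoft's baseline tooling: it reports the effective maximum password age and the state of the built-in Administrator and Guest accounts on the local machine. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the built-in `Microsoft.PowerShell.LocalAccounts` module, and an elevated session; the function name and output shape are the example's own.

```powershell
# Added example (not from the article): report the two settings the draft baseline
# stops enforcing, as they currently stand on this machine. Run in an elevated session.

function Get-PasswordBaselineReport {
    # 1. Maximum password age. 'net accounts' prints the effective local account policy;
    #    'Unlimited' means passwords never expire. (For a domain policy use
    #    Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory RSAT module instead.)
    $line   = (net accounts) | Where-Object { $_ -match '^Maximum password age' }
    $maxAge = if ($line -match 'Unlimited') { 'Unlimited' } else { [int]($line -replace '^\D*', '') }

    # 2. Built-in Administrator and Guest. Match on the well-known RIDs (500 and 501) rather
    #    than the names, because the built-in accounts can be renamed and any local account
    #    can be given the name "Administrator".
    $builtin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '-(500|501)$' } |
        Select-Object Name, Enabled,
            @{ n = 'Role'; e = { if ($_.SID.Value.EndsWith('-500')) { 'Built-in Administrator' } else { 'Built-in Guest' } } }

    [PSCustomObject]@{
        MaximumPasswordAgeDays = $maxAge
        PasswordExpiryEnforced = ($maxAge -ne 'Unlimited')
        BuiltInAccounts        = $builtin
    }
}

$report = Get-PasswordBaselineReport
$report | Format-List MaximumPasswordAgeDays, PasswordExpiryEnforced
$report.BuiltInAccounts | Format-Table Role, Name, Enabled -AutoSize

# To stop local password expiry outright (what removing the setting from the baseline
# permits, not what it does for you):   net accounts /maxpwage:unlimited
# To disable a built-in account found enabled:   Disable-LocalUser -SID <SID from the report>
```

The report separates "what the baseline enforces" from "what the host is set to": removing a setting from the baseline changes neither value on an existing machine, which is the distinction the draft makes for the Administrator and Guest accounts.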