For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it is a good starting point for organizations that need something stricter. While most of the settings have been unproblematic, one decision has long drawn the ire of end users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That is no longer the case: the latest draft of the baseline for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.
The rationale for the previous policy is that it limits the impact of a stolen password: the password automatically becomes invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because users don't like picking or remembering new passwords. Instead, they do something like pick a simple password and increment a number on the end of it, so that "generating" a new password whenever they're forced to is easy. An attacker who obtains a password typically uses it long before it expires, and once one password in such a sequence is known, its successors are easy to guess, so the expiration window buys little.
In the early days of computing, this might have been a sensible trade-off, because cracking passwords was relatively slow. But these days, with rainbow tables, GPU acceleration, and the massive computational power of the cloud, that’s no longer the case—short passwords are a liability, so any policy that makes people favor short passwords is a bad policy. It’s better instead to choose a long password and, ideally, multifactor authentication, supplementing the password with a time-based code or something similar.
The baseline configs are often used by auditors, with companies dinged for each baseline policy they don't follow. Accordingly, Microsoft is making a few other changes to the baseline so that audits only pick up security configurations that are truly important. Previously, the baseline required the strongest available disk encryption setting (256-bit AES); it no longer does so. Some devices show a meaningful performance difference between 128- and 256-bit encryption, making 256-bit undesirable. Others, like the Surface, ship with 128-bit encryption rather than 256-bit, and bringing them into line with the old policy means decrypting the disk and then re-encrypting it. Microsoft believes that 128-bit full-disk encryption is sufficient for most situations, so demanding 256-bit does little to improve security but hurts performance and requires tedious re-encryption.
In the new baseline, Microsoft is also considering dropping the long-standing requirement to disable the Guest account and the built-in Administrator account. Windows 10 already disables the Guest account by default, so if it is enabled, an administrator most likely turned it on deliberately, and an audit shouldn't flag it.
The built-in Administrator account is also disabled by default in Windows 10, with the operating system creating a separate Administrator-privileged account during installation. However, the built-in account has properties that set it apart: it isn't subject to account lockout policies (which also means repeated bad logins against it are never locked out), and it can't be removed from the Administrators group. As such, the decision to use the built-in Administrator account or a different one is more a matter of taste than of security.
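To see where a particular machine stands on the settings discussed above, the following audit script, added here as an illustration and not taken from the article or from Microsoft's baseline tooling, reads the local maximum password age, the BitLocker encryption method of each volume, and the state of the built-in Guest and Administrator accounts. It assumes an elevated PowerShell session on a Windows 10 host with the BitLocker and LocalAccounts modules that ship with the OS, and English-locale output from `net accounts`; the built-in accounts are located by their well-known RIDs (500 and 501) rather than by name, since the baseline also recommends renaming them.

```powershell
# Added example (not from the article or Microsoft's baseline tooling):
# report where a Windows 10 host stands on the settings the 1903 baseline
# draft relaxes. Run from an elevated PowerShell session on the host itself.
# Assumes the BitLocker and Microsoft.PowerShell.LocalAccounts modules and
# English-locale "net accounts" output.

function Get-MaxPasswordAgeDays {
    # "net accounts" prints the effective local policy, e.g.
    #   Maximum password age (days):    42
    # or "Unlimited" when passwords never expire. Add /domain on a
    # domain-joined machine to read the domain policy instead.
    $line = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
    if ($line -match 'Unlimited') { return 0 }    # 0 = never expires
    return [int](($line -split ':\s*')[-1])
}

function Get-BuiltInAccount([int]$Rid) {
    # Match on the well-known RID (500 = Administrator, 501 = Guest), not
    # the name, because the baseline also recommends renaming these accounts.
    Get-LocalUser | Where-Object { $_.SID.Value -match ('-{0}$' -f $Rid) }
}

$findings = @()

# Password expiration: old baseline 60 days, draft baseline no requirement.
$maxAge = Get-MaxPasswordAgeDays
$findings += [pscustomobject]@{
    Setting     = 'Maximum password age'
    Current     = $(if ($maxAge -eq 0) { 'never expires' } else { "$maxAge days" })
    OldBaseline = '60 days'
    NewBaseline = 'not enforced'
}

# Disk encryption strength: old baseline 256-bit, draft accepts 128-bit.
# EncryptionMethod is e.g. XtsAes128 or XtsAes256; VolumeStatus shows whether
# the volume is actually encrypted, which matters more than the key size.
foreach ($vol in Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{
        Setting     = "BitLocker $($vol.MountPoint)"
        Current     = "$($vol.EncryptionMethod) ($($vol.VolumeStatus))"
        OldBaseline = '256-bit AES'
        NewBaseline = '128-bit AES or stronger'
    }
}

# Built-in Guest and Administrator: both disabled by default on Windows 10,
# so an enabled one reflects a deliberate choice rather than an oversight.
$builtIns = [ordered]@{ 500 = 'Administrator'; 501 = 'Guest' }
foreach ($entry in $builtIns.GetEnumerator()) {
    $acct = Get-BuiltInAccount -Rid $entry.Key
    $findings += [pscustomobject]@{
        Setting     = "Built-in $($entry.Value) (currently named '$($acct.Name)')"
        Current     = $(if ($acct.Enabled) { 'enabled' } else { 'disabled' })
        OldBaseline = 'disabled'
        NewBaseline = 'not enforced'
    }
}

$findings | Format-Table -AutoSize
```

On a domain member the password age that actually applies comes from the domain, which `Get-ADDefaultDomainPasswordPolicy` (ActiveDirectory module) reports as a `MaxPasswordAge` TimeSpan, with a zero TimeSpan meaning passwords never expire. The script only reports; whether an enabled Guest account or a 128-bit volume is acceptable is exactly the judgment the revised baseline leaves to the organization.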