Windows 10 1903, Windows Server 1903 to drop password expiration requirements in proposed security guidelines

Published on April 24, 2019

Today on the Microsoft Security Guidance blog, the company published an explanation of its draft release of the security configuration baseline settings for Windows 10 1903 and Windows Server 1903. This document sets guidelines for Group Policy baseline settings, and this latest draft contains some significant changes. Among the most noteworthy is a decision to no longer set password expiration policies that require “periodic password changes,” a long-standing baseline that Microsoft says has become “an ancient and obsolete mitigation of very low value.”

The blog post goes on to explain why Microsoft is dropping the password expiration policy, noting first that “we are not proposing changing requirements for minimum password length, history, or complexity:”

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

While the baseline guidelines are dropping the outdated expiration policy, the blog post also notes that “we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines,” and points to Azure AD password protection and multi-factor authentication as much better alternatives.

In addition to the news about password expiration, the baseline settings that disable the built-in Guest and Administrator accounts by default are also being proposed for removal.

Note that removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.
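To see where a given machine stands on the two settings discussed above (maximum password age, and the enabled state of the built-in Guest and Administrator accounts), the following audit script can be run from an elevated Windows PowerShell 5.1+ prompt. It is an added example, not code from the article or from Microsoft's baseline package; the function names are ours, and it assumes the English-language output of `net accounts`.

```powershell
# Added example (not from the article or Microsoft's baseline): report the
# effective maximum password age and the state of the built-in accounts.
# Assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts
# module and English 'net accounts' output; run from an elevated prompt.

function Get-MaximumPasswordAgeDays {
    # 'net accounts' prints the effective account policy (local or domain).
    # The line reads "Maximum password age (days):   42" or "... Unlimited".
    $line  = (net accounts) | Where-Object { $_ -match '^Maximum password age' }
    $value = ($line -split ':', 2)[1].Trim()
    if ($value -match '^\d+$') { return [int]$value }
    return 0   # 0 means passwords never expire
}

function Get-BuiltInAccountState {
    # The built-in Administrator is RID 500 and Guest is RID 501. Matching on
    # the SID suffix finds them even if the accounts have been renamed.
    Get-LocalUser |
        Where-Object { $_.SID.Value -match '-(500|501)$' } |
        Select-Object Name, Enabled,
            @{ n = 'Rid'; e = { $_.SID.Value.Split('-')[-1] } }
}

$maxAge = Get-MaximumPasswordAgeDays
if ($maxAge -eq 0) {
    Write-Output 'Maximum password age: unlimited (periodic expiration is not enforced)'
} else {
    Write-Output "Maximum password age: $maxAge days (periodic expiration is enforced)"
}

Get-BuiltInAccountState | ForEach-Object {
    $label = if ($_.Rid -eq '500') { 'Built-in Administrator (RID 500)' }
             else                  { 'Built-in Guest (RID 501)' }
    Write-Output ("{0}: account '{1}', Enabled={2}" -f $label, $_.Name, $_.Enabled)
}
```

On a domain-joined machine the reported password age comes from the domain policy, so the output reflects what Group Policy actually enforces rather than the local defaults.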

The proposed guidelines are just that, proposed, and interested parties can download the draft and comment via the blog post.

Kip Kniskern