Microsoft has released the baseline settings for Windows 10 v1903 (19H1) and Windows Server v1903. The release document mentions that the operating system will drop password expiration starting with Windows 10 May 2019 update.
Windows 10 v1903 drops password expiration policies
In all likelihood, password expiration will be replaced by stronger controls such as two-factor authentication, banned-password enforcement and detection of password-guessing attacks. The release also includes GPO backups, GPO reports, scripts for applying the settings to local GPO and the related spreadsheet documentation.
Note that Windows Server v1903 is Server Core only and does not offer the Desktop Experience. Starting with this release, Microsoft will publish baselines for Core-only Windows Server versions; the current version, however, does not differentiate between the Desktop Experience and Server Core editions.
Microsoft said:
“Periodic password expiration is ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”
Despite dropping periodic password expiration, Microsoft has not yet added stronger password-oriented security configurations to the baseline. It is good to see companies taking stock of the situation and enforcing stricter security measures.
The latest documents also discuss a proposal to remove enforcement of the disabled state of the built-in Administrator and Guest accounts, which are currently disabled by default. This change would let administrators enable the two accounts as and when required.
On the security side, Microsoft has also enabled the new “Enable svchost.exe mitigation options” policy, which enforces stricter process-mitigation settings for Windows services hosted in svchost.exe.
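As an added example (not from the article or from Microsoft's baseline tooling), the PowerShell audit below reads the three settings discussed above on a local host: the maximum password age, the state of the built-in Administrator and Guest accounts, and the svchost.exe mitigation policy. The registry location and value name for the svchost policy are an assumption, as is running the script from an elevated prompt.

```powershell
# Added example: audit a host for the baseline items the article discusses.
# Assumptions: run elevated on Windows 10 / Windows Server; the svchost policy
# is assumed to live at HKLM:\SOFTWARE\Policies\Microsoft\Windows\System under
# the value name EnableSvchostMitigationPolicy (DWORD 1 = enabled).

function Get-BaselineAuditReport {
    $report = [ordered]@{}

    # 1. Maximum password age, parsed from 'net accounts' output.
    #    "Unlimited" means no periodic expiration is enforced.
    $line = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
    $report.MaxPasswordAge = ($line -split ':\s*')[-1].Trim()

    # 2. Built-in Administrator (RID 500) and Guest (RID 501) account state,
    #    matched by SID so renamed accounts are still found.
    $locals = Get-LocalUser
    $report.BuiltinAdminEnabled = ($locals | Where-Object { $_.SID.Value -like '*-500' }).Enabled
    $report.BuiltinGuestEnabled = ($locals | Where-Object { $_.SID.Value -like '*-501' }).Enabled

    # 3. svchost.exe mitigation policy (assumed registry location).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $val = Get-ItemProperty -Path $key -Name EnableSvchostMitigationPolicy -ErrorAction SilentlyContinue
    $report.SvchostMitigationEnabled = ($null -ne $val -and $val.EnableSvchostMitigationPolicy -eq 1)

    [pscustomobject]$report
}

Get-BaselineAuditReport | Format-List
```

A value of "Unlimited" for MaxPasswordAge together with both built-in accounts disabled and the mitigation policy enabled matches the direction the article describes; any other combination is worth reviewing against the organisation's own baseline.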