Microsoft released the final version of its security baseline configuration for the upcoming Windows 10 and Windows 10 Server build 1909 editions. One feature that had been introduced in the draft version of the security baseline was Exploit Protection, but Microsoft seems to have taken that out, along with the explicit enforcement of 30-day account password expiration for domain-joined devices.
Microsoft provides various configuration capabilities for Windows 10 and Windows 10 Server editions meant to be used by enterprise workers. According to the company, the security baseline was created based on feedback from Microsoft security engineering teams, product groups, partners and customers.
One of the main security capabilities introduced in the draft security baseline for Windows 10 1909 was the Exploit Protection feature. The feature can help mitigate certain targeted attacks, but it can also cause problems with legacy applications, and enterprises do love their legacy applications.
Microsoft’s official answer to why it removed the Exploit Protection setting from the security baseline configuration is that it caused compatibility issues. The company also provided a PowerShell script to remove the Exploit Protection settings if you’ve already applied them in your organization.
Password Expiration and Thunderbolt Restrictions Also Removed
Microsoft also removed the explicit enforcement of the 30-day computer account password expiration policy from the security baseline for Active Directory domain-joined computers. Microsoft believes that the risk resulting from this removal is quite low, because to steal a computer account password someone would first need full administrative access to that computer. The company added that anyone who obtains the account password would only be able to act as that computer on the network, but not much else.
The restriction on Thunderbolt devices was also removed from the security baseline for Windows 10 1909, because the kernel Direct Memory Access (DMA) protection that the company added in the new Windows version mitigates DMA side-channel attacks on BitLocker.
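Before applying the final baseline over a draft that was already rolled out, an administrator will want to know which of the two dropped settings are still in effect on a given machine. The following read-only PowerShell audit is an added example and is not Microsoft’s removal script. It assumes Windows 10 1709 or later (where the `Get-ProcessMitigation` cmdlet ships) and reads the `Netlogon\Parameters` registry values that back the "Domain member: Maximum machine account password age" and "Disable machine account password changes" policies; `MaximumPasswordAge` defaults to 30 days when the value is absent.

```powershell
# Added audit example (not the Microsoft script from the article). Read-only: reports
# the local state of the two settings the final 1909 baseline no longer enforces.

function Get-ExploitProtectionSystemState {
    # System-wide (not per-process) Exploit Protection mitigations. Values appear as
    # ON / OFF / NOTSET; NOTSET means the Windows default applies.
    try {
        Get-ProcessMitigation -System
    } catch {
        Write-Warning "Get-ProcessMitigation is unavailable on this build: $($_.Exception.Message)"
        $null
    }
}

function Get-MachineAccountPasswordPolicy {
    # Registry values that back the Group Policy settings for machine account password rotation.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # MaximumPasswordAge is in days; absent means the 30-day default.
    $maxAge = if ($null -ne $props.MaximumPasswordAge) { [int]$props.MaximumPasswordAge } else { 30 }
    # DisablePasswordChange = 1 stops the computer from rotating its own password at all.
    $rotationDisabled = ($props.DisablePasswordChange -eq 1)

    [pscustomobject]@{
        MaximumPasswordAgeDays   = $maxAge
        ExplicitlyConfigured     = ($null -ne $props.MaximumPasswordAge)
        PasswordRotationDisabled = $rotationDisabled
        DomainJoined             = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    }
}

# Usage: run from an elevated PowerShell prompt on the machine being audited.
'--- Exploit Protection (system-wide) ---'
Get-ExploitProtectionSystemState | Format-List
'--- Machine account password policy ---'
Get-MachineAccountPasswordPolicy | Format-List
```

The second function reports `ExplicitlyConfigured` separately from the age itself: the article’s point is that the final baseline stops *enforcing* the 30-day value, not that the Windows default changes, so a machine that shows `ExplicitlyConfigured = False` with `MaximumPasswordAgeDays = 30` is already in the state the final baseline describes. A `PasswordRotationDisabled = True` result is worth a look on its own, since it means the computer account password never rotates regardless of the age setting.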
Previously, Microsoft dropped general password expiration policies starting with the Windows 10 1903 build and instead recommended the use of multi-factor authentication, detection of anomalous log-on attempts, detection of password-guessing attacks and the enforcement of banned password lists.
Microsoft implemented the change after the U.S. National Institute of Standards and Technology (NIST) urged government organizations to enforce password expiration only after a data breach.
The Windows 10 1909 security baseline is now available for download via Microsoft’s Security Compliance Toolkit.