Windows 10

Microsoft DOESN’T admit expiring-password rules are useless

CNET has an article titled “Microsoft admits expiring-password rules are useless” which I strongly disagree with, and thought it was worth explaining why.

Beyond the actual blog post from Aaron Margosis at Microsoft not actually containing the word ‘useless’, it’s an inaccurate summary of what is a well written and clear write-up from where I sit.

This all came out of publishing the draft of the Security Baseline recommendations for Windows 10 1903, which details out what settings Microsoft recommend and why. If you’re managing a Windows environment, these are a must read, and should be reviewed with each version of Windows 10 you plan to move to.

The general take of the CNET article was that password changes have been useless for years, suggests Microsoft should completely ‘yank’ the ability to force passwords to expire, and if your IT staff don’t remove password expiry immediately, they’re living in a ‘security Stone Age’. It’s rather insulting and coming from someone in my opinion, who doesn’t know what they’re talking about. They might say the same about me, of course :)

On the other hand, Microsoft’s blog post tells a different story. Yes, passwords are problematic and forcing them to change frequently causes other issues where people just change the number on the end by ‘1’, but they aren’t saying password changes are useless.

Microsoft used to recommend 90 day expiries, then to 60 days. The idea there was that if a credential is leaked somehow, the smaller window that the password is known by third parties, the better. But, if your password M0nkey34! is now M0nkey35!, that’s probably going to be the first thing a targeted attacker tries if the password they had for you didn’t work.

Although all this is true, it works on the assumption that someone is actively targeting you. It happens, but it’s much more common for attackers to just do spray attacks based on millions of credentials they have. Why are they going to pick your account and try a bunch of combinations of passwords, when they could just go through stupid amounts of records with no effort and find weaknesses there?

Say you are a target for some reason; it’s likely that the password leaked from somewhere isn’t new – it’s probably months or years old. If you’d never changed your password because your company never forced it to change, then the attacker now has a valid password for you.

It’s also much more likely your password was stolen from a 3rd party service, nothing to do with your corporate systems. You might have signed up with your work email address, but the password ‘should’ be unique to the service signed up for. We all know users don’t work that way, and use the same password all over the place. Having a password they know will change frequently, may mean that they use something at least unique, even if it does increment.

All of this is moot of course, if you have multi-factor authentication (MFA) in place, because the requirement of something else (a phone, bio-metrics etc) means a username and password by themselves are actually useless. However, most companies do have systems in place that have no options around MFA, so what do they do?

To re-iterate, I agree with everything said in Microsoft’s blog post. This is where one paragraph in the blog post sums it up nicely:

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

Work out your risks, your userbase, what systems might be impacted, what extra protection you have in place and make an informed decision around what frequency works for you.

The focus shouldn’t be on password changes, but should be on implementing those other protections in all scenarios – but before that happens (which for many companies can easily take several years), you’ll need to work out what policy you do. There is no single best-fit recommendation on what that is when using pure passwords, because they’re inherently bad however you look at them.

Look at Conditional Access, Password Protection and Azure AD Identity Protection for starters on adding in these extra protections!

The answer isn’t a pure ‘password changes are useless’, and it’s irresponsible to say so.

Disable Windows Defender Summaries via Registry

Windows Defender does some great stuff, but in my opinion one of the more ‘noisy’ things it doesin Windows 10 is provide a frequent notification to say it’s working but hasn’t found anything.

Many users may find this notification unnecessary and breaking their work focus just to be told that their PC is fine. Especially in a business environment, they’d think that is someone else’s problem.

Windows Defender Security Center Settings

A user can turn these off themselves of course, in the Windows Defender Security Settings page under Virus & threat protection notifications. It’s possible to turn off all informational notifications, or untick certain types.

Although there is an inbuilt Group Policy to also turn off informational notifications, to me I’d still want users knowing a threat was found or something was blocked – those are useful to the user. However the recent activity and scan results is the one I’d suggest disabling, but there’s no Group Policy for that.

Luckily this is just a single registry key which I’ve found through using Procmon:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection\

REG_DWORD: SummaryNotificationDisabled

Value: 1 (decimal)

This setting can be rolled out through Group Policy (even as a run once and don’t reapply) if you’d like users to have control over turning the setting on.

“This page wants to run the following add-on…” won’t go away in Internet Explorer

In the last few weeks, I found that a lot of users were complaining about IE11 on Windows 10, and the prompt “This page wants to run the following add-on” with the add-on name, and the allow button:

This webpage wants to run the following add-on ‘Adobe Flash Player’ from Microsoft Windows Third Party Application Compon…

However, clicking the ‘Allow’ button, or using the drop down arrow to choose ‘Allow for all sites’ did nothing, and the prompt would show again and again.

I ended up working out this was due to the Add-On List GPO to list IE add-ons that was being used to manage the add-ons I wanted disabled or enabled https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy

The policy explicitly states “The ‘Deny all add-ons unless specifically allowed in the Add-on List’ policy setting will still determine whether add-ons not in this list are assumed to be denied.”

However, since a recent update (either Windows 10 1803, or a recent security patch  – unsure which!), anything not listed in the Add-On List was being blocked. 

Adding an update to the list and allowing it with the ‘1’ value fixes the issue for that particular add-in, but it shouldn’t be working this way.

I even tried disabling the Group Policy setting ‘Deny all add-ons unless specifically allowed in the Add-on List’ but that made no difference. That policy also states: ‘If you disable or do not configure this policy setting, users may use Add-on Manager to allow or deny any add-ons that are not included in the ‘Add-on List’ policy setting.’

Something wacky’s going on – if I find out more I’ll update this post, but if you do use the ‘Add-On List’ GPO for Internet Explorer, be aware of this potential issue. You may need to list all your add-ins into the policy to avoid this.

I’ve also updated all my ADMX files for Win10 1803.

Update:

I believe I fixed this by auditing all the IE addins and making sure they were allowed. Somtimes an addin has a prerequisite of another adding being enabled, so you can’t always trust the message you see.

OneDrive for Business – Turn Off ‘Allow Editing’ By Default

Update 21st March 2019

You can now find these settings in the OneDrive Admin Center (Preview) at https://admin.onedrive.com and that’s a clearer experience.

Original Post

Every organisation has their own requirements and standards. For mine, I see a risk when the default action of sharing a document via OneDrive for Business is the ability to ‘Allow editing’ of any document sent out. It’s worse because that option is hidden behind the main popup when sharing a file, and you don’t actually see that you’re giving ‘modify’ access rather than ‘read only’:

OneDrive for Business default sharing popup
OneDrive for Business ‘Allow editing’ on by default

There is a way to change this default behavior though, and it’s not in the OneDrive admin center.

Instead, you’ll need to head to the SharePoint admin center (since the backend of OneDrive is SharePoint Online, this makes some sense). From here, go into ‘sharing’ and there’s an option around ‘Default link permissions’. You can change this to ‘View’ rather than ‘Edit’:

SharePoint admin center

The change was immediate from my testing, as soon as I went to share another file via OneDrive for Business, the ‘Allow editing’ option was unticked. This is only changing the default too, someone can still decide they want to allow editing and tick the box.

It’s worth considering what you should have as your default. The new versioning in OneDrive/SharePoint Online is really good, and will let a user easily roll back to a previous version of a document if something accidentally gets changed – but will your users be aware if something does change? It’s possible to set up an alert, but it’s a bit tedious: http://itgroove.net/brainlitter/2016/05/16/creating-alerts-documents-new-onedrive-business/

Hope this helps anyone considering rolling out OneDrive, or wants to start allowing external sharing.

Clipboard History Is Coming In Windows 10

I play with and use Windows 10 Insider builds but don’t often blog about them – there’s plenty of other people that do that already. However, I saw this notification come up which seemed very useful; Clipboard History!

 

Something I’ve been wanting for many years. I currently use Ditto which I recommended in another writeup of free sysadmin tools for TechTarget. However, if a native solution does enough for me I’d rather use that – I’m on that many different systems and devices, having non-native apps is a pain that I’m not going to bother with.

I might be a bit late to the party – on May 9th 2018, Build 17666 was announced with this feature. I’ve had a quick play and like it… so how does it work?

First, go into Settings > System > Clipboard. You’ll need to toggle the ‘Save multiple items’ to ‘On’. This is probably good being off by default, I can imagine complaints about Microsoft tracking what people do or someone finding something in the history that another person did.

Once that option is on, you can use Windows Key + V to bring up the clipboard history window:

It will be blank at the start, unless you’ve used the clipboard since enabling the feature. Text and images are both supported which is great! Selecting the history item will immediately paste it as well as put it onto your clipboard. It’s basic but does the job

On top of this, there’s also a ‘Sync across devices’ option for the clipboard history. You can enable that in the same settings area, and your clipboard will be available from all devices that support it. Right now that seems to only be Windows 10 on this insider build or newer, but I’d expect it to go further to mobile devices when released properly. This is a great way to send a small bit of information such as a long URL from one device to another.

However, if you use a password manager where you copy and paste usernames and passwords from, they’ll get added to this history also. If someone were able to gain access to this history, it could be a quick gateway to accessing a lot of your other stuff – so use multi-factor authentication wherever you can.

Still, it’s a great feature albeit simple – it’s nice to see Windows 10 getting loaded with different mini-utilities that add to it’s usefulness, while leveraging a centralised Microsoft account to keep and sync information.