HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Suggestion]: PIN Complexity rules seem to contradict current Microsoft recommendations #331

Closed stephan13360 closed 2 months ago

stephan13360 commented 2 months ago

Are you sure the Security measure is not already implemented?

Please explain your new Security measure suggestion

Hi, first of all, great Project.

I think the PIN Complexity rules being set by the Lock Screen category contradict current Microsoft recommendations when it comes to password policy. The current recommendation I would base this on: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations

Granted, these are recommendations for passwords, not TPM-backed PINs, but since PINs in themselves are already more secure, the current rules should be even less important than they already would be for passwords.

In detail:

Must include digits / Must include lower-case letters: As the document describes, this reduces the key space and makes it harder to choose a password / PIN. Also, since complexity rules are not secret information, an attacker would also know of them and not try any combination breaking these rules. My suggestion would be to set a policy to allow all characters, not just digits as the default does.

Expires every 180 days: This just leads to people increasing a number or month at the end of the password, making guessing the new PIN trivial if an attacker already knew the old one. My suggestion would be to keep the default of no expiration.

History of the 3 most recent selected PINs: There seems to be no direct recommendation from Microsoft for this one. This only really matters if you have an expiration policy, I would say, so with my suggestion of not expiring the PIN, this wouldn't really do anything anymore.

HotCakeX commented 2 months ago

Hi, thank you.

None of my policies prevent you from setting specific characters as the PIN, you can try it yourself. Apply the Lock Screen category, set a PIN and you will see that you can use upper case/lower case/special characters/digits etc.

The policies I defined only force lower case and digits to be included, but they don't prevent you from setting special characters, spaces etc.

You can see the same thing in group policy descriptions.

You can see the checkbox in there, so just press it and enter special characters, letters etc.

So even if a threat actor knows about which type of characters are forced to be used, they can never know which characters are actually being used in the PIN.


The logic behind setting an expiration date is so that if a device gets stolen, a threat actor won't be able to indefinitely try guessing the PIN. After 180 days, it will eventually expire, and they won't be able to use the correct PIN even if they guessed it. They will have to initiate a PIN reset by authenticating with a Microsoft account or Entra ID.

The anti-hammering policies coupled with BitLocker policies already make it extremely hard for an unauthorized person to guess the PIN, the expiration date guarantees that a threat actor in possession of your computer can't just be patient to try 5 PINs every day forever, they will have a time limit.


As for the history, and why there is no direct Microsoft recommendation: all of the policies I use are a new layer on top of Microsoft Security baselines, so if Microsoft recommends something and they implement it, then I use them, but if they don't and the policy makes sense, then I've added it to the policy sets in different categories.

Based on your suggestion, I'll change the number of previous PINs the history will remember from 3 to 1 so that it will be easier to choose a PIN; at least users can switch between 2 PINs forever if they're sure their PINs are not compromised.

I will also add the explanations I've written in here to the readme under the correct categories for better visibility for the future readers.



Btw, so far we've only talked about PIN, but Windows Hello also has facial recognition, fingerprint scan, multifactor authentication, physical key etc.

They don't expire like PINs, they are modern, faster and easier to use.


stephan13360 commented 2 months ago

Thanks for the detailed reply.

I understand your reasoning behind the expiration in case of theft; that was not something I considered here. This is then more of a tradeoff between security against theft and convenience. And since this project focuses on security, the expiration probably takes priority here then.

You are absolutely right about all characters being allowed by default; I seem to have remembered that wrong.

The more important part for me was that forcing some characters (one digit and one lower-case letter) makes choosing a PIN harder without increasing security. Yes, an attacker can't know what characters were used, but they can discard all PINs that do not at least include a digit and a lower-case letter. Without these requirements they would still not know which characters were used, but would now also have to consider PINs without lower-case letters and digits.

HotCakeX commented 2 months ago

Digits + lowercase letters substantially increase the attacker's wordlist to try. So this policy eliminates a very small number of guesses for the attacker (digits only) but sets a new minimum number of guesses which might even discourage them from trying.

At the end of the day, it all comes to 2 options:

  1. Set a policy in the organization to make sure users don't just use digits as PINs. This increases security, but eliminates a small number of guesses for the threat actor, namely the digit-only PINs.

  2. Allow users to use only digits as PINs. This lowers security but adds slightly more guesses for the threat actor to go through. If a user selects a digit-only PIN and the threat actor begins the guesses by trying out digit-only PINs, then they can find the correct PIN faster than they would in option 1.

I chose option 1 and I'm not sure if option 2 is better.
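A worked comparison of the two options above, added here as an illustration and not part of this thread or of the project's code. The character classes a PIN may use (digits, lowercase, uppercase and `string.punctuation`) are an assumption; they change the absolute numbers but not the shape of the comparison.

```python
"""Search-space sizes for the PIN policy options discussed above (added
illustration, not the project's code; the usable character classes are an
assumption: digits, lowercase, uppercase and string.punctuation)."""
from itertools import combinations, product
import string

CLASSES = {"digit": string.digits, "lower": string.ascii_lowercase,
           "upper": string.ascii_uppercase, "special": string.punctuation}
ALPHABET = "".join(CLASSES.values())


def count_requiring(length, required):
    """Strings of `length` over ALPHABET containing at least one character of
    every class in `required` (inclusion-exclusion over absent classes)."""
    total = 0
    for k in range(len(required) + 1):
        for absent in combinations(required, k):
            usable = len(ALPHABET) - sum(len(CLASSES[c]) for c in absent)
            total += (-1) ** k * usable ** length
    return total


def search_space(length, policy):
    """PINs an attacker must consider under the policies from the thread:
    digits_only (numeric PIN), any (option 2: all classes allowed, none
    required), digit_and_lower (option 1: one digit + one lowercase required)."""
    if policy == "digits_only":
        return len(CLASSES["digit"]) ** length
    if policy == "any":
        return len(ALPHABET) ** length
    if policy == "digit_and_lower":
        return count_requiring(length, ("digit", "lower"))
    raise ValueError(f"unknown policy {policy!r}")


def brute_force_digit_and_lower(length):
    """Exhaustive cross-check of count_requiring; feasible only for tiny lengths."""
    return sum(1 for pin in product(ALPHABET, repeat=length)
               if any(c in CLASSES["digit"] for c in pin)
               and any(c in CLASSES["lower"] for c in pin))


def removed_fraction(length):
    """Share of the unconstrained space option 1 rules out: the guesses a
    threat actor who knows the policy can skip, as the thread debates."""
    return 1 - search_space(length, "digit_and_lower") / search_space(length, "any")
```

For a 4-character PIN the required-classes space is still thousands of times larger than the digit-only space, while the fraction of the unconstrained space the rule removes is what option 2 would hand back to the user at the cost of allowing digit-only PINs.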

stephan13360 commented 2 months ago

I see your reasoning and can accept this decision, since both options have advantages under different circumstances, as you point out.