Two weeks ago, I finally got a chance to try out a Windows 8 system. First, I have to give huge kudos to Dell, who makes the XPS 12 system I’m playing with. This system seems to be the ideal platform for a Windows 8 user. A thin and light notebook with plenty of power, with the ability to flip the screen around and make it into a touchscreen tablet.
That said, during my initial installation of the system, alarm bells immediately rang in my head. “This system doesn’t comply with many password policies!” I found that as I joined my Windows 8 system to my company’s domain (which enforces a number of things through group policy), some configurations were allowed that surprised me. In this blog post I will outline how to make configuration changes in order to have Windows 8 comply with most large organizations’ security policies.
To make these configuration changes, you can make a local policy restriction, or make a group policy restriction. My preference is for a group policy restriction so that the policy gets enforced throughout the domain. To make these restrictions you must have the Windows Server 2012 Schema applied to your forest, and must make the change using a group policy editor on a Windows 8 or Windows Server 2012 system.
The Picture Password feature is a neat one for touch-enabled devices. Similar to what you might see with a pattern swipe unlock on Android phones, you can use your finger to draw a pattern on the screen in order to log in to the system. It’s a great feature for touch-enabled devices and improves usability. Sadly, it also is likely not compliant with your corporate password policy which requires 83 character passwords from 4 different classes and no words from either English or Klingon dictionaries.
To prevent picture passwords, launch the Group Policy Management tool and edit the appropriate policy which will apply to your Windows 8 systems. Drill down to Computer Configuration -> Policies -> Administrative Templates -> System -> Logon and change Turn off picture password sign-in to Enabled.
Reveal Password Button
Since Windows 8 has a large focus on touch usability, and touch screens lack the typical feedback one might receive from a physical keyboard, Microsoft has added a reveal password button to every password entry field in the system. Unfortunately, this is likely not compliant with password policies which require that passwords always be masked or hidden when shown on screen.
To prevent the reveal password button from appearing, launch the Group Policy Management tool and edit the appropriate policy which will apply to your Windows 8 systems. Drill down to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Credential User Interface and change Do not display the password reveal button to Enabled.
While my system doesn’t have it, more and more laptops are shipping with fingerprint readers. Windows 8’s support for biometric devices such as these is outstanding, and makes it easy to replace your domain logon with a biometric logon instead. Unfortunately, these types of systems are often easily defeated, and therefore many corporate security policies do not allow authentication to occur on the basis of biometrics alone.
To prevent the capability of logging in using biometrics instead of your domain password, launch the Group Policy Management tool and edit the appropriate policy which will apply to your Windows 8 systems. Drill down to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Biometrics and change Allow domain users to log on using biometrics to Disabled.
Windows Domain Administrators will want to be proactive to apply these settings to their domains before they begin deploying Windows 8 systems into their businesses. Otherwise, individuals will be surprised when the changes are made once they’ve got used to using picture passwords and biometrics to log in. Making these changes is a quick and simple process, and will allow your Windows 8 systems to remain compliant with corporate password policies.
Note: I am part of the Windows Champions program. As part of this program, I receive equipment and software from Microsoft to assist me in evaluating products and developing content.