March 12th, 2019

Asking for clear written documentation that “Require trusted path for credential entry” is no longer recommended

A customer had turned on the Require trusted path for credential entry policy (under Computer Configuration, Administrative Templates, Windows Components, Credential User Interface). They demanded that Microsoft provide clear written documentation that the policy is no longer recommended.

This was an interesting demand, because that setting was never recommended in the first place.

Aaron Margosis, who knows a lot about recommended security settings, confirmed that that setting was never in any Microsoft-published security baseline. He recalls that it was part of a draft government baseline, but was quickly removed and never made it past the draft stage. Aaron even gave a talk titled Unintended Consequences of Security Lockdowns where he demonstrates how useless that policy is:

The demonstration begins at timecode 32:47, and he continues at 37:10 with a discussion of the secure attention sequence.

Being told that Microsoft never recommended the setting was not enough to placate the customer, who reiterated their demand that Microsoft formally publish a recommendation not to set that setting.

Faced with another case of a customer demanding that there be published documentation stating that a bad idea is a bad idea, Aaron suggested that the customer consider sticking with well-known and proven solutions.

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

1 comment


  • Mark Sowul

    The description for the policy says, “…As a security best practice, this policy should be enabled.”