MSDN Blogs 2019-03-13 04:25:21

This post has been republished via RSS; it originally appeared at: MSDN Blogs.

A customer had turned on the
"Require trusted path for credential entry" policy
(under Computer Configuration, Administrative Templates,
Windows Components, Credential User Interface).
They demanded that Microsoft provide clear written
documentation that the policy
is no longer recommended.

This was an interesting demand, because that setting
was never recommended in the first place.


Aaron Margosis,
who knows a lot about recommended security settings,
confirmed that that setting was never in any Microsoft-published
security baseline.
He recalls that it was part of a draft government baseline,
but was quickly removed and never made it past the draft stage.
Aaron even
gave a talk titled
"Unintended Consequences of Security Lockdowns"
where he demonstrates
how useless that policy is.

The demonstration begins at timecode 32:47,
and he continues at 37:10 with
a discussion of the secure attention sequence.

Being told that Microsoft never recommended the setting
was not enough to placate the customer,
who reiterated their demand that Microsoft formally
publish a recommendation not to set that setting.

Faced with another case of a customer
demanding that there be published documentation stating
that a bad idea is a bad idea,
Aaron suggested that the customer consider
sticking with well-known and proven solutions.
