Great list!
As you mention the expiring users’ passwords: What about also requiring SSL certificates (or other certs absolutely required for connections) to be valid for several years?
I did the Fulcrum box when it was already retired and I worked around the expired cert by changing the attack machine’ system time … which of course has other unpleasant consequences.
Often you can skip certificate validation all together but in this case it was not an option as far as know, at least it had to be time valid!