- RC4 has been exploited in high-profile attacks across enterprise Windows networks
- Kerberoasting exploits weaknesses in Active Directory, allowing attackers to perform offline password cracking
- AES-SHA1 requires thousands of times more resources than RC4 for cracking
Microsoft is moving to disable RC4, an encryption cipher embedded in Windows authentication for more than two decades.
The decision follows years of documented abuse, repeated warnings from security researchers, and several high-impact breaches tied to its continued availability.
RC4 entered Windows with the launch of Active Directory in 2000, where it became central to administrative authentication across enterprise networks.
Legacy support and ongoing vulnerabilities
RC4’s algorithm leaked in the mid-1990s, and practical attacks quickly eroded confidence in its security – but despite this, RC4 persisted across major protocols and platforms for years.
Even after stronger standards became available, Windows servers continued to accept and respond to RC4-based requests by default.
In Windows environments, its survival created a dependable downgrade path that attackers learned to exploit repeatedly.
Weak RC4-based administrative authentication became a hackers’ holy grail for decades, with the most damaging attacks tied to RC4 in Windows networks involving Kerberos authentication.
Kerberos underpins identity verification in Active Directory, making it a prime target for attackers seeking control over entire environments.
“Kerberoasting” abuses how service account credentials are protected, allowing attackers to extract encrypted material and crack it offline.
Although RC4 has known weaknesses, the wider issue lies in how Windows implemented it, as organizations relying on outdated systems often overlook the importance of antivirus software in reducing additional attack paths.
As used in Active Directory, Kerberos relies on unsalted passwords and a single MD4 hashing pass.
By contrast, Microsoft’s AES-SHA1 implementation uses repeated hashing and resists brute-force attacks far more effectively, requiring far greater time and resources.
Firewall protection can help limit network exposure to attacks like Kerberoasting, although it can’t replace the need for stronger encryption.
Microsoft is pairing the deprecation with tools meant to surface hidden dependencies.
Updates to Key Distribution Center logs will record RC4-based requests and responses, giving administrators visibility into systems still relying on the cipher.
New PowerShell scripts will also scan security event logs to flag problematic usage patterns.
These measures acknowledge that RC4 remains embedded in some environments, often through legacy or third-party systems administrators may have forgotten.
Regular malware removal processes remain critical to ensure compromised systems are cleaned before new protections take effect.
Microsoft will finally remove the obsolete cipher that has caused decades of harm, although it will allow a transition period.
By mid-2026, Windows domain controllers will default to allowing only AES-SHA1, with RC4 disabled unless administrators explicitly re-enable it.
Microsoft says eliminating RC4 proved complicated due to its presence across decades of code and compatibility rules.
Over time, incremental changes pushed usage close to zero, reducing the risk of widespread breakage.
Via Ars Technica
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
