- RC4 was exploited in high-profile attacks on enterprise Windows networks
- Kerberoasting exploits weaknesses in Active Directory, allowing attackers to crack passwords offline.
- AES-SHA1 requires thousands of times more resources than RC4 to crack
Microsoft is preparing to disable RC4, an encryption cipher that has been part of Windows authentication for more than two decades.
The move follows years of documented abuse, repeated warnings from security researchers, and several high-impact breaches related to its continued availability.
RC4 entered Windows with the launch of Active Directory in 2000, where it became central to administrative authentication on corporate networks.
Existing support and persistent vulnerabilities
RC4’s algorithm was leaked in the mid-1990s, and practical attacks quickly eroded confidence in its security. Despite this, RC4 persisted on major protocols and platforms for years.
Even after stricter standards became available, Windows servers continued to accept and respond to RC4-based queries by default.
In Windows environments, its survival has created a reliable downgrade path that attackers have learned to exploit repeatedly.
Weak RC4-based administrative authentication has been a prized target for attackers for decades, and the most damaging RC4-related attacks on Windows networks have involved Kerberos authentication.
Kerberos underpins identity verification in Active Directory, making it a prime target for attackers seeking to control entire environments.
“Kerberoasting” abuses the way service account credentials are protected, allowing attackers to extract encrypted material and crack it offline.
While RC4 has known weaknesses, the broader problem lies in how Windows has implemented it. Organizations that rely on outdated systems also often overlook the importance of antivirus software in closing additional avenues of attack.
As used in Active Directory, the RC4 Kerberos key is derived from the password with a single, unsalted pass of MD4.
In contrast, Microsoft’s AES-SHA1 implementation uses repeated hashing and is much more resistant to brute-force attacks, requiring significantly more time and resources.
Firewall protection can help limit network exposure to attacks such as Kerberoasting, although it cannot replace the need for stronger encryption.
Microsoft combines deprecation with tools intended to reveal hidden dependencies.
Key Distribution Center log updates will record RC4-based requests and responses, giving administrators visibility into systems that still rely on the cipher.
New PowerShell scripts will also analyze security event logs to report problematic usage patterns.
These measures recognize that RC4 remains integrated into certain environments, often through legacy or third-party systems that administrators may have overlooked.
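As an added illustration of the kind of check such log analysis performs (this is not one of Microsoft's scripts), the Python below runs over constructed records shaped like Security-log Kerberos events. It assumes the standard Windows event IDs 4768 (TGT request) and 4769 (service ticket request) and their TicketEncryptionType field, where 0x17 and 0x18 are the RC4 codes; none of those values come from the article.

```python
# Flag Kerberos ticket events that still use RC4 (etype 0x17/0x18), the kind of
# check an RC4-dependency report would run over the Security log (Event IDs 4768/4769).
from collections import Counter

# Kerberos encryption type codes as they appear in the TicketEncryptionType field
ENC_TYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
             0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
RC4_TYPES = {0x17, 0x18}

# Constructed sample records with the field names of 4768/4769 events; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "MSSQLSvc/db01", "IpAddress": "::ffff:10.0.0.5", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "HTTP/legacyapp", "IpAddress": "::ffff:10.0.0.5", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "HTTP/legacyapp", "IpAddress": "::ffff:10.0.0.9", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.20", "TicketEncryptionType": "0x17"},
    # Failed request: the KDC logs 0xFFFFFFFF here, which is not a cipher choice.
    {"EventID": 4769, "TargetUserName": "carol@CORP.EXAMPLE", "ServiceName": "cifs/fs01", "IpAddress": "::ffff:10.0.0.7", "TicketEncryptionType": "0xFFFFFFFF"},
]

def parse_enc_type(value):
    """Return the integer etype from the logged hex string, or None if unusable."""
    try:
        code = int(value, 16)
    except (TypeError, ValueError):
        return None
    return None if code == 0xFFFFFFFF else code

def rc4_findings(events):
    """One finding per ticket event (TGT or service ticket) issued with an RC4 key."""
    findings = []
    for ev in events:
        if ev.get("EventID") not in (4768, 4769):
            continue
        code = parse_enc_type(ev.get("TicketEncryptionType"))
        if code in RC4_TYPES:
            findings.append({"event": ev["EventID"], "user": ev["TargetUserName"],
                             "service": ev["ServiceName"], "client": ev["IpAddress"],
                             "etype": ENC_TYPES[code]})
    return findings

def rc4_usage_by_service(events):
    """Count RC4 ticket requests per service: the dependencies to fix before RC4 is disabled."""
    return Counter(f["service"] for f in rc4_findings(events))

if __name__ == "__main__":
    for service, n in rc4_usage_by_service(SAMPLE_EVENTS).most_common():
        print(f"{service}: {n} RC4 ticket(s)")
```

On a real domain controller the records would be exported from the Security log (for example with Get-WinEvent) and fed to the same functions.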
Regular malware removal processes remain essential to ensure compromised systems are cleaned before new protections take effect.
Microsoft will finally remove the outdated cipher that has caused decades of damage, although it will allow a transition period.
By mid-2026, Windows domain controllers will only allow AES-SHA1 by default, with RC4 disabled unless administrators explicitly enable it again.
Microsoft says eliminating RC4 proved complicated due to its presence across decades of code and compatibility rules.
Over time, incremental changes brought usage closer to zero, reducing the risk of widespread breakage.
Via Ars Technica