- RC4 has been exploited in high-profile attacks across corporate Windows networks
- Kerberoasting exploits weaknesses in Active Directory, allowing attackers to perform offline password cracking
- Cracking AES-SHA1 Kerberos material requires thousands of times more resources than cracking RC4
Microsoft is moving to disable RC4, an encryption cipher embedded in Windows authentication for more than two decades.
The decision follows years of documented abuse, repeated warnings from security researchers and several high-impact breaches linked to its continued availability.
RC4 entered Windows with the launch of Active Directory in 2000, where it became central to administrative authentication across corporate networks.
Legacy support and ongoing vulnerabilities
RC4’s algorithm leaked in the mid-1990s, and practical attacks quickly eroded confidence in its security – but despite this, RC4 persisted across major protocols and platforms for years.
Even after stronger standards became available, Windows servers continued to accept and respond to RC4-based requests by default.
In Windows environments, its survival created a reliable downgrade path that attackers learned to exploit repeatedly.
Weak RC4-based administrative authentication became the holy grail of hackers for decades, with the most damaging attacks tied to RC4 in Windows networks involving Kerberos authentication.
Kerberos supports identity verification in Active Directory, making it a prime target for attackers seeking control of entire environments.
“Kerberoasting” abuses how service account credentials are protected, allowing attackers to extract encrypted material and crack it offline.
While RC4 has known weaknesses, the broader problem lies in how Windows implemented it. Organizations that rely on outdated systems also often overlook antivirus software as a way to reduce additional attack paths.
As used in Active Directory, Kerberos' RC4 mode derives its key from the password with a single, unsalted MD4 hash pass.
In contrast, Microsoft's AES-SHA1 implementation uses repeated hashing, so brute-force attacks require far more time and resources and are resisted far more effectively.
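The following is an added illustration, not code from the article or from Microsoft, of why the cost per password guess differs so much between the two key types. It derives an RC4-HMAC key (RFC 4757: one unsalted MD4 pass over the UTF-16LE password, which is the NT hash) and the PBKDF2 stage of an AES-SHA1 key (RFC 3962: PBKDF2-HMAC-SHA1 over password and salt for 4096 iterations, the Active Directory iteration count). It assumes the user-account salt form (upper-case realm plus sAMAccountName) and omits the final RFC 3962 DK step, which adds a small constant AES cost rather than the iterated cost that matters; the sample password and account names are constructed.

```python
"""Work per password guess: RC4-HMAC (single MD4) versus AES-SHA1 (PBKDF2).

Added illustration; not the article's or Microsoft's code.  MD4 is implemented
inline because hashlib.new("md4") is missing on many current OpenSSL builds.
"""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
AD_PBKDF2_ITERATIONS = 4096  # RFC 3962 default; what Active Directory uses


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320); returns the 16-byte digest."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2_order = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[r2_order[i]] + 0x5A827999) & MASK32,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32,
                     (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4_hmac_key(password: str) -> bytes:
    """RC4-HMAC long-term key == the NT hash: one MD4 pass, no salt, no
    iteration, so accounts sharing a password share the same key."""
    return md4(password.encode("utf-16-le"))


def aes_sha1_key(password: str, realm: str, sam_account_name: str,
                 key_len: int = 32) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key for a user account (assumed
    salt form REALM + sAMAccountName; computer accounts differ)."""
    salt = (realm.upper() + sam_account_name).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               AD_PBKDF2_ITERATIONS, key_len)


def work_per_guess() -> dict:
    """Primitive passes a cracker spends per candidate before it can compare:
    one MD4 block (short passwords) versus 4096 HMAC-SHA1 iterations."""
    return {"rc4-hmac": 1, "aes-sha1": AD_PBKDF2_ITERATIONS}


def shared_password_exposure(password: str, realm: str, accounts: list) -> dict:
    """How many distinct keys a shared password yields across accounts."""
    rc4 = {rc4_hmac_key(password) for _ in accounts}
    aes = {aes_sha1_key(password, realm, name) for name in accounts}
    return {"rc4_keys_distinct": len(rc4), "aes_keys_distinct": len(aes)}


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials
    pw, realm, users = "Winter2024!", "corp.example", ["alice", "bob"]
    print("RC4 key (NT hash):", rc4_hmac_key(pw).hex())
    print("AES-256 PBKDF2 key for alice:", aes_sha1_key(pw, realm, "alice").hex())
    print("passes per guess:", work_per_guess())
    print("shared password:", shared_password_exposure(pw, realm, users))
```

Beyond the iteration count, the salt matters: a single cracked RC4 key is valid for every account that uses that password, whereas AES keys differ per account even for an identical password.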
Firewall protection can help limit network exposure to attacks like Kerberoasting, although it cannot replace the need for stronger encryption.
Microsoft is pairing the deprecation with tools meant to expose hidden dependencies.
Updates to Key Distribution Center logs will record RC4-based requests and responses, giving administrators visibility into systems that still rely on the cipher.
New PowerShell scripts will also scan security event logs to flag problematic usage patterns.
These measures recognize that RC4 remains embedded in some environments, often through legacy or third-party systems that administrators may have forgotten.
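Microsoft's log changes and PowerShell scripts are mentioned above but not reproduced, so the following is an added example (in Python rather than PowerShell, and not Microsoft's code) of the kind of check such a scan performs. It parses the message text of Windows Security events 4768 (TGT requested) and 4769 (service ticket requested), flags records whose Ticket Encryption Type is RC4 (0x17 rc4-hmac, 0x18 rc4-hmac-exp), and lists the principals that still depend on the cipher. The event records, account names, SID and addresses are constructed samples in the Security log's field layout.

```python
"""Flag RC4-based Kerberos tickets in Security event records (events 4768/4769).

Added example, not Microsoft's script.  The sample events below are constructed.
"""
import re
from collections import Counter

# Kerberos encryption type numbers as Windows logs them (hex in the message)
RC4_ETYPES = {0x17: "rc4-hmac", 0x18: "rc4-hmac-exp"}
AES_ETYPES = {0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96"}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

# Constructed sample events: (EventID, message body); SIDs/addresses made up
SAMPLE_EVENTS = [
    (4769, "A Kerberos service ticket was requested.\n"
           "Account Information:\n"
           "\tAccount Name:\t\tjdoe@CORP.EXAMPLE\n"
           "\tAccount Domain:\t\tCORP.EXAMPLE\n"
           "Service Information:\n"
           "\tService Name:\t\tsvc_sql\n"
           "\tService ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
           "Network Information:\n"
           "\tClient Address:\t\t::ffff:10.0.5.23\n"
           "Additional Information:\n"
           "\tTicket Options:\t\t0x40810000\n"
           "\tTicket Encryption Type:\t0x17\n"),
    (4769, "A Kerberos service ticket was requested.\n"
           "Account Information:\n"
           "\tAccount Name:\t\tjdoe@CORP.EXAMPLE\n"
           "Service Information:\n"
           "\tService Name:\t\tFS01$\n"
           "Network Information:\n"
           "\tClient Address:\t\t::ffff:10.0.5.23\n"
           "Additional Information:\n"
           "\tTicket Encryption Type:\t0x12\n"),
    (4768, "A Kerberos authentication ticket (TGT) was requested.\n"
           "Account Information:\n"
           "\tAccount Name:\t\tlegacyapp\n"
           "Network Information:\n"
           "\tClient Address:\t\t::ffff:10.0.9.8\n"
           "Additional Information:\n"
           "\tTicket Encryption Type:\t0x17\n"),
]


def parse_fields(message: str) -> dict:
    """Turn 'Name:<tabs>value' lines into a dict; section headers are skipped."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2)
    return fields


def _etype(fields: dict) -> int:
    try:
        return int(fields.get("Ticket Encryption Type", "0x0"), 16)
    except ValueError:
        return 0


def find_rc4_usage(events) -> list:
    """One finding per 4768/4769 record whose ticket was issued with RC4."""
    findings = []
    for event_id, message in events:
        if event_id not in (4768, 4769):
            continue
        f = parse_fields(message)
        etype = _etype(f)
        if etype not in RC4_ETYPES:
            continue
        # 4769: the service account's key was RC4 (the Kerberoasting exposure).
        # 4768: the requester negotiated an RC4 TGT, i.e. a client or account
        # that is not using AES.  Either way the target needs fixing first.
        target = f.get("Service Name", "?") if event_id == 4769 else f.get("Account Name", "?")
        findings.append({"event_id": event_id, "account": f.get("Account Name", "?"),
                         "target": target, "client": f.get("Client Address", "?"),
                         "etype": RC4_ETYPES[etype]})
    return findings


def rc4_dependents(findings) -> Counter:
    """RC4 tickets per dependent principal: the worklist before RC4 is disabled."""
    return Counter(f["target"] for f in findings)


def etype_summary(events) -> Counter:
    """Ticket count per encryption type, to watch the RC4 share fall over time."""
    names = {**RC4_ETYPES, **AES_ETYPES}
    out = Counter()
    for event_id, message in events:
        if event_id in (4768, 4769):
            et = _etype(parse_fields(message))
            out[names.get(et, f"etype {et}")] += 1
    return out


if __name__ == "__main__":
    found = find_rc4_usage(SAMPLE_EVENTS)
    for f in found:
        print(f"event {f['event_id']}: {f['etype']} for {f['target']} "
              f"requested by {f['account']} from {f['client']}")
    print("RC4 dependents:", dict(rc4_dependents(found)))
    print("etype mix:", dict(etype_summary(SAMPLE_EVENTS)))
```

Run against a real export, the per-target counter is the inventory to clear before the mid-2026 default flips: each entry is an account whose key is still RC4 or a client that still negotiates it, and a sudden spike of RC4 4769s from one client address is also the classic Kerberoasting signal worth alerting on.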
Regular malware removal processes remain critical to ensure compromised systems are cleaned before new protections take effect.
Microsoft will finally remove the outdated cipher that has caused decades of damage, though it will allow a transition period.
By mid-2026, Windows domain controllers will only allow AES-SHA1 by default, with RC4 disabled unless administrators explicitly re-enable it.
Microsoft says eliminating RC4 proved complicated due to its presence across decades of code and compatibility rules.
Over time, incremental changes pushed usage close to zero, reducing the risk of widespread breakage.
Via Ars Technica