- RC4 has been exploited in high-profile attacks on Windows enterprise networks
- Kerberoasting exploits weaknesses in Active Directory, allowing attackers to crack passwords offline
- AES-SHA1 requires thousands of times more resources than RC4 for cracking
Microsoft is taking steps to disable RC4, an encryption cipher that has been built into Windows authentication for more than two decades.
The decision comes after years of documented abuse, repeated warnings from security researchers, and several high-impact breaches related to its continued availability.
RC4 entered Windows with the release of Active Directory in 2000, where it became central to administrative authentication on enterprise networks.
Legacy Support and Continued Vulnerabilities
RC4’s algorithm was leaked in the mid-1990s, and practical attacks quickly eroded confidence in its security. Despite this, RC4 persisted in major protocols and platforms for years.
Even after stricter standards became available, Windows servers continued to accept and respond to RC4-based requests by default.
In Windows environments, its survival created a reliable degradation path that attackers learned to exploit repeatedly.
Weak administrative authentication based on RC4 became the holy grail of hackers for decades, and the most damaging attacks linked to RC4 on Windows networks involved Kerberos authentication.
Kerberos underpins identity verification in Active Directory, making it a prime target for attackers seeking to take over entire environments.
Kerberoasting abuses the way service account credentials are protected, allowing attackers to extract encrypted material and decrypt it offline.
Although RC4 has known weaknesses, the broader problem lies in how Windows implemented it. Organizations that rely on outdated systems also often overlook the importance of antivirus software in reducing additional attack paths.
As used in Active Directory, Kerberos relies on unsalted passwords and a single MD4 hash pass.
In contrast, Microsoft’s AES-SHA1 implementation uses repeated hashing and resists brute-force attacks far more effectively, requiring much more time and resources to crack.
Firewall protection can help limit your network’s exposure to attacks like Kerberoasting, but it cannot replace the need for stronger encryption.
Microsoft is combining deprecation with tools aimed at uncovering hidden dependencies.
Updates to the Key Distribution Center logs will record RC4-based requests and responses, giving administrators visibility into systems that still rely on the cipher.
New PowerShell scripts will also scan security event logs to flag problematic usage patterns.
These measures recognize that RC4 remains embedded in some environments, often through legacy or third-party systems that administrators may have forgotten about.
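The log scanning described above, as an added example that is not Microsoft's own script: it reads Kerberos service-ticket requests (Security event 4769) from a domain controller and keeps the ones issued with RC4. The event ID, its EventData field names and the encryption-type codes are documented Windows values; the function names, the seven-day window and the output layout are this example's own choices.

```powershell
# Added example, not Microsoft's script: find Kerberos service-ticket requests that were
# answered with RC4 by reading Security event 4769 on a domain controller.

# TicketEncryptionType is logged as a hex string; map the documented codes to names.
$EncTypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}
$Rc4Codes = @('0x17', '0x18')

# Read the named EventData fields out of one 4769 record via its XML rendering.
function Get-KerberosTicketFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $code = $fields['TicketEncryptionType']
    $name = if ($code -and $EncTypeNames.ContainsKey($code)) { $EncTypeNames[$code] } else { 'unknown' }
    [pscustomobject]@{
        TimeCreated   = $Event.TimeCreated
        ServiceName   = $fields['ServiceName']       # account the ticket was issued for
        Requester     = $fields['TargetUserName']    # principal that asked for it
        ClientAddress = $fields['IpAddress']
        EncTypeCode   = $code
        EncTypeName   = $name
    }
}

# Scan the Security log for 4769 events in a time window and keep only RC4 tickets.
function Find-Rc4ServiceTickets {
    param([int]$Days = 7)   # window length is this example's choice
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Get-KerberosTicketFields $_ } |
        Where-Object { $Rc4Codes -contains $_.EncTypeCode }
}

# Summarise which service accounts are still being issued RC4 tickets, and to whom.
Find-Rc4ServiceTickets -Days 7 |
    Group-Object ServiceName |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            ServiceName = $_.Name
            Rc4Tickets  = $_.Count
            Requesters  = ($_.Group.Requester | Sort-Object -Unique) -join ', '
            Clients     = ($_.Group.ClientAddress | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

Event 4769 is only written when the "Audit Kerberos Service Ticket Operations" subcategory is enabled, so an empty result means nothing until that policy is confirmed. Two patterns in the output mean different things: a single service that only ever receives RC4 tickets usually points at a legacy or third-party dependency to fix, while one requester collecting RC4 tickets for many different services in a short span is the usage pattern worth investigating as possible Kerberoasting.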
Regular malware removal processes remain essential to ensure that compromised systems are cleaned before new protections come into effect.
Microsoft will finally remove outdated encryption that has caused decades of damage, although it will allow a transition period.
By mid-2026, Windows domain controllers will by default allow only AES-SHA1, with RC4 disabled unless administrators explicitly re-enable it.
Microsoft says removing RC4 was complicated because of its presence across decades of code and compatibility rules.
Over time, incremental changes brought RC4 usage to near zero, reducing the risk of widespread breakage.
Via Ars Technica
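The AES-only default described above can be anticipated per account today, since Active Directory records which encryption types an account supports in its msDS-SupportedEncryptionTypes attribute. The following is an added example, not Microsoft's tooling: it lists SPN-bearing accounts whose attribute still permits RC4 and offers a reviewed, previewable switch to AES only. The attribute and its bit values are documented Active Directory values; the SPN-only scope, the treatment of an unset attribute as RC4-capable, and the function names are this example's assumptions. It needs the ActiveDirectory RSAT module.

```powershell
# Added example, not Microsoft's tooling: inventory accounts that still advertise RC4 in
# msDS-SupportedEncryptionTypes and optionally move them to AES only.
Import-Module ActiveDirectory

# Documented bit values of msDS-SupportedEncryptionTypes.
$ENC_RC4    = 0x04
$ENC_AES128 = 0x08
$ENC_AES256 = 0x10

function Get-Rc4CapableAccounts {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Service accounts are what Kerberoasting targets, so scope to objects carrying an SPN
    # (this example's choice; widen the filter to cover other accounts if needed).
    Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=computer))(servicePrincipalName=*))' `
                 -SearchBase $SearchBase `
                 -Properties 'msDS-SupportedEncryptionTypes', sAMAccountName, pwdLastSet |
    ForEach-Object {
        $v = [int]($_.'msDS-SupportedEncryptionTypes')   # an unset attribute becomes 0
        # Assumption: an unset attribute is counted as RC4-capable, because domain
        # controllers have historically fallen back to RC4 for such accounts.
        [pscustomobject]@{
            SamAccountName    = $_.sAMAccountName
            DistinguishedName = $_.DistinguishedName
            EncTypesValue     = $v
            AllowsRc4         = ($v -eq 0) -or (($v -band $ENC_RC4) -ne 0)
            HasAes            = ($v -band ($ENC_AES128 -bor $ENC_AES256)) -ne 0
            PasswordLastSet   = [DateTime]::FromFileTime($_.pwdLastSet)
        }
    } | Where-Object AllowsRc4
}

function Set-AesOnlyEncTypes {
    # Pipe reviewed Get-Rc4CapableAccounts output here; -WhatIf previews without changing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Set msDS-SupportedEncryptionTypes to AES128+AES256')) {
            Set-ADObject -Identity $DistinguishedName `
                -Replace @{ 'msDS-SupportedEncryptionTypes' = ($ENC_AES128 -bor $ENC_AES256) }
        }
    }
}

Get-Rc4CapableAccounts | Format-Table SamAccountName, EncTypesValue, HasAes, PasswordLastSet -AutoSize
# After review: Get-Rc4CapableAccounts | Set-AesOnlyEncTypes -WhatIf
```

PasswordLastSet is in the output for a reason: an account only holds AES keys if its password was set after the domain began deriving them, so an account with a very old password must have its password reset before it is restricted to AES, or its Kerberos authentication will fail. Run the change with -WhatIf first, and treat the inventory together with the event-log scan as the list of dependencies to clear before the default flips.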