Microsoft is finally removing the RC4 encryption key, which has been blamed for several cyber attacks

  • RC4 has been exploited in high-profile attacks on corporate Windows networks
  • Kerberoasting exploits weaknesses in Active Directory's Kerberos implementation and allows attackers to crack passwords offline
  • AES-SHA1 requires thousands of times more resources to crack than RC4

Microsoft is disabling RC4, an encryption cipher that has been part of Windows authentication for more than two decades.

The decision comes after years of documented abuse, repeated warnings from security researchers, and several serious and persistent security breaches.

RC4 arrived in Windows with Active Directory in Windows 2000 and became a central part of authentication on corporate networks.

Mature support and persistent vulnerabilities

RC4’s algorithm was leaked in the mid-1990s, and practical attacks quickly undermined confidence in its security. Yet RC4 remained in use for years across major protocols and platforms.

Even after stronger alternatives became available, Windows servers continued to accept and respond to RC4-based requests by default.

In Windows environments, its persistence created a reliable downgrade path that attackers have repeatedly learned to exploit.

Weak RC4-based authentication has been a prized target for attackers for decades, and the most damaging attacks have targeted RC4 in Windows networks and Kerberos authentication.

Kerberos handles identity authentication in Active Directory, making it a prime target for attackers looking to take over entire environments.

“Kerberoasting” exploits how service account credentials are protected and allows attackers to extract encrypted ticket material and crack it offline.

While RC4 has known weaknesses of its own, the main problem lies in how Windows implemented it; organizations that rely on legacy systems also often overlook the importance of antivirus software to mitigate other avenues of attack.

As used in Active Directory, Kerberos with RC4 relies on unsalted passwords and a single-pass MD4 hash.

In contrast, Microsoft’s AES-SHA1 implementation uses iterated hashing and is far more resistant to brute-force attacks, requiring much more time and computation per guess.

Firewall protection can help limit your network’s exposure to attacks like Kerberoasting, but it cannot replace stronger encryption.

Microsoft is pairing the removal with tools designed to uncover hidden dependencies on RC4.

Key Distribution Center (KDC) logging updates record RC4-based requests and responses, giving administrators visibility into systems that still rely on the cipher.

New PowerShell scripts also analyze Security event logs to identify problematic usage patterns.

These tools acknowledge that RC4 remains embedded in some environments, often due to legacy or third-party systems that administrators may have overlooked.
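The Security-log analysis the article attributes to Microsoft's new scripts can be reproduced in outline, and the same filter is the usual way to spot the RC4 service-ticket requests that Kerberoasting produces. The PowerShell below is an added example written for this page, not Microsoft's script and not code from the article. It assumes the standard schema of Security Event ID 4769 ("A Kerberos service ticket was requested"), in which the ticket's encryption type is logged as TicketEncryptionType (0x17 is RC4-HMAC, 0x12 is AES256-CTS-HMAC-SHA1-96, per RFC 3961 and RFC 4757), and it runs against constructed sample events so it can be tried offline; the function names, the CORP.EXAMPLE realm and all account, service and address values are invented.

```powershell
# Added example: find Kerberos service tickets (Security log, Event ID 4769) that the KDC
# issued with RC4-HMAC, and summarise them per service so the remaining RC4 dependencies
# can be fixed before RC4 is disabled. Not Microsoft's script; sample data is constructed.

# Kerberos encryption-type codes as they appear in the 4769 event (RFC 3961 / RFC 4757).
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

function ConvertFrom-TgsEventXml {
    # Turn one 4769 event (the XML text that Get-WinEvent's ToXml() returns) into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]($d.'#text') }
        $etype = $data['TicketEncryptionType']
        [pscustomobject]@{
            Time      = $xml.Event.System.TimeCreated.SystemTime
            Account   = $data['TargetUserName']
            Service   = $data['ServiceName']
            Client    = $data['IpAddress']
            Status    = $data['Status']          # 0x0 means the ticket was actually issued
            Etype     = $etype
            EtypeName = if ($etype -and $EtypeNames.ContainsKey($etype)) { $EtypeNames[$etype] } else { "unknown ($etype)" }
            IsRC4     = $etype -in @('0x17', '0x18')
        }
    }
}

function Get-RC4ServiceTicketSummary {
    # Keep only successfully issued RC4 tickets and group them by service. Every service listed
    # is a dependency to resolve (AES keys / msDS-SupportedEncryptionTypes) before RC4 goes away.
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Ticket)
    begin { $rc4 = @() }
    process { if ($Ticket.IsRC4 -and $Ticket.Status -eq '0x0') { $rc4 += $Ticket } }
    end {
        $rc4 | Group-Object Service | ForEach-Object {
            [pscustomobject]@{
                Service  = $_.Name
                Tickets  = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
                Clients  = ($_.Group.Client  | Sort-Object -Unique) -join ', '
            }
        }
    }
}

function Get-RC4ServiceTicketsFromSecurityLog {
    # Same pipeline against the live Security log on a domain controller (needs admin rights).
    param([int]$MaxEvents = 10000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-TgsEventXml |
        Get-RC4ServiceTicketSummary
}

function New-SampleTgsEventXml {
    # Builds a constructed 4769 event in the shape ToXml() produces; for offline testing only.
    param($Time, $Account, $Service, $Etype, $Client, $Status = '0x0')
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$Account</Data>
    <Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">$Service</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">$Etype</Data>
    <Data Name="IpAddress">$Client</Data>
    <Data Name="Status">$Status</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: two RC4 tickets for a legacy service account, one AES ticket for a
# computer account, and one failed RC4 request (Status 0xe, KDC_ERR_ETYPE_NOSUPP).
$samples = @(
    (New-SampleTgsEventXml '2025-12-01T10:15:00Z' 'alice@CORP.EXAMPLE' 'svc-legacy-app' '0x17' '::ffff:10.0.0.25'),
    (New-SampleTgsEventXml '2025-12-01T10:16:02Z' 'bob@CORP.EXAMPLE'   'svc-legacy-app' '0x17' '::ffff:10.0.0.31'),
    (New-SampleTgsEventXml '2025-12-01T10:16:40Z' 'alice@CORP.EXAMPLE' 'WEB01$'         '0x12' '::ffff:10.0.0.25'),
    (New-SampleTgsEventXml '2025-12-01T10:17:05Z' 'carol@CORP.EXAMPLE' 'svc-old-backup' '0x17' '::ffff:10.0.0.40' '0xe')
)

$samples | ConvertFrom-TgsEventXml | Get-RC4ServiceTicketSummary | Format-Table -AutoSize
```

With the sample data only svc-legacy-app is reported: the WEB01$ ticket used AES, and the svc-old-backup request was refused, so neither is a live RC4 dependency. Filtering on Status 0x0 matters because a failed request tells you a client asked for RC4, not that the KDC still issues it; a successful RC4 ticket means the service account either has no AES keys or is still advertising RC4 as acceptable, which is what has to change before the default flips.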

Regular malware removal processes are still critical to ensure compromised systems are cleaned up before new protections take effect.

Microsoft will finally remove the outdated cipher that has caused damage for decades, but on a set timeline.

By mid-2026, Windows domain controllers will allow only AES-SHA1 by default, with RC4 disabled unless administrators explicitly re-enable it.

Microsoft said removing RC4 was complicated by its presence throughout decades of code and compatibility rules.

Over time, incremental changes are meant to bring RC4 usage to almost zero, reducing the risk of widespread failure.

Via Ars Technica
