
Microsoft is killing RC4, the outdated and weak encryption that Windows has supported by default for 26 years. The move comes after more than a decade of devastating hacks that exploited it, and recent harsh criticism from a prominent US senator.
When the software maker introduced Active Directory in 2000, it made RC4 the only way to secure the Windows component, which administrators use to configure and provision user and administrator accounts across large organizations. RC4, short for Rivest Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that dramatically weakened the security it was believed to provide. Despite its known weakness, RC4 remained a staple of cryptographic protocols, including SSL and its successor TLS, until nearly a decade ago.
One of the biggest holdouts in RC4 support has been Microsoft. Microsoft eventually upgraded Active Directory to support the more secure AES encryption standard, but by default Windows servers still respond to RC4-based authentication requests with an RC4-based response. That RC4 fallback has been a favorite weakness for hackers compromising enterprise networks. The use of RC4 played a main role in last year's hack of health giant Ascension. The hack caused life-threatening disruptions at 140 hospitals and put the medical records of 5.6 million patients into the attackers' hands. In September, US Senator Ron Wyden, a Democrat from Oregon, called on the Federal Trade Commission to investigate Microsoft for "gross negligence in cybersecurity," citing its continued support for RC4 by default.
"By mid-2026, we will update the default Kerberos Key Distribution Center (KDC) domain controller settings on Windows Server 2008 and later to only allow AES-SHA1 encryption," wrote Matthew Palko, a principal program manager at Microsoft. "RC4 will be disabled by default and will only be used if an account is explicitly configured by a domain administrator or a key distribution center (KDC) uses it."
AES-SHA1, an algorithm widely believed to be secure, has been available in all supported versions of Windows since the introduction of Windows Server 2008. Since then, Windows clients have authenticated by default using the more secure standard, and servers respond using the same standard. However, Windows servers also, by default, respond to RC4-based authentication requests and return an RC4-based response, leaving networks open to Kerberoasting.
Once the change takes effect next year, RC4 authentication will no longer work unless administrators do the extra work to allow it. In the meantime, Palko said, it's important for administrators to identify any systems within their networks that rely on RC4 encryption. Despite its known weakness, RC4 remains the only means for some legacy third-party systems to authenticate on Windows networks. These systems are often overlooked in networks even though they are required for vital functions.
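The two preceding paragraphs describe the exposure (domain controllers still issuing RC4 service tickets) and the homework administrators are told to do before the default flips (find what still depends on RC4). The following script is an added example, not code from Microsoft or from the article, showing both halves of that audit in Python: it decodes the `msDS-SupportedEncryptionTypes` bit flags on accounts to find those with no AES option, and it scans Security event 4769 text for service tickets issued with RC4 or DES. The account values and 4769 lines are constructed sample data; the flag bits and Kerberos etype numbers are the documented Windows values. One assumption is flagged in the code: an account whose attribute is unset is reported as needing review, since the KDC's treatment of an unset attribute has changed over time.

```python
"""Audit helpers for finding RC4 (RC4-HMAC) dependence in a Kerberos domain.

Added example (not Microsoft's or the article's code). Two views of the problem:
  1. msDS-SupportedEncryptionTypes on accounts: which ciphers an account MAY use.
  2. Security event 4769 "Ticket Encryption Type": which cipher WAS used.
"""
import re
from dataclasses import dataclass

# msDS-SupportedEncryptionTypes bit flags (documented Windows values).
ETYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10

# Kerberos etype numbers as they appear (in hex) in event 4769.
TICKET_ETYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
WEAK_TICKET_ETYPES = {0x01, 0x03, 0x17, 0x18}


def decode_supported_etypes(value):
    """Names of the ciphers enabled by an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ETYPE_FLAGS.items() if value & bit]


def needs_review_for_rc4(value):
    """True if the account could break once the KDC stops issuing RC4:
    no AES bit is set. An unset attribute (None or 0) is ASSUMED to need
    review too, because Windows has historically treated it as RC4."""
    return not ((value or 0) & AES_MASK)


def rc4_dependent_accounts(accounts):
    """accounts: {sAMAccountName: msDS-SupportedEncryptionTypes or None}."""
    return sorted(name for name, v in accounts.items() if needs_review_for_rc4(v))


@dataclass
class TicketRequest:
    account: str
    service: str
    etype: int


# Fields pulled from the text of a 4769 (Kerberos service ticket) event.
EVENT_RE = re.compile(
    r"Account Name:\s*(?P<account>\S+).*?Service Name:\s*(?P<service>\S+).*?"
    r"Ticket Encryption Type:\s*0x(?P<etype>[0-9a-fA-F]+)"
)


def parse_4769(line):
    """Parse one flattened 4769 event line; None if it does not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return TicketRequest(m["account"], m["service"], int(m["etype"], 16))


def find_weak_ticket_requests(lines):
    """(service, account, cipher) for every ticket issued with RC4 or DES.
    These are the service accounts to migrate before RC4 is disabled."""
    hits = []
    for line in lines:
        req = parse_4769(line)
        if req and req.etype in WEAK_TICKET_ETYPES:
            hits.append((req.service, req.account, TICKET_ETYPES[req.etype]))
    return hits


# Constructed sample data (not real directory or log content).
SAMPLE_ACCOUNTS = {
    "svc_legacyapp": 0x04,   # RC4 only
    "svc_sql": 0x18,         # AES128 + AES256
    "svc_backup": 0x1C,      # RC4 + AES128 + AES256: survives the change
    "svc_oldscanner": None,  # attribute unset
}
SAMPLE_4769_EVENTS = [
    "4769 Account Name: alice@CORP.EXAMPLE Service Name: MSSQLSvc/db01.corp.example:1433 Ticket Encryption Type: 0x12 Ticket Options: 0x40810000",
    "4769 Account Name: bob@CORP.EXAMPLE Service Name: HTTP/legacyapp.corp.example Ticket Encryption Type: 0x17 Ticket Options: 0x40810000",
    "4769 Account Name: scanner01$@CORP.EXAMPLE Service Name: cifs/fileserver.corp.example Ticket Encryption Type: 0x17 Ticket Options: 0x40810000",
    "4769 Account Name: carol@CORP.EXAMPLE Service Name: krbtgt/CORP.EXAMPLE Ticket Encryption Type: 0x12 Ticket Options: 0x40810000",
]

if __name__ == "__main__":
    print("Accounts to review before RC4 is disabled:", rc4_dependent_accounts(SAMPLE_ACCOUNTS))
    for service, account, cipher in find_weak_ticket_requests(SAMPLE_4769_EVENTS):
        print(f"{cipher} ticket for {service} requested by {account}")
```

In a real audit the account dictionary would be filled from an LDAP query for `msDS-SupportedEncryptionTypes` and the event lines from exported domain controller Security logs; the point of the two views together is that the attribute tells you what could use RC4, while 4769 tells you what actually did, and it is the second list that names the legacy systems the article warns are easy to overlook.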