Microsoft Sweeps RC4 Remnants from Kerberos
RC4 encryption has been cracked for over a decade. Now Microsoft is slowly sweeping the last remnants, such as in Kerberos, away.
Although RC4 encryption should already be a thing of the past, it is still used sporadically today. Microsoft has now announced that it will remove Rivest Cipher 4 from Kerberos. This is intended to improve security, as the cracked encryption enables attacks such as “Kerberoasting” to steal credentials and compromise networks.
“It is critical to stop using RC4,” explains Program Manager Matthew Palko in a post on the Windows Server blog. By mid-2026, Microsoft plans to update the default settings of the Kerberos Key Distribution Center (KDC) on domain controllers from Windows Server 2008 onwards so that they only allow AES-SHA1 encryption. RC4 will then be deactivated by default and can only be used if domain admins explicitly configure access or the KDC to use RC4.
More Secure Windows Authentication
“Secure Windows authentication does not require RC4; AES-SHA1 can be used across all supported Windows versions since its introduction in Windows Server 2008,” Microsoft explains. If existing RC4 usage is not addressed by the time the default configuration changes, authentication based on the outdated algorithm will no longer work.
The blog post provides guidance on how to identify where RC4 is still in use. RC4 might be necessary for legacy apps or interoperability with non-Windows devices, which admins need to address. To detect RC4 usage, Microsoft is expanding the information in the Security Event Log. New PowerShell auditing scripts are also available for analysis. The improvements are available for Windows Server 2019, 2022, and 2025. The blog post explains the new fields in the extended security log events and introduces two PowerShell scripts.
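As an added example (not one of the two scripts from Microsoft's post, whose contents the article does not reproduce), the following PowerShell summarises which accounts and services on a domain controller are still being issued RC4 tickets, using the long-standing Ticket Encryption Type field of Security events 4768 (TGT request) and 4769 (service ticket request) rather than the new extended fields. It assumes auditing of Kerberos ticket operations is enabled on the DC and that `$ComputerName` and `$Days` are locally chosen parameter names.

```powershell
# Added example, not Microsoft's auditing script: tabulate Kerberos ticket
# encryption types from a DC's Security log. Assumed parameters below.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

# Kerberos etype values as they appear in the TicketEncryptionType field.
$EtypeNames = @{
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4769
    StartTime = (Get-Date).AddDays(-$Days)
}

$rows = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read named fields from the event XML; the message text is locale dependent.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Account     = $data['TargetUserName']
            Service     = $data['ServiceName']
            ClientIp    = $data['IpAddress']
            Etype       = $data['TicketEncryptionType']
            EtypeName   = $EtypeNames[$data['TicketEncryptionType']]
        }
    }

# Services (SPN owners) still handing out RC4 tickets: the remediation list.
$rc4 = $rows | Where-Object { $_.Etype -in '0x17', '0x18' }
$rc4 | Group-Object Service | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Overall distribution, to confirm AES is already the norm before the default flips.
$rows | Group-Object EtypeName | Select-Object Count, Name | Format-Table -AutoSize
```

Each service account that appears in the first table with etype 0x17 is one whose authentication will stop working once the KDC default changes, so it needs either an AES-capable configuration or an explicit RC4 exception before mid-2026.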
Palko further explains in the post how admins should deal with their findings. In addition to this overview, Microsoft provides a more in-depth support article, which IT managers should use to prepare for the impending end of RC4 in Kerberos.
RC4 encryption has been considered broken for a very long time. As early as 2013, Microsoft recommended disabling RC4 for web encryption. In 2015, the IETF (Internet Engineering Task Force) prohibited the use of RC4 in TLS with RFC 7465, not even permitting it as an optional or fallback cipher. Against this background, turning off RC4 in Windows domain authentication is overdue.
(dmk)