Microsoft reminder of next phase of Kerberos RC4 hardening
Microsoft wants to get rid of insecure RC4 encryption. The company points out that the next phase starts in April.
(Image: Jirsak/Shutterstock.com)
In April, Microsoft plans to start the next phase in the process of phasing out insecure RC4 encryption from Kerberos. Authentication in Active Directory is intended to become significantly more secure as a result, as RC4 encryption has been considered broken for many years.
To this end, Microsoft has published a 30-day reminder in the Message Center of the Windows release health notes. The Windows updates for the April Patchday and subsequent ones herald the second implementation phase to establish protective measures against a Kerberos information leak (CVE-2026-20833, CVSS 5.5, risk "medium"). The first phase, which Microsoft calls the "deployment phase," began with the Windows updates for the January Patchday. With this, Microsoft introduced "new auditing and optional configuration controls that help reduce reliance on legacy encryption types such as RC4 and prepare domain controllers for a future shift, starting with the April 2026 update, to using AES-SHA1 encrypted tickets by default."
"Enforcement phase" from April 2026
In the associated support article, Microsoft explains that the "enforcement phase with manual rollback" will start in April. With this, Microsoft continues the path that leads away from outdated encryption like RC4 through "moving toward stronger default ticket behavior." Domain controllers will use AES-SHA1 encrypted tickets as the new default for accounts that do not have explicit Kerberos encryption configured. Microsoft names "0x18" as the specific default value of "DefaultDomainSupportedEncTypes" that the KDC applies to accounts for which the AD attribute "msds-SupportedEncryptionTypes" has not been set. Admins can still override the behavior by manually configuring the "RC4DefaultDisablementPhase" REG_DWORD in the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters." "0" means no monitoring, "1" generates the phase-1 warnings in the logs, while "2" activates the enforcement phase.
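The practical question behind the paragraph above is which accounts will actually be affected by the new 0x18 default and which phase a given domain controller is currently in. The following PowerShell script is an added example, not code from Microsoft or heise: it lists accounts whose "msDS-SupportedEncryptionTypes" attribute is unset (and therefore fall back to the DefaultDomainSupportedEncTypes default), flags accounts whose explicit value contains no AES bit, and reads the "RC4DefaultDisablementPhase" value from the registry key named in the article. It assumes the ActiveDirectory module from RSAT, read access to the domain, and that it is run on the domain controller whose registry should be inspected; the bit values in the table are Microsoft's documented flags for the attribute (0x18 = AES128 + AES256).

```powershell
# Added example (not Microsoft's or heise's code). Assumes the ActiveDirectory module
# and that the script runs on a domain controller for the registry check.
Import-Module ActiveDirectory

# Documented bit flags of msDS-SupportedEncryptionTypes.
# 0x18 (the April default named by Microsoft) is AES128 + AES256 with no RC4.
$EncTypeBits = @{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    if ($Mask -eq 0) { return '(not set)' }
    $names = foreach ($bit in ($EncTypeBits.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $EncTypeBits[$bit] }
    }
    return ($names -join ', ')
}

# Pull user and computer accounts with the attribute and any SPNs
# (service accounts with SPNs are the ones most likely to depend on RC4 tickets).
$accounts = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
    -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'

$report = foreach ($a in $accounts) {
    $mask = [int]$a.'msDS-SupportedEncryptionTypes'   # $null becomes 0 = attribute not set
    [pscustomobject]@{
        Name        = $a.Name
        Class       = $a.ObjectClass
        HasSPN      = [bool]$a.servicePrincipalName
        Mask        = ('0x{0:X}' -f $mask)
        EncTypes    = ConvertFrom-EncTypeMask $mask
        UsesDefault = ($mask -eq 0)                                 # will get 0x18 from April
        NoAES       = ($mask -ne 0 -and ($mask -band 0x18) -eq 0)   # explicitly RC4/DES only
    }
}

# Accounts that either inherit the new default or are pinned to non-AES types
# are the ones to review before the enforcement phase.
$report | Where-Object { $_.UsesDefault -or $_.NoAES } |
    Sort-Object Class, Name |
    Format-Table Name, Class, HasSPN, Mask, EncTypes, UsesDefault, NoAES -AutoSize

# Phase override on this domain controller, per the registry key in the article.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$phase = (Get-ItemProperty -Path $regPath -Name 'RC4DefaultDisablementPhase' `
    -ErrorAction SilentlyContinue).RC4DefaultDisablementPhase

$phaseText = switch ($phase) {
    0       { '0 - no monitoring' }
    1       { '1 - phase-1 warnings logged' }
    2       { '2 - enforcement phase' }
    default { 'not set (Microsoft''s phase default for the installed update applies)' }
}
Write-Output "RC4DefaultDisablementPhase on $env:COMPUTERNAME : $phaseText"
```

The script only reads; it does not change any attribute or registry value. Accounts that show up with `NoAES = True` have been explicitly restricted to RC4 or DES and will not be helped by the new default, so they need a deliberate attribute change once their dependent services are confirmed to support AES.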
Microsoft strongly advises that now is the time to resolve dependencies on RC4-based Kerberos tickets for service accounts or apps before the "enforcement phase" begins in July 2026.
This was also discussed in the heise security webinar on Securing Authentication in Active Directory: Surviving (and Thriving) with Microsoft's Outdated Concepts, which highlighted the practical problems of Kerberos and NTLM and their solutions.
(dmk)