Microsoft has announced it will deprecate RC4 by default in Windows authentication, ending a 26-year fallback used in Active Directory. The change is designed to reduce exposure to attackers who have exploited RC4 to gain access to networks.
RC4, short for Rivest Cipher 4, was created by Ron Rivest in 1987. After a leak in 1994, researchers demonstrated attacks that weakened RC4’s security, and the cipher lingered in TLS and SSL for years despite known weaknesses.
For years, RC4 remained the default in Windows domains, with AES only gradually taking over. Because domain controllers kept answering ticket requests with RC4-encrypted responses, attackers could mount credential-theft techniques such as Kerberoasting; the Ascension breach highlighted the risk, exposing millions of patient records and disrupting dozens of hospitals.
US Senator Ron Wyden criticized Microsoft in September, urging the Federal Trade Commission to investigate the company over RC4’s default status, calling it “gross cybersecurity negligence.” Microsoft cited Kerberoasting as a root cause for Ascension’s intrusion and reaffirmed that the deprecation will reduce risk.
Microsoft will provide new tools to identify systems that still rely on RC4, including enhanced Kerberos logs and PowerShell scripts to pinpoint legacy usage. Once RC4 is disabled by default, only administrators who explicitly enable RC4 in specific cases will be affected, and third-party systems may require manual updates.
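As an added illustration of the kind of log-driven inventory described above (not Microsoft's own tooling), the following PowerShell script reads Kerberos service-ticket events (Security event ID 4769) from a domain controller and groups the RC4-encrypted ones by target service, so the owners of legacy SPNs can be found and migrated before the default changes. It assumes "Audit Kerberos Service Ticket Operations" is enabled and the standard 4769 field names; the function and variable names are the example's own.

```powershell
# Added example: list Kerberos service-ticket requests (Security event 4769)
# that a domain controller answered with RC4, grouped by target service.
# Assumes the script runs on (or can query) a DC with Kerberos service-ticket
# auditing enabled; field names follow the standard 4769 event schema.

# TicketEncryptionType values that mean RC4 (0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP).
$Rc4Types = @('0x17', '0x18')

function Get-Rc4TicketRequests {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each 4769 event exposes its fields as <Data Name="..."> nodes in EventData.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($Rc4Types -contains $d['TicketEncryptionType']) {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Account  = $d['TargetUserName']     # requesting principal
                    Service  = $d['ServiceName']        # SPN the ticket was issued for
                    ClientIp = $d['IpAddress']
                    EncType  = $d['TicketEncryptionType']
                    Status   = $d['Status']             # 0x0 = ticket issued
                }
            }
        }
}

# One row per service still receiving RC4 tickets, with the accounts that asked for them.
Get-Rc4TicketRequests |
    Group-Object Service |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Services that appear here with RC4 tickets after AES has been enabled on the domain usually point to an account whose `msDS-SupportedEncryptionTypes` or password history still forces RC4, which is the state to fix before the default flips.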