The software giant wired RC4 into Active Directory when it launched the system in 2000, making the cypher the only way to secure the Windows component that manages users and administrators across large organisations.
For those who came in late, RC4, short for Rivest Cypher 4, was created in 1987 by RSA Security cryptographer Ron Rivest and promptly began unravelling once its secret sauce leaked in 1994.
Within days of that leak, a researcher showed how the cypher could be attacked, badly denting the security guarantees it was supposed to offer. Even so, RC4 lingered for years inside major encryption standards such as SSL and TLS, long after its weaknesses were well understood.
According to Ars Technica, Vole said it would finally deprecate RC4, citing its vulnerability to Kerberoasting, an attack method known since 2014 and blamed for high-profile breaches, including the initial intrusion into Ascension’s network.
Volish principal program manager Matthew Palko wrote: “By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Centre (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption.”
“RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it,” he added.
After the change, RC4 authentication will stop working unless administrators jump through extra hoops to keep it alive.
Until then, Palko warned that admins need to track down any systems still relying on RC4, a task made awkward by the number of third-party legacy systems that still depend on it for critical functions.
Microsoft admits these old systems often lurk in networks, unnoticed, until they break or get exploited.
To flush them out, Vole is rolling out updated KDC logs that record Kerberos requests and responses using RC4.
Kerberos, the industry-standard authentication protocol, is the sole way into Active Directory, which attackers prize as a crown jewel once they gain access to a Windows network.
New PowerShell scripts are also being introduced to trawl security logs and more easily flag lingering RC4 use.
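One way to do the kind of log trawl Palko describes, as an added example that is not Microsoft's forthcoming script: it reads the long-standing KDC audit events 4768 (TGT requested) and 4769 (service ticket requested), whose TicketEncryptionType field separates RC4 (0x17) from AES (0x11, 0x12), and lists the accounts and services still being issued RC4 or DES tickets. It assumes the Kerberos audit subcategories are enabled on the domain controller and that the caller can read its Security log; the function and variable names are the example's own.

```powershell
# Added example, not Microsoft's script: inventory Kerberos tickets issued with RC4 (or DES)
# from the 4768/4769 audit events on a domain controller. Assumes "Audit Kerberos Authentication
# Service" and "Audit Kerberos Service Ticket Operations" are enabled.
$EncTypeNames = @{
    '0x1'  = 'DES-CBC-CRC';  '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'; '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC';     '0x18' = 'RC4-HMAC-EXP'
}
# Types an AES-SHA1-only KDC will no longer issue once RC4 is off by default.
$LegacyEncTypes = @('0x1', '0x3', '0x17', '0x18')

function ConvertFrom-KdcEventXml {
    # Flatten one 4768/4769 event's XML into the fields needed for an RC4 inventory.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $id = $EventXml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # element may carry attributes
    $etype = [string]$data['TicketEncryptionType']
    [pscustomobject]@{
        Time     = $EventXml.Event.System.TimeCreated.SystemTime
        EventId  = [int]$id
        Account  = $data['TargetUserName']
        Service  = $data['ServiceName']      # krbtgt for 4768, the requested SPN for 4769
        ClientIP = $data['IpAddress']
        EncType  = $etype
        EncName  = if ($EncTypeNames.ContainsKey($etype)) { $EncTypeNames[$etype] } else { 'unknown' }
        IsLegacy = $LegacyEncTypes -contains $etype
    }
}

function Find-LegacyKerberosTickets {
    # Read the live Security log (or an exported .evtx) and keep only RC4/DES tickets.
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $Since }
    if ($Path) { $filter.Remove('LogName'); $filter['Path'] = $Path }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-KdcEventXml ([xml]$_.ToXml()) } |
        Where-Object IsLegacy
}

# Offline check against a constructed 4769 record (real field names, made-up values):
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2025-01-01T00:00:00Z"/></System>
  <EventData><Data Name="TargetUserName">svc-backup@CORP.EXAMPLE</Data>
    <Data Name="ServiceName">MSSQLSvc/db01.corp.example</Data>
    <Data Name="IpAddress">::ffff:10.0.0.5</Data>
    <Data Name="TicketEncryptionType">0x17</Data></EventData>
</Event>
'@
ConvertFrom-KdcEventXml $sample | Format-Table EventId, Account, Service, EncName, IsLegacy
```

On a domain controller, `Find-LegacyKerberosTickets | Group-Object Account, Service | Sort-Object Count -Descending` gives the list of accounts and SPNs to migrate before the default flips.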
Vole insists it has been trying to kill off RC4 for more than a decade, but inertia and compatibility fears kept it shambling on.
Microsoft Windows Authentication head Steve Syfuhs wrote on Bluesky: “The problem, though, is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long.”
“The issue is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes.”