Microsoft will finally kill obsolete cipher that has wreaked decades of havoc
The Long-Awaited Demise of RC4: Microsoft's Plan to Finally Kill the Vulnerable Cipher
For over two decades, the Rivest Cipher 4 (RC4) has been a staple in encryption protocols, including SSL and its successor TLS. Despite its known susceptibility to attacks, RC4 remained a favorite weakness for hackers to exploit, compromising enterprise networks and putting sensitive data at risk. However, Microsoft has finally announced its plan to deprecate RC4, citing its vulnerability to Kerberoasting, a form of attack that has been around since 2014.
A Brief History of RC4
RC4 was first developed in 1987 by Ron Rivest of RSA Security. It was initially designed as a stream cipher, which is a type of encryption algorithm that uses a pseudorandom keystream to encrypt and decrypt data. Within days of its release, a researcher demonstrated a cryptographic attack that significantly weakened the security it was believed to provide. Despite this, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago.
The Continued Use of RC4 in Windows
One of the most visible holdouts in supporting RC4 has been Microsoft. The software maker rolled out Active Directory in 2000, and RC4 was then the sole means of securing that Windows component. Microsoft later upgraded Active Directory to support the much more secure AES encryption standard, but by default, Windows servers have continued to answer RC4-based authentication requests with an RC4-based response. This has made it a favorite weakness for hackers to exploit, compromising enterprise networks and putting sensitive data at risk.
The Breach of Ascension and the Role of RC4
Last year's breach of health giant Ascension was a prime example of the devastating impact of a weak cipher like RC4. The breach caused life-threatening disruptions at 140 hospitals and put the medical records of 5.6 million patients into the hands of the attackers. US Senator Ron Wyden (D-Ore.) called on the Federal Trade Commission to investigate Microsoft for "gross cybersecurity negligence," citing the continued default support for RC4.
Microsoft's Plan to Deprecate RC4
Microsoft has finally announced its plan to deprecate RC4, citing its vulnerability to Kerberoasting. By mid-2026, the company will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption. RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it.
The Challenges of Deprecating RC4
Deprecating RC4 has not been an easy task for Microsoft. The company has had to deal with a raft of critical RC4 vulnerabilities that required "surgical" fixes. Microsoft considered deprecating RC4 by this year, but ultimately "punted" after discovering vulnerabilities that required still more fixes. During that time, Microsoft introduced some "minor improvements" that favored the use of AES, and as a result, usage dropped by "orders of magnitude."
The Importance of Auditing Networks for RC4 Usage
Windows admins would do well to audit their networks for any usage of RC4. Given its wide adoption and continued use industry-wide, it may still be active, much to the surprise and chagrin of those charged with defending against hackers. Microsoft is making several tools available to help identify problematic RC4 usage, including an update to KDC logs and new PowerShell scripts to sift through security event logs.
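The kind of audit the paragraph above describes can be started today with the Security event log and the ActiveDirectory module, without waiting for Microsoft's tooling. The script below is an added example and is not one of Microsoft's scripts. It assumes an elevated PowerShell session on (or with remote rights to) a domain controller, that the "Audit Kerberos Service Ticket Operations" subcategory is enabled so that Event ID 4769 (service ticket requested) is logged, and that the RSAT ActiveDirectory module is installed; the function names are the author's own.

```powershell
# Added example, not Microsoft's own script: two audit queries for RC4 use in a Windows domain.
# Assumes: elevated session on or with rights to a domain controller, Event ID 4769 auditing
# enabled, and the ActiveDirectory RSAT module available for the second function.

# Kerberos ticket encryption types as logged in the TicketEncryptionType field of event 4769.
$EtypeNames = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}
$Rc4Etypes = @('0x17', '0x18')

function Find-RC4ServiceTickets {
    # Returns one object per 4769 event whose service ticket was issued with an RC4 key.
    # The Service column is the account whose long-lived key is RC4: that is where to fix things.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event data is easiest to read from the XML rendering of the record.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($Rc4Etypes -contains $data['TicketEncryptionType']) {
            [pscustomobject]@{
                Time           = $e.TimeCreated
                Account        = $data['TargetUserName']   # principal that asked for the ticket
                Service        = $data['ServiceName']      # SPN owner still holding an RC4 key
                ClientAddress  = $data['IpAddress']
                EncryptionType = $EtypeNames[$data['TicketEncryptionType']]
                Status         = $data['Status']           # 0x0 means the ticket was issued
            }
        }
    }
}

function Find-RC4ConfiguredAccounts {
    # Returns accounts whose msDS-SupportedEncryptionTypes explicitly includes RC4 (bit 0x4).
    # Caveat: an account with the attribute unset falls back to the KDC default, which still
    # permits RC4 until the default changes, so an empty result here does not prove RC4 is
    # unused. Pair this with the ticket audit above.
    Import-Module ActiveDirectory -ErrorAction Stop
    $ldap = '(&(objectClass=user)(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4))'
    Get-ADObject -LDAPFilter $ldap -Properties msDS-SupportedEncryptionTypes, servicePrincipalName |
        Select-Object Name, ObjectClass,
            @{ n = 'EncTypes'; e = { '0x{0:x}' -f [int]$_.'msDS-SupportedEncryptionTypes' } },
            @{ n = 'HasSPN';   e = { [bool]$_.servicePrincipalName } }
}

# Usage: which service accounts are still being issued RC4 tickets, and from which clients?
Find-RC4ServiceTickets -Days 7 |
    Group-Object Service | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Clients'; e = { ($_.Group.ClientAddress | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# And which accounts are explicitly configured to accept RC4?
Find-RC4ConfiguredAccounts | Format-Table -AutoSize
```

The first query is the useful one for prioritising work: each distinct Service value is an account whose key is still RC4-HMAC, and the client list tells you which systems are requesting those tickets and would need attention before the account is moved to AES-only. Treat the second query as a configuration check only, for the reason given in the comment.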
The Future of RC4 and Its Implications
The demise of RC4 marks an important milestone in the fight against cyber threats. However, it also highlights the ongoing challenges of keeping up with the evolving threat landscape. As hackers continue to find new ways to exploit vulnerabilities, it is essential that organizations remain vigilant and proactive in their cybersecurity efforts. The deprecation of RC4 is a step in the right direction, but it is only one part of a broader effort to protect sensitive data and prevent cyber attacks.
Conclusion
The deprecation of RC4 is a significant development in the fight against cyber threats. Microsoft's plan to disable the vulnerable cipher by default and only allow AES-SHA1 encryption marks a major step forward in protecting sensitive data and preventing cyber attacks. However, it also highlights the ongoing challenges of keeping up with the evolving threat landscape. As hackers continue to find new ways to exploit vulnerabilities, it is essential that organizations remain vigilant and proactive in their cybersecurity efforts.