Microsoft's 26-Year-Old Security Flaw Finally Dying
16 Dec
Summary
- Microsoft deprecates RC4 encryption after supporting it for 26 years.
- RC4 was exploited in major breaches, including the Ascension healthcare attack.
- By mid-2026, Windows servers will default to more secure AES-SHA1 encryption.

Microsoft is phasing out the RC4 encryption cipher, a standard that has been supported by default in Windows for 26 years. This move comes after decades of known vulnerabilities and recent criticism regarding its exploitation in significant cyberattacks, including the breach at Ascension.
The company announced that by mid-2026, Windows Server defaults for Kerberos authentication will shift to the more secure AES-SHA1 encryption. RC4 will be disabled by default, requiring administrators to actively configure its use if necessary, a measure aimed at enhancing network security.
This deprecation is a complex undertaking due to RC4's long history and widespread implementation. Microsoft is providing tools, such as updated KDC logs and PowerShell scripts, to help administrators identify and transition any systems still relying on this outdated cipher, ensuring a smoother migration to more robust security protocols.
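As an added illustration of the kind of check such tooling performs (example code written for this page, not Microsoft's own scripts), the Python below scans Kerberos KDC audit events (Windows event IDs 4768 for TGT requests and 4769 for service-ticket requests) and reports every principal whose tickets were issued with an RC4 or DES encryption type, grouped by service. The event lines, field layout, account names and addresses are constructed for the example; a real run would feed it the Security log exported from a domain controller.

```python
import re
from collections import defaultdict

# Kerberos encryption type codes as logged in the TicketEncryptionType field of
# 4768/4769 events: AES types from RFC 3962, RC4 types from RFC 4757, DES from RFC 3961.
ETYPE_NAMES = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
    0x18: "rc4-hmac-exp",
}
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}  # will stop working once RC4/DES are disabled

# Constructed sample events (one per line, key/value form); NOT real log entries.
SAMPLE_EVENTS = """\
EventID: 4769 TargetUserName: alice@CORP.EXAMPLE ServiceName: MSSQLSvc/db01.corp.example TicketEncryptionType: 0x17 IpAddress: ::ffff:10.0.0.21
EventID: 4769 TargetUserName: bob@CORP.EXAMPLE ServiceName: HTTP/web01.corp.example TicketEncryptionType: 0x12 IpAddress: ::ffff:10.0.0.35
EventID: 4768 TargetUserName: legacyapp ServiceName: krbtgt TicketEncryptionType: 0x17 IpAddress: ::ffff:10.0.0.77
EventID: 4769 TargetUserName: carol@CORP.EXAMPLE ServiceName: cifs/fs02.corp.example TicketEncryptionType: 0x11 IpAddress: ::ffff:10.0.0.40
EventID: 4769 TargetUserName: svc_backup ServiceName: MSSQLSvc/db01.corp.example TicketEncryptionType: 0x18 IpAddress: ::ffff:10.0.0.21
"""

LINE_RE = re.compile(
    r"EventID: (?P<event_id>\d+) TargetUserName: (?P<user>\S+) ServiceName: (?P<service>\S+) "
    r"TicketEncryptionType: (?P<etype>0x[0-9a-fA-F]+) IpAddress: (?P<ip>\S+)"
)

def parse_events(text):
    """Yield one dict per recognisable event line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["etype"] = int(d["etype"], 16)
            yield d

def find_weak_etype_usage(text):
    """Return {service: sorted [(user, ip, etype_name)]} for tickets issued with RC4/DES.
    For 4769 hits the service account's supported etypes need fixing; for 4768 hits
    (ServiceName krbtgt) it is the requesting client or user account."""
    hits = defaultdict(set)
    for ev in parse_events(text):
        if ev["etype"] in WEAK_ETYPES:
            name = ETYPE_NAMES.get(ev["etype"], f"unknown-0x{ev['etype']:x}")
            hits[ev["service"]].add((ev["user"], ev["ip"], name))
    return {svc: sorted(v) for svc, v in hits.items()}
```

Calling `find_weak_etype_usage(SAMPLE_EVENTS)` on the constructed sample lists the two RC4 users of the db01 SQL service and the one account that still obtains RC4 TGTs, while the AES-only entries are ignored.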