The End of an Era: Why Microsoft’s Move Against RC4 is Great News for Your Security

A significant and long-awaited change is coming to the world of Microsoft Active Directory, and it is excellent news for organisations prioritising robust cybersecurity. Microsoft is finally planning to disable the obsolete RC4 (Rivest Cipher 4) encryption type for Kerberos authentication in Active Directory Domain Controllers by default. This move directly tackles one of the most effective and widely exploited weaknesses in enterprise networks: the Kerberoasting attack.

While this change is fantastic for genuine security, it will undoubtedly inconvenience some, particularly those who rely on legacy systems or simpler penetration testing methods. However, for us at Vertex Cyber Security, it’s just another step in the right direction. True, high-quality penetration testing relies on expertise, not low-hanging fruit.

The Problem with RC4 and Kerberoasting

RC4 is an outdated symmetric stream cipher. While it has been retained for years for backward compatibility, its cryptographic weaknesses have made it a major vulnerability in Windows environments.

The core issue lies in how RC4-encrypted Kerberos service tickets are created:

  • Weak Key Derivation: RC4 encryption keys are derived from the weak NTLM password hash without cryptographic ‘salting’.
  • Kerberoasting Vulnerability: This is a technique where an attacker, once they have a foothold on the network, requests a Kerberos service ticket for a Service Principal Name (SPN) associated with a service account. Since the ticket can be RC4-encrypted, the attacker can extract the encrypted ticket and then attempt to crack the password offline.

The critical danger is the speed of cracking:

  • RC4-encrypted tickets can be cracked hundreds of times faster than those encrypted with the modern Advanced Encryption Standard (AES).
  • This makes Kerberoasting a highly efficient method for an attacker to escalate privileges and compromise the entire network.

Microsoft’s Plan: Moving to AES-SHA1

To mitigate the Kerberoasting risk, Microsoft is taking action. By the end of the second quarter of 2026, the default encryption type for Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later domain controllers will be set to only allow AES-SHA1 encryption.

For new Active Directory domain installations using Windows Server 2025, RC4 is planned to be disabled by default.

This shift is a massive win because:

  • AES is significantly more computationally intensive to crack, making offline brute-force attacks like Kerberoasting far less feasible in a practical timeframe.
  • It ensures that Kerberos tickets are secured with modern, robust cryptographic standards.

What This Means for Your Organisation

This upcoming change is a strong signal that you should be proactively eliminating RC4 from your environment now.

Key Steps to Consider for a Secure Transition:

  • Audit for RC4 Usage: You should identify any accounts, services, or legacy devices that are still relying on RC4 encryption. You can use auditing tools and event logs on your domain controllers to find which accounts are still requesting RC4 tickets.
  • Enforce AES Encryption: You can configure a Group Policy Object (GPO) to enforce AES-SHA1 (AES128_HMAC_SHA1 and AES256_HMAC_SHA1) as the allowed encryption types for Kerberos across your domain, or set the relevant registry values.
  • Update Service Accounts: If an account currently only has RC4 keys, resetting its password regenerates its Kerberos keys, which prepares it to use the stronger AES-SHA1 keys.
  • Focus on Password Strength: While AES makes cracking harder, it is not a cure-all. Kerberoasting remains fundamentally a weak password problem. Service accounts should use complex, unique passwords of twenty or more characters to minimise risk.
  • Address Legacy Systems: Older operating systems like Windows Server 2003 or earlier do not support AES-SHA1. These systems should be migrated or replaced to ensure they do not force a downgrade in your security posture.
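As an added example (not code from the original post, nor from Microsoft), the audit step above in PowerShell: it pulls service-ticket requests that were issued with RC4 (TicketEncryptionType 0x17) from Security event 4769 on a domain controller, and lists SPN-bearing user accounts whose msDS-SupportedEncryptionTypes attribute still permits RC4. It assumes the ActiveDirectory module is installed, that the caller can read the DC's Security log, and that Kerberos service ticket auditing is enabled; the function names are my own.

```powershell
# Added example, not from the original post. Assumes: rights to read the DC's
# Security log, the ActiveDirectory module, and "Audit Kerberos Service Ticket
# Operations" enabled so that event 4769 is written.

# Values recorded in the TicketEncryptionType field of Security event 4769.
$EncTypeNames = @{
    '0x11' = 'AES128_HMAC_SHA1'
    '0x12' = 'AES256_HMAC_SHA1'
    '0x17' = 'RC4_HMAC'
}

function Get-Rc4TicketRequests {
    # Service-ticket (TGS) requests issued with RC4 in the last $Days days.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            $code = $d['TicketEncryptionType']
            $name = if ($code -and $EncTypeNames.ContainsKey($code)) { $EncTypeNames[$code] } else { $code }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Requester   = $d['TargetUserName']   # account that asked for the ticket
                ServiceName = $d['ServiceName']      # SPN account the ticket was issued for
                ClientIP    = $d['IpAddress']
                EncType     = $name
            }
        } |
        Where-Object { $_.EncType -eq 'RC4_HMAC' }
}

function Get-Rc4CapableServiceAccounts {
    # User accounts with an SPN whose msDS-SupportedEncryptionTypes is unset (the
    # legacy default behaves as RC4) or has the RC4 bit set.
    # Bits: 0x4 RC4_HMAC, 0x8 AES128_HMAC_SHA1, 0x10 AES256_HMAC_SHA1.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties msDS-SupportedEncryptionTypes |
        ForEach-Object {
            $set = $_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                EncTypesValue  = $set
                AllowsRC4      = (-not $set) -or (($set -band 0x4) -ne 0)
            }
        } |
        Where-Object { $_.AllowsRC4 }
}

Get-Rc4TicketRequests | Group-Object Requester, ServiceName | Sort-Object Count -Descending | Format-Table Count, Name
Get-Rc4CapableServiceAccounts | Format-Table -AutoSize
```

Run the first query against every domain controller, since each DC only logs the tickets it issued; accounts that appear in both lists are the ones to reset and move to AES first.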

A Note on Penetration Testing

Some penetration testing providers may rely on quickly exploiting easy-to-find, known weaknesses like RC4-based Kerberoasting. This change will make it more difficult for less skilled or ‘script kiddie’ penetration testing companies that do not go beyond simple, automated attacks.

At Vertex Cyber Security, we focus on genuine, high-quality, and comprehensive manual penetration testing. We do not rely on one single, simple vulnerability. Our expert penetration testers are equipped to find complex, deep-seated issues that remain even after implementing security baselines like this one, ensuring your systems are resilient against the latest and most sophisticated threats.

Partner with Experts for True Security

The deprecation of RC4 is an essential step towards strengthening your Active Directory security, but it is one of many. Moving your organisation to a stronger security posture requires careful planning, deep technical expertise, and thorough testing to ensure that removing one weak cipher does not inadvertently cause service disruption to critical systems.

If you are concerned about your current RC4 usage, want to verify your transition to AES, or require a comprehensive penetration test to identify other sophisticated vulnerabilities in your systems, you should contact the expert team at Vertex Cyber Security.

We can provide the deep technical analysis and guidance needed to manage complex changes and ensure your security is truly robust.
(c) 2026 Vertex Technologies Pty Ltd.