Microsoft has announced that it will deprecate RC4 encryption in Kerberos authentication on Windows Server systems by mid-2026. The change affects domain controller KDC defaults on Windows Server 2008 and later and aims to strengthen security by defaulting to AES-SHA1 encryption.
Security Enhancements
The initiative to disable RC4 is a response to evolving threats and reflects the growing importance of robust encryption protocols. The AES-SHA1 encryption types, specifically AES128-CTS-HMAC-SHA1-96 and AES256-CTS-HMAC-SHA1-96, have been supported since Windows Server 2008 and provide better security.
Key enhancements in Windows Server 2019, 2022, and 2025 include additional Kerberos event fields. Fields such as msDS-SupportedEncryptionTypes and Available Keys help identify accounts limited to RC4, guiding administrators in the transition to AES.
Implementation Tools
Microsoft has introduced PowerShell tools like List-AccountKeys.ps1 and Get-KerbEncryptionUsage.ps1 to assist administrators. These tools verify the availability of AES keys and report on currently used encryption types, facilitating the migration from RC4.
- List-AccountKeys.ps1 identifies accounts and keys, revealing any absence of AES keys.
- Get-KerbEncryptionUsage.ps1 filters and reports encryption types used, supporting AES migration.
Security administrators are advised to reset passwords to generate AES keys or reconfigure account settings to ensure AES-SHA1 support. Legacy systems not supporting AES should be upgraded or evaluated for alternatives.
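As an added example (not one of Microsoft's scripts), the following PowerShell decodes the msDS-SupportedEncryptionTypes bitmask mentioned above and flags accounts that are configured without AES. The function name Get-EncTypeAssessment and the sample account names are hypothetical; the sample records are constructed so the code runs without a domain.

```powershell
# Added example: classify accounts by msDS-SupportedEncryptionTypes.
# Get-EncTypeAssessment is a hypothetical helper, not a Microsoft script.
function Get-EncTypeAssessment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account
    )
    begin {
        # Kerberos encryption-type flag bits carried in the attribute.
        $bits = [ordered]@{
            'DES-CBC-CRC'             = 0x01
            'DES-CBC-MD5'             = 0x02
            'RC4-HMAC'                = 0x04
            'AES128-CTS-HMAC-SHA1-96' = 0x08
            'AES256-CTS-HMAC-SHA1-96' = 0x10
        }
    }
    process {
        # The attribute is null on accounts that were never configured.
        $raw   = $Account.'msDS-SupportedEncryptionTypes'
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        $names = @(foreach ($b in $bits.GetEnumerator()) {
            if ($value -band $b.Value) { $b.Key }
        })
        $status = if (($value -band 0x1F) -eq 0) {
            'Not set: KDC default applies'
        } elseif (($value -band 0x18) -eq 0) {
            'No AES: RC4/DES only'
        } elseif ($value -band 0x07) {
            'AES with RC4/DES still allowed'
        } else {
            'AES only'
        }
        [pscustomobject]@{
            Account  = $Account.SamAccountName
            RawValue = '0x{0:X}' -f $value
            EncTypes = $names -join ', '
            Status   = $status
        }
    }
}
# Constructed sample records (not real accounts).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy'; 'msDS-SupportedEncryptionTypes' = 0x04 }
    [pscustomobject]@{ SamAccountName = 'svc-mixed';  'msDS-SupportedEncryptionTypes' = 0x1C }
    [pscustomobject]@{ SamAccountName = 'svc-web';    'msDS-SupportedEncryptionTypes' = 0x18 }
    [pscustomobject]@{ SamAccountName = 'svc-unset';  'msDS-SupportedEncryptionTypes' = $null }
)
$sample | Get-EncTypeAssessment | Format-Table -AutoSize
```

Against a live domain, objects returned by Get-ADUser or Get-ADComputer with -Properties msDS-SupportedEncryptionTypes can be piped to the same function. The attribute only shows which types an account is configured for; whether AES keys actually exist for the account is what List-AccountKeys.ps1 reports.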
Guidance and Compliance
Organizations can leverage the Windows Admin Center and the Windows Server 2025 security baseline to audit and enforce compliance with allowable Kerberos encryption types. RC4 is firmly excluded in these compliance baselines.
This strategic shift by Microsoft signals a move towards more secure authentication practices essential in the current cybersecurity landscape. Businesses are urged to implement these changes to bolster their security posture against potential threats.