
Microsoft Finally Phases Out RC4 Encryption After 26 Years of Use
Microsoft has announced the final deprecation of the RC4 encryption algorithm in Windows, marking the end of a 26-year era for the once widely used cipher. Initially published in 1995 in Bruce Schneier's "Applied Cryptography," RC4 has been known to be vulnerable since 2014.

Despite this, Windows servers continued to accept and respond to RC4-based authentication requests by default, leaving them susceptible to Kerberoasting attacks, since service tickets issued with RC4 are far cheaper to crack offline than their AES equivalents. This vulnerability was notably exploited in the 2024 breach of Ascension, which affected 140 hospitals and exposed the data of 5.6 million patients. The incident prompted Senator Ron Wyden to call for an FTC investigation into potential negligence.

The removal of RC4 from Windows is a significant step toward hardening Windows environments. Organizations are advised to confirm that none of their systems still use RC4 and to review their authentication protocols to ensure they rely on stronger alternatives such as AES. Regular audits and updates of cryptographic settings are essential to maintaining a strong security posture.
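The audit the article recommends usually comes down to two checks in an Active Directory environment: which accounts are still allowed to use RC4 (the `msDS-SupportedEncryptionTypes` attribute), and whether service tickets are actually being issued with RC4 (Security event 4769, field `TicketEncryptionType`). The following Python helper is an added example written for this page; it is not code from the article or from Microsoft. The encryption-type numbers and attribute bit flags are the standard Kerberos values; the sample log records are constructed in a flattened `key=value` form (real 4769 events are XML, only the field names are taken from them), and the treatment of an unset attribute as RC4-capable reflects the default behaviour of a stock domain controller.

```python
"""Audit helpers for finding RC4 (and DES) Kerberos usage in a Windows domain.
Added example for this page; not code from the article or from Microsoft.
"""
import re

# Kerberos encryption type (etype) numbers as they appear in event 4769.
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
# Anything that is not an AES etype should not appear in a modern domain.
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

# Bit flags of the msDS-SupportedEncryptionTypes attribute on an AD account.
SUPPORTED_ENC_FLAGS = [
    (0x01, "DES-CBC-CRC"),
    (0x02, "DES-CBC-MD5"),
    (0x04, "RC4-HMAC"),
    (0x08, "AES128-CTS-HMAC-SHA1-96"),
    (0x10, "AES256-CTS-HMAC-SHA1-96"),
    (0x20, "AES256-CTS-HMAC-SHA1-96-SK"),
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample records (flattened key=value form of Security-log events).
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=svc_sql@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.55",
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=cifs/fs01.corp.local TicketEncryptionType=0x12 IpAddress=10.0.0.20",
    "EventID=4768 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt/CORP.LOCAL TicketEncryptionType=0x12 IpAddress=10.0.0.20",
    "EventID=4769 TargetUserName=svc_backup@CORP.LOCAL ServiceName=HOST/bk01.corp.local TicketEncryptionType=0x17 IpAddress=10.0.0.55",
    "EventID=4769 TargetUserName=legacy01$@CORP.LOCAL ServiceName=cifs/fs01.corp.local TicketEncryptionType=0x03 IpAddress=10.0.0.77",
]


def decode_supported_enc_types(value):
    """Names of the ciphers enabled by an msDS-SupportedEncryptionTypes bitmask.
    An unset attribute (0) falls back to the DC default, which on a
    default-configured DC still includes RC4, so report that explicitly."""
    if value == 0:
        return ["RC4-HMAC (attribute unset; DC default applies)"]
    return [name for bit, name in SUPPORTED_ENC_FLAGS if value & bit]


def allows_rc4(value):
    """True if the account can still negotiate RC4 (unset or RC4 bit set)."""
    return value == 0 or bool(value & 0x04)


def parse_event(line):
    """Split a flattened record into a dict; etype becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    if "TicketEncryptionType" in fields:
        fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def find_weak_tickets(lines):
    """Return every 4769 record whose service ticket used a non-AES etype."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue  # 4768 (TGT requests) and other events are out of scope
        etype = ev.get("TicketEncryptionType")
        if etype in WEAK_ETYPES:
            hits.append({
                "account": ev.get("TargetUserName"),
                "service": ev.get("ServiceName"),
                "client": ev.get("IpAddress"),
                "etype": ETYPE_NAMES.get(etype, hex(etype)),
            })
    return hits


def weak_services_by_client(lines):
    """Group weak-etype tickets by requesting client: one client collecting
    RC4 tickets for many distinct services is the pattern an audit flags."""
    grouped = {}
    for hit in find_weak_tickets(lines):
        grouped.setdefault(hit["client"], set()).add(hit["service"])
    return {ip: sorted(svcs) for ip, svcs in grouped.items()}


if __name__ == "__main__":
    for hit in find_weak_tickets(SAMPLE_EVENTS):
        print(f"{hit['etype']:<12} {hit['service']:<30} {hit['account']:<28} from {hit['client']}")
    print(weak_services_by_client(SAMPLE_EVENTS))
    print("svc_sql supports:", decode_supported_enc_types(0x1C))
```

Run on the constructed sample, the helper reports the two RC4-HMAC tickets pulled by `10.0.0.55` for two different service accounts and the DES ticket from `10.0.0.77`, while the AES ticket for `alice` and the 4768 record are ignored. In a real audit the input would be the exported 4769 events from each domain controller, and any account whose attribute decodes to RC4 (or is unset) is a candidate for setting AES-only before RC4 is removed.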