Alert essentials:
Microsoft has announced that RC4 encryption will be deprecated for Kerberos authentication in Windows environments. Starting mid-2026, RC4 will be disabled by default on Windows domain controllers, and AES-SHA1 will become the required encryption standard.
Failure to act before mid-2026 may result in authentication failures and service disruptions. Please prioritize remediation.
Detailed threat description:
RC4 is considered cryptographically weak and is vulnerable to attacks such as Kerberoasting, which can lead to credential theft and compromise of the network. Continuing to rely on RC4 poses a significant security risk; therefore, Microsoft will disable RC4 encryption by default on Windows domain controllers mid-2026.
The legacy cipher often shows up in Windows environments when accounts or devices haven’t graduated to stronger encryption. It tends to linger in legacy systems, in accounts created before AES-SHA1 was introduced, or when encryption settings are left on autopilot. For years, RC4 was the default for older infrastructure. Yet today it is considered a security liability, and Microsoft is prescribing a healthier alternative, AES-SHA1.
Unfortunately, systems or applications relying on RC4 will fail authentication unless updated before the deprecation. The good news is that the last version of Windows that did not support AES-SHA1 was Windows Server 2003, so all newer devices will embrace the change in encryption.
To prepare for the encryption shift, expect to adjust computer accounts using group policy objects (GPOs) or through an operating system upgrade. General user accounts may need a password change. Service Accounts may also require the msDS-SupportedEncryptionTypes attribute to be set.
Beginning with Windows Server 2025, domain controllers will no longer issue RC4 Ticket-Granting Tickets. If the environment isn’t quite ready for AES-SHA1, keep your domain controllers on earlier versions of Windows Server until RC4 remediation is complete.
Start auditing, updating, and planning now, before hackers take a pulse on your systems. By mid-2026, AES-SHA1 will be the standard for Kerberos authentication, so strengthen defenses before RC4 flatlines.
Impacts on healthcare organizations:
Many hospitals still run older imaging systems, lab equipment, and embedded devices that authenticate using RC4 because they were designed before AES-SHA1 support. If these devices cannot be updated, they will fail Kerberos authentication once RC4 is disabled, potentially disrupting clinical workflows.
Hospitals must audit all devices and accounts for RC4 usage. Coordinate with biomedical engineering and IT teams to update firmware, OS versions, and encryption settings. Where updates aren’t possible, segmentation or isolation strategies may be needed until replacements are deployed.
Recommendations
- Identify medical devices (imaging, lab analyzers, infusion pumps) that use Windows authentication
- Validate encryption settings for EHR, PACS, LIS, RIS, and middleware
- Maintain audit logs for encryption compliance
- Check for embedded systems or vendor-managed appliances still relying on RC4
- Legacy systems and non-Windows devices may require updates or replacement
- Inform clinical leadership and IT teams about the changes
- Contact medical device manufacturers and software vendors to confirm AES-SHA1 compatibility and request firmware or software updates for legacy systems
- Document vendor timelines for compliance
- Use PowerShell scripts to discover RC4 and enhance logging in Windows Server 2019, 2022, and 2025
- Review Kerberos logs (Events 4768 and 4769) for RC4 usage
- Where possible, explicitly disable RC4
- Remove RC4 from group policy encryption settings
- Ensure all accounts have AES-SHA1 keys configured
- Update or replace systems that do not support AES
- Conduct authentication tests in a staging environment
- Validate clinical workflows post-update to avoid downtime
- If you have a third-party device that doesn’t support AES-SHA1, reach out to stillneedrc4@microsoft.com with information about the device and scenario
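The PowerShell below is an added example written for this alert; it is not Microsoft’s Kerberos-Crypto tooling and not part of the original advisory. It ties together the preparation steps described above (auditing msDS-SupportedEncryptionTypes on accounts, reviewing events 4768 and 4769 for RC4, and moving confirmed AES-capable accounts to AES-only) and assumes the ActiveDirectory RSAT module is installed and that it runs on a domain controller with Kerberos auditing enabled. The function names, the `$AesOnly` constant and the sample distinguished name in the usage comments are hypothetical.

```powershell
# Added example for RC4 discovery and remediation (not from the alert or from Microsoft's tools).
# Assumes: ActiveDirectory module available; run on a DC (or with access to its Security log).
# Events 4768/4769 only exist if "Audit Kerberos Authentication Service" and
# "Audit Kerberos Service Ticket Operations" are enabled in advanced audit policy.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (Microsoft-documented values).
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC' = 0x1
    'DES-CBC-MD5' = 0x2
    'RC4-HMAC'    = 0x4
    'AES128-SHA1' = 0x8
    'AES256-SHA1' = 0x10
}
$AesOnly = 0x18   # AES128 + AES256; hypothetical constant for the target state

function Get-RC4Accounts {
    # Reports users and computers that either explicitly allow RC4 (bit 0x4) or
    # leave the attribute unset/0, which falls back to DC defaults that have
    # historically included RC4. Computers are a subclass of user, so one filter suffices.
    Get-ADObject -LDAPFilter '(objectClass=user)' -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName' |
      ForEach-Object {
        $v = $_.'msDS-SupportedEncryptionTypes'
        $unset = ($null -eq $v -or $v -eq 0)
        [pscustomobject]@{
            Name              = $_.Name
            Class             = $_.ObjectClass
            DistinguishedName = $_.DistinguishedName
            HasSPN            = [bool]$_.servicePrincipalName   # SPN holders are the Kerberoasting-relevant set
            Value             = $v
            Types             = if ($unset) { 'not set (DC default)' } else {
                                    ($EncTypeFlags.GetEnumerator() | Where-Object { $v -band $_.Value } | ForEach-Object Key) -join ','
                                }
            RC4Risk           = ($unset -or (($v -band 0x4) -ne 0))
        }
      } | Where-Object RC4Risk
}

function Get-RC4TicketEvents {
    param([int]$MaxEvents = 5000)
    # TicketEncryptionType 0x17 is RC4-HMAC in both 4768 (TGT request) and 4769 (service ticket request).
    # 0x12 = AES256-SHA1 and 0x11 = AES128-SHA1 are the values you want to see after remediation.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } -MaxEvents $MaxEvents -ErrorAction Stop |
      ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TicketEncryptionType'] -eq '0x17') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $d['TargetUserName']   # the account requesting the ticket
                Service = $d['ServiceName']      # krbtgt for 4768, the target SPN account for 4769
                Client  = $d['IpAddress']        # device to trace back to a clinical system or vendor appliance
            }
        }
      }
}

function Set-AesOnly {
    # Sets an account to AES-only. Run it only after the device or service behind the
    # account has been confirmed AES-SHA1 capable (vendor statement or staging test).
    param([Parameter(Mandatory)][string]$DistinguishedName, [switch]$WhatIf)
    Set-ADObject -Identity $DistinguishedName -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly } -WhatIf:$WhatIf
    # The attribute alone does not create AES keys: rotate the account password afterwards
    # (on an AES-capable DC) so AES keys are generated, as the alert notes for user accounts.
}

# Usage (review output before changing anything):
#   Get-RC4Accounts | Where-Object HasSPN | Format-Table Name, Class, Types
#   Get-RC4TicketEvents | Group-Object Account, Service | Sort-Object Count -Descending | Select-Object -First 20
#   Set-AesOnly -DistinguishedName 'CN=svc-pacs,OU=Service Accounts,DC=example,DC=org' -WhatIf
```

Correlating the `Client` address from 4769 events with the device inventory is what turns the event review into the vendor conversations the recommendations call for: a modality or lab analyzer that keeps requesting RC4 tickets after its account is listed as AES-capable is the case to raise with the manufacturer before the default changes.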
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Detecting and remediating RC4 in Kerberos (Microsoft Learn): https://learn.microsoft.com/en-us/windows-server/security/kerberos/detect-remediate-rc4-kerberos
- So you think you’re ready for enforcing AES for Kerberos? (Microsoft Directory Services Support team blog): https://techcommunity.microsoft.com/blog/askds/so-you-think-you%E2%80%99re-ready-for-enforcing-aes-for-kerberos/4080124
- PowerShell scripts: microsoft/Kerberos-Crypto on GitHub (tools and information regarding Windows Kerberos cryptography)
- Beyond RC4 for Windows authentication (Windows Server blog): https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication