
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.comp.os.windows-10      Steaming pile of horseshit Windows 10      197,590 messages   


   Message 196,311 of 197,590   
   Nomen Nescio to All   
   Microsoft will finally kill obsolete cip   
   18 Dec 25 10:51:36   
   
   XPost: alt.comp.os.windows-11, alt.privacy.anon-server, comp.security.misc   
   From: nobody@dizum.com   
      
   Microsoft is killing off an obsolete and vulnerable encryption cipher   
   that Windows has supported by default for 26 years following more than a   
   decade of devastating hacks that exploited it and recently faced   
   blistering criticism from a prominent US senator.   
      
   When the software maker rolled out Active Directory in 2000, it made RC4   
   a sole means of securing the Windows component, which administrators use   
   to configure and provision fellow administrator and user accounts inside   
   large organizations. RC4, short for Rivest Cipher 4, is a nod to   
   mathematician and cryptographer Ron Rivest of RSA Security, who   
   developed the stream cipher in 1987. Within days of the   
   trade-secret-protected algorithm being leaked in 1994, a researcher   
   demonstrated a cryptographic attack that significantly weakened the   
   security it had been believed to provide. Despite the known   
   susceptibility, RC4 remained a staple in encryption protocols, including   
   SSL and its successor TLS, until about a decade ago.   
      
   Out with the old   
   One of the most visible holdouts in supporting RC4 has been Microsoft.   
   Eventually, Microsoft upgraded Active Directory to support the much more   
   secure AES encryption standard. But by default, Windows servers have   
   continued to respond to RC4-based authentication requests and return an   
   RC4-based response. The RC4 fallback has been a favorite weakness   
   hackers have exploited to compromise enterprise networks. Use of RC4   
   played a key role in last year’s breach of health giant Ascension. The   
   breach caused life-threatening disruptions at 140 hospitals and put the   
   medical records of 5.6 million patients into the hands of the attackers.   
   US Senator Ron Wyden (D-Ore.) in September called on the Federal Trade   
   Commission to investigate Microsoft for “gross cybersecurity   
   negligence,” citing the continued default support for RC4.   
      
   Last week, Microsoft said it was finally deprecating RC4 and cited its   
   susceptibility to Kerberoasting, the form of attack, known since 2014,   
   that was the root cause of the initial intrusion into Ascension’s   
   network.   
      
   “By mid-2026, we will be updating domain controller defaults for the   
   Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later   
   to only allow AES-SHA1 encryption,” Matthew Palko, a Microsoft principal   
   program manager, wrote. “RC4 will be disabled by default and only used   
   if a domain administrator explicitly configures an account or the KDC to   
   use it.”   
      
   AES-SHA1, an algorithm widely believed to be secure, has been available   
   in all supported Windows versions since the rollout of Windows Server   
   2008. Since then, Windows clients by default authenticated using the   
   much more secure standard, and servers responded using the same. But   
   Windows servers, also by default, responded to RC4-based authentication   
   requests and returned an RC4-based response, leaving networks open to   
   Kerberoasting.   
      
   Following next year’s change, RC4 authentication will no longer function   
   unless administrators perform the extra work to allow it. In the   
   meantime, Palko said, it’s crucial that admins identify any systems   
   inside their networks that rely on the cipher. Despite the known   
   vulnerabilities, RC4 remains the sole means of some third-party legacy   
   systems for authenticating to Windows networks. These systems can often   
   go overlooked in networks even though they are required for crucial   
   functions.   
      
   https://arstechnica.com/security/2025/12/microsoft-will-finally-kill-obsolete-cipher-that-has-wreaked-decades-of-havoc/   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
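The article's closing paragraph says admins should find whatever still depends on RC4 before the KDC default changes. As an added example (not from the article or the post), here is a small Python script that sifts Kerberos ticket events for RC4-issued tickets and reports which services, accounts and client addresses still rely on it. The one-event-per-line key=value format and the sample events are constructed for this example; the field names follow the EventData of Windows security events 4768 (TGT request) and 4769 (service ticket request), and the encryption-type codes (0x17 = RC4-HMAC, 0x11/0x12 = AES) are the values Windows writes into their TicketEncryptionType field.

```python
import re
from collections import defaultdict

# Kerberos encryption type codes as logged in the TicketEncryptionType field
# of Windows security events 4768 and 4769.
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_TYPES = {0x17, 0x18}

# Constructed sample export, one event per line (format assumed for this example).
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=MSSQLSvc/db01 IpAddress=::ffff:10.0.5.7 TicketEncryptionType=0x12
EventID=4769 TargetUserName=legacyapp@CORP.EXAMPLE ServiceName=HTTP/oldportal IpAddress=::ffff:10.0.9.3 TicketEncryptionType=0x17
EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=cifs/fs01 IpAddress=::ffff:10.0.5.8 TicketEncryptionType=0x11
EventID=4769 TargetUserName=legacyapp@CORP.EXAMPLE ServiceName=HTTP/oldportal IpAddress=::ffff:10.0.9.4 TicketEncryptionType=0x17
EventID=4768 TargetUserName=carol@CORP.EXAMPLE ServiceName=krbtgt IpAddress=::ffff:10.0.5.9 TicketEncryptionType=0x17
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value line into a dict; TicketEncryptionType becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    if "TicketEncryptionType" in fields:
        fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields

def rc4_inventory(text):
    """Map each service name to the accounts, client addresses, cipher names and
    count of tickets that the KDC issued with RC4. A 'krbtgt' entry means the
    client itself negotiated RC4 for its TGT, i.e. it cannot do AES at all."""
    inventory = defaultdict(lambda: {"accounts": set(), "clients": set(),
                                     "etypes": set(), "count": 0})
    for line in text.splitlines():
        ev = parse_event(line)
        etype = ev.get("TicketEncryptionType")
        if ev.get("EventID") not in ("4768", "4769") or etype not in RC4_TYPES:
            continue
        entry = inventory[ev["ServiceName"]]
        entry["accounts"].add(ev["TargetUserName"])
        entry["clients"].add(ev["IpAddress"])
        entry["etypes"].add(ENC_TYPES[etype])
        entry["count"] += 1
    return dict(inventory)

if __name__ == "__main__":
    for svc, e in rc4_inventory(SAMPLE_EVENTS).items():
        print(f"{svc}: {e['count']} RC4 ticket(s) for {sorted(e['accounts'])} "
              f"from {sorted(e['clients'])} using {sorted(e['etypes'])}")
```

Services that appear in the output are the ones to migrate to AES keys (or explicitly reconfigure) before mid-2026; entries under krbtgt point at client machines or third-party systems that still negotiate RC4 for their own logon.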



(c) 1994,  bbs@darkrealms.ca