Microsoft has not set a specific date to completely disable RC4 ciphering in Kerberos across all systems. However, the company has been actively discouraging its use due to known vulnerabilities and has provided guidance on how to disable RC4 in Active Directory environments.
In November 2013, Microsoft released a security advisory detailing steps to disable RC4. This involved applying a security update and making specific registry changes to prevent the use of RC4 in Kerberos and other protocols.
More recently, in November 2022, Microsoft released updates addressing vulnerabilities related to RC4 in Kerberos. These updates set AES as the default encryption type for session keys on accounts without a specified encryption type, further reducing reliance on RC4.
While RC4 is still supported for compatibility reasons, Microsoft strongly recommends transitioning to more secure encryption types, such as AES, to enhance security in Active Directory environments.
RC4 is insecure, weak, and exploitable in Active Directory environments. Disabling RC4 and enforcing AES encryption significantly improves security and prevents Kerberos-based attacks like Pass-the-Ticket, Kerberoasting, and Golden Ticket attacks.
Why Is RC4 ciphering dangerous in Active Directory?
RC4 (Rivest Cipher 4) is a weak and outdated encryption algorithm that was widely used in Kerberos authentication within Active Directory (AD). Despite its past popularity, RC4 is now considered insecure: multiple vulnerabilities make it susceptible to pass-the-ticket (PTT) and brute-force attacks, on top of weaknesses in the cipher itself.
RC4 uses weak encryption
- RC4 does not use proper key scheduling, making it predictable.
- No proper integrity checking, meaning attackers can modify encrypted data without detection.
- Known key biases allow for plaintext recovery when enough ciphertext is captured.
RC4 enables Kerberos attacks
Since Active Directory supports multiple encryption types (AES, RC4, DES, etc.), attackers can force Kerberos to use RC4 and exploit it.
Pass-the-Ticket (PTT) Attack
- If an attacker steals an RC4-encrypted Kerberos ticket (TGT or TGS), they can reuse it indefinitely.
- AES encryption uses timestamps, but RC4 does not, making it easier to reuse stolen tickets.
Kerberoasting with RC4
- RC4 encryption makes cracking service account passwords easier.
- Attackers can request a Kerberos TGS ticket, extract the RC4 hash, and brute-force it offline with tools like Hashcat:
hashcat -m 13100 <rc4_hash> wordlist.txt
Golden Ticket attack
- Attackers with domain admin privileges can create a forged TGT using RC4-based encryption, bypassing security mechanisms.
Microsoft Deprecation of RC4
- Microsoft deprecated RC4 in Kerberos starting Windows Server 2008 R2 and recommends disabling it.
- Newer Windows versions prefer AES, but older systems may still use RC4 for backward compatibility.
How to audit Kerberos TGS RC4 exchanges & Event ID 4769 key points
Auditing Kerberos TGS (Ticket Granting Service) RC4 exchanges is crucial to detect Kerberoasting attacks and ensure Active Directory security. Windows Event ID 4769 (A Kerberos service ticket was requested) helps identify potential abuse of RC4 encryption in Kerberos authentication.
Enable Kerberos Auditing
Open Group Policy Editor (gpedit.msc).
Navigate to:
Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon
Enable:
- Audit Kerberos Authentication Service (Success, Failure)
- Audit Kerberos Service Ticket Operations (Success, Failure)
Apply the policy and update Group Policy:
gpupdate /force
or via Auditpol.exe from the command line:
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
Key Points of Event ID 4769
Each 4769 log entry contains details about Kerberos service ticket requests.
Important Fields in Event 4769:
| Field | Description |
|---|---|
| Account Name | User requesting the service ticket |
| Service Name | The service (SPN) being accessed |
| Ticket Encryption Type | 🔥 Look for 0x17 (RC4-HMAC), which is insecure |
| Client Address | Source IP of the request |
| Failure Code | Shows if the request failed and why |
Red Flags in Event 4769
Look for high volumes of Event ID 4769 with RC4 encryption (0x17), which could indicate Kerberoasting attacks:
- Multiple requests for different SPNs from one user
- Requests originating from unusual or non-administrative accounts
- Unusual request patterns at odd hours
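The following PowerShell script is an added example, not code from the original article: it pulls Event ID 4769 entries from the Security log (or from an exported .evtx passed with -Path), keeps only successful RC4-HMAC (0x17) service tickets, and groups them by requesting account so that the red flags above (many distinct SPNs from one account, unusual source addresses, off-hours activity) show up in one table. It assumes "Audit Kerberos Service Ticket Operations" is enabled on the domain controller it runs on; the look-back window, the SPN threshold and the 22:00 to 06:00 "off hours" range are this example's own assumptions and should be tuned to the environment.

```powershell
# Added example (not from the original article): hunt for RC4 (0x17) TGS requests in Event ID 4769
# and flag accounts that requested many distinct SPNs, a typical Kerberoasting pattern.
# Assumes it runs on a domain controller, or against a saved .evtx via -Path.
param(
    [string]$Path,            # optional: offline .evtx export; default is the live Security log
    [int]$Hours = 24,         # look-back window (assumption)
    [int]$SpnThreshold = 5    # distinct SPNs per requester before we flag it (assumption)
)

$filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
if ($Path) { $filter.Remove('LogName'); $filter['Path'] = $Path }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten the EventData XML of each 4769 into a simple object
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $d['TargetUserName']
        Service   = $d['ServiceName']
        EncType   = $d['TicketEncryptionType']
        ClientIP  = $d['IpAddress']
        Status    = $d['Status']
    }
}

# Keep successful RC4-HMAC tickets; skip krbtgt and machine accounts (names ending in $),
# which are not the usual Kerberoasting targets and only add noise.
$rc4 = @($rows | Where-Object {
    $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and
    $_.Service -ne 'krbtgt' -and $_.Service -notlike '*$'
})

"RC4 (0x17) service tickets in the last $Hours h: $($rc4.Count)"

$rc4 | Group-Object Requester | ForEach-Object {
    $spns = @($_.Group.Service | Sort-Object -Unique)
    [pscustomobject]@{
        Requester    = $_.Name
        RC4Tickets   = $_.Count
        DistinctSPNs = $spns.Count
        ClientIPs    = (@($_.Group.ClientIP | Sort-Object -Unique) -join ', ')
        # "off hours" = 22:00 to 06:00 local time (assumption)
        OffHours     = @($_.Group | Where-Object { $_.Time.Hour -ge 22 -or $_.Time.Hour -lt 6 }).Count
        Flag         = if ($spns.Count -ge $SpnThreshold) { 'POSSIBLE KERBEROASTING' } else { '' }
    }
} | Sort-Object DistinctSPNs -Descending | Format-Table -AutoSize
```

Run it as `.\Find-Rc4Tgs.ps1 -Hours 8 -SpnThreshold 3` on a DC, or with `-Path .\Security.evtx` against an export. Because the encryption type in 4769 reflects the key type of the service account, a single account that keeps appearing with 0x17 is also a direct lead for the remediation steps in the next section, even when no requester crosses the threshold.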
Prevent RC4 in Kerberos TGS Requests
Check Which Accounts Use RC4
Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes | Where-Object { $_.'msDS-SupportedEncryptionTypes' -eq 4 } | Select-Object Name
- If msDS-SupportedEncryptionTypes = 4, the account only supports RC4 (insecure).
Enforce AES for Kerberos Encryption
Set AES encryption on service accounts:
Set-ADUser -Identity <ServiceAccount> -Replace @{'msDS-SupportedEncryptionTypes'=24}
(24 = AES128 + AES256)
Apply Group Policy to Block RC4
- Open Group Policy Management (gpmc.msc)
- Navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options
- Edit Network security: Configure encryption types allowed for Kerberos
- Enable only AES128 & AES256, disable RC4
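The script below is an added example, not code from the original article, and it goes a step beyond the single `-eq 4` check above: msDS-SupportedEncryptionTypes is a bit mask (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256), so an account with a value such as 28 or 12 still allows RC4 even though it is not "RC4 only". It decodes the mask for every SPN-bearing account, flags the ones that still allow RC4, reads the local value written by the "Configure encryption types allowed for Kerberos" policy from the registry, and can move flagged user accounts to AES-only (24). It assumes the RSAT ActiveDirectory module and rights to read (and, with -Enforce, write) the attribute; the decision to treat an unset value as "allows RC4" is this example's own conservative choice.

```powershell
# Added example (not from the original article): decode msDS-SupportedEncryptionTypes for every
# SPN-bearing account, flag those that still allow RC4, show the local Kerberos policy value,
# and optionally move flagged user accounts to AES-only (24). Requires RSAT ActiveDirectory.
param([switch]$Enforce)

Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes; the GPO setting uses the same layout.
$EncBits = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}
$KnownBits = 1 + 2 + 4 + 8 + 16

function ConvertTo-EncTypeList {
    param([int]$Value)
    if ($Value -eq 0) { return '(not set: default applies)' }
    $names = @(foreach ($bit in $EncBits.Keys) { if ($Value -band $bit) { $EncBits[$bit] } })
    $rest = $Value -band (-bnot $KnownBits)
    if ($rest) { $names += ('other(0x{0:x})' -f $rest) }   # e.g. the "future encryption types" bits
    $names -join ', '
}

# 1. Accounts with an SPN are the ones that can be Kerberoasted, so start there.
$accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
    -Properties msDS-SupportedEncryptionTypes, objectClass

$report = foreach ($a in $accounts) {
    $v = [int]$a.'msDS-SupportedEncryptionTypes'      # null/unset becomes 0
    [pscustomobject]@{
        Name      = $a.Name
        Class     = $a.objectClass
        DN        = $a.DistinguishedName
        Value     = $v
        EncTypes  = ConvertTo-EncTypeList $v
        # Unset is treated as allowing RC4 until reviewed (assumption: older DC defaults include RC4).
        AllowsRC4 = ($v -eq 0) -or (($v -band 4) -ne 0)
    }
}

$report | Sort-Object AllowsRC4 -Descending |
    Format-Table Name, Class, Value, EncTypes, AllowsRC4 -AutoSize

# 2. The value applied locally by "Network security: Configure encryption types allowed for Kerberos".
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
'Local Kerberos policy allows: ' + (ConvertTo-EncTypeList ([int]$local))

# 3. Optional hardening of user service accounts: AES128 + AES256 = 8 + 16 = 24.
#    -WhatIf only previews the change; remove it once the list has been reviewed.
if ($Enforce) {
    $report | Where-Object { $_.AllowsRC4 -and $_.Class -eq 'user' } | ForEach-Object {
        Set-ADUser -Identity $_.DN -Replace @{ 'msDS-SupportedEncryptionTypes' = 24 } -WhatIf
    }
}
```

Two caveats before removing `-WhatIf`: an account only has AES keys if its password was set after AES became available in the domain, so a service account with an old password needs a password reset as well, and a service whose client or application cannot negotiate AES will stop authenticating once RC4 is removed from its account. Run the 4769 audit from the previous section for a while after each change to confirm that no 0x17 tickets are still being issued for that account.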
Finally
- Monitor Event ID 4769 for ticket encryption type 0x17 (RC4-HMAC): every such ticket is a security risk, and a compliance risk if Microsoft decides to remove RC4 from Kerberos.
- Monitor high-volume TGS requests (a Kerberoasting indicator).
- Enforce AES encryption and disable RC4 when possible.