PRESIDETECH SECURITY
RC4 CIPHER & KERBEROS ASSESSMENT
PREPARED FOR IT EXECUTIVE LEADERSHIP
PRESIDETECH · ACTIVE DIRECTORY SECURITY
⚠ APRIL 2026 ENFORCEMENT DEADLINE
Your Window to Remediate RC4 Exposure Is Closing
Microsoft AES-only enforcement July 2026 — final cutover
presidetech.com
Microsoft is removing RC4 Kerberos encryption in a phased rollout starting with the April 14, 2026 server updates and ending July 2026. Organizations that have not identified and remediated RC4-dependent accounts, legacy systems, and domain configurations will face Kerberos authentication failures — locking users out of critical systems with no warning. RC4 exposure also carries direct consequences beyond the outage: cyber insurance carriers are actively denying claims where RC4 is found in the attack chain, and regulators treat it as a violation — not a gap — under NIST, FIPS, CIS, and SOC 2.
WHAT THE ASSESSMENT IDENTIFIES

Pre-AES Credential Exposure
Accounts whose passwords predate AES support will fail Kerberos auth immediately after enforcement — invisible until it's too late.

Legacy System Incompatibilities
Systems that cannot negotiate AES will drop off the network after enforcement. Discovered before patch day — not after.

RC4 Disablement Phase Gaps
DCs not in KDCSVC audit mode are invisible to remediation tracking. The tool maps every DC's compliance posture.

NTLM Relay & AS-REP Exposure
Privileged accounts forcing NTLM fallback and pre-auth disabled accounts flagged with remediation steps.

Golden Ticket Attack Window
RC4-based KRBTGT keys are the foundation of forged Golden Ticket attacks — an attacker with a compromised hash can impersonate any user indefinitely. An aged KRBTGT password widens that window dramatically. The assessment surfaces exact password age and prescribes a safe double-rotation sequence to close it.

Kerberoastable Service Accounts
RC4 ticket encryption is what makes Kerberoasting practical — RC4 hashes are crackable offline with commodity hardware and free tools in hours. Every service account with an exposed SPN is catalogued, risk-scored, and paired with remediation steps to eliminate the attack surface before enforcement.

THE REPORT — AT A GLANCE

Every finding is weighted, triaged, and delivered in a clear HTML report your team can act on immediately — no interpretation required.

CRITICAL RISK EXPOSURE: 100 (CRITICAL RISK)
RC4 Kerberos is actively in use. 9 accounts have no AES credential hashes and will fail authentication after the April 2026 enforcement update. 47% of Kerberos traffic is RC4. Immediate action required.

9 KERBEROASTABLE · 47% RC4 TRAFFIC · 730d KRBTGT AGE · 4 LEGACY SYSTEMS

4 accounts with passwords before 2008 — no AES hashes exist. Will fail Kerberos auth after April 2026 enforcement.
5 accounts with passwords before domain AES upgrade — no AES keys. Password reset required.
9 accounts exploitable via Kerberoasting — password hashes crackable offline with free tools.
KRBTGT password 730 days old — Golden Ticket attack window dangerously wide.
17 legacy systems cannot support AES — will break after April 2026 without remediation.
1 DC cannot produce KDCSVC audit events — RC4 usage through this DC invisible in logs.

Representative output — findings reflect your specific environment.
RC4 & CYBER INSURANCE — WHAT YOUR CARRIER ALREADY KNOWS

IF RC4 IS PRESENT & UNDISCLOSED
A breach involving credential theft or lateral movement triggers forensic review. If RC4 tickets appear in the attack chain and your application stated RC4 was disabled — that is material misrepresentation. The policy is voidable from inception, all claims are denied, and interim payments may be recovered.

IF RC4 IS PRESENT & DISCLOSED
Expect 20–45% premium loading, sublimits on identity-related losses, and possible exclusion for Kerberos-based attack scenarios. A remediation plan becomes a policy condition — with breach of warranty voiding coverage if the deadline is missed.

IF RC4 IS FULLY REMEDIATED & DOCUMENTED
Standard market rate. Documented AES enforcement with verification evidence is negotiating leverage — some carriers offer a 5–10% premium credit. The assessment report and remediation log are the evidence package underwriters require.

WHAT CARRIERS NOW REQUIRE AT RENEWAL
Tier 1 carriers (Lloyd's, Beazley, Chubb, AIG, Travelers) now require technical evidence at renewal — not questionnaire checkboxes.
Underwriters are looking for documented proof that RC4 has been identified across all accounts and systems, that KRBTGT rotation is current, that AES-only policy is enforced via GPO, and that findings have been systematically remediated with verification. The RC4 Collector assessment produces exactly this evidence package: a timestamped, analyst-reviewed report covering every account, DC, and domain configuration that underwriters require to move a policy to standard market rate.

ATTACK SCENARIOS THAT TRIGGER EXCLUSIONS

Golden Ticket
RC4-only KRBTGT means no AES key exists — the RC4 hash is the only target. Carrier exclusion: deprecated algorithm in use for domainwide authentication.

Kerberoasting
RC4 tickets crack at millions of attempts/sec vs. thousands for AES. Carrier exclusion: algorithmically weak encryption enabling credential theft.

Pass-the-Ticket
RC4 service tickets captured and replayed without the password. Carrier exclusion: failure to enforce minimum encryption standards on service accounts.
INDUSTRY COMPLIANCE — RC4 IS NOT A BEST PRACTICE GAP, IT'S A VIOLATION

NIST SP 800-131A / 800-175B: DISALLOWED
RC4 formally disallowed since 2015. RC4-HMAC-NT specifically cited as cryptographically weak. AES256-CTS-HMAC-SHA1-96 is the mandated Kerberos minimum. Federal contractors and any system handling federal data are directly in scope.

FIPS 140-2 / 140-3: NON-COMPLIANT
RC4 is not an approved algorithm — any system claiming FIPS compliance while using RC4 for Kerberos authentication is noncompliant. Affects federal contractors, healthcare, and financial institutions referencing FIPS.

CIS BENCHMARK — LEVEL 1: IMMEDIATE FAILURE
RC4 enabled is an automatic Level 1 CIS benchmark failure — the baseline tier, not advanced hardening. The benchmark explicitly requires AES128 and AES256 only for Kerberos. RC4_HMAC_MD5 in any permitted configuration fails the control outright.

SOC 2 — CC6: MATERIAL WEAKNESS
RC4 violates CC6.1 (encryption of data), CC6.6 (logical access against external threats), and CC6.7 (transmission using approved methods). Auditor finding language: "use of deprecated cryptographic algorithms represents a material weakness in logical access controls." Unresolved findings risk a qualified SOC 2 Type II opinion.
The difference between a finding and a control failure is systematic remediation. Auditors, insurers, and regulators are distinguishing between organizations that identify issues and those that work through them with documented evidence. A finding that reappears across audit periods becomes a material weakness. The assessment report provides the discovery artifact — the remediation steps and verification evidence close the loop that auditors, carriers, and regulators require.
COMMON EXECUTIVE QUESTIONS — ANSWERED
"We have AD monitoring — don't we already see this?"
General SIEM tools flag events reactively. This assessment proactively correlates password age, credential hash status, encryption type attributes, and event log data into an outage-risk prediction — before the April enforcement update forces the issue.

"Can't our internal team run this themselves?"
Available scripts collect raw data — they don't correlate it. This tool cross-references LDAP attributes, krbtgt replication metadata, Kerberos event logs across every DC, and AES key generation history tied to encryption changes detected over years in your environment — then applies weighted risk scoring to produce prioritized triage and step-by-step remediation guidance in a single, executive-readable report. Findings are reviewed by PresideTech security analysts before delivery. That full picture is what most teams cannot assemble on their own, and it deploys in minutes.
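The kind of correlation described in the two answers above (password age, credential hash status, encryption type attributes and Kerberos event log data combined into a weighted outage-risk score) and the account-level findings listed under "What the assessment identifies" (pre-AES credentials, RC4-only configuration, Kerberoastable and AS-REP roastable accounts, KRBTGT age, DCs without KDCSVC audit) can be illustrated with the Python script below. It is an added example written for this page, not the RC4 Collector's code. Every account, DC and 4769 event record is constructed; the domain AES upgrade date, the finding names and the weights are assumptions chosen for illustration. The msDS-SupportedEncryptionTypes bits, the userAccountControl flags and the 4769 TicketEncryptionType values are the Microsoft-documented ones.

```python
"""Offline correlation of exported AD attributes with Kerberos 4769 events to
predict which accounts break when RC4 is removed. Added illustration: sample
records are constructed, finding names and weights are assumptions."""
from datetime import date

# msDS-SupportedEncryptionTypes bit flags (Microsoft-documented values).
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10
# userAccountControl bits.
ACCOUNTDISABLE, DONT_REQ_PREAUTH = 0x2, 0x400000
# TicketEncryptionType values as logged in Security event 4769.
ETYPE_NAMES = {0x11: "AES128", 0x12: "AES256", 0x17: "RC4"}

# Assumed date the domain began deriving AES keys (e.g. DFL raised to 2008 R2).
# A password set before it never had AES keys derived, whatever the attribute says.
AES_UPGRADE_DATE = date(2009, 6, 1)
ASSESSMENT_DATE = date(2026, 4, 1)
# Hypothetical weights, not the assessment's scoring.
WEIGHTS = {"pre_aes_password": 40, "rc4_only_configured": 30,
           "kerberoastable": 20, "asrep_roastable": 20, "rc4_tickets_observed": 10}

# Constructed LDAP export (hypothetical names, not real data).
ACCOUNTS = [
    {"sam": "krbtgt",    "pwdLastSet": date(2024, 4, 1),  "enc": 0,               "spn": ["kadmin/changepw"],     "uac": 0x202},
    {"sam": "svc_sql",   "pwdLastSet": date(2007, 3, 10), "enc": 0,               "spn": ["MSSQLSvc/sql01:1433"], "uac": 0x200},
    {"sam": "svc_web",   "pwdLastSet": date(2022, 5, 4),  "enc": RC4_HMAC,        "spn": ["HTTP/web01"],          "uac": 0x200},
    {"sam": "svc_bak",   "pwdLastSet": date(2021, 8, 9),  "enc": AES128 | AES256, "spn": ["backup/bak01"],        "uac": 0x200},
    {"sam": "legacyapp", "pwdLastSet": date(2012, 1, 1),  "enc": 0,               "spn": [],                      "uac": 0x200 | DONT_REQ_PREAUTH},
    {"sam": "jdoe",      "pwdLastSet": date(2024, 2, 2),  "enc": 0,               "spn": [],                      "uac": 0x200},
]
# Constructed DC inventory: whether each DC emits KDCSVC audit events.
DCS = [{"name": "DC01", "kdcsvc_audit": True}, {"name": "DC02", "kdcsvc_audit": False}]
# Constructed 4769 events: (requesting account, service account, TicketEncryptionType).
EVENTS_4769 = [
    ("jdoe", "svc_sql", 0x17), ("jdoe", "svc_web", 0x17), ("jdoe", "svc_bak", 0x12),
    ("ops", "svc_bak", 0x12), ("ops", "svc_sql", 0x17), ("ops", "krbtgt", 0x12),
    ("legacyapp", "svc_web", 0x17), ("svc_bak", "krbtgt", 0x11),
]


def enc_type_names(bits):
    """Decode an msDS-SupportedEncryptionTypes value into algorithm names."""
    table = [(RC4_HMAC, "RC4"), (AES128, "AES128"), (AES256, "AES256")]
    return [name for flag, name in table if bits & flag]


def account_findings(acct):
    """Findings derivable from the account's LDAP attributes alone."""
    findings = []
    if acct["pwdLastSet"] < AES_UPGRADE_DATE:
        findings.append("pre_aes_password")        # no AES keys exist; reset required
    if acct["enc"] and not acct["enc"] & (AES128 | AES256):
        findings.append("rc4_only_configured")     # attribute excludes AES entirely
    if acct["spn"] and acct["sam"] != "krbtgt" and not acct["uac"] & ACCOUNTDISABLE:
        findings.append("kerberoastable")          # SPN on an enabled user account
    if acct["uac"] & DONT_REQ_PREAUTH:
        findings.append("asrep_roastable")         # Kerberos pre-auth disabled
    return findings


def rc4_traffic_share(events):
    """Fraction of 4769 service tickets issued with RC4."""
    return sum(1 for _, _, et in events if et == 0x17) / len(events) if events else 0.0


def assess(accounts=ACCOUNTS, events=EVENTS_4769, dcs=DCS, today=ASSESSMENT_DATE):
    """Correlate attributes with observed ticket encryption into a scored report."""
    rc4_services = {svc for _, svc, et in events if et == 0x17}
    report = {"accounts": {}, "will_fail_after_enforcement": []}
    for acct in accounts:
        findings = account_findings(acct)
        observed = acct["sam"] in rc4_services      # RC4 tickets actually issued for it
        score = sum(WEIGHTS[f] for f in findings)
        score += WEIGHTS["rc4_tickets_observed"] if observed else 0
        report["accounts"][acct["sam"]] = {"findings": findings, "rc4_observed": observed,
                                           "score": min(score, 100)}
        if "pre_aes_password" in findings or "rc4_only_configured" in findings:
            report["will_fail_after_enforcement"].append(acct["sam"])
        if acct["sam"] == "krbtgt":
            report["krbtgt_age_days"] = (today - acct["pwdLastSet"]).days
    report["rc4_traffic_share"] = rc4_traffic_share(events)
    # RC4 use routed through these DCs would be invisible in the audit trail.
    report["dcs_without_audit"] = [dc["name"] for dc in dcs if not dc["kdcsvc_audit"]]
    return report


if __name__ == "__main__":
    r = assess()
    print(f"RC4 share of 4769 tickets: {r['rc4_traffic_share']:.0%}")
    print(f"KRBTGT password age: {r['krbtgt_age_days']} days")
    print("Will fail after enforcement:", ", ".join(r["will_fail_after_enforcement"]))
    print("DCs without KDCSVC audit:", ", ".join(r["dcs_without_audit"]))
    for sam, info in sorted(r["accounts"].items(), key=lambda kv: -kv[1]["score"]):
        print(f"{sam:10} score={info['score']:3} findings={info['findings']}")
```

The point the correlation makes is that neither source alone is enough: svc_sql looks healthy by its encryption attribute (domain default) but has a 2007 password and is the busiest RC4 service in the ticket log, so it is the first account to break; svc_bak has an SPN too, but already negotiates AES and issues no RC4 tickets, so it ranks far lower. In a real run, the ACCOUNTS and EVENTS_4769 lists would be replaced by an LDAP export and a 4769 event export from every DC.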
"What data leaves our environment?"
The collector produces an encrypted report bundle (RSA-OAEP + AES-256) on your machine. No raw AD data traverses the network. Only the encrypted bundle is uploaded to the analyst portal — your data stays under cryptographic control at all times.

"We'll handle this after the July update if something breaks."
The first breakage point is April 14, 2026 — not July. A common finding is a cluster of service accounts tied to line-of-business applications where remediating encryption dependencies requires coordinating with vendors and internal dev teams. That process takes weeks, not hours. Starting after something breaks means doing it under outage conditions. A proactive assessment gives your team the runway to work through it methodically.
ASSESSMENT TIERS

PROFESSIONAL
Weighted risk analysis & prioritized findings — every account, DC, and system scored and ranked; no spreadsheet archaeology required
Executive summary report — the condition of your environment in a single readable document, not a raw data dump
AES key generation risk — Pre-AES Era, DFL Gap, and High Risk classifications by account
KRBTGT, Kerberoastable & AS-REP roastable accounts — exposed with remediation steps
DC encryption posture & KDCSVC event log audit — GPO and domain trust analysis included

ENTERPRISE (All Professional +)
SPN registry — maps every service account to its RC4 dependency
Delegation risk analysis — unconstrained & constrained delegation exposure identified
ACL attack path analysis — permissions enabling credential theft and privilege escalation
Blast radius scoring — lateral movement impact quantified if an account is compromised
Session chain correlation — links RC4 ticket events to specific accounts across all DCs
Entra Connect / AZUREADSSOACC$ exposure — SSO account AES readiness and remediation commands
ABOUT PRESIDETECH
PresideTech consultants bring decades of hands-on Active Directory expertise — including direct collaboration with the Microsoft directory product team to help optimize and scale AD to the point where large-scale cloud identity platforms like Entra became possible. That depth of knowledge is what drives the assessment logic: not generic security tooling, but purpose-built analysis from engineers who understand the protocol, the attack surface, and the remediation path at a foundational level.
PresideTech Security · RC4 Collector v5 Encrypted end-to-end
Preside Inc (dba PresideTech) © 2026
Visit presidetech.com — schedule your assessment now