RC4 Detect Assessment

April 14, 2026. RC4 enforcement goes live.

Microsoft's next Patch Tuesday starts Kerberos RC4 disablement on fully patched domain controllers. Environments without a remediation plan in place face unplanned authentication outages — for service accounts, SSO, and every Entra hybrid-joined device on the network.

  • Apr 14 · Next RC4 enforcement date
  • 12+ · Exposure vectors analyzed
  • AES-256 · Encrypted result delivery
  • 0 · AD objects modified during scan

April 14, 2026 is not a soft deadline.

The April 2026 Patch Tuesday update advances the RC4DefaultDisablementPhase enforcement state on every fully patched Windows domain controller. Any environment with Kerberoastable service accounts, RC4-only KRBTGT keys, or an unpatched AZUREADSSOACC Entra SSO account will see authentication failures begin that day — without additional warning. Organizations that haven't mapped their RC4 exposure have no reliable way to estimate blast radius or sequence remediation in time.

Every RC4 exposure vector — mapped

RC4 Detect analyzes your Active Directory environment across all known RC4 Kerberos attack surfaces, from individual service accounts to forest-level trust configurations.

Critical · RC4 Disablement Phase Registry

Reads RC4DefaultDisablementPhase from each domain controller's remote registry. Flags controllers at conflicting phases — a common cause of post-patch authentication outages. Color-coded by phase in the report.

High · KDCSVC Capability Gap (Event 201–209)

Queries the System event log on each DC for KDCSVC events 201–209 to verify RC4-off capability. Domain controllers running pre-Server 2016 or missing Event 205 are flagged as incapable — a hard blocker for RC4 elimination that must be resolved before April 14.

Critical · Kerberoastable Service Accounts

Enumerates all AD accounts with registered SPNs that permit RC4 Kerberos (AES not enforced). These accounts are offline-crackable via Kerberoasting. Reported with SPN, account age, and password last set.

Critical · AS-REP Roastable Accounts

Identifies accounts with the "Do not require Kerberos preauthentication" flag set. These accounts expose encrypted AS-REP responses to offline cracking — no authentication required by the attacker.

High · KRBTGT Password Age

Assesses golden ticket exposure by checking KRBTGT password age across all domains. Provides adaptive remediation guidance — 1 or 2 rotation cycles — based on your environment's replication topology.

High · Entra Connect — AZUREADSSOACC

Identifies when the Entra Connect seamless SSO computer account is RC4-only. This causes silent Kerberos handshake failures for hybrid-joined users, forcing manual password prompts — a widely overlooked RC4 dependency.

Medium · GPO Kerberos Encryption Policy

Reviews Group Policy Objects for the "Network security: Configure encryption types allowed for Kerberos" setting. Flags policies that explicitly permit RC4_HMAC_MD5 or DES, or that leave encryption type enforcement absent.

Medium · Kerberos Audit Policy Gaps

Checks that Kerberos service ticket auditing is configured on all domain controllers. Missing audit policy prevents detection of RC4 ticket requests in-flight and blocks event-log-based capability verification.

Medium · Domain Trust RC4 Exposure

Examines cross-domain and cross-forest trust objects for RC4 usage. Inter-forest Kerberos can silently fall back to RC4 when trusts lack AES enforcement, creating exposure that bypasses intra-domain hardening.
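The three account-level checks above (Kerberoastable SPN accounts that still permit RC4, AS-REP roastable accounts, and KRBTGT key age), as an added PowerShell example that is not PresideTech's collector code. It assumes the RSAT ActiveDirectory module and ordinary domain read access; the function and variable names are my own.

```powershell
# Added example, not PresideTech's collector: enumerate the account-level RC4
# exposures the page describes, using the RSAT ActiveDirectory module with
# ordinary domain read access. Function and variable names are my own.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags (MS-KILE): 0x4 = RC4-HMAC,
# 0x8 = AES128, 0x10 = AES256. userAccountControl 0x400000 = DONT_REQ_PREAUTH.
$RC4 = 0x4
$DONT_REQ_PREAUTH = 0x400000

function Test-PermitsRC4 {
    param([int]$EncTypes)
    # Attribute absent (0) means the DC applies its default set, which still
    # includes RC4 unless the domain default has been hardened to AES only.
    return ($EncTypes -eq 0) -or (($EncTypes -band $RC4) -ne 0)
}

function Get-Rc4Exposure {
    param([string]$Domain)
    $props = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes', 'pwdLastSet', 'whenCreated'
    # Kerberoastable: enabled user with an SPN whose key set still permits RC4
    $kerb = Get-ADUser -Server $Domain -Properties $props `
            -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' |
        Where-Object { $_.Enabled -and (Test-PermitsRC4 -EncTypes ([int]$_.'msDS-SupportedEncryptionTypes')) } |
        Select-Object SamAccountName, whenCreated,
            @{n='PwdLastSet'; e={ [datetime]::FromFileTime($_.pwdLastSet) }},
            @{n='SPN'; e={ $_.servicePrincipalName -join ';' }}
    # AS-REP roastable: pre-authentication not required (bitwise-AND LDAP match)
    $asrep = Get-ADUser -Server $Domain `
            -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)" |
        Select-Object SamAccountName, Enabled
    # Golden-ticket window: age of the current KRBTGT key
    $krbtgt = Get-ADUser -Server $Domain -Identity krbtgt -Properties pwdLastSet
    $ageDays = [int]((Get-Date) - [datetime]::FromFileTime($krbtgt.pwdLastSet)).TotalDays
    [pscustomobject]@{
        Domain            = $Domain
        KerberoastableRC4 = @($kerb)
        AsRepRoastable    = @($asrep)
        KrbtgtAgeDays     = $ageDays
    }
}

# Summarise every domain in the forest; inspect the per-domain objects for detail
foreach ($d in (Get-ADForest).Domains) {
    $r = Get-Rc4Exposure -Domain $d
    '{0}: {1} Kerberoastable (RC4 permitted), {2} AS-REP roastable, KRBTGT key age {3} days' -f $d, $r.KerberoastableRC4.Count, $r.AsRepRoastable.Count, $r.KrbtgtAgeDays
}
```

Accounts whose msDS-SupportedEncryptionTypes is unset are counted as RC4-permitting because the DC then falls back to its default encryption set; tighten Test-PermitsRC4 if your domain default has already been changed to AES only.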

See exactly what you get

Every RC4 Detect assessment delivers a forensic-grade HTML report — branded, timestamped, and scoped to your Active Directory forest. Below is a redacted example from a real engagement.

100
Critical risk score

The overall risk score weights findings by severity and exploitability. A score of 100 means active, unmitigated exposure to both Microsoft enforcement and adversarial attack.

35%
Of Kerberos traffic still RC4

TGS traffic analysis shows what proportion of live Kerberos authentication requests are still negotiating RC4 — the real-world signal of how much will break on April 14.

400
Days since KRBTGT rotation

An aged KRBTGT leaves the Golden Ticket attack window dangerously wide. The report recommends 1 or 2 rotations based on your replication topology.

7
Distinct finding categories

From Kerberoastable service accounts to NTLM fallback exposure — every finding is categorized, severity-rated, and mapped to a prioritized remediation step.

How the assessment works

From purchase to report in hand — a tightly controlled, auditable chain of custody for your sensitive AD data.

1. One-time key issuance

PresideTech issues a cryptographically signed, time-limited product key scoped to your forest FQDN and tier. The key expires in 7 days and can only be consumed once.

RSA-SHA256 signed · 7-day TTL

2. Collector deployment

Run the self-contained collector on any domain-joined Windows host with read access to Active Directory. No installation required. No AD objects modified.

.NET 8 · single-file binary · no install

3. Read-only AD scan

The collector queries Active Directory via LDAP, reads remote registry on DCs, and analyzes Windows Event Logs — all read-only. You select which domains and sites to include.

LDAP · Remote Registry · Event Log

4. Encrypted file output

Results are AES-256-CBC encrypted with an RSA-4096-OAEP key envelope and written to a file locally. Your AD data never crosses the network in plaintext.

AES-256-CBC · RSA-4096-OAEP · HMAC-SHA256

5. Analyst decryption & report delivery

You transmit the encrypted file to PresideTech. Our analysts decrypt it using HSM-backed private keys, review findings, and deliver your HTML assessment report with prioritized remediation steps.

Azure Key Vault HSM · analyst reviewed

Designed for security-conscious enterprises

We assess your environment with the same rigor we apply to securing the assessment itself.

Zero plaintext network egress

AD data is encrypted before any file is written to disk. Nothing is transmitted to PresideTech infrastructure in plaintext — ever.

HSM-backed key custody

The RSA-4096 private key used to decrypt result files lives in Azure Key Vault HSM. It never leaves the hardware security module.

One-time-use product keys

Each assessment key is scoped to a specific forest FQDN, expires in 7 days, and transitions to Consumed state after a single use. Replay is architecturally impossible.

Full audit ledger

Every key issuance, reservation, consumption, and analyst decryption event is recorded in a tamper-evident Azure Table Storage ledger with timestamps.

Sized for your environment

Every tier includes the full RC4 Detect analysis and analyst-reviewed remediation report. Tiers differ only by the number of domains examined within a forest. For geographically distributed environments with high-latency or low-bandwidth links between sites, we recommend purchasing one Standard assessment per site segment.

Standard

Up to 2 domains in forest

  • Kerberoastable account enumeration
  • AS-REP roastable account detection
  • KRBTGT password age analysis
  • RC4DefaultDisablementPhase per DC
  • KDCSVC event capability check (201–209)
  • GPO Kerberos encryption policy review
  • Kerberos audit policy gap detection
  • Cross-domain trust RC4 analysis
  • Entra Connect AZUREADSSOACC check
  • Site-scoped collection support
  • Risk score with weighted findings
  • Executive summary + 6-step remediation
  • Encrypted .rc4d delivery

Covers most single-domain and root + child domain forests. For environments split across high-latency or low-bandwidth links, purchase one Standard per geo.

Multinational

Up to 12 domains in forest

  • Everything included in Standard
  • Covers forests with up to 12 domains
  • Throttle-controlled DC enumeration for large environments

Frequently asked questions

RC4 (ARCFOUR) is a symmetric cipher used in legacy Kerberos implementations. Microsoft is actively deprecating it because RC4-encrypted Kerberos tickets are vulnerable to offline cracking (Kerberoasting, AS-REP roasting) and because the cipher itself has known weaknesses. Beginning with January 2026 security updates, domain controllers will enforce RC4 disablement in phases — environments that haven't mapped and remediated their RC4 dependencies face unplanned authentication outages as Windows enforces this change.

The RC4 Detect collector requires a domain account with read access to Active Directory (standard Domain User access is sufficient for LDAP queries) and remote registry read access on domain controllers for the RC4DefaultDisablementPhase check. It does not require Domain Admin, Schema Admin, or any write permissions. No AD objects are created or modified during the assessment.

Assessment results are AES-256-CBC encrypted with an RSA-4096-OAEP key envelope before the file is written to disk on your system. The RSA private key lives in an Azure Key Vault HSM and never leaves the hardware security module. You transmit the encrypted .rc4d file to PresideTech via your preferred secure channel. At no point does plaintext AD data leave your environment.

KDCSVC is the Kerberos Key Distribution Center service on Windows domain controllers. Microsoft introduced KDCSVC event IDs 201–209 in Server 2016 and later to signal RC4 disablement capability. The RC4 Detect collector queries the System event log on each DC for these events over a 30-day window. Domain controllers running Server 2012 R2 or earlier, or those lacking Event 205, are flagged as incapable of RC4 enforcement — a high-severity blocker that must be resolved (via OS upgrade or patch) before RC4 can be safely disabled forest-wide.
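An added PowerShell example, not the product's code, covering two checks the page describes: the GPO encryption-policy review (under "Medium · GPO Kerberos Encryption Policy") and the KDCSVC event 201–209 capability check over a 30-day window described here. It assumes the RSAT GroupPolicy and ActiveDirectory modules, remote event-log read access on each DC, and a KDC provider-name filter that is my assumption rather than the page's.

```powershell
# Added example, not PresideTech's collector. Reviews the Kerberos encryption
# policy in every GPO and checks each DC's System log for KDCSVC events 201-209
# (Event 205 expected) over the last 30 days. Names and the provider filter are mine.
Import-Module GroupPolicy, ActiveDirectory

# Registry location written by "Network security: Configure encryption types
# allowed for Kerberos"; bit values per MS-KILE.
$PolicyKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$DES = 0x1 -bor 0x2; $RC4 = 0x4; $AES = 0x8 -bor 0x10

function Get-WeakKerberosGpo {
    foreach ($gpo in Get-GPO -All) {
        $v = Get-GPRegistryValue -Guid $gpo.Id -Key $PolicyKey -ValueName SupportedEncryptionTypes -ErrorAction SilentlyContinue
        if (-not $v) { continue }   # GPO does not set this policy at all
        $types = [int]$v.Value
        [pscustomobject]@{
            Gpo        = $gpo.DisplayName
            Value      = ('0x{0:X}' -f $types)
            PermitsRC4 = (($types -band $RC4) -ne 0)
            PermitsDES = (($types -band $DES) -ne 0)
            AllowsAES  = (($types -band $AES) -ne 0)
        }
    }
}

function Get-KdcCapability {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Assumption (mine, not the page's): KDC events carry the
        # Kerberos-Key-Distribution-Center provider name in the System log.
        $ev = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; Id = 201..209; StartTime = $since
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center' }
        $has205 = [bool]($ev | Where-Object Id -eq 205)
        [pscustomobject]@{
            DC        = $dc.HostName
            OS        = $dc.OperatingSystem
            SeenIds   = (($ev.Id | Sort-Object -Unique) -join ',')
            Has205    = $has205
            Incapable = (-not $has205)   # blocker per the page: resolve before disabling RC4
        }
    }
}

Get-WeakKerberosGpo | Where-Object { $_.PermitsRC4 -or $_.PermitsDES } | Format-Table -AutoSize
Get-KdcCapability | Format-Table -AutoSize
```

A GPO that never sets SupportedEncryptionTypes is skipped here, which corresponds to the page's "enforcement absent" case; list those separately if you want them flagged too.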

Each product key is scoped to a single forest FQDN at issuance. For environments with multiple forests, separate assessments and keys are required — one per forest. The Enterprise and Multinational tiers support multiple domains within a single forest. Contact PresideTech for multi-forest bundled pricing.

The HTML assessment report includes: an executive summary with key findings and an overall risk score; a color-coded DC inventory with RC4DefaultDisablementPhase status; tables of Kerberoastable and AS-REP roastable accounts; KDCSVC capability status per DC; GPO and audit policy analysis; domain trust findings; and a 6-step prioritized remediation plan covering: (1) RC4 phase registry configuration, (2) January 2026 patch deployment, (3) service account AES enforcement, (4) KRBTGT rotation, (5) Entra Connect SSO remediation, and (6) GPO cleanup.

April 14 is close. Know your exposure now.

There isn't time to remediate what you haven't mapped. Analyst capacity is limited — get in the queue now, understand your blast radius, and sequence your fixes before enforcement lands.