RC4 Detect Assessment

April 14, 2026. RC4 disablement goes live.

Microsoft's next Patch Tuesday activates Kerberos RC4 disablement on fully patched domain controllers. Environments without a remediation plan in place face unplanned authentication outages — many accounts and services built up over years of operation might simply stop working, with no automatic fix and no grace period. The longer your environment has been running, the more silent RC4 dependencies have accumulated. The only way to know your true exposure is to look before the deadline forces you to find out the hard way.

Apr 14
Next RC4 enforcement date

12+
Exposure vectors analyzed

AES-256
Encrypted result delivery

0
AD objects modified during scan

April 14, 2026 is not a soft deadline.

The April 2026 Patch Tuesday update advances the RC4DefaultDisablementPhase enforcement state on every fully patched Windows domain controller. The longer an Active Directory environment has been in operation, the greater the accumulated exposure — service accounts created years ago for line-of-business applications, scheduled tasks, and integrations rarely get touched, and many still rely on RC4 Kerberos encryption without anyone realizing it. When enforcement lands, those accounts stop authenticating. Organizations that haven't mapped their RC4 exposure have no reliable way to anticipate which systems will break, in what order, or how long recovery will take.

Every RC4 exposure vector — mapped

RC4 Detect analyzes your Active Directory environment across all known RC4 Kerberos attack surfaces, from individual service accounts to forest-level trust configurations.

Critical

RC4 Disablement Phase Registry

Reads RC4DefaultDisablementPhase from each domain controller's remote registry. Flags controllers at conflicting phases — a common cause of post-patch authentication outages. Color-coded by phase in the report.

High

KDCSVC Capability Gap (Event 201–209)

Queries the System event log on each DC for KDCSVC events 201–209 to verify RC4-off capability. Domain controllers running pre-Server 2016 or missing Event 205 are flagged as incapable — a hard blocker for RC4 elimination that must be resolved before April 14.
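The two domain controller checks above (RC4DefaultDisablementPhase registry value, KDCSVC capability events) can be reproduced with the ActiveDirectory module, as an added example that is not the RC4 Detect collector. It assumes the value lives under the Kdc service key (verify the path against Microsoft's KB) and that the events are logged by the Kerberos-Key-Distribution-Center provider.

```powershell
# Added example, not part of RC4 Detect: per-DC read of RC4DefaultDisablementPhase
# and a 30-day search for KDCSVC events 201-209. Read-only; needs Remote Registry
# and event log read access on each DC.
$KdcKeyPath  = 'SYSTEM\CurrentControlSet\Services\Kdc'                    # ASSUMED key path
$KdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'        # ASSUMED provider name
$Since       = (Get-Date).AddDays(-30)

function Get-DcRc4Status {
    param([string]$DcName, [string]$OperatingSystem)
    $r = [ordered]@{ DC = $DcName; OS = $OperatingSystem; Phase = $null; Events = @(); Has205 = $false; Error = $null }
    try {
        # Remote registry read; GetValue returns $null when the value is not set
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DcName)
        $key  = $hklm.OpenSubKey($KdcKeyPath)
        if ($key) { $r.Phase = $key.GetValue('RC4DefaultDisablementPhase') }
        # KDCSVC capability events in the System log over the last 30 days
        $events = Get-WinEvent -ComputerName $DcName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; ProviderName = $KdcProvider; Id = 201..209; StartTime = $Since }
        $r.Events = @($events | Select-Object -ExpandProperty Id -Unique)
        $r.Has205 = $r.Events -contains 205
    } catch { $r.Error = $_.Exception.Message }
    [pscustomobject]$r
}

$report = Get-ADDomainController -Filter * |
    ForEach-Object { Get-DcRc4Status -DcName $_.HostName -OperatingSystem $_.OperatingSystem }
$report | Format-Table DC, OS, Phase, Has205, Error -AutoSize

# The two conditions the assessment calls out: DCs at conflicting phases, and DCs without Event 205
$phases = $report.Phase | Where-Object { $null -ne $_ } | Sort-Object -Unique
if (@($phases).Count -gt 1) { Write-Warning "DCs are at conflicting RC4 phases: $($phases -join ', ')" }
$report | Where-Object { -not $_.Has205 } | ForEach-Object {
    Write-Warning "$($_.DC): no KDCSVC Event 205 since $($Since.ToShortDateString()); treat as RC4-off incapable" }
```

A DC with Phase $null is running the patch default for its build, which is exactly the case that diverges between patched and unpatched controllers.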

Critical

Kerberoastable Service Accounts

Enumerates all AD accounts with registered SPNs that permit RC4 Kerberos (AES not enforced). These accounts are offline-crackable via Kerberoasting. Reported with SPN, account age, and password last set.

Critical

AS-REP Roastable Accounts

Identifies accounts with Do not require Kerberos preauthentication set. These accounts expose encrypted AS-REP responses to offline cracking — no authentication required by the attacker.

High

KRBTGT Password Age

Assesses golden ticket exposure by checking KRBTGT password age across all domains. Provides adaptive remediation guidance — 1 or 2 rotation cycles — based on your environment's replication topology.

High

Entra Connect — AZUREADSSOACC

Identifies when the Entra Connect seamless SSO computer account is RC4-only. Our remediation steps show how to enforce AES on this account and update its credentials.

Medium

GPO Kerberos Encryption Policy

Reviews Group Policy Objects for Network security: Configure encryption types allowed for Kerberos. Flags policies that explicitly permit RC4_HMAC_MD5, DES, or leave encryption type enforcement absent.
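The Kerberoastable, AS-REP roastable, and GPO encryption policy checks above all hinge on the same msDS-SupportedEncryptionTypes bitmask. The following is an added audit script, not the RC4 Detect collector; it assumes the ActiveDirectory module and Domain User read access, and reads the local effect of the GPO setting from its documented registry location.

```powershell
# Added example, not part of RC4 Detect: read-only audit of RC4-permitting SPN accounts,
# accounts without Kerberos preauthentication, and the local Kerberos enc-type policy.
# Bit values are Microsoft's documented msDS-SupportedEncryptionTypes flags.
$EncTypeBits = [ordered]@{ 1 = 'DES_CBC_CRC'; 2 = 'DES_CBC_MD5'; 4 = 'RC4_HMAC_MD5'
                           8 = 'AES128_CTS_HMAC_SHA1'; 16 = 'AES256_CTS_HMAC_SHA1'; 32 = 'AES256_CTS_HMAC_SHA1_SK' }

function ConvertTo-EncTypeNames { param([int]$Value)
    $EncTypeBits.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $EncTypeBits[$_] } }

function Test-Rc4Permitted { param($SupportedEncTypes)
    # Unset or 0 falls back to the DC default, which still includes RC4 until disablement changes it
    if (-not $SupportedEncTypes) { return $true }
    return [bool]($SupportedEncTypes -band 4) }

# 1) Kerberoastable: user objects with an SPN whose enc types still allow RC4 (krbtgt excluded)
$roastable = Get-ADUser -Filter {ServicePrincipalName -like "*"} `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, whenCreated |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and (Test-Rc4Permitted $_.'msDS-SupportedEncryptionTypes') } |
    Select-Object SamAccountName, whenCreated, PasswordLastSet,
        @{n='EncTypes'; e={ $v = $_.'msDS-SupportedEncryptionTypes'
                            if ($v) { (ConvertTo-EncTypeNames $v) -join ',' } else { '(default: RC4 allowed)' } }},
        @{n='SPNs'; e={ $_.ServicePrincipalName -join ' ' }}

# 2) AS-REP roastable: "Do not require Kerberos preauthentication" (userAccountControl 0x400000)
$asrep = Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet

# 3) Local effect of "Network security: Configure encryption types allowed for Kerberos"
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$policyVal  = (Get-ItemProperty -Path $policyPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
$policyText = if ($null -eq $policyVal) { 'not configured (default applies)' } else { (ConvertTo-EncTypeNames $policyVal) -join ',' }

"Kerberoastable accounts with RC4 permitted: $(@($roastable).Count)"; $roastable | Format-Table -AutoSize
"AS-REP roastable accounts: $(@($asrep).Count)";                       $asrep | Format-Table -AutoSize
"Kerberos enc-type policy on this host: $policyText"
```

A policy value that includes RC4_HMAC_MD5 or is not configured is what the GPO check flags; the same decode applies to the per-account attribute.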

Medium

Kerberos Audit Policy Gaps

Checks that Kerberos service ticket auditing is configured on all domain controllers. Missing audit policy prevents detection of RC4 ticket requests in-flight and blocks event-log-based capability verification.

Medium

Domain Trust RC4 Exposure

Examines cross-domain and cross-forest trust objects for RC4 usage. Inter-forest Kerberos can silently fall back to RC4 when trusts lack AES enforcement, creating exposure that bypasses intra-domain hardening.

See exactly what you get

Every RC4 Detect assessment delivers a forensic-grade HTML report, branded, timestamped, and scoped to your Active Directory forest. Below is a redacted example from a real engagement.

100
Critical risk score

The overall risk score weights findings by severity and exploitability. A score of 100 means active, unmitigated exposure to both Microsoft enforcement and adversarial attack.

35%
Of Kerberos traffic still RC4

TGS traffic analysis shows what proportion of live Kerberos authentication requests are still negotiating RC4 — the real-world signal of how much will break on April 14.

400
Days since KRBTGT rotation

An aged KRBTGT leaves the Golden Ticket attack window dangerously wide. The report recommends 1 or 2 rotations based on your replication topology.

7
Distinct finding categories

From Kerberoastable service accounts to NTLM fallback exposure — every finding is categorized, severity-rated, and mapped to a prioritized remediation step.


How the assessment works

From purchase to report in hand — a tightly controlled, auditable chain of custody for your sensitive AD data.

1

One-time key issuance

PresideTech issues a cryptographically signed, time-limited product key scoped to your forest FQDN and tier. The key expires in 7 days and can only be consumed once.

RSA-SHA256 signed · 7-day TTL

2

Collector deployment

Run the self-contained collector on any domain-joined Windows host with read access to Active Directory. No installation required. No AD objects modified.

.NET 8 · single-file binary · no install

3

Read-only AD scan

The collector queries Active Directory via LDAP, reads remote registry on DCs, and analyzes Windows Event Logs — all read-only. You select which domains and sites to include.

LDAP · Remote Registry · Event Log

4

Encrypted file output

Results are AES-256-CBC encrypted with an RSA-4096-OAEP key envelope and written to a file locally. Your AD data never crosses the network in plaintext.

AES-256-CBC · RSA-4096-OAEP · HMAC-SHA256
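To make the envelope construction named above concrete, here is an added sketch of AES-256-CBC data encryption with an RSA-OAEP-wrapped key and an HMAC-SHA256 tag. It is not PresideTech's .rc4d format (the field layout is assumed) and it needs PowerShell 7 for the .NET classes used.

```powershell
# Added example, not the .rc4d format: hybrid envelope = AES-256-CBC + RSA-4096-OAEP key wrap
# + HMAC-SHA256 (encrypt-then-MAC). Layout and field names are assumptions for illustration.
using namespace System.Security.Cryptography

function Protect-Envelope {
    param([byte[]]$Plaintext, [RSA]$RecipientPublicKey)
    $aes = [Aes]::Create(); $aes.KeySize = 256; $aes.Mode = [CipherMode]::CBC; $aes.Padding = [PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()
    $macKey = New-Object byte[] 32; [RandomNumberGenerator]::Create().GetBytes($macKey)   # separate MAC key
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Both symmetric keys travel under the recipient's RSA public key (OAEP-SHA256)
    $wrapped = $RecipientPublicKey.Encrypt([byte[]]($aes.Key + $macKey), [RSAEncryptionPadding]::OaepSHA256)
    # The tag must cover everything the decryptor trusts: wrapped keys, IV and ciphertext
    $tag = [HMACSHA256]::new($macKey).ComputeHash([byte[]]($wrapped + $aes.IV + $ct))
    return @{ WrappedKeys = $wrapped; IV = $aes.IV; Ciphertext = $ct; Tag = $tag }
}

function Unprotect-Envelope {
    param($Envelope, [RSA]$RecipientPrivateKey)
    $keys   = $RecipientPrivateKey.Decrypt($Envelope.WrappedKeys, [RSAEncryptionPadding]::OaepSHA256)
    $aesKey = [byte[]]($keys[0..31]); $macKey = [byte[]]($keys[32..63])
    # Verify the tag before touching the ciphertext, with a constant-time comparison
    $expected = [HMACSHA256]::new($macKey).ComputeHash([byte[]]($Envelope.WrappedKeys + $Envelope.IV + $Envelope.Ciphertext))
    if (-not [CryptographicOperations]::FixedTimeEquals($expected, $Envelope.Tag)) { throw 'Envelope integrity check failed' }
    $aes = [Aes]::Create(); $aes.Key = $aesKey; $aes.IV = $Envelope.IV
    return $aes.CreateDecryptor().TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
}

# Demo with a throwaway RSA-4096 pair; in the real flow the private half stays in the vault
$rsa = [RSA]::Create(4096)
$sample   = [Text.Encoding]::UTF8.GetBytes('{"domain":"corp.example","rc4Accounts":3}')   # constructed input
$envelope = Protect-Envelope -Plaintext $sample -RecipientPublicKey $rsa
[Text.Encoding]::UTF8.GetString((Unprotect-Envelope $envelope $rsa))
```

Flipping any byte of the IV, ciphertext or wrapped keys makes Unprotect-Envelope throw before decryption runs, which is the property an encrypt-then-MAC envelope is meant to give.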

5

Analyst decryption & report delivery

You transmit the encrypted file to PresideTech. Our analysts decrypt it using keys stored in Azure Key Vault, review findings, and deliver your HTML assessment report with prioritized remediation steps.

Azure Key Vault · analyst reviewed

Designed for security-conscious enterprises

We assess your environment with the same rigor we apply to securing the assessment itself.


Zero plaintext network egress

AD data is encrypted before any file is written to disk. Nothing is transmitted to PresideTech infrastructure in plaintext — ever.


Azure Key Vault key custody

The RSA-4096 private key used to decrypt result files is stored in Azure Key Vault. It never exists outside of the vault.


One-time-use product keys

Each assessment key is scoped to a specific forest FQDN, expires in 7 days, and transitions to Consumed state after a single use. Replay is architecturally impossible.


Full audit ledger

Every key issuance, reservation, consumption, and analyst decryption event is recorded in a tamper-evident Azure Table Storage ledger with timestamps.

Choose your assessment

Every tier covers a single Active Directory domain and delivers an analyst-reviewed remediation report. Already have Professional? Upgrade to unlock the full Enterprise analysis for the same domain.

Professional

Single domain

$5,995

  • Kerberoastable account enumeration
  • AS-REP roastable account detection
  • KRBTGT password age analysis
  • RC4DefaultDisablementPhase per DC
  • KDCSVC event capability check (201–209)
  • GPO Kerberos encryption policy review
  • Kerberos audit policy gap detection
  • Cross-domain trust RC4 analysis
  • Entra Connect AZUREADSSOACC check
  • Risk score with weighted findings
  • Executive summary + 6-step remediation
  • Encrypted .rc4d delivery

Purchase Professional →

Professional → Enterprise Upgrade

Existing Professional customers

$4,995

  • Unlocks all four Enterprise-exclusive sections on your existing report
  • SPN Registry — RC4-only service accounts ranked by risk
  • Delegation Risk Register — unconstrained, constrained & RBCD with DC-target detection
  • ACL Attack Path Analysis — domain root, AdminSDHolder, privileged groups & DC OU
  • Blast Radius Register — 10-signal 0–100 score with per-account narrative cards

Purchase Upgrade →

Frequently asked questions

RC4 (ARCFOUR) is a symmetric cipher used in legacy Kerberos implementations. Microsoft is actively deprecating it because RC4-encrypted Kerberos tickets are vulnerable to offline cracking (Kerberoasting, AS-REP roasting) and because the cipher itself has known weaknesses. Beginning with January 2026 security updates, domain controllers will enforce RC4 disablement in phases — environments that haven't mapped and remediated their RC4 dependencies face unplanned authentication outages as Windows enforces this change.

The RC4 Detect collector requires a domain account with read access to Active Directory (standard Domain User access is sufficient for LDAP queries) and remote registry read access on domain controllers for the RC4DefaultDisablementPhase check. It does not require Domain Admin, Schema Admin, or any write permissions. No AD objects are created or modified during the assessment.

Assessment results are AES-256-CBC encrypted with an RSA-4096-OAEP key envelope before the file is written to disk on your system. The RSA private key is stored in Azure Key Vault and never exists outside of the vault. You transmit the encrypted .rc4d file to PresideTech via your preferred secure channel. At no point does plaintext AD data leave your environment.

KDCSVC is the Kerberos Key Distribution Center service on Windows domain controllers. Microsoft introduced KDCSVC event IDs 201–209 in Server 2016 and later to signal RC4 disablement capability. The RC4 Detect collector queries the System event log on each DC for these events over a 30-day window. Domain controllers running Server 2012 R2 or earlier, or those lacking Event 205, are flagged as incapable of RC4 enforcement — a high-severity blocker that must be resolved (via OS upgrade or patch) before RC4 can be safely disabled forest-wide.

Each product key is scoped to a single domain at issuance. For environments with multiple domains or forests, separate assessments are required — one per domain. Contact PresideTech for multi-domain bundled pricing.

The HTML assessment report includes: an executive summary with key findings and an overall risk score; a color-coded DC inventory with RC4DefaultDisablementPhase status; tables of Kerberoastable and AS-REP roastable accounts; KDCSVC capability status per DC; GPO and audit policy analysis; domain trust findings; and a 6-step prioritized remediation plan covering: (1) RC4 phase registry configuration, (2) January 2026 patch deployment, (3) service account AES enforcement, (4) KRBTGT rotation, (5) Entra Connect SSO remediation, and (6) GPO cleanup. Enterprise tier adds four additional sections: SPN Registry (RC4-only service accounts ranked by risk), Delegation Risk Register (unconstrained, constrained, and RBCD delegation with DC-target detection), ACL Attack Path Analysis (writable permissions on domain root, AdminSDHolder, privileged groups, and DC OU), and Blast Radius Register (a 10-signal 0–100 compromise-impact score with narrative cards for high-risk accounts).

April 14 is close. Know your exposure now.

There isn't time to remediate what you haven't mapped. Analyst capacity is limited — get in the queue now, understand your blast radius, and sequence your fixes before enforcement lands.