Senator Calls Out Microsoft for Default Windows Encryption Risks
A US senator is raising concerns about Microsoft’s security practices, particularly around the default settings in Windows. Senator Ron Wyden has asked the Federal Trade Commission to look into the company for what he calls “gross cybersecurity negligence.” His main issue is Microsoft’s continued support of outdated and vulnerable encryption methods that put users at risk.
Wyden points to a recent ransomware attack on the health care company Ascension as proof. The breach, which happened last year, involved the theft of medical records from more than 5.6 million patients. Wyden says Microsoft’s default support of a weak encryption method called RC4 played a key role in letting the attackers in.
Why RC4 Is a Problem
RC4 is a type of encryption developed in the late 1980s. It was once widely used but was found to have serious security flaws. Attackers can crack RC4-protected data much more easily than data protected by modern encryption standards. Despite its flaws being well known for years, Microsoft still supports RC4 in Windows for Active Directory, the system organizations use to manage user accounts and permissions.
When Windows authenticates users, it normally uses stronger encryption, such as AES. But the server can still issue RC4-based responses, which are far easier to attack. If an attacker manages to compromise just one device on a network, they can request an RC4-encrypted service ticket and then crack the service account’s password offline. This technique is called “kerberoasting” and has been known since 2014.
How Kerberoasting and Legacy Encryption Threaten Security
Kerberoasting involves offline password cracking attacks against accounts protected with Kerberos, the authentication protocol used in Windows networks. Microsoft has acknowledged that using RC4 makes these accounts more vulnerable, even when they have strong passwords. Because the RC4 key is derived from the password without a salt or multiple hashing rounds, attackers with powerful GPUs can test passwords very quickly, sometimes billions of guesses per second. This makes even well-chosen passwords susceptible to being cracked.
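As an added example (not part of the article), the following Python script shows the defender’s side of what is described above: it scans Windows Security event 4769 (“A Kerberos service ticket was requested”) records, flags tickets issued with RC4 (encryption type 0x17 rather than the AES types 0x11/0x12), and reports both the accounts that pulled RC4 tickets for many different services and the service accounts that are still being issued RC4 tickets. The event ID, field names and encryption-type codes are Microsoft’s documented values; the event records themselves are constructed sample data.

```python
from collections import defaultdict

RC4_HMAC = 0x17            # TicketEncryptionType for RC4-HMAC
AES_TYPES = {0x11, 0x12}   # AES128 / AES256 CTS-HMAC-SHA1-96

# Constructed sample 4769 events, in the shape a SIEM would parse them into.
# TicketEncryptionType is logged as a hex string in the Windows event.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
    {"EventID": 4768, "TargetUserName": "bob@CORP.LOCAL",   "ServiceName": "krbtgt",     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
]

def _enc_type(event):
    """Normalize TicketEncryptionType (hex string or int) to an int."""
    value = event.get("TicketEncryptionType")
    return int(value, 16) if isinstance(value, str) else int(value)

def rc4_ticket_requests(events):
    """Service-ticket (4769) events whose ticket was issued with RC4."""
    return [e for e in events
            if e.get("EventID") == 4769 and _enc_type(e) == RC4_HMAC]

def kerberoast_suspects(events, min_services=3):
    """Accounts that obtained RC4 service tickets for at least
    min_services distinct services: one account sweeping many SPNs
    with RC4 is the classic kerberoasting signature."""
    per_user = defaultdict(set)
    for e in rc4_ticket_requests(events):
        per_user[e["TargetUserName"]].add(e["ServiceName"])
    return {user: sorted(svcs) for user, svcs in per_user.items()
            if len(svcs) >= min_services}

def exposed_services(events):
    """Service accounts still being issued RC4 tickets; these are the
    accounts whose supported encryption types should be moved to AES."""
    return sorted({e["ServiceName"] for e in rc4_ticket_requests(events)})

if __name__ == "__main__":
    print("RC4 service tickets:", len(rc4_ticket_requests(SAMPLE_EVENTS)))
    print("Suspect requesters:", kerberoast_suspects(SAMPLE_EVENTS))
    print("Services still on RC4:", exposed_services(SAMPLE_EVENTS))
```

A single RC4 ticket (carol, one legacy service) is a remediation item rather than an alert, which is why the suspect threshold counts distinct services per account.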
Microsoft has promised to phase out RC4 support in future updates, but no clear timeline has been announced. Wyden criticizes this slow action, saying Microsoft’s communication about the vulnerability was vague and poorly timed: it was released on a Friday in a technical blog post rather than as a clear warning to users.
He also criticizes Microsoft for not explicitly warning customers that their systems are vulnerable unless they change default settings. Wyden compares Microsoft’s approach to an arsonist who then sells firefighting services to victims, implying the company profits from security issues it refuses to fully fix.
Microsoft’s Response and Future Plans
Microsoft responded by saying it has already stopped using DES, another outdated encryption method. The company says RC4 accounts for less than 0.1% of its traffic and that it is working to gradually disable it entirely. Microsoft plans to have new Windows Server 2025 installations disable RC4 by default in early 2026. It also says it is working on additional measures to protect existing systems, balancing security with compatibility.
In the meantime, Wyden urges organizations to be aware of the risks and to take steps to improve their security. The senator’s office continues to push for faster action and clearer communication from Microsoft to better protect users from these long-known vulnerabilities.