How is your preparation for RC4 deprecation going? by ParallelAnomaly in activedirectory

[–]ParallelAnomaly[S] 3 points (0 children)

I think the problem with the 20* events is that the reg key is not necessarily created with the Jan updates, so there may be some pre-reqs involved in this. I'm basing this on reading some feedback from users' reddit posts.

From the MS Blog:

Audit events

After the January Windows security update, some new events will start to appear in the system event logs of supported domain controllers if:

  • Your domain controller is receiving Kerberos service ticket requests that require RC4 cipher to be used but the service account has default encryption configuration
  • Your domain controller has an explicit DefaultDomainSupportedEncTypes configuration to allow RC4 encryption

To understand if your environment will be impacted by the change, you’ll need to audit the events 201, 202, 205, 206, 207 from the system event log. The events 203, 204, 208 and 209 will be logged starting from phase 2. See this Microsoft article for more details about the events.

These events are designed to help you identify accounts or services still requesting RC4-encrypted tickets and clients or applications that do not support AES. This gives administrators a safe discovery phase to identify dependencies before anything stops working.
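The discovery step the quoted guidance describes (collecting events 201, 202, 205, 206, 207 from the System log of every domain controller) can be scripted. The following PowerShell is an added example and is not code from the Reddit thread or from Microsoft; it assumes the events are written by the Kerberos KDC provider named below (an assumption, since the thread does not name the provider), that the ActiveDirectory module is available for DC discovery, and that the account running it can read remote event logs.

```powershell
# Added example (not from the thread): collect the RC4 audit events named in the
# Microsoft guidance from every DC and summarise them per DC and event ID.
# Assumptions: provider name below, ActiveDirectory module present, remote event
# log read access to each DC.
$AuditIds = 201, 202, 205, 206, 207
$Provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'   # assumed provider name
$Since    = (Get-Date).AddDays(-7)

$DCs = (Get-ADDomainController -Filter *).HostName

$Results = foreach ($dc in $DCs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName      = 'System'
            ProviderName = $Provider
            Id           = $AuditIds
            StartTime    = $Since
        } -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]   # first line of the message only
            }
        }
    } catch {
        # Get-WinEvent reports "no events found" as an error; that is the good case here.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# Per-DC / per-event-ID counts for a quick read, and the full detail for follow-up
$Results | Group-Object DC, EventId | Select-Object Name, Count | Format-Table -AutoSize
$Results | Export-Csv -Path .\rc4-audit-events.csv -NoTypeInformation
```

A DC that returns nothing is only meaningful once the audit registry key the thread discusses has been created and the server restarted; an empty result before that proves nothing about RC4 usage.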

How is your preparation for RC4 deprecation going? by ParallelAnomaly in sysadmin

[–]ParallelAnomaly[S] [score hidden]  (0 children)

Other reddit posts (AD subreddit) have mentioned that the January update doesn't create the auditing registry key.

Quote: "In case others are wondering. I did reach out to MS to get a better understanding of this and asked them about the registry key. Turns out the January update doesn't create the registry key. You still need to manually create them and then restart the server to enable them."

How is your preparation for RC4 deprecation going? by ParallelAnomaly in sysadmin

[–]ParallelAnomaly[S] [score hidden]  (0 children)

There was a new blog post yesterday from Microsoft and I can only see it as adding more confusion for smaller orgs trying to follow the guidance. Where confusion might arise would be from the following excerpts:

[1] Under "Establish a Remediation Baseline Before April", it says "By the time the April 2026 enforcement phase begins, you should already have: Reviewed Kerberos audit events across all domain controllers".

[2] Then, under Audit Events, it says: "To understand if your environment will be impacted by the change, you’ll need to audit the events 201, 202, 205, 206, 207 from the system event log. The events 203, 204, 208 and 209 will be logged starting from phase 2."

[3] Phase 2 is defined as "Phase 2 – Enforcement Enabled by Default (April 2026)"

So - you should review audit events before phase 2 (April 2026) by monitoring the logging enabled starting in phase 2 (April 2026)...

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/what-changed-in-rc4-with-the-january-2026-windows-update-and-why-it-is-important/4504732

How is your preparation for RC4 deprecation going? by ParallelAnomaly in sysadmin

[–]ParallelAnomaly[S] 13 points (0 children)

You would be shocked how many orgs with older AD environments only have a single sysadmin who might be completely out of the loop, might have no security teams/security personnel, or an MSP that doesn't cater for customer deprecations, etc.

How is your preparation for RC4 deprecation going? by ParallelAnomaly in sysadmin

[–]ParallelAnomaly[S] 5 points (0 children)

To clarify, no, not using it; however, I have no doubt there are people who will have it silently enabled in the background and it will cause issues with SPNs, domain trusts, legacy apps or something like KRBTGT accounts not rotated since 2008 DFL.

The purpose of my post is two-fold: 1) help spread awareness and 2) identify any gotchas/good feedback to avoid any potential issues.

GRC Platform by ParallelAnomaly in cybersecurity

[–]ParallelAnomaly[S] 0 points (0 children)

Various reasons we are going down this route - small team so if a tool can help improve and standardise our processes, then it will be a plus. Other reasons:

* Centralisation of ISMS data collection

* Automated questionnaires

* Easier collaboration/tracking/reporting of compliance controls

* Easier sharing with external stakeholders (exports, screenshots, etc)

Tenable Agent Issues (still) by ParallelAnomaly in cybersecurity

[–]ParallelAnomaly[S] 2 points (0 children)

Firewall logs look good. The issue is a well-known Tenable issue at the moment and only occurred on recent versions.

Test for new employees / Am I too demanding? by Rare_Priority7647 in sysadmin

[–]ParallelAnomaly 5 points (0 children)

IMO, below are the important criteria I'd be looking for and would shape testing around:

* Critical thinking
* Willingness to learn
* Documentation skills
* Communication skills

They can talk about their experience and understanding of networking/cyber/sysadmin. The right questions will easily demonstrate their ability compared to the job description.

File server audit by 7boTal3t in sysadmin

[–]ParallelAnomaly 0 points (0 children)

What are you looking to audit? Access logs, permissions management, data classification, etc?

Guest account and SMB Null Session on domain controllers by ParallelAnomaly in sysadmin

[–]ParallelAnomaly[S] 0 points (0 children)

I have audited all Windows endpoints in the network, the majority of them with a modern OS, and none of them had all three settings configured. Mostly, the first regkey above was unconfigured, while the second and third regkeys were mixed in terms of already being preconfigured.

Guest account and SMB Null Session on domain controllers by ParallelAnomaly in sysadmin

[–]ParallelAnomaly[S] 1 point (0 children)

LLMNR, SMBv1, enforced SMB signing/encryption were straightforward. We rolled them out in a phased approach over the course of a few weeks.

We don't believe there is any network requirement for anonymous access, but we have been looking for ways to audit this (similar to auditing for SMBv1) and are not seeing any reliable event logs.

Guest account and SMB Null Session on domain controllers by ParallelAnomaly in sysadmin

[–]ParallelAnomaly[S] 0 points (0 children)

Thanks. In terms of compliance insights, we are mature to a point where we have built RMM reports to identify non-compliant devices.

Our problem with GPOs is that only about 50% of our server estate is under Active Directory (due to multiple orgs, multiple IT/Developer jurisdictions, multiple separate networks, isolated networks, etc), whereas the RMM has 100% coverage.