RC4 Detect Assessment

July 14, 2026.
RC4 disablement
is finalized.

Microsoft's April 2026 Patch Tuesday update activated Kerberos RC4 disablement on fully patched domain controllers, and the July update enforces it with no way to revert. Environments without a remediation plan in place face unplanned authentication outages: accounts and services accumulated over years of operation can simply stop working, with no automatic fix and no grace period. The longer your environment has been running, the more silent RC4 dependencies it has accumulated. The only way to know your true exposure is to look before the deadline forces you to find out the hard way. Our RC4 Assessment identifies which accounts already hold valid AES keys before enforcement, rather than only listing events for accounts that happened to authenticate with RC4. It also delivers a prioritized remediation plan that you can hand to a cyber-insurance underwriter when one is demanded.

July 14
Next RC4 enforcement date

12+
Exposure vectors analyzed

AES-256
Encrypted result delivery

0
AD objects modified during scan

April 14, 2026 is not a soft deadline.

The April 2026 Patch Tuesday update advances the RC4DefaultDisablementPhase enforcement state on every fully patched Windows domain controller. The longer an Active Directory environment has been in operation, the greater the accumulated exposure — service accounts created years ago for line-of-business applications, scheduled tasks, and integrations rarely get touched, and many still rely on RC4 Kerberos encryption without anyone realizing it. When enforcement lands, those accounts stop authenticating. Organizations that haven't mapped their RC4 exposure have no reliable way to anticipate which systems will break, in what order, or how long recovery will take.

Every RC4 exposure vector — mapped

RC4 Detect analyzes your Active Directory environment across all known RC4 Kerberos attack surfaces, from individual service accounts to forest-level trust configurations.

Critical

Pre-Enforcement outage prediction

Names every account that will fail after the authentication behavior flips; turns "we'll find out when users complain" into a triaged remediation list before the failure window opens.

High

Definitive proof of AES keys per account

Pulls per-user key data so the report shows directly observed credential-store contents rather than inferences; eliminates resets of accounts that are demonstrably fine and cuts the post-enforcement remediation backlog to the accounts that actually need it.

Critical

AES key generation risk for accounts where AES has NOT been observed

For the residual population the event logs have not proved out, classifies each account by password-age tier, converting an "unknown" bucket into a triaged reset list with the right urgency per tier. (Kerberos AES keys are derived from the password at the moment it is set, so an account whose password predates AES support in the domain has no AES keys until it is reset.)

High

KDCSVC Event cross-reference

Joins audit-mode log evidence back to specific accounts in every table; converts the audit-mode preview window from a pile of event entries into a per-account "this one will break" list operators can act on.

Critical

RC4 calls per host — zero in on legacy authentications

Per-endpoint, per-account aggregation of RC4 ticket counts - surfaces the specific workstations, appliances, and apps still negotiating RC4 so remediation effort lands on the actual sources, not a forest-wide guess.

High

KRBTGT Golden Ticket window assessment

Password age, AES key presence, and rotation history on every KRBTGT (including RODC variants) with risk-tiered remediation — exposes the silent invisible-forgery window most environments don't measure.

Critical

Service account blast radius from authentication patterns

Per-service-account aggregation of events shows which client accounts and IPs requested each service ticket, mapping the landscape around some of the highest-risk accounts and prioritizing remediation by real reachability instead of privilege flags alone.

High

Configuration state per domain controller

Checks each DC for audit settings, RC4 enforcement patch level and the encryption enforcement setting (Legacy/Audit/Enforcement) based on actual registry state, not assumptions; this is the only way to predict same-account-different-DC inconsistencies before they cause sporadic authentication failures.

Critical

Prioritized remediation roadmap, ordered by dependency

Sequenced steps (audit mode first, then patches, then KRBTGT, then accounts, then re-rotate) with priority labels; replaces "Microsoft says fix RC4" with a concrete in-order plan a sysadmin can execute without breaking authentication in the middle.

See exactly what you get

Every RC4 Detect assessment delivers a forensic-grade HTML report — branded, timestamped, and scoped to your Active Directory forest. Below is a redacted example from a real engagement. Click any panel to expand.

100
Critical risk score

The overall risk score weights findings by severity and exploitability. A score of 100 means active, unmitigated exposure to both Microsoft enforcement and adversarial attack.

35%
Of Kerberos traffic still RC4

TGS traffic analysis shows what proportion of live Kerberos authentication requests are still negotiating RC4 — the real-world signal of how much will break on April 14.

400
Days since KRBTGT rotation

An aged KRBTGT leaves the Golden Ticket attack window dangerously wide. The report recommends one or two rotations based on your replication topology. Because the KDC still honors tickets issued under the previous KRBTGT key, a second rotation only closes the window once the first has replicated to every DC and outstanding ticket lifetimes have expired; rotating twice back-to-back will break valid tickets instead.

7
Distinct finding categories

From Kerberoastable service accounts to NTLM fallback exposure — every finding is categorized, severity-rated, and mapped to a prioritized remediation step.


How the assessment works

From purchase to report in hand — a tightly controlled, auditable chain of custody for your sensitive AD data.

1

One-time key issuance

PresideTech issues a cryptographically signed, time-limited product key scoped to your forest FQDN and tier. The key expires in 7 days and can only be consumed once.

RSA-SHA256 signed · 7-day TTL

2

Collector deployment

Run the self-contained collector on any domain-joined Windows host with read access to Active Directory. No installation required. No AD objects modified.

.NET 8 · single-file binary · no install

3

Read-only AD scan

The collector queries Active Directory via LDAP, reads remote registry on DCs, and analyzes Windows Event Logs — all read-only. You select which domains and sites to include.

LDAP · Remote Registry · Event Log
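As an added illustration of the read-only per-DC checks in steps 2 and 3 (and of the "configuration state per domain controller" finding above), the PowerShell below enumerates every domain controller, reads the Kdc service key and the OS build/UBR over Remote Registry with read-only handles, and flags DCs whose RC4DefaultDisablementPhase differs from the majority. This is example code written for this page, not PresideTech's collector. One assumption: the RC4DefaultDisablementPhase value (named on this page) is read from the Kdc service key, where DefaultDomainSupportedEncTypes also lives; confirm the path against Microsoft's documentation for your patch level.

```powershell
# Added example, not the RC4 Detect collector. Read-only per-DC RC4 state check.
# Assumption: RC4DefaultDisablementPhase sits under the Kdc service key alongside
# DefaultDomainSupportedEncTypes; adjust $KdcKey if your patch documentation differs.
Import-Module ActiveDirectory

$KdcKey     = 'SYSTEM\CurrentControlSet\Services\Kdc'
$VersionKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-DcRc4State {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $row = [ordered]@{
            DC                             = $dc.HostName
            Site                           = $dc.Site
            OS                             = $dc.OperatingSystem
            Build                          = $null   # CurrentBuildNumber.UBR = patch level
            IsReadOnly                     = $dc.IsReadOnly
            RC4DefaultDisablementPhase     = $null
            DefaultDomainSupportedEncTypes = $null
            Error                          = $null
        }
        try {
            # Remote Registry with read-only handles: OpenSubKey(name, $false) never writes.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $dc.HostName)
            $ver = $hklm.OpenSubKey($VersionKey, $false)
            $row.Build = '{0}.{1}' -f $ver.GetValue('CurrentBuildNumber'), $ver.GetValue('UBR')
            $ver.Close()
            $kdc = $hklm.OpenSubKey($KdcKey, $false)
            if ($kdc) {
                $row.RC4DefaultDisablementPhase     = $kdc.GetValue('RC4DefaultDisablementPhase')
                $row.DefaultDomainSupportedEncTypes = $kdc.GetValue('DefaultDomainSupportedEncTypes')
                $kdc.Close()
            }
            $hklm.Close()
        } catch {
            $row.Error = $_.Exception.Message   # e.g. Remote Registry service disabled or firewalled
        }
        [pscustomobject]$row
    }
}

function Find-DcPhaseMismatch {
    # $null means "not set, so the patch-level default applies". DCs whose value differs
    # from the rest are the source of the same-account-different-DC failures described above.
    param([object[]]$States)
    $ok     = @($States | Where-Object { -not $_.Error })
    $groups = @($ok | Group-Object { "$($_.RC4DefaultDisablementPhase)" })
    if ($groups.Count -le 1) { return @() }
    $majority = ($groups | Sort-Object Count -Descending | Select-Object -First 1).Name
    $ok | Where-Object { "$($_.RC4DefaultDisablementPhase)" -ne $majority }
}

$states = @(Get-DcRc4State)
$states | Format-Table DC, Site, Build, IsReadOnly, RC4DefaultDisablementPhase, DefaultDomainSupportedEncTypes, Error -AutoSize
Find-DcPhaseMismatch -States $states | Format-Table DC, Build, RC4DefaultDisablementPhase -AutoSize
```

Run it from any domain-joined host as an account that can read the DCs' registry remotely; a DC that returns an Error row is one the assessment could not verify, which is itself a finding worth recording before enforcement day.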

4

Encrypted file output

Results are AES-256-CBC encrypted and HMAC-SHA256 authenticated, with the content key wrapped in an RSA-4096-OAEP envelope, and written to a file locally. Your AD data never crosses the network in plaintext.

AES-256-CBC · RSA-4096-OAEP · HMAC-SHA256

5

Analyst decryption & report delivery

You transmit the encrypted file to PresideTech. Our analysts decrypt it using keys stored in Azure Key Vault, review findings, and deliver your HTML assessment report with prioritized remediation steps.

Azure Key Vault · analyst reviewed

Designed for security-conscious enterprises

We assess your environment with the same rigor we apply to securing the assessment itself.


Zero plaintext network egress

AD data is encrypted before any file is written to disk. Nothing is transmitted to PresideTech infrastructure in plaintext — ever.


Azure Key Vault key custody

The RSA-4096 private key used to decrypt result files is stored in Azure Key Vault. It never exists outside of the vault.


One-time-use product keys

Each assessment key is scoped to a specific forest FQDN, expires in 7 days, and transitions to the Consumed state after a single use, so a captured key cannot be replayed.


Full audit ledger

Every key issuance, reservation, consumption, and analyst decryption event is recorded in a tamper-evident Azure Table Storage ledger with timestamps.

Choose your assessment

Every tier covers a single Active Directory domain and delivers an analyst-reviewed remediation report. Already have Professional? Upgrade to unlock the full Enterprise analysis for the same domain.

Professional

Single domain

$5,995

  • Kerberoastable account enumeration
  • AS-REP roastable account detection
  • KRBTGT password age analysis
  • RC4DefaultDisablementPhase per DC
  • KDCSVC event capability check (201–209)
  • GPO Kerberos encryption policy review
  • Kerberos audit policy gap detection
  • Cross-domain trust RC4 analysis
  • Entra Connect AZUREADSSOACC check
  • Risk score with weighted findings
  • Executive summary + 6-step remediation
  • Encrypted .rc4d delivery

Purchase Professional →

Professional → Enterprise Upgrade

Existing Professional customers

$4,995

  • Unlocks all four Enterprise-exclusive sections on your existing report
  • SPN Registry — RC4-only service accounts ranked by risk
  • Delegation Risk Register — unconstrained, constrained & RBCD with DC-target detection
  • ACL Attack Path Analysis — domain root, AdminSDHolder, privileged groups & DC OU
  • Blast Radius Register — 10-signal 0–100 score with per-account narrative cards

Purchase Upgrade →

Frequently asked questions

RC4 (ARCFOUR) is a symmetric stream cipher used in legacy Kerberos implementations. Microsoft is actively deprecating it because RC4-keyed Kerberos tickets are far cheaper to crack offline (Kerberoasting, AS-REP roasting): the RC4 Kerberos key is the unsalted NT hash of the password, whereas AES keys are derived with salted, iterated PBKDF2. The cipher itself also has known weaknesses. Beginning with the January 2026 security updates, domain controllers enforce RC4 disablement in phases; environments that have not mapped and remediated their RC4 dependencies face unplanned authentication outages as Windows enforces this change.

The RC4 Detect collector requires a domain account with read access to Active Directory (standard Domain User access is sufficient for LDAP queries) and remote registry read access on domain controllers for the RC4DefaultDisablementPhase check. It does not require Domain Admin, Schema Admin, or any write permissions. No AD objects are created or modified during the assessment.

Assessment results are AES-256-CBC encrypted with an RSA-4096-OAEP key envelope before the file is written to disk on your system. The RSA private key is stored in Azure Key Vault and never exists outside of the vault. You transmit the encrypted .rc4d file to PresideTech via your preferred secure channel. At no point does plaintext AD data leave your environment.

KDCSVC is the Kerberos Key Distribution Center service on Windows domain controllers. Microsoft introduced KDCSVC event IDs 201–209 in Server 2016 and later to signal RC4 disablement capability. The RC4 Detect collector queries the System event log on each DC for these events over a 30-day window. Domain controllers running Server 2012 R2 or earlier, or those lacking Event 205, are flagged as incapable of RC4 enforcement — a high-severity blocker that must be resolved (via OS upgrade or patch) before RC4 can be safely disabled forest-wide.
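As an added example of the 30-day KDCSVC sweep this answer describes, and of the "KDCSVC Event cross-reference" and "RC4 calls per host" findings earlier on the page, the PowerShell below reads events 201 to 209 from each DC's System log, flattens each event's EventData fields so they can be joined to account tables, and flags DCs with no Event 205 in the window. This is example code written for this page, not the RC4 Detect collector. Assumptions: the provider name Microsoft-Windows-Kerberos-Key-Distribution-Center, and that per-event account fields are EventData elements with descriptive names (names vary by event ID, so they are captured generically; the 'Account' name match at the end is a placeholder to adapt once you have inspected a real event).

```powershell
# Added example, not the RC4 Detect collector. Read-only KDCSVC event sweep per DC.
# Assumptions: provider name below; EventData field names vary per event ID and are
# captured generically; the 'Account' name match at the end is a placeholder.
Import-Module ActiveDirectory

$KdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'

function Get-KdcsvcEvents {
    param([int]$Days = 30, [int[]]$Ids = (201..209))
    $filter = @{
        LogName      = 'System'
        ProviderName = $KdcProvider
        Id           = $Ids
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Get-WinEvent errors when nothing matches; treat that as zero events, not failure.
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }   # <Data Name="...">value</Data>
            }
            [pscustomobject]@{
                DC = $dc.HostName; Time = $e.TimeCreated; Id = $e.Id; Data = $data; Message = $e.Message
            }
        }
    }
}

function Get-KdcsvcCapability {
    # The page treats a DC without Event 205 in the window as unable to enforce RC4
    # disablement; summarise per DC so that blocker is visible before the deadline.
    param([object[]]$Events, [string[]]$Dcs)
    foreach ($dc in $Dcs) {
        $mine = @($Events | Where-Object DC -eq $dc)
        [pscustomobject]@{
            DC             = $dc
            EventsInWindow = $mine.Count
            IdsSeen        = (($mine | ForEach-Object Id | Sort-Object -Unique) -join ',')
            Has205         = [bool]($mine | Where-Object Id -eq 205)
        }
    }
}

$dcs    = (Get-ADDomainController -Filter *).HostName
$events = @(Get-KdcsvcEvents -Days 30)
Get-KdcsvcCapability -Events $events -Dcs $dcs | Format-Table -AutoSize

# Per-account roll-up: join on whichever EventData field carries the account name
# (assumed to contain 'Account'; confirm against a real event and adjust the match).
$events | ForEach-Object {
    $acct = ($_.Data.GetEnumerator() | Where-Object Key -match 'Account' | Select-Object -First 1).Value
    if ($acct) { [pscustomobject]@{ Account = $acct; Id = $_.Id; DC = $_.DC } }
} | Group-Object Account, Id | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Reading a remote System log needs only Event Log Readers membership (or equivalent) on the DCs, not Domain Admin, which matches the least-privilege posture described in the permissions answer above.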

Each product key is scoped to a single domain at issuance. For environments with multiple domains or forests, separate assessments are required — one per domain. Contact PresideTech for multi-domain bundled pricing.

The HTML assessment report includes: an executive summary with key findings and an overall risk score; a color-coded DC inventory with RC4DefaultDisablementPhase status; tables of Kerberoastable and AS-REP roastable accounts; KDCSVC capability status per DC; GPO and audit policy analysis; domain trust findings; and a 6-step prioritized remediation plan covering: (1) RC4 phase registry configuration, (2) January 2026 patch deployment, (3) service account AES enforcement, (4) KRBTGT rotation, (5) Entra Connect SSO remediation, and (6) GPO cleanup. Enterprise tier adds four additional sections: SPN Registry (RC4-only service accounts ranked by risk), Delegation Risk Register (unconstrained, constrained, and RBCD delegation with DC-target detection), ACL Attack Path Analysis (writable permissions on domain root, AdminSDHolder, privileged groups, and DC OU), and Blast Radius Register (a 10-signal 0–100 compromise-impact score with narrative cards for high-risk accounts).
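The account tables this answer lists (Kerberoastable, AS-REP roastable, and KRBTGT including RODC variants) and the password-age tiering described earlier can be reproduced with read-only LDAP queries. The PowerShell below is an added example written for this page, not the product's code; it decodes msDS-SupportedEncryptionTypes and tiers accounts by password age. Two caveats a practitioner should keep in mind: msDS-SupportedEncryptionTypes is the LDAP-visible configuration, not proof that AES keys exist in the credential store (reading the keys themselves requires directory replication rights, which a plain Domain User does not have), and the 5-year/1-year tier thresholds are illustrative assumptions rather than Microsoft guidance.

```powershell
# Added example, not the RC4 Detect collector. Read-only LDAP account triage.
# Assumptions: an unset msDS-SupportedEncryptionTypes is treated as "RC4 by domain
# default"; the 5-year / 1-year tier thresholds are illustrative, not Microsoft guidance.
Import-Module ActiveDirectory

$EncTypeBits = [ordered]@{
    'DES-CBC-CRC' = 0x01; 'DES-CBC-MD5' = 0x02; 'RC4-HMAC' = 0x04
    'AES128'      = 0x08; 'AES256'      = 0x10; 'AES256-SK' = 0x20
}

function ConvertFrom-EncTypes {
    param([int]$Value = 0)
    if ($Value -eq 0) { return 'unset (domain default, typically RC4)' }
    ($EncTypeBits.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Key) -join ','
}

function Get-PasswordAgeTier {
    # AES keys are derived from the password at the moment it is set; the older the
    # password, the greater the chance it predates AES support and has no AES keys at all.
    param([datetime]$PasswordLastSet)
    $days = ((Get-Date) - $PasswordLastSet).Days
    if     ($days -gt 1825) { 'Critical' }
    elseif ($days -gt 365)  { 'High' }
    else                    { 'Medium' }
}

function Get-Rc4AccountTriage {
    $props   = 'msDS-SupportedEncryptionTypes', 'PasswordLastSet', 'servicePrincipalName'
    $enabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    $filters = [ordered]@{
        # SPN set and enabled: any user can request a TGS for it (Kerberoasting; RC4 = cheap crack).
        Kerberoastable = "(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt))$enabled)"
        # DONT_REQ_PREAUTH (0x400000) set: AS-REP roastable.
        ASREPRoastable = "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304)$enabled)"
        # krbtgt plus krbtgt_<id> RODC accounts; password age here is the Golden Ticket window.
        KRBTGT         = '(sAMAccountName=krbtgt*)'
    }
    foreach ($class in $filters.Keys) {
        foreach ($u in Get-ADUser -LDAPFilter $filters[$class] -Properties $props) {
            $enc = [int]$u.'msDS-SupportedEncryptionTypes'   # $null becomes 0
            [pscustomobject]@{
                Class           = $class
                SamAccountName  = $u.SamAccountName
                EncTypes        = ConvertFrom-EncTypes $enc
                AesConfigured   = [bool]($enc -band 0x18)       # configuration, not proof of keys
                PasswordLastSet = $u.PasswordLastSet
                PasswordAgeDays = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).Days } else { $null }
                Tier            = if ($u.PasswordLastSet) { Get-PasswordAgeTier $u.PasswordLastSet } else { 'Critical (never set)' }
                SPNs            = ($u.servicePrincipalName -join '; ')
            }
        }
    }
}

$triage = @(Get-Rc4AccountTriage)
$triage | Sort-Object Class, PasswordAgeDays -Descending |
    Format-Table Class, SamAccountName, EncTypes, AesConfigured, PasswordAgeDays, Tier -AutoSize

# Reset candidates: no AES configured and an old password, oldest first.
$triage | Where-Object { -not $_.AesConfigured -and $_.Tier -like 'Critical*' } |
    Sort-Object PasswordAgeDays -Descending | Select-Object Class, SamAccountName, PasswordAgeDays
```

Resetting a service account's password regenerates its Kerberos keys under the encryption types then configured, so pair any reset from this list with setting msDS-SupportedEncryptionTypes to an AES-only value first, and with updating every place the old password is stored (scheduled tasks, service definitions, application config).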

April 14 is close. Know your exposure now.

There isn't time to remediate what you haven't mapped. Analyst capacity is limited — get in the queue now, understand your blast radius, and sequence your fixes before enforcement lands.