Windows Server


Microsoft will finally kill obsolete cipher that has wreaked decades of havoc

Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn’t easy.

No salt, no iteration? Really?

“The problem though is that it’s hard to kill off a cryptographic algorithm that is present in every OS that’s shipped for the last 25 years and was the default algorithm for so long,” Steve Syfuhs, who runs Microsoft’s Windows Authentication team, wrote on Bluesky. “See,” he continued, “the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes.”

Over those two decades, developers discovered a raft of critical RC4 vulnerabilities that required “surgical” fixes. Microsoft considered deprecating RC4 by this year, but ultimately “punted” after discovering vulnerabilities that required still more fixes. During that time Microsoft introduced some “minor improvements” that favored the use of AES, and as a result, usage dropped by “orders of magnitude.”

“Within a year we had observed RC4 usage drop to basically nil. This is not a bad thing and in fact gave us a lot more flexibility to kill it outright because we knew it genuinely wasn’t going to break folks, because folks weren’t using it.”

Syfuhs went on to document additional challenges Microsoft encountered and the approach it took to solving them.

While RC4 has known cipher weaknesses that make it insecure, Kerberoasting exploits a separate weakness. As implemented in Active Directory authentication, RC4 uses no cryptographic salt and a single round of the MD4 hashing function. Salt is a technique that adds random input to each password before it is hashed. That requires hackers to invest considerable time and resources into cracking the hash. MD4, meanwhile, is a fast algorithm that requires modest resources. Microsoft’s implementation of AES-SHA1 is much slower and iterates the hash to further slow down cracking efforts. Taken together, AES-SHA1-hashed passwords require about 1,000 times the time and resources to be cracked.

Windows admins would do well to audit their networks for any usage of RC4. Given its wide adoption and continued use industry-wide, it may still be active, much to the surprise and chagrin of those charged with defending against hackers.
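One way to run such an audit, as an added example that is not from the article or from Microsoft: count successful Kerberos ticket events (Security log event IDs 4768 and 4769) whose `TicketEncryptionType` is an RC4 value (0x17 or 0x18). The export wrapper, the `_event` helper and every account, service and realm name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KERBEROS_TICKET_EVENTS = {"4768", "4769"}   # TGT request, service ticket request
RC4_ETYPES = {0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}

def _event(event_id, **data):
    """Build one constructed event in the Windows event XML layout (hypothetical helper)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample export; none of these values come from a real log.
SAMPLE_EXPORT = "<Events>" + "".join([
    _event(4769, TargetUserName="alice@EXAMPLE.TEST", ServiceName="svc-legacy-sql",
           TicketEncryptionType="0x17", Status="0x0"),
    _event(4769, TargetUserName="alice@EXAMPLE.TEST", ServiceName="svc-legacy-sql",
           TicketEncryptionType="0x17", Status="0x0"),
    _event(4769, TargetUserName="bob@EXAMPLE.TEST", ServiceName="svc-web",
           TicketEncryptionType="0x12", Status="0x0"),          # AES256, not reported
    _event(4768, TargetUserName="carol", ServiceName="krbtgt",
           TicketEncryptionType="0x17", Status="0x0"),
    _event(4769, TargetUserName="dave@EXAMPLE.TEST", ServiceName="svc-legacy-sql",
           TicketEncryptionType="0xFFFFFFFF", Status="0x1B"),   # failed request
    _event(4624, TargetUserName="erin", LogonType="3"),         # unrelated logon event
]) + "</Events>"

def rc4_ticket_usage(xml_text):
    """Count successful tickets issued with an RC4 etype, per (service, requester, etype)."""
    usage = Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) not in KERBEROS_TICKET_EVENTS:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        if int(data.get("Status", "0x0"), 16) != 0:
            continue   # failed requests carry no meaningful encryption type
        etype = int(data.get("TicketEncryptionType", "0x0"), 16)
        if etype in RC4_ETYPES:
            key = (data.get("ServiceName"), data.get("TargetUserName"), RC4_ETYPES[etype])
            usage[key] += 1
    return usage

if __name__ == "__main__":
    for (service, requester, etype), n in rc4_ticket_usage(SAMPLE_EXPORT).most_common():
        print(f"{n:3d}  {etype:13s} service={service} requester={requester}")
```

Services that appear in the output are the ones to check for missing AES keys or an RC4-only encryption-type setting before RC4 is disabled.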



Windows version of the venerable Linux “sudo” command shows up in preview build

sudo start your photocopiers —

Feature is experimental and, at least currently, not actually functional.

Not now, but maybe soon?


Andrew Cunningham

Microsoft opened its arms to Linux during the Windows 10 era, inventing an entire virtualized subsystem to allow users and developers to access a real-deal Linux command line without leaving the Windows environment. Now, it looks like Microsoft may embrace yet another Linux feature: the sudo command.

Short for “superuser do” or “substitute user do” and immortalized in nerd-leaning pop culture by an early xkcd comic, sudo is most commonly used at the command line when the user needs administrator access to the system—usually to install or update software, or to make changes to system files. Users who aren’t in the sudo user group on a given system can’t run the command, protecting the rest of the files on the system from being accessed or changed.

In a post on X, formerly Twitter, user @thebookisclosed found settings for a Sudo command in a preview version of Windows 11 that was posted to the experimental Canary channel in late January. WindowsLatest experimented with the setting in a build of Windows Server 2025, which currently requires Developer Mode to be enabled in the Settings app. There’s a toggle to turn the sudo command on and off and a separate drop-down to tweak how the command behaves when you use it, though as of this writing the command itself doesn’t actually work yet.

The sudo command is also part of the Windows Subsystem for Linux (WSL), but that version of the sudo command only covers Linux software. This one seems likely to run native Windows commands, though obviously we won’t know exactly how it works before it’s enabled and fully functional. Currently, users who want a sudo-like command in Windows need to rely on third-party software like gsudo to accomplish the task.

The benefit of the sudo command for Windows users—whether they’re using Windows Server or otherwise—would be the ability to elevate the privilege level without having to open an entirely separate command prompt or Windows Terminal window. According to the options available in the preview build, commands run with sudo could be opened up in a new window automatically, or they could happen inline, but you’d never need to do the “right-click, run-as-administrator” dance again if you didn’t want to.

Microsoft regularly tests new Windows features that don’t make it into the generally released public versions of the operating system. This feature could also remain exclusive to Windows Server without making it into the consumer version of Windows. But given the command’s presence in Linux and macOS, it will be a nice quality-of-life improvement for Windows users who spend lots of time staring at the command prompt.

Microsoft is borrowing a longstanding Linux feature here, but that road goes both ways—a recent update to the Linux systemd software added a Windows-inspired “blue screen of death” designed to give users more information about crashes when they happen.
