March 26, 2021

What are the actual risks of having a Windows 10 user with administrative rights on their computer?

# Context

Users are part of a domain, so are their computers, on which they are **the only user**. Users are part of the Local Administrators group.

# Question

What are the actual risks this setup poses?

# Rationale for the question

The users are the only ones that work on the computer, the only data available there is one they either have locally or to which they have access through shares.

An attacker can have (as far as I can tell), the following intents:
- stealing the user data → being administrator does not change anything, the data is the user’s anyway
- have a persistent presence on the computer to use it as a bot or for lateral movements → being an administrator does not change this (you can set persistence through user mechanisms such as programmed tasks, and you can run services (programs that communicate out or allow communication in) in the userspace)
- accessing secrets available to administrators of the machine only, such as authentication tokens of other users (including global administrators) via mechanisms such as mimikatz → this is indeed an issue, which can be mitigated either via Credential Guard, or generally via proper domain administration (separation of duties, MFA, …). But yes, this is a problem.
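One way to check the two points the rationale raises on a given machine (who actually holds local admin rights, and whether Credential Guard is running), as an added PowerShell audit script that is not part of the original post. It assumes an elevated session on a domain-joined Windows 10 host with the Microsoft.PowerShell.LocalAccounts module available.

```powershell
# Added audit script (not from the original post). Assumes an elevated session on a
# domain-joined Windows 10 host with the Microsoft.PowerShell.LocalAccounts module.
# It reports which principals hold local admin rights and whether Credential Guard,
# the mitigation named in the post for the "secrets in LSASS" risk, is running.

# 1. Who is in the local Administrators group? Flag domain user accounts, which is
#    exactly the setup the question describes (interactive user who is also local admin).
$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $members) {
    $isDomainUser = ($m.PrincipalSource -eq 'ActiveDirectory') -and ($m.ObjectClass -eq 'User')
    $flag = if ($isDomainUser) { 'REVIEW: domain user holds local admin' } else { 'ok' }
    '{0,-40} {1,-6} {2,-16} {3}' -f $m.Name, $m.ObjectClass, $m.PrincipalSource, $flag
}

# 2. Is Credential Guard running? Win32_DeviceGuard exposes the virtualization-based
#    security services as integer lists: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1

if ($cgRunning) {
    'Credential Guard: running (derived domain credentials are isolated from the normal OS)'
} elseif ($cgConfigured) {
    'Credential Guard: configured but NOT running (check VBS / Hyper-V prerequisites)'
} else {
    'Credential Guard: not configured (cached domain secrets in LSASS are readable by local admins)'
}
```

Run it per host (or via remoting) and treat any "REVIEW" line combined with a "not configured" line as the case the question is worried about: a local admin on a machine where LSASS secrets are not isolated.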
