I am considering the security risks to have a standard user added to the Administrators group on an enterprise Windows 10 machine that is dedicated to that user. This is related to security only, so breaking the OS of a wrong manipulation, installing unlicensed programs or similar administrative tasks is out of scope of my question.
The only one I found so far is that such rights allow for that user account to dump the authentication hash of someone having had interactively connected to that machine (via mimikatz for instance). This can be prevented via Credential Guard or other mesures limiting the use of wider admin accounts.
All the other risks I can think of are applicable to a normal user anyway:
- execution of programs that will extract data (with the user rights - so data the user has access to anyway).
- attempts to map the surroundings of the machine looking for lateral moves
- persistence through scheduled tasks
- communication to a C2
Are there other security concerns to be an administrator of one's machne as part of one's normal, everyday account?
EDIT: following up on a comment - I do assume that the user can be compromised. What I am trying to understand is what the fact that they are an administrator of their own machine changes in the risk landscape
Note: a similar question discussed the ability to add admin rights to users but I could not find anything related to additional risks beyond the ones a normal user introduces anyway (besides "best practices" and legal constraints which do not apply in my case).
There is of course an xkcd strip about that, which I add for completeness