This question is a bit too broad. But, yes it is a security risk. If a user finds an exploit in your web server, either accidentally or maliciously, he or she may use that exploit to possibly execute code in the security context under which your web server runs... which in your case will be fully elevated, meaning the attacker can thoroughly and completely own your entire server. This is precisely why we don't run web servers under Local System or other administrator accounts. Noobixide's comment is totally valid as well. If an attacker figures out how to DoS your web server, it will be running with real-time priority, and the operating system will be helpless to stop or throttle it. Your entire server will become unusable.