Privilege Watch

Why Local Admin Rights Still Create Breach Paths

Local admin is the gift that keeps giving — to attackers. It remains one of the most common footholds in modern breaches, and most organizations know it and tolerate it anyway.


If you have been in security for more than a few years, you have had this conversation. Local admin rights are a problem. Everyone knows it. The conversation happens, someone acknowledges the risk, and then nothing changes because removing local admin is painful and the helpdesk will complain and the developers will revolt and it has always been this way.

Meanwhile, attackers keep exploiting it.

Local admin is one of the oldest, most documented, most consistently abused privilege problems in enterprise security. It is also one of the most tolerated. That gap — between knowing and doing — is where breaches live.


Why It Matters

The blast radius is bigger than you think

Local administrator rights give a user full control over a single machine. On the surface that sounds contained. In practice it is anything but.

When a user has local admin rights, an attacker who compromises that user's account inherits those rights. From there the options multiply quickly. They can install tools. They can disable security software. They can dump credentials from memory — including credentials for accounts that authenticated to that machine recently, which may include domain accounts with significantly higher privilege than the local user ever had.

That last point is the one that catches organizations off guard. A standard user with local admin on their workstation is not just a risk to their own machine. They are a potential pivot point to every privileged account that has ever touched that endpoint. Domain admins who remote in to troubleshoot. Service accounts running scheduled tasks. IT staff who logged in to push a software update. All of those credentials can potentially be harvested from a machine where the attacker has local admin.

The blast radius of a single compromised local admin account is almost always larger than anyone estimated.
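One way to replace "larger than anyone estimated" with an actual number is to ask the workstation which privileged accounts have left credential material on it. The script below is an added example, not something from the newsletter: it pulls the members of a few privileged groups from Active Directory, then scans the local Security log for 4624 logons of those accounts using logon types that cache credentials on the host (console, RDP, cached interactive), while ignoring network logons, which do not. It assumes the RSAT ActiveDirectory module, an elevated session (the Security log is not readable otherwise), and that the group names in `$PrivilegedGroups` are the ones that matter in your domain.

```powershell
# Added example (not from the newsletter): estimate the credential blast radius of one
# workstation by listing which privileged domain accounts have logged on here in a way
# that leaves reusable credentials in memory.
# Assumptions: RSAT ActiveDirectory module present, session is elevated, and the group
# list below reflects your environment.

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')  # assumption: adjust per domain
$LookbackDays     = 30

# Build a lookup of privileged SamAccountNames (nested group membership included).
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $privileged[$_.SamAccountName.ToLowerInvariant()] = $g }
}

# Logon types that leave credential material in LSASS on this host:
# 2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Type 3 (network) is excluded because it does not cache credentials on the target.
$credentialLeavingTypes = @('2', '10', '11')

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Read the EventData fields by name rather than by positional index.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user = $data['TargetUserName']
    if (-not $user -or $user.EndsWith('$')) { continue }                      # skip machine accounts
    if ($credentialLeavingTypes -notcontains $data['LogonType']) { continue } # skip network logons

    $key = $user.ToLowerInvariant()
    if ($privileged.ContainsKey($key)) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($data['TargetDomainName'])\$user"
            Group     = $privileged[$key]
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

if ($findings) {
    $findings | Sort-Object Time -Descending | Format-Table -AutoSize
    Write-Warning ("{0} privileged logon(s) on this host in the last {1} days; a local admin compromise here exposes those accounts." -f $findings.Count, $LookbackDays)
} else {
    Write-Host "No privileged interactive logons found in the last $LookbackDays days."
}
```

Run it on a handful of ordinary workstations and the output usually makes the case on its own: every hit is a domain-privileged account whose credentials were exposed to anyone holding local admin on that box. The same logic works centrally if 4624 events are forwarded to a SIEM; the host-local version is just the quickest way to get a first number.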


The PAM Lesson

Least privilege at the endpoint

Removing local admin rights is an endpoint privilege management problem, and it sits squarely within the PAM discipline. The goal is least privilege at the endpoint level — users run as standard users by default, and elevated rights are granted only when needed, only for what is needed, and only for as long as it is needed.

In practice this means a few things:

Most organizations do not need to start at PAW (privileged access workstation) level. They need to start by getting standard users off local admin. That alone closes a significant portion of the lateral movement surface that attackers rely on.
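Getting standard users off local admin starts with knowing who is in the group on each machine today. The following is an added example, not code from the newsletter: it queries the local Administrators group on a list of workstations over PowerShell Remoting and flags every member that is neither the built-in Administrator (RID 500, which LAPS should be managing) nor on an explicit allow-list. The file `workstations.txt` and the `CORP\...` group names are placeholders for your own fleet list and delegated admin groups.

```powershell
# Added example (not from the newsletter): audit local Administrators membership across a
# fleet and report every member that is not on the allow-list.
# Assumptions: PowerShell Remoting enabled on the targets, the caller can reach them, and
# the allow-list below is replaced with your own delegated groups.

$Computers = Get-Content -Path '.\workstations.txt'   # placeholder input: one hostname per line
$Allowed   = @(
    'CORP\Domain Admins',        # assumption: your domain's admin group
    'CORP\Workstation Admins'    # assumption: delegated helpdesk/endpoint group
)

$report = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ArgumentList (,$Allowed) -ScriptBlock {
    param($allowed)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # The built-in Administrator account always has RID 500 under the machine SID.
        $isBuiltIn = $_.SID.Value -like 'S-1-5-21-*-500'
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Class    = $_.ObjectClass        # User or Group
            Source   = $_.PrincipalSource    # Local, ActiveDirectory, ...
            Allowed  = $isBuiltIn -or ($allowed -contains $_.Name)
        }
    }
}

$violations = $report | Where-Object { -not $_.Allowed }

$violations | Sort-Object Computer, Member |
    Format-Table Computer, Member, Class, Source -AutoSize

$hostsScanned = ($report | Select-Object -ExpandProperty PSComputerName -Unique).Count
$hostsHit     = ($violations | Select-Object -ExpandProperty Computer -Unique).Count
Write-Host ("{0} hosts scanned, {1} unexpected local admin entries on {2} hosts." -f $hostsScanned, $violations.Count, $hostsHit)
```

Direct user entries (Class = User, Source = ActiveDirectory) are the ones the section is about: the standard users who were made local admin at some point and never removed. Review the list before acting, then remediation is `Remove-LocalGroupMember` per host or, better, a Group Policy Restricted Groups or Local Users and Groups preference that enforces the allow-list so the drift cannot come back. One practical caveat: on some Windows builds `Get-LocalGroupMember` errors out when the group contains an orphaned SID from a deleted domain account; those hosts will be missing from `$report` and are worth a manual look, since the orphaned entry itself is a sign nobody has reviewed that group in a while.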


The Password Reuse Problem

One password, every machine

There is a specific local admin scenario that has been responsible for a stunning number of large-scale breaches: the shared local administrator password.

In environments where workstations are imaged and deployed with a standard build, it is common for every machine to have the same local administrator account with the same password. The account might be disabled. It might not. But the password is the same everywhere.

An attacker who recovers that password from one machine can authenticate as local admin to every machine in the environment that shares it. At that point lateral movement is not a technique — it is a formality.

Microsoft's Local Administrator Password Solution, LAPS, was designed specifically for this problem. It randomizes and rotates the local admin password on each machine individually, stores it in Active Directory, and makes it retrievable only by authorized accounts. It has been available for years. A significant number of organizations have still not deployed it.

If your environment has a shared local admin password and LAPS is not deployed, that is not a backlog item. That is a fire.
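Whether that fire is burning in your domain is something Active Directory can tell you without touching a single endpoint. This is an added example, not part of the newsletter: legacy LAPS stamps each computer object with `ms-Mcs-AdmPwdExpirationTime`, and Windows LAPS (the version built into current Windows) stamps `msLAPS-PasswordExpirationTime`; both are FILETIME values, and a computer with neither has never had its local admin password set by LAPS. The script checks which of the two schema extensions exist, queries every enabled computer, and buckets them as Managed, Stale (expiry long past, so the client stopped rotating) or Unmanaged. It assumes the RSAT ActiveDirectory module and read access to the expiration-time attributes, which, unlike the password attributes themselves, are readable by ordinary domain accounts by default. The 60-day staleness threshold is an assumption.

```powershell
# Added example (not from the newsletter): find domain computers whose local admin password
# is not being managed by LAPS (legacy or Windows LAPS).
# Assumptions: RSAT ActiveDirectory module present; the caller can read the expiration-time
# attributes (default for domain users); $StaleDays is tuned to your rotation interval.

$StaleDays = 60   # assumption: flag hosts whose expiry is more than 60 days in the past

# Only request attributes that actually exist in this forest's schema; asking
# Get-ADComputer for an undefined attribute fails outright.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$candidates = @('msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime')
$lapsAttrs  = foreach ($a in $candidates) {
    if (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)") { $a }
}
if (-not $lapsAttrs) {
    throw 'Neither LAPS schema extension is present: LAPS has never been deployed in this forest.'
}

$computers = Get-ADComputer -Filter { Enabled -eq $true } -Properties ($lapsAttrs + @('OperatingSystem', 'LastLogonDate'))
$nowUtc    = (Get-Date).ToUniversalTime()

$rows = foreach ($c in $computers) {
    # Prefer the Windows LAPS attribute, fall back to the legacy one.
    $raw = $c.'msLAPS-PasswordExpirationTime'; $flavor = 'WindowsLAPS'
    if (-not $raw) { $raw = $c.'ms-Mcs-AdmPwdExpirationTime'; $flavor = 'LegacyLAPS' }

    if ($raw) {
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
        # Expiry sits one rotation interval after the last password set. An expiry well in
        # the past means the client has not checked in and the password is no longer rotating.
        $status = if ($expires -lt $nowUtc.AddDays(-$StaleDays)) { 'Stale' } else { 'Managed' }
    } else {
        $flavor = 'None'; $expires = $null; $status = 'Unmanaged'
    }

    [pscustomobject]@{
        Computer  = $c.Name
        OS        = $c.OperatingSystem
        LastLogon = $c.LastLogonDate
        LAPS      = $flavor
        Expires   = $expires
        Status    = $status
    }
}

# Summary first, then the list of hosts that need attention, most recently active on top.
$rows | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object Status -ne 'Managed' | Sort-Object LastLogon -Descending |
    Format-Table Computer, OS, LastLogon, LAPS, Expires, Status -AutoSize
```

An Unmanaged host with a recent LastLogonDate is a live machine still carrying whatever password came with the image, which is exactly the shared-password case the section describes. Stale hosts are either decommissioned (clean them out of AD) or clients whose LAPS policy stopped applying, which is worth a look because the last rotated password is still sitting in the directory and still valid on the box.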

What to Check This Week

Four places to look right now

Local admin is not an unsolvable problem. It is a politically difficult one. The security case is straightforward. The organizational will to act on it is the variable. Understanding the actual blast radius — not just the theoretical risk — is usually what moves that conversation forward.