<p>RSAT tools don’t matter. It’s all about credentials, tokens, tickets, and sessions. I’m specifically talking about post-authentication.</p>
<p>If you have privileged credentials, tokens, tickets, and sessions on a personal computer they are available for an attacker to abuse.</p>
<p>If your personal account has read-only access then RSAT on your PC doesn’t matter. If you are doing run-as to elevate to a privileged account for the RSAT tools, then you now have post-auth credentials an attacker can abuse.</p>
<p>Review both tables in this link: <a href="https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types" class="inline-onebox">Administrative tools and logon types reference - Windows Server | Microsoft Learn</a></p>
<p>The first table helps you understand if reusable credentials will exist on a remote host you connect to. The second table shows login types and whether credentials are stored in LSA.</p>
<p>Even if you do runas and elevate with a smart card, you are creating a session and token in the local computer that can be abused.</p>
<p>Privileged Access Workstations are the correct way to mitigate this issue by removing all clean source principle violations.</p>
<p>Jump hosts that are properly configured and hardened are the next best option, although they concentrate risk in one host and are a compromise.</p>
<p>Running any privileged admin task from your personal computer is awful from a security standpoint. Even if you are using run-as. Even if you’re doing smart cards. Even if your privileged accounts are in Protected Users. Even if an attacker can’t steal a credential or ticket, they can perform token abuse to perform actions as that privileged account.</p>
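<p>As an added example (not part of the post above, and not Microsoft's code), here is a small detection check for the point the post makes about run-as on a personal PC: it scans constructed Security event 4624 records and flags privileged accounts logging on to ordinary workstations with a logon type that leaves reusable credentials in LSA. The logon-type-to-reusable-credentials mapping is an assumption summarised from the linked Microsoft logon types table, and the host names, account names and event lines are constructed samples.</p>

```python
"""Added example: flag privileged-account logons on workstations whose logon
type leaves reusable credentials in LSA.

The LOGON_TYPES mapping is an assumption summarised from the Microsoft
'logon types and reusable credentials' table linked in the post; check it
against the current page. The event records are constructed samples shaped
like Security event 4624 fields, not real logs.
"""
from dataclasses import dataclass

# logon type -> (name, reusable credentials left in LSA?)  [assumed from MS table]
LOGON_TYPES = {
    2: ("Interactive", True),
    3: ("Network", False),
    4: ("Batch", True),
    5: ("Service", True),
    9: ("NewCredentials", True),     # runas-style: a new token on the local box
    10: ("RemoteInteractive", True),  # RDP session
    11: ("CachedInteractive", True),
}


@dataclass(frozen=True)
class Logon:
    host: str
    account: str
    logon_type: int


def parse_4624(line: str) -> Logon:
    """Parse a constructed 'key=value' record of a 4624 logon event."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Logon(
        host=fields["Computer"],
        account=fields["TargetUserName"].lower(),
        logon_type=int(fields["LogonType"]),
    )


def find_risky_logons(lines, privileged, workstations):
    """Return (host, account, logon_type, name) for each privileged logon on a
    workstation whose logon type leaves reusable credentials behind."""
    findings = []
    for line in lines:
        ev = parse_4624(line)
        if ev.account not in privileged or ev.host not in workstations:
            continue
        # Unknown logon types are treated as reusable (worst case) so they are not silently skipped.
        name, reusable = LOGON_TYPES.get(ev.logon_type, ("Unknown", True))
        if reusable:
            findings.append((ev.host, ev.account, ev.logon_type, name))
    return findings


# Constructed sample events (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    "EventID=4624 Computer=WS-ALICE TargetUserName=adm-alice LogonType=9",   # runas from a personal PC
    "EventID=4624 Computer=WS-ALICE TargetUserName=alice LogonType=2",       # normal user, not privileged
    "EventID=4624 Computer=DC01 TargetUserName=adm-alice LogonType=3",       # network logon, no reusable creds
    "EventID=4624 Computer=WS-BOB TargetUserName=adm-bob LogonType=10",      # RDP into a workstation
    "EventID=4624 Computer=PAW-01 TargetUserName=adm-bob LogonType=2",       # PAW: expected, not a workstation
]
PRIVILEGED = {"adm-alice", "adm-bob"}
WORKSTATIONS = {"WS-ALICE", "WS-BOB"}

if __name__ == "__main__":
    for host, account, ltype, name in find_risky_logons(SAMPLE_EVENTS, PRIVILEGED, WORKSTATIONS):
        print(f"{host}: {account} logon type {ltype} ({name}) leaves reusable credentials")
```

<p>Feeding real 4624 events in would mean exporting them from the workstations (or a SIEM) into the same key=value shape; the point of the check is that the runas (type 9) and RDP (type 10) hits on WS-ALICE and WS-BOB are exactly the post-auth sessions the post warns about, while the same admin account's network logon to the DC and the interactive logon on the PAW are not flagged.</p>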