IT Manager told Admins/Engineers to use/enable RSAT on their personal/assigned computers for convenience. Many places that I have worked (Government and Corporate) prohibited RSAT usage due to security/attack surface concerns. Your views? Jump Servers or RSAT

RSAT tools don’t matter. It’s all about credentials, tokens, tickets, and sessions. I’m specifically talking about post-authentication.

If you have privileged credentials, tokens, tickets, and sessions on a personal computer they are available for an attacker to abuse.

If your personal account has read-only access then RSAT on your PC doesn’t matter. If you are doing run-as to elevate to a privileged account for the RSAT tools, then you now have post-auth credentials an attacker can abuse.

Review both tables in this link: Administrative tools and logon types reference - Windows Server | Microsoft Learn

The first table helps you understand if reusable credentials will exist on a remote host you connect to. The second table shows login types and whether credentials are stored in LSA.

Even if you do runas and elevate with a smart card, you are creating a session and token in the local computer that can be abused.

Privileged Access Workstations are the correct way to mitigate this issue by removing all clean source principle violations.

Jump hosts that are properly configured and hardened are the next best option, although they concentrate risk in one host and are a compromise.

Running any privileged admin task from your personal computer is awful from a security standpoint. Even if you are using run-as. Even if you’re doing smart cards. Even if your privileged accounts are in Protected Users. Even if an attacker can’t steal a credential or ticket they can perform token abuse to perform actions as that privileged account.
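Detection logic for the point made in this answer, as an added example that is not part of the original thread: it encodes the "credentials stored in LSA" column of Microsoft's logon-type table and flags privileged accounts that logged on to a non-PAW host with a logon type that leaves reusable credentials behind. The hostnames, account names, the PAW list and the one-line 4624 records are constructed sample data.

```python
# Added example (not from the thread): flag privileged-account logons that leave
# reusable credentials on hosts that are not Privileged Access Workstations.
# Logon-type mapping follows Microsoft's "Administrative tools and logon types
# reference"; hosts, accounts and event records are constructed sample data.
from dataclasses import dataclass

# Logon types that place reusable credentials/tokens in LSASS on the host.
# Type 3 (Network) does not, which is why it is the safe one for the target.
CREDENTIAL_CACHING_LOGON_TYPES = {
    2: "Interactive",          # console logon, plain runas
    4: "Batch",                # scheduled task
    5: "Service",
    8: "NetworkCleartext",
    9: "NewCredentials",       # runas /netonly
    10: "RemoteInteractive",   # RDP without Restricted Admin / Remote Credential Guard
    11: "CachedInteractive",
}

@dataclass(frozen=True)
class LogonEvent:
    host: str
    account: str
    logon_type: int

def parse_4624(line: str) -> LogonEvent:
    """Parse a constructed one-line rendering of Event ID 4624 fields."""
    fields = dict(kv.split("=", 1) for kv in line.split(";"))
    return LogonEvent(fields["Host"], fields["Account"], int(fields["LogonType"]))

def risky_privileged_logons(lines, privileged, paws):
    """Return (host, account, logon type name) for privileged accounts that left
    reusable credentials on a host that is not an approved PAW."""
    findings = []
    for line in lines:
        ev = parse_4624(line)
        if ev.account.lower() not in privileged or ev.host.lower() in paws:
            continue
        name = CREDENTIAL_CACHING_LOGON_TYPES.get(ev.logon_type)
        if name:
            findings.append((ev.host, ev.account, name))
    return findings

SAMPLE_EVENTS = [  # constructed
    "Host=WS-ALICE;Account=CORP\\alice;LogonType=2",      # unprivileged: ignored
    "Host=WS-ALICE;Account=CORP\\alice-da;LogonType=2",   # runas to privileged acct
    "Host=WS-ALICE;Account=CORP\\alice-da;LogonType=9",   # runas /netonly
    "Host=PAW-01;Account=CORP\\alice-da;LogonType=2",     # on a PAW: expected
    "Host=DC01;Account=CORP\\alice-da;LogonType=3",       # network logon: no reuse
]

if __name__ == "__main__":
    for f in risky_privileged_logons(SAMPLE_EVENTS, {"corp\\alice-da"}, {"paw-01"}):
        print("reusable privileged credential on %s: %s (%s)" % f)
```

The two findings it reports are exactly the runas cases the answer describes: the privileged account now has an interactive or NewCredentials logon on the personal workstation, while the same account's network logon to the domain controller and its logon on the PAW are not flagged.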