Understanding the Multiple Layers of Privileged Access in Windows

The term “privileged access" in Windows is open to interpretation.  Are you simply talking about membership in the local Administrators group?  If so, you need to think about local accounts and if the system is joined to AD then domain accounts.  If it’s an Entra-joined Windows 11 box or an Azure VM then there’s Entra accounts that could be admins.  But privileged access goes way beyond the Administrators group.  There are a number of admin-equivalent user rights such as “Act as part of the operating system”.  And again, if the system is part of an AD domain, then anyone with certain group policy related permissions on the OU branch of the computer account has indirect but definite privileged access.  Likewise for systems managed by Intune.  If the system is a VM then it depends on the particular hypervisor or cloud environment.  Azure for instance provides multiple routes of privileged access into VMs based on resource group permissions. Windows itself has multiple connection points for privileged accounts including RDP, shared folders, WinRM, RPC, etc.  Do you disable these individually or rely on Windows firewall or an external firewall? Bottom line is there are many vectors to privileged access in Windows, and it can be confusing because so much of this functionality has accreted over time with the progression of IT eras that Windows has lived through.  In this real training for free session, I will try to give you a comprehensive view of privileged access in Windows covering all these areas and more.  Then I will focus on key choke points that if you understand and properly control will give you confidence that privileged access to your Windows systems is truly locked down to who should actually have it.