by Melatonic 357 days ago
Agreed - like using a non admin account.

How does that protect against ransomware?
Limits the blast radius to only the files that the more limited user has write access to.
The files I normally have write access to are my important files though.

Immutable snapshots/offline backups help with those.

It's more important in a corporate setting. Lateral movement inside the network is much more likely if the attacker has local admin.
Why would local admin have relevance to network movement?
Because every time an account logs onto a computer, it leaves traces. Some ephemeral in memory, some permanent on disk. It can be Kerberos tickets, process tokens, domain cached credentials, hashes or even clear text passwords in memory. It's common practice in a lot of organizations for administrators to log on to random workstations to perform whatever task they need to do.

Or there is a service running in the context of a service user domain account. Or the password of the local administrator account is identical on all systems, which was very common before LAPS became a thing.

Yes, if you do everything perfectly and always go by best practices, none of this should be relevant, but most people aren't doing everything perfectly all of the time.

To access any of these things, you need local admin permissions. Then you can reuse them to log on to other systems.
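The two controls the comment above points at (not running day-to-day as local admin, and LAPS so the local administrator password is not identical across machines) can be checked locally. The script below is an added example and is not code from anyone in this thread; it reports whether the current session holds local-admin rights and whether a LAPS policy is present. The legacy LAPS key and `AdmPwdEnabled` value are the documented ones; treating a non-zero `BackupDirectory` under the Windows LAPS policy key as "configured" is an assumption made here.

```powershell
# Added example (not from the thread). Reports whether this session carries
# local-admin rights and whether a LAPS policy is configured on the machine.

function Test-IsLocalAdmin {
    # True when the current token is a member of the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LapsPolicyStatus {
    # Legacy LAPS (AdmPwd) group-policy location and enable flag.
    $legacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    # Windows LAPS policy location. Assumption: a non-zero BackupDirectory
    # (1 = Entra ID, 2 = Active Directory) means a backup target is configured.
    $modernKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'

    $status = [ordered]@{
        LegacyLapsEnabled     = $false
        WindowsLapsConfigured = $false
    }

    if (Test-Path $legacyKey) {
        $v = Get-ItemProperty -Path $legacyKey -Name 'AdmPwdEnabled' -ErrorAction SilentlyContinue
        if ($v -and $v.AdmPwdEnabled -eq 1) { $status.LegacyLapsEnabled = $true }
    }

    if (Test-Path $modernKey) {
        $v = Get-ItemProperty -Path $modernKey -Name 'BackupDirectory' -ErrorAction SilentlyContinue
        if ($v -and $v.BackupDirectory -gt 0) { $status.WindowsLapsConfigured = $true }
    }

    return [pscustomobject]$status
}

# Summarise the two checks. "RunningAsLocalAdmin = True" for a daily-use
# account, or no LAPS policy at all, are the conditions the thread warns about.
$laps = Get-LapsPolicyStatus
[pscustomobject]@{
    RunningAsLocalAdmin   = Test-IsLocalAdmin
    LegacyLapsEnabled     = $laps.LegacyLapsEnabled
    WindowsLapsConfigured = $laps.WindowsLapsConfigured
} | Format-List
```

Run it in a normal (non-elevated) PowerShell window: the first line tells you whether the account you browse and read mail with would hand an attacker local-admin rights, and the other two whether a shared local administrator password is still the likely state of affairs.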

As with the other reasons stated... local admin, at least in the environments I've seen, can still install software. Installing and running something like AngryIPScanner may be possible as local admin.
On the flip side, I feel like privilege escalations are a dime a dozen.