Hi Deji,
thanks for your remarks and for sharing your thoughts.
What is described in the paragraph you mentioned is simply what we see in most customer environments: all VMs are treated the same, without any protection of disks or memory. And don't get me wrong, I do not mistrust the Admins as persons, but I assume breach (an attacker acting in the security context of an Admin due to credential theft). Always. Having a copy of a disk with the AD database doesn't give an attacker a Domain Admin account in the production AD, of course, but it provides them with everything they need to get one (e.g. the krbtgt and many other password hashes). In addition to that, you can inject code/commands into VMs.
Even with RBAC in place the boundaries of administrative tiers can be broken.
Best regards,
Dagmar