We have a consultant connecting their personal laptop to our corporate network. We have provided the consultant with a domain account that has access to several resources on our network. Because the laptop is not a member of our domain, the consultant will log on to their laptop using the local administrator account and then authenticate separately to the individual resources on our network using the domain account we've provided.
Our concern is the level of risk to our network were his machine to become compromised. For instance, if there was a malicious process running on it in the security context of the local administrator or SYSTEM account, would it be possible for that process, because it has administrative privileges on the local system, to in some manner “hijack” the domain credentials and use them to execute malicious code on our systems? I'm thinking less here about a malicious process that is logging keystrokes and more in terms of the local administrator account actually being able to function within the security context of the domain user; in other words, being able to impersonate it in some way because of its elevated rights on the laptop?