In a Windows multi-user environment, anyone with local administrative access can steal the identity of any user or service with a few lines of code!
Just think about it for a minute... Maybe the below scenarios come to mind?
Two Administrators Logged in to the Same Server?
One administrator can start applications running as the other administrator. Maybe to gain more access if the other admin has greater security clearance. Or maybe to use another identity while carrying out foul play. Do you have servers where different admins are logged in at the same time? (I bet you do).
Users Having Access to Local Administrator Rights on a PC?
If the PC is running services using domain credentials, the user can (easily) steal the identity of the service account. This privilege escalation could be the first step in a chain of escalations ending up with a simple domain user being able to steal or destroy critical data from your organization. Without leaving any trace apart from the stolen identities.
The TokenSnatcher Application
To illustrate this issue I have created the TokenSnatcher application. TokenSnatcher will allow any local administrator to view all identities running a process with high or system integrity level. If desired, the user can then select any of the ID's after which TokenSnatcher will start a command prompt running as the selected ID. Any application started from the command prompt will inherit the ID.
To understand the issue in greater depth, please view the following video. The video explains the theory behind TokenSnatcher and demonstrates the issue in a realistic setting that most larger companies will recognize.
It's a fast paced 4 minute theoretical backgrounder followed by a demo starting at 4'22". The video assumes you're familiar with basic Windows OS concepts.