The company I now work for has decided to separate out admin accounts in Windows
Do they know that doesn’t work?
If you do a run-as then you are as vulnerable to PTH as you would be if you just logged in with the admin account anyway... you need to go full PAW these days.
Could you expand on this? we have a similar set up for our domain admin accounts and I heard it was the safest way to do things. What do you mean by PAW?
A PAW is a "privileged access workstation", i.e. a dedicated, hardened machine just for the purpose of admin tasks. Due to the specialized tasks it needs to run, the workstation can be
Pass-the-hash is a common attack on Kerberos - it doesn’t care if you are logged in as an admin or have merely done run-as an admin. See https://microsoft.com/pth for more.
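As an added example (mine, not from anyone in this thread), here is the kind of check a PAW policy implies on the detection side: go through Security event 4624 records and flag any privileged-account logon that leaves credential material on the originating host (interactive, unlock, runas /netonly "NewCredentials", RDP, cached) when that host is not one of the dedicated PAWs. The account naming convention, the PAW hostnames and the flattened key=value record format are all assumptions for the example; network logons (type 3) are deliberately not flagged because they do not cache the account's credential on the target.

```python
from dataclasses import dataclass

# 4624 logon types that put the account's credentials into LSASS on the
# originating host. Type 9 is what "runas /netonly" produces, type 2 is a
# plain interactive logon (including a plain runas to another account).
CREDENTIAL_EXPOSING_TYPES = {
    2: "Interactive",
    7: "Unlock",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}

PRIVILEGED_ACCOUNTS = {"adm-alice", "adm-bob"}   # assumed admin-account naming
PAW_HOSTS = {"PAW01", "PAW02"}                    # assumed PAW hostnames


@dataclass
class Finding:
    account: str
    workstation: str
    logon_type: int
    reason: str


def parse_4624(line: str) -> dict:
    """Parse one flattened 'Key=Value Key=Value' record (constructed format)."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["LogonType"] = int(fields["LogonType"])
    return fields


def check_paw_policy(events):
    """Return a Finding for every privileged logon that exposes creds off-PAW."""
    findings = []
    for line in events:
        ev = parse_4624(line)
        if ev.get("EventID") != "4624":
            continue
        acct, host, ltype = ev["TargetUserName"].lower(), ev["WorkstationName"].upper(), ev["LogonType"]
        if acct not in PRIVILEGED_ACCOUNTS or ltype not in CREDENTIAL_EXPOSING_TYPES:
            continue
        if host not in PAW_HOSTS:
            findings.append(Finding(acct, host, ltype,
                                    f"{CREDENTIAL_EXPOSING_TYPES[ltype]} logon by privileged account outside PAW"))
    return findings


# Constructed sample records: a runas /netonly on a daily-driver workstation,
# an interactive logon on a PAW, a normal user, a network logon, and an RDP session.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=adm-alice LogonType=9 WorkstationName=WS-ALICE",
    "EventID=4624 TargetUserName=adm-alice LogonType=2 WorkstationName=PAW01",
    "EventID=4624 TargetUserName=alice LogonType=2 WorkstationName=WS-ALICE",
    "EventID=4624 TargetUserName=adm-bob LogonType=3 WorkstationName=FS01",
    "EventID=4624 TargetUserName=adm-bob LogonType=10 WorkstationName=WS-BOB",
]
```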