Typically the same level of permissions needed to load drivers - which if they're attacking the system using custom out of date drivers is relevant.
Having users and services at least privileges is one step of attack surface area reduction, but the "better" solution is to make sure that revocation check is enabled and that the compromised cert is revoked by its issuer. Or if it's an old, unused root, you can ban that root at the machine level.
Typically the same level of permissions needed to load drivers - which if they're attacking the system using custom out of date drivers is relevant.
Having users and services at least privileges is one step of attack surface area reduction, but the "better" solution is to make sure that revocation check is enabled and that the compromised cert is revoked by its issuer. Or if it's an old, unused root, you can ban that root at the machine level.