Here are a few tips to get you started.
- Never use the Administrator account. Create service accounts for all your applications that require admin permissions and ensure they do not have RDP permission to your global catalogs. Give those service accounts extremely strong passwords, preferably alphanumeric with special characters and at least 14 characters long.
- Don’t add your desktop admin users to any server admin groups.
- Require that your desktop admin users have strong passwords and change them frequently.
- Create a Group Policy to reduce the number of cached logons on the workstations. I recommend 1; 0 will cause problems with mobile workstations.
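As an added example (not from the original post), the script below puts the tips above into practice with the ActiveDirectory RSAT module: it generates a strong password from a CSPRNG, creates a service account and drops it into a group that a GPO denies RDP to the domain controllers (the global catalog servers), audits whether any desktop admin is nested into a server admin group, and checks that the cached-logons policy actually landed on a workstation. The group names `Deny-RDP-to-DCs`, `Desktop-Admins` and `Server-Admins`, the OU path, and the `svc-backup` account name are placeholders for this example; the `Deny log on through Remote Desktop Services` user right and the `CachedLogonsCount` registry value are the real settings behind the tips.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT) and Domain Admin rights. Group/OU names are placeholders.
Import-Module ActiveDirectory

# 1. Strong service-account password (20 chars, all four character classes),
#    drawn from a CSPRNG with rejection sampling so there is no modulo bias.
function New-StrongPassword {
    param([int]$Length = 20)
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyz' +
                         'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
                         '0123456789' +
                         '!@#$%^&*()-_=+[]{}:,.?')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes above this
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
            $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
        }
        $pw = -join $chars
        # Retry until every class is present so the domain policy accepts it.
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and
             $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

# 2. Create the service account and put it in the group that the Default
#    Domain Controllers Policy assigns the "Deny log on through Remote Desktop
#    Services" right (Computer Configuration > Windows Settings > Security
#    Settings > Local Policies > User Rights Assignment). That keeps the
#    account off the global catalogs over RDP even though it holds admin rights.
function New-ServiceAccount {
    param([string]$Name, [string]$OU, [string]$DenyRdpGroup = 'Deny-RDP-to-DCs')
    $plain  = New-StrongPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    New-ADUser -Name $Name -SamAccountName $Name -Path $OU `
        -AccountPassword $secure -Enabled $true `
        -Description 'Service account; no RDP to domain controllers'
    Add-ADGroupMember -Identity $DenyRdpGroup -Members $Name
    # Hand the plaintext straight to the vault/installer; never write it to a log.
    return $plain
}

# 3. Audit: no desktop admin may sit, directly or via nesting, in a server
#    admin group. Emits one object per violation (nothing means clean).
function Find-DesktopAdminsInServerGroups {
    param([string]$DesktopAdminGroup = 'Desktop-Admins',
          [string[]]$ServerAdminGroups = @('Domain Admins', 'Server Operators', 'Server-Admins'))
    $desktop = Get-ADGroupMember -Identity $DesktopAdminGroup -Recursive |
               Where-Object objectClass -eq 'user'
    foreach ($grp in $ServerAdminGroups) {
        $members = Get-ADGroupMember -Identity $grp -Recursive |
                   Where-Object objectClass -eq 'user'
        foreach ($u in $desktop) {
            if ($members.SamAccountName -contains $u.SamAccountName) {
                [pscustomobject]@{ User = $u.SamAccountName; ServerGroup = $grp }
            }
        }
    }
}

# 4. Cached logons. The GPO setting "Interactive logon: Number of previous
#    logons to cache (in case domain controller is not available)" under
#    Security Options writes this REG_SZ value. Run on a workstation after
#    gpupdate to confirm the policy applied (Windows default is 10).
function Test-CachedLogonsCount {
    param([int]$Expected = 1)
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $actual = [int](Get-ItemProperty -Path $key -Name CachedLogonsCount).CachedLogonsCount
    if ($actual -gt $Expected) {
        Write-Warning "CachedLogonsCount is $actual, expected $Expected; GPO not applied?"
        return $false
    }
    return $true
}

# Usage (placeholder names):
# $pw = New-ServiceAccount -Name 'svc-backup' -OU 'OU=Service Accounts,DC=corp,DC=example'
# Find-DesktopAdminsInServerGroups | Format-Table
# Test-CachedLogonsCount -Expected 1
```

The audit in step 3 uses `-Recursive` on purpose: a desktop admin who is a member of a group that is itself nested into Domain Admins is just as much a problem as a direct member, and a flat membership listing would miss it.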