Access control lists are your friend (deny all first)
AD delegation of rights
App Whitelisting
Best practice GPO (NIST GPO templates)
Block DNS zone transfers (allow AXFR only to your own secondaries)
Change iLO/BMC default settings and passwords (and keep out-of-band management off the production network)
Close open mail relays
Different local admin password on every host (LAPS)
Disable LLMNR/NetBIOS name resolution (kills responder-style credential capture)
Disable ports that are unused, & setup port security
DMZ behind separate firewall
DNS servers should not be openly recursive
Don't forget your printers (saved creds aren't good)
Egress Filtering (should be just as strict as Ingress)
EMET (when OSes prior to 10 are present)
Fail2ban
For the love of god implement TLS 1.2
Force advanced file auditing (ransomware detection)
Geoblocking
Get rid of open shares
Incident Response drills
Incident Response Runbook & Bugout bag
Incident Response tabletops
Least privileges EVERYWHERE
Locate and destroy plain text passwords
Log successful and unsuccessful logins - Windows/Linux logging cheatsheets
MITRE ATT&CK Matrix is your friend
Mod security
MBSA (Microsoft Baseline Security Analyzer)
Network device backups
No open Wi-Fi; use WPA2 + AES/CCMP (not TKIP)
Patch *nix boxes
Purple Team
Remove unneeded software
Restrict access to backups
Role based servers only! DNS servers/DCs are just that
Segment with Vlans
Separation of rights - Domain Admin use should be sparse & audited
Upgrade firmware
URLScan (IIS request filtering)
Use BitLocker/full-disk encryption
User Education exercises
Vulnerability Scanner
WSUS
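Several of the Windows items above (disable LLMNR/NetBIOS, force TLS 1.2, log successful and unsuccessful logins, file auditing for ransomware detection) come down to a handful of registry values and audit subcategories. The script below is an added example, not part of the original checklist: it audits those settings on one host and enforces them when run with -Apply. The registry paths, value names and auditpol subcategories are the documented Windows ones; the check/apply structure and the Test-RegValue and Set-RegValue helpers are this example's own. In a domain you would push the same values by GPO and use this only to confirm the policy actually landed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original checklist): audit, and with -Apply enforce,
#   - LLMNR off (DNSClient policy key)
#   - NetBIOS over TCP/IP off on every interface (NetbiosOptions = 2)
#   - TLS 1.0 / 1.1 server-side off in SCHANNEL (leaves TLS 1.2+)
#   - Success+Failure auditing for the Logon and File System subcategories
param([switch]$Apply)

# Desired registry state. Paths/values are the documented ones; the list is ours.
$desired = @(
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
     Name = 'EnableMulticast'; Value = 0; Why = 'LLMNR off' }
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
     Name = 'Enabled'; Value = 0; Why = 'TLS 1.0 server off' }
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
     Name = 'DisabledByDefault'; Value = 1; Why = 'TLS 1.0 server off' }
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'
     Name = 'Enabled'; Value = 0; Why = 'TLS 1.1 server off' }
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server'
     Name = 'DisabledByDefault'; Value = 1; Why = 'TLS 1.1 server off' }
)

# One NetBT interface subkey (Tcpip_{GUID}) per adapter; each needs NetbiosOptions = 2.
foreach ($if in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces') {
  $desired += @{ Path = $if.PSPath; Name = 'NetbiosOptions'; Value = 2; Why = 'NetBIOS off' }
}

# Helper (ours): read a DWORD and compare it to the expected value; missing value = non-compliant.
function Test-RegValue {
  param($Path, $Name, $Expected)
  $cur = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
  [pscustomobject]@{ Compliant = ($cur -eq $Expected); Current = $cur }
}

# Helper (ours): create the key if needed and force the DWORD to the desired value.
function Set-RegValue {
  param($Path, $Name, $Value)
  if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
  New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$findings = foreach ($d in $desired) {
  $t = Test-RegValue -Path $d.Path -Name $d.Name -Expected $d.Value
  if (-not $t.Compliant -and $Apply) { Set-RegValue -Path $d.Path -Name $d.Name -Value $d.Value }
  [pscustomobject]@{
    Control   = $d.Why
    Setting   = "$($d.Name) @ $($d.Path -replace '^.*\\','')"
    Current   = $t.Current
    Expected  = $d.Value
    Compliant = $t.Compliant
    Applied   = (-not $t.Compliant -and $Apply)
  }
}
$findings | Format-Table Control, Setting, Current, Expected, Compliant, Applied -AutoSize

# Audit policy: Logon gives 4624/4625 for successful and failed logins; File System gives
# 4663 object-access events, which is what makes mass-rename/mass-write ransomware
# behaviour visible. File System events only fire for objects that carry a SACL, so the
# shares you care about still need an audit ACE (not done here).
foreach ($sub in 'Logon', 'File System') {
  $state = (auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv).'Inclusion Setting'
  $ok = $state -eq 'Success and Failure'
  if (-not $ok -and $Apply) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
  }
  "{0,-12} audit: {1} {2}" -f $sub, $state,
    $(if ($ok) { '(ok)' } elseif ($Apply) { '-> set to Success and Failure' } else { '-> NOT compliant' })
}

if ($Apply) { Write-Warning 'SCHANNEL protocol changes take effect after a reboot.' }
```

Run it once without -Apply from an elevated prompt to get a compliance table, fix anything that will break (old clients that can only speak TLS 1.0, legacy apps that depend on NetBIOS name resolution), then run with -Apply. Disabling TLS 1.0/1.1 only covers the SCHANNEL stack; Java, OpenSSL-based and other applications that ship their own TLS library need their own configuration.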