- Keep domain controller logs centrally.
- Keep security logs from all domain joined servers centrally.
- Create and monitor alerts on:
  - The use (success or failure) of any domain administrator credentials.
  - The use of any local administrator credentials.
  - Changes to domain administrator or other sensitive groups in AD.
- Use GPO to set the number of cached credentials to the minimum you can (0 or 1 for servers; for desktops, something like 5 may be most appropriate).
- Use GPO to ensure no domain joined system is storing LanMan password hashes.
- Use unique local administrator passwords on every domain-joined system. Microsoft LAPS offers one way to do this.
- Require two-step verification for domain administrator accounts.
- Use GPO to ensure that null sessions are disallowed.
- Use application control (Microsoft's AppLocker or another commercial tool) on domain controllers. The policy should allow only known-good applications, identified by file hash or publisher signature. Log and alert on failures, errors and block actions.
- Deploy domain controllers on private networks with no inbound Internet access, and put strict controls, with logging and alerting, on outbound Internet access.
- Restrict RDP access to domain controllers to specific administrator systems (such as a 2SV-authenticated VPN or purpose-built "jump boxes").
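The cached-credentials, LanMan hash and null-session items above are all enforced by GPO, but it is worth verifying on each host that the resulting registry state matches what you intended. The following PowerShell script is an added example, not part of the original checklist: it reads the standard registry locations those policies write to and compares them with a baseline. The role thresholds (at most 1 cached logon for servers, 5 for desktops) and the choice to treat an absent `EveryoneIncludesAnonymous` or `RestrictNullSessAccess` as its secure default are assumptions made for this example.

```powershell
# Added example: compare a host's effective registry settings against the checklist baseline.
# Run on a domain-joined host with local administrator rights.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value not present: treat as "not configured"
    }
}

function Test-HostHardening {
    param(
        [ValidateSet('Server', 'Desktop')]
        [string]$Role = 'Server'
    )

    # Assumed thresholds taken from the checklist: 0/1 for servers, ~5 for desktops
    $maxCached = if ($Role -eq 'Server') { 1 } else { 5 }
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $logon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $checks = @(
        # Cached credentials (stored as REG_SZ holding a number; Windows default is 10)
        @{ Check = 'CachedLogonsCount';         Path = $logon; Name = 'CachedLogonsCount';
           Expect = "<= $maxCached";            Test = { param($v) $null -ne $v -and [int]$v -le $maxCached } }
        # LanMan hash storage disabled
        @{ Check = 'NoLMHash';                  Path = $lsa;   Name = 'NoLMHash';
           Expect = '1';                        Test = { param($v) $v -eq 1 } }
        # Null session restrictions
        @{ Check = 'RestrictAnonymous';         Path = $lsa;   Name = 'RestrictAnonymous';
           Expect = '1';                        Test = { param($v) $v -eq 1 } }
        @{ Check = 'RestrictAnonymousSAM';      Path = $lsa;   Name = 'RestrictAnonymousSAM';
           Expect = '1';                        Test = { param($v) $v -eq 1 } }
        # Absent value means the secure default (0); assumption documented in the lead-in
        @{ Check = 'EveryoneIncludesAnonymous'; Path = $lsa;   Name = 'EveryoneIncludesAnonymous';
           Expect = '0';                        Test = { param($v) $null -eq $v -or $v -eq 0 } }
        # Absent value means the secure default (1); assumption documented in the lead-in
        @{ Check = 'RestrictNullSessAccess';    Path = $srv;   Name = 'RestrictNullSessAccess';
           Expect = '1';                        Test = { param($v) $null -eq $v -or $v -eq 1 } }
    )

    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Check    = $c.Check
            Expected = $c.Expect
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Pass     = [bool](& $c.Test $actual)
        }
    }
}

# Usage: print all checks and exit non-zero on any failure so a scheduler or
# monitoring agent can raise an alert for drift from the GPO baseline.
$results = Test-HostHardening -Role Server
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it with `-Role Desktop` on workstations to apply the looser cached-logon threshold. Because the script only reads the registry, it is safe to schedule broadly; the value of doing so is catching hosts where the GPO never applied or was overridden locally.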
Separation of Duties:
- Separate domain administrator and server administrator roles and limit by policy the use of the domain administrator credentials.
- Do not use everyday user accounts for either server or domain administration.
- Limit the use of domain administrator privileges to as few accounts as possible and periodically audit all accounts with these privileges.
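The periodic audit of privileged accounts called for above, together with the earlier item on alerting on changes to domain administrator and other sensitive groups, can be done from one script. The PowerShell below is an added example and is not part of the original checklist. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read AD and the central log, that the privileged groups of interest are Domain Admins plus the other built-in high-privilege groups listed, and that centrally collected security logs land in the `ForwardedEvents` log (the Windows Event Forwarding default); adjust the log name if your collector uses a different one.

```powershell
# Added example: snapshot membership of privileged AD groups for periodic audit, and pull
# recent group-membership-change events from the central log store.

Import-Module ActiveDirectory

# Assumption: these are the groups you treat as "domain administrator or other sensitive"
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedAccountReport {
    foreach ($g in $PrivilegedGroups) {
        # -Recursive expands nested groups so indirectly privileged accounts are not missed
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
                [pscustomobject]@{
                    Group           = $g
                    SamAccountName  = $u.SamAccountName
                    Enabled         = $u.Enabled
                    LastLogonDate   = $u.LastLogonDate    # stale admins are candidates for removal
                    PasswordLastSet = $u.PasswordLastSet
                }
            }
    }
}

function Get-PrivilegedGroupChanges {
    param(
        [string]$LogName = 'ForwardedEvents',   # assumption: central WEF collector log
        [int]$Days = 7
    )
    # 4728/4756: member added to a global/universal security group; 4729/4757: removed
    # 4732/4733: member added to/removed from a domain-local or local group
    $ids = 4728, 4729, 4732, 4733, 4756, 4757
    $events = Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Id = $ids; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read named fields from the event XML rather than relying on Properties[] indexes
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # For these event IDs TargetUserName is the group that was modified
        if ($PrivilegedGroups -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']
                ChangedBy = $data['SubjectUserName']
                Computer  = $e.MachineName
            }
        }
    }
}

# Usage: review both lists on a schedule; any account you do not recognise, or any change
# not matched to an approved request, is an alert condition.
Get-PrivilegedAccountReport | Sort-Object Group, SamAccountName | Format-Table -AutoSize
Get-PrivilegedGroupChanges -Days 7 | Format-Table -AutoSize
```

Keeping the membership snapshot from each run and diffing it against the previous one gives a second, log-independent signal for group changes, which is useful if an attacker or a misconfiguration interrupts log forwarding.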