re-certify all users monthly (or as frequently as is reasonably possible)
ensure only users who require membership are in privileged groups such as the Remote Access group; re-certify these group memberships regularly
MFA is actually enforced on all users who require it (i.e. don't leave users in groups such as the Remote Access group without it: these will be the users the 'spray and pray' password guessing works on)
password management
make sure all users re-certify (i.e. change) their password once every 6 months
use three- or four-word passphrases instead of easy-to-forget strings of long, indecipherable characters
ban the use of commonly used passwords (there are published lists with a million such passwords)
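As an added example (not part of these notes), a small Python check that turns the access-review and password-management points above into a recertification report: it flags members of the Remote Access group without MFA, passwords older than six months, and candidate passwords that are on a banned list or are not multi-word passphrases. The user records and the banned list are constructed sample data; the group name and 182-day interval are taken from the notes.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real accounts); fields mirror what a
# group-membership / MFA / password-age report would carry.
USERS = [
    {"user": "alice", "groups": {"Remote Access", "Sales"}, "mfa": True,  "pw_changed": "2024-01-10"},
    {"user": "bob",   "groups": {"Remote Access"},          "mfa": False, "pw_changed": "2024-03-01"},
    {"user": "carol", "groups": {"Sales"},                  "mfa": False, "pw_changed": "2023-06-01"},
    {"user": "dave",  "groups": {"Remote Access", "IT"},    "mfa": True,  "pw_changed": "2023-01-15"},
]

MFA_REQUIRED_GROUPS = {"Remote Access"}   # groups whose members must have MFA
PASSWORD_MAX_AGE = timedelta(days=182)    # roughly the six-month re-certification interval

# Constructed stand-in for a common/breached password list (real lists run to millions).
BANNED_PASSWORDS = {"password", "welcome1", "summer2024", "letmein", "qwerty123"}


def users_missing_mfa(users, required=MFA_REQUIRED_GROUPS):
    """Members of an MFA-required group who are not enrolled: the accounts a
    password-spray attempt would succeed against if the password is weak."""
    return sorted(u["user"] for u in users if u["groups"] & required and not u["mfa"])


def stale_passwords(users, today_iso, max_age=PASSWORD_MAX_AGE):
    """Users whose password is older than the re-certification interval."""
    today = date.fromisoformat(today_iso)
    return sorted(u["user"] for u in users
                  if today - date.fromisoformat(u["pw_changed"]) > max_age)


def passphrase_ok(candidate, banned=BANNED_PASSWORDS, min_words=3):
    """Reject banned entries and require a multi-word passphrase. The banned check
    is case-insensitive and ignores spaces, so 'Let Me In' still matches 'letmein'."""
    words = candidate.split()
    if "".join(words).lower() in banned:
        return False
    return len(words) >= min_words


def recertification_report(users, today_iso):
    """Findings a monthly access review would hand to the group owners."""
    return {
        "remote_access_without_mfa": users_missing_mfa(users),
        "password_older_than_6_months": stale_passwords(users, today_iso),
    }


if __name__ == "__main__":
    for finding, names in recertification_report(USERS, "2024-06-01").items():
        print(f"{finding}: {', '.join(names) or 'none'}")
    print("passphrase 'correct horse battery' ok:", passphrase_ok("correct horse battery"))
```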
ms conditional access
if using MS365 there are additional protections and alerts, such as automatically rejecting any password that appears on the list mentioned above
role based access control
inhibits lateral movement by restricting a user's access to specific roles
e.g. the identity used to authenticate remote access users between the firewall and the domain controller is specific to, and restricted to, that role
sales can only see their own directories/files on file storage (SharePoint, on-prem, etc.)
administrators do not use their admin accounts to log in to their workstations and browse the internet