Clean up stale objects – By reducing the number of stale objects in AD, the attack surface can also be reduced by eliminating objects that can be exploited by a hacker

Don’t use complex passwords – Complex passwords are better than simple, easily guessed passwords, but not as good as complex easy to remember passphrases like Boat2open!Friday

Don’t let employees have admin accounts on their workstations – If an attacker compromises a workstation, having local admin access will make lateral movement easy. Most end users do not need to install additional software on their machines, and therefore, do not need admin permissions

Lock down service accounts – Service accounts are frequently targeted by hackers due to their elevated privileges. Take a look at them and restrict their permission as much as possible

Eliminate permanent membership in security groups – Make all membership in important security groups like Enterprise Admin, Schema Admin and Domain Admin temporary. A breach to one of these will seriously compromise an organization

Interested in learning more? Read the full blog post here for a detailed write up on each of these tips as well as one bonus tip!