Revoke logon rights for all admin and service accounts and then provision them based on least privilege, enhanced by multi-factor authentication (MFA). This blocks lateral movement across your networkeven if credentials are stolen.