Mitigations

Network

Mitigating ARP spoofing:

AD

Common vulnerabilities & misconfigurations and recommendations:

SMB lateral-movement hardening:

Antispam protection for Exchange:

Detect stale, unused or fake computer accounts based on password age (replace -90 with your domain's maximum computer account password age):

$date = [DateTime]::Today.AddDays(-90); Get-ADComputer -Filter '(Enabled -eq $true) -and (PasswordLastSet -le $date)' | select Name
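
The same check extended for triage, as an added example that is not part of the original notes: it keeps the server-side password-age filter and adds the last replicated logon date, so accounts that are fully dormant can be told apart from machines that still log on but have stopped rotating their password. It assumes the RSAT ActiveDirectory module and the 90-day threshold used above; the Finding labels are this example's own.

```powershell
# Added example: triage enabled computer accounts whose machine password is old.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$MaxPwdAgeDays = 90   # assumption: replace with your domain's maximum computer account password age
$cutoff = [DateTime]::Today.AddDays(-$MaxPwdAgeDays)

# Server-side filter, same condition as the one-liner above.
$candidates = Get-ADComputer -Filter '(Enabled -eq $true) -and (PasswordLastSet -le $cutoff)' `
    -Properties PasswordLastSet, LastLogonDate, whenCreated, OperatingSystem

$report = foreach ($c in $candidates) {
    # PasswordLastSet can be empty; report the age as $null in that case.
    $pwdAge = if ($c.PasswordLastSet) { ([DateTime]::Today - $c.PasswordLastSet).Days } else { $null }

    # LastLogonDate is derived from lastLogonTimestamp, which is replicated
    # but can lag the real logon by up to about 14 days with default settings.
    $recentLogon = ($null -ne $c.LastLogonDate) -and ($c.LastLogonDate -gt $cutoff)

    $finding = if (-not $c.PasswordLastSet) { 'PasswordNeverSet' }          # review: was it ever joined?
               elseif ($recentLogon)        { 'OldPasswordRecentLogon' }    # still active, not rotating
               else                         { 'Stale' }                     # no rotation, no recent logon

    [pscustomobject]@{
        Name            = $c.Name
        Finding         = $finding
        PasswordAgeDays = $pwdAge
        PasswordLastSet = $c.PasswordLastSet
        LastLogonDate   = $c.LastLogonDate
        Created         = $c.whenCreated
        OperatingSystem = $c.OperatingSystem
    }
}

# Oldest passwords first; pipe to Export-Csv instead if the list is long.
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```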

Administrative Tier Model explained:
