#1 – Disable Macros
One of the most common initial access vectors is malicious macros. The question an organization needs to ask itself is: do we really need macros at all?
#2 – Disable Extensions
Another useful measure that is easy to implement is blocking the execution of file extensions typically used in phishing. A common extension I use on Red Teams, for instance, is .HTA. These extensions are very useful to attackers because they can be used to execute code on the target.
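As an added example for tips #1 and #2 (not code from the original post), the script below pushes the Office macro policy and re-points the script-host file handlers to Notepad, then re-reads both so the result can be audited. It assumes Office 2016/2019/365 (policy hive 16.0), that it runs elevated on the endpoint or inside a GPO logon script, and that the registry locations are the ones Microsoft documents for these policies; the list of ProgIDs is a constructed selection of commonly abused handlers, not an exhaustive one.

```powershell
# Added example (not from the original post): audit-and-enforce for tips #1 and #2.
# Assumes Office policy hive 16.0 and an elevated session; the ProgID list is constructed.
#Requires -RunAsAdministrator

$OfficeApps       = 'Word', 'Excel', 'PowerPoint'
$OfficePolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Set-MacroPolicy {
    foreach ($app in $OfficeApps) {
        $key = Join-Path $OfficePolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings = 4: disable all macros without notification.
        # (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed)
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Also block macros in files carrying the Mark-of-the-Web (downloads, mail attachments).
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

# Script-host ProgIDs behind typical phishing extensions: .hta .js .jse .vbs .vbe .wsf .wsh
$ScriptProgIds = 'htafile', 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
$SafeHandler   = '"%SystemRoot%\system32\notepad.exe" "%1"'

function Set-ScriptHandlerToNotepad {
    foreach ($progId in $ScriptProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            # Double-click / ShellExecute now opens the file as text instead of running it.
            Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $SafeHandler -Type ExpandString
        }
    }
}

function Test-PhishingHardening {
    # Returns a list of findings; an empty list means every setting is as expected.
    $findings = @()
    foreach ($app in $OfficeApps) {
        $key = Join-Path $OfficePolicyRoot "$app\Security"
        $v = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        if ($v -ne 4) { $findings += "$app : VBAWarnings is '$v' (expected 4)" }
    }
    foreach ($progId in $ScriptProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
        $cmd = (Get-ItemProperty -Path $cmdKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -notmatch 'notepad\.exe') { $findings += "$progId : still executes via '$cmd'" }
    }
    return $findings
}

Set-MacroPolicy
Set-ScriptHandlerToNotepad
$findings = Test-PhishingHardening
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Macro and script-handler hardening verified.' }
```

The HKCU policy keys are per-user, so in production they belong in a GPO applied to the user OU rather than a one-off script; the handler remap under HKLM\SOFTWARE\Classes is machine-wide and only affects double-click/ShellExecute launches, so it complements rather than replaces an application-control policy.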
#3 – Prevent Local Administrators From Accessing Computer From Network
If you can implement LAPS (Local Administrator Password Solution) so that every machine's local administrator account has a unique password, you should definitely do it.
#4 – Protect LSASS
Try enabling LSA protection by setting RunAsPPL; the value can be deployed with Group Policy Preferences.
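As an added example for tips #3 and #4 (not code from the original post), the script below enables RunAsPPL and then audits three things on the endpoint: that RunAsPPL is set, that a LAPS policy is present, and that the "Deny access to this computer from the network" user right covers local administrator accounts. It assumes an elevated session on a domain-joined machine, that S-1-5-114 ("Local account and member of Administrators group") is the SID used in that user right, and that the LAPS registry locations are the ones Microsoft documents for legacy LAPS (AdmPwd) and Windows LAPS.

```powershell
# Added example (not from the original post): audit-and-enforce for tips #3 and #4.
# Assumes an elevated session; registry paths and the S-1-5-114 SID are assumptions
# based on Microsoft documentation, so verify them against your environment.
#Requires -RunAsAdministrator

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-LsaProtection {
    # RunAsPPL = 1 runs LSASS as a Protected Process Light, so unsigned tools can no
    # longer open it for memory reads. Takes effect after a reboot.
    Set-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -Value 1 -Type DWord
}

function Test-LsaProtection {
    $v = (Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL
    return ($v -eq 1)
}

function Test-LapsEnabled {
    # Legacy LAPS (AdmPwd) exposes AdmPwdEnabled; Windows LAPS keeps its policy under ...\Policies\LAPS.
    $legacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $legacy = (Get-ItemProperty -Path $legacyKey -Name 'AdmPwdEnabled' -ErrorAction SilentlyContinue).AdmPwdEnabled
    $modern = Test-Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    return ($legacy -eq 1 -or $modern)
}

function Test-LocalAdminNetworkLogonDenied {
    # Export the effective local security policy and read the
    # "Deny access to this computer from the network" right (SeDenyNetworkLogonRight).
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    # secedit writes SIDs with a leading '*'; S-1-5-114 = local account that is a member of Administrators.
    return [bool]($line -and $line -match '\*S-1-5-114')
}

Enable-LsaProtection
[pscustomobject]@{
    RunAsPPL_Set              = Test-LsaProtection
    LAPS_Policy_Present       = Test-LapsEnabled
    LocalAdmin_NetLogonDenied = Test-LocalAdminNetworkLogonDenied
}
```

The deny-network-logon right is only audited here, not set, because it should be applied through a GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment so that it is enforced consistently and reverted centrally if it breaks a legitimate workflow.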