Every object in your environment -- network, VLAN, VM, computer, file, folder -- should be treated the same way: least privilege with aggressive auditing.
Get as near to zero as you can
To do their worst, the bad guys seek control of high-privileged admin accounts. Once they have control over a root, domain, or enterprise admin account, it's game over. Most companies are bad at keeping hackers away from these credentials. In response, highly secure companies are going "zero admin" by doing away with these accounts. After all, if your own admin team doesn't have super accounts, or doesn't use them very often, those accounts are far less likely to be stolen, and easier to detect and stop when they are.
Here, the art of credential hygiene is key. This means using as few permanent superadmin accounts as possible, with a goal of getting to zero or as near to zero as you can. Permanent superadmin accounts should be highly tracked, audited, and confined to a few predefined areas. And you should not use widely available super accounts, especially as service accounts.
But what if someone needs a super credential? Try using delegation instead. This allows you to give only enough permissions to the specific objects that person needs to access. In the real world, very few admins require complete access to all objects. That's insanity, but it's how most companies work. Instead, grant rights to modify one object, one attribute, or at most a smaller subset of objects.
This "just enough" approach should be married with "just in time" access, with elevated access limited to a single task or a set period of time. Add in location constraints (for example, domain admins can only be on domain controllers) and you have very strong control indeed.
Note: It doesn't always take a superadmin account to be all powerful. For example, in Windows, having a single privilege -- like Debug, Act as part of the operating system, or Backup -- is enough for a skilled attacker to be very dangerous. Treat elevated privileges like elevated accounts wherever possible.
Delegation -- just in time, just enough in just the right places -- can also help you smoke out the baddies, as they won't likely know this policy. If you see a superaccount move around the network or use its privileges in the wrong place, your security team will be all over it.
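As an added illustration (not code from the article), here is a small Python audit that applies the "just in time" and "just the right places" rules described above to constructed logon events, flagging any privileged logon with no active grant, an expired grant, or a host outside the group's allowed location. The group names, host names, grant table, and event format are all assumptions.

```python
from datetime import datetime

# Hypothetical location policy: which privileged groups may log on where
# (for example, Domain Admins only on domain controllers). Constructed values.
ALLOWED_HOSTS = {
    "Domain Admins": {"DC01", "DC02"},
    "Backup Operators": {"BACKUP01"},
}

# Hypothetical just-in-time grants: (user, group) -> expiry of the elevation.
JIT_GRANTS = {
    ("alice", "Domain Admins"): datetime(2024, 5, 1, 10, 0),
    ("bob", "Backup Operators"): datetime(2024, 5, 1, 9, 0),
}

# Constructed logon events in the shape (timestamp, user, group, host).
EVENTS = [
    (datetime(2024, 5, 1, 9, 30), "alice", "Domain Admins", "DC01"),       # in policy
    (datetime(2024, 5, 1, 9, 45), "alice", "Domain Admins", "WKS-042"),    # wrong place
    (datetime(2024, 5, 1, 11, 0), "alice", "Domain Admins", "DC02"),       # grant expired
    (datetime(2024, 5, 1, 8, 0), "carol", "Domain Admins", "DC01"),        # no JIT grant
    (datetime(2024, 5, 1, 8, 30), "bob", "Backup Operators", "BACKUP01"),  # in policy
]


def audit_privileged_logons(events, allowed_hosts=ALLOWED_HOSTS, grants=JIT_GRANTS):
    """Return one (user, host, reason) finding per policy violation, in event order."""
    findings = []
    for when, user, group, host in events:
        # "Just in time": the elevation must exist and must not have expired.
        expiry = grants.get((user, group))
        if expiry is None:
            findings.append((user, host, "no just-in-time grant for " + group))
        elif when > expiry:
            findings.append((user, host, "grant for %s expired at %s" % (group, expiry.isoformat())))
        # "Just the right places": the privileged group may only be used on its allowed hosts.
        if host not in allowed_hosts.get(group, set()):
            findings.append((user, host, "%s used outside allowed hosts" % group))
    return findings


if __name__ == "__main__":
    for finding in audit_privileged_logons(EVENTS):
        print("ALERT: user=%s host=%s reason=%s" % finding)
```

In production the event tuples would be fed from the domain's logon audit stream, and the grant table from whatever system issues the time-limited elevations.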
Institute role-based configurations
Least privilege applies to humans and computers as well, and this means all objects in your environment should have configurations for the role they perform. In a perfect world, they would have access to a particular task only when performing it, and not otherwise.