You will find on our web site under Webinar recordings, Hardening Active Directory Part I and also Part II. If you haven't watched those presentations, you should to understand the threat to your Windows networks.
One basic concept you can start with is to realize that all the Group Policy security settings are found in the computer side Group Policy. That would include what level of security protocols you are using and who you are making local admins and where they have those rights.
Authenticated users by Microsoft rule have the right to read all Group Policies. That means a bad guy on an infected machine can read the policies and understand what you are doing. That helps them plan their attack and attempt to gain full access to your network.
The solution is to deny the bad guys as much visibility to your network as possible. The first step in that is to remove authenticated users from all computer side policies and replace it with domain computers. If you want to be even more vigilant, you can create specific groups like finance computers and remove domain computers.
This simple step ensures that no one can read any of your Windows Group Policy security settings regardless of whether they have compromised a limited user workstation or not.
If you need help implementing this change, let us know.