System hardening is an overlooked control for many companies. You need to remove or disable unneeded applications, close any unused ports, stay consistent on updating software, firewall/IPS/IDS, and operating systems, disable guest and inactive accounts, require multifactor authentication, and require passwords to be changed on a regular basis.
I've seen cases where accounts as old as 10 years are still on a system. 10 years ago, a password of doglover75 was more secure than it is today.
People also like to reuse the same password, so it helps to activate minimum and maximum password age. Set a new password to have a minimum age of 45 days or so.
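
An added example (not part of the original post) of auditing for the two problems described above: passwords that have not changed in years, and accounts with no minimum or maximum password age. It assumes a Linux host with shadow(5)-format entries; the sample lines, the 365-day threshold and the function name `audit_shadow` are constructed for illustration.

```python
from datetime import date

# Constructed sample in shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:
# lastchg is days since 1970-01-01. Hashes are placeholders, not real values.
SAMPLE_SHADOW = """\
root:$6$placeholder:19700:45:90:7:::
olduser:$6$placeholder:15000:0:99999:7:::
svc_backup:!:19000:0:99999:7:::
newhire:$6$placeholder:19750:0:90:7:::
"""

MAX_PASSWORD_AGE_DAYS = 365  # assumed threshold for a "stale" password
NO_EXPIRY = 99999            # conventional shadow value meaning "never expires"


def _to_int(field):
    """Shadow fields may be empty, which means 'not set'."""
    return int(field) if field.strip() else None


def audit_shadow(text, today):
    """Return {account: [findings]} for shadow(5)-format text."""
    today_days = (today - date(1970, 1, 1)).days
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or line.startswith("#"):
            continue
        name, pw_hash = fields[0], fields[1]
        if pw_hash.startswith(("!", "*")):
            continue  # locked or disabled account: no usable password
        last_change, min_age, max_age = (_to_int(f) for f in fields[2:5])
        issues = []
        if last_change is not None and today_days - last_change > MAX_PASSWORD_AGE_DAYS:
            issues.append("stale_password")
        if not min_age:  # empty or 0: password can be changed back immediately
            issues.append("no_min_age")
        if max_age is None or max_age >= NO_EXPIRY:
            issues.append("no_max_age")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_shadow(SAMPLE_SHADOW, date.today()).items():
        print(f"{account}: {', '.join(issues)}")
```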