Small config decisions make huge differences.
1) Admin rights
Bad: Broad permanent admin rights.
Better: Just-in-time elevation with approval.
2) Credentials in scripts
Bad: Plain text passwords.
Better: Vaulted secrets.
3) Logging
Bad: No centralized logs.
Better: Forward key events and monitor daily.
4) Script safety
Bad: Direct write actions first.
Better: Read-only first.
5) Firewall
Bad: Any-any rules.
Better: Least-privilege rules.
6) Service accounts
Bad: Shared unmanaged accounts.
Better: Owned, non-interactive, reviewed accounts.
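
Items 4 and 6 combined, as an added example that is not part of the original post: a service account check that reports by default and only disables failing accounts when explicitly told to apply. The account fields, the 180-day review interval and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_MAX_AGE_DAYS = 180  # assumed review interval, not from the post

@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]          # named person or team responsible
    interactive_logon: bool       # True if the account can log on interactively
    last_review: Optional[date]   # date of the last access review
    enabled: bool = True

def findings(acct, today):
    """Return the reasons an account fails the owned / non-interactive / reviewed test."""
    out = []
    if not acct.owner:
        out.append("no owner")
    if acct.interactive_logon:
        out.append("interactive logon allowed")
    if acct.last_review is None or (today - acct.last_review).days > REVIEW_MAX_AGE_DAYS:
        out.append("review overdue")
    return out

def remediate(accounts, today, apply=False):
    """Plan disabling of failing accounts; change state only when apply=True."""
    plan = []
    for acct in accounts:
        reasons = findings(acct, today)
        if acct.enabled and reasons:
            plan.append((acct.name, reasons))
            if apply:
                acct.enabled = False  # the only write action, gated behind apply
    return plan

# Constructed sample inventory (not real accounts).
SAMPLE = [
    ServiceAccount("svc-backup", "infra-team", False, date(2024, 5, 1)),
    ServiceAccount("svc-shared", None, True, None),
    ServiceAccount("svc-report", "bi-team", False, date(2023, 1, 10)),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for name, reasons in remediate(SAMPLE, today):  # read-only by default
        print(f"WOULD DISABLE {name}: {', '.join(reasons)}")
```

Run it once in the default mode, review the plan, then rerun with apply=True.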
