You won't be able to completely remove all privilege escalation threats. But don't give up! You must always try to make it as hard as possible for an attacker to exploit them.

Low-Hanging Fruits

The first step in reducing the attack surface related to privilege escalation is to eliminate the shortest and highest-privilege escalation paths discovered during the analysis. The most serious example of this is probably a PC with a local admin user and a service running with domain admin credentials. Never ever allow this scenario! Using TokenSnatcher or a similar tool, the user can easily take over the domain admin credentials. Never allow users to run with local admin rights. Never allow a service to run with high privileges such as domain admin.
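Finding that exact scenario before an attacker does is a matter of correlating two inventories per host: services whose logon account is a member of a privileged domain group, and user accounts that hold local admin rights. The script below is an added audit example, not code from the article or from TokenSnatcher; it assumes the RSAT ActiveDirectory module is installed, WinRM is enabled on the target hosts, and the caller can read service configuration and local group membership (the group names in $PrivilegedGroups are assumed defaults).

```powershell
# Added audit script, not from the original article. Assumes: the RSAT
# ActiveDirectory module is installed, WinRM is enabled on the target hosts,
# and the caller can read service configuration and local group membership.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
)
Import-Module ActiveDirectory

# Resolve privileged user accounts once, following nested group membership.
$privileged = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [void]$privileged.Add($_.SamAccountName) }
}

# Win32_Service.StartName arrives as 'DOMAIN\user', 'user@domain' or a
# built-in account name; reduce it to the bare sAMAccountName for lookup.
function Get-SamFromStartName([string]$StartName) {
    if ($StartName -match '\\') { return ($StartName -split '\\')[-1] }
    if ($StartName -match '@')  { return ($StartName -split '@')[0] }
    return $StartName
}

foreach ($computer in $ComputerName) {
    # Services whose logon account is a member of a privileged domain group.
    $riskyServices = Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
        Where-Object { $_.StartName -and
                       $privileged.Contains((Get-SamFromStartName $_.StartName)) }

    # User accounts in the local Administrators group, excluding the built-in
    # Administrator (RID 500); domain groups are left out of this check.
    $localAdmins = Invoke-Command -ComputerName $computer -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' }
    } | Select-Object -ExpandProperty Name

    # Both conditions on the same host is the scenario the article says must never exist.
    [pscustomobject]@{
        ComputerName      = $computer
        PrivilegedService = ($riskyServices | ForEach-Object { "$($_.Name) ($($_.StartName))" }) -join '; '
        LocalAdmins       = $localAdmins -join '; '
        Critical          = [bool]$riskyServices -and [bool]$localAdmins
    }
}
```

Rows with Critical set to True are the shortest paths the section describes; fixing either side (moving the service to a least-privilege account, or removing the local admin right) breaks the path.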

Medium Effort Fixes

Once you have eliminated the most critical scenarios you must broaden your search. Look for more complex privilege escalation paths that eventually lead to high levels of privilege. Some of these scenarios may be blocked by simply removing unneeded admin rights from servers. Others may require modifications of the AD security group design.

Long Term Fixes

At some point we need to consider whether the removal of a privilege escalation scenario is worth the effort. Some remediation steps might require lengthy restructuring of user roles, application code or even organizational changes. In some cases the benefit of eliminating the risk does not justify the cost.

Going Forward

Analyzing and reducing the risk of privilege escalation should be an iterative process. In larger companies servers and services are introduced all the time, and fighting the threat of privilege escalation proactively should be on your checklist.