If you haven't done so and want some quick wins for a Win 8.1 or 7 environment. Head over here to download the Windows 8.1 security baseline zip file and extract the contents.
After Extracting navigate to the following area. (I extracted the contents to temp)
Copy the pth.admx and the pth.adm file in the en-US folder to their respective locations in the policy definitions on the domain controller. When you go into your group policy editor on your domain controller you will notice some Pass the hash mitigations available.
Set 'Apply UAC restrictions to local accounts on network logons' to 'Enabled'
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk.
Set 'WDigest Authentication' to 'Disabled'
When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.