To best secure your environment the best way is reach a goal of security and to accomplish is a best practice to create PAWs in your infrastructure.
Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-The-Ticket.
The diagram below depicts a separate “channel” for administration (a highly sensitive task) that is created by maintaining separate dedicated administrative accounts and workstations.
This architectural approach builds on the protections found in the Windows 10® Credential Guard and Device Guard features and goes beyond those protections for sensitive accounts and tasks.
For more information please continue reading – https://technet.microsoft.com/library/mt634654.aspx
And please implement it as a best practice of security within your infrastructure.