Require passwords for login.
Use a centralized authentication server for account management.
Use only hashed password files.
Back up the hashed password file in case the original is destroyed.
Require complex passwords.
Require minimum password age.
Set the account to disable after five (or fewer) failed attempts.
Either set an automatic unlock after a half hour or be prepared to come in nights and weekends.
There are other things to set up, but those are the basics. If you implement Windows Server and Active Directory, these capabilities come with the software and only need to be configured.
But tell us what answer you adopted four years ago.
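The basics listed in the reply above, worked through as an added example that is not part of the original post: a small account store that keeps only salted PBKDF2 hashes, enforces a complexity rule and a minimum password age, disables the account after five failed attempts, and unlocks it automatically after thirty minutes. The complexity rule (12 characters, three of four character classes), the one-day minimum age and the injectable clock are assumptions made for the example, not settings the post specifies.

```python
import hashlib
import hmac
import os
import re
import time

LOCKOUT_THRESHOLD = 5            # failed attempts before the account is disabled
LOCKOUT_SECONDS = 30 * 60        # automatic unlock after half an hour
MIN_PASSWORD_AGE_SECONDS = 86400 # assumed minimum age: one day
PBKDF2_ITERATIONS = 100_000      # assumed work factor for the example


def meets_complexity(password: str) -> bool:
    """Assumed rule: at least 12 characters and three of four character classes."""
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return len(password) >= 12 and sum(1 for c in classes if c) >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Only the salted hash is ever stored; the plaintext is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory stand-in for the centralized authentication server."""

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so lockout/unlock timing can be tested deterministically
        self.accounts = {}

    def create(self, username: str, password: str) -> None:
        if not meets_complexity(password):
            raise ValueError("password does not meet complexity policy")
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failures": 0,
            "locked_until": None,
            "password_set_at": self.clock(),
        }

    def change_password(self, username: str, new_password: str) -> str:
        acct = self.accounts[username]
        # Minimum password age: block rapid cycling back to an old password.
        if self.clock() - acct["password_set_at"] < MIN_PASSWORD_AGE_SECONDS:
            return "too-soon"
        if not meets_complexity(new_password):
            return "weak"
        acct["salt"] = os.urandom(16)
        acct["hash"] = hash_password(new_password, acct["salt"])
        acct["password_set_at"] = self.clock()
        return "ok"

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "bad-credentials"
        now = self.clock()
        if acct["locked_until"] is not None:
            if now < acct["locked_until"]:
                return "locked"            # still inside the lockout window
            acct["locked_until"] = None    # automatic unlock after the window expires
            acct["failures"] = 0
        candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            acct["failures"] = 0           # a good login resets the failure counter
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= LOCKOUT_THRESHOLD:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad-credentials"


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "Correct-Horse-42")   # constructed sample credentials
    for _ in range(LOCKOUT_THRESHOLD):
        print(store.login("alice", "wrong-guess"))
    print(store.login("alice", "Correct-Horse-42"))  # locked until the window expires
```

Checking against a real directory service replaces the dictionary with the server's own lockout and password-age settings; the flow (hash-only storage, counted failures, timed unlock) is the same one the reply describes.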