Re: Opinion sought
Start off with a default deny mindset. I configure all resources with their own resource groups. I then create role groups which are members of the appropriate resource groups. Until users are added to any of these roles they have access to nothing. They can't even log on. I can also see exactly what any user can access by just looking at the roles they are a member of. Use the AGDLP principle (https://en.wikipedia.org/wiki/AGDLP).
Use minimum privilege for access to anything. Only grant the minimum required access for each role. This will limit the damage any user can cause if they get malware.
If you can, implement AppLocker or some other application whitelisting solution. Use FSRM to watch for known crypto malware (see here: https://fsrm.experiant.ca/).
If you have a firewall or web filter that categorises websites, block access to uncategorised sites. This can stop phishing mails that try to pull malware down from the web. Block executables in email using your mail filter.
It is all about putting as many layers as possible in the way to stop the malware and minimise risk. At the end though, assume you can't block everything, so have tested backups and a recovery plan.
If possible have independent backup solutions backing up to different media (Veeam to NAS, Arcserve to tape for example). That way if one fails or is compromised, you still have a backup. Better to have lots of backups you don't need than no backups that you do need.
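The AGDLP role/resource group layout and the FSRM crypto-malware screen described in the reply above, written out as an added PowerShell example (this is not the poster's own script, nor the experiant.ca one). It assumes the RSAT ActiveDirectory and FileServerResourceManager modules are installed, and the domain name `EXAMPLE`, the OU path, the share paths, the `ROLE_`/`RES_` naming prefixes and the file patterns are all placeholders to replace with your own values. The access report function uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so nested membership (user in role group, role group in resource group) is resolved in one query, which is what lets you see "exactly what any user can access" from their roles.

```powershell
# Added example: AGDLP group structure plus an FSRM file screen.
# All names, OUs, paths and patterns below are assumed placeholders.
Import-Module ActiveDirectory
Import-Module FileServerResourceManager

$Domain  = 'EXAMPLE'                            # assumed NetBIOS domain name
$GroupOU = 'OU=Groups,DC=example,DC=local'      # assumed OU that holds all groups

# --- Resource (domain local) groups: the ONLY principals that appear in ACLs ---
# One group per share per permission level. No user is ever added here directly.
$Resources = @(
    @{ Name = 'RES_Finance_Modify'; Path = 'D:\Shares\Finance'; Rights = 'Modify' }
    @{ Name = 'RES_Finance_Read';   Path = 'D:\Shares\Finance'; Rights = 'ReadAndExecute' }
)
foreach ($r in $Resources) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($r.Name)'")) {
        New-ADGroup -Name $r.Name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
    # Grant the resource group its single permission level on the folder tree.
    $acl  = Get-Acl -Path $r.Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$($r.Name)", $r.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $r.Path -AclObject $acl
}

# --- Role (global) groups: what a job function needs, nested into resource groups ---
# Until a user is placed in one of these, they are in no resource group and reach nothing.
$Roles = @{
    'ROLE_Finance_Staff'   = @('RES_Finance_Modify')
    'ROLE_Finance_Auditor' = @('RES_Finance_Read')    # least privilege: read only
}
foreach ($role in $Roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    foreach ($res in $Roles[$role]) {
        Add-ADGroupMember -Identity $res -Members $role   # role group becomes a member of the resource group
    }
}

# --- Report: which roles a user holds and which resources those roles reach ---
function Get-UserAccessReport {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) returns every group the
    # user is in transitively, so the nested RES_ groups come back alongside the ROLE_ ones.
    $all = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    [pscustomobject]@{
        User      = $SamAccountName
        Roles     = @($all | Where-Object Name -like 'ROLE_*' | Select-Object -ExpandProperty Name)
        Resources = @($all | Where-Object Name -like 'RES_*'  | Select-Object -ExpandProperty Name)
    }
}

# --- FSRM file screen: log a warning event when a known crypto-malware extension is written ---
# Constructed sample patterns; a maintained list is what the experiant.ca site provides.
$Patterns = @('*.locky', '*.crypt', '*.encrypted', '*.zepto', '*.cerber')
if (-not (Get-FsrmFileGroup -Name 'Ransomware Indicators' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware Indicators' -IncludePattern $Patterns | Out-Null
}
# [Source Io Owner], [Source File Path] and [Server] are FSRM notification variables.
$Notify = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] wrote [Source File Path] matching a ransomware pattern on [Server]'
New-FsrmFileScreen -Path 'D:\Shares' -IncludeGroup 'Ransomware Indicators' -Active -Notification $Notify

# Usage (assumed account name):
# Get-UserAccessReport -SamAccountName 'jsmith'
```

The file screen is created with `-Active`, which blocks the write as well as raising the event; drop that switch for a monitor-only (passive) screen while you tune the pattern list. The warning event it writes is the hook for your alerting: a sudden burst of these from one `[Source Io Owner]` is the signal to disable that account and pull the share offline before restoring from the independent backups the reply recommends.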