Panagiotis Gkatziroulis writing for the Blue Team Medium account has a very detailed article describing steps an organization can take to limit the effectiveness of various Mimikatz exploits. https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5

Even though that Microsoft introduced a security patch which can be applied even in older operating systems such as Windows 2008 Server still Mimikatz is effective and in a lot of cases it can lead to lateral movement and domain escalation. It should be noted that Mimikatz can only dump credentials and password hashes if it is executed from the context of a privilege user like local administrator.

1. Patch the operating system on all PCs and Servers. Windows security updates should be applied and Windows Update should be set to download and install automatically. [Preventative]
2. Update Microsoft Office with all available updates. Set Windows Update to also update any other Microsoft products. [Preventative]
3. Update all web browsers. Preferred browser would be 64 bit Google Chrome Enterprise as it is fairly secure by default and includes its own sand-boxed Flash player and PDF viewer. [Preventative]
4. Update Adobe Flash to most current version or remove if using Chrome as advised above. Update Adobe Reader to most current version or remove if using Google Chrome. [Preventative]
5. Remove Java. If you must run Java, update to most current version but seriously consider removing Java. [Preventative]
6. Raise the level of User Access Control (UAC) to the highest level – requiring Admin account to install or modify the system. [Preventative]
7. Users must not be Local Admin on their PC. [Preventative]
8. Enable Windows firewall on all PCs and servers. Only enable ports and applications both inbound and outbound as required (block inbound by default minimum). [Preventative]
9. Implement a backup solution for all user data. Restore must be tested periodically. Ideally, versioning or offline snapshots should be enabled to protect against ransomware. [Preventative]
10. All mobile devices should be updated to latest version of OS and device pass codes must be set (at least 6 digits). [Preventative]

Bonus Items

1. Install antivirus / anti-malware software on PCs and servers. Any IPS / IDS functionality would be good to apply. Solution should be set to update signatures automatically. [Preventative / Detective]
2. Bitlocker hard drive encryption should be enabled and enforced via GPO.[Preventative]
3. Application whitelisting using AppLocker with trusted publishers or hashes of known good applications. [Preventative]
4. Install SYSMON on all PCs and Servers. Configure for logging process creation, command line execution parameters, process creation, optionally network events. [Detective]
5. Turn on Windows Event logging for critical events see SANS Detecting Security Incidents Windows Event Logs. [Detective]