This stuff is nasty.
1- Have spotless offline backups of everything
2- Lock down share permissions
3- Lock down admins on permissions domain level
4- Lock down admins on local machine level
I had to deal with this garbage once earlier this year on a custom domain with awful permissions management. It was bad enough from a single source\spread to shares perspective. I can't imagine the damn thing acting like a worm at the same time. Potentially career ending because 1- your enterprise gets owned so hard and 2- you never want to touch a computer again once you have to try to clean it up.