To make it harder for an attacker to spread a payload from one compromised machine to the rest of your computers, block the following Active Directory and remote-management ports at the network perimeter so they are never reachable from the Internet, and restrict them inside the network (host firewall or VLAN ACLs) so that only domain controllers, database servers and designated admin hosts accept them:

TCP 135 (RPC endpoint mapper / DCOM)
TCP 3389 (RDP)
UDP/TCP 389 (LDAP)
TCP 3268 (LDAP Global Catalog)
UDP/TCP 53 (DNS)
UDP/TCP 42 (WINS)
UDP/TCP 88 (Kerberos)
UDP/TCP 464 (Kerberos password change, kpasswd)
TCP 1433 (SQL Server)
TCP 5985 (WinRM over HTTP)

Note that this list leaves out TCP 445 (SMB), which carries file sharing, named-pipe RPC and most PsExec-style lateral movement, as well as the TLS variants of listed services (TCP 636 and 3269 for LDAPS, TCP 5986 for WinRM over HTTPS); any ruleset built from it should cover those too. Blocking port 53 applies to inbound DNS queries reaching your internal DNS servers from untrusted networks, not to your clients' outbound resolution.
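The following PowerShell is an added example, not part of the original post, showing how the same port list is applied on a Windows host with the built-in Windows Defender Firewall cmdlets: first an audit of inbound rules that already allow any of these ports from any address, then a default-deny inbound policy with allow rules scoped to a management network. The subnet 10.0.10.0/24 and the host name dc01.example.local are hypothetical placeholders; on a domain controller the allowed source for Kerberos, LDAP and DNS must be every internal client range rather than an admin subnet, so there only the audit step applies as written.

```powershell
# Added example (not from the original post): host-firewall equivalent of the
# perimeter block list. Run in an elevated PowerShell on Windows Server / 10+.
# ASSUMPTION: 10.0.10.0/24 is a hypothetical admin/jump-host subnet; replace it.
$AdminSubnet = '10.0.10.0/24'

# Port list from the post, annotated with the service each port carries.
$Ports = @(
    @{ Service = 'RPC endpoint mapper'; Protocol = 'TCP'; Port = 135  },
    @{ Service = 'RDP';                 Protocol = 'TCP'; Port = 3389 },
    @{ Service = 'LDAP';                Protocol = 'TCP'; Port = 389  },
    @{ Service = 'LDAP';                Protocol = 'UDP'; Port = 389  },
    @{ Service = 'LDAP Global Catalog'; Protocol = 'TCP'; Port = 3268 },
    @{ Service = 'DNS';                 Protocol = 'TCP'; Port = 53   },
    @{ Service = 'DNS';                 Protocol = 'UDP'; Port = 53   },
    @{ Service = 'WINS';                Protocol = 'TCP'; Port = 42   },
    @{ Service = 'WINS';                Protocol = 'UDP'; Port = 42   },
    @{ Service = 'Kerberos';            Protocol = 'TCP'; Port = 88   },
    @{ Service = 'Kerberos';            Protocol = 'UDP'; Port = 88   },
    @{ Service = 'Kerberos kpasswd';    Protocol = 'TCP'; Port = 464  },
    @{ Service = 'Kerberos kpasswd';    Protocol = 'UDP'; Port = 464  },
    @{ Service = 'SQL Server';          Protocol = 'TCP'; Port = 1433 },
    @{ Service = 'WinRM HTTP';          Protocol = 'TCP'; Port = 5985 }
)
$ListedPorts = $Ports | ForEach-Object { "$($_.Protocol)/$($_.Port)" }

# 1. Audit: enabled inbound Allow rules that expose one of the listed ports to
#    'Any' remote address. (Single-port rules only; port ranges such as
#    "135-139" are not expanded here.)
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $pf   = $rule | Get-NetFirewallPortFilter
        $af   = $rule | Get-NetFirewallAddressFilter
        foreach ($p in @($pf.LocalPort)) {
            if ($ListedPorts -contains "$($pf.Protocol)/$p" -and $af.RemoteAddress -contains 'Any') {
                [pscustomobject]@{ Rule = $rule.DisplayName; Port = "$($pf.Protocol)/$p"; Remote = 'Any' }
            }
        }
    } | Format-Table -AutoSize

# 2. Enforce: default-deny inbound on every profile, then allow the listed
#    ports only from the admin subnet. Block rules win over Allow rules in
#    Windows Firewall, so scoping the Allow rules (rather than adding a Block
#    rule) is what keeps the management network reachable.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

foreach ($p in $Ports) {
    $name = "Mgmt-only $($p.Service) $($p.Protocol)/$($p.Port)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $AdminSubnet `
            -Profile Any | Out-Null
    }
}

# 3. Verify from a machine outside the admin subnet (hypothetical host name):
#    Test-NetConnection -ComputerName dc01.example.local -Port 3389
#    TcpTestSucceeded must be False; from the admin subnet it must be True.
```

The audit step is worth running on its own before any enforcement: rules the Windows Firewall creates for roles such as Remote Desktop or WinRM default to "Any" remote address, and those rules, rather than the perimeter, are what an attacker who already has one foothold relies on.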

Microsoft's reference for the ports each Windows service uses (KB 832017, "Service overview and network port requirements for Windows"): https://support.microsoft.com/en-us/kb/832017

SANS DFIR blog overview of Microsoft's best practices for securing Active Directory: https://digital-forensics.sans.org/blog/2013/06/20/overview-of-microsofts-best-practices-for-securing-active-directory