1. Giving managers or the owner administrative access to your domain.
This might sound like a good idea, but unless the owner of the company manages user accounts day to day and has a solid background in security, limit the accounts that can make domain-wide changes to a few IT professionals.
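A practical way to check this is to enumerate who actually holds domain-level administrative rights, including through nested groups, and compare it with the short list of people who are supposed to. The script below is an added example, not part of the original post; the approved account names are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): list who currently holds
# domain-level administrative rights and flag anyone outside an approved list.
# Requires the ActiveDirectory module (RSAT) and a domain account with read access.
Import-Module ActiveDirectory

# Assumption: only these accounts should hold domain admin rights (placeholder names).
$ApprovedAdmins = @('it.admin1', 'it.admin2')

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups, so indirect membership is caught too
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [PSCustomObject]@{
                Group    = $Group
                Account  = $_.SamAccountName
                Approved = $ApprovedAdmins -contains $_.SamAccountName
            }
        }
}

# Everything with Approved = False is a candidate for removal, or for moving
# that person to a separate, non-privileged day-to-day account.
$Findings | Sort-Object Group, Account | Format-Table -AutoSize
$Findings | Where-Object { -not $_.Approved } |
    Export-Csv -Path .\unapproved-admins.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run; a new name appearing in Domain Admins without a change ticket is exactly the situation the item above warns about.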
2. Leaving SMB 1 enabled on your file server.
SMB 1 is enabled by default on Windows Server 2016 and earlier. Disable it to close off widely known, publicly exploited weaknesses in the protocol.
https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windows-and-windows-server
It is possible that you need version 1 for backwards compatibility. I would suggest using a method like SFTP to access these files on your server.
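Before disabling SMB 1 it is worth knowing which clients still depend on it, so you do not break a legacy scanner or NAS at month end. The script below is an added example, not from the original post or the linked Microsoft article; it uses the SmbShare cmdlets available on Windows Server 2012 R2 and later (older servers need the registry method in the linked article) and assumes an elevated session on the file server.

```powershell
# Added example (not from the original post): check whether SMB1 is enabled,
# turn on SMB1 access auditing to find remaining SMB1 clients, then disable
# and remove the protocol. Run elevated on the file server (Server 2012 R2+).

# 1. Current state of the SMB server
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol

# 2. Audit first: with auditing on, each SMB1 connection is logged as event 3000
#    in the Microsoft-Windows-SMBServer/Audit log.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# After a representative period (include month-end jobs), list the SMB1 clients seen.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3000 } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

# Active sessions also report the negotiated dialect; anything below 2.0.2 is SMB1.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0.2' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 3. Once no legitimate SMB1 clients remain (or they have been moved to SFTP),
#    disable the SMB1 server and remove the feature so it cannot be re-enabled by accident.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Uninstall-WindowsFeature -Name FS-SMB1

# 4. Confirm
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```

Step 2 is the part people skip; leaving auditing on for a week or two before step 3 turns "did anything break?" into a list of named clients you can fix in advance.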
3. Leaving NTLM V1 authentication on.
Disable NTLM v1 and LANMAN authentication. You can help identify machines still connecting to your server with NTLM v1 by searching the 4624 logon events for the "NTLM V1" package name, for example: Get-EventLog -LogName Security -InstanceId 4624 -Newest 1000 | Where-Object { $_.Message -match 'NTLM V1' } (the package name sits deep in the event message, so it has to be matched on the Message property rather than on the truncated default console output).
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
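The one-liner above tells you that NTLM v1 is in use; for a remediation list you want the account, workstation and source address per event, which means reading the 4624 event data rather than the message text. The script below is an added example, not from the original post or the linked article; it assumes an elevated session on the server or domain controller whose Security log you want to inspect.

```powershell
# Added example (not from the original post): find accounts and machines
# still authenticating with NTLMv1 from 4624 events, then verify the
# LAN Manager authentication level on this machine.

# 4624 events carry the NTLM flavour in the LmPackageName field
# ("NTLM V1", "NTLM V2", or "-" for Kerberos). Parse the event XML rather
# than string-matching the truncated default console output.
$Ntlmv1Logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
    ForEach-Object {
        $Xml  = [xml]$_.ToXml()
        $Data = @{}
        foreach ($Field in $Xml.Event.EventData.Data) { $Data[$Field.Name] = $Field.'#text' }
        if ($Data['LmPackageName'] -eq 'NTLM V1') {
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                Account     = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"
                Workstation = $Data['WorkstationName']
                SourceIP    = $Data['IpAddress']
            }
        }
    }

# One line per offending client, most active first
$Ntlmv1Logons | Group-Object Workstation, SourceIP |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM (v1).
# In a domain, set it through Group Policy (Network security: LAN Manager
# authentication level); the registry read below only confirms the result here.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Level  = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $Level) { 'LmCompatibilityLevel not set; the OS default applies' }
elseif ($Level -lt 5) { "LmCompatibilityLevel is $Level; raise it to 5 to refuse NTLMv1" }
else                  { 'LmCompatibilityLevel is 5: LM and NTLMv1 are refused' }
```

Work through the grouped list (fix or retire each client) before raising the level, otherwise those machines simply stop authenticating; the "Restrict NTLM" audit policies in the linked article give the same visibility domain-wide once the per-server check has been done.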