Unfortunately this is NOT a single "RESOLVE-ALL" button task IMHO.
1. Physical security
If you have contractors freely roaming around without supervision, or file servers just under a table at the reception or so .. then you can have many NAC/2FA solutions, but 5 minutes with a screwdriver and you are done!
The proverbial $5 (five-bucks) wrench attack can solve a surprising lot, ranging from 2FA to encrypted filesystems :)
Therefore critical infrastructure has to be in a separate room, with very limited and always supervised access.
2. Network access control
Yes, NAC and basically port-based authentication, 802.1X, is another key element.
Authenticate per port whenever a port is used. Is it the expected device there? Is it the expected user?
Shut down all unused ports. Cisco switches have a funky MAC memory, so they allow specific MAC addresses, or just one (or a set amount) of the last used ones. So someone who disconnects a net printer to gain access, with the idea that the printer has MAC-based overrides, might try his MAC and get the port locked. However, he can misuse the MAC of the printer ..
NAC from FortiNAC or a 3rd party. However, serious 802.1X can be built with just the mentioned FortiAuthenticator.
3. Segmented networks
Policies for from where and who can access critical file servers, for example.
No free DHCP assigning IPs to anyone who just connects to the SSID or wire!
Per-MAC IP assignments. Etc.
4. Agents on server level (2FA login to server/workstation)
If those servers, like print servers, are Windows, then FortiAuthenticator does have agents, so 2FA can be enforced even if someone RDPs or console logs in to the server itself.
The same exists on workstations, SSOMA (Single Sign-On Mobility Agent), and is part of FortiClient.
That helps to track users and workstations, and lets them pass firewall policies based on their previous logon with domain credentials or any other logon. FortiAuthenticator is a pretty versatile and capable SSO collector. So not only AD logon but also RADIUS logon into a 3rd-party WiFi AP can lead to RSSO and user logon tracking.
So no misuse of logins to workstations or print servers etc. Of course, if someone left an unlocked server console and for 'convenience' there is no login-protected screensaver .. well.
Just what came to my mind shortly.
More on https://docs.fortinet.com / https://video.fortinet.com / https://kb.fortinet.com
Or via Professional Services / TAM as a paid service, as regular TAC is not truly expected and designed to provide network design services. Hope you understand.
Tom xSilver, planet Earth, over and out!
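The port controls from point 2 (802.1X per port, sticky-MAC port security for a printer, and shutting unused ports), as an added Cisco IOS configuration example that is not part of the original post. Interface names, VLAN numbers, the RADIUS server address and the shared secret are assumed placeholders.

```cisco
! Added example (not from the original post): Cisco IOS access-switch
! configuration for the port controls described in point 2.
! Interface names, VLANs 20/30/999, the RADIUS server IP and the shared
! secret are assumed placeholders; adjust to your environment.

! --- 802.1X against a RADIUS server (e.g. FortiAuthenticator) ---
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server FAC
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret

! --- Staff wall port: device/user must authenticate before traffic passes ---
interface GigabitEthernet1/0/1
 description User port - 802.1X required
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast

! --- Printer port: no supplicant, so pin the port to one learned (sticky) MAC ---
! Caveat (as the post notes): this only locks the port to the printer's MAC;
! a device presenting the same MAC still passes, so treat it as a fallback,
! not a substitute for 802.1X where the device supports it.
interface GigabitEthernet1/0/2
 description Net printer - port-security sticky
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast

! --- Every unused port: administratively down and parked in an unused VLAN ---
interface range GigabitEthernet1/0/3 - 48
 description Unused - shut
 switchport mode access
 switchport access vlan 999
 shutdown

! Verify with: show dot1x all   /   show port-security interface Gi1/0/2
```

A port-security violation with `violation shutdown` leaves the port err-disabled until an administrator clears it (or an `errdisable recovery` timer does), which is the "port locked" behaviour the post describes.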