Splitting the servers into another network segment, separating them from any workstations on the network, and further separating web services from internal services (FS/DC, ...) and from development and sandbox systems.

With IDS sensors on these segments, with rulesets defined for each, focusing on traffic that shouldn't exist, such as: there shouldn't be any network share browsing towards the e-mail server, and no web traffic towards the DC (they are dual-purpose machines).

Along with strict firewalling between these segments, where only the required ports/protocols are passed to the appropriate systems: HTTP and HTTPS only to systems that are supposed to offer HTTP(S) to an external segment, and other such rules.

These would apply to both setups, allowing access to only what is supposed to be available and raising flags on traffic that doesn't match the normal profile. As long as the services are kept up to date and the flags are noticed, this would allow for a decently secure network. But it would require active administration, not just a "fix what's broken" admin staff.
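To make the two layers described in this post concrete, here is an added example (not from the original poster) that evaluates constructed flow records against a default-deny inter-segment policy and a small "should never exist" IDS ruleset. All segment ranges, host addresses and port choices are assumptions for the example; the point it shows is that a coarse segment-level allow (workstations to the internal segment on 445) still lets an IDS flag SMB towards the mail server specifically.

```python
import ipaddress
from typing import NamedTuple

# Constructed lab layout; every address and segment name here is an assumption.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "web":          ipaddress.ip_network("10.20.0.0/24"),
    "internal":     ipaddress.ip_network("10.30.0.0/24"),  # DC, file server, mail
    "dev":          ipaddress.ip_network("10.40.0.0/24"),
}
DC_HOST = ipaddress.ip_address("10.30.0.10")    # dual-purpose DC (hypothetical)
MAIL_HOST = ipaddress.ip_address("10.30.0.20")  # e-mail server (hypothetical)

# Firewall policy between segments as (src_segment, dst_segment, dst_port).
# Anything not listed is dropped: default deny.
ALLOW = {
    ("external", "web", 80), ("external", "web", 443),  # HTTP(S) only to web hosts
    ("workstations", "internal", 445),                  # file shares
    ("workstations", "internal", 389),                  # LDAP to the DC
    ("workstations", "internal", 25),                   # mail submission
    ("dev", "dev", 22),
}
# IDS rules for traffic that should never exist, even where the firewall passes it.
NEVER = {
    (MAIL_HOST, 445): "share browsing towards mail server",
    (MAIL_HOST, 139): "share browsing towards mail server",
    (DC_HOST, 80):    "web traffic towards DC",
    (DC_HOST, 443):   "web traffic towards DC",
}

class Verdict(NamedTuple):
    action: str   # "allow" or "drop" from the segment firewall
    flags: tuple  # IDS alert reasons raised for this flow, if any

def segment_of(ip):
    """Map an address to its segment; anything outside the lab is external."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def evaluate(line):
    """Evaluate one constructed flow record of the form 'src dst dst_port'."""
    src, dst, port = line.split()
    src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    action = "allow" if (segment_of(src), segment_of(dst), port) in ALLOW else "drop"
    flags = tuple(why for (host, p), why in NEVER.items() if dst == host and port == p)
    return Verdict(action, flags)

def audit(lines):
    """Run every flow through both layers; flagged flows are what an admin must notice."""
    return [(line, evaluate(line)) for line in lines]
```

A workstation reaching the mail server on 445 is allowed by the segment rule but flagged by the IDS rule, which is the case the post argues the sensors are there to catch.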