For the administration of servers, use a network that is (logically) separated from the user network

Having a separate network or a demilitarised zone that is dedicated to the servers and their administration is an example of isolating critical resources, and makes it more difficult for malicious code to spread.

The physical separation of sensitive resources, including at infrastructure level, allows risks to be compartmentalized and prevents them from spreading between different security levels.
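
One way to check that the separation described above holds in practice, as an added example that is not part of the original guidance: the script audits flow records and flags accepted management connections to servers that do not originate from the administration network, as well as accepted flows from the user network into the administration network. The subnets, the management port list and the flow-record format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed addressing plan and port list (hypothetical, not from the page).
ADMIN_NET = ipaddress.ip_network("10.0.99.0/24")    # dedicated administration network
SERVER_NET = ipaddress.ip_network("10.0.10.0/24")   # servers / DMZ
USER_NET = ipaddress.ip_network("10.0.20.0/22")     # user workstations
MGMT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}

# Constructed flow records: "src dst dport action", one per line.
SAMPLE_FLOWS = """\
10.0.99.5 10.0.10.20 22 ACCEPT
10.0.20.14 10.0.10.20 443 ACCEPT
10.0.20.14 10.0.10.20 3389 ACCEPT
10.0.21.7 10.0.10.21 22 DROP
10.0.22.9 10.0.99.5 445 ACCEPT
10.0.10.21 10.0.10.20 22 ACCEPT
not a flow record
"""

def check_flow(src, dst, dport, action):
    """Return a finding string if an accepted flow crosses the separation, else None."""
    if action != "ACCEPT":
        return None  # blocked traffic shows the filter working
    if dst in SERVER_NET and dport in MGMT_PORTS and src not in ADMIN_NET:
        return f"{MGMT_PORTS[dport]} to server from outside admin network"
    if src in USER_NET and dst in ADMIN_NET:
        return "user network reaches admin network"
    return None

def audit(text):
    """Return (line_number, finding) for every violating or unparsable record."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            src, dst, dport, action = line.split()
            finding = check_flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                                 int(dport), action.upper())
        except ValueError:
            finding = "unparsable record"  # surface it rather than silently skip
        if finding:
            findings.append((n, finding))
    return findings

if __name__ == "__main__":
    for n, finding in audit(SAMPLE_FLOWS):
        print(f"line {n}: {finding}")
```

Server-to-server SSH (line 6 of the sample) is flagged on purpose: under this check, administration traffic is expected to come only from the administration network.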