I've seen the technique of disabling weak password hashes work against APTs (advanced persistent threats), even when the attacker's own tool worked just fine using the stronger password hashes. The attackers didn't know that the weaker hashes were disabled, so they gave up attempting PTH attacks.
The best defense against PTH attacks is to prevent the attackers from getting superadmin access in the first place. Unfortunately, that involves nearly every traditional computer security defense I've discussed in this blog for years: least-privilege user logons, antimalware software, whitelisting, firewalls, and so on. Usually my clients aren't coming to me for PTH-defense advice until they realize they have a poor track record with their first lines of defense -- on to Plan B.
We can make it harder for the attackers to lift the hashes out of memory. In Windows, the password hashes can be pulled out of memory for the following logon types: interactive, batch, service, unlock, remote interactive, and cached interactive. That may seem like every type of logon you can think of, but it doesn't include network logons. Thus, simply accessing a NetBIOS drive share doesn't throw your password hash into memory.
Also, logging off often removes the password hash from memory, although it can be left intact by applications and APIs, so you never know. Rebooting a computer after logging out is one way to make sure your hash does not remain in memory.
Sever those ties
I frequently advise clients to minimize the logon types listed above for privileged accounts. In most environments I review, admins use Remote Desktop Protocol (RDP) or some other sort of interactive remote software to administer, troubleshoot, and access servers and workstations throughout the environment. It's easy and effective, but it has the distinct side effect of leaving privileged hashes sitting around the environment -- on machines that are often not clean or trusted.
Instead, I encourage clients to use noninteractive ways to manage computers. Instead of using RDP, go with a console tool that allows you to connect to remote computers. Most of the Microsoft Management Console (MMC) tools can be retargeted to remote computers. Use PowerShell scripts instead -- at least the ones that don't require passing passwords.
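One way to check whether that advice is actually being followed is to audit successful logons (Security event 4624) for privileged accounts using a hash-caching logon type. The following PowerShell is an added example, not code from the original article; it assumes you supply your own list of privileged account names and runs offline against constructed sample events, with the live Get-WinEvent query shown at the end.

```powershell
# Added example (not from the article): flag logons by privileged accounts whose logon
# type leaves the password hash in LSASS memory, based on Security event 4624.
# 4624 property indexes: [5] TargetUserName, [6] TargetDomainName, [8] LogonType,
# [11] WorkstationName, [18] IpAddress.

# Logon types the article names as leaving the hash in memory. Type 3 (Network),
# e.g. plain access to a file share, is deliberately absent.
$HashCachingLogonTypes = @{
    2 = 'Interactive'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Find-PrivilegedHashCachingLogon {
    param(
        [Parameter(Mandatory)] $Events,                       # objects shaped like Get-WinEvent records
        [Parameter(Mandatory)] [string[]] $PrivilegedAccounts # assumption: your own admin account list
    )
    foreach ($e in $Events) {
        $user = [string]$e.Properties[5].Value
        $type = [int]$e.Properties[8].Value
        if ($PrivilegedAccounts -contains $user -and $HashCachingLogonTypes.ContainsKey($type)) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = "$($e.Properties[6].Value)\$user"
                LogonType   = "$type ($($HashCachingLogonTypes[$type]))"
                Workstation = [string]$e.Properties[11].Value
                SourceIp    = [string]$e.Properties[18].Value
            }
        }
    }
}

# Constructed sample events for an offline run; they mimic the 4624 record shape.
function New-SampleLogon([string]$User, [int]$Type, [string]$Host, [string]$Ip) {
    $p = @(0..19 | ForEach-Object { [pscustomobject]@{ Value = $null } })
    $p[5].Value = $User; $p[6].Value = 'CORP'; $p[8].Value = $Type
    $p[11].Value = $Host; $p[18].Value = $Ip
    [pscustomobject]@{ TimeCreated = Get-Date; Properties = $p }
}
$sample = @(
    (New-SampleLogon 'admin-jane' 10 'WS-042' '10.0.5.17'),  # RDP by an admin: flagged
    (New-SampleLogon 'admin-jane'  3 'WS-042' '10.0.5.17'),  # share access: not flagged
    (New-SampleLogon 'bob'         2 'WS-077' '-')           # not privileged: not flagged
)
Find-PrivilegedHashCachingLogon -Events $sample -PrivilegedAccounts @('admin-jane') | Format-Table

# Live use on a server (needs rights to read the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000
# Find-PrivilegedHashCachingLogon -Events $live -PrivilegedAccounts $admins
```

Every row this returns is a machine where a privileged hash was left in memory by the logon pattern the article warns against; a clean report for admin accounts, with only type 3 logons remaining, is the goal.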