For SharePoint service accounts, you should be adding them to the deny logon security policy (secpol.msc) on each SharePoint server. For SQL, you should be using a gMSA rather than a domain user account.
Place a pre-authenticating reverse proxy in front of SharePoint and don't allow it to be bypassed to each web application. But there is nothing stopping an internal user from brute-forcing or locking the accounts out -- this is typically why service accounts bypass lockout policies, as you don't want your service to fail.
The best defense is to use monitoring tools that will alert you to these types of attacks against users.
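
The alerting described above, as an added example that is not part of the original answer: it counts failed logons (event ID 4625) and lockouts (event ID 4740) against service accounts in records exported from the Security log. The account names, host names, threshold and window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (time, event ID, target account, source host),
# shaped like fields exported from the Windows Security log.
# 4625 = failed logon, 4740 = account locked out. All names are made up.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", 4625, "svc-spfarm", "WKS-114"),
    ("2024-05-01T09:00:12", 4625, "svc-spfarm", "WKS-114"),
    ("2024-05-01T09:00:20", 4625, "jdoe", "WKS-020"),
    ("2024-05-01T09:00:21", 4625, "svc-spfarm", "WKS-114"),
    ("2024-05-01T09:00:30", 4625, "SVC-SPFARM", "WKS-115"),
    ("2024-05-01T09:00:40", 4625, "svc-spfarm", "WKS-114"),
    ("2024-05-01T09:05:00", 4625, "svc-spapppool", "SP-WFE01"),
    ("2024-05-01T09:15:00", 4625, "svc-spapppool", "SP-WFE01"),
    ("2024-05-01T09:20:00", 4740, "svc-spsearch", "WKS-114"),
]
# Hypothetical SharePoint service accounts to watch (assumption, not from the page).
WATCHED = {"svc-spfarm", "svc-spapppool", "svc-spsearch"}


def detect(events, watched, threshold=5, window=timedelta(minutes=2)):
    """Alert on any lockout of a watched account, and on `threshold` failed
    logons against one within `window`. The failure count matters because an
    account exempt from lockout never produces a 4740."""
    recent = defaultdict(deque)  # account -> (time, source) of recent failures
    alerts = []
    for ts, event_id, account, source in sorted(events):
        account = account.lower()
        if account not in watched:
            continue
        if event_id == 4740:
            alerts.append((ts, account, "lockout", [source]))
        elif event_id == 4625:
            when = datetime.fromisoformat(ts)
            failures = recent[account]
            failures.append((when, source))
            while when - failures[0][0] > window:  # drop failures outside the window
                failures.popleft()
            if len(failures) >= threshold:
                sources = sorted({s for _, s in failures})
                alerts.append((ts, account, "failed-logon burst", sources))
                failures.clear()  # re-arm: the next alert needs a fresh burst
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, WATCHED):
        print(alert)
```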