What I am talking about is a computer-server with no outside connection to the admin level of the processor or from user space within the machine. So no outside source can gain access to the admin level. If this is a server for many users, then a ransom-ware attack would only be possible for a user account that doesn't guard access to their password secrecy.
Disclaimer: "total security" does not exist. security always exists on a spectrum. Security decisions should always be approached as a cost/benefit question: what is the cost of the security measure? What is the cost of compromise? How much does the security measure reduce the likelihood of compromise?
That said, disabling admin rights over network could be accomplished a couple of ways. Group policy would be one approach, you could also set firewall rules blocking traffic. For example, if you are controlling a server via SSH on port 22, your firewall blocking all external port 22 connections would prevent direct access from external attackers. Likewise, the server's software firewall could reject all SSH connections except from whitelisted IPs on the network. For example, say your router has 192.168.0.1-20 set aside for wired connections, and DHCP's 192.168.0.100-255 for wifi. setting your servers software firewall to accept SSH traffic only from 192.168.0.1-20 with an implicit reject of all other SSH traffic would limit it only to those wired systems.
Now, if someone compromised one of those local systems, they could use it as a relay for sending commands to the server, so again, not PERFECT security.
You would also need to look at preventing escalation of privilege attacks, if you are allowing non-admin permissions for the server, and of course all the usual stuff with SQL injection, buffer overflow, etc.