You seem to be a sysadmin. When you use Microsoft products like Server with a Domain Controller, RDP, or VMs, security also consists of security concepts [policies] created by you for your work "flow", not only software apps.
Read about:
Group Policy Administrative Templates Catalog [getadmx dot com] - understand what Administrative Templates are.
Microsoft Update Catalog
Microsoft Best Practices for different services like Active Directory. [Best practices are guidelines that are considered the ideal way, under typical circumstances, to configure a server as defined by experts.]
Microsoft Security Compliance Toolkit
Download and Install Best Practices Analyzer
See the "needs" of your clients and fulfill those needs by services like VPN as a protection layer to RDP, for example.
Don't forget about the hosts file on every device; you can block there many, many domains that are reported as malware / "danger"ware.
There are many tutorials and modules for the "new" open-sourced Microsoft PowerShell for SysAdmins / DevOps.
Make your own logical map regarding permissions. What do I mean by that? Which user/admin should access only which folders?
You can have users / admins with several layers of permissions on a logical idea. Example: starting from Level 4, where "places" to have access are few, till Level 0 - total access.
You must construct your "policies" | "best practices". No software is reliable against zero-day vulnerabilities. Usually, if you noticed, the most known events of damage caused by malware [example: one that encrypts documents and asks for money to decrypt] occurred around not yet known or recently discovered vulnerabilities. Your last defense is these policies. If a user is infected, he will "spread" the virus only where he can "touch", depending on his permission level set by you.
While infected, you can monitor what IPs [domains] it is communicating with and block them. Having ready [bash / batch / python / powershell] scripts that do stuff is a plus. Like adding a line in hosts on all users' PCs to block the virus from communicating with outside, or adding in pfSense a line in iptables or whatever service you use to block what you can.
I see you use pfSense. There are Linux distros as DC [plus Samba and other services] working well with Postfix mail servers.
Think about custom ports: instead of using 3389 [default for RDP], implement and document a custom port picked by you. This is just one idea, one concept from millions out there. Google: "Change the listening port for Remote Desktop on your computer" and you'll find Microsoft's guide on how to do that.
On the Linux side I won't even write about it. Lots of things.
Well, good luck, mate. [I'm not from Australia [but from Romania] but it sounds nice]
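The "ready script" idea from the post above, as an added example that is not part of the original reply: a PowerShell function that sinkholes reported malware domains in the Windows hosts file without duplicating entries, then pushes the same function to other PCs over PowerShell remoting. The domain list and computer names are constructed placeholders; it assumes an elevated session and WinRM enabled on the targets.

```powershell
# Added example, not from the original post. Idempotently map reported malware
# domains to 0.0.0.0 in the hosts file, with a backup and a DNS cache flush.
# Assumptions: run as administrator; WinRM enabled on remote PCs; the domain
# list below is constructed for illustration, not a real indicator feed.

function Add-HostsBlockEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        [string] $HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string] $Tag = 'blocked-by-policy'
    )
    # Keep a backup before touching a file the resolver reads on every lookup.
    Copy-Item -Path $HostsPath -Destination "$HostsPath.bak" -Force
    $existing = Get-Content -Path $HostsPath -ErrorAction Stop
    $added = @()
    foreach ($d in $Domain) {
        $d = $d.Trim().ToLowerInvariant()
        if (-not $d) { continue }
        # Skip names already present on any non-comment line (-contains is
        # case-insensitive), so re-running the script never duplicates lines.
        $already = $existing | Where-Object {
            $_ -notmatch '^\s*#' -and (($_ -split '\s+') -contains $d)
        }
        if ($already) { continue }
        $added += "0.0.0.0`t$d`t# $Tag $(Get-Date -Format yyyy-MM-dd)"
    }
    if ($added.Count -gt 0 -and $PSCmdlet.ShouldProcess($HostsPath, "append $($added.Count) entries")) {
        # hosts must stay plain ASCII; -Encoding Ascii avoids writing a BOM.
        Add-Content -Path $HostsPath -Value $added -Encoding Ascii
        Clear-DnsClientCache
    }
    return $added
}

# Constructed sample list; replace with domains from your own incident data.
$blocklist = @('c2.example-malware.invalid', 'update.example-bad.invalid')

# Local machine first (use -WhatIf to preview the change).
Add-HostsBlockEntry -Domain $blocklist -Verbose

# Fan out to the fleet (hostnames are placeholders). ${function:...} ships the
# function body to each remote session so the same idempotent logic runs there.
$computers = @('PC-01', 'PC-02')
Invoke-Command -ComputerName $computers -ScriptBlock ${function:Add-HostsBlockEntry} -ArgumentList (,$blocklist)
```

Removing an entry later is a matter of filtering out lines carrying the `$Tag` marker and rewriting the file, which is why every added line is tagged and dated.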