I’d like to ask what people on here use for ensuring their “attack surface” on dedicated Windows servers is minimised.
So far this is what we have:
– Weekly vulnerability scan with nmap; this is just to check that only port 443 is open and that the RDP ports are closed to all except the permitted IP addresses
– Reset Windows Firewall weekly with a PowerShell script, to ensure that any rules created by software or Windows are removed again
– Windows Update done weekly
– Check files and software within the server for unexpected changes
– Check event logs for (a) audit failures in the Security log – this means hackers are getting to RDP and trying to connect; (b) check other event logs for unexpected errors
– Check no new user accounts exist and others which are not regularly used are disabled
I don’t know what else we should be doing, but I’d like to run a “tight ship” where any other opportunities to reduce the attack surface are taken. And eventually we’d like to pass a SOC audit, but not quite there yet, maybe.
Thanks in advance!
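One way to script the weekly event-log, firewall and account checks from the list above, as an added example that is not from the original post. It assumes it is run as an administrator on the server itself; the allowed RDP source addresses and the baseline account names are constructed placeholders to be replaced with your own.

```powershell
# Added example for the weekly checks described in the post: failed logon attempts,
# firewall rules that expose RDP too widely, and stale or unexpected local accounts.
# Assumes: run elevated on the server; the allow-list and baseline below are
# constructed placeholders, not values from the post.
$AllowedRdpSources = @('203.0.113.10', '203.0.113.0/24')   # placeholder admin IPs
$KnownAccounts     = @('Administrator', 'svc_app')          # placeholder baseline
$StaleDays         = 90

# (a) Security log: event 4625 = failed logon. Group by source IP and logon type
#     (10 = RemoteInteractive/RDP, 3 = Network) so bursts of guessing stand out.
$since = (Get-Date).AddDays(-7)
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Source=$d['IpAddress']; LogonType=$d['LogonType']; User=$d['TargetUserName'] }
    }
"== Failed logons since $since (by source IP / logon type) =="
$failed | Group-Object Source, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# (b) Firewall: an enabled inbound allow rule for TCP 3389 whose remote address is
#     'Any' or not on the allow-list means RDP is reachable from unexpected sources.
"== Inbound RDP rules with overly broad remote addresses =="
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389')) {
        $addr  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $broad = @($addr | Where-Object { $AllowedRdpSources -notcontains $_ })
        if ($broad.Count -gt 0) { [pscustomobject]@{ Rule=$_.DisplayName; RemoteAddress=($broad -join ',') } }
    }
} | Format-Table -AutoSize

# (c) Local accounts: enabled accounts not on the baseline, or unused for $StaleDays.
"== Local accounts to review =="
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $reason = @()
    if ($KnownAccounts -notcontains $_.Name) { $reason += 'not in baseline' }
    if (-not $_.LastLogon -or $_.LastLogon -lt (Get-Date).AddDays(-$StaleDays)) { $reason += "no logon in $StaleDays days" }
    if ($reason) { [pscustomobject]@{ Account=$_.Name; LastLogon=$_.LastLogon; Reason=($reason -join '; ') } }
} | Format-Table -AutoSize
```

Section (a) relies on the Audit Logon failure subcategory being enabled in the advanced audit policy; without it no 4625 events are written and the first table is empty.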