* Scan external ranges for RDP open to the Internet, if found ensure it is configured with NLA 1/
* Examine netflow for abnormally long connections that shouldn't be there, e.g. illicit outbound VPNs used as a reverse tunnel for access. 2/
* In addition to RDP exposed to the Internet, what other ports are there? SSH? 3/