Help me secure my Windows Server 2016.

[Calby]

Hi,
I have a Windows Server 2016 running and I need some help to secure it.

I run this things on the server:

• Plex media server
• Transmission Downloader
• Running VM's trough Hyper-V (manage from the client)
• SMB Share inside the LAN (offline files)

I'll add this to the server in the future:

• OpenVPN or l2tp/ipsec VPN
• WSUS

What I have done so far is:

• Uninstall SMB v1
• Disabled the Administrator account and created a new one with new name that have restrictions and need to run things "as administrator" it can't just do admin stuff, but the account have the Administrator rights.
  
• Installed Kaspersky Small Office 5
• I have put a password (strong one) on Kaspersky so if I want to modify it or remove it you need to write the password.
• Kaspersky 'll do a "fast search" every night and a full one once a week and rootkit scan every 6h.
• Every port that I have open I have put Kaspersky Small Office 5 to watch over
  
• Blocked the SMB share users can't login on the server etc. they can only access the SMB share.
• I have enabled the firewall in my Asus router.
• Blacklisted the port 3389 in my Asus firewall.
• Installed Windows Server backup that are running every 3h to a external HDD.
• I do have strong passwords on every user, it's 24 signs with both upper and lower cases, numbers and special signs created by a password manager application and every account have different password.
• Change in GPO so if you put in the wrong password 5 times within 60min windows the account 'll bee blocked for 60min.

Wow, I guess that I have a pretty tight security but I guess it can bee better.
When I did run Ubuntu server I did have a tool called fail2ban that did search trough the log files and then ban all bruteforce or other attacks attempt that was logged in the logs.
Does Windows have that kind of feater or 3rd party software?

 

[Neemobeer]

Here's a big list of what the DoD requires on their systems.
General Purpose Operating System SRG