What I meant is even doing all this you're effectively a single 0-day away from total compromise and are now dependent on specific workarounds or on getting the update that patches the vulnerability.
Because of this I can't consider the security of the AD as any better or worse than the desktop that connects to it and it's pointless to pretend that you can even have this.
We did have a crypto locker that spread on our network this way between our AD machines. It was launched from an email in the sales department, but due to an unpatched RDP credential attack, it quickly got onto the ADs then spread across the entire WAN.
I'm not saying don't do the things you're suggesting, but you should prepare for the scenario where none of it matters. So one thing you missed which we now have is: WAN KILL SWITCH.
I dunno about that; it sounds like a PC in your sales department could connect to the RDP port on the AD, and the listed controls would have prevented that (RDP port on the DC should be firewalled down to the machines administrators use to connect to them, which per the comment should _not_ include access to emails, just in case the compromise you're describing was actually an email from sales -> system administrator).
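The control in the reply above (RDP on the DC reachable only from the hosts administrators use) as an added example, not code from anyone in this thread. It assumes Windows Defender Firewall on the DC with the default inbound action of Block, and the admin workstation addresses are constructed placeholders.

```powershell
# Constructed: addresses of the privileged admin workstations (placeholders).
$AdminHosts = @('10.0.50.10', '10.0.50.11')

function Set-DcRdpAllowList {
    param([string[]]$RemoteAddress)
    # Disable the built-in "Remote Desktop" allow rules, which accept from Any.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -Enabled False
    # Replace them with one inbound allow rule scoped to the admin hosts. With the
    # profile's default inbound action left at Block, every other source is denied.
    $name = 'DC-RDP-AdminHostsOnly'
    Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -Name $name -DisplayName 'RDP from admin workstations only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $RemoteAddress -Profile Domain -Action Allow | Out-Null
}

function Test-DcRdpExposure {
    # Emits every enabled inbound allow rule that admits TCP/3389 from 'Any'.
    # No output means a random workstation (e.g. a sales PC) cannot reach RDP here.
    # Note: a port range such as '3300-3400' is not expanded by this check.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $addr  = $rule | Get-NetFirewallAddressFilter
        $ports = @($port.LocalPort)
        if ($port.Protocol -eq 'TCP' -and
            ($ports -contains '3389' -or $ports -contains 'Any') -and
            (@($addr.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{ Name = $rule.Name; DisplayName = $rule.DisplayName }
        }
    }
}

Set-DcRdpAllowList -RemoteAddress $AdminHosts
# The Domain profile must actually block unmatched inbound traffic for the allow-list to mean anything.
Get-NetFirewallProfile -Name Domain | Select-Object Name, Enabled, DefaultInboundAction
$exposed = @(Test-DcRdpExposure)
if ($exposed.Count -gt 0) { $exposed | Format-Table -AutoSize }
else { 'No inbound allow rule admits TCP/3389 from Any.' }
```

Run elevated on the DC; Group Policy can re-enable or override local rules, so keep the scoped rule in the GPO that applies to domain controllers rather than only in the local policy.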