Question

Securing Files in Windows

asked on December 10, 2022

Hello All,

There is a wealth of information for Laserfiche but I have been unable to find a good enough search string to answer this question. I am concerned about the nature of how .tif files are plainly visible in our Laserfiche storage drive. Laserfiche logins protect people from being able to browse to them in the Laserfiche interfaces, but I am able to log in to the server that actually houses the files and browse to them. While this requires a server level login as a form of protection, I was wondering if there is a feature or configuration I am missing that could further protect the sensitive documents from exfiltration if we are ever compromised. Can anyone point me towards a suggestion or is this just not possible?

Thanks all!

0 0

Replies

replied on December 10, 2022

Trevor, this White Paper has some really good information regarding securing data at rest that should help answer some questions for you.

0 0
replied on December 12, 2022

To follow up on this, here are some additional options:

  1. Implement MFA for RDP sessions to servers. Duo (and I'm sure others) have a good solution for this.
     
  2. Disable file sharing/remote access to your Laserfiche volumes and configure auditing and alerting to trigger if it's re-enabled (assume a theoretical attacker has local admin rights and could re-enable).
    If an attacker gets onto a random server on your network, they shouldn't be able to use File Explorer/robocopy/etc. to access your repo content at UNC path \\RepoServer\D$\Repositories\HumanResources\
     
  3. Apply a Windows audit policy to your repository volumes. If you have a SIEM, configure it to ingest the resulting audit logs and throw alerts whenever any trustee other than the Laserfiche Server service identity attempts to access the repository directory. 
    See also: Audit File Accesses, Read Events on Windows File Servers (note: how-to article from a software vendor with whom we have a relationship).
     
  4. If your endpoint protection solution supports indicating specific servers/directories to watch and alert on for file exfiltration, configure it to watch your repository directories and Forms File Storage volumes (if any).
     
  5. Make exfiltration more difficult by blocking general outbound internet access except to approved sites and/or route external bound traffic through a security proxy that can inspect for and block/alert on exfiltration attempts.
0 0
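
One way to express the alert rule from option 3 above, as an added example that is not part of the original reply and is not Laserfiche code. It assumes audit events reach the SIEM as JSON using the field names of Windows Security event 4663; the service account name, the local path `D:\Repositories` and the sample events are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumptions (not from the thread): the service account name, and D:\Repositories
# as the local path behind the \\RepoServer\D$\Repositories share.
SERVICE_ACCOUNT = "CORP\\svc-laserfiche"  # hypothetical service identity
REPO_ROOT = PureWindowsPath(r"D:\Repositories")

# File-access bits carried in the AccessMask field of Security event 4663.
RIGHTS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x10000: "DELETE"}

# Constructed sample events, one JSON object per line, as a log forwarder might emit.
SAMPLE_EVENTS = r'''
{"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "svc-laserfiche", "ObjectName": "D:\\Repositories\\HumanResources\\0001.tif", "AccessMask": "0x1", "ProcessName": "<laserfiche-server-binary>"}
{"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "ObjectName": "D:\\Repositories\\HumanResources\\0002.tif", "AccessMask": "0x1", "ProcessName": "C:\\Windows\\System32\\Robocopy.exe"}
{"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "ObjectName": "D:\\Repositories2\\notes.txt", "AccessMask": "0x1", "ProcessName": "C:\\Windows\\explorer.exe"}
{"EventID": 4663, "SubjectDomainName": "REPOSERVER", "SubjectUserName": "Administrator", "ObjectName": "d:\\repositories\\HumanResources\\0003.tif", "AccessMask": "0x10000", "ProcessName": "C:\\Windows\\explorer.exe"}
{"EventID": 4624, "TargetUserName": "jdoe"}
'''

def find_unexpected_access(lines):
    """Return one alert per 4663 event under REPO_ROOT not made by SERVICE_ACCOUNT."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4663:  # 4663: an attempt was made to access an object
            continue
        path = PureWindowsPath(ev["ObjectName"])
        # PureWindowsPath compares case-insensitively; checking parents rather than
        # a string prefix keeps the sibling D:\Repositories2 from matching.
        if path != REPO_ROOT and REPO_ROOT not in path.parents:
            continue
        account = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        if account.casefold() == SERVICE_ACCOUNT.casefold():
            continue  # expected trustee: the Laserfiche Server service identity
        mask = int(ev["AccessMask"], 16)
        rights = [name for bit, name in RIGHTS.items() if mask & bit]
        alerts.append({"account": account, "path": str(path), "rights": rights,
                       "process": ev.get("ProcessName", "")})
    return alerts

if __name__ == "__main__":
    for alert in find_unexpected_access(SAMPLE_EVENTS):
        print(alert)
```

Event 4663 is only written once the File System audit subcategory is enabled and the repository folder carries an auditing entry (SACL), so the rule has nothing to match until the audit policy from option 3 is in place.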
replied on December 13, 2022

I must lack the privileges to download the white paper.

0 0