Install all possible updates from MS, install (configure) furrywall and a / c and don't worry.

Windows Server 2008 R2 is already inherently insecure if you don't have an extended subscription to receive updates.
The correct option is to update the OS.
The only thing that can be advised as a collective farm is to raise the RDP Gateway on Windows Server 2016 \ 2019 and open access to the terminal server only through the Gateway, prohibiting everything else with a firewall.
All other options will cost more than an OS upgrade license.

It's safe enough locally.
All you need to do is disable unused and obsolete services like old versions of SMB, and set up a firewall.
In the firewall, block everything that you do not use.
And access via RDP is limited to a pool of local addresses.

From what you've read:
This is just the time when a malware or an insider pro exploits one of the vulnerabilities for 2020-2021
An attack can be from a neighboring server (DC, for example, since your terminal is old, then from a DC)
And this will happen, but you and PC personal are used.
OpenVPN also go by the button that is stored in the operating system, which means it can be stolen and the attacker will generally connect with his kali linux.
How can you secure the connection from them to the RDP protocol so that only the correct and necessary are passed through, and the suspicious ones are discarded?
Refuse personal home devices or implement MDM, but apparently it’s also not your option for money, of course the Zero trust concept is correct.
Two-factor + one-time password not via SMS.
EDR on each device, including on the terminal, with rules for blocking the device if the risk is exceeded. Terminal output from the domain. Transferring it to a segment where there are no other servers. Setting up according to the baseline from MS and turning off unnecessary things on it even more. Minimization of access from the server somewhere to the network, for example, not giving access to personal data from it (read 152-FZ and by-laws) and other information of your customers. Collection of logs from it to another device and analysis of security events in the logs.

Long ago they came up with SZIotNSD

Are there any real-time traffic analyzers that can distinguish a "correct" user connection to RDP from some kind of attack on the same RDP or another service? And on these packets to identify the "violator" and block him?

Is Windows Server 2008 R2 completely secure against threats on the local network?