First System Restore Protection
You can activate a system protection, a kind of Time Machine for a volume that needs to be protected. However, you don´t always have a control when system restore point is created. It might be useful in case the attacker is able to get into the system and corrupt system values, modify registry keys, or damages system files so the system crashes and is unable to boot. This is a smart move, but does not protect the data itself.
To activate system protection on Windows Server 2016:
Right click Start > System > Advanced System Settings > System Protection TAB
And then create a manual restore point
immediately. You can do that after activation only, because otherwise,
as you can see above, the button is grayed out
Now imagine that your system is corrupted and cannot boot. You can boot through Windows DVD and launch system restore from command line with:
Wizard based as well.