A vulnerability scanner flags a critical CVSS score on a legacy system at Baird that cannot be patched. What compensating controls do you recommend?