Add Encryption to Internal Network Communication

You might consider the internal, local network to be safe and free from malicious actors, but it takes only one attacker gaining a foothold to turn that access into leverage for reaching sensitive data. Even when an application does not encrypt data in transit, so that it can be observed by network sniffing, the Windows Firewall built into both the client and server editions of Windows can encrypt it with IPsec. Because the protection happens at the network layer, it is invisible to the application software and no special compatibility is needed. Consider any number of client programs fetching data from a SQL database: the standard connection on port 1433 is not encrypted, and any packet sniffer can see the data!

The solution: use Windows Firewall with Advanced Security to create an IPsec transport-mode security rule with the “Secure Server” option, and then specify the network and port to secure. Group Policy can be used to apply the rule consistently to all of the computers.

The same benefit can also be achieved between Linux and Windows computers by configuring the authentication method as a PSK (pre-shared key). The PSK is essentially a single password used on both ends of the connection, an approach also commonly found on routers in site-to-site VPN connections. Gyp the Cat wrote an excellent article with instructions for securing the network connection between Windows and Ubuntu.
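The rule described above, expressed as an added PowerShell example (NetSecurity module) rather than the wizard steps; it is not from the article or from Gyp the Cat's write-up. One caveat worth building in: a connection security rule by itself negotiates only authentication and integrity, so the quick-mode settings must offer an encrypting ESP proposal or the payload stays readable to a sniffer. The 10.0.0.0/24 client subnet and the GPO path are constructed placeholders.

```powershell
# Added example: run as Administrator on the SQL Server host (Windows 8 / Server 2012 or later).
# On the clients use -RemotePort 1433 instead of -LocalPort 1433, or deploy both rules
# through Group Policy with -PolicyStore "<domain>\<GPO name>" (placeholder).
# Assumption: clients are domain-joined and live in 10.0.0.0/24 (constructed subnet).

# Main mode (IKE phase 1): protects the negotiation itself.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName "SQL-MainMode" -Proposal $mmProposal

# Quick mode (phase 2): the data-protection settings. Offering ONLY an encrypting ESP
# proposal is what makes the SQL traffic unreadable on the wire; the default proposals
# provide integrity without confidentiality.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AESGCM256 -ESPHash AESGMAC256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "SQL-QuickMode-Encrypt" -Proposal $qmProposal

# Authentication: machine Kerberos for domain members. For a Linux peer, as in the
# PSK scenario, substitute:  New-NetIPsecAuthProposal -Machine -PreSharedKey "<shared secret>"
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "SQL-MachineKerberos" -Proposal $authProposal

# Transport-mode rule that requires IPsec in both directions, scoped to the SQL port
# so unrelated traffic is untouched.
New-NetIPsecRule -DisplayName "Require IPsec for SQL 1433" `
    -Mode Transport -Protocol TCP -LocalPort 1433 `
    -LocalAddress Any -RemoteAddress 10.0.0.0/24 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -MainModeCryptoSet $mmSet.Name `
    -QuickModeCryptoSet $qmSet.Name

# Defence in depth: the inbound firewall rule for SQL admits only connections that
# IPsec has both authenticated and encrypted, so a plaintext connection to 1433 is dropped.
New-NetFirewallRule -DisplayName "SQL 1433 (IPsec encrypted only)" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow `
    -Authentication Required -Encryption Required

# Verification once a client has connected: the negotiated security association
# should list an ESP encryption algorithm rather than None.
Get-NetIPsecQuickModeSA | Format-List LocalEndpoint, RemoteEndpoint, EspEncryption
```

Capturing on port 1433 after the rule is active should show ESP packets (IP protocol 50) rather than readable TDS traffic; if plain TCP still appears, check that the quick-mode crypto set actually contains an encryption algorithm.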