We only allow RDP from known IP addresses, using IP whitelisting on the perimiter firewall.