secpol.msc > Local Policies > User Rights Assignments > double-click “Allow Log on through Remote Desktop Services” > remove Administrators and Remote Desktop Users > Add a customized group and/or users

gpedit.msc > Computer Configuration > Adminstrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session host > security > change these settings:

• Set client encryption level = High
• Require secure RPC communication = Enabled
• Require use of specific security layer for remote (RDP) connections = SSL
• Require user authentication for remote connections by using Network Level Authentication = Enabled