Automatically disabling an account after five failed attempts stops automated brute-force tools in their tracks.
Changing the default port from 3389 to a non-standard number can reduce the "noise" from basic automated scanners, though it is not a complete security solution.
This is the single most effective defense. Even if a cracker finds the password, they cannot bypass the second layer of verification.
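The lockout threshold and listening port discussed above can be verified on a host with a read-only audit. The PowerShell below is an added example, not part of the original page; it assumes an elevated session on a Windows host where the local security policy applies, and the temporary file name and variable names are illustrative.

```powershell
# Added example: read-only audit of the account lockout threshold and RDP port.
# Assumption: run from an elevated PowerShell session on the RDP host itself.
$expectedThreshold = 5   # lockout threshold named in the text

# Export the local security policy to a temporary INF file.
# The INF key names are fixed, so this works regardless of display language.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # illustrative file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# LockoutBadCount = failed logons allowed before lockout; 0 means never lock.
$match = Select-String -Path $cfg -Pattern '^\s*LockoutBadCount\s*=\s*(\d+)'
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $match) {
    throw 'LockoutBadCount not found in exported policy (is the session elevated?)'
}
$lockout = [int]$match.Matches[0].Groups[1].Value

# The RDP listener port is stored as a DWORD under the RDP-Tcp WinStation key.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# Summarize the findings as one object so they can be logged or compared.
[pscustomobject]@{
    LockoutThreshold      = $lockout
    LockoutEnabled        = ($lockout -gt 0)
    MeetsFiveAttemptLimit = ($lockout -gt 0 -and $lockout -le $expectedThreshold)
    RdpPort               = $port
    UsesDefaultPort       = ($port -eq 3389)
}
```

A `LockoutThreshold` of 0 means accounts are never locked, so `LockoutEnabled` is the field to check first.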