Re: .NET 4.0.30319
Moving away from port 3389 helps A LOT. As does enabling account lockout on Windows Server, to disable the account for 30 mins or so after 3 unsuccessful password attempts.
Trouble is, you can't set a timeout for the administrator account. Or rather, the administrator account isn't subject to the timeout. So you also need to remember to rename the admin account to something else.
Also, setting an account lockout can have other serious unintended consequences. For example, most SharePoint books suggest that you use sp_admin as your farm admin username. And lots of people do. So anyone who RDPs into a SharePoint server can bring it down by attempting to log in as sp_admin and getting the password wrong a few times. Because, chances are, that's the account the SharePoint server uses to talk to its SQL Server back end.
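One way to audit the three points raised in this reply (lockout policy, the built-in Administrator's exemption and default name, the RDP listener port) plus the lockout side effect, as an added example that is not part of the original post. It assumes an elevated PowerShell on Windows Server 2016 or later (for Get-LocalUser) and the standard RDP-Tcp registry key; everything else comes from `net accounts` and the Security log.

```powershell
# Added audit snippet (not from the original post). Assumes Get-LocalUser
# (Server 2016+) and the default RDP-Tcp WinStations registry path.

# 1. Lockout policy: parse 'net accounts' for threshold and duration.
$acct      = net accounts
$threshold = ($acct | Select-String 'Lockout threshold:\s+(.+)$').Matches[0].Groups[1].Value.Trim()
$duration  = ($acct | Select-String 'Lockout duration \(minutes\):\s+(.+)$').Matches[0].Groups[1].Value.Trim()
if ($threshold -match 'Never') {
    Write-Warning "No account lockout threshold is set."
} else {
    Write-Host "Lockout after $threshold bad attempts, for $duration minutes."
}

# 2. The built-in Administrator (RID 500) is not locked out by this policy,
#    so check whether it still carries its well-known default name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Name -eq 'Administrator') {
    Write-Warning "Built-in Administrator still has its default name; rename it."
} else {
    Write-Host "Built-in admin account is renamed to '$($builtin.Name)' (enabled: $($builtin.Enabled))."
}

# 3. RDP listener port: the default 3389 attracts most of the guessing traffic.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp    = Get-ItemProperty -Path $rdpKey
if ($rdp.PortNumber -eq 3389) {
    Write-Warning "RDP is still listening on the default port 3389."
} else {
    Write-Host "RDP listener port: $($rdp.PortNumber)"
}

# 4. Lockout side effect: a service account such as the SharePoint farm
#    account can be locked by bad guesses at the RDP prompt. Security event
#    4740 records each lockout; its first two properties are the locked
#    account name and the caller computer name, which shows where the
#    attempts came from.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        '{0}  locked out: {1}  from: {2}' -f $_.TimeCreated, $p[0].Value, $p[1].Value
    }
```

For domain accounts, the 4740 events are written on the domain controller rather than on the member server, so run step 4 there when the farm account is a domain account.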