As with any technology -- limit your surface area. Do not leave plain jane RDP open to the world. Require a VPN, or some other sort of pass-through authentication from a trusted vendor (web-ssl gateway, etc).
For internal use -- standard password management policies should be in place with lockouts configured. Configure RDP to use the highest level of security (force RDP to use 128-bit encryption via GPO). RDP is at least as secure as VIC or most KVMs. Millions of people use Citrix or Terminal Services daily. VIC and a KVM simply don't have this number of installed devices, or people attempting to exploit them. Given two competing mature technologies with no known exploit, I would consider the one with an installed base many magnitudes larger more secure than the one with a limited installation base typically shrouded inside a private network with proprietary one-vendor tools.
For external clients I would consider a third-party secure SSL VPN gateway with client certificate authentication if you want that level of security.
If you seriously don't trust RDP, but do trust, say, SSH... there is a commercial RDP-over-SSH application called WiSSH that can implement two-factor authentication along with two separate layers of security.
RDP has been an option on every installation of Windows XP Professional and Windows Server since 2000. It is the remote access management tool for Windows Servers, and has seen very few vulnerabilities in the past 9 years. Even WindowsSecurity.com's list of suggestions is banal in its complexity, and mirrors any other management system's best practices.
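The answer above says to force the highest RDP encryption level via GPO and keep lockout policy in place. As an added example (my own, not code from the answer or from Microsoft), here is a PowerShell audit of the listener settings those GPO policies write to the registry, plus the lockout threshold and the firewall exposure of port 3389. It assumes an elevated shell on the host being checked and the built-in `NetSecurity` module (Windows 8 / Server 2012 or later) for the firewall query; the `-Fix` switch is my own addition and only touches the three RDP-Tcp values shown.

```powershell
<#
  Added example: audit (and optionally tighten) the local RDP listener.
  Registry values below are the ones the GPO "Remote Desktop Session Host >
  Security" policies control; value meanings:
    MinEncryptionLevel : 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
    SecurityLayer      : 0 = RDP Security Layer, 1 = Negotiate, 2 = TLS
    UserAuthentication : 1 = Network Level Authentication required
#>
param([switch]$Fix)

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$listener = Get-ItemProperty -Path $rdpTcp
$tsRoot   = Get-ItemProperty -Path $ts

# Desired baseline (assumption: TLS + NLA + 128-bit is the target on this host)
$wanted = @{
    MinEncryptionLevel = 3
    SecurityLayer      = 2
    UserAuthentication = 1
}

$findings = foreach ($name in $wanted.Keys) {
    $actual = $listener.$name
    [pscustomobject]@{
        Setting = $name
        Actual  = $actual
        Wanted  = $wanted[$name]
        Ok      = ($actual -ge $wanted[$name])
    }
}
$findings | Format-Table -AutoSize

"RDP enabled on this host: " + ($tsRoot.fDenyTSConnections -eq 0)

# Account lockout threshold (0 means lockout is not configured at all)
$lockout = (net accounts | Select-String 'Lockout threshold').Line
"Lockout policy: $lockout"

# Which firewall profiles expose the RDP rules (Domain-only is what you want
# for an internal-use host; Public means the listener is reachable anywhere)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Profile, Direction, Action | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings | Where-Object { -not $_.Ok }) {
        # Writing these values directly is the manual equivalent of the GPO;
        # on a domain member the GPO will overwrite them at next refresh.
        Set-ItemProperty -Path $rdpTcp -Name $f.Setting -Value $f.Wanted
        "Set $($f.Setting) -> $($f.Wanted)"
    }
}
```

Run it once without `-Fix` to see the gap; a host showing `SecurityLayer 0` or `UserAuthentication 0` is accepting the legacy RDP security layer without NLA, which is exactly the "plain Jane RDP" the answer warns against exposing.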
Best Answer
Sure, you can use the NET command:
This would add the domain user domian\jscott to the local group Remote Desktop Users. If you'd like to add a non-domain user, simply leave off the domain prefix:
This would add the local user keyoke to the local group Remote Desktop Users.
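As an added example (my own, not the answer's command lines), the same procedure written so it can be re-run safely: check current membership first, add a domain account and a local account to Remote Desktop Users only if they are not already there, and then list the group so you can see who else has RDP rights. The account names are placeholders I chose; the `Add-LocalGroupMember`/`Get-LocalGroupMember` cmdlets are the built-in `LocalAccounts` module on Windows 10 / Server 2016 and later, while the `net localgroup` lines work on every Windows version including the older hosts the thread is about.

```powershell
# Added example: idempotent membership management for "Remote Desktop Users".
# Run in an elevated shell on the target host.
$group      = 'Remote Desktop Users'
$domainUser = 'CONTOSO\jscott'   # assumed domain account (placeholder)
$localUser  = 'keyoke'           # assumed local account (placeholder)

function Add-RdpUserIfMissing {
    param([string]$Account)

    # `net localgroup <group>` prints current members one per line;
    # domain members appear as DOMAIN\name, local members as bare name.
    $current = net localgroup $group
    if ($current -match ('^' + [regex]::Escape($Account) + '$')) {
        "Already a member: $Account"
        return
    }

    # Classic NET command, as in the answer; works on XP/2003 onward.
    net localgroup $group $Account /add
    if ($LASTEXITCODE -ne 0) {
        throw "Failed to add $Account to '$group' (net exit code $LASTEXITCODE)"
    }
    "Added: $Account"
}

Add-RdpUserIfMissing -Account $domainUser
Add-RdpUserIfMissing -Account $localUser

# Review the whole group, not just the accounts you touched: anything here
# can log on interactively over RDP to this host.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    Get-LocalGroupMember -Group $group |
        Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize
} else {
    net localgroup $group
}

# To revoke later:
#   net localgroup $group $localUser /delete
```

Membership of Remote Desktop Users only grants access because the default "Allow log on through Remote Desktop Services" user right includes that group; if a GPO has replaced that right with an explicit list of accounts, the group add alone will not let the user in.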