We have Remote Desktop Terminal Services Gateway on Server 2008 R2 for staff to use from home. Domain administrator accounts as well as staff can log on. This seems to me to be a big security hole - anyone could use a dictionary attack on my domain admin account (I have a good password).

I've removed administrators from the user groups in the Connection and Resource Authorization Policies.

Admins can still connect to the gateway, but can't log on to the desktop. Is there any way of stopping domain admin accounts from authenticating?