Either you don't use RDP completely, or restrict the RDP to allow connections only from computers running Remote Desktop with Network Level Authentication, then configure the user list that can RDP into the server. Then on the report you can indicate that's your remediation steps to reduce the risk.