What I recommend here is to use a VPN service or otherwise assign a fixed IP# to the admin computer on the network. If you are using DHCP in your network, you would need to allocate an ip from the pool outside the regular IP# pool, and assign it to the computer. Likewise an account with an VPN provider like Strong VPN would give you a fixed IP.
Then restrict by firewall access the the IP# that belongs to the admin(s) computer.
This would require the login to come from only one IP #, even if you had the account/password you would not get access to the service.
This has the effect of adding a 2nd factor for login: the IP#. It is quite secure for this reason.
I personally use the VPN provider approach. My admin team all have static IP#s. All admin services on the network like RDP/SSH/CI-CD servers are secured against a tight list of known IPs.