While one option would be to use IPsec, it can be a PITA to get set up to run reliably across any network - tunnelled protocols are much more robust.
If it were me, I'd drop the built-in encryption/random obscure port number/complex password and route the connection using stunnel with client certificate validation (and using a simpler password). That way you can limit access to a device holding the right client certificate (or a certificate signed by the right CA).
Running your own Certification Authority may be overkill for just one remote user - several CAs provide signed certs for email use relatively cheaply (compared with certs for use in webservers / VPNs). Indeed, Thawte used to give them out for free; Entrust currently charge 20 USD/annum. But it's not that hard to create your own CA (although I've never tried to set up a CA on MS Windows).
Then firewall direct access to the RDP port on the desktop and only allow connections from the IP address where the server-side stunnel is running.
I've previously used such a setup for VNC, mail and telnet (yes, I know - it's a long story) for road warriors. RDP will work on this kind of setup.
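The setup described in this answer, as an added example that is not part of the original post: a small private CA built with openssl, a server cert for the stunnel listener and a client cert for the road warrior, the two stunnel configs (server side requiring a client cert signed by that CA), and the firewall rule for the desktop. The hostnames, file paths, ports and the RFC 5737 addresses are assumptions for illustration; adjust them to your network.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds a throwaway CA, issues a
# server and a client certificate from it, and writes stunnel configs that only
# admit clients whose certificate chains to that CA. Names, paths and addresses
# are assumptions for illustration.
set -eu

WORK="${WORK:-./stunnel-rdp}"
DESKTOP_IP="192.0.2.10"      # assumed: desktop whose RDP port is being protected
GATEWAY_IP="198.51.100.5"    # assumed: host running the server-side stunnel
TUNNEL_PORT=3390             # assumed: port the gateway exposes to the Internet

# Sign a key/cert pair with our CA. $1 = file prefix, $2 = certificate CN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -out "$WORK/$1.pem" 2>/dev/null
}

# Self-signed CA plus one cert for the gateway and one for the laptop.
make_ca_and_certs() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Home RDP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  issue_cert server rdp-gateway
  issue_cert client laptop
}

# Same check stunnel performs on each connection: does the cert chain to our CA?
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# A cert with the right name but from some other issuer must be rejected.
rogue_cert_is_rejected() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=laptop" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
  ! openssl verify -CAfile "$WORK/ca.pem" "$WORK/rogue.pem" >/dev/null 2>&1
}

# Global options apply to every service section that follows them.
write_configs() {
  cat > "$WORK/stunnel-server.conf" <<EOF
; server side, running on $GATEWAY_IP: terminates TLS, forwards to the desktop
cert        = $WORK/server.pem
key         = $WORK/server.key
CAfile      = $WORK/ca.pem
; require a client certificate and verify its chain up to our CA
verifyChain = yes

[rdp]
accept  = 0.0.0.0:$TUNNEL_PORT
connect = $DESKTOP_IP:3389
EOF
  cat > "$WORK/stunnel-client.conf" <<EOF
; road warrior's laptop: point mstsc at 127.0.0.1:13389
client      = yes
cert        = $WORK/client.pem
key         = $WORK/client.key
CAfile      = $WORK/ca.pem
; the laptop also checks that it is talking to our gateway, not an impostor
verifyChain = yes
checkHost   = rdp-gateway

[rdp]
accept  = 127.0.0.1:13389
connect = $GATEWAY_IP:$TUNNEL_PORT
EOF
}

# Rule for the desktop itself: RDP only from the gateway's address. Printed, not
# run, since the desktop is a different machine; the Windows form replaces the
# stock "Remote Desktop" allow rule, the iptables form is for a Linux desktop.
firewall_rule_for_desktop() {
  printf '%s\n' \
    "netsh advfirewall firewall add rule name=\"RDP from stunnel gateway only\" dir=in action=allow protocol=TCP localport=3389 remoteip=$GATEWAY_IP" \
    "iptables -A INPUT -p tcp --dport 3389 -s $GATEWAY_IP -j ACCEPT; iptables -A INPUT -p tcp --dport 3389 -j DROP"
}

make_ca_and_certs
write_configs
verify_client_cert
echo "client.pem accepted: signed by our CA"
rogue_cert_is_rejected
echo "rogue.pem rejected: not signed by our CA"
firewall_rule_for_desktop
```

Copy `client.pem`, `client.key` and `ca.pem` to the laptop and `server.pem`, `server.key` and `ca.pem` to the gateway; `ca.key` stays offline. Adding a second road warrior is then just another `issue_cert`, and revoking one is a matter of regenerating the CA or adding a `CRLfile`. Older stunnel releases spell the client-cert requirement `verify = 2` instead of `verifyChain = yes`.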