What are some defense recommendations against RDP tunneling attacks?

Defenders should restrict RDP file sharing and virtual channel usage, monitor for unusual RDP connections, and limit which users can establish RDP sessions. Enabling Network Level Authentication (NLA) and using RDP gateways with proper logging can help detect such tunneling attempts. For more context on RDP abuse scenarios, see Penetration Techniques - Multi-user Login for Windows Remote Desktop to understand how attackers may escalate privileges on RDP hosts.