Windows: How can I reproduce exactly the same blank-password security but with non-blank password?
ANSWER:
Deny your account remote access in Local Security Settings (secpol.msc) under Local Policies → User Rights Assignment. (This can also be modified via group policy.)
The policies to change are:
- “Deny access to this computer from the network” (for network logins such as file sharing)
- “Deny log on through Terminal Services” (for interactive logins using Remote Desktop)
- “Deny log on as a batch job” (for batch logins using Scheduled Tasks)
You cannot disallow usage of such tools as runas for specific accounts, only disable this functionality system-wide (by disabling the “Secondary Logon” service, which may break some Windows features). However, this is not a problem in your case, since the attacker cannot use runas without already having broken into another account.
But note that Windows has a history of vulnerabilities in all of its network services that would allow bypassing authentication entirely, in some way or other. It is best to not expose SMB or Remote Desktop to the Internet at all.
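The same three "Deny ..." user rights can be applied without clicking through secpol.msc. The script below is an added example, not part of the original answer: it uses secedit to export the current local policy, merges the target account's SID into the three deny rights so existing entries are kept, applies the result, and re-exports to verify. The account name `alice` is an assumed placeholder; run it from an elevated PowerShell prompt. On a domain-joined machine a domain GPO that sets the same rights will override the local values on the next policy refresh.

```powershell
# Added example (not from the original answer): deny one local account the
# network, Remote Desktop and batch logon types via secedit.
# $Account is an assumed placeholder; replace it with the real local account.
$Account = 'alice'

# secedit's [Privilege Rights] section takes accounts as *<SID>, so resolve the name first.
$nt  = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Policy names behind the three entries in User Rights Assignment.
$rights = @(
    'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
    'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Terminal Services (Remote Desktop)
    'SeDenyBatchLogonRight'               # Deny log on as a batch job (Scheduled Tasks)
)

$work = Join-Path $env:TEMP 'deny-rights'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$cfg = Join-Path $work 'current.inf'

# Export the current local security policy; /configure replaces each listed right
# with exactly the accounts in the template, so we must merge, not overwrite.
secedit /export /cfg $cfg /quiet | Out-Null
$export = Get-Content $cfg

$template = @('[Unicode]', 'Unicode=yes',
              '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
              '[Privilege Rights]')
foreach ($right in $rights) {
    $line = $export | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $existing = @()
    if ($line) {
        $existing = @((($line -split '=', 2)[1].Trim() -split ',') | Where-Object { $_ })
    }
    if ($existing -notcontains "*$sid") { $existing += "*$sid" }
    $template += "$right = " + ($existing -join ',')
}

# Templates must be written as UTF-16 for secedit to read them.
$tpl = Join-Path $work 'deny.inf'
Set-Content -Path $tpl -Value $template -Encoding Unicode

# Apply only the user-rights area; takes effect immediately, no reboot needed.
secedit /configure /db (Join-Path $work 'deny.sdb') /cfg $tpl /areas USER_RIGHTS /quiet

# Verify: re-export and show the three deny rights, which should now include *$sid.
secedit /export /cfg $cfg /quiet | Out-Null
Get-Content $cfg | Where-Object { $_ -match '^SeDeny(Network|RemoteInteractive|Batch)LogonRight' }

# Optional, system-wide only, and may break features that rely on it (see the answer):
# Set-Service -Name seclogon -StartupType Disabled; Stop-Service -Name seclogon
```

Local (interactive) logon at the console is untouched, which is the same effective scope as the blank-password restriction the question asks about. If you later need to undo the change, re-run the merge with the SID removed from each list, or edit the entries in secpol.msc.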