I think you can:
- block port 3389 (outbound) on a firewall
- remove C:\windows\system32\mstsc.exe or at least rename it or set advanced permissions so non-admins users are not able to execute the file
- set AppLocker policy: https://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-po...
