Increase security for remote desktop machine - use 2FA and/or limit to LAN connection only?

The article Securing Remote Desktop (RDP) for System Administrators lists these tips:

• Use strong passwords
• Update your software
• Restrict access using firewalls
• Enable Network Level Authentication (enabled by default for Windows 10)
• Limit users who can log in using Remote Desktop (default is all Administrators)
• Set an account lockout policy (lock an account after a number of incorrect guesses)
• Change the listening port for Remote Desktop (default is TCP 3389)
• Do not use other products like VNC or PCAnywhere

For your question about two-factor authentication, I don't believe this exists on Windows 10 Pro, only on Windows Server.

The article The 5 Best Alternatives To Google Authenticator lists six products which have a free plan (but also paid ones) : Google Authenticator, Authy, Duo, HDE OTP, Authenticator Plus, Sound Login Authenticator. I have never used such products, so do not know how useful these are for you.

Based on the current info, my recommendations are:

• By setting up a SSH tunnel, you get an extra layer of authentication, where you can use another username/password or public key authentication to login. You can also enable obfuscation, with a completely different password, like you wanted. That way you also make it harder for someone monitoring the traffic to even see that it's SSH - and to connect, they both need that password and whatever SSH login you set up. Add to that, that it's tunneling RDP traffic, which is also encrypted.
  
  On the Windows machine you can install Bitvise SSH Server and on the Macs, you can add obfuscation support to the built-in OpenSSH with some pathes by ZingLau.
• 2FA might be possible, but it won't be easy or free. The built-in smart card logon requires a Windows Active Directory domain, but there are 3rd party solutions for stand-alone computers. EIDAuthenticate support RDP and is available in a free open source version, but only for Home editions (yet, they are thinking about a "home use program", so contacting them might speed up that thinking). But in your case it might not be enough, since it's only for Windows, and you connects from a Mac.
• Limiting incoming connections to LAN, can easily be done in Windows Firewall.
• General things like strong passwords and updating all computers shall be done of course. I also recommend having separate user and administrator accounts, and only allow the (unprivileged) user accounts to log on via RDP, so the administrator account has to log on locally.
• The next thing I would look at, would be the security on the clients that connects, because if they are compromised, all the other things you have set up doesn't help much. But I'm talking about general security principles, so I won't go into details with that.