Prevent lateral movement via RDP connection

Consider the following situation:
We have an ancient VPN server (Windows-based L2TP with PSK), and we give user Jessy access to our private network. Jessy is a technician who connects via RDP to one specific server to manage it, etc.

What we can do via regular means of network protection, if we don't want Jessy or someone who knows her credentials to walk around our whole network, is the following (to my knowledge):

  • Limit logon hours
  • Create a NAP/NPS policy
  • Create a GPO so that Jessy can log on only to that specific server and nothing else
  • Create local firewall rules that will ensure Jessy is working via RDP and not scanning our network or trying MiTM attacks on privileged workstations
  • And so on and so forth

So my question is: what can we do with Cloudflare Zero Trust to achieve this goal? I mean the simplest setup, just to show it as a POC to my boss.

Can you describe what this setup could look like?

P.S. I've managed to create a WARP-to-WARP network with MFA, but I don't see anything that can prevent a user from breaking the rules once he has got into his server…

Thank you