I blocked all ports then I made some rules;
Deny All
Allow All > Port 21,25,53,80,110,443,8443
Allow Only From MY IP ( Static DSL IP ) > Port 3389 ( RDP )
If you block 3389 ( RDP ), they can only create user but they can not login.
If you don't block 3389 ( RDP ), they create user, add...