As one tech guy says, the longer your passwords, the more likely your staff will write them on a post-it note and stick it on their monitor. Random eight-character passwords that are easy to remember but difficult to guess are great.
I used to do the same thing. A friend of mine who used RDP would have over 1,000 hack attempts per day, sometimes way more. His good password, along with only five password attempts before a 20 minute lockout, is what saved him. I told him to close port 3389, and the next day: zero attempts. Any hacker with a scanner will find 3389 every time, and they know what is behind it. You may have good passwords and lockouts, but most won't. And why let them get to the front door anyway? Now, with 2008, it is probably the safest way to log in.
Besides, if you ever set someone up and explain for two hours the value of passwords, they will still change it to pass1234.
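A defender's-side illustration of the two controls mentioned in the thread, counting RDP logon failures per source address and replaying the "five attempts, then a 20 minute lockout" policy. This is an added Python example, not code from anyone in the thread; the Security-log records, account names and addresses are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Lockout policy from the post: five failed attempts, then a 20 minute lockout.
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=20)

# Constructed sample Security log records (not real data):
# (timestamp, event_id, logon_type, account, source_ip)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-01-01 02:00:00", 4625, 10, "administrator", "198.51.100.7"),
    ("2024-01-01 02:00:01", 4625, 10, "administrator", "198.51.100.7"),
    ("2024-01-01 02:00:02", 4625, 10, "administrator", "198.51.100.7"),
    ("2024-01-01 02:00:03", 4625, 10, "administrator", "198.51.100.7"),
    ("2024-01-01 02:00:04", 4625, 10, "administrator", "198.51.100.7"),  # 5th failure: account locks
    ("2024-01-01 02:00:05", 4625, 10, "administrator", "198.51.100.7"),  # refused, locked
    ("2024-01-01 02:10:00", 4625, 10, "administrator", "198.51.100.7"),  # refused, still locked
    ("2024-01-01 02:25:00", 4625, 10, "administrator", "198.51.100.7"),  # lockout expired, counts again
    ("2024-01-01 08:00:00", 4625, 2,  "alice", "192.0.2.10"),           # console typo, not RDP
    ("2024-01-01 08:00:30", 4624, 10, "alice", "192.0.2.10"),           # successful RDP logon
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def rdp_failures_by_source(events):
    """Count RDP (logon type 10) failures per source IP: the daily
    'hack attempts' the post describes, broken down by who is knocking."""
    counts = Counter()
    for _ts, event_id, logon_type, _account, src in events:
        if event_id == 4625 and logon_type == 10:
            counts[src] += 1
    return dict(counts)

def replay_lockout(events, threshold=MAX_FAILURES, duration=LOCKOUT):
    """Replay the attempts against the per-account lockout policy and return how
    many guesses were refused without being evaluated at all."""
    failures = defaultdict(list)   # account -> failures since last success/lock
    locked_until = {}              # account -> time the lockout ends
    refused = 0
    for ts, event_id, _logon_type, account, _src in events:
        when = parse(ts)
        if locked_until.get(account, when) > when:
            refused += 1           # attacker burns a guess on a locked account
            continue
        if event_id == 4625:
            failures[account].append(when)
            if len(failures[account]) >= threshold:
                locked_until[account] = when + duration
                failures[account].clear()
        else:
            failures[account].clear()  # a good logon resets the counter
    return refused
```

Eight RDP failures arrive from one address, yet the lockout lets only six of them be evaluated; with the port closed, as the post says, none would arrive at all.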