Enable Kerberos or Secure RPC if possible.
Disable any RPC service you don't need, especially rexd.
Use a short window for Secure RPC reauthentication.
Put keylogout in your logout file if you are running secure RPC.
Make sure that your version of portmapper does not do proxy forwarding.
If your version of portmapper has a "securenets" feature, configure the program so that it restricts which machines can send requests to your portmapper. If this feature is not present, contact your vendor and ask when it will be supported.