I've managed to lock down using authorization in the web.config:
<location path="CMSDesk">
<system.web>
<authorization>
<allow roles="CMSDeskAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
system.web>
<authorization>
<deny users="?"/>
</authorization>
.....
Which resolves this issue.
I'd be interested to know if it is possible to change/alias the CMSDesk path though?