The “how” depends on the target systems. For example, non-Windows systems like Linux, UNIX, Cisco, PaloAlto, etc. will use SSH. SSH encrypts the entire session from end to end using a variety of encryption ciphers that will be negotiated based on your endpoint’s configuration. For Windows, a password change encrypts the payload automatically when the RPC call is made. Other systems may employ additional methods such as TLS, SSH, SSL, etc., and is endpoint specific.
Additionally, you may choose to implement additional transport and session layer protections for all network communications such as IPSec with ESP and/or AH to encrypt all communications to and from the server and/or help prevent various MITM or replay attacks.