If a Server has services available on the Internet without a VPN then there is always a security Risk…
One suggestion would be to use the PSD value on the Firewall, which actually detects TCP and/or UDP Scans…
A nice explanation is here: http://forum.mikrotik.com/t/can-someone-please-explain-the-psd-attributes/98488/1
Also make sure you do not open any RDP ports for public use… Even changing the Public Port does not make any big difference…
Port Knocking is also a well-known technique, where you first need to reach a Port X that will give you access to a Port Y…
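
A RouterOS firewall configuration for the two suggestions above (PSD scan detection and single-port knocking), added here as an example and not part of the original post. The address-list names, the timeouts, and the ports 7001 (Port X) and 22 (Port Y) are assumptions chosen for illustration; `21,3s,3,1` is the RouterOS default PSD value.

```routeros
# Added example: list names, ports and timeouts are constructed values.
/ip firewall filter

# Keep replies to the router's own connections working.
add chain=input connection-state=established,related action=accept \
    comment="allow established/related"

# PSD = WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
# 21,3s,3,1: a source is flagged once packets to different ports, each
# arriving within 3s of the previous one, add up to a weight of 21
# (ports below 1024 count 3, ports 1024 and above count 1).
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d comment="PSD: record TCP port scanners"

# Flagged sources are dropped before they can reach the knock rule,
# so a sweep across all ports does not count as a valid knock.
add chain=input src-address-list=port-scanners action=drop \
    comment="drop recorded scanners"

# Port knocking, step 1: a new connection to Port X (7001) puts the
# source address on a short-lived list.
add chain=input protocol=tcp dst-port=7001 connection-state=new \
    action=add-src-to-address-list address-list=knocked \
    address-list-timeout=30s comment="knock on Port X"

# Step 2: Port Y (22) is reachable only from addresses that knocked
# within the last 30 seconds; everyone else is dropped.
add chain=input protocol=tcp dst-port=22 src-address-list=knocked \
    action=accept comment="Port Y open after knock"
add chain=input protocol=tcp dst-port=22 action=drop \
    comment="Port Y closed otherwise"
```

Rule order matters: RouterOS evaluates filter rules top to bottom, so the scanner drop has to sit above the knock rule.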