Well I would suggest using a service that blocks a lot of foreign crap from the getgo.
One of our fellow members has one that he protects his clients with and includes country blocking for example as but one of the prongs of defence.
Check it out......... (for the price of couple of cups of java a month its the best value you will find anywhere in IT)
viewtopic.php?t=137632
In the meantime,
In terms of port forwarding, I would imagine limited access from known external IPs to your Windows Server, should be doable.
Of course in your IP Firewall Filter Forward Chain you will need a rule to allow dstnat and assume you already have this.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat
In your port forwarding rules which are found in IP Firewall NAT, be sure to apply source address to limit access to the server!
example A -single authorized external address, single WAN
add chain=dstnat action=dst-nat
source-address=ALLOWED_EXTERNAL_INTERNET_IP protocol=rdp
in-interface=wan to-addresses=IP_of_local_windows_server to-ports=3389
Here normally one puts in a destination port but the protocol RDP expects it only to be 3389 and thus not required.
In fact you may not even need the to-ports as its implied by the RDP protocol. I put it there in case you have the ability to change the RDP port at the server and wish to do so. In any case it wont hurt.
example B -multiple external addresses, dual WAN
add chain=dstnat action=dst-nat
source-address-Llst=Allowed_RDP_Access protocol=rdp
in-interface-list=wan to-addresses=IP_of_local_windows_server to-ports=3389
In this case you would need to make a firewall address list containing all the allowed external addresses.
add address=external_IP#1 list=Allowed_RDP_Access
add address=external_IP#2 list=Allowed_RDP_Access
etc.........