First ensure you have the latest updates to Win 7 or Win 10. Don't use older Operating Systems. Microsoft dropped the ball 3 times already where a hacker could send a specially crafted packet that would contain a command that would be executed under the System user. So without logging in, a hacker could add a user and promote it to an administrator. Then log in with that. Patches were released in May 2018. Since then, I've left a test VM exposed to the internet and so far it hasn't been hacked. But due to the disappointing track record, I would NOT trust RDP.
- Port Knock. Set a firewall rule that when you try to connect to port 3350 (or whatever), then add the source IP to an RDP_OK list with a timeout of 60 seconds. Only allow IPs on that list to access port 3389 (or even better, change that port). Next create another rule that says any TCP connection attempts to 3349 and 3351, put them on a BAN_LIST. Create another rule that says to drop all packets from a banned IP. Move that rule to the top. This will prevent port scanners from triggering the knock port. So now, in the RDP client, try to connect to port 3350 which will fail, but then try to connect to 3389. You have 60 seconds to create the connection. Once connected, it'll stay connected. If you disconnected after 60 seconds, you have to knock again.
- Use stunnel with client side certificates. And change the RDP port. A hacker can't hit RDP until they present a valid client side certificate.
- Use a VPN. SSTP will get around airport firewalls. SSTP performs well enough for RDP for me. L2TP/IPSec is compatible with Android, iOS and Windows.
- Changing port only is NOT good enough.