The latest reason to never expose RDP to the Internet
-
https://arstechnica.com/information-technology/2019/08/microsoft-warns-of-more-wormable-bugs-this-time-in-new-versions-of-windows/
Similar to the so-called BlueKeep vulnerability Microsoft patched in May, the four bugs the company patched on Tuesday reside in Remote Desktop Services (RDS), which allow a user to take control of a remote computer or virtual machine over a network connection. The bugs—indexed as CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226—make it possible for unauthenticated attackers to execute malicious code by sending a specially crafted message when a protection known as Network Level Authentication is turned off, as is often done in large organizations.
Don't be lazy. Put it all behind a VPN.