Put a non-standard port in NAT
And everything else in FW, if port 3389 is scanned, add it to ACL, after that you drop the same ACL.
The second option is a VPN.
The third option is an RDP gateway and port 443 or custom.
This is your custom port.

 /ip firewall nat> add chain=dstnat protocol=tcp in-interface=ether1 port=33389 action=dst-nat to-addresses=192.168.192.
168 to-ports=3389

//Блочим всех кто в списке
 /ip firewall filter> add chain=input address-list=block action=drop 

//Добавим в список того, кто по новым соединениям собрался на 3389 
 /ip firewall filter> add dst-port=3389 connection-state=new in-interface=ether1 action=add-dst-to-address-list address-
list=block chain=input

Your case can be solved in different ways (besides what has already been advised)
option 1: Remote Desktop Gateway
option 2: MFA

I would arrange it according to "decency" like this:
1. RDS Gateway and / or vpn to taste (anyconnect, ipsec + l2tp, etc.)
2. vpn to taste (anyconnect, ipsec + l2tp, etc.)
hide port in non-standard ones - well, it’s from
shkolota , perhaps, although now
shkolota doesn’t scan with his hands = bots from different addresses scan all ranges of ports, at first known ports at most to the ports involved (telnet, ftp, ssh, sql, mysql, sip, etc.)
, as a result, the bot poked into the port from the list - without having time to get a response, it dropped and got into the list and there is no more response even from the "correct" ports.
On Mikrotik, these are actually two lines:
input rule if src addr is in the blacklist
input rule with the action add src to list - put in the blacklist
I have about 2-4 thousand addresses hanging on this sweet stick with a cleaning period of 10 days
ps , forgetting to specify the port and rest)