Let me bring my question back from a different angle. If you were paying for a hosted, fully managed terminal server, what would be your expectations for how it would be secured?
Personally, I would sleep fine at night with RDP exposed, but with 2-step authentication, and good log monitoring (and enforcing the security built into RDP and Windows authentication). However, maybe that is not enough for a professional solution.
You can add RDPGuard to the RDS server too.
Although, like @travisdh1 stated, put HTTPS in front and you're all good. I use an SSL-VPN myself.