My approach was to set it all up internally, create a wireguard VPN accesspoint and only open that up. That way I don’t have as much to worry as much within the network (still use generated passwords for things) and able to access it anywhere.
Granted, you asked about opening up to the www. I’d suggest buying a domain through cloudfront, setting up an nginx instance that proxies traffic (think nextcloud.mydomain.com), and have it only accept connections from cloudfront servers.
That allows you SSL termination, pretty good bot coverage, and a nice domain name to share as needed.
Specific to windows then?
Edit: sorry, apparently not specific lol the CVE is specific to windows