the problem is Microshaft's design
the problem is Microshaft's design. The idea that a networked box would expose services on the intarwebs is in and of itself a MAJOR problem.
In other words, they should have designed it to ONLY listen on RFC1918 IP addresses, and ONLY listen if you enable networking.
But NOOooo... they have to bind to 0.0.0.0 (i.e. everything) and THAT is the problem!
And they do that with other "well known" or "easily discoverable" TCP stuff. Just do a "netstat -an" some time on your Winders box, and see what's listening...
And if it shows up as the SAME port on everybody ELSE's box, and there's a vulnerability on it, and you connect directly to the intarwebs on a publicly visible IP address [including _ANY_ IPv6 address!] then you're exposing your winders box's soft underbelly to the intarwebs.
"Only an idiot" would have DESIGNED! IT! THIS! WAY!! Right, Micro-shaft??
[the need to bind to publicly visible IP addresses could be a kind of "opt in" setting, and THEN it would be the customer's fault for doing it...]
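The "netstat -an" check the post suggests, turned into a small audit script. This is an added example, not code from the post or from any vendor: it parses the Windows netstat layout (the sample output below is constructed, not a real capture) and flags listeners bound to the wildcard address or to a non-RFC1918 address, the exact distinction the post draws. Any non-loopback IPv6 bind is treated as publicly visible, as the post states.

```python
"""Audit 'netstat -an' output for listeners exposed beyond loopback/RFC1918."""
import ipaddress

# Constructed sample of Windows 'netstat -an' output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    203.0.113.5:22         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:50123     203.0.113.9:443        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# RFC1918 private ranges, spelled out rather than relying on is_private,
# which also treats documentation/test ranges as non-global.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_addr_port(text):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)

def classify(host):
    """Return 'wildcard', 'loopback', 'rfc1918' or 'public' for a bind address."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:          # 0.0.0.0 or :: -> bound to every interface
        return "wildcard"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1 -> local only
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"                # includes every non-loopback IPv6 address

def listening_sockets(netstat_text):
    """Return (proto, host, port, class) for each listening TCP/UDP socket."""
    results = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                   # header, blank, other
        state = parts[3] if len(parts) > 3 else "LISTENING"  # UDP has no state column
        if state != "LISTENING":
            continue                                   # skip established/wait sockets
        host, port = split_addr_port(parts[1])
        results.append((parts[0], host, port, classify(host)))
    return results

def exposed_listeners(netstat_text):
    """Listeners reachable from outside the box: wildcard or public binds."""
    return [s for s in listening_sockets(netstat_text) if s[3] in ("wildcard", "public")]

if __name__ == "__main__":
    for proto, host, port, kind in exposed_listeners(SAMPLE_NETSTAT):
        print(f"EXPOSED {proto} {host}:{port} ({kind})")
```

On a real box, pipe the actual `netstat -an` output into `exposed_listeners` and compare the result against what the machine is meant to serve.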