So let me give you a real scenario.
You find that a server has a Trojan and has been sending out spam email. Hardly dangerous in itself, but it's infected and you need to get it cleaned.
You wonder how it got infected in the first place, as it's a machine that's hardly ever sat at, so you start investigating.
You discover that it has "remote desktop" switched on, enabling you to connect to it remotely to fix any issues that occur. Nothing major there. But then you discover that a few users on the network are using simple passwords. Fred's password is "fred". Hmm.
So you look at the firewall and discover that the remote desktop port is being probed from all sorts of incoming IP addresses: somebody is trying to log into that server using an easy login.
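What "being probed from all sorts of IP addresses" looks like on the server itself is a pile of failed logons in the Security event log. The script below is an added example, not from the original post: it reads Windows logon-failure events (ID 4625), groups them by source address, and flags any address that has failed more than a threshold number of times. The `Get-FailedLogonEvents` and `Get-FailedLogonSummary` names, the threshold, and the sample data are all mine; the sample addresses are constructed from documentation ranges so the summary can be tried without a compromised machine.

```powershell
# Added example, not from the original post. Summarise failed logons (Windows Security
# event 4625) by source IP, so a password-guessing spree against the remote desktop
# port shows up as a short table rather than thousands of individual events.

function Get-FailedLogonEvents {
    # Pull 4625 (logon failure) events from the local Security log. Needs an elevated shell.
    param([int] $Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The useful fields live in EventData; read them from the event XML by name.
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            IpAddress      = $data['IpAddress']
            TargetUserName = $data['TargetUserName']
            LogonType      = $data['LogonType']   # 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA)
        }
    }
}

function Get-FailedLogonSummary {
    # Group failures by source IP; $Threshold or more from one address is treated as guessing.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10
    )

    $Events |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |   # '-' = no network source recorded
        Group-Object IpAddress |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress        = $_.Name
                Failures         = $_.Count
                Accounts         = ($_.Group.TargetUserName | Sort-Object -Unique) -join ','
                LikelyBruteForce = $_.Count -ge $Threshold
            }
        } |
        Sort-Object Failures -Descending
}

# Constructed sample data (documentation address ranges) so the summary can be tried
# offline. On the real server replace this with:  $events = Get-FailedLogonEvents
$events = @(
    1..25 | ForEach-Object { [pscustomobject]@{ IpAddress = '203.0.113.7';   TargetUserName = 'fred';          LogonType = '10' } }
    1..12 | ForEach-Object { [pscustomobject]@{ IpAddress = '198.51.100.22'; TargetUserName = 'administrator'; LogonType = '10' } }
    [pscustomobject]@{ IpAddress = '192.0.2.5'; TargetUserName = 'alice'; LogonType = '10' }   # one mistyped password, not an attack
)

Get-FailedLogonSummary -Events $events | Format-Table -AutoSize
```

On the constructed sample the two addresses with 25 and 12 failures are flagged and the single failure from 192.0.2.5 is not; the same table from real events, read alongside the firewall log, is what tells you the exposed remote desktop port is the way in.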
So that's how it was done, but how could it be prevented? After all, you need the remote session available in case you need to connect to the server.
So the answer was as follows:
Leave the remote port available, but set up the firewall so that only certain IP addresses can reach that port; program in the IP addresses that require access.
Increase the level of security on the server, ensuring that nobody uses "simple" passwords. Most servers have a feature for this, requiring that passwords include numbers and capital letters.
Remove the accounts of users who no longer exist.
Lower all but a few users to "computer user only", which should stop the installation of programs unless they have an administrator password.
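The four steps above, done on a Windows server from an elevated PowerShell prompt, look like the script below. It is an added example, not from the original post: the allowed addresses, the cut-off of 90 days, the list of accounts kept as administrators, and the `example.com` domain are placeholders to replace with your own values. Stale accounts are disabled rather than deleted straight away, which keeps their identity for any later audit; `Remove-LocalUser` can follow once you are sure.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: the four remediation steps as a script.
# All addresses and account names below are placeholders.

# 1. Keep Remote Desktop reachable, but only from the hosts that actually need it.
$AllowedRdpSources = @('203.0.113.10', '198.51.100.0/24')   # placeholder: admin workstation and admin subnet
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedRdpSources
# Anything not explicitly allowed is dropped, on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. No more "fred"/"fred": minimum length, complexity, and a lockout after a few wrong guesses.
net accounts /minpwlen:12 /lockoutthreshold:5 /lockoutduration:30 | Out-Null
# Complexity (upper case, digits, etc.) is a local security policy setting; export, flip, re-import.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg | Out-Null
(Get-Content $cfg) -replace '^PasswordComplexity = 0', 'PasswordComplexity = 1' | Set-Content $cfg
secedit /configure /db "$env:windir\security\local.sdb" /cfg $cfg /areas SECURITYPOLICY | Out-Null
Remove-Item $cfg
# On a domain member the equivalent comes from Active Directory instead (placeholder domain):
#   Set-ADDefaultDomainPasswordPolicy -Identity example.com -ComplexityEnabled $true -MinPasswordLength 12

# 3. Accounts nobody has used for 90 days are disabled first (Remove-LocalUser later, once confirmed).
#    Accounts that have never logged on have no LastLogon and are skipped here; review those by hand.
$cutoff = (Get-Date).AddDays(-90)
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt $cutoff } |
    ForEach-Object {
        Disable-LocalUser -Name $_.Name
        Write-Output "Disabled stale account: $($_.Name)"
    }

# 4. Everyone except a short list becomes a standard user: no installs without an admin password.
$KeepAsAdmin = @('Administrator', 'itadmin')   # placeholder names
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and (($_.Name -split '\\')[-1] -notin $KeepAsAdmin) } |
    ForEach-Object {
        Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name
        Write-Output "Removed from Administrators: $($_.Name)"
    }
```

Run step 1 from a console session or from an address that is on the allow list, otherwise the firewall change cuts off the very remote session you are using.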
Security on a PC is vital. After all, would you display your personal bank details in the front window of your house?