This is an attacker todo list if he wants to do an attack over the network he needs the following

An IP Address
An open port which he has access to
A vulnerable service that he can exploit

The best way is to first disable the service and then delete it if it’s not required.
This has saved many of my clients from new attacks cause the majority of the time a vulnerable service is what is exposed but removing the problem at the root.
This way even if a service is vulnerable it is not a problem cause it won’t exist on the system.
The next step is blocking the ports at the firewall level
not even at the firewall level there can to firewall places on the host and at the network, the reason I suggest enabling it at both levels is if it does defence in depth.
Don’t ever rely on one resource to do the job especially if it is a critical job.
The next part is at the IP address level, block IP that is known to scan and conduct attacks.
These IPs cannot access any ports on the server.
This is Defence in-Depth the this is a very general idea it has to be custom tailored based on the environment
This is an attacker checklist for doing an attack over the network.

Now, this does not include all attacks but is more of a general list that the attacker requires.