One of my remaining dedicated servers, which hasn't yet been migrated to Amazon EC2, is hosted in a UK datacenter without a dedicated firewall to protect it.
Whilst I knew that the server was effectively exposed to the Internet on various ports, I did not realise that, despite my setting up the Windows firewall to only allow logon attempts on the RDP port (Remote Desktop) from a fixed set of IP addresses, many if not all logon attempts were still getting through. I'm not sure why, but I seem to recall that the block only kicks in after a successful authentication, meaning bots were still probing my server 24/7. Not good.
The best and simplest tool I found for this job was RDPGuard. It runs as a Windows Service and can easily be configured to block brute-force logon attempts.
I can really recommend it if you run a public-facing Windows box without a dedicated firewall. They offer a free, fully functional trial on their website.
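A common way to detect brute-force logon attempts is to count failed logons per source address inside a sliding time window. The sketch below is an added example, not RDPGuard's code and not part of the original post, run over constructed events. Event IDs 4625 (failed logon) and 4624 (successful logon) are the Windows Security log's own; the allowlisted range, threshold, window and the name `find_offenders` are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events: (timestamp, Security event ID, source IP).
# All addresses come from the reserved documentation ranges.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 4625, "203.0.113.7"),   # rapid failures
    ("2024-01-01T10:00:20", 4625, "203.0.113.7"),
    ("2024-01-01T10:00:40", 4625, "203.0.113.7"),
    ("2024-01-01T10:01:00", 4625, "198.51.100.5"),  # allowlisted admin IP
    ("2024-01-01T10:01:05", 4625, "198.51.100.5"),
    ("2024-01-01T10:01:10", 4625, "198.51.100.5"),
    ("2024-01-01T10:02:00", 4625, "192.0.2.44"),    # mistyped password,
    ("2024-01-01T10:02:30", 4625, "192.0.2.44"),    # then a good logon
    ("2024-01-01T10:03:00", 4624, "192.0.2.44"),
    ("2024-01-01T10:00:00", 4625, "192.0.2.90"),    # old failures age out
    ("2024-01-01T10:06:00", 4625, "192.0.2.90"),    # of the window
    ("2024-01-01T10:12:00", 4625, "192.0.2.90"),
]

# Assumed stand-in for the fixed set of trusted admin addresses.
ALLOWLIST = [ip_network("198.51.100.0/28")]

def find_offenders(events, max_failures=3, window=timedelta(minutes=5),
                   allowlist=ALLOWLIST):
    """Map each offending source IP to the time it crossed the threshold."""
    recent = defaultdict(deque)   # per-IP failure timestamps inside the window
    offenders = {}
    for ts, event_id, src in sorted(events):       # ISO timestamps sort by time
        if event_id != 4625 or src in offenders:   # only unflagged failures
            continue
        if any(ip_address(src) in net for net in allowlist):
            continue                               # never flag trusted sources
        when = datetime.fromisoformat(ts)
        failures = recent[src]
        failures.append(when)
        while when - failures[0] > window:         # drop failures that aged out
            failures.popleft()
        if len(failures) >= max_failures:
            offenders[src] = when
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_EVENTS).items():
        print(f"block {ip}: threshold crossed at {when.isoformat()}")
```

On a live host the same tuples would be built from the Security event log instead of the constructed list, and the returned addresses fed into a firewall block rule.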