All routers ever created in the history of the universe have a
built in web page or two that controls all the security settings and whatnot. That's the local IP address, which can only be accessed from your side of the router and not the internet side. If you lock up all the stuff you don't use and set all the security features to unabomber it makes life difficult for bad guys. If you do it right your system just won't respond to any outside signals at all, only packets coming from your box.
Even that is not necessarily 100% watertight because your own box will play double agent against you. The reason there are all these problems is there's a bunch of security holes built into windows either on purpose or through sloppy coding. Most of them relate to features that do stuff for you, like remote desktop, chat clients, or torrents. You should google on the most common windows security holes and turn them off. Nobody is going to log in and control my box via remote desktop, so I slayed that. Screw universal plug and pray, slay that. Give it the old three fingered salute to pop up the task manager. Go through all of the several dozen running services and find out what they do and if you want your box to be doing that.
But even that is not necessarily 100% watertight because your web browser will play double agent against you. Once again this is because of features that you may want such as playing videos or automatic logins. But if you uninstall adobe flash and install extensions for ad blocking and script blocking and WebRTC blocking and HTTP referer blocking then you can surf in reasonable safety.