what he would have to do is have a person run the setup for the server. Then have that user setup the router to forward the ports to the machine. This is not easily done without the victim's knowledge.
if the person wanted to break in to the pc, it would be a lot easier to have the user run a trojan, which has to get by AV, and have the trojan automatically connect to another machine on the inet.