Just a quick one: there are two great (free!) tools from Microsoft for taking a default Windows Server install and hardening it.
The first, the Security Configuration Wizard (SCW), is installed by default on Windows Server. Run the wizard and it walks you through identifying which roles and features are installed on the box, then produces an XML policy (template) that disables the services those roles do not need and configures the Windows Firewall to allow only the traffic the required services use. It is worth noting that it also lets you specify the management tools you use to administer the server, so you get the benefit of having the firewall enabled without the pain of no longer being able to reach the server with your favourite remote tools. Do check the list of roles it detects before you accept it: anything it misses will have its services disabled and its ports blocked. Once you have a policy, the command line component, scwcmd, can analyse other servers against it and transform it into a GPO in Active Directory; the transform creates the GPO but does not link it, so you still need to link it to the right OU yourself.
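The workflow above, as an added example rather than anything from the original post: analyse a few servers against a saved SCW policy, turn the policy into a GPO with scwcmd, then link it with the GroupPolicy module. The policy path, server names, GPO name and OU distinguished name are all assumed placeholders; scwcmd must be run on a domain-joined server by an account that can create GPOs, and the GroupPolicy module needs the GPMC feature installed.

```powershell
# Added example: drive the SCW policy -> GPO workflow from PowerShell.
# All names below are assumptions for illustration, not from the original post.
$Policy   = 'C:\SCW\WebServer-Hardened.xml'        # policy saved by the SCW wizard
$Servers  = @('WEB01', 'WEB02')                    # servers to check before rolling out
$GpoName  = 'SCW - Web Server Hardening'           # display name for the new GPO
$TargetOU = 'OU=Web Servers,DC=corp,DC=example'    # OU the GPO will be linked to
$Results  = 'C:\SCW\Analysis'                      # where scwcmd writes its reports

if (-not (Test-Path $Policy)) { throw "SCW policy not found: $Policy" }
New-Item -ItemType Directory -Path $Results -Force | Out-Null

# 1. Dry run: compare each server's current state against the policy.
#    scwcmd analyze does not change anything on the target; it writes
#    <machine>.xml into the output directory for review.
foreach ($s in $Servers) {
    & scwcmd.exe analyze /m:$s /p:$Policy /o:$Results
    if ($LASTEXITCODE -ne 0) { throw "scwcmd analyze failed for $s (exit $LASTEXITCODE)" }
}

# 2. Render the analysis results as HTML so the service/firewall deltas can be
#    reviewed before anything is enforced.
foreach ($s in $Servers) {
    & scwcmd.exe view /x:(Join-Path $Results "$s.xml") `
        /s:"$env:windir\security\msscw\TransformFiles\scwanalysis.xsl"
}

# 3. Turn the policy into a GPO in the domain. This only creates the GPO;
#    it is not linked anywhere until step 4.
& scwcmd.exe transform /p:$Policy /g:$GpoName
if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed (exit $LASTEXITCODE)" }

# 4. Link the GPO to the target OU. Leaving the link disabled lets you
#    inspect the GPO in GPMC first; flip it to Yes when you are happy.
Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName
New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled No | Out-Null

# 5. Show what the GPO contains, as a final sanity check before enabling it.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $Results 'gpo-report.html')
Write-Host "GPO '$GpoName' created and linked (disabled) to $TargetOU; review $Results before enabling."
```

The analysis step is the important one: applying a role-based firewall policy to a server whose roles you misjudged is a quick way to lock yourself out, so look at the report for each target before the GPO link is enabled.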
The second, the Security Compliance Management Toolkit, is available for download from http://technet.microsoft.com/en-us/library/cc514539.aspx. There is a lot in the toolkit, not least the ability to monitor ongoing compliance using SCCM's Desired Configuration Management (DCM) feature, but the interesting bit for this post is that it includes a tool to create GPOs carrying a full suite of Microsoft's recommended registry settings for hardening the OS. Many of these settings are not exposed through the standard Group Policy templates, so without the toolkit you would have to push them as raw registry values yourself.