What are the best practices for securing my Windows Server?

When setting up or reviewing the security policies on a Windows server, the following points should be considered.


User Configuration
  • Enforce password complexity and length requirements
  • Enforce a password expiration policy
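As an added example (not part of the original article), the following PowerShell audits the local account policy against a baseline. The baseline values are assumptions chosen for illustration; the secedit export and the policy key names (MinimumPasswordLength, PasswordComplexity, MaximumPasswordAge, PasswordHistorySize) are the standard ones in a local security policy INF. Run from an elevated prompt.

```powershell
# Added example, not part of the original article: audit the local account
# password policy against a baseline. The baseline values are assumptions
# chosen for illustration; replace them with your organisation's standard.
# Requires an elevated prompt because secedit reads the local security database.
$Baseline = @{
    MinimumPasswordLength = 14   # characters
    PasswordComplexity    = 1    # 1 = complexity requirements enforced
    MaximumPasswordAge    = 90   # days; 0 or -1 would mean passwords never expire
    PasswordHistorySize   = 24   # previous passwords remembered
}

function Get-LocalPasswordPolicy {
    # Export the [System Access] area of the local security policy to an INF
    # file and parse its "Name = Value" lines into a hashtable.
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    Get-Content -Path $inf | ForEach-Object {
        if ($_ -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    param([hashtable]$Policy, [hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $actual   = $Policy[$name]
        $expected = $Baseline[$name]
        # Maximum age must be finite (> 0) and no longer than the baseline;
        # every other setting must be at least the baseline value.
        $pass = if ($name -eq 'MaximumPasswordAge') {
            ($actual -gt 0) -and ($actual -le $expected)
        } else {
            $actual -ge $expected
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected
            Actual   = $actual
            Status   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy) -Baseline $Baseline |
    Format-Table -AutoSize
```

On a domain-joined server the effective policy for domain accounts comes from the domain (Get-ADDefaultDomainPasswordPolicy in the ActiveDirectory module shows it); the export above reflects the local account database only.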

Network Configuration
  • Ensure the server has a valid A record in DNS with the name you want, as well as a PTR record for reverse lookups.
  • Configure redundant DNS servers so that name resolution does not depend on a single host.
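The forward/reverse consistency check behind the A and PTR record item, as an added example that is not part of the original article. It uses Resolve-DnsName and defaults to the local host's own FQDN; pass -Fqdn to check another name.

```powershell
# Added example, not part of the original article: check that this server's
# A record resolves and that each address has a PTR record pointing back to
# the same fully qualified name. The FQDN defaults to the local host's name.
function Test-ServerDnsRecords {
    param(
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    # Forward lookup: keep only A answers (entries from a CNAME chain are dropped)
    $aRecords = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' }
    if (-not $aRecords) {
        throw "No A record found for $Fqdn"
    }
    $expected = $Fqdn.TrimEnd('.')
    foreach ($a in $aRecords) {
        # Reverse lookup: Resolve-DnsName builds the in-addr.arpa name itself
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue
        # An address may carry several PTR records; collect them all
        $ptrNames = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') })
        [pscustomobject]@{
            Name       = $expected
            IPAddress  = $a.IPAddress
            PtrNames   = ($ptrNames -join ', ')
            Consistent = ($ptrNames -contains $expected)   # -contains is case-insensitive
        }
    }
}

Test-ServerDnsRecords | Format-Table -AutoSize
```

A row with Consistent = False means the reverse zone does not agree with the forward zone, which is what breaks reverse-lookup-based checks on the server's clients and peers.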

Features and Roles Configuration
  • Install only the minimum roles and features the system requires.
  • Remove leftover files from the initial system provisioning that are no longer needed.

Update Installation
  • Windows security and vulnerability patches are a critical component of system integrity.
  • Have a policy in place for the periodic automatic download and installation of Windows patches.

IIS Config
  • Ensure 'directory browsing' is set to disabled
  • Ensure 'Application pool identity' is configured for all application pools
  • Ensure the WebDAV feature is disabled
  • Ensure 'global authorization rule' is set to restrict access
  • Ensure ASP.NET 'debug' is turned off
  • Ensure global .NET trust level is configured
  • Ensure Advanced IIS logging is enabled
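The IIS items above can be audited in one pass. The following PowerShell is an added example, not part of the original article; it is read-only, uses the WebAdministration and ServerManager modules, and reports PASS/FAIL per item. The logging check only confirms that site-default logging is enabled in W3C format, which is the prerequisite for adding extended fields.

```powershell
# Added example, not part of the original article: audit the IIS settings in
# the checklist and report PASS/FAIL for each. Run in an elevated prompt on the
# IIS host; nothing is changed.
Import-Module WebAdministration
Import-Module ServerManager

$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config
$rootWeb = 'MACHINE/WEBROOT'           # machine-level root web.config
$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{
        Check  = $Check
        Status = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail = $Detail
    })
}

# Directory browsing must be off at the server level
$dirBrowse = (Get-WebConfigurationProperty -PSPath $appHost `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled').Value
Add-Result 'Directory browsing disabled' (-not $dirBrowse) "enabled=$dirBrowse"

# Every application pool should run under its own virtual account
foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $identity = $pool.processModel.identityType
    Add-Result "AppPool '$($pool.Name)' uses ApplicationPoolIdentity" `
        ($identity -eq 'ApplicationPoolIdentity') "identityType=$identity"
}

# WebDAV publishing should not be installed at all
$webdav = Get-WindowsFeature -Name Web-DAV-Publishing
Add-Result 'WebDAV feature not installed' (-not $webdav.Installed) "Installed=$($webdav.Installed)"

# Global authorization rule: flag an unconditional Allow for all users (*)
$authRules = (Get-WebConfiguration -PSPath $appHost `
    -Filter 'system.webServer/security/authorization').Collection
$allowAll = $authRules | Where-Object { $_.accessType -eq 'Allow' -and $_.users -eq '*' }
Add-Result 'Global authorization rule restricts access' (-not $allowAll) `
    ('rules=' + (($authRules | ForEach-Object { "$($_.accessType):$($_.users)$($_.roles)" }) -join '; '))

# ASP.NET compilation debug off at the machine level
$debug = (Get-WebConfigurationProperty -PSPath $rootWeb `
    -Filter 'system.web/compilation' -Name 'debug').Value
Add-Result 'ASP.NET debug off' (-not $debug) "debug=$debug"

# Global .NET trust level configured below Full
$trust = (Get-WebConfigurationProperty -PSPath $rootWeb `
    -Filter 'system.web/trust' -Name 'level').Value
Add-Result '.NET trust level not Full' ($trust -ne 'Full') "level=$trust"

# Site-default logging enabled in W3C format (prerequisite for extended log fields)
$logFile = Get-WebConfiguration -PSPath $appHost `
    -Filter 'system.applicationHost/sites/siteDefaults/logFile'
Add-Result 'IIS logging enabled (W3C)' ($logFile.enabled -and $logFile.logFormat -eq 'W3C') `
    "enabled=$($logFile.enabled) logFormat=$($logFile.logFormat)"

$results | Format-Table -AutoSize
```

Individual sites and applications can override the machine-level debug and trust settings in their own web.config, so a PASS at this level should be followed by the same two checks with -PSPath "IIS:\Sites\<site>" for each site that hosts ASP.NET code.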

FTP
  • Ensure anonymous FTP is disabled.
  • Ensure FTP logon attempt restrictions are enabled

NTP Configuration
  • Preventing system clock drift is critical for functions that rely on Kerberos security and for Windows logons.
  • Configure NTP to synchronise the clock with an external, reliable time source.
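Configuring and verifying the time source with w32tm, as an added example that is not part of the original article. The peer names ntp1.example.com and ntp2.example.com are placeholders, and the one-second tolerance in Test-ClockDrift is an assumption; the w32tm switches and output formats are the standard ones.

```powershell
# Added example, not part of the original article: point the Windows Time
# service at external NTP servers and verify synchronisation. The peer names
# are placeholders; use your organisation's approved time sources. Run elevated.
# Peer flag 0x9 = 0x1 (use SpecialPollInterval) + 0x8 (client mode).
$Peers = 'ntp1.example.com,0x9 ntp2.example.com,0x9'

function Set-ExternalTimeSource {
    param([string]$PeerList)
    w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /update | Out-Null
    Restart-Service -Name w32time
    # Force an immediate resync and peer rediscovery
    w32tm /resync /rediscover | Out-Null
}

function Get-TimeSyncState {
    # Pull the interesting lines out of "w32tm /query /status" into one object
    $status = w32tm /query /status
    $get = {
        param($label)
        ($status | Where-Object { $_ -like "$label*" }) -replace "^$label\s*", ''
    }
    [pscustomobject]@{
        Source      = & $get 'Source:'
        Stratum     = & $get 'Stratum:'
        LastSync    = & $get 'Last Successful Sync Time:'
        PhaseOffset = & $get 'Phase Offset:'
    }
}

function Test-ClockDrift {
    param([string]$Peer, [double]$MaxOffsetSeconds = 1.0)   # tolerance is an assumption
    # stripchart prints one "hh:mm:ss, +00.0012345s" line per sample; parse the offsets
    $lines = w32tm /stripchart /computer:$Peer /samples:3 /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples obtained from $Peer" }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Peer               = $Peer
        WorstOffsetSeconds = $worst
        WithinTolerance    = ($worst -le $MaxOffsetSeconds)
    }
}

Set-ExternalTimeSource -PeerList $Peers
Get-TimeSyncState
Test-ClockDrift -Peer 'ntp1.example.com'
```

This applies to stand-alone servers and to the domain's PDC emulator. Other domain members should keep the default domain hierarchy (NT5DS) as their source rather than being pointed at external peers, so that the whole forest agrees with the same clock.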

Firewall Configuration
  • The software firewall is a capable port-blocking tool that can be used to block communication on unauthorised ports.
  • Depending on the nature of the server and upon request, the firewall can be tuned further.
  • Block the database port to all external connections unless it is required.
  • Ensure the rules apply to all firewall profiles.

Remote Access Configuration
  • Enforce Network Level Authentication for Remote Desktop connections. NLA uses the Microsoft CredSSP protocol to authenticate and negotiate the credential type before a secure channel is opened.
  • Configure a non-standard port for RDP
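The firewall and Remote Access items above are implemented together in the following PowerShell, an added example that is not part of the original article. Port numbers are assumptions: 1433 is the SQL Server default-instance port (adjust for your database), and 3390 is an arbitrary non-standard RDP port. The registry path and value names for the RDP listener are the standard ones. Run elevated from a console or out-of-band session, because restarting TermService disconnects existing remote sessions.

```powershell
# Added example, not part of the original article: enforce the firewall and
# Remote Desktop checklist items. Port values are assumptions (1433 = SQL Server
# default instance, 3390 = arbitrary non-standard RDP port). Run elevated from
# a console or out-of-band session; the RDP change disconnects remote sessions.
$DbPort  = 1433
$RdpPort = 3390

# 1. Firewall on for every profile, with inbound traffic denied by default
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 2. Report any enabled inbound Allow rule that exposes the database port to any address
function Get-ExposedDbRules {
    param([int]$Port)
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr -join ',') }
        } |
        Where-Object { $_.RemoteAddress -eq 'Any' }
}
Get-ExposedDbRules -Port $DbPort | Format-Table -AutoSize

# 3. Allow the database port only from the local subnet; disable the rules reported
#    in step 2 once this scoped rule is in place
$dbRuleName = "DB TCP $DbPort - local subnet only"
if (-not (Get-NetFirewallRule -DisplayName $dbRuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $dbRuleName -Direction Inbound -Protocol TCP `
        -LocalPort $DbPort -RemoteAddress LocalSubnet -Action Allow -Profile Domain, Private | Out-Null
}

# 4. Require Network Level Authentication and move the RDP listener to the new port
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $RdpPort -Type DWord

# 5. Open the new RDP port before the service restarts so the change does not lock you out
New-NetFirewallRule -DisplayName "RDP TCP $RdpPort" -Direction Inbound -Protocol TCP `
    -LocalPort $RdpPort -Action Allow -Profile Domain, Private | Out-Null
Restart-Service -Name TermService -Force

# 6. Verify the end state
[pscustomobject]@{
    NlaRequired = ((Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1)
    RdpPort     = (Get-ItemProperty -Path $rdpKey).PortNumber
    Profiles    = (Get-NetFirewallProfile |
        ForEach-Object { "$($_.Name)=$($_.Enabled)/$($_.DefaultInboundAction)" }) -join ' '
}
```

After confirming a connection on the new port, disable the built-in "Remote Desktop" rule group so TCP 3389 is no longer allowed inbound. Moving the port reduces noise from scanners but is not a substitute for NLA and a properly scoped remote-address list on the RDP rule.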
