The following are recommended practices at each layer.
Protect the server from hostile network traffic (for example, build it on an isolated network or behind a firewall) until the operating system is installed and hardened. NSA hardening guides are available: http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml.
Change default passwords.
Remove or disable unneeded network protocols, applications and services.
Subscribe to automated patch notifications where available. Test and apply patches promptly, or enable fully automatic patching.
Only allow management connections from specific, trusted subnets or hosts.
On Windows, install and enable antivirus software with automatic virus definition updates.
Install host-based intrusion detection.
Grant each task or process only the minimum rights it requires. Run services as unprivileged (non-root, non-Administrator) accounts wherever possible.
Ensure that logging is enabled, that logs are reviewed on a regular basis, and that log retention follows the data retention policies.
Refer to policy 3.01, Server Physical Access Security.
Lock the console when it is not in use. To prevent unauthorized access, a timed, password-protected screen lock should be in place.
Restrict authentication methods to the strong ones that are actually needed (for example, disable password logins for remote access in favour of key-based authentication, and disable direct root or Administrator logins).
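The two items on restricting management access and authentication methods, and the item on reviewing logs, can be checked mechanically on an OpenSSH host. The script below is an added example and is not part of the policy document: it audits an sshd_config for the relevant directives and then summarises failed logins in an auth log by source address, ignoring the trusted subnet. The management subnet 10.20.0.0/24, the user names, the two sample configs and the log lines are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the policy document: audit an sshd_config for the
# "management from trusted subnets only" and "restrict authentication methods"
# items, then review an auth log for failed logins from outside the trusted
# subnet. The subnet 10.20.0.0/24, the user names, the sample configs and the
# log lines are all constructed for this illustration.

MGMT_SUBNET="10.20.0.0/24"   # assumed trusted management network

# effective_value FILE KEY: print KEY's value from the global section of an
# sshd_config. sshd uses the first occurrence of a keyword, and anything after
# the first Match block is conditional, so stop there.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: return 0 if the file meets every check, otherwise
# print one FAIL line per problem and return 1.
check_sshd_config() {
    f=$1; rc=0
    # sshd's defaults for these are "prohibit-password", "yes", "yes": an
    # unset keyword therefore counts as a failure for the last two.
    for kv in PermitRootLogin=no PasswordAuthentication=no \
              KbdInteractiveAuthentication=no; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(effective_value "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', want '$want'"; rc=1
        fi
    done
    # Management restriction: AllowUsers entries in user@CIDR form, or a
    # Match Address block, scoped to the trusted subnet.
    subnet_re=$(printf '%s' "$MGMT_SUBNET" | sed 's/[.]/\\./g')
    if ! grep -Eiq "^[[:space:]]*(AllowUsers[[:space:]].*@${subnet_re}|Match[[:space:]]+Address[[:space:]]+${subnet_re})" "$f"; then
        echo "FAIL: logins are not restricted to $MGMT_SUBNET"; rc=1
    fi
    return $rc
}

# review_failed_logins LOG: count failed sshd logins per source address,
# ignoring the trusted subnet (a /24 is assumed here), busiest source first.
review_failed_logins() {
    prefix_re=$(printf '%s' "${MGMT_SUBNET%.0/24}" | sed 's/[.]/\\./g')
    grep -E 'sshd\[[0-9]+\]: Failed (password|publickey) for' "$1" \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | grep -Ev "^${prefix_re}\." \
        | sort | uniq -c | sort -rn
}

# write_samples DIR: constructed sample inputs (a weak and a hardened
# sshd_config, and an auth log) used by the demonstration below.
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
#KbdInteractiveAuthentication no
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
ListenAddress 10.20.0.5
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers ops@10.20.0.0/24 deploy@10.20.0.0/24
LogLevel VERBOSE
EOF
    cat > "$1/auth.log" <<'EOF'
Mar  3 10:01:12 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 52100 ssh2
Mar  3 10:01:15 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 52100 ssh2
Mar  3 10:01:19 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 52108 ssh2
Mar  3 10:02:02 web1 sshd[1210]: Failed publickey for ops from 10.20.0.15 port 40022 ssh2
Mar  3 10:02:40 web1 sshd[1212]: Accepted publickey for ops from 10.20.0.15 port 40022 ssh2
Mar  3 10:03:01 web1 sshd[1215]: Failed password for invalid user test from 198.51.100.9 port 61000 ssh2
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for name in weak hardened; do
    if check_sshd_config "$tmp/sshd_config.$name"; then
        echo "$name: compliant"
    else
        echo "$name: NOT compliant"
    fi
done
echo "failed logins from outside $MGMT_SUBNET:"
review_failed_logins "$tmp/auth.log"
rm -rf "$tmp"
```

On a real host, point check_sshd_config at /etc/ssh/sshd_config and review_failed_logins at /var/log/auth.log (or the output of journalctl -u ssh) from a cron job, and treat any FAIL line or any new source address outside the management subnet as something to act on. The weak sample fails all four checks; the hardened one passes, and the log review lists 203.0.113.7 (three failures) and 198.51.100.9 (one) while the trusted host 10.20.0.15 is ignored.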
Local Network Layer:
Enable firewall protection.
Create a firewall security policy that allows only the required ports, trusted subnets or hosts, and denies everything else by default.
Run firewalls at all layers (i.e. network, OS and application).
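What "allow only the listed ports, subnets or hosts and deny everything else" looks like on the host-OS layer, as an added example that is not part of the policy document: a script that emits a default-deny nftables ruleset for a server and audits a ruleset file for the default-deny property. The management subnet 10.20.0.0/24, the public ports 80 and 443 and SSH on port 22 are constructed values; adjust them before applying the output.

```shell
#!/bin/sh
# Added example, not part of the policy document: emit a default-deny nftables
# ruleset for a server and audit a ruleset file for the default-deny property.
# The management subnet (10.20.0.0/24), the public ports and the SSH port are
# constructed values; adjust them before applying with `nft -f`.

# gen_ruleset MGMT_SUBNET PUBLIC_TCP_PORTS
#   MGMT_SUBNET       CIDR that may reach SSH (the only management path)
#   PUBLIC_TCP_PORTS  comma-separated TCP ports open to everyone, e.g. "80, 443"
# Everything not listed falls through to the chain's drop policy.
gen_ruleset() {
    mgmt=$1; ports=$2
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        ip saddr $mgmt tcp dport 22 accept comment "management subnet only"
        tcp dport { $ports } accept comment "public services"
        limit rate 10/minute log prefix "nft input drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# hook_policy FILE HOOK: print the chain policy (accept/drop) declared for the
# base chain attached to HOOK, or nothing if no such chain exists.
hook_policy() {
    awk -v hook="hook $2 " '
        index($0, hook) {
            for (i = 1; i <= NF; i++)
                if ($i == "policy") { p = $(i+1); sub(/;/, "", p); print p; exit }
        }' "$1"
}

# audit_ruleset FILE: return 0 if the input and forward chains default to drop
# and no rule accepts unconditionally; otherwise print FAIL lines and return 1.
audit_ruleset() {
    rc=0
    for hook in input forward; do
        p=$(hook_policy "$1" "$hook")
        if [ "$p" != "drop" ]; then
            echo "FAIL: $hook chain policy is '${p:-missing}', want 'drop'"; rc=1
        fi
    done
    # a bare "accept" with no match expression lets everything through
    if grep -Eq '^[[:space:]]*accept[[:space:]]*(;|$)' "$1"; then
        echo "FAIL: unconditional accept rule present"; rc=1
    fi
    return $rc
}

out=$(mktemp)
gen_ruleset "10.20.0.0/24" "80, 443" > "$out"
cat "$out"
if audit_ruleset "$out"; then echo "audit: default deny confirmed"; fi
# To apply as root: nft -c -f "$out" && nft -f "$out"   (then: nft list ruleset)
rm -f "$out"
```

nft -c -f checks the syntax without loading it, which is worth doing before the real nft -f, since a typo in a ruleset with a drop policy can lock you out of SSH. This covers only the OS-layer firewall; the network firewall in front of the server and any application-level filtering still need their own default-deny policies.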
Encrypt anything that you would not want everyone to know (SSNs, credit card numbers, etc.), both in transit and at rest. Stored passwords are the exception: they should be hashed with a slow, salted password hash rather than encrypted, so that they cannot be recovered even by someone who holds the key.
When writing software, design security in from the beginning rather than adding it afterwards.