Here is how I do a quick lockdown:

Make sure the server is fully patched before you begin.

Run a port scan on the ip from the local segment, take note of all ports that respond.

Look up by port number the app that uses that port.

Determine if that application is necessary on that server, if not stop the service and disable it so it won't start on bootup.

The ports left open you server will need to offer to computers on the network and probably can't be changed, stuff like DHCP or DNS.

If I am dealing with an internet box I start with the same proceedure then put it behind a SOLID firewall (never on box) and open only the required ports for the NAT address. Then I use a tool like nmap from the outside to confirm I can't see anything more than what I expect to from that box.

What does everyone else do?

A couple notes--

One big item is to make sure you aren't running any unnecessary services. ie: Check your Services and set any unncessary ones to Manual/Disabled.

Also, use the SysInternals tools that can tell you which programs have which ports open. They have great free tools.

I also like to use a personal firewall. I use SyGate. This way I can set very detailed rules down to a specific application. I can also then review the logfiles to see which programs may need other ports open, etc.

For a start, if you're using WinXP SP2, you could use the Windows Firewall.

As w1r3sp33d stated, it's also good to scan your network/workstation from the outside to verify the open ports.

That's what I'd do... :)

--Chris