You can turn off null sessions without a regedit in 2k. Start -> Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Opetions
additional restrictions for anonymous connections should be set to "do not allow without explicit anonymous permissions."
This will kill anybody using any exploit that does a net view as <> to enumerate shares and users, which takes away the single easiest thing about cracking a windows box over the network - already having half of the username/password combination.
Any apps that you install that need service accounts, especially stuff like SQL or backup software that require high level user rights on SA, should have 14 character complex passwords, and should have non standard names.
Disable the guest account. Rename the Administrator account to something else, rename Guest to Administrator.
Load up Microsoft's Baseline Security Analyzer and hfnetchk.exe to scan for patches that you might have missed. Windows Update is NOT to be relied upon for staying up to date on security patches, as it only gets OS patches and not patches for services like MSSQL.
Turning off NetBIOS is a good idea, but alot of people like to be able to map network drives over SMB. If you leave this on, you've GOT to turn off null sessions as described above, and you should definitely configure account lockout and auditing. Strong password complexity is a must too - 7 character length pwds are more resistant to l0phtcrack than 8, 9, 10, 11, 12, or 13 char length pwds. 14 characters are substantially harder to crack. By strong passwords, I mean random character generations that utilize upper and lower case alpha numerics plus some standard ASCII like !, @, #, $, %, etc...
NTFS permissions are must. If you insist on running FTP services, don't allow anonymous access. Don't EVER ftp to your server using admin credentials, as these are sent in clear text and can be sniffed very easily. If you have to have an upload directory, create ONE user account with write permissions to that directory. Make sure that that user has NO rights to absolutely anything else on the server, period. If you want to know why, lemme know and I'll explain FTP vulnerabilities to malicious code execution exploits more thoroughly.
If you run IIS, disable default and admin web sites. Delete the admin scripts directory, or move it to a different drive with tight permissions. Don't keep your site scripts in your Inetpub directory. If you have SMTP enabled, make sure to lock down relay restrictions tightly. Patches, patches, patches!
Either load a software firewall to permit access only to the ports that you want, or get fancy with an IPSEC policy. A hardware firewall is ALWAYS a better way to go, but I'm assuming that you dont' have the cash to invest in one.
Check the service control manager and change the startup options on all services that you don't need. No reason whatsoever to run remote registry service, for instance, and that is turned on by default on Win2k. Big hole there, too. If you don't know what a service does, ask - I probably do, and 100 other people who also know will likely answer before I do ;.)
Do a netstat -an and check to see what ports you are listening on. If there's anything showing up that you don't recognize, spend some time looking it up and find out what's listening. Once you've got it down to the minimum listeners that can serve the data you want, put the firewall up and drop yourself online.
Be sure to take a screen shot of your listening ports and your running processes before doing so, and periodically check them and compare to your clean list to make sure that you haven't been owned.
Anyway, that's basic Windows 2k hardening 101 for ya. It's by NO MEANS a complete guide, and if you don't eat, sleep, live and breathe security for a while, you'll never get up to speed enough to really lock a Windows box down. The minute you stop keeping up to date, too, a new exploit will emerge and you will probably get owned.
It's so much easier in Unix! IPChains are your friend...
Regards,
Satori, who maintains security for over 3,000 Windows 2000 webservers, among other things.