
XP Security tasks after 'fresh' install

Discussion in 'Windows XP' started by clarock, 2006/03/05.

  1. 2006/03/05
    clarock

    clarock Inactive Thread Starter

    Joined:
    2006/03/02
    Messages:
    15
    Likes Received:
    0
    I have compiled a list of security tasks which I feel should be performed after a fresh install. This list deals with Windows XP (I had Pro in mind) only and does not contain details about firewalls or 3rd party applications, except through the use of them to make the job of securing Windows settings easier. I would greatly appreciate anybody's opinion and review of the list. Any additions are very welcome; I will change this post as additions come, if needed. If anyone has any suggestions for any other software which can be used to make the job of securing Windows XP settings easier, please post that also (i.e. not firewalls or antivirus, etc.). I thank everyone for any input! :p

    Add / Remove

    [ ] Remove ‘hide’ from the lines in C:\WINDOWS\inf\sysoc.inf, in order to see optional components in the Add / Remove utility.
    [ ] Uninstall unneeded or risky components from the Add / Remove utility.

    General

    [ ] Apply all Windows Updates, patches and hotfixes (locally).
    [ ] Run WWDC (http://www.firewallleaktester.com/wwdc.htm) to disable and close ports for DCOM, RPC Locator, NetBIOS and UPNP.
    [ ] Secure services as much as possible within the functionality needed.
    [ ] Disable Remote Assistance and Remote Desktop in the Remote tab of the System Properties.

    Registry Checklist

    [ ] Clear values for NullSessionPipes and NullSessionShares at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
    [ ] Set AutoShareServer and AutoShareWks to 0 at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters.
    [ ] Set RestrictAnonymous to 2, RestrictAnonymousSam to 1 and EveryoneIncludesAnonymous to 0 at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    [ ] Clear values for Machine at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths

    Folder Options

    [ ] Disable ‘Automatically search for network folders and printers’ and ‘Use simple file sharing’ in the Folder Options.

    Shares Checklist

    [ ] Delete all shares in Computer Management.

    Connection Checklist

    [ ] Remove all protocols (except TCP/IP) from your network connection.
    [ ] Disable LMHOSTS lookup in the TCP/IP advanced properties.
    [ ] Disable NetBIOS in the TCP/IP advanced properties.

    Accounts

    [ ] Rename all accounts weirdly (ex: password looking).
    [ ] Delete all accounts not built-in. This leaves Administrator, Guest and the install-generated accounts.
    [ ] Set passwords on all remaining accounts, 15 characters or greater in order to make NTLM report a null password.
    [ ] Disable all accounts except the install-generated account (which is also admin level).
     
    Last edited: 2006/03/06
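
A read-only audit of the Registry Checklist items in the post above, as an added PowerShell example that is not part of the original post. It assumes PowerShell is installed (it is not included with XP by default); the function name `Test-ChecklistValue` is hypothetical, and the expected values are the ones the checklist gives.

```powershell
# Added example: reports whether each registry value matches the checklist.
# Nothing is modified. Expect = $null means "value should be cleared".
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'

$checks = @(
    @{ Path = $lanman; Name = 'NullSessionPipes';          Expect = $null },
    @{ Path = $lanman; Name = 'NullSessionShares';         Expect = $null },
    @{ Path = $lanman; Name = 'AutoShareServer';           Expect = 0 },
    @{ Path = $lanman; Name = 'AutoShareWks';              Expect = 0 },
    @{ Path = $lsa;    Name = 'RestrictAnonymous';         Expect = 2 },
    @{ Path = $lsa;    Name = 'RestrictAnonymousSam';      Expect = 1 },
    @{ Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Expect = 0 },
    @{ Path = $winreg; Name = 'Machine';                   Expect = $null }
)

function Test-ChecklistValue {   # hypothetical helper name
    param([string]$Path, [string]$Name, $Expect)

    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value does not exist; reported separately so it can be reviewed by hand
        $status = 'MISSING'; $actual = '<not set>'
    } elseif ($null -eq $Expect) {
        # REG_MULTI_SZ is returned as string[]; cleared means no non-blank entries
        $entries = @($item.$Name | Where-Object { $_ -and $_.Trim() })
        if ($entries.Count -eq 0) { $status = 'PASS'; $actual = '<empty>' }
        else { $status = 'FAIL'; $actual = $entries -join '; ' }
    } else {
        $actual = $item.$Name
        if ($actual -eq $Expect) { $status = 'PASS' } else { $status = 'FAIL' }
    }

    New-Object PSObject -Property @{
        Status = $status; Name = $Name; Actual = $actual; Key = $Path
    }
}

$checks | ForEach-Object { Test-ChecklistValue @_ } |
    Format-Table Status, Name, Actual, Key -AutoSize
```
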
  2. 2006/03/06
    clarock

    clarock Inactive Thread Starter

    Joined:
    2006/03/02
    Messages:
    15
    Likes Received:
    0
    Added the removal of the listings from the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths

    This removes paths that could otherwise be used for remote control of the registry...

    :eek:
     

  3. to hide this advert.

  4. 2006/03/06
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    clarock--Not sure if you have included the security settings possible within Internet Explorer such as on the Security and Privacy tabs.
    Perhaps that is what you meant by
    Of course these are somewhat subjective.
     
  5. 2006/03/06
    clarock

    clarock Inactive Thread Starter

    Joined:
    2006/03/02
    Messages:
    15
    Likes Received:
    0
    I consider IE a separate entity... I meant the services when I said that (services.msc)...

    ;)
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.