Give careful attention to who is allowed to log on from the network and locally.
One thing to consider is that the administrator account is on every machine, and can't be locked out from too many bad passwords. A good way around this is to remove the administrator's group from the permissions to log on from the network, and add back in the individual users who are the admins.
Now go set it up to audit failed login attempts, lock out users for a few minutes if there are too many login failures, and require a password of decent length - 6 characters is acceptable. This makes brute force attacks very difficult. If you want to prevent other users from accessing the machine remotely, you can also remove the users from the right to log on from the network - that confines the users to having to use the shares on the server. This also prevents anyone not given that right from accessing the event log, the registry, and the shares on the machine. Pay attention to who can and cannot shut the machine down, and make it require you to log in to shut it down.
Internet FAQ top