11.4. Disabling or Removing Unused Accounts, Services, and Software

Problem

You want to disable or remove anything that you don't explicitly need or use on a frequent basis on your server. The fewer things you have installed or active, the fewer potential vulnerabilities you have.

Solution

There is no one-size-fits-all rule for which accounts and services you should disable; it depends on how you use your servers and what runs on them. As far as local accounts go, you should have only a few on your system. The Administrator and Guest accounts are standard, and you may also have built-in accounts for Internet Information Services (IIS) or other applications. You can't delete the Administrator and Guest accounts, but you can disable them. If nothing else, you should consider renaming them so that they aren't easy targets (see Recipe 11.3 for more on this).

For services, you should review the services that are actively running and determine which ones you can safely disable. Again, there are no hard and fast rules here, but use Appendix F as your guide. Review the purpose of each service and determine if it needs to be running. For example, if you aren't running any scheduled jobs and don't plan to do so, you don't really need the Task Scheduler service to run. Configure its startup type to Disabled (see Recipe 7.4). For other services that you aren't sure about, don't just disable them on production systems. Test changes on a test ...
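The review described above can be scripted. The following PowerShell is an added example, not code from the book: it assumes Windows PowerShell 5.1 or later in an elevated session, the approved-service baseline and the disable list are constructed placeholders to replace with your own, and every change is issued with `-WhatIf` so nothing is modified until you remove that switch.

```powershell
# Added example: inventory accounts and services, then disable what review rejected.
# Constructed baseline of services this server is expected to run; adjust per role.
$ApprovedServices  = @('Dnscache', 'EventLog', 'LanmanServer',
                       'LanmanWorkstation', 'W32Time', 'WinRM')
# Constructed list of services you decided to disable after review.
# 'Schedule' is the service name of Task Scheduler, the example used in the text.
$ServicesToDisable = @('Schedule')

# 1. Local accounts that are still enabled, least recently used first.
Get-LocalUser |
    Where-Object Enabled |
    Sort-Object LastLogon |
    Select-Object Name, SID, LastLogon, PasswordLastSet, Description |
    Format-Table -AutoSize

# 2. Find the built-in Guest account by its well-known RID (501) rather than
#    by name, so the check still works after the account has been renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) {
    Disable-LocalUser -SID $guest.SID -WhatIf
}

# 3. Running services that are not in the baseline: these are the ones to
#    look up and justify before deciding whether they can be disabled.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.Name -notin $ApprovedServices } |
    Sort-Object StartMode, Name |
    Select-Object Name, DisplayName, StartMode, StartName |
    Format-Table -AutoSize

# 4. Disable the reviewed services, skipping any that other running services
#    depend on so the dependency can be examined first.
foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$name' not found"; continue }

    $dependents = $svc.DependentServices | Where-Object Status -eq 'Running'
    if ($dependents) {
        Write-Warning "'$name' has running dependents: $($dependents.Name -join ', ')"
        continue
    }
    Set-Service  -Name $name -StartupType Disabled -WhatIf
    Stop-Service -Name $name -WhatIf
}
```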
