1.) Make sure that the default Admin Account and Guest Account are renamed (e.g. RENAdministrator and RENGuest, but choose your own names here!)
2.) Make sure the screen saver locks the screen after x minutes (I would prefer 15 minutes)
3.) Make sure that the default Admin Account and Guest Account require a password. This can be done via:
net user RENAdministrator /PASSWORDREQ:YES
net user RENGuest /PASSWORDREQ:YES
7.) Disable SMBv1
As SMBv1 is quite old and has some vulnerabilities, you should disable it (as explained here) with the following:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
This still leaves SMBv2 and SMBv3 active, and both remain usable.
8.) Upgrade Diffie-Hellman Prime to 2048 bit as explained here.
9.) Enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP (see here)
If you run a VMware environment, check this article here on hardening the BIOS.
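To confirm the steps above actually took effect on a host, the following read-only audit is an added example, not part of the original post. It assumes an English-language install (default account names Administrator and Guest), and that steps 8 and 9 refer to the Schannel ServerMinKeyBitLength and WinHTTP DefaultSecureProtocols registry values; the helper names Add-Check and Get-RegValue are made up for this example.

```powershell
# Added audit example: reads settings only and changes nothing. Run elevated.
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
}

function Get-RegValue($Path, $Name) {
    # Yields $null when the key or the value is missing (reported as a failed check)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Steps 1 and 3: find the built-in accounts by RID, so a rename cannot hide them.
# Default names assume an English-language installation.
$defaults = @{ 500 = 'Administrator'; 501 = 'Guest' }
foreach ($rid in 500, 501) {
    $u = Get-LocalUser | Where-Object { $_.SID.Value -like "S-1-5-21-*-$rid" }
    Add-Check "RID $rid renamed" ($u -and $u.Name -ne $defaults[$rid]) "name: $($u.Name)"
    Add-Check "RID $rid password required" $u.PasswordRequired "enabled: $($u.Enabled)"
}

# Step 7: both the live server setting and the registry value the post sets
$smb = Get-SmbServerConfiguration
Add-Check 'SMBv1 server protocol off' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol: $($smb.EnableSMB1Protocol)"
$smb1 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1'
Add-Check 'SMB1 registry value is 0' ($smb1 -eq 0) "SMB1: $smb1"

# Step 8 (assumed to mean the Schannel ServerMinKeyBitLength value)
$dhKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$dh = Get-RegValue $dhKey 'ServerMinKeyBitLength'
Add-Check 'DH minimum is 2048 bit or more' ($dh -ge 2048) "ServerMinKeyBitLength: $dh"

# Step 9 (assumed to mean the WinHTTP DefaultSecureProtocols value)
$winHttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$proto = Get-RegValue $winHttp 'DefaultSecureProtocols'
$want = 0x200 -bor 0x800   # TLS 1.1 flag combined with TLS 1.2 flag
Add-Check 'WinHTTP defaults include TLS 1.1 and 1.2' (($proto -band $want) -eq $want) ('value: 0x{0:X}' -f [int]$proto)

$results | Format-Table -AutoSize
```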
If you wish to share your ideas feel free to leave a comment!