I have used this to lock down NT4 servers for a while now. I wrote it about two years ago. From what I've seen out there, this how to is still very good to use. Hope someone else can use it. Keep in mind that Windows shares will no longer work if you implement this giude. It is meant for a server that has a single specific purpose, like a bastion host or the like.

1. Install NT as a Stand-alone server - DO NOT JOIN A DOMAIN
2. Apply all current Service Packs and hot fixes
3. Ensure no other network applications are running on the machine (e.g.
4. Implement strong passwords for admin account
5. Disable Guest account and DO NOT create any user accounts
6. Set password protection on screen saver - don't choose a screen saver
that's graphically intense
7. In Network Control Panel:
- uninstall all services
- uninstall all protocols except tcp/ip
- disable the WINS tcp/ip client ('all protocols' view on Bindings tab)
(These steps can be avoided if you skip networking install during NT setup
and manually install the adapter driver and tcp/ip afterwards - just double
check to make sure the WINS client doesn't appear)
8. Disable the "TCP/IP NetBIOS Helper" in the Services control panel
9. Disable the "WINS Client (TCP/IP) in the Devices Control panel
10. Remove the OS/2 and POSIX sub-systems (see below for details)
11. Ensure NTFS is in use for all partitions
12. Set permissions such that only the Administrator, Creator Owner, and
System accounts have any rights to any files (in other words, remove the
'Everyone' rights).

To disable and remove the OS/2 and POSIX subsystems, do the following:
To manually remove OS2 and POSIX completely:
• Delete the winnt\system32\os2 directory and all sub-directories.
• HKLM\SOFTWARE\Microsoft\OS/2 Subsystem for NT - Delete all sub-keys
• HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment\Os2LibPath - Delete
• HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems\Optional - Delete OS2 Values
• HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems - Delete
all entries for OS/2 (and POSIX if you wish)
The OS/2 and POSIX sub-system will be gone after reboot. And it goes without
saying that registry hacking is dangerous.

Here are some other registry hacks that are useful:

Display legal Notices at logon by editing the following keys:
Key name: LegalNoticeCaption
Data Type: REG_SZ
Value: Legal Notice!
Key name: LegalNoticeText
Data Type: REG_SZ
Value: This system is for authorized users only! Unauthorized use is subject
to prosecution.
All activity on this machine is being logged.

Hide the name of the last user to logon:
Key name: DontDisplayLastUserName
Data Type: REG_SZ
Value: 1