Physically secure servers behind locked doors, in a controlled-access environment.
Apply security in layers.
Use the Configure Your Server Wizard (CYS) to turn on server roles and secure them.
Use the Security Configuration Wizard included in Windows Server 2003 SP1 and R2 to reduce a server's attack surface.
Use the Run As command when administrative access is required instead of logging in as an Administrator.
Identify internal (or external) saboteurs before they can do serious damage: create serious-looking shares on the network, such as Financial Statements, Root Info, or similar, and audit access to those folders.
Don't enable always-on antivirus scanning on non-file servers. Instead, run periodic scans.
Plan to run the initial synchronization of WSUS over a weekend, beginning the download on Friday evening.
Test and approve WSUS patches before deploying them to production, either manually or through a process of setting up a pilot WSUS server and a production WSUS server.
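
One way to review the audit trail for the decoy shares recommended above (Financial Statements, Root Info), as an added example that is not part of the original text. It assumes object-access audit records have been exported to CSV; the column names, folder paths, account names and the allowlist are constructed for illustration.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample export of object-access audit records (not real log data).
SAMPLE_AUDIT_CSV = r"""time,account,source_host,object_path,access
2006-03-01T02:00:10,CORP\backupsvc,SRV-BACKUP,D:\Shares\Financial Statements\q4.xls,ReadData
2006-03-01T09:15:02,CORP\jdoe,WKS-114,D:\Shares\Public\menu.doc,ReadData
2006-03-01T21:47:31,CORP\tempadmin,WKS-207,D:\Shares\Root Info\passwords.txt,ReadData
2006-03-01T21:48:05,CORP\tempadmin,WKS-207,d:\shares\financial statements\Q4.xls,ReadData
2006-03-02T08:03:19,CORP\jdoe,WKS-114,D:\Shares\Financial Statements Archive\old.xls,ReadData
2006-03-02T10:30:00,CORP\msmith,WKS-051,D:\Shares\Root Info\readme.txt,ReadData
"""

# Assumed locations of the decoy folders behind the shares.
DECOY_ROOTS = (r"D:\Shares\Financial Statements", r"D:\Shares\Root Info")
# Assumed accounts that touch every folder for legitimate reasons (e.g. backup).
EXPECTED_ACCOUNTS = {r"corp\backupsvc"}


def decoy_root(path):
    """Return the decoy folder that contains path, or None if it is outside all of them."""
    p = ntpath.normpath(path).lower()
    for root in DECOY_ROOTS:
        r = root.lower()
        # Match the folder itself or anything below it, but not a sibling
        # whose name merely starts with the same text.
        if p == r or p.startswith(r + "\\"):
            return root
    return None


def decoy_hits(csv_text):
    """Group decoy-folder accesses by account, skipping expected service accounts."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        root = decoy_root(row["object_path"])
        if root is None or row["account"].lower() in EXPECTED_ACCOUNTS:
            continue
        hits[row["account"]].append((row["time"], row["source_host"], root))
    return dict(hits)


if __name__ == "__main__":
    for account, events in sorted(decoy_hits(SAMPLE_AUDIT_CSV).items()):
        for when, host, root in events:
            print(f"{when}  {account}  from {host}  touched decoy {root}")
```

Because nobody has a business reason to open a decoy folder, every account left in the result is worth a follow-up, and the allowlist should stay as short as possible.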