You should remove accounts that are not used because an attacker might discover and use them. Require strong passwords. Weak passwords increase the likelihood of a successful brute force or dictionary attack. Use least privilege. An attacker can use accounts with too much privilege to gain access to unauthorized resources.
During this step, you:
Delete or disable unused accounts.
Disable the Guest account.
Rename the Administrator account.
Disable the IUSR account.
Create a custom anonymous Web account.
Enforce strong password policies.
Restrict remote logons.
Disable null sessions (anonymous logons).
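The checks in this step can be audited read-only with the PowerShell script below, which is an added example and not part of the original guidance. It assumes an elevated Windows PowerShell 5.1+ session with the LocalAccounts module, and its thresholds (90 idle days, 8-character minimum) are assumptions. Mapping "restrict remote logons" to the Everyone SID holding SeNetworkLogonRight, and "null sessions" to the RestrictAnonymous registry value, is this example's interpretation.

```powershell
# Added example: read-only audit of the account checks listed in this step.
# Run elevated on Windows PowerShell 5.1+. Thresholds below are assumptions.
$StaleDays = 90   # assumption: idle this long means "unused"
$MinLength = 8    # assumption: minimum acceptable password length
$cutoff    = (Get-Date).AddDays(-$StaleDays)
$findings  = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]   # well-known RIDs: 500 = Administrator, 501 = Guest
    if ($rid -eq '501' -and $u.Enabled) { Add-Finding 'Guest' "'$($u.Name)' is enabled" }
    if ($rid -eq '500' -and $u.Name -eq 'Administrator') {
        Add-Finding 'Administrator' 'built-in account still has its default name'
    }
    if ($u.Name -like 'IUSR*' -and $u.Enabled) { Add-Finding 'IUSR' "'$($u.Name)' is enabled" }
    if ($u.Enabled -and -not $u.PasswordRequired) {
        Add-Finding 'Password' "'$($u.Name)' does not require a password"
    }
    if ($u.Enabled -and (-not $u.LastLogon -or $u.LastLogon -lt $cutoff)) {
        Add-Finding 'Unused' "'$($u.Name)' has no logon in the last $StaleDays days"
    }
}

# Null sessions: RestrictAnonymous missing or 0 leaves anonymous enumeration unrestricted.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if (-not $lsa.RestrictAnonymous) { Add-Finding 'Null sessions' 'RestrictAnonymous is 0 or not set' }

# Password policy and user rights: export local security policy, parse "Key = Value" lines.
$cfg = Join-Path $env:TEMP 'account-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY USER_RIGHTS | Out-Null
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

if ([int]$policy['MinimumPasswordLength'] -lt $MinLength) {
    Add-Finding 'Password policy' "minimum length is below $MinLength"
}
if ($policy['PasswordComplexity'] -ne '1') { Add-Finding 'Password policy' 'complexity not enforced' }
# S-1-1-0 is the Everyone group; SeNetworkLogonRight is "Access this computer from the network".
if ($policy['SeNetworkLogonRight'] -match '\*S-1-1-0(,|$)') {
    Add-Finding 'Remote logon' 'Everyone holds SeNetworkLogonRight'
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No findings.' }
```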
Unused accounts and their privileges can be used by an attacker to gain access to a server. Audit local ...