You can download a w7 security benchmark from https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform.

In addition to the recommendations there you may want to:

 

1. Disable Teredo tunneling.

http://www.mydigitallife.info/how-to-disable-tcpipv6-teredo-tunneling-in-vista/.

 

2. Unbind Client for Microsoft Network and Printer and File sharing from all network adapters.

 

3. Disable Remote Desktop service.

 

4. Disable UPNP device host.

 

5. Disable ISCSI initiator.

 

6. Disable Computer Browser service.

 

7. Disable NetBios helper service.

 

8. Disable RRAS.

 

9. Disable remote registry service.

 

10. Move the firewall log from its default location and enable logging of all connections.

 

11. Enable process tracking in the local security policy.

 

12. Enable “User Account Control: Only elevate executable(s) that are signed” local security policy.

 

These are just a few things off the top of my head.
Best to run x64 version of Windows as the host.  The script kiddies are still targeting x86.

 

Of course, these recommendations are also applicable on Vista/XP OS.

 

You also may want to keep track of your BIOS, NIC and GPU firmware. 🙂
(If you know how)