It seems a shame to suggest this as Microsoft have had the idea first, but it seems to me the
best answer is for the O/S as installed to have a firewall that is in a locked down mode (with
all incoming connections blocked) until after the first update has been done. MS have
implemented this in the latest revisions of Windows Server 2003....
Of course Ubuntu's option is not bad either (no open ports out of box and none until you
actually share something) [Though the newest versions softened that with the network discovery