A Microsoft Windows machine can be perfectly safe. Let's say it's dedicated to running your full node and nothing else.
What can hackers do in such a situation?
Well winblows is a black box and therefore you can NEVER assume it can be perfectly safe.
The list of compromised services is so lengthy I don't even think there is a comprehensive list available.
Here is a list (not complete) of services you should have disabled that allow remote ports to be opened on your system.
TCP 53 -- DNS Zone Transfer
TCP 135 -- RPC Endpoint Mapper
TCP 139 -- NetBIOS Session Service
TCP 445 -- SMB Over TCP
TCP 3389 -- Terminal Services
UDP 137 -- NetBIOS Name Service
UDP 161 -- Simple Network Management Protocol
TCP/UDP 389 -- Lightweight Directory Access Protocol
Bottom line is that yes, Winblows can be hardened by customizations; its closed-source nature alone makes it a security risk.
OOB installs are inherently UNSAFE and any patch you apply from Microshaft will undo your security settings. So yeah, there is that.
Fighting Redmond to keep systems secure is one of the largest wastes of time in my entire life.
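An added example (not from the post above or any project): a PowerShell audit that checks which of the ports the post lists are actually listening on the node box, names the owning process, and with -Block adds an inbound Windows Firewall rule for each one found. It assumes Windows 8/Server 2012 or later (the NetTCPIP and NetSecurity modules) and an elevated shell when -Block is used; the port table is the post's own list.

```powershell
# Added example, not from the original post. Audits the listed ports and,
# with -Block, adds inbound firewall rules. Assumes Windows 8 / Server 2012+
# and an elevated shell for -Block.
param([switch]$Block)

# Port table taken from the post; the names are the post's own labels.
$Watch = @(
    @{ Proto = 'TCP'; Port = 53;   Name = 'DNS Zone Transfer' },
    @{ Proto = 'TCP'; Port = 135;  Name = 'RPC Endpoint Mapper' },
    @{ Proto = 'TCP'; Port = 139;  Name = 'NetBIOS Session Service' },
    @{ Proto = 'TCP'; Port = 445;  Name = 'SMB Over TCP' },
    @{ Proto = 'TCP'; Port = 3389; Name = 'Terminal Services' },
    @{ Proto = 'UDP'; Port = 137;  Name = 'NetBIOS Name Service' },
    @{ Proto = 'UDP'; Port = 161;  Name = 'SNMP' },
    @{ Proto = 'TCP'; Port = 389;  Name = 'LDAP' },
    @{ Proto = 'UDP'; Port = 389;  Name = 'LDAP' }
)

# Snapshot of what is listening right now: "TCP/445" -> owning process name.
$Listening = @{}
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $Listening["TCP/$($_.LocalPort)"] =
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
}
Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
    $Listening["UDP/$($_.LocalPort)"] =
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
}

foreach ($w in $Watch) {
    $key = "$($w.Proto)/$($w.Port)"
    if (-not $Listening.ContainsKey($key)) { continue }
    Write-Output ("{0,-9} OPEN  {1,-24} owner: {2}" -f $key, $w.Name, $Listening[$key])

    if ($Block) {
        # Rule name is a constructed label; skip if an earlier run already created it.
        $ruleName = "Node hardening - block $key"
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                -Protocol $w.Proto -LocalPort $w.Port -Action Block -Profile Any | Out-Null
            Write-Output "  -> added inbound block rule '$ruleName'"
        }
    }
}
```

Only the listed ports are touched, so the node's own listening port stays open; since the post notes that patches can undo hardening, re-run the audit after each Windows update.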