While you are removing "backdoors", you secure your boot loader, right?

And I am sure you realize there is no way to secure windows server file system (off-line Password and Registry editors).

I usually don't worry about the NOC & DC staff, but since it is the topic here I am commenting.