You should enable only those services, which your application needs. Otherwise, you provide more opportunities for attackers to infiltrate your system. Many services are installed by default, so you should take care to disable those you do not actually need.
If you run your applications locally on your own servers, then you should check which services run on your server and IIS. Then turn off everything your application does not need. You should also patch your operating system and server regularly. When a serious security issue is announced, you should patch your system as soon as possible, because the attackers are usually able to exploit the flaws within 24 hours.
If your applications run on remote servers (webhosting, cloud, etc.), all you can do is trust your provider to ensure the server security.
You should also restrict public access to unused files located in /CMSPages and /CMSModules/<some module>/CMSPagesdirectories. The following example restricts the public access for the GetCMSVersion.aspx page: