You'd be surprise how many trusted security configuration guides have settings that have never been tried or implemented. These people are telling you to enable or configure something that could cause harm or issues in most environments. I've seen trusted security guides make suggestions that would literally turn off critical security settings with absolutely no benefit. In fact, they would make you less secure.
Don't change default service or daemon run settings. Most people who turn off default services don't understand the full repercussions of what they are doing, and usually there is little benefit to doing so. The conventional wisdom is that any service running that doesn't need to be is just an additional target the hackers can attack. And this is true. But as long as you don't change the default settings and you stay fully patched, usually it's very difficult for the attackers to gain a foothold, especially without tricking the end-user into doing something first. Truly remote buffer overflows are rare today.
As my anecdote at the beginning of this article showed, don't mess with the default group memberships if you don't have to. The biggest problems I see with group membership changes is people putting far too many users into elevated groups that should have few if any permanent group memberships. Removing a default group membership is almost always a bad thing
Here is an oldie-but-goodie blog entry on the subject of defaults that I often send to customers. It's written by Microsoft's Aaron Margosis, who has the technical smarts, wisdom, and experience to give authoritative security advice.
The decision of when to change defaults should be led by whether or not the change would stop a likely critical threat and not cause too many operational issues. Too many people make changes for theoretical threats they will likely never face, and do so without understanding the long-term operational consequences. When in doubt, chicken out, and go with the vendor's defaults or recommendations.
Sign up for Computerworld eNewsletters.