
Focus
Is this article meant for Windows servers on a local network, Internet-facing Windows servers, individual home users, or corporate PC users?

It would be helpful to state that this is aimed at corporate PC LAN workstations, or at enterprise Windows servers, if that is the case. When you say 'Windows Security' that covers products from a Windows phone running CE to a Windows SQL database or IIS web server.

Network security and OS security are not the same thing.

In fact, it could be argued that these two things are in direct conflict with each other quite often, so it may not be useful to use the two terms interchangeably. And there needs to be context here as well; the network controls and security requirements for a Web-facing Windows server are quite different from those of a typical corporate LAN workstation. Does it matter if my port 1433 is open on my workstation? Yes, if it isn't, then my corporate SQL database apps won't work very well.

Context: The article only mentions firewalls briefly, without stating the context; is this the PC personal firewall or the corporate firewall that is being discussed? Most Windows database or application servers on an enterprise network are not going to be configured to use the Microsoft firewall services, in any case.

The security controls you put in place for a Windows IIS server make no sense for a workstation, because you then break some very useful things, such as printing, for example, or browsing the network neighborhood. One would hope that PCs on a private home network should not have to worry about attack surface, unless their kids are really skilled hackers.

And, seriously, unless you're off your meds, how many workstation users do audit logging and maintain multiple administrator accounts? (Or even know how to enable audit logging?)

Isolation of Services sounds like Service Isolation, which is a very different thing. It might be better to simply recommend using more virtualization. Of course, if you put your ten most important apps in ten VMs all on one server with one motherboard, you've created one Titanic-scale single point of failure. In general, you're not reducing the risk very much by spreading your apps over multiple servers or VMs, since whatever exploit worked on one server will surely work on all the others.
Posted by robo_dev
Updated - 31st Mar 2011