Note that my webserver is a fully patched Windows 2003 Server
system with no firewall/router in place other than what comes with
Windows 2003 Server. Also note that I hit it via Terminal Server
without going through a VPN which horrifies some people. We also
renamed the administrator account and the two of us have our own
admin accounts we run to do things on it. The administrator
account is our backup in case we forget the password or lock
ourselves out.
It would be safer to create new admin accounts and remove the
default admin account from the administrators group. Why? Because the
SSIDs of the default admin accounts are discoverable, and that
doesn't change when you rename them.
And you should still use a VPN rather than having multiple ports
open to the Internet. A VPN means you need only the VPN and web
server ports open (well, unless you're running a mail server). The
point is that with a VPN all user interaction with your network
*and* your server comes through the single VPN port, as opposed to
needing multiple ports open for various tasks (Remote Desktop, SSH,
etc.).
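As an added example that is not part of either post above, here is a defender's check for the point about the built-in admin account: its SID always ends in the well-known RID 500, so a rename does not hide it. The script assumes a current Windows host with the LocalAccounts module (Windows 10 / Server 2016 or later); the function name is my own.

```powershell
# Added example: locate the built-in Administrator by its RID-500 SID, whatever
# it has been renamed to, and report whether it is enabled and still in the
# local Administrators group. Assumes the Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016+); run from an elevated PowerShell prompt.

function Get-BuiltinAdministratorStatus {
    # Every local account SID is <machine SID>-<RID>; the built-in Administrator
    # is the one whose RID is 500, regardless of its current display name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $builtin) {
        throw 'Built-in Administrator (RID 500) was not found among local users.'
    }

    # Compare group membership by SID, not by name, for the same reason.
    $members = Get-LocalGroupMember -Group 'Administrators'
    $inAdmins = [bool]($members | Where-Object { $_.SID.Value -eq $builtin.SID.Value })

    [pscustomobject]@{
        CurrentName      = $builtin.Name       # the rename is visible here only
        SID              = $builtin.SID.Value  # ...but the -500 suffix gives it away
        Enabled          = $builtin.Enabled
        InAdministrators = $inAdmins
    }
}

$status = Get-BuiltinAdministratorStatus
$status | Format-List

if ($status.Enabled) {
    Write-Warning ("Built-in Administrator is enabled under the name '{0}'. " +
                   "After confirming a separate admin account works, disable it:" -f $status.CurrentName)
    Write-Warning ("    Disable-LocalUser -SID '{0}'" -f $status.SID)
    # The disable line is deliberately not executed here; run it yourself once
    # you have verified that another administrative account can log on.
}
```

Disabling the RID-500 account is the usual mitigation on current Windows; the account's backup role described in the first post can then be filled by a second, separately named admin account whose password is stored offline.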