First off a firewall should be used at the perimiter to protect your network
from unwanted access. Beyond that you can either close ports by disabling
the service or application that uses them or block them with a host based
firewall. You can use free utilties like TCPView and Process Explorer from
SysInternals to find what application or service is using a particilar port.
The commands netstat -ano, netstat -anb, and tasklist /svc will also be
helpful in seeing what executeables and process ID's are associated with a
port. Tasklist /svc will show what services are associated with an instance
of svchost. Ipsec policy can also be used to restrict access to ports on a
computer with either an ipsec filtering policy or with an ipsec negotation
policy that requires computer authnetication before access is allowed to a
computer on the ports restricted by ipsec.

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx  
--- Windows 2003 ipsec

Use the free tool Microsoft Baseline Security Analyzer to check for
vulnerabilites on your computer including services that may not be needed.
The Windows 2003 Server Security Guide also has excellent information on
what services should be enabled on servers by role and also recommendations
for ipsec filtering policy. If you are using SP1 you can take advantage of
the Security Configuration Wizard as shown in the first link below to help
configure your servers with only the needed services and to implement an
ipsec filtering policy.   --- Steve

http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/defau
lt.mspx
http://www.microsoft.com/technet/security/tools/mbsahome.mspx  --- MBSA
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017   --- Windows
Server ports
http://www.microsoft.com/technet/security/prodtech/windowsserver2003.mspx    
--- TechNet Security for windows 2003