Disabling non-essential applications and filtering unused or unnecessary ports is definitely a step in the right direction. But as any good penetration tester will tell you, you have to be <b>running a secured application that is properly configured</b>. Try doing a web search for <a href=”http://www.lmgtfy.com/?q=web+server+penetration+testing”>web server penetration testing</a>. Attackers will take what they do know about the system and the exposed services and attempt to break in using the weaknesses presented there. A better security approach might be to have application firewall and intrusion detection/prevention device(s) in-line with your webserver for deeper traffic inspection. This would definitely be a good idea for e-commerce or financial services.
Be sure your system is patched and the applications are securely written. That will be the greatest security precaution you can take in addition to shutting down unneeded services and blocking unneeded ports.