If it's not installed, it can't be exploited. It's as simple as that.
Does IIS really need to be running on that server?
Are you using SNMP to monitor that server?
Is File and Print Sharing (or Samba) necessary for that server to perform it's role?
Unused services are a sometimes overlooked avenue of exposure that all too often provides a surface to attack.
But how do you know what is "needed"?
Have you done the research for a file and print server? A web only server? A mail server?
Do you use a published checklist?
Let us know how -you- know what services you do and don't need.
- Chris Carboni