Switching off unnecessary

no ip source-route 
ip options drop 
no ip http server 
no ip http secure-server 
no service tcp-small-servers 
no service udp-small-servers 
service tcp-keepalives-in 
service tcp-keepalives-out 
no ip bootp server 
no ip finger 
no ip identd 
no service config 
no lldp run 
no service pad

! add logging buffer
logging buffered 50000
login block-for 300 attempts 3 within 300

Safety cushion by scheduled reload

When applying ACLs or adding extra security it possible to lock out yourself. Therefore before you apply any changes you can schedule reload and do not save running-config to startup-config until you 100% sure all is working correctly. Then cancel scheduled reload and save changes.

Schedule reload in 5 minutes

reload in 5
Reload scheduled for 19:57:04 GMT Sun Nov 17 2013 (in 5 minutes) by dsneteng on console
Reload reason: Reload Command
Proceed with reload? [confirm]
***
*** --- SHUTDOWN in 0:05:00 ---
***

Cancel reload

reload cancel
***
*** --- SHUTDOWN ABORTED ---
***

Other options

reload ?
  at      Reload at a specific time/date
  cancel  Cancel pending reload
  in      Reload after a time interval
  reason  Reload reason
  warm    Reload should be warm

Use copy tftp run when applying ACLs

Then to a copy tftp run to install the updated ACL into the running config. This method is nice because the ACL doesn't get updated until after the TFTP is complete, so it should be safe even if the change will interrupt network connectivity.

References

• Best Practices for Inbound Cisco Access Lists 2007
• Best Practices and Securing Cisco IOS 2011
• How do I secure a Cisco router from the Internet? 2009