For those of you maintaining your solution on-premise, remember that the Microsoft Baseline Security Analyzer is an easy win for internal IT audits.  You can use it as long as you have administrative access to the server.  Launch it from your desktop and you'll see the interface shown below.

If you click the "Scan a computer" link you'll then be shown this....

Once you click Start Scan, you'll see a progress bar...

After it's done you'll see a list of all the known vulnerabilities and the current score for each...

The VM I'm using for the JFK archives had one issue I needed to address.  It's nice that it gives me information about how to correct issues. 

Make sure you've run this on any server exposed to the public!