The basic set is simple:
- we close all ports, we open only those that are needed
- administrative access - via a non-standard port, with a kilometer password, and preferably without a password using a key
The rest depends on the operating system. The Google keyword is hardening: linux hardening, nginx hardening, etc.

Hatzner has a firewall in lk. There and close all access, except for your or not only IP. Eats IP must be fixed

Correction: Windows Server R2 2012 is installed on the server

If possible, I would recommend updating your version of the server as mainstream support for Windows Server R2 2012 ended in 2018. If this is not possible, then you need to install the latest patches. Since Windows Server R2 2012 has a number of kernel memory overflow issues.
Next, we configure the firewall, database and other services in accordance with the official documentation from Microsoft .

what ports should be closed immediately

We close everything that is not necessary for the immediate operation of the server.

what roles and services are better not to install

It's better not to install crooked and obsolete services. The former may contain malicious code, while the latter may contain system exploits.
For each individual vulnerability and for each individual type, there are different utilities for checking.
You can start with Nmap and continue by reading the OWASP Web Application Security Guide.
There are special resources, vulnerability scanners that can check most vulnerabilities at each level.
https://metascan.ru
https: //acunetix.com/
https: //detectify.com/