Michael Howard posted a note about changes in Windows 2003 that disable the flaw used by the 'Sasser' worm (cleanup tool and doc available):
... and Windows Server 2003 is not infected. Why? Because the RPC interface, which is accessible to anyone (i.e., anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a local admin to access. Not a remote admin, a local admin using the server's keyboard.
I think it is done the same way as in Chapter 16 of “Writing Secure Code, 2nd Ed”.
'Secure by Default' initiative in action (and as Michael notes - it is improved in Windows XP SP2) [via Dana Epp]
BTW, updated WXP SP2 docs posted for download.
Update: Tristan K writes about how IPSec policies can be used as a firewall to block Sasser infection.