Should it have desktop features like secure file sharing? It's a reason why the SSH server is running by default.
Closing all incoming ports is imo pointless unless running a service there and needing a more complex configuration than making it available to all or just the local machine. Closing outgoing ports will break normal desktop software like email or IM clients. Run "ss -ltun" (or "netstat -ltun") on a default install to know for sure what services are running, check listening addresses: many are available only from the same machine.
pgpEPow6WwLMD.pgp
Description: PGP signature
