You have all the tools you need (Score 1)

Use ldap or equivalent for user authentication along with pam. Give all regular users rbash as their shell and put them in groups that don't have permissions to do anything. Only give sudo to administrators. Run sshd on an off port, disable root login and uses DenyUsers, AllowUsers, DenyGroups, and AllowGroups in your sshd_config. Use Cfengine and apt to push configs/updates. Use open tripwire or equivalent to check for unplanned file changes. Use iptables and if you want setup /etc/hosts.allow and /etc/hosts.deny. Set up a apt-mirror server for all updates and custom packages and configure auto updates. Use apt-get remove to uninstall all the packages you don't need. Stop all unneeded services. Set up a samba or nfs share and use pam_mount to mount the shares. If you don't get it 100% at first don't worry. Its easy to make mass changes and tweaks with Cfengine and your apt-mirror.