RB1200 access & Restriction

I have 4 RB1200 units at our head end that we just installed. They are up and operational as of a couple of days ago. Firewall is turned on to keep the script kiddos out. My question is… How do I set a certain IP (our external office IP) to only have access to winbox and ssh, and restrict all others? I'm still new at this, so please, if you reply, put it in layman's terms so I can better understand it all. :smiley:

There are 2 schools of thought on the firewall side: either full-on rejects/drops on the outside address and only allow specific IPs and ports, which is safer but more prone to break stuff, or accept all packets and drop only the dangerous stuff, which is not as safe but you are a lot less likely to break anything.

You can make firewall rules on the INPUT chain and optionally only make them apply to the wan/outside address or globally. Create specific ACCEPTs from the outside and an explicit REJECT/DROP on those ports AFTER the allow rule. A word to the wise: make sure when the allow rules are created you test connectivity from the outside and inside and that they are hitting the chains, otherwise there is the possibility of locking yourself out. Remember to include internal IPs/subnets as well that you want to be able to configure/access the router from. Use the rate limiting on ICMP to slow down any ICMP attacks but allow ICMP for network connectivity and diagnostic testing.

I generally prefer using jump targets for this because after a while my firewall config gets cluttered. Disable any unneeded services and use nmap to scan tcp+udp (if there is no IPS/IDS in front) and GRC to test firewall rules.

I would highly recommend you check out the Securing a New RouterOS Router article: http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router

Ya, my supervisor pointed me to that site. Tried reading through it. I guess when it comes to me setting this stuff up it is a lot easier for me to modify existing code than to create it. We do have a script in place that allows us to configure the MT within 15 minutes. If not finished or locked out… the script reverts back to its previous working state. Is there a way you could set up the script and I can just replace the specific items I need? Would help out a lot.

In winbox go to IP / Services and edit the ‘available from’ field to the only IP you want to give access to winbox or other services.
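Putting the two answers above together (the INPUT-chain accept-then-drop rules with ICMP rate limiting, and the IP / Services "available from" field), here is an added example RouterOS terminal script; it is not from the thread or from the MikroTik wiki, and the office IP, LAN subnet and the `mgmt-allowed` list name are placeholders to replace. The `limit=` syntax is the RouterOS v6 form (assumption; older v5 firmware drops the `:packet` suffix).

```routeros
# Added example, not from the original thread. Replace the placeholder
# addresses below with your own office IP and internal subnet.
# Run from a terminal in Safe Mode (Ctrl+X) so a mistake is rolled back
# if you lose the connection.

# 1. Address list of hosts allowed to manage the router (external office
#    plus the internal subnet, so you are not locked out from the LAN).
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10/32 comment="external office (placeholder)"
add list=mgmt-allowed address=192.168.88.0/24 comment="internal LAN (placeholder)"

# 2. INPUT chain: traffic addressed to the router itself.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="keep existing sessions (including the one you are on)"
add chain=input connection-state=invalid action=drop

# ICMP stays allowed for diagnostics but is rate limited (5/s, burst 5).
add chain=input protocol=icmp limit=5,5:packet action=accept comment="icmp rate-limited"
add chain=input protocol=icmp action=drop comment="icmp over the limit"

# Winbox (tcp/8291) and SSH (tcp/22): accept from the management list only,
# then an explicit drop AFTER the accept for everyone else.
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt-allowed \
    action=accept comment="ssh+winbox from management hosts"
add chain=input protocol=tcp dst-port=22,8291 action=drop \
    comment="ssh+winbox from anyone else"

# 3. Belt and braces: the service itself only listens for those addresses
#    (this is the 'available from' field in Winbox IP / Services), and
#    services you do not use are switched off entirely.
/ip service
set ssh address=203.0.113.10/32,192.168.88.0/24
set winbox address=203.0.113.10/32,192.168.88.0/24
disable telnet,ftp,www,api

# 4. Verify the rules are actually being hit before leaving Safe Mode:
#    the packet/byte counters should climb when you connect from outside.
/ip firewall filter print stats where chain=input
```

Test from the office IP, from the LAN and from a third outside address before committing: the first two should reach Winbox and SSH, the third should time out, and the counters on the accept and drop rules should reflect each attempt.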