How to Secure a Windows machine
For all the ink spilled on this topic, the solutions are simple and have not changed for two decades.
Use a few software packages only.
For smaller tasks, use scripts.
Remove all unnecessary and unused software from machine.
Install and run a firewall.
Block incoming connections to unneeded services.
Disable file sharing on client machines.
Disable client ability to use thumb drives.
Disable the ability to download .exe, .bat and .com files.
Run a virus check on mail on the server.
Train staff to ask for certifications first before giving information.
Validate all internal callers with background questions.
Demonstrate destructive power of a hack with stories and news articles.