How to Secure a Windows machine
For all the ink spilled on this topic, the solutions are simple and have not changed for two decades.
Software
Use a few software packages only.
For smaller tasks, use scripts.
Remove all unnecessary and unused software from machine.
Firewall
Install and run a firewall.
Block incoming connections to unneeded services.
Networking
Disable file sharing on client machines.
Disable client ability to use thumb drives.
Internet
Disable the ability to download .exe, .bat and .com files.
Run a virus check on mail on the server.
Training
Train staff to ask for certifications first before giving information.
Validate all internal callers with background questions.
Demonstrate destructive power of a hack with stories and news articles.