- Migrate to a modern OS and hardware platform – 64-bit versions of Windows are much harder to crack and ship with most of their security settings set to "On." Be sure to set Windows Update to Automatic.
- Install a comprehensive host-based security suite – Host-based intrusion prevention (HIPS), anti-virus, anti-phishing and safe browsing provide layered defense. Cloud-based reputation-protection services keep a history of your updates, attacks and incidents with malware, improving your protection.
- Limit use of the administrator account – Don't give the janitor Root on the Domain Controller.
- Use a web browser with sandboxing capabilities – The sandbox can contain some malware; most browsers that have one also auto-update their security. Products that move the browser into a virtual machine would provide more protection, and are starting to appear commercially "but are not ready for mass consumer use."
- Update to a PDF reader with sandboxing capabilities – Same deal as with the browsers. Blocking embedded URLs is a good way to start.
- Migrate to MS Office 2007 or later – Older suites don't support the XML-based file formats, which don't allow code to execute when the document opens. The "Protected View" in Office 2010 is a read-only mode that also limits the scope of malware in an Office document.
- Keep application software up to date – You knew that one was coming.
- Encrypt your whole hard drive – Most corporations don't do this because end users break them, forget passwords, or store documents outside the encrypted volumes, usually because the extra step or two required to access encrypted files is too much of a pain. Good luck getting them to cooperate en masse, but this one provides a huge security boost.
All the advice is run-of-the-mill except this:
- Implement an alternate DNS provider – Using your ISP as your primary DNS doesn't usually give you extra security such as the ability to blacklist dangerous web sites. Open-source or commercial DNS providers.
Anyone who's done it knows messing with the DNS settings on your PC can FUBAR you faster than almost any other DIY project that doesn't involve randomly deleting things from the Registry. Follow the instructions and print off the 800-number for Google support before you start.
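
One way to make the DNS change without stranding the machine, as an added example that is not from the original post: record the current servers, confirm the new resolver answers, apply the change, then roll back if lookups fail. The adapter alias `Ethernet`, the Quad9 addresses used as the filtering resolver and the test name are assumptions; run it from an elevated PowerShell on Windows 8 / Server 2012 or later.

```powershell
# Added example: switch one adapter to a filtering DNS resolver, verify, roll back on failure.
# Assumed values: adapter alias, resolver addresses (Quad9), and the test hostname.
param(
    [string]   $InterfaceAlias = 'Ethernet',                       # assumed adapter name
    [string[]] $NewServers     = @('9.9.9.9', '149.112.112.112'),  # Quad9 (assumed choice)
    [string]   $TestName       = 'www.example.com'
)

$ErrorActionPreference = 'Stop'

# 1. Record the current IPv4 DNS servers so the change can be undone by hand if needed.
$before = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
$backup = Join-Path $env:TEMP "dns-backup-$InterfaceAlias.txt"
($before -join ', ') | Out-File -FilePath $backup
Write-Host "Previous DNS servers ($($before -join ', ')) saved to $backup"

# 2. Confirm every new resolver answers before touching the adapter.
#    A failed query throws here and nothing has been changed yet.
foreach ($server in $NewServers) {
    Resolve-DnsName -Name $TestName -Server $server -DnsOnly | Out-Null
}

# 3. Apply the change and drop answers cached from the old resolver.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $NewServers
Clear-DnsClientCache

# 4. Verify through the system resolver; restore the recorded servers if it fails.
try {
    Resolve-DnsName -Name $TestName -DnsOnly | Out-Null
    Write-Host "DNS now served by: $($NewServers -join ', ')"
}
catch {
    Write-Warning 'Lookup failed after the change, restoring previous settings.'
    if ($before) {
        # Note: addresses that came from DHCP are written back as static entries.
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $before
    }
    else {
        # Nothing was recorded: return the adapter to DHCP-assigned DNS.
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    }
    Clear-DnsClientCache
    throw
}
```

If the adapter originally took its DNS servers from DHCP, `Set-DnsClientServerAddress -InterfaceAlias <alias> -ResetServerAddresses` returns it to that state.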