The best practice is to keep all software and OS patches current with the latest release. Install reputable antivirus software on every PC and keep its signature definitions updated. Align system policies with the organization's security policy and review them periodically. Implement audit controls so that security breaches and unauthorized system changes are actually detected, not just logged.
Weak passwords are "the killer." A dictionary word or a short, single-character-class password falls to a wordlist or brute-force attack in seconds. Implement a strong password policy (minimum length, mixed character classes, rejection of common passwords) and enforce it technically, not just on paper. Authorization should follow the "need to know" rule, granted in accordance with corporate policy. Physical security is essential: an attacker with physical access to a machine can bypass most logical controls. Identification and authentication controls must be implemented properly, as they underpin every other control; an authentication mechanism is only as good as its implementation and enforcement. I also suggest upgrading any unsupported OS versions to current ones: they no longer receive security patches, and newer releases provide better built-in protections.
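To make the password point concrete, here is an added example (not part of the original answer) of a policy check of the kind an enforcement script or account-provisioning hook would run. It rejects passwords that are too short, use too few character classes, or appear in a common-password list, and it estimates how long exhaustive search of the password's keyspace would take. The common-password list, the 12-character / 3-class policy, and the assumed attacker rate of 1e10 guesses per second (a fast unsalted hash on GPU hardware) are all assumptions chosen for illustration.

```python
import string

# Constructed stand-in for a real breach wordlist (e.g. rockyou.txt); an
# attacker tries these first, so they fall on the first few guesses.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

# Assumed policy values, chosen for this example.
MIN_LENGTH = 12
MIN_CLASSES = 3

# Assumed attacker rate: fast unsalted hash on GPUs (illustrative figure).
GUESSES_PER_SECOND = 1e10

_CLASSES = (
    ("lowercase", lambda c: c.islower()),
    ("uppercase", lambda c: c.isupper()),
    ("digit", lambda c: c.isdigit()),
    ("symbol", lambda c: c in string.punctuation),
)

_CLASS_SIZES = {"lowercase": 26, "uppercase": 26, "digit": 10, "symbol": len(string.punctuation)}


def character_classes(pw):
    """Return the names of the character classes present in pw."""
    return [name for name, test in _CLASSES if any(test(c) for c in pw)]


def charset_size(pw):
    """Size of the alphabet an attacker must search if pw's classes are known."""
    return sum(_CLASS_SIZES[name] for name in character_classes(pw))


def estimate_crack_seconds(pw, guesses_per_second=GUESSES_PER_SECOND):
    """Upper bound on exhaustive search time for pw's keyspace.

    A password on the common list is returned as 0.0: a wordlist attack
    finds it almost immediately regardless of its length or classes.
    """
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0
    return charset_size(pw) ** len(pw) / guesses_per_second


def check_policy(pw):
    """Return a list of reasons pw violates the policy; empty means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(character_classes(pw)) < MIN_CLASSES:
        reasons.append("fewer than %d character classes" % MIN_CLASSES)
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    return reasons


if __name__ == "__main__":
    for candidate in ("qwerty", "abcdefgh", "Tr0ub4dor&3x!Qz9"):
        verdict = check_policy(candidate) or ["accepted"]
        print("%-20s %-45s ~%.1e s to brute-force"
              % (candidate, "; ".join(verdict), estimate_crack_seconds(candidate)))
```

Eight lowercase letters give a keyspace of 26**8, about 2.1e11, which at the assumed rate is roughly 21 seconds; a common password is found in the wordlist phase before brute force even starts. A real deployment would back the list with a full breach corpus and hash stored passwords with a slow, salted algorithm, which lowers the attacker's guess rate by orders of magnitude.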
Periodic monitoring and auditing help measure the security posture. And, above all, never settle into a false sense of security.
This was first published in September 2005