General Workplace Security
last modified
2007-07-27 11:28
- Disable booting from drive A:. Go into your BIOS setup and disable booting from Drive A:. This will prevent pure boot sector viruses from taking control of your PC.
- Rename or delete dangerous executables. Rename (preferred) or delete rarely used executables that can be used by malicious mobile code for harm. These files include: FORMAT.COM, SYS.COM, DEBUG.EXE, REGEDIT.EXE, REGEDT32.EXE, WSCRIPT.EXE, and CSCRIPT.EXE. I like renaming executables instead of deleting them because the files can easily be used again by knowing the new names. Note: Installing new software, upgrades, and patches can reinstall previously missing executables. Computer utilities like Norton Disk Doctor will find renamed files when they are called upon. The newer versions of Windows will often restore protected system files, although there are ways to defeat this behavior depending on the version of Windows you use.
- Remove Windows Scripting Host (WSH) file associations. WSH is a Microsoft program used by many types of malicious mobile code. Files ending in .hta, .js, .jse, .vbs, .vbe, .wsh, .wsc, and .wsf should have their opening action re-associated with some harmless program, like Notepad. Note: In Windows 98, open Windows Explorer, choose Tools > Folder Options > File Types, choose the appropriate file extension type, choose Open under Actions > Edit, and change WSCRIPT.EXE to NOTEPAD.EXE.
- Make file extensions visible. It is safe to run non-executable file content, such as JPGs, MPGs, GIFs, WAVs, and so on. You just need to make sure they aren't executables in disguise. Most Windows versions will hide known file extensions. Thus, a seemingly innocuously named file, PICTURE.JPG, may really be PICTURE.JPG.EXE. In Windows Explorer, look for the file extension hiding option under Folder Options. Note: Some file extensions, such as .shs (scrap object file), have to be modified in the Windows registry in order to display.
- Remove unnecessary programs and services. Most PCs have at least a handful of programs and services running that the user doesn't know about. In many cases the user doesn't need to know about these programs. Explore the obvious start-up areas (CONFIG.SYS, AUTOEXEC.BAT, CONFIG.NT, AUTOEXEC.NT, WIN.INI, SYSTEM.INI, start-up folders and groups, and the start-up areas in your registry), looking for programs that should not be there. I use MSCONFIG.EXE in the latest versions of Windows and SYSEDIT in older versions for quick looks. In your registry, look under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunServices. Delete program entries you are sure you don't need. Note: There are several other areas where autostarting programs can hide in the registry, but the above registry key is the most popular.
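The "Make file extensions visible" item above can also be checked mechanically. The following is an added example, not part of the original page: a Python audit that flags filenames whose real (final) extension is executable while an inner extension makes them look like harmless content. The extension sets beyond those named on the page, the function names, and the sample filenames are assumptions constructed for illustration.

```python
import os

# Script/executable types named on this page (.com, .exe, WSH types, .shs),
# plus .bat/.scr/.pif as assumed additions for a typical Windows host.
RISKY = {".exe", ".com", ".bat", ".scr", ".pif", ".hta", ".js", ".jse",
         ".vbs", ".vbe", ".wsh", ".wsc", ".wsf", ".shs"}
# Content types a user expects to be harmless; used as decoys in disguised names.
DECOY = {".jpg", ".jpeg", ".gif", ".mpg", ".wav", ".txt", ".doc", ".pdf"}
# Types the page says stay hidden unless the registry is modified.
REGISTRY_HIDDEN = {".shs"}

def classify(name):
    """Return (verdict, detail) for one filename as Windows would open it."""
    # Win32 drops trailing dots and spaces, so "x.vbs. " still runs as x.vbs.
    cleaned = name.rstrip(" .")
    stem, ext = os.path.splitext(cleaned)
    ext = ext.lower()
    if ext not in RISKY:
        return ("ok", ext)
    # Padding such as "PICTURE.JPG      .EXE" pushes the real extension
    # out of view in narrow columns; strip it before reading the decoy.
    inner = os.path.splitext(stem.rstrip(" ."))[1].lower()
    if inner in DECOY:
        return ("disguised", inner + ext)
    if ext in REGISTRY_HIDDEN:
        return ("hidden-type", ext)
    return ("executable", ext)

def audit(names):
    """Return only the names that deserve a second look, with their verdicts."""
    results = [(n,) + classify(n) for n in names]
    return [r for r in results if r[1] in ("disguised", "hidden-type")]

# Constructed sample directory listing (not real files).
SAMPLE = [
    "PICTURE.JPG",
    "PICTURE.JPG.EXE",
    "PICTURE.JPG          .EXE",
    "invoice.pdf.vbs. ",
    "memo.shs",
    "FORMAT.COM",
    "README",
]

if __name__ == "__main__":
    for name, verdict, detail in audit(SAMPLE):
        print("%-12s %-8s %r" % (verdict, detail, name))
```
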
Additional recommendations for workstation security can be found on this CERT webpage.
Trusted workstation
A trusted workstation is one that holds or has access to databases with confidential, private or identity (SSN) information. These workstations should be secured so that they are safe, stable, and reliable and preserve the integrity of information. A trusted workstation has access to RIAS, should not be shared, and should be accountable to a single individual.