Allow programs to only run in certain folders
Preventing the execution of programs outside the authorized folders means that the propagation of malicious software is severely limited. It can be achieved by modifying the rights of folders/files.
Blocking the execution of programs in the 'Downloads' folder, or in the users' folders, means that infections due to software received by e-mail or downloaded from the internet (for example ransomware) can be avoided.
Maintain a 'whitelist' of allowed programs
All software running on the machines needs to be authorized (application whitelisting).