You need to deploy defenses at two different levels: the server level and the desktop level.
At the server level, widely deploy antivirus tools on your servers and keep them up to date. You need to implement virus scanners on your mail and file servers, at least. Scan all incoming e-mail, as well as internal mail and any shared files for malicious code.
At the desktop level, there are four elements to protecting your systems. First, deploy automatically updating antivirus tools at the desktop and laptop, and make sure your policies prohibit disabling such tools. Increase your awareness program's emphasis on this point. Secondly, deploy a personal firewall on each desktop, such as ZoneAlarm, BlackICE, or Symantec's Personal Firewall. Thirdly, keep your systems patched. Tell employees to periodically visit www.windowsupdate.com or push them updates via a patch management system. You can use Microsoft's own SUS or a third-party tool for such management. And, finally, make sure you keep your browser security settings to at least "medium." If you rely on Internet Explorer, you can use Microsoft's Internet Explorer Administration Kit (IEAK) for enterprise-wide management of IE's security settings. If you've got Active Directory, you can even do this management via group policy.
For more info on this topic, please visit these SearchSecurity.com resources:
This was first published in January 2004