Professional security + best practices = no Windows, ever. Only BSD-based (FreeBSD/OpenBSD or Mac) or any *nix.
Physical access = attacker can copy or destroy files only. Never able to fool the owner into running bad daemons (user or root) or modify /bin etc. Ever.
Strong local user passwords and high-granularity permissions!
Know *all* your traffic. Plenty of (full-source) tools available from repos.
All packages signed by trusted repos + rootkit detection + key auth only for remote logins.
Watch advisories for (rare) 0-days, get fixes quickly (good luck getting a fix quickly from MS!).
Compile any code (esp. wallets!) from source only. Never trust exes from anywhere but MS. Ever.
Check the box for unknown hardware attached. Duh.
Basic. Learn this stuff before your coins are gone too!
Cryptos are seriously ready for the mainstream!
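One way to check the "key auth only for remote logins" point above on a *nix box, as an added example that is not the poster's own code: a POSIX sh audit of an OpenSSH sshd_config that reports every directive still allowing password-style logins. It assumes the usual "Directive value" syntax and only inspects the global section (settings under a Match block apply to the clients that block selects); the directive names and defaults are OpenSSH's.

```shell
#!/bin/sh
# Added example, not from the post: audit an OpenSSH sshd_config for the
# "key auth only for remote logins" rule. Assumes the "Directive value"
# syntax; only the global section is checked, because settings inside a
# "Match" block apply just to the clients that block selects.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config   (exit 0 = compliant)

# Effective global value of directive $2 in file $1. sshd honours the FIRST
# occurrence of a directive, so the first uncommented match before any Match
# block wins; $3 is the OpenSSH default used when the directive is absent.
sshd_opt() {
    val=$(awk -v key="$2" '
        tolower($1) == "match" { exit }
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1" 2>/dev/null)
    printf '%s\n' "${val:-$3}"
}

# Report every deviation from key-only auth; return 1 if any was found.
audit_sshd() {
    cfg="$1"; rc=0
    pw=$(sshd_opt "$cfg" PasswordAuthentication yes)
    # KbdInteractiveAuthentication is the newer name of
    # ChallengeResponseAuthentication, so fall back to the old name.
    kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication \
          "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)")
    pk=$(sshd_opt "$cfg" PubkeyAuthentication yes)
    root=$(sshd_opt "$cfg" PermitRootLogin prohibit-password)
    empty=$(sshd_opt "$cfg" PermitEmptyPasswords no)
    [ "$pw" = no ]    || { echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$kbd" = no ]   || { echo "FAIL KbdInteractiveAuthentication=$kbd (want no)"; rc=1; }
    [ "$pk" = yes ]   || { echo "FAIL PubkeyAuthentication=$pk (want yes)"; rc=1; }
    [ "$root" != yes ] || { echo "FAIL PermitRootLogin=yes (want no/prohibit-password)"; rc=1; }
    [ "$empty" = no ] || { echo "FAIL PermitEmptyPasswords=$empty (want no)"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: $cfg allows key-based logins only"
    return $rc
}

if [ $# -gt 0 ]; then audit_sshd "$1"; fi
```

A commented-out directive or one placed under a Match block does not count as set, which is exactly the mistake the audit is meant to catch.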