Windows' security subsystem works like an onion model, with many different layers. We can't forget the most important layer: educating users and having well-written instructions, training and security policies - as social engineering is still the most difficult form of attack to protect against.
All other layers can be technically hardened and configured for different levels of security though - it's the human factor which remains mostly out of our control.
The foundation of Windows' security subsystem relies on a few basic rules:
01 Administrative users cannot be controlled by design, and therefore all other security measures will be vulnerable if a user has administrative access to his or her operating system.
02 You cannot build a secure Windows installation without restricted physical access or hard drive encryption.
These are the strongest laws of security for Windows, so we'll start with these two topics and then dive into other solutions that can be implemented once these are taken care of properly.
For a laptop computer without tight physical security, you need to have both of the above in place, as the lack of hard drive encryption leads to a situation where administrative access to a box can be achieved with a single command - as I've presented at numerous conferences.
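A quick way to audit a machine against the two rules above is to check whether the OS volume is actually protected by BitLocker and whether the interactive user sits in the local Administrators group. The script below is an added example and is not part of the original article; it assumes Windows PowerShell 5.1 or later with the built-in BitLocker and Microsoft.PowerShell.LocalAccounts modules (Windows 8 / Server 2012 or newer), and it must be run from an elevated prompt because Get-BitLockerVolume requires administrative rights.

```powershell
# Added audit example (not from the original article). Reports the two
# foundations the text names: OS-drive encryption and local admin membership.
# Assumes Windows PowerShell 5.1+, BitLocker and LocalAccounts modules present.

function Test-OsDriveEncrypted {
    # ProtectionStatus 'On' means the volume is encrypted AND its key protectors
    # are active. A fully encrypted volume with protection suspended (for example
    # during a firmware update) reports 'Off' and is readable offline, so we key
    # the verdict on ProtectionStatus rather than VolumeStatus alone.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus                      # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus                  # On / Off
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
        Encrypted        = ($vol.ProtectionStatus -eq 'On')
    }
}

function Test-CurrentUserIsLocalAdmin {
    # Compare SIDs instead of names so renamed accounts still match.
    # Limitation: only direct members of BUILTIN\Administrators are inspected;
    # a user who inherits admin through a nested domain group is not detected.
    # Unlike an IsInRole() token check, this is independent of UAC elevation.
    $mySid   = [Security.Principal.WindowsIdentity]::GetCurrent().User
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    [bool]($members | Where-Object { $_.SID -eq $mySid })
}

$enc = Test-OsDriveEncrypted
$enc | Format-List

if (-not $enc.Encrypted) {
    Write-Warning "OS drive $($enc.MountPoint) is not protected by BitLocker; physical access to this machine is equivalent to administrative access."
}

if (Test-CurrentUserIsLocalAdmin) {
    Write-Warning "$env:USERDOMAIN\$env:USERNAME is a member of the local Administrators group; the other hardening layers cannot constrain this account."
} else {
    Write-Output "$env:USERDOMAIN\$env:USERNAME is not a local administrator."
}
```

Both checks are deliberately conservative: a drive that reports FullyEncrypted but ProtectionStatus Off is flagged, and admin membership is decided by group membership rather than by whether the current process happens to be elevated, which is the distinction that matters for the "administrative users cannot be controlled" rule.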