This page is probably the best guide I have come across that's free and public.
Harden Windows 8.1
So in short.
Disable services you dont need.
Turn of unneeded network protocols.
Enable SRP or Applocker.
Cryptoprevent is a good free tool that populates some SRP rules for you.
Whitelist outbound traffic access.
If using a browser with no native privilege reduction implement icacls to enforce it.
Install malware bytes anti exploit, its free. It will enforce memory exploit protections on web browsers.
Consider also using EMET to apply protections to other apps, although this isnt as easy to use as MBAE.
Set DEP to optout or always on with this command. dont use EMET to set it, is a bug, see my post here---->
Weird DEP behaviour | Wilders Security Forums
'bcdedit /set nx optout' or 'bcdedit /set nx alwayson' reboot to apply change.
Try to use an anti virus that has a whitelist system for binaries, avast is free and has whitelisting if you enable hardened aggressive mode. When a unrecognised binary is executed you will be prompted to whitelist it or it wont run.
If you installed EMET, add all binaries that access the internet if possible to its app list, also add svchost.exe, lsass.exe and winlogon.exe system32 binaries for protection.