Hi,
1. Since there is no AD domain in your environment, I think we need to create a security registry script and run it on your servers.
Computer Configuration\Policies\Windows Settings\Security Settings
2. For virus software, I think McAfee is good; if you have no virus software budget, we can also use Windows Defender.
https://www.mcafee.com/en-us/index.html
How to add, modify, or delete registry subkeys and values by using a .reg file
https://support.microsoft.com/en-us/help/310516/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg
Windows Server Hardening Checklist
https://www.netwrix.com/windows_server_hardening_checklist.html
Server Hardening Standard (Windows)
https://security.uconn.edu/server-hardening-standard-windows/#
Is it possible to modify a registry entry via a .bat/.cmd script?
https://stackoverflow.com/questions/130193/is-it-possible-to-modify-a-registry-entry-via-a-bat-cmd-script