DesktopSecurity:Who opened the back door

I’m trying to identify and close desktop security backdoor vulnerabilities. How do you control desktop security in your networked environment and how much serious attention does your IT department devote to locking down desktop vulnerabilities? What are the viable cost vs. security arguments?