One of the essentials of Windows computer maintenance is protection against malware. Unfortunately, this topic has become a rather big one due to the large number of different ways a Windows system can be attacked, so in this article I will focus on how you close out the most vulnerable routes into your system. After all, if the malware doesn't have a way in, you don't have to worry about removing it.

Now, it is an unquestionable fact that the bulk of the malware that infects Windows systems does so by exploiting the ignorance and laziness of the average computer user. Most (not all, but most) attacks against Windows computers would fail if users would actually read and understand those popup requesters that often appear when the malware first tries to install itself. But the reality is that there are too many of those popups appearing and reading them slows down browsing, so most people most of the time just click them away, and thereby permit their system to become infected. I am not criticizing the people who do this (I do it often enough myself...), rather I am criticizing the design of a system that makes this kind of behavior necessary in order to retain security.

Now, on my Windows systems, I don't even run antivirus software, yet my systems never get infected with viruses. Why not? Well, there are a number of things I have done to protect the systems and in this article I am going to show you the most important of those things.

Understand that I am not recommending that you ditch your antivirus software; I do in fact occasionally scan my systems using Trend Micro's online Housecall product, but I have found it unnecessary to have an antivirus package running routinely in my computer. This frees up resources and allows my computers to run faster.

The most important single thing that you can do to make your browsing more secure is to stop using Internet Explorer for browsing. Instead, choose any other browser package (I use Firefox), and use it instead.

The reason for this is that IE uses Microsoft's ActiveX controls, and permits downloads of other controls from the web - and this is the most dangerous vector for attack that exists on a Windows computer. ActiveX controls are basically independent programs, that can be downloaded from the web and run on your machine. Commonly written in Visual Basic or Visual C++, these programs have the capability to hook deeply into your system and do pretty much anything. They are supposed to be "sandboxed" - which is to say "restricted", but the reality is that the way ActiveX is implemented in Windows (it is deeply embedded and was formerly referred to as OLE2) makes it very, very difficult to effectively establish and maintain a sandbox.

From a technological standpoint, ActiveX is quite cool and, in an ideal world free of malware, I would enthusiasically recommend it because it allows a LOT of flexibility in the browser. Unfortunately, this is not a perfect world, and from a security standpoint, I think the ActiveX concept is fatally flawed. I do not believe that Microsoft will EVER be able to fix it. No other browser permits ActiveX to run and as a consequence every other browser is more secure than IE can ever be.

With IE7, released last fall, Microsoft has taken some major steps to try to secure ActiveX, but these steps are more or less bandaids and all give you additional popups to deal with, or alternatively require you to root around in the IE security settings to disable things that shouldn't be running anyway. Furthermore, there inevitably will be flaws in IE7 (as in all software) and given that IE7 still enables ActiveX to run, it easily could be that there exists a flaw that will permit ActiveX even if you have it disabled.

Keep in mind that when you are on the web, you are wandering around in foreign and often hostile terrain. ActiveX is something that should only be allowed to happen between friends, therefore you should absolutely forbid it when it comes from the web. At least, you should absolutely forbid it if you want to surf safely. So, just don't use IE.

My second major step to avoid security issues is to get rid of Outlook Express. This package is simply a nightmare from the standpoint of security. Microsoft has started shipping its OS with most of the worst security features of Outlook Express disabled by default, but the fact is that OE uses Internet Explorer to display any so-called "rich text" emails and if OE isn't configured right, you can have scripts running in your email just by clicking on it to read it. This has long been a common vector for infesting computers. Not only that, but should malware infest your computer by some OTHER means, it often goes straight for your OE email address book in order to obtain new targets for attack. This is a steady source of spam and virus propagation. Just ditch OE.

I use Thunderbird for my email client on Windows systems. It is derived from the old Netscape email client, and is a lot more secure. However, there are a lot of other email clients available on the web and Thunderbird's development is lagging. I might switch in the future but at this time I don't have a decent recommendation. Eudora receives good reviews, but I believe it is ad-supported and I won't go there.

My third major step to prevent malware infestations is to use good firewalls. And, yes, I do have multiple firewalls. My entire LAN is protected by a hardware router/firewall, which is the first line of defense for the entire network. These router/firewall appliances can be purchased at any big-box electronics store, computer store, or department store for about $50, and I recommend them highly. Everyone should have one, even if you only protect one computer with it. Note that the majority of these devices include wireless capability; if you don't need it, turn the wireless radio OFF and disable it. Instructions on how to do this will come with the product.

In spite of the protection this hardware firewall gives, I also run a software firewall on each computer on my LAN. This protects other computers on the LAN should one of them become infected. The Windows firewall that is provided as part of XP and Vista is adequate, but it only monitors inbound connections and therefore only protects the system against threats from the outside.

The firewall I use monitors outbound connections as well which provides protection in the event that your system has become infected. By this means, I can specifically permit a program that wants to access the internet to do so, or I can specifically deny that program permission. You will find that many programs that you are using on your computer will try to connect to the internet, and if you didn't tell them to or you don't know why they want to, this gives you the ability to stop them. For instance, any time I play a local music or video file using Windows Media Player, it tries to connect to the internet. I don't know why it wants to do that and I refuse to let it. No one on the internet has any need to know what music I am playing, and I don't intend to let anyone on the internet (read: Microsoft) find out. The capability to monitor outgoing programs turns out to be an important line of defense if it should happen that your computer becomes infected by malware; by telling it "no", you stop the malware from doing some of the bad things it does, AND you gain knowledge that it is present and trying to do something. I use the free version of Zonealarm for my firewall. I use an old version because more recent versions seem to have added a lot of stuff that I don't want; I only want the firewall. It does appear though that recently Zonealarm has reorganized their product line and is again offering the basic firewall as a free download.

By taking these three steps, you will vastly reduce your vulnerability to malware on the internet. You will have very few problems with this configuration, and you still can use IE for those sites that only work with IE. The result is that your system will have a greatly reduced exposure to those things that tend to clog it and tear it up. As a result, its overall performance will not deteriorate and you will experience fewer problems.

About the Author: Jim Locker is a technical guy who has done a lot of real estate investing and landlording. The experiences he writes about and advice he gives are either first hand, or in answer to specific questions posed by others. He is commonly known as jiml8 around the internet.