Microsoft Windows 10 vs. Apple macOS: 18 security features compared

Here's how the world's two most popular desktop OSes keep systems and data safe from malware, unauthorized access, hardware exploits and more.

Page 2 of 3

Hackers have long been using stored service credentials to take over computers and networks. Windows Vista introduced the concept of Virtual Service Accounts and (Group) Managed Service Accounts (the latter of which requires Active Directory). Both are new types of service-only identities that, once initiated, take over the complex task of randomizing and periodically changing service account passwords so that, if stolen, they are of less value across an enterprise.

Apple macOS: Firmware passwords can be set to prevent choosing anything but the designated startup disk, and a firmware password also ignores the standard startup key combinations. Be aware that both FileVault and firmware password protection require the use of a strong password; if a weak password is used and then guessed, the entire contents of the drive are exposed to whoever now holds those credentials.

The 2017 iMac Pro is the first to ship with the T2 chipset, and specific features can be modified using the new Startup Security Utility. This utility was designed to make it easier to secure the Mac against unauthorized access by combining firmware password protection, Secure Boot, and External Boot options in a single interface. From here, you can set how strict the Mac is about using the operating system and installing updates and third-party software.

4. Privilege escalation prevention

Windows 10: Once hackers or malware have established a foothold on a system, they usually try an additional privilege escalation attack to obtain top administrative access. The mitigations contained in Windows Defender Exploit Guard are Microsoft’s first line of privilege escalation attack prevention, but Windows has many others.

User Account Control (UAC), introduced in Vista, attempts to “de-elevate” a privileged user (e.g., an administrator) if they are only performing standard user tasks, such as reading email or browsing the internet. If a user logs on with privileged credentials, UAC splits their access into two tokens: one privileged and one non-privileged. The non-privileged token is used by default for all applications and tasks unless the user is prompted for elevation or runs one of the many predefined tasks requiring elevation. Early on, many users and administrators cursed UAC’s intrusiveness. Today, most users run in UAC-enabled mode without noticing an overly burdensome number of interruptions.

Apple macOS: Most users on Apple’s operating systems are created as administrators. With their username and password, they can install apps or make changes to settings that affect the entire system. Thankfully, there are protections built into macOS that make it difficult for rookie users with admin privileges to make obvious mistakes, like attempting to delete the /System folder or its contents. Even if malicious software is inadvertently installed with admin privileges, the built-in System Integrity Protection acts as a failsafe so that malware can’t wreck the operating system. (More on this later.)

macOS isn’t always flawless: It was revealed a few months ago – and the bug has since been patched – that Apple’s latest version would allow root access without a password. While the flaw was quickly addressed, it’s a not-so-subtle reminder that a computer is only hack-proof for the moment, and an exploit could be discovered at any time.

5. Data protection

Windows 10: OS security doesn’t matter if you can’t protect the data. Microsoft has long had file and folder encryption (Encrypting File System), but added volume encryption with Vista using BitLocker. The ultimate encryption keys can be stored on the TPM hardware chip, on the network, or on a removable media device, among other options. Later Windows versions added options and encryption features, including the ability to encrypt, and to require encryption on, removable media using BitLocker To Go. With or without requiring encryption, administrators can configure which removable media devices are allowed to be installed and used.

Apple macOS: As mentioned earlier, FileVault 2 can be used to encrypt startup disks to prevent unauthorized access. The Mac can be set to prevent booting from external devices via firmware passwords. FileVault 2 uses AES in XTS mode with 128-bit blocks and a 256-bit key. In concert with a firmware password – which prevents booting with modifier keys, potentially bypassing the startup disk – FileVault 2-encrypted disks locked with a strong password are virtually impossible to crack.

Recovery keys can be used if the storage device is moved to another Mac, or if no user with unlock privileges is available. The recovery keys can be kept in management systems, like JAMF, or they can be stored on Apple’s iCloud servers, behind your Apple ID.

The native Disk Utility app can be used to encrypt external drives, or create encrypted disk images.

6. File integrity protections

Windows 10: Windows has many features that provide integrity to the OS and user data files. Microsoft Windows Millennium Edition (Windows ME) introduced an OS file protection process called System File Protection (SFP). If anything deleted a system-critical file, SFP ensured that Windows would immediately replace it with a known good copy. Windows Vista introduced a version of SFP known as Windows Resource Protection, which also protected critical Windows registry settings, although the set of objects that was protected and automatically replaced diminished overall.

Vista also introduced Mandatory Integrity Controls (MIC) and file and registry virtualization. With MIC, every user, file, and process in Windows is explicitly assigned a MIC level (high, medium, low). Users, files, and processes of lower MIC levels cannot modify objects of higher MIC levels. With file and registry virtualization, most of the OS-critical files and registry settings are protected so that if an unelevated user or process tries to modify them, the modification instead lands in a separate, virtualized copy of the file or registry key. This prevents unelevated users and malware from modifying system-critical files and registry settings as easily as they did before.
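The UAC token split described under "Privilege escalation prevention" and the MIC "no write up" rule plus virtualization fallback described above, combined in one toy model. This is an added illustration, not Windows' own code: the privilege list, integrity levels and VirtualStore redirect path follow documented Windows behaviour, but the rule set is simplified and the `Token`, `uac_split` and `write_path` names are this example's own.

```python
"""Toy model of UAC token filtering, Mandatory Integrity Control (MIC)
and file virtualization. Constructed illustration, not Windows code."""
from __future__ import annotations
from dataclasses import dataclass, field

# Integrity levels in the order MIC compares them ("no write up").
LEVELS = {"low": 1, "medium": 2, "high": 3, "system": 4}

# Privileges a UAC-filtered (non-elevated) token keeps; all others are stripped.
KEEP_PRIVS = {"SeChangeNotifyPrivilege", "SeShutdownPrivilege",
              "SeUndockPrivilege", "SeIncreaseWorkingSetPrivilege",
              "SeTimeZonePrivilege"}

@dataclass
class Token:
    user: str
    groups: set           # group names the token carries
    privileges: set
    integrity: str        # MIC level label
    deny_only: set = field(default_factory=set)  # groups usable only to deny

def uac_split(logon: Token) -> tuple[Token, Token]:
    """Return (elevated, filtered) tokens for an Administrators member.
    The filtered token is the one every app gets until the user consents."""
    if "Administrators" not in logon.groups:
        return logon, logon           # standard users are not split
    elevated = Token(logon.user, set(logon.groups), set(logon.privileges), "high")
    filtered = Token(logon.user, logon.groups - {"Administrators"},
                     logon.privileges & KEEP_PRIVS, "medium",
                     deny_only={"Administrators"})
    return elevated, filtered

# Protected locations (assumed level "high") and the real per-user redirect target.
PROTECTED = {r"C:\Windows": "high", r"C:\Program Files": "high"}
VIRTUAL_STORE = r"C:\Users\{user}\AppData\Local\VirtualStore"

def write_path(tok: Token, path: str, virtualize: bool = True) -> str:
    """Apply the MIC no-write-up rule, then the virtualization fallback.
    Returns the path actually written, or 'DENIED'."""
    obj_level = next((lvl for p, lvl in PROTECTED.items() if path.startswith(p)),
                     "medium")
    if LEVELS[tok.integrity] >= LEVELS[obj_level]:
        return path                   # write proceeds in place
    if virtualize and tok.integrity == "medium":
        # Unelevated legacy writer: redirect into VirtualStore instead of failing.
        return VIRTUAL_STORE.format(user=tok.user) + path[2:]
    return "DENIED"                   # low-integrity process gets no redirect
```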

Introduced in Windows 8, the PC Reset and PC Refresh features allow users to reset a device back to its new state (PC Reset) or back to a near-new state that keeps their user files, customizations, and some applications (PC Refresh). If you’re worried about malware, it’s best to use PC Reset so you start from a known clean state.

Apple macOS: Introduced in El Capitan in 2015, the security feature called System Integrity Protection (SIP) addresses the problem of unrestricted root access when malware or hackers gain access to the account credentials. SIP protects the contents and permissions of certain important files and directories, even from actions performed as root. SIP prevents unsigned kernel extensions from loading, and it protects processes against code injection and real-time modification of code by anything lacking specific entitlements. Only properly signed apps can modify the protected system directories, and those apps must be tied to a Developer ID and carry entitlements signed by Apple.

7. Cryptography support

Windows 10: Starting with Windows Vista, Microsoft no longer tried to invent its own encryption ciphers and algorithms. Instead, it deployed respected cryptography (e.g., ECC and SHA-2), and frequently updated it to get rid of proven weak ciphers and to support new, emerging crypto.

Apple macOS: The T2 chip features a hardware-encrypted Secure Enclave to store the Mac’s encryption keys, which pass to the hardware encryption engine on the same chip. The T2 chipset also controls the two striped NAND memory chips that are used for storage, including dedicated AES encryption hardware that encrypts/decrypts storage data on-the-fly with no performance hit.

The T2 chipset manages the Mac during boot to ensure the operating system software hasn’t been compromised. Upon startup, the T2 chip takes over, and using its hardware-encrypted Secure Enclave to compare keys, loads the bootloader, ensures its validity, validates the firmware, and then validates the kernel and drivers that allow the Mac to run.

8. Disk/data backup and restore

Windows 10: Every version of Windows has had multiple ways to back up and restore files. Since Windows XP, users could use the System Restore feature to restore the OS and settings to a previously saved version of the OS. The 'Previous Versions' option from Windows XP was built in by Windows 8. It allows individual files to be restored from previously saved versions, if they are covered by the Previous Versions saving process.

Starting in Windows 8, a backup-and-restore feature called File History is available. While not a complete system backup, File History is often just what users need, especially since the Windows OS can already be restored separately. By default, File History attempts to back up the locations where people most commonly store files and configuration settings, such as My Documents, Music, Documents, Videos, Desktop, Downloads, and AppData, but you can also include and exclude any files and folders you wish and then set a backup schedule.

Apple macOS: Since 2007, Macs have shipped with Time Machine. This service aims to make the backup process easy, in a set-it-and-forget-it kind of way. If Time Machine hasn’t been configured, plugging in a hard drive prompts a dialog box offering to set that drive as the backup destination. Once confirmed, the backup process begins.

Time Machine keeps hourly backups for the past 24 hours, consolidates that data into daily backups for the last month, and then consolidates everything older than that into a weekly backup set. When storage space runs low, Time Machine compensates by deleting the oldest weekly backups. Time Machine settings can be modified under System Preferences.
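The thinning schedule just described (hourly for a day, daily for a month, weekly beyond, oldest weeklies dropped when space runs low), worked through on constructed timestamps. This is an added example, not Apple's code: the 30-day approximation of "the last month", the choice to keep the newest backup of each day or ISO week, and the `thin` and `free_space` names are this example's own assumptions.

```python
"""Model of Time Machine's retention thinning. Constructed illustration,
not Apple's implementation; which snapshot survives a bucket is assumed."""
from __future__ import annotations
from datetime import datetime, timedelta

HOURLY_WINDOW = timedelta(hours=24)
DAILY_WINDOW = timedelta(days=30)   # "last month" approximated as 30 days

def thin(backups: list[datetime], now: datetime) -> list[datetime]:
    """Return the sorted subset of backup timestamps that survives thinning:
    all within 24 h, newest per calendar day within 30 d, newest per ISO week
    beyond that (the 'newest' choice is this example's assumption)."""
    keep: set[datetime] = set()
    newest_per_bucket: dict[tuple, datetime] = {}
    for ts in sorted(backups):
        age = now - ts
        if age <= HOURLY_WINDOW:
            keep.add(ts)                    # every hourly snapshot survives
            continue
        if age <= DAILY_WINDOW:
            bucket = ("day", ts.date())
        else:
            iso = ts.isocalendar()
            bucket = ("week", iso[0], iso[1])  # ISO year + week number
        newest_per_bucket[bucket] = ts      # ascending order, so last wins
    keep.update(newest_per_bucket.values())
    return sorted(keep)

def free_space(backups: list[datetime], now: datetime,
               needed: int, per_backup: int) -> list[datetime]:
    """When space runs low, drop the oldest weekly backups first, until
    `needed` bytes are recovered (each backup modelled as `per_backup` bytes).
    Daily and hourly sets are never touched by this routine."""
    remaining = sorted(backups)
    freed = 0
    while freed < needed and remaining and now - remaining[0] > DAILY_WINDOW:
        remaining.pop(0)
        freed += per_backup
    return remaining

if __name__ == "__main__":
    # Constructed history: hourly for 48 h, plus a 09:00 backup for days 2..59 back.
    now = datetime(2018, 3, 15, 12, 0)
    history = [now - timedelta(hours=i) for i in range(48)]
    history += [now - timedelta(days=d, hours=3) for d in range(2, 60)]
    kept = thin(history, now)
    print(len(history), "backups ->", len(kept), "after thinning")
```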

9. Application protection

Windows 10: With Windows Vista, Microsoft started to get very strict about what an application could do to another application or to the operating system. It put a hard separation between the OS, services, and end-user applications. With Windows 8, Microsoft created a more protected class of applications called Metro apps. They were eventually named Modern Applications.

Modern Applications, following the lead of Apple and others, could only be installed from the official Microsoft Store and only after review and approval. All Modern Applications run in a dedicated “sandbox container” (known as an app container) with limited access to each other and the OS. Modern Apps could only run if UAC was enabled.

In Windows 10, Microsoft debuted Windows Defender Application Guard. Application Guard works on Windows 10 and in conjunction with Microsoft Edge. Microsoft Edge and the sites and applications it hosts now run in an isolated VBS-based, virtualized environment that is separate from the OS. Sessions opened in Application Guard cannot start browser extensions, save files to the local file system, or do other higher risk actions. Rumor has it that future versions of Application Guard will be expanded to support more applications.

Controlling which applications are and aren’t allowed to run (known as application control, blacklisting, or whitelisting) has long been a way to achieve very high levels of security. Microsoft included application control in Windows XP using a feature known as Software Restriction Policies (SRP). SRP was superseded by AppLocker in Vista and later. Both features allowed admins to configure which programs, scripts, or installers did or didn’t run based on name, location, or digital certificate.

In Windows 10, CI (code integrity) and Device Guard have become Windows Defender Application Control. With WDAC, very specific allows and denies are managed by hardware-based enforcement. Admins can decide what level of application control is right for their environment and choose among AppLocker, CI, Device Guard, and WDAC. One of these features will offer the right balance of control versus operational trade-off for your sphere of influence.

Apple macOS: The best and simplest way to stay a step ahead of potential hackers is by keeping the operating system software and apps as current as possible. Apps should be downloaded from a trusted source, such as the vendor’s main site or, even better, the Mac App Store.

The Mac App Store resides in /Applications, and each app within it has been vetted by Apple employees and assigned a digital certificate. If the app is caught misbehaving, Apple can pull the plug on the offending app. Considering the alternatives, the Mac App Store is as safe as it can be for app downloads.

The problem: Not every app is available at the Mac App Store and sometimes a download from a third-party site is unavoidable. That’s where Gatekeeper comes into play. Gatekeeper is a security feature that checks the digital signature of software and blocks the software’s installation if any of the checks fail. Apps need to be code-signed with a certificate issued by Apple to run, and those apps that pass the signature check run without issue.

Gatekeeper can be configured in the Security & Privacy System Preference pane, where one of two options can be chosen: allow apps downloaded from (1) the App Store, or (2) the App Store and identified developers. When trying to install software that fails this check, the Security & Privacy preferences offer a manual override, but this should only be used if you are certain the software is from a trusted source.

Another feature is app sandboxing. Sandboxing limits an app’s access to system resources, data, and other apps, which in turn limits the potential damage malicious software can do. The strengths of sandboxing are also its drawbacks: the same restrictions that contain an app also constrain what it can do, so not every app supports this capability. Many built-in apps (including the built-in web browser, Safari) offer sandboxing protection.
