Microsoft Windows 10 vs. Apple macOS: 18 security features compared

Here's how the world's two most popular desktop OSes keep systems and data safe from malware, unauthorized access, hardware exploits and more.

Page 3 of 3

Another feature worth noting in macOS High Sierra: any kernel extension installed by an application needs explicit approval to run. This should cut down the probability of malware sneaking in unauthorized software without user knowledge and consent.

10. Browser protections

Windows 10: With Windows 10, Microsoft replaced Internet Explorer (IE) with Microsoft Edge. As a significantly cut-down browser, Microsoft Edge doesn’t share much code with IE. It doesn’t run traditional high-risk browser add-ins; it only accepts reviewed and approved extensions from the Microsoft Store. It has one-button configuration resets (to get rid of any possible malicious modifications) and can be put in the Windows Defender Application Guard mode.

Every website and download is evaluated by the Windows Defender SmartScreen feature, which in Windows 10 extends across the whole Windows OS and not just the browser. With significantly less code and surface area, Edge is stricter about what applications and websites can and can’t do. It’s thought to be a vast improvement over IE.

Apple macOS: Every Mac ships with Safari, Apple’s web browser, and Safari is equipped with anti-phishing technology, settings to prevent cross-site tracking, and a strong-password generator with links to iCloud Keychain.

11. Network/wireless protections

Windows 10: Microsoft is often on the cutting edge of network and wireless security technologies. Besides long supporting wireless and network standards, it often adopts them early and pushes them to customers before most customers are ready (e.g., IPv6 and DNSSEC). A long-time network defense built into Windows is the ability to put any network or wireless connection on a separately managed profile. This allows different firewall, router, and other security settings to be enforced on a per-connection basis.

12. Anti-malware

Windows 10: Windows Defender Antivirus has proven to be a top-notch and unintrusive antimalware program, especially when deployed in its default state along with Windows’ other antimalware features like SmartScreen and Windows Defender Exploit Guard. With a feature called Early Loading Antimalware (ELAM), Windows allows any antimalware program to load itself just after the critical OS boot processes and before any other, non-essential applications load.

Apple macOS: In April 2017, Check Point security researchers found malware capable of bypassing Gatekeeper. Then in May, the popular video transcoder HandBrake was hacked, and an infected version was distributed with the OSX.PROTON remote access Trojan. Attacks are becoming more sophisticated, and so are the mechanisms in place to help deal with potential breaches.

On the Mac, routable network services are disabled by default, and many modern applications and services are sandboxed. That means that apps (and system services) have limited access to available system resources; malicious code is prevented from interacting with other apps or the system.

Apple also has a more extreme way to fight malware. Using a silent automatic update, Apple maintains a blacklist of known malware threats on every Mac. Every file that is downloaded by Safari, Messages and Mail is flagged with metadata that marks whether the file is safe, the source of the file’s download, and the time and date of the download. Any file marked unsafe opens a warning notification, with the option to move said file to the trash.

Certain programs and any associated files are automatically deleted, and any modifications the app made are tracked and reverted. If this ever occurs, the next time someone with administrator rights logs onto the Mac, a notification announces that changes have occurred.
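The download metadata described above can be inspected during triage. The following is an added example, not code from the article or from Apple: it assumes the metadata is the com.apple.quarantine extended attribute (read beforehand with `xattr -p com.apple.quarantine <file>`), stored as semicolon-separated fields of hex flags, hex Unix-epoch download time, writing application and event UUID. The function names and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class QuarantineInfo:
    flags: int                # raw flag bits, deliberately left uninterpreted
    downloaded_at: datetime   # download time, UTC
    agent: str                # application that wrote the attribute
    event_id: Optional[str]   # event UUID, if present


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse one attribute value; raise ValueError if it is malformed."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"expected at least 3 fields, got {len(parts)}")
    flags = int(parts[0], 16)       # ValueError on non-hex input
    epoch = int(parts[1], 16)
    event_id = parts[3] if len(parts) > 3 and parts[3] else None
    when = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return QuarantineInfo(flags, when, parts[2], event_id)


def downloads_since(entries: dict, cutoff: datetime):
    """Split {path: raw value} into recent downloads and unparseable paths."""
    recent, malformed = [], []
    for path, raw in entries.items():
        try:
            info = parse_quarantine(raw)
        except ValueError:
            malformed.append(path)  # keep for manual review, do not drop
            continue
        if info.downloaded_at >= cutoff:
            recent.append((path, info))
    recent.sort(key=lambda item: item[1].downloaded_at)
    return recent, malformed


# Constructed sample values (hypothetical paths, not real downloads).
SAMPLE = {
    "/Users/demo/Downloads/installer.dmg":
        "0083;59100000;Safari;00000000-0000-0000-0000-000000000001",
    "/Users/demo/Downloads/old-report.pdf": "0081;58000000;Mail;",
    "/Users/demo/Downloads/odd.bin": "notavalue",
}
```

Malformed values are returned separately rather than skipped, since an unparseable attribute on a downloaded file is itself worth a second look.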

13. Firewalls

Windows 10: Windows has had an always-on, installed-by-default firewall since the days of Windows XP Service Pack 2 in the form of Windows Firewall. It comes with dozens of built-in rules, denying inbound connections unless by exception, and allowing additional rules to be created by user, group, admins, networks, services or applications. Windows Firewall is versatile and non-intrusive. It is also easily configurable along with IPsec. The only flaws are the poor logging (sometimes too much) and the lack of notification to the end user about any significant, ongoing recognized security event, like a denial-of-service attempt or port scan, which third-party firewalls often give.

Apple macOS: All Macs ship with a built-in firewall service, but it is off by default. Firewall can be configured under the Security & Privacy System Preference, including enabling a Stealth Mode that allows the computer to ignore ICMP requests and connection attempts.

14. Remote access

Windows 10: Although Microsoft recommends that all remote administration be performed using PowerShell or Microsoft Management Consoles (MMC), the Remote Desktop console and protocol (RDP) remains one of the most popular ways for an admin to remotely access a Windows computer. RDP has been upgraded many times over the years. Now users can connect using digital certificate authentication and protection, and use Windows Defender Credential Guard to protect their admin credentials.

Apple macOS: The Mac supports many protocols for remote access, including native support for SSH and SFTP. Macs can also be remotely managed using Apple Remote Desktop, remote screen sharing can be accomplished with the native support for VNC, and iCloud subscribers can enable Back to My Mac to remotely access their Macs from any Mac logged in with the same Apple ID.

15. Security configuration

Windows 10: Local security policies were introduced in Windows NT 4 Service Pack 4 and significantly expanded with Windows 2000 and XP using Active Directory Group Policies. Today, no other operating system allows as many built-in point-and-click security configuration options as Windows. There are thousands of options across the OS and other popular applications, such as Microsoft Office. Admins can use PowerShell scripts to accomplish the same things they could manually or using group policy.

16. Patching

Windows 10: Patching for the Windows OS and Microsoft applications is built in and turned on by default. Windows checks for new patches at least daily and automatically applies them without interaction with admins or end users. New installs benefit from a set of built-in, hard-coded firewall rules that can’t easily be turned off and that protect PCs from most network attacks while being patched for the first time. Thank the MS-Blaster worm of 2003, when admins had difficulty patching new computers before they were infected by malware.

Apple macOS: Apple has historically responded quickly to patch high-profile exploits.

17. Privacy

Windows 10: After decades of being accused of invading end-user privacy, Microsoft is among the strong advocates for privacy, and provides myriad customizable settings within Windows, where any admin or user can determine, at a detailed level, what information is or isn’t collected, and why.

Apple macOS: Apple executives have been leaders at the forefront of user privacy issues, in some cases publicly sparring with the federal government on behalf of protecting user data. Apple doesn’t harvest user data to sell to the highest bidder; security information like fingerprint and face data never leaves the device; and Apple’s privacy policy is refreshingly direct and well worth the read.

18. Logging

Windows 10: Microsoft products contain dozens of log files that can be used for security analysis, depending on which features and services are installed. Central is the Windows Event Log service. Traditionally, it contained three main logs (Security, System and Application). Today it contains over a hundred far more specific logs, all XML-enabled and configurable. You can forward logs or specific events to other collector machines and trigger console messages or other applications. If there is a complaint about Windows logging, it’s that it does too much logging about too many minor events. In the world of computer security, we’d rather start working with that problem than with not enough good information.

Apple macOS: Last year’s macOS Sierra introduced a unified logging system, in an effort to provide a single and efficient API to capture and store all system and app activity. Logs can be configured to record varying levels of detail, and this data can be viewed using the built-in Console app.
