Microsoft Windows 10 vs. Apple macOS: 18 security features compared
One of the quickest ways to troll IT security professionals is to proclaim that either Microsoft Windows computers or Apple Macs have better security. In reality, both OSes are adequately secure when operated with their default security settings along with their vendor’s best practice recommendations, but after decades of intense competition for passionate consumers, the subject borders on a technical religious war. You won’t gain many friends by claiming both are sec.
With that said, not everyone knows what makes the two most popular OSes secure out of the box. Below is an overview of each OS followed by a comparison of the base security features found in each. We didn’t include other solid enterprise features that aren’t built into the OS and enabled by default.
Microsoft Windows 10 security
For the first decade of its existence, Microsoft’s flagship Windows program was easily the most successfully attacked OS in the history of computers. The number of attacks led to public distrust of Windows as a secure operating system. In response, Microsoft co-founder Bill Gates wrote an infamous memo on January 15, 2002, known as the Bill Gates Trustworthy Computing memo, which directed Microsoft to dedicate more resources to making Windows more secure.
Microsoft not only made Windows more secure by default, but actually co-opted or created dozens of new computer security technologies. One of the most important outcomes of Gates’ 2002 memo was the wholesale adoption of the secure development lifecycle (SDL) across Microsoft. SDL puts secure coding and practices at the forefront and beginning of every software development project. It’s a combination of education, requirements and tools, and Microsoft shares every bit of its experience.
The outcome of SDL is significantly fewer security bugs per thousand lines of code, more security features and choices, less surface attack area, and more secure defaults. The security of Windows 10 is the continuation of Microsoft’s efforts to offer an appropriately secure, general purpose, operating system that would work for the masses across multiple devices.
Apple MacOS security
For a long time, Mac users didn’t have to worry about viruses and malware. Vulnerabilities in the Mac operating system were rarely exploited in the real world. Mac users have always been aware of potential security threats, but much of that was because Windows-using coworkers have been the target of malicious software for ages. The numerous vulnerabilities in every version of Windows in concert with a very large user base made PC users a perfect target.
These days, the potential Mac threat landscape still isn’t as worrisome as on other platforms, but Mac users can no longer afford to ignore the possibility of being compromised by malicious software. These threats will only grow morenumerous and more sophisticated as time goes on and more Apple devices are purchased.
It’s happening now: 2017 was a big year for security breaches. In February, a fake Adobe Flash installer carried MacDownloader malware that attempted to transit Keychain data (which includes user names and passwords, among other personal data). Last autumn, several vulnerabilities were detected in shipping versions of the latest Mac operating system, High Sierra, one granting root access to certain areas without a password prompt. Shortly thereafter, we learned that the processor vulnerabilities called Spectre and Meltdown affect the majority of computers in the world.
1. Boot-up protections
Microsoft Windows 10: Microsoft has long led the way with pre-boot, boot, and post-boot protections. Some of the defenses were borrowed from other open-source operating system initiatives, some from industry-wide initiatives, and many others self-invented. Today, Microsoft places many of them under the larger branding umbrella of Windows Defender System Guard. Boot protections, in particular, are known as Secure Boot.
With Secure Boot, everything starts pre-boot by requiring computers to have the updated, more secure, Unified Extensible Firmware Interface (UEFI) and Trusted Platform Module (TPM) chips installed on the motherboard and used. Both chips require cryptographic approval before they will accept new code or configuration settings, and both allow the boot process to be cryptographically measured and verified. Earlier verified components often securely store the previously verified hash of later components, which must match, before the booting process can continue normally. Microsoft also refers to these processes as Measured Boot or Trusted Boot.
If anything, like a rootkit, tries to modify the pre-boot or OS booting process, one of these two chips will be alerted and either stop the attempted modification or give the user a critical warning upon next use. If you remember all the press about rootkits and boot malware and wonder why we don’t hear about them as much anymore, it’s because of pre-boot and boot protection processes like these. Mark it as one of the few significant successes against hackers and malware.
Both UEFI and TPM are open standards that any vendor or OS may use. UEFI replaced the more vulnerable BIOS chips, and the TPM chip hosts a core set of cryptographic features, including the secure storage of critical system cryptographic keys. Both chips allow any OS vendor to better maintain the integrity of their OS, and other applications, such as data storage encryption, during and after boot.
Windows also includes a feature known as Configurable Code Integrity (CI). CI allows only previously defined and trusted code to run after the trusted boot process is complete. CI is a major step forward in a general purpose OS in only allowing trusted code to run, but it takes significant planning, testing and resources to get it right for normal operations beyond what Microsoft has already tested and approved. Still, if you want to have the most secure Windows OS you can have, CI allows you to do it.
Microsoft has also improved with every OS version its ability to prevent industry standard pre-boot I/O interfaces, such as direct memory access (DMA) or IEEE 1394, from being used to control a disk or device pre-boot. Preventing these interfaces from being used maliciously while not significantly slowing down or impairing the OS has been a huge challenge for all OS vendors. Microsoft went further and allows any device driver, which essentially becomes a part of the OS, from being installed, on a per-device driver basis.
Microsoft Windows 10 also introduced an improved version of device health attestation. DHA allows OSes to be verified to have clean boot and other processes before continuing. What is included in the health check depends on the OS, the OS admin, and the service they use for DHA. Customers can do their own DHA checks or outsource the it to Microsoft or a third-party vendor.
Apple macOS: Apple adopted an early version of UEFI with far less protection known as EFI 1.0, but hasn’t adopted the more secure, later, versions of UEFI. Instead, Apple has created many proprietary features with some of the same, but not identical, protections. Because Apple has not released detailed information on its proprietary protections, it is difficult to get more specifics on Apple’s pre-boot and boot protections to see how well they compare.
However, several boot-up protections can be enabled on the Mac, specifically to prevent access to the data on a Mac’s hard drive if it falls into the wrong hands. The standard user account password provides rudimentary protection against access on a properly booted Mac, but does nothing against someone with access to the equipment and with knowledge of Target Disk Mode.
To prevent unauthorized access, startup disks can be encrypted using FileVault 2, and the Mac can be set to prevent booting to external devices via firmware passwords. FileVault 2 encrypts the entire drive using the AES-XTS mode of AES with 128-bit blocks and a 256-bit key, and it prevents anyone who does not have an unlock-enabled account from seeing disk contents whatsoever.
The new iMac Pro released in late 2017 features an Apple-designed T2 chipset. This chipset consolidates a bunch of hardware subsystems into one chipset, but also introduces some interesting security features that will be adopted on other Macs, eventually.
2. Memory protections
Microsoft Windows 10: Microsoft has done much security work in memory protections, usually to prevent initial exploits, zero days, and privilege escalations. Most are gathered under the Windows Defender Exploit Guard, and many came from a previous exploit protection add-on called Enhanced Mitigation Experience Toolkit (EMET).
Data Execution Protection (DEP) has been around since Windows XP. DEP attempts to prevent malicious buffer overflows, where a malware program attempts to place executable code in a data area, and then trick the OS into executing it. DEP prevents the OS from executing anything in areas marked as data.
Microsoft Windows Vista introduced many new security features, including Address Space Layout Randomization (ASLR), Structured Exception Handling Overwrite Protection (SEHOP), and Protected Processes. ASLR places common, critical, system executables in different places in memory between each boot. This makes it significantly harder for malicious programs that attempt to manipulate and modify these components to find them.
SEHOP attempts to stop malicious, rogue, error handling from being installed and executed when an execution error is found. These security features and other preventative technologies morphed into what Microsoft now calls Control Flow Guard. It is enabled on every Microsoft program and is available in programming tools such as Microsoft Visual Studio 15.
EMET also arrived in Vista, as an add-in to help prevent 0day attacks. It contained memory protections, digital certificate handling improvements (like certificate pinning), early warnings, and improved reporting to both the OS admin and Microsoft so they could identify the technical specifics of different new attacks. EMET expanded to over 15 separate mitigations, and its proven protection became so recommended that Microsoft built it into Windows 10 with the Creators Update release (as Windows Defender Exploit Guard).
Apple macOS: Macs have an XD (execute disable) feature built into Intel’s processors that prevents memory used for data and memory used for executable instructions from accessing each other. This is a common attack used by malware to compromise a system, but the XD creates a barrier of sorts.
Also built into every Mac is the macOS kernel’s use of ASLR, which makes it more difficult for attackers to pinpoint application vulnerabilities by randomly arranging the values of target addresses. Basically, with ASLR enabled, a hacker is more likely to crash the app they’re trying to exploit than gain access to do anything malicious.
3. Logon/authentication
Windows 10: Once an OS boots up, the most important security feature it can have is in limiting who has allowed, authorized access to it. This is controlled by a logon authentication security feature and might include passwords, biometrics, digital certificates, and other multi-factor devices, such as smartcards and USB authentication tokens. It has also become especially important to protect logon credentials after the authorized party has logged on, temporarily or permanently, whether stored in memory or on disk, to stop various credential theft and re-use attacks.
Windows 10 has strong support for broad password policies, and for biometric, multi-factor, and digital certificate authentication. Microsoft’s newest and most secure logon feature is known as Windows Hello. It supports face and fingerprint recognition, which allows for quick and easy sign-ons, but behind the scenes uses secure digital certificate technology. Users can still use a password or a shorter PIN, although each of these can only be enabled as an option after setting up more traditional authentication methods (such as password). Windows Hello also works with enabled applications, such as Dropbox and multiple password managers.
Microsoft, worried about the theft of credentials in memory, created Virtualization Based Security (VBS), where logon credentials are secured in a hardware-based, virtualized subset of the operating system that is nearly impervious to malicious attacks. You may hear VBS also referred to as Virtual Secure Mode (VSM).
Using the VBS core, they created Windows Defender Credential Guard and Device Guard. Credential Guard protects multiple types of logon credentials including NTLM, Kerberos, and other non-web, domain-based credentials stored in Microsoft Windows’ Credential Manager. Credential Guard defeats many of the most critical and popular password attacks. Credential Guard requires 64-bit version of Windows, UEFI, TPM (recommended, not required), Secure Boot, and an Intel or AMD processors with the appropriate virtualization extensions.
Comments