Disclaimer and Full Disclosure time on Mac360. I use Windows. Specifically, Windows 10; mostly because it came with one of the PCs I use at work. I don’t necessarily like using Windows. As is the case with many Windows PC users, I just didn’t have a choice.
Apple’s approach to security on the Mac seems to be much different than Microsoft’s approach to securing a Windows 10 PC. What tips does Apple give Mac users to help secure their Macs? Honestly, I don’t know. I know what I do. I know what I recommend. But I don’t know what Apple recommends. Here’s what Microsoft recommends.
Too Many Clicks
First, let me walk through Microsoft’s own list of standards for a highly secure Windows 10 device. It’s called Standards For A Highly Secure Windows 10 Device. Clever, no? The list breaks down into Hardware and Firmware (think of it as software in the hardware).
These standards are for general purpose desktops, laptops, tablets, 2-in-1’s, mobile workstations, and desktops. This topic applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. Windows security features are enabled when you meet or exceed these standards and your device is able to provide a highly secure experience.
The list of items to follow or implement goes beyond merely owning a recent Windows PC. For Hardware, Microsoft recommends:
- Systems must be on the latest, certified silicon chip for the current release of Windows
- Systems must have a processor that supports 64-bit instructions
- Systems must have a processor that supports Input-Output Memory Management Unit (IOMMU) device virtualization and all I/O devices must be protected by IOMMU/SMMU
- Systems must also have virtual machine extensions with second level address translation (SLAT)
- The presence of these hardware virtualization features must be unmasked and reported as supported by the system firmware, and these features must be available for the operating system to use
- Systems must have a Trusted Platform Module (TPM), version 2.0, and meet the latest Microsoft requirements for the Trustworthy Computing Group(TCG) specification
We’re just getting started. What about Firmware?
- Systems must have firmware that implements Unified Extension Firmware Interface (UEFI) version 2.4 or later
- Systems must have firmware that implements UEFI Class 2 or UEFI Class 3
- All drivers shipped inbox must be Hypervisor-based Code Integrity (HVCI) compliant
- System’s firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default
- System’s firmware must implement Secure MOR revision 2
- Systems must support the Windows UEFI Firmware Capsule Update specification
Spend a moment with Google and enter ‘apple mac recommended security tips.’ Chances are good you’ll find a list of common sense items we know and love but here’s the official macOS Security List. I recommend the first. The second item is optional but worthy of the minimal effort.
- The best way to keep your Mac secure is to run the latest software. When new updates are available, macOS sends you a notification. Just accept the updates with a click and they download automatically. macOS checks for new updates every day, so it’s easy to always have the latest and safest version.
- With FileVault 2, your data is safe and secure — even if your Mac falls into the wrong hands. FileVault 2 encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption. Initial encryption is fast and unobtrusive. It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease.
Your Mac life will be pretty good just by following the first item on the official list, but adding another layer of security with full Mac encryption from File Vault 2 is a good idea. I usually turn on the built-in software Firewall in macOS (System Preferences & Security & Privacy & Firewall, but that’s optional because Apple doesn’t even bother to turn it on at all.
Outside of the above options Apple’s official list merely walks through features already built into the Mac, including sandboxing, Safari’s anti-phishing features, iCloud Keychain, and the growing popularity of two-factor authentication with tougher passwords.
That’s about it.
Yes, there is more you can do and probably should do on both Windows and macOS, but what’s the point? The weakest link in the chain is not so much Windows 10 or macOS High Sierra as it is the user.