Well, after using Snow Leopard for a few months, and taking Windows 7 for a good spin, I’m happy to report I’m still more secure on a Mac. I’ll explain below.
First, however, let me clarify my statements a bit. It’s clear that both operating systems are mature and powerful, and they both support a vast array of security features and capabilities. But to paraphrase Jeremiah Grossman, it needn’t be the case that one operating system is more secure per se; what matters is where you’re safest.
Safe and secure are two different concepts, and I’m convinced that what matters to the consumer is where he is safest. And I’m convinced I’m safer on a Mac than I ever was on Windows.
So let’s start with some basic general comparisons in the two systems. It’s clear that there are many similarities in how the two systems set out to protect their integrity and users’ data. They both look not just at the fundamental issues of user privileges and file access control, but also at programmatic actions. For example, when a program attempts to install itself in the system applications area, both systems prompt the user—even a privileged user—before the operation proceeds.
Additionally, both systems include basic firewalling capabilities as well as security updating mechanisms. It seems that most software producers these days have finally “gotten it” with regard to turning features like these on by default. In fact, many consumer-level security settings are on by default in both of these systems. Kudos to both Microsoft and Apple for that.
Neither operating system includes anti-virus protection by default. Those are left for the consumer to install if he feels it necessary. And there’s where on element of safe vs. secure comes in.
Neither system is immune to viruses, and we certainly have plenty of examples of this fact. But the fact is that the vast majority of malware and viruses is still written for Windows systems. Until that changes, Macs are safer, even if they aren’t necessarily more secure.
Indeed, many Mac users don’t use anti-virus products at all, and can use their computers for years without encountering anything that would warrant it. This surely can’t be said for Windows users.
Additionally, neither system requires a separate administrative user for performing administrative functions and non-privileged desktop users for running applications and such. Call me old school, but I believe that it’s still a good idea to separate administrative and production tasks, and would recommend that to anyone using either of these systems. It’s a bit of extra work, but it’s worth it in my view. And yet, pretty much only us gray-haired security geeks do it on our desktop systems.
With that out of the way, let’s take a deeper look at some of the security criteria that matter to consumers.
Windows 7 vs. Snow Leopard Security: Feature by Feature
• Familiarity with security mechanisms. Although I remain fundamentally more comfortable with UNIX-based systems than others, the fact is that many of the relevant security functions that end users will perform are done in “GUI land,” far from any command line sorts of environments.
Both systems have made great strides in making security controls accessible and understandable to the end user. Most common security controls are presented to the user and are easy to work with.
The one thing where I still give a slight nod to OS X is that I can still get to the UNIX command line to fine-tune things that I can’t get do (or find) in the GUI environment. That gives me just a little more comfort when it comes to the security of my business data.
Qualitative score: Snow Leopard gets a B+ while Windows 7 gets a B.
• Separation of data and executables. Although their respective naming conventions differ, both systems do a pretty good job overall at separating system files from user files. In particular, I look for system files like executables and libraries to be in their own locations (e.g., /Applications, c:Program Files) and not generally modifiable by end users. User data, on the other hand, should be readily available and only accessible to the designated owner/user.
In the past, I’d had problems with installing applications (as an administrative user) on Windows systems, and then running them as a non-privileged user. Many programs just didn’t work well in this multi-user manner. I’m pleased to say that the situation has improved over time.
Although the systems haven’t changed much from their respective predecessors, the scoring has gradually equalized a bit.
Qualitative score: Snow Leopard gets a B+ while Windows 7 gets a B.
• Privilege management. As I said above, I feel that both systems have been taking small steps backwards here, perhaps with the rationale of making things easier for the end user. A security-savvy owner is forced to create administrative and non-administrative profiles in both systems in order to completely separate these tasks. From my point of view, this is a mistake that is going to haunt us in the future.
Still, I’m going to give a slight nod here to Snow Leopard, because I can again get to the UNIX command line and run privileged operations easily via the “sudo” command, making it a bit easier for me to keep my administrative and production worlds separate.
Qualitative score: Snow Leopard gets a D+ while Windows 7 gets a D-.
• Program management. Not much has changed here from previous versions of OS X or Windows. I still feel this is an area where OS X truly shines. Putting all of an application’s files into a single “bundle” in the /Applications folder makes a world of sense to me. Removing unwanted apps; upgrading to new versions of apps; archiving apps; all of these basic functions become trivial in OS X and remain a nightmare for me in Windows.
I still don’t feel I can remove a major application from a Windows system without leaving behind significant residue, be it directly in the file system in the form of remnant DLLs or in a registry hive somewhere that the uninstaller didn’t clean up.
Qualitative score: Snow Leopard gets an A while Windows 7 gets a D.
• Access controls. Not much has changed here. As I said, both systems install a default user with administrative access. The good news, though, is that the default read-write access settings on most system files is disabled on both systems.
As in the past, I was able to tweak my Snow Leopard installation so that my desktop user is unprivileged and only my administrative user has read/write control over applications. I still find myself sweeping through the system periodically to clean up the default access controls left behind by various application installers that leave /Applications and /Library/Application Support open to world read/write.
As for network access controls via the firewall, I find a lot to not like in both systems. I have essentially 3 settings in Snow Leopard: allow all, disallow all, and allow per-application. Once you learn how to work with these, they’re relatively simple, but the user interface isn’t as smooth as it should be.
Windows similarly allows the user to adjust firewall settings. They have, however, two extremes to choose from. The basic settings are very simplistic for the end user. If you go into the advanced settings, on the other hand, the settings are hugely and overly complicated.
Qualitative score: OS X gets a C while Windows gets a C.
These certainly aren’t all the criteria that would be relevant to compare, but they’re important aspects of a system’s security to the end user. A reasonably tech-savvy consumer can certainly find a lot to like and dislike in both operating systems. Windows 7 seems to me to have made great strides in making security choices simpler for the end user, but perhaps they’ve taken that too far in some areas—such as firewall controls.
I’ve become convinced that, in order to get security right, software must first and foremost be intuitive to the users. As a veteran of Windows, Linux, and Mac desktops, I firmly believe Apple is vastly ahead of its competition in this regard. Windows 7 has shown remarkable improvements, but still has miles and miles to go.
In the end, I believe neither system is drastically more secure than the other. They both offer a solid set of security capabilities, for sure. Even still, I remain a firm believer that I’m safer on Snow Leopard than I would be on Windows 7.