Mandatory Access Control
MAC Principles

With MAC, an operating system limits the ability of an initiator (a subject, typically a process) to access or perform actions on objects such as files, directories, network ports and memory blocks.

Every access or action is checked against a set of rules (the policy) to decide whether it is allowed. Violations of the rules are logged and can generate notifications.
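The log-and-notify step just described, as an added example that is not part of the original page: a small Python parser for the AVC denial records that SELinux writes to the audit log, producing a per-(source type, target type, class, permission) summary and a simple repeat-denial notification rule. The audit lines are constructed for this example in the kernel's AVC record format; the type names and field names are real SELinux ones, while the process ids, inode numbers, file names and the alert threshold are made up.

```python
"""Parse SELinux AVC denials from audit.log into a summary and notifications.
Added example; the log lines below are constructed in the kernel's AVC format."""
import re
from collections import Counter

# Constructed audit.log excerpt: two enforced denials for httpd, one SYSCALL record
# (not an AVC record, so it is skipped), one enforced denial for a user shell,
# and one denial recorded in permissive mode (logged, but the access went ahead).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1595000001.100:201): avc:  denied  { execute } for  pid=2143 comm="httpd" name="upload.bin" dev="dm-0" ino=40213 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1595000002.200:202): avc:  denied  { execute } for  pid=2143 comm="httpd" name="upload.bin" dev="dm-0" ino=40213 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1595000002.200:202): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1595000003.300:203): avc:  denied  { name_connect } for  pid=3120 comm="bash" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1595000004.400:204): avc:  denied  { write } for  pid=880 comm="named" name="zone.db" dev="dm-0" ino=1337 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type:level; the type is what policy rules are written against.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),      # absent for socket/port objects
        "stype": stype,
        "ttype": ttype,
        "tclass": fields["tclass"],
        # permissive=1 means the denial was only logged; the access was still allowed
        "enforced": fields.get("permissive", "0") == "0",
    }


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denials per (source type, target type, class, permission): the
    granularity at which a policy writer decides whether a rule is missing."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["stype"], r["ttype"], r["tclass"], perm)] += 1
    return counts


def enforced_denials(records):
    """Denials that actually blocked an access (policy in enforcing mode)."""
    return [r for r in records if r["result"] == "denied" and r["enforced"]]


def notifications(records, threshold=2):
    """Alert text for each (process, source type, permissions) combination that
    was blocked at least `threshold` times; the threshold is a constructed value."""
    counts = Counter(
        (r["comm"], r["stype"], tuple(r["perms"])) for r in enforced_denials(records)
    )
    return [
        f"{comm} ({stype}) denied {{ {' '.join(perms)} }} x{n}"
        for (comm, stype, perms), n in counts.items() if n >= threshold
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for key, n in summarize(recs).items():
        print(n, key)
    for line in notifications(recs):
        print("NOTIFY:", line)
```

On a real host the same parser can be fed the output of `ausearch -m AVC` instead of the embedded sample; the point of keeping the permissive flag is that a denial logged with permissive=1 did not stop anything and should be reported differently from an enforced one.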
The State of MAC

Linux gained MAC in 2000. MS Windows still doesn't have it.

Around 2008 Windows moved a little closer to MAC, but Microsoft's design (MIC, Mandatory Integrity Control) is fundamentally not MAC, since it uses ordered levels of access rather than labelled types.

If MS Windows had effective MAC it wouldn't need ever more numerous and complex defence mechanisms, which can often be bypassed, to compensate for its absence.

But we suspect that MS prefers income of $10+ billion from subscriptions to its monitoring services.

You can read another expert's comments.
Web Server MAC Example

If a way is found to upload malware to a MAC-protected web server, the MAC rules for the web server prevent the malware from being executed. In fact those rules prevent the web server process from executing any file.
DNS Server MAC Example

In July 2020 a serious MS Windows vulnerability was reported, whereby sending certain data to a Windows DNS (Domain Name System) server made it possible to gain Domain Administrator privileges.

An equivalent vulnerability on a MAC-enabled system does not enable a privilege increase, because the MAC rules for the DNS server prevent it from executing any privilege-increasing software.
Our Use of MAC

We provide systems based on an Enterprise Linux variant which has a MAC subsystem called SELinux. It is enabled by default, and it can defeat exploits that are not yet known.

Every service is protected in an appropriate way, so that if a vulnerability is found, any exploit attempts are either completely blocked or severely restricted.

Policies also exist for limited-access user accounts, for example a user account that has no network access. It's not hard to add extra policies for even more specialised uses.
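A worked illustration of the MAC principles, the web server and DNS server examples and the no-network user account described on this page, added here and not code from the page or from IOPEN: a toy type-enforcement engine in Python that models SELinux-style rules (subject domain, object type, object class, permissions), where anything not explicitly allowed is denied and logged in the shape of an AVC record. The type names httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, http_port_t, named_t, named_zone_t, dns_port_t, bin_t and user_home_t are real SELinux reference-policy names, but the rule set is a simplified one written for this example rather than the real policy, and user_nonet_t is an invented domain name for the no-network user account.

```python
"""Toy type-enforcement engine in the style of SELinux. Constructed example:
real reference-policy type names, but a simplified rule set written for this
page, not the actual policy. user_nonet_t is an invented domain name."""
from dataclasses import dataclass, field
from typing import NamedTuple


class Rule(NamedTuple):
    source: str        # subject domain, e.g. httpd_t
    target: str        # object type, e.g. httpd_sys_content_t
    tclass: str        # object class: file, tcp_socket, udp_socket, ...
    perms: frozenset   # permissions this rule grants


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    denials: list = field(default_factory=list)   # AVC-style audit records

    def allow(self, source, target, tclass, *perms):
        self.rules.append(Rule(source, target, tclass, frozenset(perms)))

    def check(self, domain, obj_type, tclass, perm, comm="?", name="?"):
        """Default deny: the permission exists only if an explicit allow rule grants it."""
        granted = any(
            r.source == domain and r.target == obj_type
            and r.tclass == tclass and perm in r.perms
            for r in self.rules
        )
        if not granted:
            # Same shape as the kernel's AVC denial line, so the record is greppable.
            self.denials.append(
                f'avc:  denied  {{ {perm} }} for  comm="{comm}" name="{name}" '
                f"scontext=system_u:system_r:{domain}:s0 "
                f"tcontext=system_u:object_r:{obj_type}:s0 tclass={tclass} permissive=0"
            )
        return granted


def build_policy():
    p = Policy()
    # Web server: read its content, write the upload area, bind its port.
    # No rule grants 'execute' on any file type, so nothing under the web root can run.
    p.allow("httpd_t", "httpd_sys_content_t", "file", "read", "getattr", "open")
    p.allow("httpd_t", "httpd_sys_rw_content_t", "file", "read", "write", "create", "getattr", "open")
    p.allow("httpd_t", "http_port_t", "tcp_socket", "name_bind")
    # DNS server: zone files and its own port. No 'execute' on program files and no
    # domain transition, so a hijacked named process stays an ordinary named_t process.
    p.allow("named_t", "named_zone_t", "file", "read", "write", "getattr", "open")
    p.allow("named_t", "dns_port_t", "udp_socket", "name_bind")
    # Limited user domain (invented name): home directory and ordinary programs,
    # but no socket permissions at all, which is what "no network access" means here.
    p.allow("user_nonet_t", "user_home_t", "file", "read", "write", "create", "getattr", "open")
    p.allow("user_nonet_t", "bin_t", "file", "execute", "read", "open", "getattr")
    return p


def web_upload_scenario(p):
    """Malware lands in the upload area: the write succeeds, execution does not."""
    written = p.check("httpd_t", "httpd_sys_rw_content_t", "file", "write", "httpd", "upload.bin")
    executed = p.check("httpd_t", "httpd_sys_rw_content_t", "file", "execute", "httpd", "upload.bin")
    return written, executed


def dns_scenario(p):
    """A hijacked DNS process tries to run a system program to raise its privileges."""
    return p.check("named_t", "bin_t", "file", "execute", "named", "helper")


def nonet_user_scenario(p):
    """The restricted user's shell tries to create a TCP socket.
    As in SELinux, socket creation is checked against the process's own type."""
    return p.check("user_nonet_t", "user_nonet_t", "tcp_socket", "create", "bash", "socket")


if __name__ == "__main__":
    policy = build_policy()
    print("web upload (written, executed):", web_upload_scenario(policy))
    print("dns process runs a program:", dns_scenario(policy))
    print("restricted user creates a socket:", nonet_user_scenario(policy))
    print("\n".join(policy.denials))
```

The engine only looks for a matching allow rule, which is the essential property of type enforcement: the web server rules never mention `execute`, so an uploaded file can be written and read but not run, and the DNS server has no path to a more privileged domain because no rule gives it one.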

©2021-2024 : IOPEN Technologies Ltd - NZ