With MAC, an operating system limits the ability of an initiator to access or perform actions on objects. Objects such as files, directories, network ports, memory blocks.
Every access or action is checked against a set of rules (policy) to decide whether it's allowed. Violations of the rules are logged and can generate notifications.
Linux gained MAC in 2000. MS Windows still doesn't have MAC.
Around 2008 Windows moved a little closer to MAC, but Microsoft's design (MIC) is fundamentally not-MAC, since it uses levels of access rather than types.
If MS Windows had MAC it wouldn't need ever-more numerous and complex (and fragile) defence mechanisms to attempt to compensate for its absence. Mechanisms which can often be bypassed.
You can read another expert's comments here.
If a way is found to upload malware to a MAC-protected web server, the MAC rules for the web server prevent the malware being executed. In fact those rules prevent any file being executed.
In July 2020 a serious MS Windows vulnerability was reported. Whereby the sending of certain data to a Windows DNS (Domain Name System) server made it possible to gain Domain Administrator privileges.
An equivalent vulnerability on a MAC-enabled system does not enable privilege increase. Because the MAC rules for the DNS server prevent execution of any privilege-increasing software.
We provide systems based on an Enterprise Linux. Its MAC subsystem is called SELinux, and it's enabled by default, and its policy is comprehensive.
Every service is protected in an appropriate way. So that if a vulnerability is found then any exploit attempts are either completely blocked or severely restricted.
Rules also exist for limited-access user accounts. For example a user account that doesn't have network access.
It's not hard to add extra rules for even-more-specialised uses.