Mandatory Access Control
Mandatory Access Control Principles

With MAC, an operating system limits the ability of an initiator to access or perform actions on objects, such as files, directories, network ports and memory blocks.

Every access or action is checked against a set of rules (policy) to decide whether it's allowed. Violations of the rules are logged and can generate notifications.
The State of MAC

Linux gained MAC in 2000.

Around 2008 Windows gained MIC (Mandatory Integrity Control), which is not even remotely close to MAC. It does so little that we have no idea why they bothered, except possibly as a marketing exercise, since the name MIC sounds close to MAC.

Consequently virtually all Windows defensive measures are reactive: they rely on lists of bad things to check for. So creators of malware can very easily, and secretly, check whether their malware gets detected, because anti-virus vendors very conveniently publish their badness lists.

You can read another expert's comments here.
Web Server MAC example
If a way is found to upload a malware file to a MAC-protected web server, the MAC rules for the web server prevent the malware file from being executed. In fact those rules prevent any file from being executed by the web server.

DNS Server MAC example

In July 2020 a serious MS Windows vulnerability was reported, whereby sending certain data to a Windows DNS (Domain Name System) server made it possible to gain Domain Administrator privileges.

An equivalent vulnerability on a MAC-enabled system does not enable a privilege increase, because the MAC rules for the DNS server prevent execution of any privilege-increasing software.
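To make the mediation described under Mandatory Access Control Principles concrete for both the web server and the DNS server examples, here is an added toy type-enforcement checker written in Python. It is not SELinux code and not IOPEN's policy: the type names (httpd_t, httpd_sys_content_t, named_t, named_zone_t, shell_exec_t, unconfined_t and the port types) follow SELinux naming conventions, but the rule set, process ids and scenarios are constructed for this example. It shows the default-deny check, the deliberate absence of any execute or transition rule for the two server domains, and the audit line that a denial produces.

```python
# Added illustration: a toy type-enforcement checker modelled on the shape of
# SELinux allow rules (source type, target type, object class, permissions).
# Not SELinux code and not a real policy; type names follow SELinux naming
# conventions, but the rules, pids and scenarios below are constructed here.

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Allow:
    """One allow rule: source domain may perform perms on target type/class."""
    source: str            # subject (process) type, e.g. httpd_t
    target: str            # object type, e.g. httpd_sys_content_t
    cls: str               # object class: file, tcp_socket, process, ...
    perms: frozenset       # permitted operations on that class


@dataclass
class Policy:
    rules: list
    audit_log: list = field(default_factory=list)

    def check(self, source, target, cls, perm, pid, comm):
        """Mediate one access. Default deny: only an explicit allow rule grants
        it. Each denial is recorded as an AVC-style audit line (the
        'violations are logged' property from the principles section)."""
        for rule in self.rules:
            if (rule.source, rule.target, rule.cls) == (source, target, cls) \
                    and perm in rule.perms:
                return True
        self.audit_log.append(
            f"avc: denied {{ {perm} }} for pid={pid} comm={comm} "
            f"scontext={source} tcontext={target} tclass={cls}"
        )
        return False


# Constructed policy for the two server examples. Note what is absent:
# neither domain has 'execute' on any file type, and neither may 'transition'
# into a more privileged domain.
POLICY = Policy(rules=[
    Allow("httpd_t", "httpd_sys_content_t", "file",
          frozenset({"getattr", "open", "read"})),
    Allow("httpd_t", "http_port_t", "tcp_socket", frozenset({"name_bind"})),
    Allow("named_t", "named_zone_t", "file",
          frozenset({"getattr", "open", "read"})),
    Allow("named_t", "dns_port_t", "udp_socket", frozenset({"name_bind"})),
])


def web_upload_scenario(policy):
    """Web server example: a file placed in the web root inherits the content
    label. The server may serve (read) it but has no rule to execute it."""
    served = policy.check("httpd_t", "httpd_sys_content_t", "file", "read",
                          pid=1234, comm="httpd")
    executed = policy.check("httpd_t", "httpd_sys_content_t", "file",
                            "execute", pid=1234, comm="httpd")
    return served, executed


def dns_server_scenario(policy):
    """DNS server example: even with the named process under hostile control,
    its domain has no rule to run a shell or to move to a privileged domain."""
    run_shell = policy.check("named_t", "shell_exec_t", "file", "execute",
                             pid=5678, comm="named")
    escalate = policy.check("named_t", "unconfined_t", "process",
                            "transition", pid=5678, comm="named")
    return run_shell, escalate


if __name__ == "__main__":
    print("web: served=%s executed=%s" % web_upload_scenario(POLICY))
    print("dns: run_shell=%s escalate=%s" % dns_server_scenario(POLICY))
    for line in POLICY.audit_log:
        print(line)
```

Run it directly to see the two scenarios and the three AVC-style denial lines; the point of the model is that nothing special has to be written to block the bad outcome, it is simply never allowed. On a real SELinux host the same denials appear in the audit log in a closely similar form.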
Further MAC use

We provide systems based on an Enterprise Linux. Its MAC subsystem is called SELinux; it is enabled by default, and its policy is comprehensive.

Every service is protected in an appropriate way, so that if a vulnerability is found, any exploit attempts are either completely blocked or severely restricted.

Rules also exist for limited-access user accounts, for example a user account that doesn't have network access.

It's not hard to add extra rules for even more specialised things.

©2021-2024 : IOPEN Technologies Ltd - NZ