http://qs321.pair.com?node_id=482370


in reply to Re: Paranoid about web application security
in thread Paranoid about web application security

Apache is securable, as opposed to IIS, which cannot be secured.
This sounds more like a statement of blind faith than a reasoned argument: I don't recall having heard of any disclosed vulnerabilities in IIS 6 (which is what you probably should be running, as Windows 2000 has just gone out of support). Yes, there were some absolutely horrible holes in IIS (I particularly remember the raw NTFS stream bug in IIS 3 with some amusement), but it strikes me that MS really are taking security seriously these days.

Ideally you should have your web server behind a firewall anyway, whatever OS it is running on, thereby preventing vulnerabilities in other parts of the OS from making your web applications insecure.

Of course if you know of any unpatched problems with IIS, maybe now is the time to be laying them out so the OP can make his own mind up based on the facts.

Third party analysis of IIS 6 security can be found at:

/J\


Re^3: Paranoid about web application security
by willyyam (Priest) on Aug 09, 2005 at 20:03 UTC

    I spoke too soon. I was unaware that IIS 6 was available, or that it was better than previous versions - but it is, and it appears to be. I still contend that any Windows server is less secure by default than something like OpenBSD (designed from the ground up to be secure - as opposed to Windows, which is designed from the ground up to be easy to use for the most people), but if placed behind a sufficiently configured firewall, IIS 6 will probably be okay.