Apache is securable, as opposed to IIS, which cannot be secured.

This sounds more like a statement of blind faith rather than a reasoned argument: I don't recall having heard of any disclosed vulnerabilities in IIS 6 (which is what you probably should be running as Windows 2000 has just gone out of support). Yes there were some absolutely horrible holes in IIS (I particularly remember the raw NTFS stream bug in IIS 3 with some amusement), but it strikes me that MS really are taking security seriously these days.

Ideally you should have your web server behind a firewall anyway whatever OS it is running on, thereby preventing vulnerabilities in other parts of the OS making your web applications insecure.

Of course if you know of any unpatched problems with IIS, maybe now is the time to be laying them out so the OP can make his own mind up based on the facts.

Third party analysis of IIS 6 security can be found at:

• http://www.securityfocus.org/infocus/1765
• http://www.securityfocus.org/infocus/1755
• http://www.eweek.com/article2/0,1759,1666134,00.asp
• http://blogs.msdn.com/michael_howard/archive/2004/10/15/242966.aspx

/J\

---

---

• Are you posting in the right place? Check out Where do I post X? to know for sure.
• Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:

  <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>

• Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
• Want more info? How to link or How to display code and escape characters are good places to start.