I think you have to look a little bit deeper than this. The problem isn't necessarily Apache or IIS on its own, but the scripting that they are capable of. For instance, if you were to remove the .asp and .shtml, etc. from IIS, you lower your possibility of being exploited. Just as if you were to add mod_php or mod_perl to your Apache configuration, you would raise your possibility of being exploited. When you do the initial server install, Apache by default is more secure, granted, but if you are not going to be using .asp on your IIS server you should know to remove the extension mappings from your IIS config immediately after install. Either one is fairly secure if you just run static .html on them without any scripting.
///Jason -----Original Message----- From: Bill Jaeger [mailto:[EMAIL PROTECTED]] Sent: Friday, January 18, 2002 10:16 AM To: d.schneider; [EMAIL PROTECTED] Subject: RE: [gb-users] Not Gnatbox but security related OK; I'll take the bait even though this wasn't addressed to me specifically. Yes, I would sooner (and have) opted for Apache over IIS when looking for a "secure" web server.
