I have been following this thread for a while. Here are what I consider a couple of key points that go beyond "my OS is better than yours" type arguments.

1. Out-of-the-box security is irrelevant. Why do I say that when most users run software with out-of-the-box settings a la IIS? Because no matter what OS, web server, mail server, etc. that you run (even BSDs), if you use out-of-the-box settings you are completely vulnerable. Period. You MUST harden to have a secure OS/application/service.

2. There is a heck of a lot more to hardening IIS than keeping up with patches. In fact, most of the recent worms and whatnot for IIS were not effective on unpatched but hardened IIS boxes. Things like ISAPI filters should be disabled unless you absolutely need them. That is one of the basic tenets of security. ALWAYS turn off services and features you don't use or need. Never use default settings, and that includes installation paths. Most automated worms are not intelligent enough to figure out if key files are not in default directories (though a determined hacker might).

3. Open source does have an advantage in hardening. This was already pointed out, but it is worth repeating. If you can read and edit source code, then you are more likely to be able to create your own fix, or someone else will while you wait for the developer to release an "official" patch. Otherwise, you are at the mercy of the vendor if it is closed-source software. That does NOT mean open source is more secure, just that it can be easier to harden if you know what you are doing.

4. While IIS can be hardened to an acceptable level by knowledgeable admins, the fact that IIS runs with System-level access (which cannot be changed) is an unfortunate problem that cannot be addressed by admins. Privileges should be another key component of a secure system, and IIS should not require this much access to serve up web pages. And since we already know that IIS comes with everything turned on by default, the risk is greater that someone will miss something and leave a vulnerable feature running.

Given that 1 and 2 are popular misconceptions, IIS is not as insecure as some people like to make it out to be. But I think 3 and 4 should help people realize why Apache can ultimately be made to be more secure.

Brownfox
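Brownfox's second point is that the worms of that era lived off IIS defaults: script mappings installed out of the box (.ida, .idq, .htr, .printer, the SSI extensions) and default virtual directories (/scripts, /msadc, /_vti_bin, the IIS samples and help trees). The script below is an added example, not part of the original post, showing how a defender would check that claim against their own W3C extended IIS logs: it parses the `#Fields:` header, flags requests that touch a default script mapping or default virtual directory or carry a `..` traversal, and lists the source addresses doing it. The sample log lines are constructed for the example; the extension and directory lists are the well-known IIS 4/5 defaults, and the `probing_ips` threshold is an arbitrary choice.

```python
import os.path
from collections import Counter
from urllib.parse import unquote

# Script mappings IIS 4/5 installed by default; a hardened box has them removed.
DEFAULT_ISAPI_EXTENSIONS = {
    ".ida", ".idq", ".htr", ".printer", ".htw", ".idc", ".stm", ".shtm", ".shtml",
}
# Virtual directories created by a default IIS install.
DEFAULT_VDIRS = {
    "/scripts", "/msadc", "/_vti_bin", "/iisadmpwd", "/iissamples", "/iishelp", "/printers",
}

# Constructed sample log in W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 12:00:01 10.0.0.5 GET /default.ida XXXXXXXXXXXX%u9090%u6858 200
2001-08-01 12:00:02 10.0.0.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-08-01 12:00:03 10.0.0.9 GET /index.html - 200
2001-08-01 12:00:04 10.0.0.5 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-08-01 12:00:05 10.0.0.7 GET /_vti_bin/shtml.dll - 200
2001-08-01 12:00:06 10.0.0.9 GET /images/logo.gif - 200
"""


def parse_w3c_log(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header names."""
    fields = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line appeared before a #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):     # malformed or truncated line; skip it
            continue
        entries.append(dict(zip(fields, parts)))
    return entries


def classify_request(stem):
    """Return the reasons a request stem looks like a default-install probe."""
    reasons = []
    decoded = unquote(stem)
    ext = os.path.splitext(decoded)[1].lower()
    if ext in DEFAULT_ISAPI_EXTENSIONS:
        reasons.append(f"default script mapping {ext}")
    top = "/" + decoded.lstrip("/").split("/", 1)[0].lower()
    if top in DEFAULT_VDIRS:
        reasons.append(f"default virtual directory {top}")
    # Decode twice so double-encoded traversals (%255c) are caught as well.
    if ".." in decoded or ".." in unquote(decoded):
        reasons.append("path traversal attempt")
    return reasons


def audit(text):
    """Flag every request in the log that touches an IIS default or traverses."""
    hits = []
    for entry in parse_w3c_log(text):
        reasons = classify_request(entry["cs-uri-stem"])
        if reasons:
            hits.append({
                "ip": entry["c-ip"],
                "uri": entry["cs-uri-stem"],
                "status": int(entry["sc-status"]),
                "reasons": reasons,
            })
    return hits


def probing_ips(hits, threshold=2):
    """Sources with at least `threshold` flagged requests (threshold is arbitrary)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = audit(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ip"]} {h["status"]} {h["uri"]}  <- {"; ".join(h["reasons"])}')
    print("probing sources:", sorted(probing_ips(flagged)))
```

Every flagged line is a feature the post says to turn off: the `.ida` hit is the Index Server mapping, the `/scripts` and `/msadc` traversals only matter if those directories still exist, and `/_vti_bin` is the FrontPage extensions. On a box where the mappings and directories were removed, the same requests still appear in the log but cannot reach anything, which is the point Brownfox is making about unpatched-but-hardened servers.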