>>In fact the service record of IIS 7 for vulnerabilities has been much better than any of the *nix servers available.
>
>Interesting... do you have some stats to back that?
Here are a couple that I could dig up:
IIS 7:
http://secunia.com/advisories/product/17543/?task=statistics
Apache:
http://secunia.com/advisories/product/73/?task=statistics
Microsoft has been for years comparing attack vulnerabilities on non-MS studies and there really hasn't been any challenge to that. All the complaints you hear about IIS security go back to pre-IIS6.
As we said before, 99% of security breaches today don't actually go through the server's internals, but through application weaknesses, which you can screw up in any development tool and language.
If you actually follow the server mfr. security guidelines for application security you are very secure (for any vendor). You might also not have much of an application to run because the requirements can be very strict.
In the end it's up to us as developers to make sure sites don't get hacked, not server vendors. This means we have to have at least a fundamental understanding of security at the OS level.
+++ Rick ---