The operating system itself is just a small contributor to
your Web server's security posture. If you (or your provider)
don't consider the full environment, then it doesn't
matter which operating system you use--you can't reasonably
expect to maintain security. At a minimum, your total security
effort should include the following steps:
Create and follow a security policy, a document describing what system usage or activities are acceptable or not acceptable, and under what conditions.
Use your most trustworthy staff to maintain your servers.
Maintain your servers' physical protection from tampering and environmental hazards.
Develop comprehensive written administrative procedures and follow them.
Monitor security status with software tools (auditing, scanning, intrusion detection, and so on).
Perform periodic security reviews, preferably by a neutral party.
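As an added illustration of the monitoring step (this is example code written for this page, not a tool from the original article or any product it mentions), the following Python script is a minimal file-integrity monitor: it records a baseline of SHA-256 digests and permission bits for a web document root, then reports files that were added, removed, or changed since the baseline was taken. The directory layout, file names, and the simulated tampering in demo() are constructed sample data; a real deployment would store the baseline somewhere the web server account cannot write.

```python
"""Added example, not from the original article: a minimal file-integrity
monitor for a web document root. The web root contents and the tampering
in demo() are constructed sample data."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest and mode bits.
    Symlinks are skipped so a link pointing outside the root is not followed."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[str(path.relative_to(root))] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: new files, missing files, and files whose
    contents or permissions differ from the recorded baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON (keep this file off the web server's write path)."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"  # constructed sample web root
        (root / "cgi-bin").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "cgi-bin" / "status.cgi").write_text("#!/bin/sh\necho ok\n")
        os.chmod(root / "cgi-bin" / "status.cgi", 0o755)

        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated changes a monitor should flag: a modified page,
        # an unexpected new script, and a removed handler.
        (root / "index.html").write_text("<h1>Welcome!</h1>\n")
        (root / "cgi-bin" / "extra.cgi").write_text("#!/bin/sh\n")
        (root / "cgi-bin" / "status.cgi").unlink()

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script directly to see the three categories reported for the constructed root; in practice you would schedule build_baseline() against the live document root and alert on any non-empty category, re-baselining only after a reviewed deployment.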