The best tactic is NOT to run a service, if you don't need it.
If you're not running a web server, you're automatically invulnerable to the hundreds of attacks that float around the Internet and take advantage of web server vulnerabilities.
If you have to provide a service (e.g. your company's web server), make sure that it only supports the necessary sets of plugins/extentions. This will minimize exposure to remote threats. Also, make sure that you follow some security-related mailing list (like BUGTRAQ) to be notified when a new security vulnerability that affects your servers is publicized.