I am going to say a couple of things.

First, all those posting, there is still the possibility that this is a Social Engineering attempt to get information from us on how to hack/crack a server (no offense Pie, I merely mention the very real possibility). For this reason I am most pleased to see the two pieces of advice that make the most sense: Vulnerability Scanner and Research from Respected Sources.

First get documentation on known vulnerabilities from respected sources. SANS institute is excellent and also from Microsoft themself. They openly publish procedures to secure their servers, warn against unsecured servers, and have tools to help out (i.e. iislockdown). Have these prepared.

Then, if possible, run a vulnerability scan. Present these to your manager in a supportive manner but make sure the documentation is delivered and that he is a signatory that it has. Keep one copy to CYA. If he fails to see the danger from the other failures of this guy and does not accept industry standard then, since he is your boss, all you can do is document your warnings. Saved E-mails, the affore mentioned presentation, etc. all can go to ensuring that if something happens you are as covered and protected as possible. However, he is the decision maker and probably controls your raises and promotions so I would be very careful about openly defying him.

One last thing, if he is taken in with certifications then get some. Get an A+, MCP, or work towards a Sec+. I am not saying certifications will make you a better employee or more knowledgeable (although you may learn something studying for them) but they may make you more credible in his eyes and in the eyes of his bosses. A few letters after you name never hurt.