May 10th, 2003, 07:11 PM
#11
I wouldn't suggest leaving your platform. I know the article I posted discusses Linux, but many of the themes are still applicable.
There are two main types of DDoS attacks:
1. Those that just plain consume all of your bandwidth.
2. Those that exploit a developed latency.
#1 cannot be defended against at your end, so there is no point in worrying about it; that is your ISP's job. #2 is dealt with by patching against known exploits like SYN flooding, which has already been covered; load balancing, if possible, to keep a single system from being overwhelmed with CPU/memory-intensive processes; disabling all unused protocols (under Advanced TCP/IP Settings > Options > TCP/IP Filtering); and lastly an NIDS/firewall that learns, so that when it sees what looks like an attack from a system, that system's future requests are ignored for X time. There are many ways to do this depending on your budget and particular needs.
One more thing, as an NT web server admin, I think you might find this software handy:
https://www.argus-systems.com/catalogue/protector/
Argus is the same company that makes PitBull LX, which is a wonderful trusted operating system that uses DBAC to manage its labeled security. This DBAC technology has now been slightly extended to NT. You can completely compromise the admin or system account or whatever, but if you know anything about labeled security you will know that you cannot escape your label, so no permissions are gained even with a system shell.
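The last mitigation in the post above (ignore a source for X time once its traffic looks like an attack), sketched as an added example that is not part of the original post. The `TempBlocker` class, the threshold, window and ban values, and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class TempBlocker:
    """Ignore a source for ban_secs after it exceeds max_hits within window_secs."""

    def __init__(self, max_hits=5, window_secs=10.0, ban_secs=60.0):
        self.max_hits = max_hits          # assumed threshold
        self.window_secs = window_secs    # assumed sliding window
        self.ban_secs = ban_secs          # the post's "X time" (assumed value)
        self.hits = defaultdict(deque)    # source -> timestamps of recent requests
        self.banned_until = {}            # source -> time the ban expires

    def allow(self, source, now):
        """Return True if the request should be served, False if dropped."""
        expiry = self.banned_until.get(source)
        if expiry is not None:
            if now < expiry:
                return False              # still banned: drop without counting
            del self.banned_until[source] # ban expired, source starts clean
        window = self.hits[source]
        window.append(now)
        # Slide the window: forget requests older than window_secs.
        while window and window[0] <= now - self.window_secs:
            window.popleft()
        if len(window) > self.max_hits:
            self.banned_until[source] = now + self.ban_secs
            window.clear()
            return False
        return True

def replay(events, blocker):
    """Feed (timestamp, source) events to the blocker; return drops per source."""
    dropped = defaultdict(int)
    for ts, src in events:
        if not blocker.allow(src, ts):
            dropped[src] += 1
    return dict(dropped)

# Constructed sample traffic (documentation-range addresses, times in seconds).
EVENTS = sorted(
    [(t * 0.5, "198.51.100.7") for t in range(20)]    # burst: 20 requests in 10 s
    + [(t * 5.0, "203.0.113.20") for t in range(4)]   # steady client: 1 per 5 s
    + [(75.0, "198.51.100.7")]                        # returns after the ban expired
)

if __name__ == "__main__":
    print(replay(EVENTS, TempBlocker()))
```

A per-source table like this grows with the number of distinct sources, so a production filter bounds its size, and it does nothing for the bandwidth-exhaustion case the post leaves to the ISP.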